Review

Quantum Stream Cipher Based on Holevo–Yuen Theory: Part II

1 Quantum ICT Research Institute, Tamagawa University, 6-1-1, Tamagawa-gakuen, Machida, Tokyo 194-8610, Japan
2 Research and Development Initiative, Chuo University, 1-13-27, Kasuga, Bunkyou-ku, Tokyo 112-8551, Japan
* Author to whom correspondence should be addressed.
Entropy 2024, 26(11), 983; https://doi.org/10.3390/e26110983
Submission received: 10 October 2024 / Revised: 9 November 2024 / Accepted: 14 November 2024 / Published: 15 November 2024
(This article belongs to the Special Issue Quantum Communication, Quantum Radar, and Quantum Cipher, 2nd Edition)

Abstract

This paper discusses the foundation of security theory for the Quantum stream cipher based on the Holevo–Yuen theory, which allows the use of “optical amplifiers”. This type of cipher is a technology that provides information-theoretic security (ITS) to optical data transmission by randomizing ultrafast optical communication signals with quantum noise. In general, the quantitative security of ITS is evaluated in terms of the unicity distance in Shannon theory. However, the quantum version requires modeling beyond the Shannon model of a random cipher to utilize the characteristics of the physical layer. Therefore, as the first step, one has to develop a generalized unicity distance theory and apply it to the evaluation of security. Although a complete theoretical formulation has not yet been established, this paper explains a primitive structure of a generalization of the Shannon random cipher and shows that the realization of this is the generalized quantum stream cipher. In addition, we present several implementation methods of generalized quantum stream ciphers and their security.

1. Introduction

Shannon has developed a historically groundbreaking theory for evaluating cryptographic functionality, utilizing his own entropy theory to analyze whether a cipher is decipherable [1]. Massey, on the other hand, offered a cryptographic direction that addresses real-world challenges while respecting Shannon’s concept [2]. The conditions that must be satisfied by ciphers for data to be useful in the real world are shown in Figure 1. That is, it is important that the ciphers used in practice satisfy the above in a balanced manner.
Massey suggested a concept to realize the above conditions as a technology, as follows:
(1) A short symmetric key is set and it is extended by a pseudo-random number generator (PRNG).
(2) The data are encrypted by the output of the PRNG.
(3) Private randomization techniques are useful to attain information theoretic security.
(4) Randomization for plaintext is a candidate for private randomization.
These are applicable for immunity against ciphertext-only attacks. A symmetric key cipher in modern mathematical cryptology requires at least a guarantee of computational security against known plaintext attacks. Thus, it was considered a difficult question whether or not an information-theoretic cipher can guarantee immunity against known plaintext attacks. To solve the above problem, H.P. Yuen proposed the basic concept of a new cipher, the so-called “generalized random cipher”, in collaboration with P. Kumar and O. Hirota; he disclosed a physical example of the generalized random cipher in a white paper in 2000, and the first experimental demonstration was reported in the QCMC in 2002 with the Kumar group [3]. The realization of the generalized random cipher is called the quantum stream cipher, at present. A more detailed name is the quantum noise randomized stream cipher operated by the Y-00 protocol. His fundamental idea consists of the following structure to satisfy Massey’s conditions of utility, as shown in Figure 1:
(1) Use a high-powered laser with a coherent state as the light source and use optical amplifiers for long transmissions.
(2) Use the mathematical cipher to diffuse the data into a set of M-ary coherent states that make up the transmission medium.
(3) Adopt randomizations of ciphertext in order to effectively control the quantum noise of the high-powered laser.
What crucially distinguishes Yuen’s idea from Massey’s is that the randomization moves from plaintext to ciphertext to achieve information-theoretic security against known plaintext attacks (see Figure 2). To realize these configurations, Yuen proposed a scheme based on communication theory to differentiate between the physical signal detection capabilities of the legitimate receiver and the eavesdropper. This is called “advantage creation by secret key”. The way to perform this is to adopt a communication scheme such that the ciphertext received by the eavesdropper is hidden by quantum noise. Such a principle is called keyed communication in quantum noise (KCQ). This principle leads to a situation where the ciphertexts that can be received by the receivers for legitimate communicators and for eavesdroppers are different. Figure 3 shows the scheme of the conventional mathematical stream cipher. Figure 4 and Figure 5 show the scheme and the concept of the quantum stream cipher based on the Holevo–Yuen theory.
Applications of such a physical encryption technique appear to be limited, not applicable to general communication networks. But to diversify communication functions, a quantum stream cipher which utilizes physical phenomena is beginning to be considered for the ultrafast optical backbone network by several industries. However, this cryptographic technique has extremely complicated mechanisms, and some aspects have emerged that are difficult to communicate, even among experts in cryptography. The first paper in 2022 with the same title [4] has explained the position of the quantum stream cipher from a broad perspective as a cryptographic technique. In this second paper, we introduce the principles of security guarantees for quantum stream ciphers. Then, we describe the theoretical structure of security and explain its final target, as shown in Figure 6.
Since the main purpose of this paper is to explain how the random cipher based on the KCQ principle differs from the conventional Shannon random cipher, we first summarize Shannon’s concept in Section 2, which is based on information theory, and explain a generalized Shannon random cipher in this context as a conceptual model in Section 3. Then, we list the theoretical structure and performance of quantum stream ciphers such as Type-I, Type-II, and Type-III as concrete implementations of the conceptual model in the subsequent sections. In such models, we show that there exists a quantum stream cipher which is not broken, even if the secret key is stolen after communications.

2. Review of Shannon–Massey Theory of Cryptography

2.1. Historical View

It is well known that Shannon published in BSTJ, in 1949, his attempt to apply the entropy-based information theory to clarify a fundamental concept of cryptography. Many well-known researchers have explained its purpose [2,5,6,7], and the authors have nothing to add. However, in view of the development of cryptology after Shannon, it is worthwhile to explain the position of Shannon’s cryptology once again based on Massey’s concept [2].
Today’s practical cryptography has moved away from Shannon’s information-theoretic viewpoint to mathematical cryptography based on computer science, which has developed into the fundamental technology of the modern information society. One of the reasons for this is that the modern information infrastructure, of which the Internet is the main form of communication, is extremely large and cannot be handled only by Shannon’s cryptosystem. Mathematical cryptography based on computer science can handle large-scale systems and is absolutely indispensable for the ever-expanding communication infrastructure.
On the other hand, in recent years, ultrahigh-speed backbone communication networks have become necessary as a communication infrastructure to support huge systems represented by cloud computing, and thanks to the efforts of optical communication researchers, optical backbone communication lines are reaching the point of completion to support huge cloud computing systems. Against this backdrop, an environment has emerged in which information-theoretic cryptography can play an active role as a security technology for backbone communication networks.
Taking this opportunity, we believe it is worthwhile to analyze the Shannon–Massey scheme of cryptology again from various points of view. In the following sections, we describe our attempt.

2.2. Conventional Definition of Information-Theoretic Security for Symmetric Key Cipher

First, let us set a cipher mechanism to be considered. When a plaintext sequence is X and a secret key is K, the ciphertext is given by
$$Y = F_{enc}(X, K) \tag{1}$$
where $F_{enc}$ is an encryption function. The secret key includes a running key sequence from PRNG with a short initial key or a true long random sequence.
We begin by stating a basic assumption of Shannon theory. In Shannon theory, when one constructs a cryptographic mechanism, there is an assumption that the ciphertext $Y^A$ is set by the legitimate sender and it can be correctly received by both legitimate receiver and eavesdropper. Namely,
$$Y^A = Y^B = Y^E \equiv Y \tag{2}$$
where $Y^B$ and $Y^E$ are ciphertext sequences that can be received by the legitimate receiver and eavesdropper. Under this precondition, both the legitimate one and the eavesdropper can decrypt the correct ciphertext with the correct key sequence based on a secret key and PRNG. Such a mechanism can be expressed using the entropy theory developed by Shannon as follows:
$$H(X|K, Y^B) = H(X|K, Y^E) = 0 \tag{3}$$
Thus, the security of Shannon’s cryptology is defined as follows:
Definition 1. 
An eavesdropper who does not know the secret key cannot decrypt the ciphertext $Y (= Y^E = Y^B)$ with probability 1. This is equivalent to
$$H(X|Y) \neq 0. \tag{4}$$
This cryptosystem is said to be information-theoretically secure against a ciphertext-only attack (COA).
On the other hand, the following theorem holds for cryptosystems with the conditions of Equation (2) [2,5,6].
Theorem 1. 
When the ciphertext consists of plaintext and the key sequence, the ambiguity of the plaintext has the following limitations.
$$H(X|Y) \le H(K) \tag{5}$$
This theorem is called the Shannon limit. In the following, we explain specific features of Shannon’s cipher under the conditions of Equation (2).

2.2.1. Non-Random Cipher

Prepare a key sequence K to encrypt a plaintext sequence X. Assume that the ciphertext is composed of these two sequences. In this case, a non-random cipher is defined as follows:
Definition 2. 
A cryptosystem whose constructed ciphertext satisfies the following properties is called a non-random cipher:
$$H(Y^E|X, K) = H(Y^B|X, K) = 0 \tag{6}$$
A typical example of this type of cipher is an additive stream cipher. Let $X = x_1, x_2, x_3, \ldots, x_n$ and $K = k_1, k_2, k_3, \ldots, k_n$ be a plaintext and a key sequence, respectively. Then the ciphertext is as follows.
$$Y^A = X \oplus K = Y^B = Y^E \tag{7}$$
Here, Shannon gives the following definition of full confidentiality for the above cryptographic mechanism.
Definition 3. 
A cryptosystem is fully confidential (or has perfect security in the sense of entropy) if it satisfies the following properties
$$H(X|Y) = H(X) \tag{8}$$
Based on this definition, the conditions for achieving perfect security in the sense of entropy are as follows.
Theorem 2. 
For a cipher system to have perfect security in the sense of entropy for any plaintext statistics, the key sequence length must be equal to or greater than the plaintext sequence length, i.e.,
$$|X| \le |K| \tag{9}$$
where the key sequence must be a sequence of true random numbers.
The cryptographic mechanism that meets the above conditions is called the One Time Pad (or Vernam cipher). It is inefficient and leaves problems in key management and known plaintext attacks [8,9].

2.2.2. Shannon Random Cipher

In Shannon theory, we can consider an information-theoretically secure cipher even if it does not satisfy the full confidentiality condition. It is called a random cipher and is defined as follows:
Definition 4. 
When a cryptosystem constructed under the conditions of Equations (2), (3), and (5) has the following properties
$$H(Y|X, K) \neq 0 \tag{10}$$
it is called a random cipher in the sense of Shannon.
In the case of a ciphertext-only attack, a cryptosystem with these properties can be realized by adopting a private randomization mechanism originating from Gauss, and its information-theoretic security is evaluated by the unicity distance theory. Its concrete structure is shown below [2,5,6].

2.3. Unicity Distance Theory

2.3.1. Summary

Shannon and his successors have discussed cases where Theorem 2 does not hold but the encryption cannot be uniquely decrypted by a ciphertext-only attack. To simplify the discussion, we take a stream cipher encrypted by a pseudo-random number generator (PRNG) with a short secret key. In order to evaluate the degree of information-theoretic security of such a cipher system, the following unicity distance is defined.
Definition 5. 
Let $Y_n = y_1, y_2, y_3, \ldots, y_n$ be a sequence of ciphertexts for an eavesdropper and $n_0$ be the minimum number of ciphertexts for which the ambiguity of the secret key is zero. Then, it is called the unicity distance of a ciphertext-only attack. That is,
$$n_0 : H(K|Y_{n_0}) = 0 \tag{11}$$
Here, we assume that the statistical structure of the plaintext is known, the entropy per symbol is $H(p)$, and the entropy of the key sequence is $H(K)$. Then, the number of key–plaintext pairs per each ciphertext is given by
$$F = \frac{2^{H(K)}\, 2^{nH(p)}}{2^{n}} = 2^{H(K) + nH(p) - n} \tag{12}$$
Since $F = 1$ in the above equation is equivalent to zero key ambiguity, the unicity distance is as follows [5,6]
$$n_0 = \frac{H(K)}{1 - H(p)} \tag{13}$$
The above equation shows that the unicity distance depends on the statistical structure of the plaintext.

2.3.2. Shannon Random Cipher and Its Unicity Distance

Homophonic substitution is an example of a method to increase the entropy per symbol of plaintext, independent of the key sequence. When this method is introduced, the ciphertext is not uniquely determined by the key–plaintext pair. In this case, Equation (10) holds. Therefore, this cipher system is a random cipher. In such a random cipher, the larger the entropy of the plaintext, the more difficult it becomes to estimate the key from the ciphertext. In other words, the unicity distance becomes larger. If $H(X) = nH(p) = n$, the unicity distance becomes infinite and the key cannot be uniquely determined even from an infinite number of ciphertexts. This is called an ideal cipher. However, if the eavesdropper obtains the correct key after obtaining the ciphertext, the correct plaintext can be decrypted since $H(X|K, Y) = 0$ is a precondition. Thus, the Shannon limit holds.

2.4. Known Plaintext Attack Against Conventional Cipher

As introduced in the previous section, the cryptography theory of Shannon and his successors ends with a formulation for a ciphertext-only attack. In this section, we explain how Shannon’s theory holds when we assume a known plaintext attack (for simplicity, we assume an additive stream cipher).
Definition 6. 
Let $Y_n = y_1, y_2, y_3, \ldots, y_n$ be the ciphertexts of length $n$ of the eavesdropper, and assume that the plaintexts of the same length are known. The minimum number of ciphertexts for which the ambiguity with respect to the key is zero is defined as follows.
$$n_1 : H(K|Y_{n_1}, X_{n_1}) = 0 \tag{14}$$
The $n_1$ in the above equation is called the unicity distance of known plaintext attacks.
In the following, we show some properties of the unicity distance for non-random ciphers and random ciphers in the Shannon theory.

2.4.1. Non-Random Cipher

Since $H(Y|K, X) = 0$ in a non-random cipher, the following holds if a ciphertext of length equal to the key length and the corresponding plaintext are known.
$$H(K|Y_{|K|}, X_{|K|}) = 0 \tag{15}$$
where $Y_{|K|}$ and $X_{|K|}$ are the ciphertext equal to the key length and the corresponding known plaintext, respectively. From the above,
$$n_1 \le |K| \tag{16}$$
This means that non-random ciphers can be decrypted in principle. Thus, the conventional symmetric key cryptography has only the above degree of information-theoretic security, and the rest relies on computational security.

2.4.2. Shannon Random Cipher

For a random cipher in Shannon theory, one has $H(X|K, Y) = 0$, $H(X|Y) \le H(K)$ under the condition $H(Y|K, X) \neq 0$. From the theory of entropy, the following holds in general.
$$H(X_n|Y_n) + H(K|X_n, Y_n) = H(K|Y_n) + H(X_n|K, Y_n) \tag{17}$$
Assuming equality in the Shannon limit $H(X_n|Y_n) \le H(K)$, there exists a finite $n$, namely $n_1$, for which $H(K|X_n, Y_n) = 0$ from the above formula. Therefore, even if $n_0$ is infinite, a random cipher can be formally deciphered by a known plaintext attack. From the above, it is expected that conventional random ciphers are not very effective against known plaintext attacks because they depend on plaintexts, and if the structure of the plaintext is known, the randomization has little effect.
Thus, the conventional cryptographic techniques can provide information-theoretic security against a ciphertext-only attack, but these cannot provide information-theoretic security against known plaintext attacks.

3. Conceptual Generalized Random Cipher and Its Fundamental Properties

3.1. Conceptual Mechanism

Even with a cryptographic mechanism that uses a short secret key and PRNG, it is still possible to resist ciphertext-only attacks to a practical extent. In order to realize a cryptosystem with information-theoretic security for general attacks, it is necessary to develop a random cipher that goes beyond the existing concept of random ciphers. In this section, we provide an overview of the generalization of the Shannon random cipher as a conceptual mechanism.
Here, we define a generalized Shannon random cipher as a cryptosystem such that the ciphertext of the cryptosystem is hidden by ideal noise, and it has the following features.
$$Y^A = Y^B \neq Y^{E_q} \tag{18}$$
where $Y^A$ and $Y^B$ are the ciphertexts of the legitimate communicator and $Y^{E_q}$ is the ciphertext received by the eavesdropper. In other words, this is achieved by creating a situation where the ciphertext received by the legitimate receiver and the ciphertext that can be received by the eavesdropper are different. If we describe this in a sequence, it is as follows:
$$Y_n^B = y_1^A, y_2^A, y_3^A, \ldots, y_n^A \tag{19}$$
$$Y_n^{E_q} = y_1^{E_q}, y_2^{E_q}, y_3^{E_q}, \ldots, y_n^{E_q} = y_1^A \oplus q_1, y_2^A \oplus q_2, y_3^A \oplus q_3, \ldots, y_n^A \oplus q_n \tag{20}$$
where $q_1, q_2, q_3, \ldots$ denote errors due to true noise. If this situation could be realized, then the following conceptual relations would be held.
$$H(Y^B|K, X) = 0, \tag{21}$$
$$H(Y^{E_q}|K, X) \neq 0 \tag{22}$$
Such a random cipher is a completely different form of random cipher than the conventional Shannon random cipher. Why this is possible is explained in a later section.

3.2. Generalized Unicity Distance

First, if the ciphertext received by a legitimate receiver and the ciphertext that can be received by an eavesdropper are different, the following situation is possible in the practical sense.
$$H(X_n|K, Y_n^B) = 0 \tag{23}$$
$$H(X_n|K, Y_n^{E_q}) \neq 0 \tag{24}$$
In other words, the legitimate receiver can obtain the correct plaintext with the correct key, but because the ciphertext of the eavesdropper has errors, the possibility appears such that the correct plaintext is not obtained even with the correct key. We need a generalization of the unicity distance to evaluate the security of the system in such cases. The unicity distances for such a cryptographic mechanism are described below [10,11,12].

3.2.1. Ciphertext-Only Attack

The unicity distance of a ciphertext-only attack is described for the eavesdropper’s ciphertext as follows:
Definition 7. 
Let $n_0^Q$ be the minimum length of the ciphertext that has zero key ambiguity for the eavesdropper’s ciphertext. Then, it is given by
$$n_0^Q : H(K|Y^{E_q}_{n_0^Q}) = 0 \tag{25}$$
$n_0^Q$ is called the unicity distance of the ciphertext-only attack for a generalized random cipher.
Unlike the conventional type, the above equation does not depend on the statistical structure of the plaintext, but on the randomness of the ciphertext that can be obtained by the eavesdropper. The error sequence in Equation (20) should be completely random numbers or its equivalent.
To achieve this, it is convenient to use the quantum noise effects of light. As an example, if the signal system consists of non-orthogonal quantum states when the eavesdropper receives the signal, the theory is that an ideal random number error effect will appear in the received signal. This is due to quantum irregularities (Born effect) when quantum superpositions are collapsed by measurement. Detailed discussions will be given in the subsequent sections.

3.2.2. Known Plaintext Attack

The conventional random ciphers can achieve a large unicity distance for a ciphertext-only attack, but the technology to achieve this is very complicated. Furthermore, it is difficult to guarantee information-theoretic security more than a key length in the known plaintext attack.
Here, we consider a known plaintext attack on a generalized random cipher. First, the information-theoretic security evaluation for the known plaintext attack is given as follows.
Definition 8. 
The unicity distance of known plaintext attacks for generalized random ciphers is defined as follows:
$$n_1^Q : H(K|X_{n_1^Q}, Y^{E_q}_{n_1^Q}) = 0 \tag{26}$$
In the case of the generalized random cipher, since it does not depend on the structure of the plaintext, the known plaintexts do not have much effect on the unicity distance. In other words, the following can be expected.
| K | n 1 Q 2 | K |
Later sections will discuss specific examples of this.

3.2.3. Secret Key Leakage Attack in COA

In conventional symmetric-key ciphers, an eavesdropper can retain the correct ciphertext, and if she can obtain the secret key after the communication, the correct plaintext can be obtained. This is due to $H(X|K, Y) = 0$. However, in generalized random ciphers, a possibility of Equation (24) arises because the eavesdropper’s ciphertext will be inaccurate. Therefore, we can define the following evaluation function.
Definition 9. 
When the secret key (initial key for PRNG) is stolen after communication, the minimum length of ciphertext needed by the eavesdropper to obtain the correct plaintext is as follows:
$$n_2^Q : H(X_{n_2^Q}|K, Y^{E_q}_{n_2^Q}) = 0 \tag{28}$$
The above is called the unicity distance of the secret key leakage attack.

4. Concrete Evaluation Method of Generalized Shannon Random Cipher

In the above section, we defined several unicity distances for several attacks. The main purpose of a generalized Shannon random cipher is to improve security against known plaintext attacks (KPAs). In order to perform a quantitative evaluation of security, it is necessary to develop a method for its calculation. We discuss a method in the following.
In the case of KPA for the conventional cipher, an eavesdropper can obtain the correct running key sequence which corresponds to the output sequence from the PRNG.
The purpose of the eavesdropper is to estimate the secret key of the PRNG from the running key sequence. Assume that the PRNG consists of a linear feedback shift register (LFSR) with a secret key (e.g., 256 bits) and a nonlinear filter. In general, one can adopt information theoretic analysis in an immunity evaluation in the conventional stream ciphers. The technique is called a fast correlation attack.
The efficiency of key estimation is evaluated by considering the following model. Suppose that the LFSR output is regarded as a linear code word of $(n, |K|)$ and the nonlinear filter section is modeled as a noisy communication channel with an error rate of $\epsilon$ which depends on the structure of the nonlinear part. So, the model corresponds to a decoding problem for a linear code word of length $n$ and information bit $K$. The feature of this method is that the computational security of the nonlinear filter section is analyzed by an information-theoretic model. Such a theory was developed by Siegenthaler [13], Chepyzhov-Smeets [14], and others, from which the following theorem was derived [13].
Theorem 3. 
When the length $n$ of the code word, which corresponds to the length of the output sequence obtained by the eavesdropper, is satisfied as follows:
$$n > N = \frac{|K|}{C(\epsilon)} \tag{29}$$
then, the probability of a key being correct is greater than $1/2$ if the total search complexity of the decryption algorithm is
$$O\left(2^{|K|} \times \frac{|K|}{C(\epsilon)}\right) \tag{30}$$
where $C(\epsilon)$ is the maximum mutual information of the communication channel model with error $\epsilon$.
Although this body of theory analyzes computational problems in the context of information theory, it was pointed out by Yuen et al. that these theories are rather appropriate for the ITS analysis of generalized random ciphers [10,11]. Here, we apply this theory to a detailed characterization of generalized random ciphers.
The generalized random cipher consists of a PRNG with a short key and real noise for randomization of the ciphertext or running key sequences. The nonlinear filter part of the running key sequence of the generalized random cipher does not make sense from an information-theoretic point of view. Therefore, the model is replaced as follows.
A sequence of LFSR with an initial key is the channel input, and this sequence is perturbed by true noise and a channel model by the nonlinear part. But, the main issue is a perturbation by real noise. Then, the procedure of the eavesdropper is to use decoding theory for the code word (LFSR) based on the sequence with errors due to the true noise.
Conventional theories that use communication channel models for computational problems lose the rigor of applying code theory because the noise model is not an independent process, but in a generalized random cipher, noise is a true independent process, so the above idea is more valid. From the above, the aforementioned theorem can be read into the problem of information-theoretic cryptography.
As a result, if we consider the meaning of the unicity distance, we can set up the following relation.
n 1 Q | K | C ( ϵ q )
$C(\epsilon_q)$ is the maximum mutual information of the measurement channel where the eavesdropper receives the running key sequence. $\epsilon_q$ is the error probability due to true noise.
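The model of this section can be run at toy scale. The following Python sketch is an added example, not code from the paper: it treats the LFSR output as an (n, |K|) code word, passes it through a binary symmetric channel with error rate ε_q, decodes by exhaustive search over all keys, and compares key recovery at n = |K|, n = N and n = 4N, where N = |K|/C(ε_q) as in Theorem 3. The 10-bit key, the polynomial x^10 + x^3 + 1, the omission of the nonlinear filter and ε_q = 0.25 are assumptions chosen so that the search runs in seconds.

```python
import math
import random

K_BITS = 10    # toy key length |K|, small enough to search all 2^|K| keys (assumption)
EPS_Q = 0.25   # assumed bit-error rate of the eavesdropper's measurement channel


def lfsr_word(key, n):
    """First n output bits (packed into an int, bit t = output at time t) of the
    LFSR s[t+10] = s[t+3] XOR s[t], i.e. x^10 + x^3 + 1, seeded with `key`.
    The first K_BITS output bits are the key itself."""
    state, word = key, 0
    for t in range(n):
        word |= (state & 1) << t
        feedback = (state ^ (state >> 3)) & 1
        state = (state >> 1) | (feedback << (K_BITS - 1))
    return word


def build_codebook(n):
    """Code word of length n for every key: the (n, |K|) linear code of Section 4."""
    return [lfsr_word(key, n) for key in range(1 << K_BITS)]


def bsc_capacity(eps):
    """C(eps) = 1 - h(eps) for a binary symmetric channel, in bits per symbol."""
    if eps <= 0.0 or eps >= 1.0:
        return 1.0
    return 1.0 + eps * math.log2(eps) + (1.0 - eps) * math.log2(1.0 - eps)


def threshold_length(eps):
    """N = |K| / C(eps) from Theorem 3, rounded up to whole symbols."""
    return math.ceil(K_BITS / bsc_capacity(eps))


def observe(word, n, eps, rng):
    """Eve's copy of the first n running-key bits: each bit flipped with probability eps."""
    for t in range(n):
        if rng.random() < eps:
            word ^= 1 << t
    return word & ((1 << n) - 1)


def ml_key(observed, n, codebook):
    """Exhaustive maximum-likelihood decoding: the key whose code word is nearest
    in Hamming distance to the observation (valid for eps < 1/2)."""
    mask = (1 << n) - 1
    return min(range(len(codebook)),
               key=lambda k: bin((codebook[k] & mask) ^ observed).count("1"))


def success_rate(n, eps, trials, seed, codebook):
    """Fraction of random keys recovered exactly from n observed symbols."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = rng.randrange(1 << K_BITS)
        hits += ml_key(observe(codebook[key], n, eps, rng), n, codebook) == key
    return hits / trials


if __name__ == "__main__":
    N = threshold_length(EPS_Q)
    book = build_codebook(4 * N)
    print("N = |K|/C(eps_q) =", N)
    for n, eps in [(K_BITS, 0.0), (K_BITS, EPS_Q), (N, EPS_Q), (4 * N, EPS_Q)]:
        print(f"n={n:4d} eps={eps:.2f} key recovered in "
              f"{success_rate(n, eps, 40, 1, book):.0%} of trials")
```

With an error-free running key the |K| known symbols fix the key, which is the non-random case of Section 2.4.1; with noise the same |K| symbols almost never do, and reliable recovery needs a sequence several times longer than N together with the 2^|K| search.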

5. Protocol and Structure of Standard Quantum Stream Cipher

The challenge is how to show that the conceptually presented generalized random ciphers are real. The Y-00 protocol was proposed to solve this problem. The Y-00 protocol is a technique that combines cryptographically secure pseudo-random numbers and quantum noise effects, and is characterized by the fact that it can be equivalently regarded as a function to hide the ciphertext of mathematical ciphers with quantum noise. In this section, we show a simple explanation of the original scheme of a quantum stream cipher based on the Y-00 protocol [10,11], which is called a basic quantum stream cipher or standard quantum stream cipher.
In order to guarantee ultrahigh-speed and long-distance transmission, it is necessary to adopt optical signals with high energy, not single photon or entanglement light. However, in general, high-power signals have little quantum effect and do not adequately hide the ciphertext. Therefore, we introduce a mechanism in which the receiver Bob (the legitimate receiver) can ignore the quantum effect, such as quantum noise, and the receiver Eve (the eavesdropper) cannot avoid the quantum effect, even though the light is strong. This scheme is called “Advantage creation by secret key”. It is designed as follows:
(a) Let us consider two optical signals with quantum coherent states sending 0 and 1 data. Let us denote the two coherent state signals as follows: $|\alpha\rangle$ and $|-\alpha\rangle$, with $|\alpha| \gg 1$, which is an amplitude of laser light. A pair of two coherent states is called the communication basis $B_a(g)$ for transmitting the “Binary Signal Data” as plaintext, where $g = 1, 2, 3, \ldots, M$. It means to prepare a set $M$ of different pairs $B_a(g)$ of two coherent states with different complex amplitudes, as follows:
$$B_a(1) = \{|\alpha e^{i\theta_1}\rangle, |-\alpha e^{i\theta_1}\rangle\}, \quad B_a(2) = \{|\alpha e^{i\theta_2}\rangle, |-\alpha e^{i\theta_2}\rangle\}, \quad \ldots, \quad B_a(M) = \{|\alpha e^{i\theta_M}\rangle, |-\alpha e^{i\theta_M}\rangle\} \tag{32}$$
The selection can be realized by a unitary transformation controlled by the running key. In the standard quantum stream cipher, the data information $x = 0, 1$ are assigned regularly to one of the signals of each basis. Thus, in general there is a correlation between the plaintext and running key as in the conventional cipher.
(b) Alice and Bob share the same PRNG with the same secret key (for example 256 bits) as the conventional stream cipher. A sequence is generated by the output of PRNG. This is called a “running key” sequence in a stream cipher. Alice’s transmitter selects a communication basis in Equation (32) following the running key of $M$ values, and then one of the binary data is transmitted by using the selected communication basis. Thus, a sequence of $2M$-ary optical signals with coherent states of different amplitudes or phases is transmitted. It is a quantum ciphertext that must be converted into an electrical signal by quantum measurement for cryptanalysis.
(c) Alice and Bob share the same running key, so Bob can know which basis was selected. That is, he can receive the optical signal as the binary signal after an inverse unitary transformation. So, the quantum signals for Bob are as follows:
$$\rho_0^B = |\alpha\rangle\langle\alpha|, \quad \rho_1^B = |-\alpha\rangle\langle-\alpha| \tag{33}$$
This is independent of the communication basis.
But Eve has no information on the running key, because she does not know the secret key for PRNG. So Eve has to use a receiver for $2M$-valued signals, and has to discriminate $2M$-ary phase shift keying (PSK) signals. In the case of phase shift keying, the set of quantum states is described by
$$\rho_m^E = |\alpha e^{i\theta_m}\rangle\langle\alpha e^{i\theta_m}|, \quad m = 1, 2, 3, \ldots, 2M \tag{34}$$
where $m$ is controlled by the binary data and $M$-ary running key. Thus the error performance of Bob is given by binary quantum detection, and the error performance of Eve is formulated by the $2M$-ary quantum detection for cryptanalysis.
(d) The Y-00 protocol requires a signal constellation such that the binary detection is error free, but the $2M$-ary signal detection suffers from the quantum noise effect based on the Helstrom–Holevo–Yuen principle [15,16,17,18]. That is, a non-orthogonal quantum state signal cannot be discriminated without error. The above structures satisfy this condition, because a binary detection of two coherent states is regarded as nearly orthogonal for $|\alpha| \gg 1$, but the $2M$-ary detection for the complex amplitude $\alpha_m$, $m = 1, 2, 3, \ldots, 2M$ is regarded as a non-orthogonal quantum state system. The concrete signal constellation based on phase shift keying (PSK) is given in [10].
(e) Consequently, Bob can obtain directly a data bit sequence without serious error. However, Eve can only obtain a multi-level signal sequence which corresponds to ciphertext as the measurement result of quantum ciphertext. This electrical sequence of the ciphertext has errors. So Eve has to recover the data sequence or secret key of the PRNG from this sequence with errors.
Thus a quantum stream cipher based on the Y-00 protocol is a candidate for the generalized random cipher in which Eve cannot obtain the correct ciphertext (see Figure 7). Moreover, this scheme has technical advantages in real world applications. That is, the noise for randomization is only generated in the measurement process, and it does not disturb the bandwidth of the channel or data speed of the legitimate communicator. Thus, it is applicable to the conventional optical communication systems for ultrafast data transmission.
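The gap between Bob's binary detection and Eve's 2M-ary detection can be put in numbers. The following Python sketch is an added example, not part of the paper: it evaluates the Helstrom bound for |α⟩ versus |−α⟩ and the minimum error probability for 2M equiprobable PSK coherent states, using the known result that the square-root measurement is optimal for such symmetric states. The equally spaced phases θ_m = 2πm/(2M), the equal priors, |α|² = 100 and the values of M are assumptions.

```python
import cmath
import math


def bob_error(photons):
    """Helstrom minimum error probability for |alpha> versus |-alpha> with equal
    priors, photons = |alpha|^2: P_e = (1 - sqrt(1 - exp(-4|alpha|^2))) / 2."""
    overlap_sq = math.exp(-4.0 * photons)      # |<alpha|-alpha>|^2
    if overlap_sq >= 1.0:
        return 0.5                             # identical states: pure guess
    # expm1/log1p keep the tiny result from rounding to exactly zero
    return -0.5 * math.expm1(0.5 * math.log1p(-overlap_sq))


def eve_error(photons, n_states):
    """Minimum error probability for n_states equiprobable PSK coherent states
    alpha*exp(2*pi*i*m/n_states). Their Gram matrix is circulant, and for such
    symmetric states the optimum is P_c = (sum_k sqrt(lambda_k) / n_states)^2,
    with lambda_k the Gram eigenvalues (the DFT of its first row)."""
    step = 2.0 * math.pi / n_states
    # First Gram row: <alpha_0|alpha_j> = exp(-|alpha|^2 (1 - e^{i theta_j}))
    row = [cmath.exp(-photons * (1.0 - cmath.exp(1j * step * j)))
           for j in range(n_states)]
    twiddle = [cmath.exp(-1j * step * t) for t in range(n_states)]
    total = 0.0
    for k in range(n_states):
        lam = sum(row[j] * twiddle[(j * k) % n_states]
                  for j in range(n_states)).real
        total += math.sqrt(max(lam, 0.0))      # clamp rounding noise below zero
    return 1.0 - (total / n_states) ** 2


def advantage(photons, n_bases):
    """(Bob's error, Eve's error) for M = n_bases bases, i.e. 2M signal states."""
    return bob_error(photons), eve_error(photons, 2 * n_bases)


if __name__ == "__main__":
    for m in (1, 16, 128):
        bob, eve = advantage(100.0, m)
        print(f"M={m:4d}  Bob P_e={bob:.3e}  Eve P_e={eve:.4f}")
```

At |α|² = 100 Bob's error stays negligible for every M, while Eve's optimum error grows with M and is about 0.8 for M = 128, and this holds for any receiver she could build.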

6. Quantum Communication Theory for Cryptanalysis

The security of the cipher relies on errors in the ciphertext that an eavesdropper can obtain. Therefore, quantum communication theory plays an essential role in analyzing errors in the ciphertext received by the eavesdropper. In the following, we will denote a formulation of the error analysis of the ciphertexts of legitimate receivers and eavesdroppers based on the quantum communication theory.

6.1. Fundamental Formulae

The quantum communication theory was initiated in the 1970s and 1980s by pioneers such as C. Helstrom, R. Kennedy, A. Holevo, V. Belavkin, H.P. Yuen, S. Personic, and V.W. Chan, and its whole formulation was integrated by Helstrom [15] and Holevo [16]. Specifically, Holevo [17] and Yuen [18] clarified the optimum conditions of the quantum Bayes detection rule for multi-level signals independently, and Hirota–Ikehara formulated the quantum minimax detection rule with the admissibility and completeness [19] that corresponds to the quantum version of the Wald–Middleton decision theory [20,21]. An introduction is available in [22]. Let us describe the formulation of quantum detection theory, which lies at the core of quantum Shannon theory. When the $2M$-ary coherent state signal is received at each slot, the optimizing variable of the quantum measurement channel is described by a compact set of the positive operator-valued measure (POVM): $\Pi_m$, $m = 1, 2, 3, \ldots, 2M$. Then, these operations are interpreted as the projector acting on the quantum state of each slot, and these provide error or detection probabilities as follows:
$$P(\alpha_l|\alpha_m) = \mathrm{Tr}\,\rho_m \Pi_l, \quad m, l = 1, 2, 3, \ldots, 2M$$
$$\rho_m = |\alpha_m\rangle\langle\alpha_m|, \quad \sum_l \Pi_l = I, \quad \Pi_l \geq 0 \;\; \forall l$$
The appearance of quantum effects in the reception process of signals is characterized by the above formula. The quantum Bayes rule is formulated as follows:
$$\bar{P}_e = \min_{\{\Pi\}} \left\{ 1 - \sum_{m=1}^{2M} \xi_m \mathrm{Tr}\,\rho_m \Pi_m \right\}$$
where the a priori probability is $(\xi_m > 0, \forall m)$ for the admissibility in the decision theory. The necessary and sufficient conditions are given as follows [17,18]:
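Theorem 4. 
{Holevo, Yuen}:
$$\begin{aligned} \Pi_m [\xi_m \rho_m - \xi_l \rho_l] \Pi_l &= 0, \quad \forall l, m \\ \gamma - \xi_l \rho_l &\geq 0, \quad \forall l \\ \gamma &= \sum_l \xi_l \rho_l \Pi_l \end{aligned}$$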
On the other hand, the quantum minimax rule is formulated as follows [19]:
$$\bar{P}_e = \max_{\{\xi\}} \min_{\{\Pi\}} \left\{ 1 - \sum_{m=1}^{2M} \xi_m \mathrm{Tr}\,\rho_m \Pi_m \right\}$$
The necessary and sufficient conditions are given as follows [19]:
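Theorem 5. 
{Hirota·Ikehara}:
$$\begin{aligned} \mathrm{Tr}\,\Pi_l \rho_l &= \mathrm{Tr}\,\Pi_m \rho_m, \quad \forall l, m \\ \Pi_m [\xi_m \rho_m - \xi_l \rho_l] \Pi_l &= 0, \quad \forall l, m \\ \gamma - \xi_l \rho_l &\geq 0, \quad \forall l \\ \gamma &= \sum_l \xi_l \rho_l \Pi_l \end{aligned}$$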
In general, it is very difficult to find the solutions of the above two quantum detection rules. However, in the standard quantum stream cipher system, quantum state signals have the covariance property defined below.
Definition 10. 
Let $G$ be a group with an operation $\circ$. The set of quantum state signals is called group covariant if there exist unitary operators $U_k$ $(k \in G)$ such that
$$U_k |\psi_m\rangle = |\psi_{k \circ m}\rangle, \quad \forall m, k \in G$$
It characterizes the quantum states $\{|\psi_m\rangle, m \in G\}$.
The general properties of the quantum Bayes rule for the covariant case of multi parameters are given by Ban [23]. One of the results for coherent state signals is as follows:
Theorem 6. 
If the signal set $\{|\alpha_m\rangle\}$ is covariant, the optimum POVM is given by using the Gram operator $H$ as follows:
$$\Pi_l = |\mu_l\rangle\langle\mu_l|, \quad |\mu_l\rangle = H^{-1/2} |\alpha_l\rangle, \quad H = \sum_{m=1}^{M} |\alpha_m\rangle\langle\alpha_m|$$
and the optimum quantum Bayes solution is
$$\bar{P}_e = 1 - |\langle\alpha_1| H^{-1/2} |\alpha_1\rangle|^2$$
where $|\alpha_1\rangle$ is the base state.
The error probability for Eve for $2M$ covariant signals can be given as follows [15,24,25]:
$$\bar{P}_e^E = 1 - \frac{1}{(2M)^2} \left( \sum_{m=1}^{2M} \sqrt{\lambda_m} \right)^2, \qquad \lambda_m = \sum_{k=1}^{2M} \langle\alpha_1|\alpha_k\rangle\, u^{(k-1)m}$$
where $u = \exp[\pi i / M]$. In addition, Osaki showed that the worst a priori probability in the quantum minimax rule for the covariant signals becomes the uniform distribution and the minimax solution is also given by Equations (41) and (42) [26].

6.2. Advantage Creation by Differentiation of Quantum Detection Performance by Secret Key

Let us apply the above formulae to cryptanalysis. Bob can control the unitary transformation to convert back to binary optical signals by using the running key from the pseudo-random number for the $2M$ optical signals. Then, the quantum detection model becomes the binary quantum states of $\{\rho_0^B, \rho_1^B\}$: Equation (33), independent of the communication basis. The average error probability is given by the Helstrom formula, as follows [15]:
$$\bar{P}_e^B = \min_{\{\Pi\}} \left\{ 1 - \sum_{m=0}^{1} \xi_m \mathrm{Tr}\,\rho_m^B \Pi_m \right\} = \frac{1}{2} \left[ 1 - \left\{ 1 - 4\xi(1-\xi)\, \mathrm{Tr}(\rho_0^B \rho_1^B) \right\}^{\frac{1}{2}} \right]$$
On the other hand, “in order for Eve to perform the cryptanalysis”, she has to obtain the information of the running key sequence by her quantum measurement to the $2M$-ary quantum ciphertext. The first step in the procedure leading to an attack is to receive a signal flowing through the real communication channel. The average minimum error probability for the adopted quantum state signal scheme (or equivalently, the maximum detection probability) can be given by the following formulae: Equations (38), (39), (41), and (43). For $M \gg 1$, it becomes
$$\bar{P}_e^E = \max_{\{\xi\}} \min_{\{\Pi\}} \left\{ 1 - \sum_{m=1}^{2M} \xi_m \mathrm{Tr}\,\rho_m \Pi_m \right\} \approx 1$$
Thus, these formulae provide the theoretical accuracy of the ciphertext that the eavesdropper can obtain.
If Eve were to attempt to decode the binary data directly, she would adopt the binary quantum optimal measurement for the following mixed quantum states.
$$\rho_0^E = \frac{1}{M} \sum_{m=1}^{M} |\alpha_{(m=\mathrm{even})}\rangle\langle\alpha_{(m=\mathrm{even})}|, \qquad \rho_1^E = \frac{1}{M} \sum_{m=1}^{M} |\alpha_{(m=\mathrm{odd})}\rangle\langle\alpha_{(m=\mathrm{odd})}|$$
This structure of mixed states is called a doubly symmetric mixed state, and Kato gives the quantum Bayes (also minimax) solution for such mixed states of coherent states [27]. Then, the average error probability for binary data is given as follows:
$$\bar{P}_e^E = \max_{\{\xi\}} \min_{\{\Pi\}} \left\{ 1 - \frac{1}{2} \sum_{l=0}^{1} \mathrm{Tr}\,\rho_l^E \Pi_l \right\} \approx \frac{1}{2}, \quad M \gg 1$$
The differences between Equation (44) and Equation (45), and between Equation (44) and Equation (47), are called the advantage creation by the secret key.
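The gap between Bob's binary detection and Eve's $2M$-ary detection can be evaluated numerically. The following Python sketch is an added example, not code from the paper: it assumes a PSK constellation of $2M$ coherent states evenly spaced by $\pi/M$, uniform a priori probabilities, and a binary basis for Bob whose two states are separated by a phase gap (antipodal by default); all function names are hypothetical.

```python
import cmath
import math


def coherent_overlap(a, b):
    """Inner product <a|b> of two coherent states with complex amplitudes a, b."""
    a, b = complex(a), complex(b)
    return cmath.exp(-0.5 * abs(a) ** 2 - 0.5 * abs(b) ** 2 + a.conjugate() * b)


def psk_signals(amplitude, M):
    """Assumed constellation: 2M coherent states spaced by pi/M on a circle."""
    return [amplitude * cmath.exp(1j * math.pi * k / M) for k in range(2 * M)]


def gram_eigenvalues(signals):
    """Eigenvalues of the Gram matrix of a cyclic (group covariant) signal set.

    lambda_m = sum_k <alpha_1|alpha_k> u^((k-1) m) with u = exp(2*pi*i/N),
    N = len(signals); for N = 2M this is u = exp(pi*i/M).
    """
    n = len(signals)
    first_row = [coherent_overlap(signals[0], s) for s in signals]
    eigenvalues = []
    for m in range(1, n + 1):
        lam = sum(c * cmath.exp(2j * math.pi * k * m / n)
                  for k, c in enumerate(first_row))
        # The Gram matrix is positive semidefinite; clamp rounding noise below 0.
        eigenvalues.append(max(lam.real, 0.0))
    return eigenvalues


def eve_error(amplitude, M):
    """Minimum error probability for discriminating the 2M covariant signals."""
    n = 2 * M
    root_sum = sum(math.sqrt(lam)
                   for lam in gram_eigenvalues(psk_signals(amplitude, M)))
    return 1.0 - (root_sum / n) ** 2


def bob_error(amplitude, phase_gap=math.pi, prior=0.5):
    """Helstrom bound for two pure coherent states separated by phase_gap."""
    overlap_sq = math.exp(-2.0 * amplitude ** 2 * (1.0 - math.cos(phase_gap)))
    x = 4.0 * prior * (1.0 - prior) * overlap_sq
    # (1 - sqrt(1 - x)) / 2 rewritten to avoid cancellation when x is tiny.
    return x / (2.0 * (1.0 + math.sqrt(1.0 - x)))


if __name__ == "__main__":
    amplitude = 10.0  # constructed sample value: |alpha|^2 = 100 photons
    print("Bob (binary, antipodal): %.3e" % bob_error(amplitude))
    for M in (1, 16, 64, 256):
        print("Eve (2M = %4d signals): %.4f" % (2 * M, eve_error(amplitude, M)))
```

For a fixed amplitude, Eve's error grows toward 1 as $M$ increases while Bob's error is unchanged, which is the advantage creation by the secret key in numerical form.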

6.3. Physical Processes for Cryptanalysis Against PRNG

A sequence of length $n$ of quantum ciphertext from a transmitter of a standard quantum stream cipher is described as follows:
$$\rho^E(x_1, k_1^R) \otimes \rho^E(x_2, k_2^R) \otimes \cdots \otimes \rho^E(x_n, k_n^R)$$
$x \in X$ are binary data (plaintext) and $k^R \in K^R$ is the running key of $M$ values from PRNG. Let us denote the physical attack process for cryptanalysis in the following.

6.3.1. Individual Quantum Measurement-Collective Procedure

Let us assume that Eve adopts a quantum optimum measurement $\{\Pi_i\}$ for each slot. The observed sequence corresponds to a sequence of the decision output for the $2M$-valued signal at each slot. The randomness of signals is represented by Equation (38), and its randomness automatically provides a fully independent true random noise. The target for Eve is data (binary plaintext) or the secret key of PRNG, and she has to estimate them from the sequence with errors based on the security analysis like in the correlation attack or other attack. Such a procedure is called an “individual quantum measurement-collective attack”.

6.3.2. Collective Quantum Measurement-Collective Procedure

On the other hand, Eve can adopt a collective quantum measurement. It is a quantum measurement such that one treats some slots of the coherent state sequence of $2M$-ary as one block quantum state. Here, Eve has to construct a quantum entanglement measurement system of $(2M)^{|N|_{Bl}}$ signals, where $|N|_{Bl}$ is the length of the block. Based on such a measured sequence, she analyzes several attacks against the sequence. This scheme is called a “collective quantum measurement-collective attack”. When $|N|_{Bl}$ is a large number, it seems that this physical implementation is impossible. After such physical manipulations, the eavesdropper would be forced to make some cryptanalytic attempts.

7. Cryptological Attack for Quantum Stream Cipher and Its Performance

7.1. The Main Attack Schemes of Symmetric Key Ciphers with PRNG

The PRNG used in this cipher is guaranteed to be computationally secure. If the eavesdropper’s error in the quantum stream cipher is zero, then the security is consistent with the security of the PRNG itself. Therefore, the security analysis of the quantum stream cipher is based on the error in the ciphertext received by the eavesdropper, which is an investigation of how the cryptanalysis of the mathematical cipher is invalidated. This is because the purpose of this cipher is to make the mathematical analysis and exhaustive search for symmetric key ciphers impossible. Thus, it is sufficient to mention exhaustive search, correlation attacks, and key compromise as attack methods for the discussion of information-theoretic security against symmetric key ciphers.
Here, let us describe briefly the concept of cryptological attacks against the standard and some generalized quantum stream ciphers. At first, we denote a notion of the quantum noise effect in the Y-00 protocol. Since the receiver Bob adopts a binary detection scheme by the communication basis synchronized with the same PRNG with the same secret key, there is no mismatch in the communication basis. Then, it outputs a binary signal as data without serious error, because the signal power is strong and the signal distance of the two signals in the basis is large (See Figure 4). However, Eve’s received signals are $2M$-ary and contain errors, because the signal distances between several signals are small. The extent of the error is called the noise masking region (See Figure 8).
Definition 11. 
Let $\Gamma$ be the number of signals masked by quantum noise in several measurement processes. Then, $1/\Gamma$ is the correct probability of signals in the wedge approximation.

7.1.1. Legitimate Receiver Simulation Attack

Let us consider the KPA based on the exhaustive search. This attack clarifies the difference between the standard symmetric key cipher and quantum stream ciphers. In the standard quantum stream cipher based on the Y-00 protocol, the data (plaintext) of the signal of each basis are deterministically set such that data 0 and 1 are regularly mapped to neighboring signals composed of a communication basis [10]. That is, the data information is mapped to $0, 1, 0, 1, \ldots$ clockwise of the phase signal in the phase space. This means that the standard quantum stream ciphers have a correlation between basis and data.
As a result, each signal of $2M$-valued signals has information for the plaintext (data) and the communication basis, simultaneously. The information of the basis corresponds to that of the running key. Therefore, if each signal value can be determined by $2M$-ary detection, the plaintext and running key sequence information can be obtained directly.
In the above scheme, the information of binary plaintext in neighboring signals is completely masked by noises, but the information of the running key of $M$ values has finite ambiguity, because $\Gamma$ is small. In such a situation, it is easy for Eve to memorize the digital ciphertext sequence of the $2M$-ary signals containing errors. Eve can try KPA based on exhaustive search for all binary decisions similar to Bob on the stored sequence. This is called a legitimate receiver simulation attack.
Here, let us denote a rough approximate analysis for intuitive understanding. If the length of known plaintext is $|X| = |K| / \log M$ which corresponds to the equivalent key length and also equals the length of the ciphertext, then the probability of the correct decision for the running key $K^R = \{\alpha e^{i\theta_m}\}$ of $|K| / \log M$ length is
$$P(K^R | Y^{E_q}) \approx (\Gamma/2)^{-\frac{|K|}{\log M}} \ll 1$$
Equation (49) means that the following number of keys corresponds to the correct plaintext of $|K| / \log M$ length in the exhaustive search.
$$(\Gamma/2)^{\frac{|K|}{\log M}}$$
This means
$$n_1^Q > \frac{|K|}{\log M}$$
In other words, these features correspond to the property of the random cipher based on the degeneracy structure [10]. On the other hand, if there is no error, the cipher is
$$P(K^R | Y^{E_q}) = 1, \quad n_1^Q = \frac{|K|}{\log M}$$
The above characteristics indicate that the criticism stating that the standard quantum stream is the same as the conventional cipher is incorrect.

7.1.2. Fast Correlation Attack

Let us assume that no restriction is placed on the known plaintext length. In this situation, one can consider the running key sequence (LFSR output) as a linear code and attempt a fast correlation attack on the received sequence with errors. The $2M$-valued running key sequence of the LFSR output can be stored with errors. Then the $2M$-valued sequence is converted to binary values and a fast correlation attack is performed. The performance is evaluated by the unicity distance. From the definition of unicity distance, we can obtain the channel capacity of Eve’s measurement channel. In general, the standard quantum stream cipher does not have sufficient performance against the fast correlation attack when $\Gamma$ is small [28]. The concrete example to overcome this will be shown in the subsequent section.

7.1.3. Secret Key Leakage Attack

Assume that Eve memorizes the digital ciphertext sequence of $2M$-ary signals containing errors. After communication, we assume that Eve can obtain the secret key of PRNG. Eve will try an attack to estimate the plaintext that uses the correct secret key to the measured sequence with errors. That is, Eve can adopt the threshold for the binary decision depending on the correct running key, and she collects the plaintext sequence. The performance against such an attack is the most important in the generalized Shannon random cipher. Unfortunately, the standard quantum stream cipher does not have immunity against this type of attack.

7.2. Role of Additional Randomization Technique

In generalized random ciphers, the ciphertext or running key sequence obtained by an eavesdropper is perturbed by a true noise (such as quantum noise). If the noise effect is small, it naturally cannot provide sufficient information-theoretic security from the above theory. For realistic applications, it is necessary to develop techniques to reduce the channel capacity in Equation (31). Since noise must physically appear, such a generalized random cipher can be realized only at the physical layer.
The problem of increasing noise, as described above, has little precedent in information theory and is the exact opposite of what has been done so far. That is, the technological development aims to increase the noise effect on the eavesdropper without affecting the legitimate communicator. In the channel model of the receiving process of the eavesdropper, the research to reduce its maximum mutual information is called “Randomization technology”, and several examples have already been studied. Specific models will be presented later, but further research is expected.

8. Randomizations Towards Generalized Quantum Stream Ciphers

The standard quantum stream cipher introduced in the previous section is highly practical and has affinity with real communication networks. However, it may have weaknesses in terms of the quantitative security evaluation. Randomization techniques are needed to realize a generalized quantum stream cipher with high performance. This section presents some examples of randomization methods and gives a rough description of the improvements achieved by each method.

8.1. Overlap Selection Keying (OSK)

The OSK is a mechanism to randomize the geometrical relation between the data (plaintext) and signal value of the communication basis, patented by Tamagawa University (Patent number 4451085, 27 June 2003) [29]. It is to randomize the relation between the data and given basis based on a sequence from a branch of the PRNG. By this method, the correlation of the geometrical relation of the data and communication basis is broken inside of the region of quantum noise masking $\Gamma$. So, we have the following performance instead of Equation (49):
$$P(K^R | Y^{E_q}) \approx (\Gamma)^{-\frac{|K|}{\log M}}$$
In addition, the KPA is converted to the ciphertext-only attack. So the legitimate receiver simulation attack does not work. Thus, the unicity distance for KPA is guaranteed to have the following performance.
$$n_1^Q \geq |K|$$
The other effect of OSK is that plaintext is automatically encrypted with pseudo-random numbers, and the plaintext itself becomes a kind of ciphertext called Y-00 plaintext.

8.2. Deliberate Signal Randomization (DSR)

Assume that a communication basis consists of a binary phase shift signal. A basis is randomly selected by the running key sequence from PRNG, and one signal for data is transmitted by the selected basis. Then, $M$ signals are located on the upper plane of the phase space, and the other $M$ signals are located on the lower plane of the phase space [10]. Here, phase space means a space by quadrature amplitude $X_C$ and $X_S$.
Even if $M \gg 1$, the masking effect $\Gamma$ by quantum noise in Eve’s receiver is not enough, because the quantum noise is small. To enhance Eve’s error, the signal for transmission is randomly shifted by true noise on the upper plane when the signal belongs to the upper plane, and is shifted on the lower plane when it belongs to the lower plane. This scheme is called Deliberate Signal Randomization (DSR) which corresponds to “private randomization”. The strength of DSR is described by $|R_p|$. As a result, the masking region is enhanced by $\sigma |R_p|$, where $\sigma$ is the quantum noise effect. This was proposed by Yuen on 10 November 2003 [30]. When we adopt OSK and DSR with $\sigma |R_p| = M$, we may have the ideal performance such as
$$P(K^R | Y^{E_q}) \approx 2^{-|K|}$$
Thus, this may improve the unicity distance in Equation (54). The concrete example will be given in the subsequent section.

8.3. Quantum Noise Diffusion Mapping

The unicity distance of the generalized random cipher may be evaluated by the channel capacity of Eve from Equation (31). In this theory, the linear code that has the initial value of the LFSR as its information can be regarded as propagating through the noisy channel. Thus, the decoding capability, as the decryptability, at that time is evaluated by the channel capacity. In other words, as the length of the LFSR increases and the rate decreases, it becomes smaller than the channel capacity and the decoding accuracy increases. To obtain a large unicity distance, it is necessary to reduce the eavesdropper’s channel capacity by additional randomization like DSR. However, there is a trade-off in that it requires sacrificing the communication performance of the legitimate communicator. Therefore, a method to increase the unicity distance while keeping the amount of noise fixed is the subject of research.
In 2007, Hirota–Kurosawa proposed a method to introduce a mapping mechanism from a sequence of PRNG to actual quantum states, such that the input to the noisy channel is regarded as a nonlinear code [31]. This is achieved by re-diffusing the signal masked by a small quantum noise. This mechanism renders the fast correlation attack inoperative. In addition, it provides immunity against algebraic attacks. The detailed information-theoretic analysis of this method is still incomplete, but we look forward to further research.

8.4. Phase Masking by Symplectic Matrix

A theory for the randomization of the code form of coherent states is given by Sohma [32]. It consists of the unitary operator $U$ associated with a symplectic transformation in which any unitary operator composed of beamsplitters and phase shifters can be described by a symplectic transformation. First, let us consider the general code form of the coherent state, as follows:
$$|\phi\rangle = |\alpha_1\rangle |\alpha_2\rangle \cdots |\alpha_N\rangle$$
From the Stone–von Neumann theorem [33], the quantum characteristic function for the class of quantum Gaussian state is given as follows:
$$\Phi(z) = \mathrm{Tr}\, U |\phi\rangle\langle\phi| U^{\dagger} V(z) = \mathrm{Tr}\, |\phi\rangle\langle\phi| V(L^T z)$$
where
$$V(z) = \exp\{ i R^T z \}$$
$$R = [(q_1, p_1), \ldots, (q_N, p_N)]^T$$
and where $(q_i, p_i)$ are the canonical conjugate operators. Then $L$ is a symplectic matrix, and it is given by
$$L = \begin{pmatrix} r_{11} e^{i\theta_{11}} & \cdots & r_{1N} e^{i\theta_{1N}} \\ r_{21} e^{i\theta_{21}} & \cdots & r_{2N} e^{i\theta_{2N}} \\ \vdots & & \vdots \\ r_{N1} e^{i\theta_{N1}} & \cdots & r_{NN} e^{i\theta_{NN}} \end{pmatrix}$$
Here, let us denote a vector of complex amplitudes $\alpha$, as follows:
$$\alpha_{in} = (\alpha_1, \alpha_2, \ldots, \alpha_N)$$
then, we have the following relation.
$$\alpha_{out} = L \alpha_{in} = (\alpha_1^{out}, \alpha_2^{out}, \ldots, \alpha_N^{out})$$
As a result, the unitary transformation for the coherent state sequence is given as follows:
$$U |\phi\rangle = |\phi_{out}\rangle = |\alpha_1^{out}\rangle |\alpha_2^{out}\rangle \cdots |\alpha_N^{out}\rangle$$
Thus, by scrambling the elements of Equation (60) with pseudo-random numbers, one can construct codes with any waveform. This technology is useful to realize the coherent PPM scheme proposed by Yuen [30].

9. Generalized Quantum Stream Cipher of Type-I and Its Performance

A quantum stream cipher that adds randomization techniques like OSK and DSR to the standard quantum stream is called a Type-I generalized quantum stream cipher. In this section, we show the scheme and its performance.

9.1. Communication Scheme

Let us describe the communication scheme for phase shift keying (PSK). A running key sequence is generated by PRNG with a short secret key. The selection scheme of communication basis by the running key is the same as the standard quantum stream cipher. In addition, several randomizations described above may be installed. Then, $2M$-valued signals are transmitted. Bob can adopt the binary quantum optimum receiver, but in practice he can adopt an optical heterodyne receiver.
In the latter case, the output of the receiver is an analog electrical current consisting of signal and quantum noise. For decoding, the threshold for binary decisions is controlled based on the running key. Using the selected threshold, the binary decision is performed to obtain data. This type of communication scheme can be realized by the current optical communication technology.

9.2. Unicity Distance of Known Plaintext Attack

Here, let us assume a phase shift keying (PSK) quantum stream cipher with DSR and OSK. Eve is forced to adopt a detection of $2M$-ary signals and proceeds with the conventional fast correlation attack. Once the eavesdropper’s channel is set, the lower bound of the unicity distance is obtained by its channel capacity. The optimum condition of maximum mutual information for multi-valued quantum state signals is given by Holevo [17], and the optimum POVM is given by Osaki [34], based on the prediction of Fuchs–Peres [35], as follows:
Theorem 7. 
{Osaki}: The optimum POVM for maximum mutual information is given by the quantum minimax detection operator when the signal set is covariant and linearly independent.
The numerical performance has been verified for the maximum mutual information property based on the above theorem. As a result, when $M \gg 1$, it is possible to approximate its properties by the heterodyne receiver. In fact, $M \gg 1$ means that the signal set is regarded as an almost analog signal. To confirm it, we can estimate the optimality for an analog signal by the following theorem [36].
Theorem 8. 
{Yuen·Lax}: The estimation bounds for complex amplitudes are given by the following formula.
$$\mathrm{Var}(\hat{\alpha}) \geq \frac{1}{\mathrm{Tr}\,\rho L L^{\dagger}}$$
where the right logarithmic derivative is defined by
$$\frac{\partial \rho}{\partial \alpha} = L \rho$$
And its solution is as follows:
$$L = a$$
where $a$ is a photon annihilation operator, and it corresponds to a heterodyne measurement.
So, we can assume that the eavesdropper adopts the heterodyne receiver, which is the highest performance for asynchronous quantum state signals. In this case, the eavesdropper receives $2M$ original phase signals to obtain $M$-valued information on the running key. The signal distance between signals is $\pi S / M$, where $S = |\alpha|$ is the signal strength, and $\sigma$ is the masking effect of the signal by quantum noise. The amount of signal masking is $\Gamma_g = 2M\sigma / \pi S$. When the strength of DSR that spreads the quantum noise effect is $|R_p|$, we have $\Gamma_g = 2|R_p|\sigma M / \pi S$. Here, the range of DSR can be set as follows.
$$1 \leq \sigma |R_p| < \frac{1}{2} \pi S$$
The equivalent quantum noise of the optical heterodyne measurement is $\sigma = 1$, and the maximum mutual information in the wedge approximation is [10]
$$C_{Hetero} \approx \log_2 \frac{\pi S}{2|R_p|}$$
(the exact communication channel capacity will be reported separately). Then the generalized unicity distance for KPA is
$$n_1^Q > \frac{|K|}{\log_2 \frac{\pi S}{2|R_p|}}$$
This is called the Nair–Yuen formula [10]. If the strength of DSR is $|R_p| > \frac{1}{4} \pi S$, the generalized unicity distance is
$$|K| \leq n_1^Q \leq 2^{|K|}$$
This cannot be achieved using only a mathematical cipher. Thus, this scheme has advantages over conventional cryptographic mechanisms in terms of information-theoretic security. Although it is not the ultimate one, this type of system is expected to play a significant role in assuring the security of real optical communication systems.

9.3. Coherent Pulse Position Modulation Method

There is a method to realize the Type-I quantum stream cipher without using the above randomization technique. It is called the coherent pulse position modulation (CPPM). This mechanism takes information as M-valued and configures it as a transmitted signal system with M-ary PPM. The M-ary PPM signals are then spread like a pseudo-waveform signal into the M-ary slot by unitary transformations driven by a pseudo-random number generator. This scheme asymptotically approaches an eavesdropper’s ciphertext error of 1 as M increases. At the same time, however, it has the disadvantage of infinite baseband bandwidth, which makes it impractical. Recently, we have developed a method to avoid the bandwidth explosion. Details will be presented in another paper.
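The amplitude relation $\alpha_{out} = L \alpha_{in}$ of Section 8.4 and the spreading of a PPM pulse described above can be illustrated together. The following Python sketch is an added example, not code from the paper or from the cited works: it assumes a particular unitary $L = D_2 F D_1$ (keyed phase shifters $D_1$, $D_2$ around a fixed discrete Fourier network $F$), uses Python's `random.Random` as a stand-in for the shared PRNG, and all function names are hypothetical.

```python
import cmath
import math
import random


def keyed_mixing_matrix(n, seed):
    """Assumed unitary L = D2 * F * D1 with entries r_jk * exp(i * theta_jk)."""
    rng = random.Random(seed)  # stand-in for the running key, not a secure PRNG
    phase_in = [rng.uniform(0.0, 2.0 * math.pi) for _ in range(n)]
    phase_out = [rng.uniform(0.0, 2.0 * math.pi) for _ in range(n)]
    r = 1.0 / math.sqrt(n)  # every entry has the same modulus in this choice
    return [[r * cmath.exp(1j * (phase_out[j]
                                 + 2.0 * math.pi * j * k / n
                                 + phase_in[k]))
             for k in range(n)] for j in range(n)]


def apply(matrix, amplitudes):
    """alpha_out = L * alpha_in for a vector of coherent-state amplitudes."""
    return [sum(row[k] * amplitudes[k] for k in range(len(amplitudes)))
            for row in matrix]


def dagger(matrix):
    """Conjugate transpose, i.e. the inverse of a unitary matrix."""
    n = len(matrix)
    return [[matrix[k][j].conjugate() for k in range(n)] for j in range(n)]


def ppm_codeword(symbol, n, amplitude):
    """M-ary PPM: one pulse of the given amplitude in slot `symbol`."""
    return [complex(amplitude) if slot == symbol else 0j for slot in range(n)]


def energy(amplitudes):
    """Total mean photon number of the product coherent state."""
    return sum(abs(a) ** 2 for a in amplitudes)


if __name__ == "__main__":
    n, symbol, amplitude = 16, 5, 4.0  # constructed sample values
    L = keyed_mixing_matrix(n, seed=2024)
    sent = apply(L, ppm_codeword(symbol, n, amplitude))
    print("per-slot |amplitude| on the line:",
          [round(abs(a), 3) for a in sent])
    # Bob, holding the same key, undoes the mixing and sees the pulse again.
    bob = apply(dagger(L), sent)
    print("Bob's slot energies:", [round(abs(a) ** 2, 3) for a in bob])
    # A receiver with a different key does not refocus the energy.
    other = apply(dagger(keyed_mixing_matrix(n, seed=7)), sent)
    print("wrong-key slot energies:", [round(abs(a) ** 2, 3) for a in other])
```

With this choice of $L$ every slot on the line carries the same amplitude modulus $S/\sqrt{N}$, so the pulse position is not visible slot by slot, while the total energy is unchanged.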

10. Generalized Quantum Stream Cipher of Type-II and Its Performance

In this section, we discuss a higher-security performance scheme than the Type-I system. When a secret key for the cipher is stolen after communications, the conventional cipher can be decrypted correctly. The most important feature of the generalized quantum stream cipher is that the cipher may not be decrypted even when the secret key is stolen. We discuss in this section “a conceptual model” to show that there exists secure communication even if the secret key is stolen.

10.1. Communication Scheme

Here we show that there exists a scheme that is resistant to the secret key leakage attack. Let us assume that a channel between Alice and Bob is low-loss.
(a)
Alice uses PSK (phase shift keying). The set of the communication basis consists of two coherent states with small angles, as follows (See Figure 9):
$$\begin{aligned} B_a^{(1)} &= \{ |\alpha_1\rangle, |\alpha_1 e^{i\Delta\theta}\rangle \}, \\ B_a^{(2)} &= \{ |\alpha_2 e^{i2\Delta\theta}\rangle, |\alpha_2 e^{i3\Delta\theta}\rangle \}, \\ B_a^{(3)} &= \{ |\alpha_3 e^{i4\Delta\theta}\rangle, |\alpha_3 e^{i5\Delta\theta}\rangle \}, \\ &\;\;\vdots \\ B_a^{(M)} &= \{ |\alpha_M e^{i(M-1)\Delta\theta}\rangle, |\alpha_M e^{iM\Delta\theta}\rangle \} \end{aligned}$$
where $\Delta\theta = \pi / M$. When $\alpha = \alpha_m$, $\forall m$, a set of $2M$ signals becomes covariant by Equation (40). This communication basis is selected by a running key sequence. Then, plaintext is set to the selected basis, the same as in Type-I, or the quantum cipher text is generated by the unitary transform $U(x) U(k^R)$ to coherent states controlled by the running key sequence.
(b)
Bob has the same unitary transform $U(k^R)$, and it inversely transforms the input quantum states depending on the running key sequence. The output quantum states from the inverse unitary transformation can be regarded as binary quantum states.
(c)
Bob adopts the quantum optimum receiver with the Helstrom limit for these binary quantum states. The concrete system is called the Dolinar receiver. The average error for the data $x = 0, 1$ is independent of the basis and it is given by Equation (44), as follows:
$$\bar{P}_e^B = \frac{1}{2} \left\{ 1 - \sqrt{ 1 - |\langle\alpha|\alpha e^{i\Delta\theta}\rangle|^2 } \right\}$$
The amplitude and phase difference are designed so that the above error probability is sufficiently small.
(d)
Eve has to discriminate $2M$-valued coherent state signals. Since Eve does not know the a priori probability distribution for the $2M$-valued signals, she has to adopt a quantum minimax rule, as follows:
$$\bar{P}_e^E = \max_{\{\xi\}} \min_{\{\Pi\}} \left[ 1 - \sum_{m=1}^{2M} \xi_m \mathrm{Tr}\,\tilde{\rho}_m^E \Pi_m \right]$$
where $\{\tilde{\rho}_m^E\}$ is a set of Equation (71).
Figure 9. The signal arrangement above is the conventional form in the PSK scheme, while the one below is the proposed form; 0 and 1 are the information of the plaintext.

10.2. Secret Key Leakage Attack

Here, we show that the system is resistant to the secret key leakage attack. At first, Eve has to store a sequence of $2M$-valued signals received by the above quantum minimax receiver to attempt cryptanalysis. Once Eve has the secret key and the correct running key sequence after the measurement, she can try a classical binary decision scheme on sequences with errors in the $2M$ values for each slot.
Let us show how it works. When a set of quantum states is covariant, the solution of the minimax rule is equivalent to the quantum Bayes rule with the worst a priori probability distribution: $\xi_m = 1/2M$, $\forall m$ [26]. When $M \gg 1$, one can approximate the error performance based on quantum noise by the analog version in the quantum decision theory. The solution becomes the heterodyne receiver. Thus, let us assume that Eve adopts the heterodyne receiver with an analog-to-digital converter with infinite bandwidth. She can store the almost analog signal consisting of signals and quantum Gaussian noise.
When Eve obtains the secret key and the correct running key sequence, she adopts the binary threshold decision based on the classical Bayes rule depending on the running key. It corresponds to a model for the binary decision for binary signals with Gaussian quantum noise, because the uncertainty caused by pseudo-random numbers will disappear. The error probability for the binary data (plaintext) is
$$\bar{P}_e^E(x) \approx \mathrm{erfc} \left\{ \frac{|\alpha| (1 - \cos \Delta\theta)}{\sigma_{eq}} \right\}$$
The relation between Bob’s error, Equation (72), and Eve’s errors, Equation (74), with the secret key provided after communication for the plaintext (data) is as follows:
$$\bar{P}_e^E(x) \gg \bar{P}_e^B(x)$$
Thus, the sequences of plaintexts that Bob and Eve can obtain become as follows:
$$X_n^B \approx x_1, x_2, x_3, \ldots, x_n$$
$$X_n^{E_q} = x_1^{E_q}, x_2^{E_q}, x_3^{E_q}, \ldots, x_n^{E_q} = x_1 \oplus q_1, x_2 \oplus q_2, x_3 \oplus q_3, \ldots, x_n \oplus q_n$$
where $x_i : \{0, 1\}$, $q_i : \{0, 1\}$. As a result, Eve’s sequence consists of the plaintext $X$ and the quantum error sequence.
Here, we can regard the quantum error as the random key: $K_q = q_1, q_2, \ldots, q_n$. The structure of Eve’s sequence of plaintext, Equation (77), is equivalent to the Shannon cipher with the key sequence $K_q$. So the unicity distance of the final sequence for Eve is as follows.
$$n_2^Q = \frac{H(K_q)}{1 - H(p)}$$
where $H(K_q)$ is the entropy of the quantum error sequence and $H(p)$ is the entropy per symbol of the plaintext.
Thus, in principle, there exists the generalized Shannon random cipher with the following performance:
$$H(X | Y^B, K) \approx 0, \quad \text{for Bob}$$
$$H(X | Y^E, K) > 0, \quad \text{for Eve}$$
However, we emphasize that this is intended to provide theoretical evidence and is applicable only to channels with very low losses. Therefore, more careful research is needed for practical application.

11. Generalized Quantum Stream Cipher of Type-III and Its Performance

The principle of the previous schemes was to adopt a pseudo-random number generator (PRNG) for the diffusion of the quantum noise effect. Here, we show new schemes such that the quantum ciphertext is constructed by directly mapping the plaintext regularly to the quantum state signal without an encryption mechanism by the PRNG and secret key.

11.1. Communication Scheme as Protocol 1

First, we consider the encryption mechanism such that the advantage creation is given only by the difference of Bob’s and Eve’s receiving mechanisms. Let us assume that Alice can control the a priori probability of M-valued coherent state signals. So, Bob can use the quantum Bayes rule because Bob knows the a priori probability of the ciphertext, and Eve is forced to use the quantum minimax rule because she does not know the a priori probability of the ciphertext. This corresponds to the advantage creation based on only error performances between the quantum Bayes rule and quantum minimax rule. The communication scheme of the protocol is as follows:
(a) The plaintext consists of a combination of J bits $(x_1, x_2, x_3, \dots, x_J)$, $x_j = \{0, 1\}$. The information data becomes $M = 2^J$, as follows:
$$X_1 = (1, 0, 0, \dots, 0), \quad X_2 = (0, 1, 0, \dots, 0), \quad \dots, \quad X_M = (1, 1, 1, \dots, 1)$$
Next, assume that Alice can control the prior probability distribution $\{\xi_m^A\}$ of M-valued coherent state signals. However, the structure of the quantum state set $\{\rho_m^A\}$ will be exposed. In other words, the only thing unknown to Eve is the a priori probability distribution.
(b) The M-valued plaintext is mapped regularly to one of the M-valued quantum states as follows:
$$\rho_m^A = |\alpha_m\rangle\langle\alpha_m|, \quad m = 1, 2, 3, \dots, M$$
For example, an M-ary PSK scheme can be used, but the signal constellation may not be covariant.
(c) Bob has information for the a priori probability for M signals and has information about the structure of the quantum state ensemble $\rho_m^A$. Then, he can adopt the quantum Bayes decision rule. His error probability is given by
$$\bar{P}_{e,\mathrm{Bayes}}^{B} = \min_{\{\Pi\}} \left[ 1 - \sum_{m=1}^{M} \xi_m^A \,\mathrm{Tr}\, \rho_m^A \Pi_m \right]$$
Eve knows the structure of quantum state signals, but she does not know the a priori probability distribution. So, she has to adopt the quantum minimax decision rule as follows:
$$\bar{P}_{e,\mathrm{min}}^{E} = \max_{\{\xi\}} \min_{\{\Pi\}} \left[ 1 - \sum_{m=1}^{M} \xi_m \,\mathrm{Tr}\, \rho_m \Pi_m \right]$$
Then, her error probability is given by the quantum Bayes rule with the worst a priori probability. We wish to enlarge the absolute quantity of Eve’s error. To achieve this, we can adopt the concept of covariant and non-covariant signals [37,38,39]. For discrete signals, the criterion of these is given by the following [40].
Theorem 9 {Usuda · Takumi}:
M-ary signals $\{|\psi_m\rangle,\ m = 1, 2, 3, \dots, M\}$ are group covariant with respect to a group ( G ; ) of order M if and only if the following relation holds:
< ψ k m | ψ k l > = < ψ m | ψ l > , k , l , m G
where G = { 1 , 2 , 3 , M } and is the operation of the group G.
The minimax decision rule gives a solution assuming an a priori probability distribution that gives the maximum value of the Bayes rule solution. Here, when the signal system is not group covariant, the worst a priori probability distribution of minimax is not uniform [26]. According to the general theory of quantum detection [17,19], we have the following relation.
$$\bar{P}_{e,\mathrm{Bayes}}^{E}(\mathrm{Covariant}) = \bar{P}_{e,\mathrm{minimax}}^{E}(\mathrm{Covariant}) < \bar{P}_{e,\mathrm{minimax}}^{E}(\mathrm{Noncovariant})$$
That is, when the set of quantum states is not covariant, the error performance of the minimax rule itself is greatly degraded, depending on the signal properties [26,41]. Thus, we can have the following relation.
$$\bar{P}_{e,\mathrm{Bayes}}^{B}(\mathrm{Noncovariant}) < \bar{P}_{e,\mathrm{minimax}}^{E}(\mathrm{Noncovariant})$$
Using this property, the system uses a signal set that is not group covariant and transmits with an a priori probability distribution $\xi_m^A$ that maximizes the characteristic difference between Bayes and minimax. The optimization problem is given as follows:
$$\max_{\{\rho_m\}} \max_{\{\xi_m^A\}} \ \bar{P}_{e,\mathrm{Bayes}}^{B}(\mathrm{Noncovariant}) - \bar{P}_{e,\mathrm{minimax}}^{E}(\mathrm{Noncovariant})$$
where $\xi_m^A$ is the a priori probability distribution that Alice can control, and the relation among the a priori probability distributions is $\xi_m^A = \xi_m^B \neq \xi_m^E$. $\{\rho_m\}$ is a structure of non-covariant states. Here, the worst a priori probability distribution $\xi_m^E$ for the minimax is determined only by the structure of non-covariant quantum states. Thus, even if the legitimate communicators do not have PRNG with the secret symmetric key, we can realize an encryption scheme based on the advantage creation due to the Holevo–Yuen theory. The details of this property require numerical analysis and it will be shown in the subsequent paper.
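The Bayes-versus-minimax gap of Protocol 1 can be checked numerically in the simplest case. The following is an added example, not code from the paper: it narrows the M-ary setting to the binary coherent states $|\alpha\rangle$, $|-\alpha\rangle$ (an assumption; the non-covariant M-ary case needs the numerical analysis the authors defer), builds the optimum projective measurement for a given prior, and compares Bob, who designs it for Alice's prior, with Eve, who must design it for the worst-case prior. All function names are hypothetical.

```python
import math

def signal_angle(mean_photons):
    """Half-angle theta such that <psi0|psi1> = cos(2*theta) = exp(-2|alpha|^2)
    for the binary coherent states |alpha>, |-alpha> (|alpha|^2 = mean_photons)."""
    if mean_photons <= 0:
        raise ValueError("states must be distinct: mean_photons > 0")
    return 0.5 * math.acos(math.exp(-2.0 * mean_photons))

def bayes_projector(prior0, theta):
    """Unit vector v with Pi_0 = |v><v|: the positive eigenvector of
    Gamma = xi_0*rho_0 - xi_1*rho_1, i.e. the quantum Bayes measurement.
    States are psi0 = (cos t, sin t), psi1 = (cos t, -sin t) in a real 2-D basis."""
    c, s = math.cos(theta), math.sin(theta)
    delta = prior0 - (1.0 - prior0)
    a, b, d = delta * c * c, c * s, delta * s * s      # Gamma = [[a, b], [b, d]]
    lam = 0.5 * (a + d) + math.hypot(0.5 * (a - d), b)  # positive eigenvalue
    vx, vy = b, lam - a
    norm = math.hypot(vx, vy)
    return vx / norm, vy / norm

def error_probability(true_prior0, design_prior0, theta):
    """Average error when the receiver is optimised for design_prior0
    while the transmitter actually uses true_prior0."""
    vx, vy = bayes_projector(design_prior0, theta)
    c, s = math.cos(theta), math.sin(theta)
    hit0 = (c * vx + s * vy) ** 2    # Tr(rho_0 Pi_0): correct decision for psi0
    false0 = (c * vx - s * vy) ** 2  # Tr(rho_1 Pi_0): wrong decision for psi1
    return true_prior0 * (1.0 - hit0) + (1.0 - true_prior0) * false0

def minimax_prior(theta, steps=200):
    """Worst-case prior: the one maximising the Bayes error (grid search)."""
    grid = [i / steps for i in range(1, steps)]
    return max(grid, key=lambda xi: error_probability(xi, xi, theta))

def protocol1_errors(alice_prior0, mean_photons):
    """Return (Bob's Bayes error, Eve's minimax error, Eve's assumed prior)."""
    theta = signal_angle(mean_photons)
    worst = minimax_prior(theta)
    bob = error_probability(alice_prior0, alice_prior0, theta)
    eve = error_probability(alice_prior0, worst, theta)
    return bob, eve, worst

if __name__ == "__main__":
    # Constructed parameters: Alice sends |alpha> with probability 0.9, |alpha|^2 = 0.2.
    bob, eve, worst = protocol1_errors(0.9, 0.2)
    print(f"Eve's worst-case prior: {worst:.3f}")
    print(f"Bob (Bayes) error: {bob:.4f}   Eve (minimax) error: {eve:.4f}")
```

For binary pure states the worst-case prior is uniform, so the gap here comes entirely from Bob's knowledge of Alice's non-uniform prior; it vanishes when Alice herself transmits with the uniform prior.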

11.2. Communication Scheme as Protocol 2

Here, we consider the second candidate of the encryption without PRNG applicable to space communication. In general, space communication is modeled by a continuous waveform communication model [42]. For such purposes, a wire-tap channel model assumes poor signal-to-noise ratio conditions for eavesdroppers under natural conditions. However, the wire-tap channel models based on the Holevo–Yuen theory are different from conventional theories, because they are characterized by the legitimate communicators themselves creating the advantage for the legitimate communicators. Let us discuss the basic concept of the wire-tap channel scheme in the sense of the advantage creation principle based on the quantum communication theory by Holevo–Yuen.
The conventional wire-tap channel model requires a special channel such that the signal-to-noise ratio of Bob is greater than that of Eve, as the system requirement. We replace its condition with the notion of advantage creation in the quantum measurements. According to the quantum Shannon theory established by Holevo and others [16], the capacity formula for the lossy Gaussian noise channel for coherent states is given as follows [43]:
Theorem 10 {Holevo · Sohma · Hirota}.
The capacity formula of the quantum lossy Gaussian noise channel for coherent state signals is given as follows:
$$C_H = \log\left(1 + \frac{S}{1 + \langle n \rangle}\right) + S \log\left(1 + \frac{1}{S + \langle n \rangle}\right) - \langle n \rangle \log\left(\frac{1 + \frac{S}{\langle n \rangle}}{1 + \frac{S}{1 + \langle n \rangle}}\right)$$
where $S$ and $\langle n \rangle$ are average photon numbers of the received signal and additive noise, respectively.
The above formula is in general greater than the Shannon classical capacity. To achieve this Holevo capacity in the realization stage, the communicators must have prior knowledge of the quantum signal structure, time–phase synchronization and other various conditions. The capacity can only be achieved by adopting a quantum optimum measurement under those conditions. The time–phase synchronization between Alice and Bob is available, but Eve cannot obtain such system parameter information.
The secret capacity is defined as follows:
$$C_S = \max_{\{\xi\},\{\Pi^B\}} I^B(X, Y) - \max_{\{\xi\},\{\Pi^E\}} I^E(X, Y)$$
where $\{\Pi^B\}$ and $\{\Pi^E\}$ are POVMs for Bob and Eve, respectively. The mutual information for Eve is formulated under the condition that Eve does not know the system parameter information. If the system parameter is not known, a heterodyne receiver would be optimal. Thus, Eve’s POVM is restricted to the heterodyne. With this differentiation, it is possible to construct a modified wire-tap channel communication scheme.
A conjecture of the concrete formula of the secret capacity for this model based on the coherent state is as follows [44].
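$$C_S = C_H - C_{\mathrm{Shannon}} = \log\left(1 + \frac{S_B}{1 + \langle n \rangle_B}\right) + S_B \log\left(1 + \frac{1}{S_B + \langle n \rangle_B}\right) - \langle n \rangle_B \log\left(\frac{1 + \frac{S_B}{\langle n \rangle_B}}{1 + \frac{S_B}{1 + \langle n \rangle_B}}\right) - \log\left(1 + \frac{S_E}{1 + \langle n \rangle_E}\right)$$
where $S_B$ and $\langle n \rangle_B$ are the average photon numbers of signal and noise for Bob. $S_E$ and $\langle n \rangle_E$ are those for Eve. When the above formula is positive, one can implement the secure communication system in principle.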
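To see when the conjectured secret capacity is positive, the capacity formula of Theorem 10 and the conjecture above can be evaluated directly. This is an added example, not code from the paper; the function names are hypothetical, logarithms are taken to base 2 (an assumption, the text does not fix the base), and `eve_break_even_signal` is obtained here by solving $C_S = 0$ for Eve's received photon number.

```python
import math

def g(x):
    """(x+1)log2(x+1) - x log2(x): entropy in bits of a thermal state with
    mean photon number x, used only as an independent cross-check."""
    return 0.0 if x == 0 else (x + 1) * math.log2(x + 1) - x * math.log2(x)

def holevo_capacity(S, n):
    """C_H of Theorem 10 in its three-term form, for received signal photon
    number S and noise photon number n (bits per channel use)."""
    if S < 0 or n < 0:
        raise ValueError("photon numbers must be non-negative")
    if S == 0:
        return 0.0
    c = math.log2(1 + S / (1 + n)) + S * math.log2(1 + 1 / (S + n))
    if n > 0:  # the third term tends to 0 as n -> 0
        c -= n * math.log2((1 + S / n) / (1 + S / (1 + n)))
    return c

def shannon_heterodyne(S, n):
    """C_Shannon term of the conjecture: the capacity available to a
    heterodyne receiver, log2(1 + S / (1 + n))."""
    return math.log2(1 + S / (1 + n))

def secret_capacity(S_B, n_B, S_E, n_E):
    """Conjectured C_S = C_H(Bob) - C_Shannon(Eve); may be negative."""
    return holevo_capacity(S_B, n_B) - shannon_heterodyne(S_E, n_E)

def eve_break_even_signal(S_B, n_B, n_E):
    """Eve's received photon number at which C_S = 0.
    C_S > 0 exactly when Eve receives less than this."""
    return (2 ** holevo_capacity(S_B, n_B) - 1) * (1 + n_E)

if __name__ == "__main__":
    # Constructed operating points (photon numbers per mode).
    for S_B, n_B, S_E, n_E in [(1, 0, 1, 0), (2, 1, 2, 1), (0.5, 0.1, 4, 0.1)]:
        cs = secret_capacity(S_B, n_B, S_E, n_E)
        limit = eve_break_even_signal(S_B, n_B, n_E)
        print(f"S_B={S_B} n_B={n_B} S_E={S_E} n_E={n_E}: "
              f"C_S={cs:+.4f} bits, break-even S_E={limit:.4f}")
```

The three-term form agrees with $g(S + \langle n \rangle) - g(\langle n \rangle)$, which gives an independent check on a transcription of the formula.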
For the practical discussions, we need a discretization technique like the realization of classical waveform communication [42]. Then we need to construct a coding theory that creates an advantage for the legitimate communicators. It is equivalent to constructing the super-additivity of mutual information. The first challenge to clarify the effect of coding was made in [45].

12. Conclusions

In this paper, we explained that generalized quantum stream ciphers, which can improve the shortcomings of one-time pad ciphers, are realizable by applying quantum effects. The most important claim of this paper is that the quantum stream cipher based on the Holevo–Yuen theory is guaranteed to be information-theoretically secure, even though it consists of a PRNG with a short secret key. Figure 10 shows the difference in principles that guarantee the security. To demonstrate the performance of such ciphers, we have introduced the generalized unicity distance and showed some examples. A more detailed theoretical analysis needs to be developed for the realization of the ultimate performance, such as for Type-II and Type-III.
On the other hand, a number of experimental studies for the standard quantum stream cipher have already been initiated on the basis of the above theory. As a result, promising results for practical application have been obtained by groups in the USA, Japan, and China [46,47,48,49,50,51,52,53]. In addition, the generalized quantum stream cipher with randomizations of Type-I has been implemented by the Futami group [54]. This is the first demonstration of a quantum stream cipher with sufficient information-theoretic security.
The purpose and methods of such research and development are quite different from those of quantum technology in physics, which currently has the largest research population. As a result, the concept of security and the method of proof are completely different, making some aspects difficult to explain. Figure 11 illustrates the difference in concepts. Figure 12 shows the summary of the comparisons among several schemes of stream ciphers.
Finally, another possibility of the generalized random ciphers is Shapiro’s scheme, the so-called quantum low probability of intercept [55], and Lloyd’s scheme [56]. These will be introduced in part III.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Data Availability Statement

Data are contained within the article.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Shannon, E. Communication theory of secrecy systems. BSTJ 1949, 26, 656.
  2. Massey, J. Contemporary Cryptology—An Introduction; Simmons, G.J., Ed.; IEEE Press: Piscataway, NJ, USA, 1992.
  3. Barbosa, G.A.; Corndorf, E.; Kumar, P.; Yuen, H.P. Secure communication using coherent state. In Proceedings of QCMC-2002; Shapiro, J.H., Ed.; Rinton Press: Princeton, NJ, USA, 2002.
  4. Sohma, M.; Hirota, O. Quantum stream cipher based on Holevo-Yuen theory. Entropy 2022, 24, 667.
  5. Welsh, D. Codes and Cryptography; Oxford U Press: Oxford, UK, 1988.
  6. Blahut, R.E. Cryptography and Secure Communication; Cambridge University Press: Cambridge, UK, 2014.
  7. Papen, G.C.; Blahut, R.E. Lightwave Communication; Cambridge University Press: Cambridge, UK, 2019.
  8. Imai, H. Theory of Information, Codes, and Cryptography; Lecture Series of IEICE of Japan; Corona Publishing Co., Ltd.: Tokyo, Japan, 2004.
  9. Tsuchiya, H. A Study of Attack Against Vernam Cipher; Report of Graduation Research at Tamagawa University; Tamagawa University: Machida, Japan, 2002.
  10. Nair, R.; Yuen, H.P.; Corndorf, E.; Kumar, P. Quantum noise randomized ciphers. Phys. Rev. A 2006, 74, 052309.
  11. Yuen, H.P.; Nair, R.; Corndorf, E.; Kanter, G.S.; Kumar, P. On the security of alpha-eta response to some attack on quantum-based cryptographic protocols. Quantum Inf. Comput. 2006, 6, 561–582.
  12. Hirota, O.; Sohma, M.; Kawanishi, K. Quantum noise randomized stream cipher: Y-00. Jpn. J. Opt. 2010, 39, 17.
  13. Siegenthaler, T. Decrypting a class of stream ciphers using ciphertext only. IEEE Trans. Comput. 1985, C-34, 81.
  14. Chepyzhov, V.V.; Johansson, T.; Smeets, B. A simple algorithm for fast correlation attacks on stream cipher. In Fast Software Encryption: 7th International Workshop, FSE 2000 New York, NY, USA, April 10–12, 2000 Proceedings 7; Springer: Berlin/Heidelberg, Germany, 2001; pp. 181–195.
  15. Helstrom, C.W. Quantum Detection and Estimation Theory; Academic Press: Cambridge, MA, USA, 1976.
  16. Holevo, A.S. Quantum Systems, Channels, Information; De Gruyter: Berlin/Heidelberg, Germany, 2012.
  17. Holevo, A.S. Statistical decision theory for quantum systems. J. Multivar. Anal. 1973, 3, 337.
  18. Yuen, H.P.; Kennedy, R.S.; Lax, M. Optimum testing of multiple hypotheses in quantum detection theory. IEEE Trans. Inf. Theory 1975, 21, 125–134.
  19. Hirota, O.; Ikehara, S. Minimax strategy in the quantum detection theory and its application to optical communications. Trans. IEICE Jpn. 1982, 65E, 627.
  20. Wald, A. Statistical Decision Theory; Wiley: Hoboken, NJ, USA, 1950.
  21. Middleton, D. An Introduction to Statistical Communication Theory; McGRAW-HILL: New York, NY, USA, 1960.
  22. Cariolaro, G. Quantum Communication; Springer: Berlin/Heidelberg, Germany, 2015.
  23. Ban, M.; Kurokawa, K.; Momose, R.; Hirota, O. Quantum measurements for discrimination among symmetric quantum states and parameter estimation. Int. Theor. Phys. 1997, 36, 1269.
  24. Osaki, M.; Usuda, T.S.; Hirota, O. Group covariant detection for a three phase shift keyed signal. Phys. Lett. A 1998, 245, 189–196.
  25. Kato, K.; Osaki, M.; Hirota, O. Quantum detection and mutual information for QAM and PSK signals. IEEE Trans. Commun. 1999, 47, 248–254.
  26. Osaki, M.; Ban, M.; Hirota, O. Derivation and physical interpretation of the optimum detection operators For coherent state signals. Phys. Rev. A 1996, 54, 1691.
  27. Kato, K.; Hirota, O. Square root measurement for quantum symmetric mixed state signals. IEEE Trans. Inf. Theory 2003, 49, 3312–3317.
  28. Donnet, S.; Thangaraj, A.; Bloch, M.; Cussey, J.; Merolla, J.; Larger, L. Security of Y-00 under heterodyne measurement and fast correlation attack. Phys. Lett. A 2006, 356, 406–410.
  29. Sohma, M.; Hirota, O.; Kato, K. Japan Patent Number 4451085. 27 June 2003.
  30. Yuen, H.P. Key Generation: Foundations and a new quantum approach. IEEE J. Sel. Top. Quantum Electron. 2009, 15, 1630–1645.
  31. Hirota, O.; Kurosawa, K. Immunity against correlation attack on quantum stream cipher by Yuen 2000 protocol. Quantum Inf. Process. 2007, 6, 81–91.
  32. Sohma, M.; Hirota, O. Masking property of quantum random cipher with phase mask encryption. Quantum Info. Process. 2014, 13, 2221–2240.
  33. Holevo, A.S. Statistical Structure of Quantum Theory; Springer: Berlin/Heidelberg, Germany, 2001.
  34. Osaki, M.; Ban, M.; Hirota, O. The maximum mutual information without coding for binary quantum state signals. J. Mod. Opt. 1998, 45, 269–282.
  35. Fuchs, C.A.; Peres, A. Quantum-state disturbance versus information gain: Uncertainty relations for quantum information. Phys. Rev. A 1996, 53, 2038.
  36. Yuen, H.P.; Lax, M. Multiple-parameter quantum estimation and measurement of non-self adjoint observables. IEEE Trans. Inf. Theory 1973, IT-19, 740–750.
  37. Davies, E.B. Information and quantum measurement. IEEE Trans. Inf. Theory 1978, IT-24, 596.
  38. Holevo, A.S. Covariant measurements and uncertainty relation. Reports Math. Phys. 1979, 16, 385–400.
  39. Bogomolov, N.A. Minimax measurements in a general statistical decision theory. Theory Probab. Its Appl. 1081, XXVI, 787–795.
  40. Usuda, T.; Takumi, I. Group covariant signals in quantum information theory. In Proceedings of the Quantum Communication, Computing, and Measurement 2; Kumar, P., Ed.; Plenum Press (Kluwer/Plenum): New York, NY, USA, 2000.
  41. Nakahira, K.; (Tamagawa University, Quantum ICT Research Institute). Minimum Error Probability of Asymmetric 3PSK Coherent State Signal. Private communication, 2015.
  42. Gallager, R.G. Information Theory and Reliable Communication; John Wiley and Sons: Hoboken, NJ, USA, 1968.
  43. Holevo, A.S.; Sohma, M.; Hirota, O. Capacity of quantum Gaussian channels. Phys. Rev. 1999, A-59, 1820.
  44. Hirota, O.; Iwakoshi, T.; Sohma, M.; Futami, F. Quantum stream cipher beyond the Shannon limit of symmetric cipher and the possibility of experimental demonstration. In Proceedings of the SPIE on Quantum Communication and Quantum Imaging; SPIE: Bellingham, WA, USA, 2010; Volume 7815.
  45. Hirota, O. A foundation of quantum channels with super additiveness for Shannon information. Appl. Algebra Eng. Commun. Comput. 2000, 10, 401–423.
  46. Barbosa, G.A.; Corndorf, E.; Kumar, P.; Yuen, H.P. Secure communication using mesoscopic coherent states. Phys. Rev. Lett. 2003, 90, 227901.
  47. Kanter, G.S.; Reilly, D.; Smith, N. Practical physical layer encryption: The marriage of optical noise with traditional cryptography. IEEE Commun. Mag. 2009, 47, 74–81.
  48. Hirota, O.; Sohma, M.; Fuse, M.; Kato, K. Quantum stream cipher by Yuen 2000 protocol: Design and experiment by intensity modulation scheme. Phys. Rev. A 2005, 72, 022335.
  49. Nakazawa, M.; Yosida, M.; Hirooka, T.; Kasai, K. QAM quantum stream cipher using digital coherent optical transmission. Opt. Express 2014, 22, 4098.
  50. Futami, F.; Guan, K.; Gripp, J.; Kato, K.; Tanizawa, K.; Chandrasekhar, S.; Winzer, P.J. Y-00 quantum stream cipher overlay in a coherent 256-Gbit/s polarization multiplexed 16-QAM WDM. Opt. Express 2017, 25, 33338.
  51. Tanizawa, K.; Futami, F. Ultra-long-haul digital coherent PSK Y-00 quantum stream cipher transmission system. Opt. Express 2021, 29, 10451–10464.
  52. Yu, Q.; Wang, Y.; Li, D.; Song, H.; Fu, Y.; Jiang, X.; Huang, L.; Cheng, M.; Liu, D.; Deng, L. Secure 100 Gb/s IMDD Transmission over 100 km SSMF enabled by quantum noise stream cipher and sparse RLS-Volterra Equalizer. IEEE Access 2020, 8, 63585.
  53. Luo, H.; Zhang, Z.; Dai, L.; Zhong, Y.Q.; Deng, L.; Liu, D.; Dai, X.; Gao, X.; Cheng, M. Device-compatible ultra-high-order quantum noise stream cipher based on delta-sigma modulator and optical chaos. Nature Commun. Eng. 2024, 3, 27.
  54. Futami, F.; Tanizawa, K.; Kato, K. Transmission of Y-00 quantum noise stream cipher with quantum deliberate signal randomization over field-installed fiber. Bull. Quantum Ict Res. Inst. Tamagawa Univ. 2023, 13, 23–25. Available online: https://www.tamagawa.jp/research/quantum/bulletin/pdf/10_2023_23-25.pdf (accessed on 1 October 2024).
  55. Shapiro, J.H.; Boroson, D.N.; Dixon, P.B.; Green, M.E.; Hamilton, S.A. Quantum low probability of intercept. JOSA-B Opt. Phys. 2019, 36, B41.
  56. Guha, S.; Hayden, P.; Krovi, H.L.; Lloyd, S.; Shapiro, J.H. Quantum enigma machines and the locking capacity of a quantum channel. Phys. Rev. 2014, 4, 011016.
Figure 1. Requirements for cryptography to be used in the real world.
Figure 2. Difference in randomization for mathematical cipher and quantum stream cipher.
Figure 3. Structure of mathematical stream cipher.
Figure 4. Structure of the standard quantum stream cipher, so-called the Y-00 protocol. The light source is an ordinary high-powered laser. The security is evaluated by Eve’s error when she observes the ciphertext. If the error is zero, it is equivalent to the security of PRNG.
Figure 5. Encryption and decryption process in quantum stream cipher for Bob and Eve. The ciphertext is generated at the transmitter by an optical M-ary modulator for the laser light controlled by PRNG. It corresponds to the $2M$-ary coherent state signal. The difference between Bob and Eve is whether the receiver has the correct PRNG and secret key. The difference gives the difference of error performance when Bob and Eve observe the ciphertext signals.
Figure 6. Targeted security of several quantum stream ciphers. The standard type is the scheme currently under development. Type-I causes Eve to receive a complete random ciphertext. Its realization is the latest goal of our experimental research.
Figure 7. The principle of the security analysis. The security is governed by the error performance of the eavesdropper’s ciphertext based on quantum communication theory. The subsequent process of the security analysis is the same as that of the mathematical cipher under the error.
Figure 8. The signal arrangement in the PSK scheme. Points on the circle are signals in the phase space; 0, 1 are plaintext; and $|\alpha|$ is the amplitude of the laser.
Figure 10. Essential difference in the principle of security assurance between schemes using microscopic and macroscopic quantum phenomena.
Figure 11. Essential differences in the realization method between schemes using microscopic and macroscopic quantum phenomena.
Figure 12. Essential differences in features for conventional mathematical cipher and quantum stream cipher to attain information theoretic security.