Towards Quantum Enigma Cipher II-A protocol based on quantum illumination-
aa r X i v : . [ qu a n t - ph ] N ov Towards Quantum Enigma Cipher II-A protocol based on quantum illumination-
Osamu Hirota
Quantum ICT Research Institute, Tamagawa University6-1-1 Tamagawa-gakuen, Machida, Tokyo 194-8610, Japan
E-mail: [email protected]
Abstract —This research note II introduces a way tounderstand a basic concept of the quantum enigma cipher.The conventional cipher is designed by a mathematicalalgorithm and its security is evaluated by the complexity ofthe algorithm in security analysis and ability of computers.This kind of cipher can be decrypted with probability one inprinciple by the Brute force attack in which an eavesdroppertries all the possible keys based on the correct ciphertextand some known plaintext. A cipher with quantum effectsin physical layer may protect the system from the Bruteforce attack by means of the quantum no cloning theoremand randomizations based on quantum noise effect. Therandomizations for the ciphertext which is the output fromthe mathematical encryption box is crucial to realize aquantum enigma cipher. Especially, by randomizations, itis necessary to make a substantial difference in accuracyof ciphertext in eavesdropper’s observation and legitimateuser’s observation. The quantum illumination protocol canmake a difference in error performance of the legitimate’sreceiver and the eavesdropper’s receiver. This differenceis due to differences in ability of the legitimate’s receiverwith entanglement and the eavesdropper’s receiver withoutentanglement. It is shown in this note that the quantumillumination can be employed as an element of the mostsimple quantum enigma cipher.
I. I
NTRODUCTION
The general network systems need to be protected frominterception by unauthorized parties. The most serious at-tack is “ Cyber attack against Layer-1 (physical layer suchas optical communication line)”, because technologiesof coupler for tapping have been developed by severalinstitutes [1]. In addition, there are many optical monitorports for network maintenance. In fact physical layer ofhigh speed data link is a defenseless. To date, that protec-tion has been provided by classical encryption systems.However, such technologies cannot ensure the provablesecurity, and also the eavesdropper can obtain the correctciphertext: C of mathematical cipher for payload at Layer-2, and she can store it in memory devices. Thus, wecannot rule out the possibility that the cipher may bedecrypted by future technology.The best way to protect high speed data is to physicallyrandomize signals as the ciphertext of the mathematicalencryption. This is called physical random cipher. Themost important feature of this physical random cipher isthat the eavesdropper cannot get the correct ciphertextof mathematical encryption box, for example a streamcipher by PRNG (pseudo random number generator), from communication lines, while the legitimate user canget it based on a knowledge of secret key of PRNG. Thus,the ciphertext: Y B ( C ) as the signal of the legitimateuser and the ciphertext: Y E ( C ) as the signal of theeavesdropper may be different as Y B ( C ) = Y E ( C ) .Along with this concept, Quantum Enigma Cipherallows a secure high speed data transmission by meansof the quantum noise randomization by a mathematicalencryption box and signal modulation systems, or byan integration of a mathematical encryption box and aphysical encryption box [2]. When we consider how torealize such a system, we have to take into account thefollowing requirements on the encryption system in thereal world: Requirement of specifications: (1) Data-speed:1 Gbit/sec ∼
100 Gbit/sec(2) Distance: 1000 Km ∼ ECURITY OF SYMMETRIC KEY CIPHERINCLUDING ONE TIME PAD
A. Model
Let us describe a standard symmetric key encryption.A general symmetric key encryption Λ can be given by Λ = ([ P K ] , Enc, Dec ) (1)where [ P K ] is key generation algorithm and it provideskey sequence K ∈ K depending on the probability P K , Enc is an encryption algorithm which generatesiphertext C = Enc ( K, M ) where M is plaintext, Dec is a decryption algorithm which produces plaintext M = Dec ( K, C ) . B. Security criterion
When Λ cannot be decrypted by means ofcomputational resource, its security is evaluated by“Guessing probability”[5,6].(i) Ciphertext only attack on data: P G ( M ) = max M ∈M P ( M | C ) (2)(ii) Ciphertext only attack on key: P G ( K ) = max K ∈K P ( K | C ) (3)On the other hand, when some plaintext M k andciphertext corresponding to them are known, it is calledknown plaintext attack. It is easy to generalize the aboveformula as follows:(iii) Known plaintext attack on data: P G k ( M ) = max M ∈M P ( M | C, M k ) (4)(iv) Known plaintext attack on key: P G k ( K ) = max K ∈K P ( K | C, M k ) (5)These are sometimes called maximum “a posteriori prob-ability” guessing. If one needs an average, then one candefine average guessing probability as follows: ¯ P G ( M ) = X C ∈C P ( C ) max M ∈M P ( M | C ) (6) C. Security of ideal one time pad
When the distribution P K is uniform, the one time padhas the perfect secrecy such that P G ( M ) = max M ∈M P ( M | C ) = P ( M ) (7)However, even if the system has the perfect secrecy, itdoes not mean “secure” against known plaintext attackon data when data is a language such as English. Thatis, ⌈ The perfect secrecy means secure against ciphertextonly attack, and it does not imply the security against“known plaintext attack and falsification attack”. ⌋ Thus, the term of “unconditional security” is misleading.Let us show an example. The eavesdropper can getthe correct chiphertext of the length | K | bits, and shecan launch the Brute force attack. The decrypted data sequences of the length | K | bits give all combination ofEnglish alphabet (ASCII code) of length | K | bits. Theseinclude a large number of correct English words suchas “orange, signal, cipher, and so on”. When the attackis ciphertext only attack, she cannot decide which wordis the real plaintext. However, if she knows the firstalphabet “o” as the known plaintext attack, the correctword may be “orange”. Thus, the guessing probabilitymay become very large value. D. Security of one time pad forwarded by QKD
The quantum key distribution does not provide the per-fectly uniform distribution for key sequence K G againstan eavesdropper. In fact, the average guessing probabilityis given by Portman and Renner[7] as follows: ¯ P G ( K G ) ≤ | K G | + d (8)where d is the trace distance in QKD protocol. Thus,the one time pad forwarded by QKD is non ideal onetime pad which is encrypted by key sequence with nonuniform distribution. That is, Λ = ([ P K ] = ideal, Enc, Dec ) , P K = 12 | K G | (9)If the value of the trace distance is very large in compar-ison with | KG | , the guessing probability is very large.So such a one time pad may be decrypted easily[5,6].In addition, QKD needs an initial secret key for theauthentification before the legitimate users start the QKDprotocol. This is the same situation as the conventionalsymmetric cipher in which the key is for initial seedkey for PRNG. Thus, we cannot start cryptographicaction without certain initial secret key, except for theconventional public key encryption.III. D EFINITION AND SECURITY OF QUANTUMENIGMA CIPHER
A. Definition
Let us describe here the ideal quantum enigma ciphersystem. The quantum enigma cipher consists of an in-tegration of mathematical encryption box and physicalrandomization for ciphertext of mathematical encryptionbox [2]. The mathematical encryption box has a secretkey of the length | K s | bits and PRNG for expansion of thesecret key. The physical encryption box has a mechanismto create ciphertext as signal and it has a function toinduces an error when the eavesdropper receives theciphertext as signal. Consequently different ciphertextsequences are observed in the legitimate’s receiver andthe eavesdropper’s receiver, respectively. A requirementfor the physical randomization is P e ( Eve ) >> P e ( Bob or Alice ) (10)This means that the error performance P e of the eaves-dropper becomes worse than that of the legitimate user,hen they observe the ciphertext as signal in communica-tion lines. We can consider many schemes to realize theabove condition based on several quantum effects suchas quantum noise, entanglement. But the system has tosatisfy the conditions described in the introduction. B. Security
The conventional symmetric key cipher produces theciphertext of length at most | K s | bits. Because the keylength is | K s | bits, when the eavesdropper gets the knownplaintext of the length | K s | bits and ciphertext corre-sponding to them, she can pindown the secret key by theBrute force attack (trying | K s | key candidates). That is,the guessing probability is one. In addition, the sequenceof the ciphertext has certain correlation because of thestructure of PRNG. So the eavesdropper can investigateseveral mathematical algorithms to estimate the secretkey.In the ideal quantum enigma cipher, the eavesdropper’sobservation of the cipertext as signal in communicationlines suffers error completely, while the legitimate userdoes not. So the legitimate user can decrypt by the secretkey, but the eavesdropper does not even if she gets thesecret key after her observation of ciphertext as signal.Thus, the guessing probability is P G ( K s ) = 2 −| K s | (11)even if she collects the ciphertext of | K s | bits. Thismeans an immunity against the Brute force attack bycomputers. On the other hand, the quantum no cloningtheorem may protect a physical Brute force attack bycloning whole quantum states, because a set of quantumstates for the quantum enigma cipher are designed bynon-orthogonal state with very close signal distance eachother.IV. A PPLICATION OF QUANTUM ILLUMINATION
It is not clear whether the quantum illumination proto-col provides the ideal difference between the correctnessof the ciphertext or not: η ideal = P G ( Eve ) ( K s ) P G ( Bob ) ( K s ) = P G ( Eve ) ( K s ) = 2 −| K s | (12)However, it may be one of the quantum methods tocreate the different correctness of the ciphertext as signalaccording to [3,4]. If it is so, the application of quantumillumination is very easy.(1) Alice generates entangled state, and sends thesignal mode to Bob.(2) Bob prepares a mathematical encryption box toencrypt the data sequence and modulates the receivedlight by means of BPSK, but the signal for the modulatoris the ciphertext from the mathematical encryption box.(3) Bob employs the conventional optical amplifier to mask the ciphertext signal by the spontaneous emissionnoise from the amplifier. Then he returns optical signalto Alice.(4) Alice can recover the ciphertext signal from themasking by noise by means of entanglement effect ather receiver. But Eve’s receiver suffers the error becauseshe cannot use the entanglement.So far, the quantum illumination protocol has beenproposed for a direct encryption to plaintext, and forkey generation [3,4]. However, this is not a good idea,because it is difficult to guarantee its security. It shouldbe used as a physical randamoization technique. Thescheme introduced here is an example based on the mostsimple cascade cipher of the mathematical encryption boxand the physical randomization. Even so, the structure ofsecurity analysis is drastically changed. First we need anoptimaization as follows: η error = max Λ QI P e ( Eve ) P e ( Alice ) (13)where Λ QI is a set of quantum illumination with severalphysical parameters. According to [4], P e ( Eve ) = exp ( − W κ s G B N S /RN B ) / (14) P e ( Alice ) = exp ( − W κ s G B N S /RN B ) / (15)Although we need complicated analysis to derive theguessing probabiliy of the secret key of the mathematicalenryption box based on the above under the unconditionalsetting, it may be expected to perform well.V. F OR FUTURE
We have given an example of the concept of thequantum enigma cipher by using quantum illuminationtechnique. In the sense of theoretical cryptology, such acascade cipher would not be attractive. The real quantumenigma cipher requires the emergence of the additionalenhancement for the security or the function by integrat-ing the mathematical encryption box and the physicalrandomization such as the triple DES in the conventionalcipher. The quantum noise randomized stream cipher α/η [8,9] and Y-00 [10,11] is a random cipher alongwith this concept. However, the masking is very smallin the real setting, so they need additional randomizationmethods [12] or a new technique. A key concept is howto protect a secret key of the mathematical encryptionbox by the law of quantum mechanics. The author isexpecting a good proposal.VI. C
ONCLUSION
Quantum key distribution has only just one of thefunctions of cryptology that provide secret key sequencefor realizing one time pad. As described in this note,the one time pad is not a new concept in cryptology,but quantum enigma cipher is indeed a new concept incryptology. It was claimed that the quantum illuminationay provide G bit/sec rate. But the direct encryption andalso the one time pad based on it are not an attractivescheme for the real world. Thus it is preferable to adoptas a physical randomization technique to the quantumenigma cipher.The purpose of this note is to introduce the conceptof the quantum enigma cipher using the quantum illumi-nation. The author would like to emphasize that thereare many ways to realize quantum enigma cipher byapplying the quantum physics, but he does not knowhow to establish the ideal system design to provide thedifferent performance from simple cascade effect. Thisnote may give a hint.A
CKNOWLEDGMENT
I am grateful to M.Sohma (Chief Professor of QuantumICT Research Institute) for fruitful discussions.R
EFERENCES[1] MIT, Lincolin Laboratory,
IEEE Network , May/June, pp42-48,1997.Corning Incorporated,
IEEE Military Communication Conference ,pp711-716,2004.[2] O.Hirota, Quantum Enigma Cipher: protecting optical network forcloud computing system,
Reader’s Review, United Airline ,vol-70,March 2013.O.Hirota, Cyber attack against optical communication systemand its defense technology -Toward development of QuantumEnigma Cipher-,
IEICE Technical Meeting on Optical Com-mun.System:OCS , vol-113, no-90, OCS2013-18, June, 2013.O.Hirota and F.Futami, Quantum Enigma Cipher,
ManyousyaPublishing Company , in Japanese, Oct. 2013.[3] J.H.Shapiro, Z.Zhang,and F.N.C.Wong, Secure communicationvia quantum illumination,
Quantum Information Processing, vol-13 ,pp2171-2193,2014.[4] Q.Zhang,Z.Zhang, J.Dove,F.N.C.Wong, and J.H.Shapiro, Ultra-broadband quantum secured communication, arxiv.org:quant-ph ,1508.01471, 2015.[5] M.Alimomeni, and R.Safavi-Naini, Guessing secrecy,
Proceedingsof the 6th International conference on Information TheoreticSecurity, LNCS-7412, Springer , pp1-13, 2012.[6] M.Iwamoto, and J.Shikata, Constructions of symmetric key en-cryption with Guessing secrecy,
Proceedings of the 32th confer-ence on Cryptography and Information Security , SCIS-2015.[7] C.Portman and R.Renner, Cryptographic security of quantum keydistribution, arxiv.org:quant-ph , 1409.3525, 2014.[8] G.A.Borbosa, E.Corndorf, G.S.Kanter, P.Kumar, and H.P.Yuen,Secure communication using mesoscopic coherent state,
PhysicalReview Letters, vol-90 , 227901, 2003.[9] E.Corndorf, C.Liang, G.S.Kanter, P.Kumar, and H.P.Yuen, Quan-tum noise randomized data encryption for wavelength divi-sion multiplexed fiber optic network,
Physical Review A, vol-71 ,062326, 2005.[10] O.Hirota, M.Sohma, M.Fuse, and K.Kato, Quantum stream cipherby Yuen 2000 protocol: Design and experiment by intensitymodulation scheme,
Physical Review A vol-72 , 022335, 2005.[11] F.Futami, Experimental demonstrations of Y-00 cipher for highcapacity and secure fiber communications,
Quantum InformationProcessing, vol-13 , no-10,pp2277-2292,2014.[12] O.Hirota, and K.Kurosawa, Immunity against correlation attackon quantum stream cipher by Yuen 2000 protocol,