Guessing probability under unlimited known-plaintext attack on secret keys for Y00 quantum stream cipher by quantum multiple hypotheses testing

Abstract: Although quantum key distribution is regarded as promising secure communication, security of Y00 protocol proposed by Yuen in 2000 for the affinity to conventional optical communication is not well-understood yet; its security has been evaluated only by the eavesdropper's error probabilities of detecting individual signals or masking size, the number of hidden signal levels under quantum and classical noise. Our study is the first challenge of evaluating the guessing probabilities on shared secret keys for pse… Show more

“…is determined, from the Cauchy-Schwarz inequality, Eve's average success probability with known x denoted by -tr Γ(x) is maximized as follows [19].…”

“…In our previous work [19], it was shown that the attacker "Eve" could not guess the correct secret keys shared by legitimate users "Alice" and "Bob" with a probability of one even under an unlimitedly long known-plaintext attack (KPA) with the assistance of quantum memory to utilize the quantum and classical multiple-hypotheses testing theory [20]- [22]. The key aspect of the unlimitedly long KPA is to simplify the security analysis of the Y00 protocol because the signals cyclically appear when the effect of the plaintext is subtracted.…”

Analysis of Y00 Protocol Under Quantum Generalization of a Fast Correlation Attack: Toward Information-Theoretic Security

“…is determined, from the Cauchy-Schwarz inequality, Eve's average success probability with known x denoted by -tr Γ(x) is maximized as follows [19].…”

“…In our previous work [19], it was shown that the attacker "Eve" could not guess the correct secret keys shared by legitimate users "Alice" and "Bob" with a probability of one even under an unlimitedly long known-plaintext attack (KPA) with the assistance of quantum memory to utilize the quantum and classical multiple-hypotheses testing theory [20]- [22]. The key aspect of the unlimitedly long KPA is to simplify the security analysis of the Y00 protocol because the signals cyclically appear when the effect of the plaintext is subtracted.…”

Analysis of Y00 Protocol Under Quantum Generalization of a Fast Correlation Attack: Toward Information-Theoretic Security

“…There are not many studies on full-KPA against conventional mathematical stream ciphers or OTP where full-plaintext is granted to Eve. In the previous work [28], it was shown that a Y00 protocol would not allow Eve to launch a key-recovery attack by unlimitedly long KPA with a probability of unity under the certain attack scenario and implementation of the Y00 system even when Eve has a quantum memory and can perform the optimal measurement. Contrary, conventional mathematical stream ciphers allow Eve to recover the key with a probability of unity because the keystream will be explicitly known to Eve.…”

“…However, there would be better attacks. For instance, the previous work [28] showed Eve would be more confident as time passes under her unlimitedly long KPA. Eve may keep passive eavesdropping until she becomes confident of the shared keys, then she launches her message falsification attacks based on her most possible keys.…”

“…Note also that [28] described that the legitimate users have to exchange a fresh key before the attacker's guessing probability rises at a certain level to threat the Y00 system. This key-refreshment will also prevent Eve from launching a message-falsification attack based on the most likely keys described above.…”

Message-Falsification Prevention With Small Quantum Mask in Quaternary Y00 Protocol

Physical-layer security analysis of a quantum noise randomized cipher assisted by chaos masking