Security analysis of a QAM modulated quantum noise stream cipher under a correlation attack

Mingrui Zhang; Yajie Li; Yajie Li; Haokun Song; Kongni Zhu; Yongli Zhao; Jie Zhang

doi:10.1364/OE.472581

1. Introduction

More and more privacy messages are transmitted through optical link with the rapid development of optical communication. Protecting these messages from eavesdropping is a major task in optical communication system. Yet the emergence of quantum computer brings serious threats to most encrypting algorithms. The quantum key distribution (QKD) is proposed to stand against these threats, such as BB84 [1]. However, QKD suffers from technical imperfections, which limits the rates of key generation and the distribution distances. Quantum noise stream cipher (QNSC) is proposed to overcome these challenges [2,3]. High transmission rates and distances are allowed since its encryption is performed in digital signal processing (DSP). Its security generates from the noise in the transmission system including quantum noise. Many experiments have been reported for different modulation formats, such as phase shift-key (PSK) [4,5], quadrature amplitude modulation (QAM) [6–8], and intensity shift-key (ISK) [9–11]. Meanwhile, QNSC requires the transmitter and the receiver to share a stream cipher that is generated from a pseudorandom number generator (PRNG).

However, due to the computable mathematical properties of linear-feedback-shift-register-based (LFSR-based) PRNG, QNSC is threated by mathematical attack. The correlation attack is proposed as a powerful attack against LFSR-based PRNG. Correlation attack targets the seed keys which is the initial state of LFSR and it belongs to known-plaintext attacks. The security of QNSC under correlation attack has been analyzed in [12,13], which theoretically proves the immunity of QNSC against correlation attack. Besides, it is shown that the system can achieve theoretical security through reasonable parameter settings [14]. However, the parameters of transmission system such as optical power and noise are variable, which causes the variation in security level in the practical transmission system of QNSC.

In this paper, we conduct the security analysis of QAM/QNSC transmission system under correlation attack based on hypothesis testing theory by experiment. Our previous work demonstrates that the security can be ensured in QNSC system through maintaining a high-level noise masking and timely updating the seed keys [15]. This article extends the previous work by addressing the following three aspects. (i) We establish a method to derive bit error ratio for different bit positions in a symbol by noise masking model. This method can describe the effect of noise on of different bit positions in a symbol more accurately. Besides, the correlation between intercepted running keys and the original running keys can be quantified through this method. (ii) We consider different correlation brought by the nonlinear function of the register of LFSR. The correlation between seed keys and original running keys is able to be quantified through this method. (iii) Experiment is updated according to the proposed two methods. In addition, compared with the fixed optical power in our previous work, variable optical power from −20dBm to 10dBm is considered in our experiment in this paper. Besides, noise masking for different optical power is discussed in our result analysis. The experiment demonstrates that the correlation attack can be prevented in QAM/QNSC system through weakening the correlation between seed keys and incepted running keys and timely updating the seed keys.

2. Principle of QAM/QNSC based on QAM modulation

2.1. Key generation

First, Alice (the transmitter) has to share a seed key K_S with Bob (the receiver) to generate the running key. The key generator of QNSC consists of several LFSRs and a nonlinear function. The x ₁, x ₂…x_N represent the output bits of each LFSRs. The running key is finally generated by x ₁, x ₂…x_N through a nonlinear function. The nonlinear function breaks the linear relationship between the output of LFSR and the running key, which brings challenge to correlation attack. In Fig. 1, Geffe’s generator is used as an example of the key generator, which consists of three LFSRs. Each LFSR has different initial states and generator polynomials. For instance, register 1 is ‘1000010110001’ and ${x^{13}} + {x^{10}} + {x^9} + {x^2} + 1$. And x ₁, x ₂ and x ₃ represent the output of these three LFSRs, respectively. The running key K_R is drawn after the processing of the nonlinear function, that is ${K_R} = {x_1}\neg {x_2} + {x_2}{x_3}$. We define q as the correlation between the output of registers and the output of nonlinear function. Hence in all possible outputs, we can see that $ p({K_R} = \textrm{ }{x_1}) = {q_1} = {6 / 8} = 0.75$ for register 1, $ p({K_R} = \textrm{ }{x_2}) = {q_2} = {4 / 8} = 0.5$ for register 2 and $p({K_R} = \textrm{ }{x_3}) = {q_3} = {6 / 8} = 0.75$ for register 3. Since additional mathematical operations are introduced, the nonlinear function will slightly reduce the generation speed of session keys. For instance, the offline key generation system is implemented based on the Intel Core i7-8750 H CPU. During the generation of 600 thousand key bits, the additional time cost of using nonlinear function is about 4.3 milliseconds. Thus, the nonlinear function hardly affects the processing speed of encryption and decryption.

Fig. 1. Structure of Geffe’s generator.

Download Full Size | PDF

2.2. DSP in QAM/QNSC

Figure 2(a) shows the DSP module in QNSC at transmitter and receiver. The data stream is mapped into quad-phase shift keyed (QPSK) signal at the transmitter firstly. Secondly, an encrypted QAM signal is generated by the QPSK signal with QNSC principle as shown in Fig. 2(b). The 1-bit QPSK data and M-1-bits basis are used to generate the encrypted QAM signal in I and Q modes. The basis and encrypt rule are shared by transmitter and receiver. The number of constellation points of QNSC signal is 2^M× 2 M. Therefore, the M + M encrypted symbols hide the 2-bits (I + Q) original data and the decision level of QNSC signal for Eve is covered by quantum noise or other noise such as amplifier spontaneous emission (ASE) noise without shared basis. As an example, we use 2-bit information data ${S_I} = (1)$, ${S_Q} = (1)$ and 18-bit basis ${B_I} = ({b_{I9}}{b_{I8}}{b_{I7}} \ldots {b_{I1}}) = (011110010)$, ${B_Q} = ({b_{Q9}}{b_{Q8}}{b_{Q7}} \ldots {b_{Q1}}) = (010010011)$ to generate 20-bit encrypted data ${E_I} = ({S_I} \oplus {b_{I1}},{B_I}) = (1011110010)$, ${E_Q} = ({S_Q} \oplus {b_{Q1}},{B_Q}) = (0010010011)$. Then, 2 bands divide the encrypted 1024 × 1024-QAM signal. Each band of signal is converted from time-domain to frequency-domain by a 256-point discrete fourier transform (DFT). The two bands are inserted into the center of the bandwidth at transmitter. A 1024-point inverse discrete fourier transform (IDFT) is used to generate the discrete-fourier-transform spread orthogonal frequency division multiplexing (DFTs-OFDM) signal by padding redundant zeroes on the higher frequency area. After DFTs-OFDM signal is converted from frequency-domain to time-domain by IDFT, a 32 sampling points’ cyclic prefix (CP) is inserted to resist polarization mode dispersion. Then, DFTs-OFDM based QNSC signal is generated by a M-bit resolution digital-to-analog converter (DAC) [16].

Fig. 2. (a) DSP at the transmitter and receiver; (b) generation principle of encryption.

Download Full Size | PDF

The detected QNSC signal is operated with carrier recovery and dispersion compensation at receiver. The CP is removed after synchronization is made, Subsequently, a 1024-point DFT transforms the data from time-domain to frequency-domain. Channel equalization is performed with the training sequence. The encrypted 1024 × 1024-QAM signal is restored by 256-point IDFT after the frequency-domain equalization. Then, the encrypted 1024 × 1024-QAM signal is decrypted into a QPSK signal by pre-shared basis. Eve has to deploy correlation attack to gain the seed key from encrypted QAM signal without the pre-shared basis. Finally, the QPSK signal is demodulated into binary data.

2.3. Bit error ratio for different bit positions

The noise masking Γ is commonly considered as an evaluation index of security in QNSC system [17]. It is defined as $\Gamma = 2\sigma /\varDelta$, where σ is the standard deviation of quantum noise and other noise and Δ is the minimum Euclidean distance of QNSC signal in constellation diagram, as shown in Eq. (1).

(1)$$\Delta = \frac{2}{{{2^M} - 1}}, $$

M is the length of encrypted symbol for I or Q channel. Furthermore, the symbol error ratio (SER) of QAM/QNSC is given as Eq. (2).

(2)$$SER = 1 - {\left[ {1 - \frac{{M - 1}}{M}erfc\left( {\frac{1}{{\sqrt 2 \Gamma }}} \right)} \right]^2}, $$

where

(3)$$erfc(x )= \frac{2}{{\sqrt \pi }}\int_x^\mathrm{\infty } {{e^{ - {t^2}}}dt} , $$

In our previous work, the average bit error ratio (BER) can be concluded by SER as $BER = 1 - {(1 - SER)^{1/M}}$ [15]. Yet the BER for different bit positions in a symbol is not the same in the practical transmission system. The previous algorithm underestimates the noise masking Γ. In this paper, we conduct further research to calculate each bit’s error ratio P_m in a symbol, and m represents bit position (m grows higher from right to left). There are two common QAM mapping: bin mapping and gray mapping. If gray mapping based QAM is used, the relationship between BER and bit position will change. There is only one-bit difference for two adjacent constellation points in gray mapping. In this case, the BER of high bit position in high modulation will increase in gray mapping. Consequently, it is very difficult for Bob to get the encoded bit from high bit position. That is why we adopt bin mapping for our QNSC encryption. For example, as shown in Fig. 3, a symbol of 4 × 4 QAM in In-phase (I) or Quadrature-phase (Q) channels has 2 bits which are 00, 01, 10, 11, and the P_m of 1^st and 2^nd bit are also given. We assume that I and Q channels are independent and approximated Gaussian distribution. Thus, the bit error ratio of QAM in I channel is just discussed.

Fig. 3. Error ratio of 1^st and 2^nd bit in an I channel’s symbol of 4 × 4QAM.

Download Full Size | PDF

The red areas a ₁, a ₂, a ₃ and a ₄ represent the error decision areas for each bit. For example, the 1^st bit position of symbol 01 is 1, and the bit error ratio of it is a ₁+ a ₄. Therefore, we are able to calculate the bit error ratio for 1^st bit position as Eq. (4). Similarly, the bit error ratio for 2^nd bit position is showed as Eq. (5).

The factors h and j are defined to general our calculation method of P_m from 4 × 4 QAM to M × M QAM. As shown in Fig. 4, h represents the decimal of the bits below the m ^th bit position in the symbol while j represents the decimal of the bits after the m ^th bit position in the symbol.

(4)$$\begin{array}{ll} {P_1} &= \frac{1}{4}({{a_1} + {a_2} + {a_1} + {a_4} + {a_1} + {a_4} + {a_1} + {a_2}} )= \frac{1}{2}({2{a_1} + {a_2} + {a_4}} )\\ \textrm{ } &= \frac{1}{2}\sum\limits_{h = 0}^0 {\left\{ {\sum\limits_{j = 0}^1 {\left[ {\sum\limits_{i = 1}^{3 - 2j} {{{({ - 1} )}^{i + 1}}\frac{1}{2}erfc\left( {\frac{{i2 - 1 - 2h}}{{\sqrt 2 \Gamma }}} \right) + \sum\limits_{i = 1}^{2j} {{{({ - 1} )}^{i + 1}}\frac{1}{2}erfc\left( {\frac{{i2 - 1 - 2h}}{{\sqrt 2 \Gamma }}} \right)} } } \right]} } \right\}} , \end{array}$$

(5)$$\begin{array}{ll} {P_2} &= \frac{1}{4}({{a_3} + {a_4} + {a_4} + {a_3}} )= \frac{1}{2}({{a_3} + {a_4}} )\\ \textrm{ } &= \frac{1}{2}\sum\limits_{h = 0}^1 {\left\{ {\sum\limits_{j = 0}^0 {\left[ {\sum\limits_{i = 1}^{1 - 2j} {{{({ - 1} )}^{i + 1}}\frac{1}{2}erfc\left( {\frac{{i2 - 1 - 2h}}{{\sqrt 2 \Gamma }}} \right) + \sum\limits_{i = 1}^{2j} {{{({ - 1} )}^{i + 1}}\frac{1}{2}erfc\left( {\frac{{i2 - 1 - 2h}}{{\sqrt 2 \Gamma }}} \right)} } } \right]} } \right\}} , \end{array}$$

Fig. 4. Definition of h and j.

Download Full Size | PDF

If 0 and 1 are equally distributed and inter symbol interference (ISI) is ignorable, the calculation of P_m (m = 1,2…M) is as followed:

(6)$${P_m} = \frac{1}{{{2^{M - 1}}}}\sum\limits_{h = 0}^{\scriptstyle{2^{m - 1}} \atop \scriptstyle - 1 } {\left\{ {\sum\limits_{j = 0}^{\scriptstyle{2^{M - m}} \atop \scriptstyle - 1 } {\left[ {\sum\limits_{i = 1}^{\scriptstyle{2^{M - m + 1}} \atop \scriptstyle - 1 - 2j } {{{({ - 1} )}^{i + 1}}\frac{1}{2}erfc\left( {\frac{{i{2^m} - 1 - 2h}}{{\sqrt 2 \Gamma }}} \right)} + \sum\limits_{i = 1}^{2j} {{{({ - 1} )}^{i + 1}}\frac{1}{2}erfc\left( {\frac{{i{2^m} - 1 - 2h}}{{\sqrt 2 \Gamma }}} \right)} } \right]} } \right\}} , $$

The bit error ratio for different bit positions m in an I channel’s symbol of 1024 × 1024 QAM/QNSC shows as Fig. 5(a). The theoretical value derived from Eq. (6) is close to the experimental value while Γ=133 and Γ=246. The effect of noise on bit position increases as bit position decreases. Specially, P_m is close to 0.5 for bit positions below 5. And higher Γ brings higher P_m for bit positions after 5. Since P_m is not 0.5 for all bit positions, Eve can deploy correlation attack to derive the seed key from the noise effected sequence [18].

Fig. 5. (a) Bit error ratio P _m for different bit positions m; (b) The p for different noise standard deviation σ in QAM/QNSC without deliberate signal randomization.

Download Full Size | PDF

3. Correlation attack

In correlation attack on QNSC, the propose of Eve is to gain the seed keys (the initial state of LFSR). The steps of correlation attack are as follows.

(1) We assume that the DSP rules and the structure of LFSR have been exposed by Eve. Besides, Eve utilizes M and σ to calculate P_m as Eq. (6).
(2) Eve performs the same DSP as Bob and intercepts the ciphertext with a specific length L. L is much larger than the number of bits in one symbol. The correlation attack is a kind of known-plaintext attack. Assuming that Eve knows the plaintext corresponding to the intercepted ciphertext. Thus, Eve is able to get the intercepted running key K_I with a length L. Yet, K_I is still interfered by the noise under this assumption, which shows correlation with the K_R as shown in Eq. (7).
(3) Using K_I and P_m, correlation attack is launched by Eve to gain the seed keys.
(4) If Eve gets the seed keys, Eve is able to decode the message with the generated key stream. $(7)$$p = \frac{1}{L}\sum\limits_{n = 1}^L {({{K_{In}}\mathrm{\ \oplus }{K_{Rn}}} )} = 1 - {P_m}, $$$

The p is defined as the probability that each bit of K_I equals with the K_R. The n represents the n ^th bit in a sequence with a length of L. Without deliberate signal randomization, Fig. 5(b) shows variations of p for different noise standard deviation σ in QAM/QNSC. The p decreases while σ increases, which proves the noise in transmission system weaken the correlation between K_I and K_R. Besides, increasing M in QAM/QNSC also weaken such correlation. With the help of the quantum noise, deliberate signal randomization and deliberate error randomization [19] including running key mapping [20,21], gray mapping [22], and multi-bit mapping [23], $p \in [0,0.5]$.

Then, ${p_e} = 1 - ({p + q} )+ 2pq$ (q is defined in Section 2.1) is calculated, where p_e is the probability that K_I equals with the output of LFSR. Suppose the seed keys’ length of attacked register is g, we need to separate all 2 g possible K_S into two hypotheses (H ₁: seed keys; H ₂: non-seed keys). These hypotheses are given their own Gaussian distributions with Eq. (8).

(8)$$\begin{array}{ll} P({\alpha |{{H_1}} } ):{\mu _1} &= 0,{\sigma _1} = \sqrt L , \\ P({\alpha |{{H_2}} } ):{\mu _2} &= L({2{p_e} - 1} ),{\sigma _1} = 2\sqrt L \sqrt {{p_e}({1 - {p_e}} )} , \end{array}$$

where α is the correlation measure between the intercepted running key and the LFSR output generated by the tested possible seed key. Based on the value of α, we can thus determine which probability distribution the tested key most likely belongs to.

We can see that two distributions have a relatively small overlap, which should make it easy to place the correlation measure α for the guessed initial state in the correct distribution. The next thing we need to do is to calculate the threshold T, which is used to separate the two distributions. The threshold will therefore be placed somewhere between the two distributions. To do that, we need to first set our target value for probability of false positives (p_f) or the probability of missing the event (p_m). The p_m represents the probability that the true seed keys are misplaced in H ₂. Besides, the p_f represents the probability that each false seed key is misplaced in H ₁. These values represent the probability that a guessed initial state is placed in the wrong distribution. In this example, they would be defined as Eq. (9):

(9)$$\begin{array}{ll} {p_f} &= P({\alpha \ge T|{{H_1}} } )= 1 - Q\left( {\left|{\frac{T}{{\sqrt L }}} \right|} \right), \\ {p_m} &= P({\alpha \mathrm{\ < }T|{{H_2}} } )= Q\left( {\left|{\frac{{L({2{p_e} - 1} )T}}{{2\sqrt L \sqrt {{p_e}({1 - {p_e}} )} }}} \right|} \right), \end{array}$$

where

(10)$$Q(x )= \frac{1}{{\sqrt {2\pi } }}\int_x^\mathrm{\infty } {{e^{{{ - {t^2}} / 2}}}dt} , $$

The next step is then to obtain the correlation measure α with Eq. (11):

(11)$$\alpha = L - 2\sum\limits_{n = 1}^L {({{K_{In}}\mathrm{\ \oplus }{x_{Nn}}} )} , $$

The correlation measure α needs to be calculated for each guessed K_S for the attacked LFSR as shown in Eq. (11). K_In and x_Nn is the n ^th bit of K_I and the output from the N ^th LFSR (with guessed K_S) that we try to attack. Hence, each α for every guessed K_S is able to be calculated.

The final stage of the attack involves determining which hypothesis to accept for every guessed K_S. Thanks to the α, T, H ₁ and H ₂, the evaluation is:

If α ≥ T, we accept the hypothesis H ₁ and the guessed K_S is a candidate for being the correct one. The probability that is was falsely selected as a candidate is expressed in p_f.

If α<T, we accept the hypothesis H ₂, and the guessed K_S is not a candidate for being the correct one. The probability that is was falsely selected as not a candidate is expressed in p_m.

As shown in Fig. 6(a), we obtained T = 123.665 as p_e= 0.575, L = 1200, p_m= 0.05 and p_f= 0. Besides α=128 for K_S= 0111011111001, α=128 for K_S= 1010101010101 and α=228 for K_S =1000010110001 with a 13-bit LFSR. According to the previous evaluation, these three K_S will be the candidate for being the correct K_S, since their α≥T. We suppose Ca as the number of candidates found. Thus, Ca is equal to 3 in Fig. 6(a). Obviously, the smaller Ca is, the more possibility for correlation attack to be success. Compare Fig. 6(a) and (b), we can find that the shorter the length of K_I L, the more difficult it is for Eve to approach correlation attack. Comparing Fig. 6(a) with Fig. 6(c), we can find that the higher p _e can make correlation attack easier. It is worth noting that the higher p _m can also give assistance to correlation attack according to Fig. 6(a) and Fig. 6(d). Yet this approach is not recommended since the true seed key will be assigned to H ₂ with p _m probability. However, this approach will be the only way to increase attack success possibility (ASP) for Eve while p _e and L are limited.

Fig. 6. The distributions of $P({\alpha |{{H_1}} } )$ and $P({\alpha |{{H_2}} } )$ for p_e= 0.575, L = 1200, p_m= 0.05, p_f= 0 (a); p_e= 0.575, L = 600, p_m= 0.05, p_f= 0 (b); p_e= 0.75, L = 1200, p_m= 0.05, p_f= 0 (c) and p_e= 0.575, L = 1200, p_m= 0.5, p_f= 0 (d).

Download Full Size | PDF

Eventually, ASP is 100% if Ca = 1. Besides, ASP is 0% if Ca = 2 g. Therefore, the ASP is defined as Eq. (12), which represents the average amount of information obtained by Eve in each bit of the seed key. For instance, ASP = 0 when Ca = 4 and g = 2. It means the candidates of 2-bits seed key for Eve is ‘00’, ‘01’, ‘10’ and ‘11’. The average probability for Eve to get each bit of true 2-bits seed key is 50% (0 or 1). Hence the average amount of information obtained by Eve in each bit of the seed key is 0. The computational complexity of this correlation attack is calculated by…

(12)$$ASP = 1 - \frac{{{{\log }_2}Ca}}{g}, $$

4. Experimental setup and results analysis

Figure 7 shows the experiment’s setup of 2^M× 2 M QAM/QNSC digital coherent transmission over 300 km standard single mode fiber (SSMF). A continuous wave (CW) laser sends a beam light with 11dBm power and 1550 nm wavelength into an I/Q modulator. At transmitter, the I and Q channel’s data are generated by an arbitrary waveform generator (AWG) into an electrical signal at 10-GSample/s after DSP. The electrical signal is loaded onto the beam optical carrier after amplified by the modulator driver (MD). Then, the optical signal is attenuated by a variable optical attenuator, amplified by an erbium-doped fiber amplifier (EDFA) and transmitted through a 300 km SSMF. At the receiver, the received optical signal is amplified into 0dBm. A coherent optical receiver is used to detect optical signal. The detected I and Q channel’s signals are captured by an oscilloscope with 40-GSa/s. Eve can temporarily intercept the signal from Bob to launch the correlation attack.

Fig. 7. The experimental setup of 2^M× 2 M QAM/QNSC digital coherent transmission over 300 km SSMF.

Download Full Size | PDF

ASP of correlation attack for Eve is shown in Fig. 8. Different values of ASP are shown as different colors. We can draw a conclusion that the ASP is approaching 1 as the growth of p while L and q is fixed. Besides the ASP is approaching 1 as the growth of q while L and p is fixed for instance ASP = 0 and 0.373 for q = 0.75 and 1 while L = 1800 and p = 0.56. Because a higher p or q strengthens the correlation between intercepted keys and seed keys, which makes it easier to extract the seed keys through correlation attack. Meanwhile, the growth of ASP results from the increase of L. Hence longer intercepted ciphertext brings more information of seed keys to Eve during correlation attack. In addition, a higher ASP stems from a higher p_m with fixed L and p. For example, ASP = 0.373 and 1 for p_m =0 and 0.5 while L = 1800 and p = 0.56.

Fig. 8. ASP of correlation attack

Download Full Size | PDF

Figure 9(a) shows the noise masking numbers for M = 6, 7, 8, 9 and 10 while the optical power is changed from −20 to 10 dBm. Γ decreases as the optical power increases. Therefore, low-level optical power has to be maintained to ensure high noise masking numbers, which also brings challenge to correlation attack. Besides, it is also effective for maintaining high-level noise masking numbers by increasing M in 2^M× 2 M QAM/QNSC. Figure 9(b) shows the BER performance of 2^M× 2 M QAM/QNSC data as different optical powers. The error-free condition is defined as a BER below the FEC threshold (4 × 10⁻²). We achieved an error-free operation with FEC at optical power above −12, −7, −4, −2 and −1dBm for M = 6, 7, 8, 9 and 10. Meanwhile, BER decreases as the increase of optical power and a higher BER value leads to a higher M.

Fig. 9. (a) Noise masking by quantum noise and (b) BER performance of 2^M× 2 M QAM/QNSC with different optical powers;

Download Full Size | PDF

The time cost (TC) of correlation attack is shown as Fig. 10. When L = 2400 and g = 14, the TC is 79.48. When L = 2400 and g = 13, the TC is 39.12. The equipment we used to conduct correlation attack carries Intel Core i7-8750 H CPU, which is the same as our previous work. The TC is exponential growing with the increase of register’s length g. Meanwhile, a linear correlation is shown between the TC and L. Therefore, our experiment proves the correctness of the theoretical computational complexity which is shown as $C = O({2^g}L)$. Besides, the TC in fixed L and g in this experiment is the same as our previous work since the attack equipment is the same.

Fig. 10. Time cost of correlation attack.

Download Full Size | PDF

The experiment results show that three approaches are available to provide the security under correlation attack in QNSC system. The first is to apply nonlinear function after LFSR. Different reduction of q is brought by this approach according to different setup of nonlinear function. The second is to maintain high-level noise masking by increasing symbol length M or decreasing optical power. However, this protection can be overcome by increasing L at the cost of a higher TC. Besides, it will also degrade the transmission performance between Alice and Bob. The third approach is to periodically update the seed keys. This approach hardly affects the transmission between Alice and Bob, which maintains BER over 4E-2. The period of updating seed keys is defined as R. As the situation of L = 2400 and g = 13 in Fig. 10, if R>39.12, Eve will always get seed keys whenever seed keys are updated. If R<39.12, Eve cannot get seed keys before seed keys are updated. Therefore, the security is ensured while R<TC.

5. Conclusion

In this paper, we conduct the security analysis on QAM/QNSC transmission system under correlation attack based on hypothesis testing theory by experiment. Compared with our previous study on LFSR-based QAM/QNSC transmission system, we establish a method to derive bit error ratio for different bit positions in a symbol based on noise masking model. This method can describe the noise of system and the correlation between intercepted key and the original running key accurately. Besides, we consider different correlation brought by the nonlinear function of the register of LFSR. Noise masking for variable optical power is also considered in our experiment in this paper. The experiment demonstrates that the correlation attack can be prevented in QAM/QNSC system through weakening the correlation between seed keys through following approaches. (i) Applying nonlinear function after LFSR. (ii) Maintaining high-level noise masking by increasing symbol length M or decreasing optical power. (iii) Deploying deliberate signal randomization and deliberate error randomization. (iv) Updating the seed keys timely.

There have been new progresses on fast true random number generation based on broadband photonic sources [24–26]. Due to the application of fast true random number generation based on broadband photonic sources, key distribution rate can break through 10Gbps. Hence it is able to be used in QNSC system. Besides, the risk of mathematical attack also reduces since the security of it originates from physical initial chaos instead of initial state and mathematical algorithm of LFSR-based PRNG. Yet on the other hand, fast true random number generation based on broadband photonic source requires specific equipment such as chaotic laser, which may be the limitation of its application.

Funding

National Natural Science Foundation of China (61831003, 61901053, 62021005); Fundamental Research Funds for the Central Universities (2021RC12); Soochow University (SDGC2117).

Disclosures

The authors declare no conflicts of interest.

Data availability

Data underlying the results presented in this paper are not publicly available at this time but may be obtained from the authors upon reasonable request.

References

1. P. W. Shor and J. Preskill, “Simple proof of security of the BB84 quantum key distribution protocol,” Phys. Rev. Lett. 85(2), 441–444 (2000). [CrossRef]

2. G. A. Barbosa, E. Corndorf, P. Kumar, and H. P. Yuen, “Secure communication using mesoscopic coherent states,” Phys. Rev. Lett. 90(22), 227901 (2003). [CrossRef]

3. R. Nair, H. P. Yuen, E. Corndorf, T. Eguchi, and P. Kumar, “Quantum-noise randomized ciphers,” Phys. Rev. A 74(5), 052309 (2006). [CrossRef]

4. K. Tanizawa and F. Futami, “Digital coherent PSK Y-00 quantum stream cipher with 2¹⁷ randomized phase levels,” Opt. Express 27(2), 1071–1079 (2019). [CrossRef]

5. K. Tanizawa and F. Futami, “Digital coherent 20-Gbit/s DP-PSK Y-00 quantum stream cipher transmission over 800-km SSMF,” in Optical Fiber Communication Conference (San Diego, CA, USA, 2019), paper Th1J.7.

6. F. Futami, K. Guan, J. Gripp, K. Kato, K. Tanizawa, S. Chandrasekhar, and P. J. Winzer, “Y-00 quantum stream cipher overlay in a coherent 256-Gbit/s polarization multiplexed 16-QAM WDM system,” Opt. Express 25(26), 33338–33349 (2017). [CrossRef]

7. M. Nakazawa, M. Yoshida, T. Hirooka, and K. Kasai, “QAM quantum stream cipher using digital coherent optical transmission,” Opt. Express 22(4), 4098–4107 (2014). [CrossRef]

8. M. Nakazawa, M. Yoshida, T. Hirooka, K. Kasai, T. Hirano, T. Ichikawa, and R. Namiki, “QAM quantum noise stream cipher transmission over 100 km with continuous variable quantum key distribution,” IEEE J. Quantum Electron. 53(4), 1–16 (2017). [CrossRef]

9. F. Futami, K. Tanizawa, K. Kato, and O. Hirota, “1000-km transmission of 1.5-Gb/s Y-00 quantum stream cipher using 4096-level intensity modulation signals,” in CLEO: Science and Innovations (San Jose, CA, USA, 2019), paper SW3O.4.

10. F. Futami and O. Hirota, “Masking of 4096-level intensity modulation signals by noises for secure communication employing Y-00 cipher protocol,” in Proceedings of European Conference on Optical Communication and Exhibition (Geneva, Switzerland, 2011), paper Tu.6.C.4.

11. F. Futami, K. Tanizawa, and K. Kato, “Y-00 quantum-noise randomized stream cipher using intensity modulation signals for physical layer security of optical communications,” J. Lightwave Technol. 38(10), 2774–2781 (2020). [CrossRef]

12. S. Donnet, A. Thangaraj, M. Bloch, J. Cussey, J. Merolla, and L. Larger, “Security of Y-00 under heterodyne measurement and fast correlation attack,” Phys. Lett. A 356(6), 406–410 (2006). [CrossRef]

13. T. Iwakoshi, “Analysis of Y00 protocol under quantum generalization of a fast correlation attack: Toward information-theoretic security,” IEEE Access 8, 23417–23426 (2020). [CrossRef]

14. Y. Chen, H. Jiao, H. Zhou, J. Zheng, and T. Pu, “Security analysis of QAM quantum-noise randomized cipher system,” IEEE Photonics J. 12(4), 1–14 (2020). [CrossRef]

15. M. Zhang, Y. Li, H. Song, B. Wang, Y. Zhao, and J. Zhang, “Security analysis of quantum noise stream cipher under fast correlation attack,” in Optical Fiber Communication Conference (Virtual, Online, United States, 2021), paper Th1A.5.

16. X. Yang, J. Zhang, Y. Li, Y. Zhao, G. Gao, and H. Zhang, “DFTs-OFDM based quantum noise stream cipher system,” Opt. Fiber Technol. 52, 101939 (2019). [CrossRef]

17. F. Fumio, K. Tanizawa, K. Kato, and O. Hirota, “Experimental investigation of security parameter of Y-00 quantum stream cipher transceiver with randomization technique: part II,” Proc. SPIE 10771, 1077114 (2018). [CrossRef]

18. Siegenthaler, “Decrypting a class of stream ciphers using ciphertext only,” IEEE Trans. Comput. C-34(1), 81–85 (1985). [CrossRef]

19. K. Kentaro and O. Hirota, “Quantum stream cipher part IV: effects of the deliberate signal randomization and the deliberate error randomization,” Proc. SPIE 6305, 630508 (2006). [CrossRef]

20. S. Tetsuya, O. Hirota, and Y. Nagasako, “Running key mapping in a quantum stream cipher by the Yuen 2000 protocol,” Phys. Rev. A 77(3), 034305 (2008). [CrossRef]

21. O. Hirota and K. Kurosawa, “Immunity against correlation attack on quantum stream cipher by Yuen 2000 protocol,” Quantum Inf. Process. 6(2), 81–91 (2007). [CrossRef]

22. J. Li, Y. Li, B. Wang, K. Wang, Y. Zhao, and J. Zhang, “Ciphertext mapping method based on gray code in quantum noise stream cipher,” in Proceedings of International Conference on Optical Communications and Networks (Qufu, China, 2021).

23. K. Wang, J. Zhang, Y. Li, Y. Zhao, and H. Zhang, “Multi-bit mapping based on constellation rotation in Quantum Noise Stream Cipher,” Opt. Commun. 446, 147–155 (2019). [CrossRef]

24. Y. Guo, Q. Cai, P. Li, R. Zhang, B. Xu, K. Alan Shore, and Y. Wang, “Ultrafast and real-time physical random bit extraction with all-optical quantization,” Adv. Photonics 4(3), 035001 (2022). [CrossRef]

25. P. Li, Y. Wang, and J. Zhang, “All-optical fast random number generator,” Opt. Express 18(19), 20360 (2010). [CrossRef]

26. P. Li, Y. Guo, Y. Guo, Y. Fan, X. Guo, X. Liu, K. Li, K. Alan Shore, Y. Wang, and A. Wang, “Ultrafast fully photonic random bit generator,” J. Lightwave Technol. 36(12), 2531–2540 (2018). [CrossRef]

Security analysis of a QAM modulated quantum noise stream cipher under a correlation attack

Abstract

1. Introduction

2. Principle of QAM/QNSC based on QAM modulation

2.1. Key generation

2.2. DSP in QAM/QNSC

2.3. Bit error ratio for different bit positions

3. Correlation attack

4. Experimental setup and results analysis

5. Conclusion

Funding

Disclosures

Data availability

References

Data availability

Cited By

Figures (10)

Equations (12)

Optics Express