Physical-layer security analysis of a quantum-noise randomized cipher based on the wire-tap channel model

Haisong Jiao; Tao Pu; Jilin Zheng; Peng Xiang; Tao Fang

doi:10.1364/OE.25.010947

1. Introduction

Despite its better security than copper-wired links and wireless communications in terms of no-leakage of electromagnetic radiation, optical fiber communication (OFC) is still vulnerable to various attacks [1, 2]. Meanwhile, conventional encryption based on computation complexity is under the threat of rapidly increasing computing power of modern computers [3]. Based on quantum mechanical principles, quantum key distribution (QKD) is an effective approach to solving the aforementioned problems [4], which combined with one-time pad (OTP) encryption can provide unconditional security theoretically. Unfortunately, the attainable key generation efficiency and transmission distance of QKD are quite limited (eg., 2.38 Mbps, 70 km [5]).

Quantum-noise randomized cipher (QNRC) is an alternative quantum secure communication method [6], the well-known encryption protocol of which is Yuen 2000 (Y-00) [7]. Based on Heisenberg’s uncertainty principle, the intrinsic quantum noise protects both the data and the key from being intercepted by eavesdroppers. Since ciphertext is directly modulated onto the phase of mesoscopic coherent states, the Y-00 protocol is well compatible with the currently existing OFC infrastructure so that secure communication with high speed and long distance can be realized (eg., 100 Gbit/s, 120km [8]). Therefore, QNRC is an important direction for the practical application of high-speed quantum secure communication.

However, the security of Y-00 protocol hasn’t been proven perfectly in theory, which has been challenged in [9–11] with corresponding refutations in [12–14] by the inventors. The current security metrics of Y-00, like correct detection probability [15] and unicity distance [7], tend to be qualitative or merely focus on the eavesdropper. Ref [16]. has pointed out the applicability of wire-tap channel model [17] as the framework for consideration of Y-00 security of the key and developing secure instantiations. In the wire-tap channel theory, a well-developed theoretical system originated from Wyner [17], there exists a nonzero secrecy capacity, which is the information-theoretic limit of secure transmission rate. As the transmission rate is under secrecy capacity, there exist certain proper channel codes making eavesdropper’s acquisition useless for the knowledge of source information. So far, some specific coding strategies for certain channel models are presented to achieve secrecy capacity [18], such as schemes based on low-density parity-check codes for binary erasure/symmetric channel [19] and polar codes for binary-input symmetric discrete channel [20]. In spite of no general coding schemes, it’s doubtless that secrecy capacity is an instructive metric of security and performance. By its very nature, it is the channel advantage of legal parties over eavesdroppers, which takes into consideration both the main channel and the wire-tap channel as a whole system. Fortunately, such advantages can be provided by Y-00 protocol from the physical layer. Therefore, it’s desirable to investigate the security of Y-00 by considering quantum noise as physical-layer superiority in the wire-tap channel model.

In this paper, we focus on the quantitative security analysis of the Y-00 protocol with secrecy capacity employed as the performance metric. It turns out that QNRC is of great potential for physical-layer security, and the investigation results may contribute to setting proper system parameters for security promotion. The rest of this paper is organized as follows. In Section 2, a brief overview about Y-00 quantum-encryption protocol is provided. In Section 3, we introduce the wire-tap models for both channels of the key and data in detail and characterize their secrecy capacities respectively. Furthermore, the maximal achievable secrecy rate of the system is proposed. In Section 4, comprehensive simulation results about the influences of key system parameters and in-depth discussion about their implications are presented. Finally, we summarize our main findings.

2. Overview of Y-00 protocol

The operation principle of Y-00 quantum-encryption protocol is reviewed as follows [7].

(1) Legitimate communication parties, namely Alice and Bob, share a seed key K^S that is absolutely safe, probably from QKD key pool.
(2) With expansion function ENC(•) (e.g., linear feedback shift register or AES in stream cipher mode), S-bit K is extended into a running key U that is divided into n blocks subsequently: ENC(K^S) = U^N = (u₁, u₂,…, u_n). Each subkey u has l = N/n bits with M_b = 2^l values at most.
(3) n-bit data $X^{n} = (x_{1}, x_{2}, \dots, x_{n})$ will be encrypted by U^N with each bit encrypted by u. The encryption mapping is $m = f (x, u) = u + [x \oplus P o l (u)] \cdot M_{b}$
POL(u) is 0 or 1 according to whether u is even or odd.
(4) Ciphertext m is modulated into the phase of coherent states. Thus, the original quantum states are $| ϕ (m) 〉 = | α e^{i m \frac{π}{M_{b}}} 〉, m \in {0, 1, \dots, 2 M_{b} - 1}$
where α is the coherent-state amplitude. We can find that the data bits encoded in all neighboring states are antipodal, given that M_b is odd.
Note that u_i determines the basis ${| α e^{i θ_{i}} 〉, | α e^{i (θ_{i} + π)} 〉}$ , where $θ_{i} = u_{i} π / M_{b}$ ; then x_i is transmitted selecting one of them; and M_b is called the number of bases.
(5) Bob runs an identical ENC(•) function as Alice, so knowing the basis u_i, he only needs to distinguish $| α e^{i \cdot 0} 〉$ and $| α e^{i \cdot π} 〉$ , the orthogonal states with |α| big enough (>>1).

On the other hand, the eavesdropper (named Eve) ignorant of the key has to discriminate 2M_b quantum states and tell the difference of neighboring states that is masked by unavoidable quantum noise. So the information Eve derives from the measurement is a seriously noisy version where key and data are both protected from the physical layer.

3. Wire-tap channel model and secrecy capacity for QNRC system

Three preconditions of our research are illustrated, as follows.

(1) We consider the scenarios where the sample size of running key is bounded by |U|≤2^S.
(2) Besides unlimited computation power and memory capacity, we assume there are two kinds of wiretappers. The ordinary one can only intercept small part of the signal from Alice. The other could get nearly full copy of signal without being detected. For example, Eve might replace ordinary fiber with ultra-low-loss fiber, so her interception could hide in the fiber loss.
(3) We take no account of optical amplifiers that increase optical power but reduce SNR.

Figure 1 describes the situation of legal communication with an external eavesdropper. In order to obtain useful information, Eve has to intercept part of the signal from the main channel by fiber bending, beam splitting or other fiber-tapping methods. Suppose that Eve’s interception rate of received power is r and Bob takes a fraction t. Generally, r + t = 1.

Fig. 1 General case of wire tapping in OFC system.

Download Full Size | PDF

Consider that Alice sends signals with initial amplitude α and the distances between Alice and Bob, and between Alice and Eve are L_B, L_E respectively. Hence, the average number of photons arriving at Bob and Eve are

{\begin{matrix} {| α_{B} |}^{2} = t {| α |}^{2} e^{- μ L_{B}} \\ {| α_{E} |}^{2} = r {| α |}^{2} e^{- μ L_{E}} \end{matrix}

where

μ (k m^{- 1})

is the fiber transmission loss coefficient.

With the received quantum states, coherent heterodyne measurement is an indispensable step to obtain all bits of the output for each qumode [16, 21]. If the coherent state received is $| ϕ (m) 〉 = | α_{x} e^{i θ_{m}} 〉$ $(θ_{m} = \frac{m}{M_{b}} π)$ , then (r, θ), the observed values of amplitude |α_x| and phase angle θ_m, will be obtained from the constellation. With a shot noise variance σ² defined as unity, the probability density function in polar coordinates for a quantum heterodyne receiver is [21],

p (r, θ | m) = \frac{r}{2 π σ^{2}} \exp (\frac{- {| α_{x} |}^{2} - r^{2} + 2 | α_{x} | r \cos (θ_{m} - θ)}{2 σ^{2}})

Based upon the two-tuples (r, θ), Eve need make a decision on the original state $| ϕ (m) 〉$ and cipher text m. According to the Bayes strategy, the polar coordinate plane should be divided into M = 2M_b decision regions [21],

D_{m^{'}} = {(r, θ) | 0 \leq r < \infty, θ_{m}_{'} - π / 2 M_{b} \leq θ < θ_{m}_{'} + π / 2 M_{b}}, m^{'} = 0, 1, \dots, M - 1

corresponding to the M qumodes. The best decision is that when

(r, θ) \in D_{m^{'}}

, make the choice of m'. Thus, symbol transition probability of cipher text in Eve’s wire-tap channel is

P (m^{'} | m) = \iint_{D_{m^{'}}} p (r, θ | m) d r d θ

Note that α_x = α_E in p(r, θ| m).

While with knowledge of the key K and u, Bob only needs to judge between $| ϕ (m) 〉$ or $| ϕ (m + M_{b}) 〉$ so that the coordinate plane needs to be divided into two parts, namely,

{D^{'}}_{m^{'}} = {(r, θ) | 0 \leq r < \infty, θ_{m^{'}} - π / 2 \leq θ < θ_{m^{'}} + π / 2}, m^{'} = m or m + M_{b}

Correspondingly, the symbol transition probability in the main channel is

P (m^{'} | m) = \iint_{{D^{'}}_{m^{'}}} p (r, θ | m) d r d θ

Here note that α_x = α_B in p(r, θ| m).

On the basis of the fundamental channel built above, the wire-tap channel models for the secret key and data can be founded concretely.

3.1 Secret key part

The seed key is shared in advance between Alice and Bob. So is the extended key. However, the transmitted quantum state $| ϕ (m) 〉$ still contains the information of the subkey u, which Eve can intercept so as to figure out the K in a further step. Hence, it’s necessary to analyze the security of running key in a wire-tap channel, as shown in Fig. 2.

Fig. 2 Wire-tap channel model of the running key.

Download Full Size | PDF

We regard the running key U as the information source to be sent from Alice, which already has been known by Bob. In this sense, the main channel is always error-free. Actually such a decoder is non-existent. While the wire-tap channel is noisy under heterodyne measurement with serious disturbance from quantum noise. In order to make the noisy running key totally useless for Eve, U is encoded into U_c before selecting bases, and U_c is then chopped into n subkeys to encrypt the corresponding data.

In fact the wire-tap channel above includes: mapping u_ci→m_i, transmission $m_{i} \to {\hat{m}}_{i}$ and inverse mapping ${\hat{m}}_{i} \to {\hat{u}}_{c i}$ . Because different subkeys are applied in different coherent states transmitting separately, the channel is discrete, memoryless channel (DMC), that is,

\begin{array}{l} P ({\hat{U}}_{c} | U_{c}) = \prod_{i = 1}^{n} P ({\hat{u}}_{c i} | u_{c i}) \\ P ({\hat{u}}_{c i} | u_{c i}) = \sum_{m_{i}} \sum_{{\hat{m}}_{i}} P ({\hat{u}}_{c i} | {\hat{m}}_{i}) P ({\hat{m}}_{i} | m_{i}) P (m_{i} | u_{c i}) \end{array}

Due to the mapping rule of encryption, for given u_ci and ${\hat{u}}_{c i}$ , ciphertext equals only two values depending on the corresponding value of x_i. So,

\begin{array}{l} P ({\hat{u}}_{c i} | u_{c i}) = (P ({\hat{m}}_{{\hat{u}}_{c i}} + M_{b} | m_{u_{c i}} + M_{b}) + P ({\hat{m}}_{{\hat{u}}_{c i}} | m_{u_{c i}} + M_{b})) \cdot P (m_{u_{c i}} + M_{b} | u_{c i}) \\ + (P ({\hat{m}}_{{\hat{u}}_{c i}} | m_{u_{c i}}) + P ({\hat{m}}_{{\hat{u}}_{c i}} + M_{b} | m_{u_{c i}})) \cdot P (m_{u_{c i}} | u_{c i}) \end{array}

We note that $m_{u_{c}} = u_{c}$ , ${\hat{m}}_{{\hat{u}}_{c}} = {\hat{u}}_{c}$ for simplicity. And it is provable that $P ({\hat{m}}_{{\hat{u}}_{c}} | m_{u_{c}}) = P ({\hat{m}}_{{\hat{u}}_{c}} + M_{b} | m_{u_{c}} + M_{b})$ and $P ({\hat{m}}_{{\hat{u}}_{c}} | m_{u_{c}} + M_{b}) = P ({\hat{m}}_{{\hat{u}}_{c}} + M_{b} | m_{u_{c}})$ . Accordingly, the transition probability of running key in wire-tap channel can be simplified as below.

\begin{array}{l} P ({\hat{u}}_{c} | u_{c}) = (P ({\hat{m}}_{{\hat{u}}_{c}} | m_{u_{c}}) + P ({\hat{m}}_{{\hat{u}}_{c}} + M_{b} | m_{u_{c}})) \cdot (P (m_{u_{c i}} | u_{c i}) + P (m_{u_{c i}} + M_{b} | u_{c i})) \\ = P ({\hat{m}}_{{\hat{u}}_{c}} | m_{u_{c}}) + P ({\hat{m}}_{{\hat{u}}_{c}} + M_{b} | m_{u_{c}}) \end{array}

which can be calculated together with Eqs. (4) (6).

An equivalent wire-tap channel model for the running key has been founded, and according to Wyner’s theory [17], its secrecy capacity is

\begin{array}{l} C_{S u} = \max_{P (u_{c})} {I (u_{c}, u_{c}) - I (u_{c}, {\hat{u}}_{c})} \\ = \max_{P (u_{c})} {[H (u_{c}) - H (u_{c} | u_{c})] - [H (u_{c}) - H (u_{c} | {\hat{u}}_{c})]} \\ = \max_{P (u_{c})} {H (u_{c} | {\hat{u}}_{c})} \end{array}

Hereinto, I denotes the mutual information, and H is the (conditional) entropy function.

We can find that the wire-tap channel with channel matrix $[P ({\hat{u}}_{c} | u_{c})]$ is a symmetric discrete channel. By using Lagrange multipliers technique and taking the channel characteristics into account, we derive that $H (u_{c} | {\hat{u}}_{c})$ is maximal when subkeys u_c are uniformly distributed. Thus, it provides a normal demand for the encoding of U. Moreover, resorting to the symmetric discrete channel matrix and matching distribution of u_c, the applied C_Su formula for calculation is given by

C_{S u} = - \sum_{j = 0}^{M_{b} - 1} P ({\hat{u}}_{c} = j | u_{c} = i) \log_{2} P ({\hat{u}}_{c} = j | u_{c} = i), \forall 0 \leq i < M_{b}

where each row of [P] consists of same elements, so i can be arbitrary, and we take 0•log0 = 0 in this paper.

3.2 Data bit part

Also, Eve can derive a noisy version of the original data from heterodyne measurement. Consequently, we study the physical-layer security of data X on the basis of wire-tap channel, as shown in Fig. 3.

Fig. 3 Wire-tap channel model of the data.

Download Full Size | PDF

Likewise, source $X^{k} = (x_{1}, x_{2}, \dots, x_{k})$ is encoded into $X_{c}^{n} = (x_{c 1}, x_{c 2}, \dots, x_{c n})$ before encryption so as to make Eve’s measurement of data meaningless. Still, the wire-tap channel is noisy and output is Zⁿ. However, the main channel isn’t always noiseless any more, because SNR degrades after channel transmission. Output of main channel is Yⁿ. Since $X_{c}^{n}$ is encrypted bit by bit with subkeys from $U_{c}^{n}$ , it’s easy to know that the main channel $X_{c}^{n} \to Y^{n}$ and wire-tap channel $X_{c}^{n} \to Z^{n}$ are both DMCs, i.e.,

\begin{matrix} P (Y^{n} | X_{c}^{n}) = \prod_{i = 1}^{n} P (y_{i} | x_{c i}), \\ P (Z^{n} | X_{c}^{n}) = \prod_{i = 1}^{n} P (z_{i} | x_{c i}), \\ P (y_{i} | x_{c i}) = \sum_{m_{i}} \sum_{{\hat{m}}_{i}} P (y_{i} | {\hat{m}}_{B i}) P ({\hat{m}}_{B i} | m_{i}) P (m_{i} | x_{c i}), \\ P (z_{i} | x_{c i}) = \sum_{m_{i}} \sum_{{\hat{m}}_{i}} P (z_{i} | {\hat{m}}_{E i}) P ({\hat{m}}_{E i} | m_{i}) P (m_{i} | x_{c i}) \end{matrix}

Hereinto,

{\hat{m}}_{B}

and

{\hat{m}}_{E}

are the respective ciphertexts received by Bob and Eve. Specifically, for given x_c y z,

P (m | x_{c}) = P (u_{c})

P (y | {\hat{m}}_{B}) = {\begin{matrix} 1, {\hat{m}}_{B} = f (y, u_{c}) \\ 0, e l s e \end{matrix}, P (z | {\hat{m}}_{E}) = {\begin{matrix} 1, {\hat{m}}_{E} = f (z, {\hat{u}}_{c}) \\ 0, e l s e \end{matrix}

By substituting Eqs. (15) (16) into Eq. (14), then we have

\begin{array}{l} P (z | x_{c}) = \sum_{u_{c}} \sum_{{\hat{u}}_{c}} P ({\hat{m}}_{E} = f (z, {\hat{u}}_{c}) | m = f (x_{c}, u_{c})) P (u_{c}) \\ \underline{\underline{(a)}} \sum_{u_{c}} P (u_{c}) \sum_{{\hat{u}}_{c}} P ({\hat{m}}_{E} = f (z, {\hat{u}}_{c}) | m = f (x_{c}, 0)) \\ = \sum_{{\hat{u}}_{c}} P ({\hat{m}}_{E} = f (z, {\hat{u}}_{c}) | m = f (x_{c}, 0)) \end{array}

where (a) follows that the matrix

[P ({\hat{m}}_{E} | m)]

is also symmetric discrete, consisting of same elements in each row, and generally we take the row of u_c = 0. Similarly,

\begin{array}{l} P (y | x_{c}) = \sum_{{\hat{u}}_{c}} P ({\hat{m}}_{B} = f (y, {\hat{u}}_{c}) | m = f (x_{c}, 0)) \\ \underline{\underline{(b)}} P ({\hat{m}}_{B} = f (y, 0) | m = f (x_{c}, 0)) \end{array}

where (b) follows only probability items with

{\hat{u}}_{c} = u_{c}

exist, given that Bob knows running key, i.e., the basis level. Further, it’s not hard to prove both channels of data communication leading to Bob and Eve are binary symmetric channels (BSC). Their crossover probabilities, namely, the respective error rates, are

P_{B e} = P ({\hat{m}}_{B} = M_{b} | m = 0)

P_{E e} = \sum_{{\hat{u}}_{c}} P ({\hat{m}}_{E} = f (1, {\hat{u}}_{c}) | m = 0) \underline{\underline{(c)}} \sum_{i = 1}^{M_{b}} P ({\hat{m}}_{E} = 2 i - 1 | m = 0)

provided that u_c = 0~M_b-1 and M_b is odd for (c). Note that the transition probabilities in Eqs. (17) and (20) and (18) and (19) follow Eqs. (6) and (8) respectively.

The wire-tap channel model for data communication is clearly demonstrated above. The secrecy capacity of data is given by

\begin{array}{l} C_{S x} = \max_{P (x_{c})} {I (x_{c}, y) - I (x_{c}, z)} \\ = \max_{P (x_{c})} {[H (y) - H (y | x_{c})] - [H (z) - H (z | x_{c})]} \\ = \max_{P (x_{c})} {H (y) - H (z)} + H (z | x_{c}) - H (y | x_{c}) \\ \overset{(d)}{\leq} H (z | x_{c}) - H (y | x_{c}) \end{array}

Inequality (d) follows that Y→Z could be treated as another BSC, if error rates P_Be ≤ P_Ee, and the entropy of output of a BSC is not less than that of its input [22], i.e., H(y) ≤ H(z). Further, the condition for equality is P(x_c = 0) = P(x_c = 1) = 1/2, which provides a normal demand for encoding X. On this condition, the final C_Sx is given by

C_{S x} = h (P_{E e}) - h (P_{B e})

where h(p) = -plog₂ p-(1-p)log₂(1-p), 0≤ p≤1. For further analysis, we express it as C_Sx = [1-h(P_Be)]-[1-h(P_Ee)] = C_M-C_W.

3.3 Maximal achievable secrecy rate of the system

Now that the transmitted quantum states contain information of both the data and the key, we need to take their secrecy restrictions into consideration at the same time for strict security of the whole system. That is to say, R_u≤C_Su and R_x≤C_Sx, where R_u, R_x denote the respective rate. Meanwhile, each state $| ϕ (m) 〉$ includes l-bit u and 1-bit x, which means R_u = lR_x. As a result,

{\begin{matrix} R_{x} \leq C_{S x} \\ l R_{x} \leq C_{S u} \end{matrix} \Rightarrow R_{x} \leq \min {C_{S x}, \frac{C_{S u}}{l}} = \min {C_{S x}, C_{S u 0}}

where C_Su0 = C_Su/l can be regarded as the average secrecy capacity per bit of running key. We define the maximal achievable secrecy rate of the system as R_S = min{C_Sx, C_Su0}.

In addition, since K→U→U_c form a Markov-chain series channel, when Eve can acquire nothing about the running key (U), the initial key (K) will be more impossible to be revealed. Thus, transmission at rate up to R_S is achievable with both key and data in perfect secrecy.

4. Results and discussion

The secrecy capacities derived above are dependent on key system parameters, such as the number of bases, the initial amplitude of coherent state, the signal transmission distances, the interception rate and so on. In this section, we focus on impacts of the parameters mentioned above. Moreover, comparison between C_Su and C_Sx is analyzed. We try to find some meaningful results to optimize those parameters for greater secrecy capacities.

4.1 Secrecy capacity of running key

According to the formula (13), secrecy capacity of running key C_Su is evaluated with regard to different parameters, as shown in Fig. 4-6. In Fig. 4, C_Su is considered as a function of transmission distance between Alice and Eve (L_E), for the case of interception ratio r = {0.01,0.1,0.5,1}, M_b = 127, $| α | = M_{b} / 3 π \approx 13.5$ and fiber loss coefficient with typical value $μ$ = 0.2dB/km. Evidently, secrecy capacity increases with L_E and decreases as the interception ratio rises. When r is large, it’s difficult to reach the maximum. In order to obtain more information, smart wiretappers would choose to eavesdrop as close as possible to Alice (L_E→0) with r as large as possible. Though Eve is likely to be discovered as r>10⁻² resulting in a noticeable power reduction, to maximize Eve’s ability and consider the worst situation, we still assume Eve with strongest ability can have a full copy of signal, implying r = t = 1.

Fig. 4 Secrecy capacity of the running key vs. L_E, with M_b = 127, |α| = 13.5 and $μ$ = 0.2 dB/km.

Download Full Size | PDF

Fig. 5 Secrecy capacity of running key (normalized to C_Mu) vs. M_b = 2^l-1. Smart Eve (L_E = 0) with strongest ability (r = t = 1).

Download Full Size | PDF

Fig. 6 Secrecy capacity of running key (normalized to C_Mu) vs. N_σ, assuming L_E = 0 and r = t = 1.

Download Full Size | PDF

In Fig. 5, we evaluate the impact of number of bases under smart Eve with strongest ability, that is, |α_E| = |α|. Specifically, we set M_b = 2^l-1 for l-bit subkey. In fact, here C_Su is normalized to C_Mu, capacity of the main channel with C_Mu = log₂M_b, and is approximatively the average secrecy capacity per bit of subkey. As M_b increases with the length of subkey, there are more state levels Eve has to discriminate with more difficulties. As a result, the phase difference between adjacent quantum states diminishes and Eve will surely make more mistakes, leading to a larger C_Su.

While the question is, Alice has to emit more photons in each coherent state so as to communicate reliably for longer distance. According to uncertainty principle, the more photons Eve receives, the smaller the uncertainty of signal phase will be, and smaller quantum phase noise results in more accurate detection leaking more information to Eve. Then, more bases in turn are needed to protect signal information from being intercepted. We observe that, when average number of photons |α|² is large, the growth of C_Su is too slow to reach the biggest value, i.e., C_Mu. For instance, to protect merely 25 photons on average (for |α| = 5) to 0.81C_Mu, about 1023 bases are needed. It’s extremely difficult to actualize perfect C_Su = C_Mu in practically remote communication. Therefore, we have to set the running key rate not exceeding C_Su to ensure the security of key, together with proper encoding of U.

From the analyses above, we know coherent-state amplitude |α| is decisive to Δφ, the quantum noise in phase detection, which quantitatively is $Δ φ = 1 / \sqrt{\bar{N}} = 1 / | α |$ , and the number of bases M_b is to δφ, the phase difference of adjacent quantum states, which is δφ = π/M_b. In the physical nature, it’s only when Δφ masks δφ that secure QNRC becomes possible. Moreover, define the number of states masked by quantum noise as $N_{σ} = \frac{Δ φ}{δ φ} = \frac{M_{b}}{π | α |}$ .

Figure 6 shows the more states are masked, the better C_Su (normalized to C_Mu) will be achieved for certain number of bases generally. And particularly, C_Su increases most rapidly in the first division of N_σ, implying that more than 20 state levels need to be masked there to ensure C_Su large enough, especially for large M_b. Normalized C_Su will reduce when M_b increases proportional to |α| with fixed N_σ. It means that N_σ isn’t the only decisive factor of C_Su per bit, which is more sensitive to the negative impact of |α| instead of the protection of M_b with their proportion fixed.

4.2 Secrecy capacity of data

According to the Eq. (22), secrecy capacity of data C_Sx is evaluated for different cases, as shown in Fig. 7-9. Thereinto, we regard Eve as a wiretapper smart enough to eavesdrop close to Alice (L_E→0).

Fig. 7 Secrecy capacity of data vs. L_B, with N_σ = 3. Smart wiretapper (L_E = 0) and M_b = 127.

Download Full Size | PDF

Fig. 8 (a) Secrecy capacity of data, C_Sx vs. |α|, with Eve of normal ability (r = 0.01, t = 0.99); (b) C_Sx vs. |α|, with Eve of strongest power (r = t = 1); (c) Data capacity of main channel, C_M and data capacity of wire-tap channel, C_W vs. |α|, with r = 0.01, t = 0.99; (d) C_M and C_W vs. |α|, with r = t = 1. L_B = 100km and L_E = 0 for all (a)~(d).

Download Full Size | PDF

Fig. 9 Secrecy capacity of data vs. N_σ, with optimal wiretapper (r = t = 1, L_E = 0), and L_B = 100km.

Download Full Size | PDF

We investigate C_Sx versus the transmission distance between Alice and Bob (L_B), for the case of transmissivity t = {0.1,0.3,0.5,0.99}, M_b = 127, |α| = 13.5 and $μ$ = 0.2dB/km, in Fig. 7. C_Sx decreases along with the growth of L_B and reduction of t. While under this case, C_W, the capacity of wire-tap channel, remains constant 0 irrelevant to L_B or t, since N_σ = 3 states are masked at source. It indicates Eve could derive nothing useful from her interception, as long as data is protected at source. Actually, the decrease of C_Sx here results from the reduction of main channel capacity, C_M. After long distance transmission, the coherent states are pulled closer to the vacuum states, with the phase uncertainty so large that even Bob’s measurement is affected with errors. If N_σ<1, nonzero C_W shall decrease with t = 1-r. Anyway, transmission distance unavailable for the honest parties is a relative advantage that Eve could utilize.

Next, we illustrate the influence of coherent-state amplitude. Figure 8 (a) and (b) plot C_Sx versus |α| in the presence of eavesdroppers with normal ability (r = 0.01, t = 0.99) and strongest power (r = t = 1), respectively, at the length of 100km. And Fig. 8 (c) and (d) plot the corresponding C_W and C_M versus $| α |$ for further analysis. It’s obvious that the scenario with strongest Eve, which is the worst case, degenerates the security performance seriously. Taking M_b = 15 as an example, C_Sx in the case against normal Eve attains the maximum 1 with |α| ranging 41~45; in contrast, C_Sx against the strongest Eve can only reach 0.24 at most with |α| = 10.

Curves in both Fig. 8(a) and 8(b) show the trend that increases in the beginning, keeps the peak value at some point or for an interval in the middle and then decreases. According to Fig. 8(c) and 8(d), we can make an explanation correspondingly. We note that C_M, which increases from the very beginning, is related to |α| but irrelevant to M_b. While C_W starts rising only when signal is intensive enough to overcome the disturbance of Δφ. In other words, as |α| is small, C_W = 0 or its increment speed is slower than C_M. Thus, C_Sx = C_M-C_W keeps increasing up to the maximum before C_W increases faster than C_M. If C_Sx saturates before C_W starts increasing for certain interval, there will be a corresponding interval where C_Sx holds the peak value.

From the analyses above, we infer that to achieve the maximal C_Sx, |α| is supposed to satisfy the constraint given below,

{\begin{matrix} | α_{B} | \geq | α_{B 0} | \\ \frac{M_{b}}{π | α_{E} |} > 1 \end{matrix} \Rightarrow | α_{B 0} | \cdot 10^{\frac{β L_{B}}{20}} \leq | α | < \frac{M_{b}}{π \sqrt{r}}

where α_B, α_E are from Eq. (3) and α_B₀ corresponds to the minimum of average number of photons for correct heterodyne detection in PSK scheme. Typically, to ensure P_Be≈10⁻⁹,

{| α_{B 0} |}^{2}

≈18 at least. The second inequality ensures that accurate measurement is impossible for Eve. The final in Eq. (24) is of significance to set proper values of

| α |

and M_b to maximize C_Sx, for given length from Alice to Bob. The intervals meeting the inequation conform to Fig. 8(a), 8(c) and 8(b) for M_b = 255, approximatively. Otherwise, for given L_B and M_b, if the interval meeting the inequation doesn’t exist, C_Sx will not achieve the theoretical maximum 1, as shown in Fig. 8(b), 8(d) for M_b = {15, 31, 63}.

Further, according to in Eq. (24), as L_B is quite long, M_b needs to be sufficiently large against the strongest Eve. For instance, as L_B = 300km, M_b needs to be more than 10⁴, of which the realization is quite a trouble. We suggest designing the parameters for secure QNRC based on different requirements of security. For those vital communication applications requiring absolute safety, we adopt the conservative designing strategy, imagining Eve most powerful and taking r = 1; while in ordinary scenarios with general demands for security, designing against Eve with normal ability (i.e., r = 0.01) is safe enough, and it’s easier to be realized.

Similarly, we study the impact of N_σ, the number of states masked by quantum noise, on data secrecy capacity in Fig. 9. Here consider Eve as an optimal wiretapper. The variation trend of C_Sx also includes rising, holding or not, and dropping. We observe that for given M_b, it is unnecessary or harmful to set N_σ too big value and some value of $N_{σ} \leq 1$ is sufficient to attain the maximum of C_Sx. Moreover, as N_σ keeps constant, C_Sx is much larger with more bases, implying the protection of M_b prevails over the negative impact of |α| in data communication part when they increase proportionally. In comparison, normalized C_Su in Fig. 6 reaches the maximum with much higher N_σ. Though the data are indeed protected as long as the adjacent quantum states are masked by quantum noise, the states within the standard deviation of phase uncertainty are likely to have several bits in common, which reveals partial information of the key to Eve. Therefore, it’s harder for the running key to be completely secure by contrast with data on equal conditions. An effective way to improve security of the key is devising more disordered mappers.

4.3 Comparison between C_Su and C_Sx

According to Eq. (23), the comparison between C_Sx and C_Su0 for different cases is shown in Fig. 10. In particular, the strict maximal secrecy rate R_S is pointed out. Generally, C_Sx<C_Su0 as |α| is small, implying R_S is limited to C_Sx there; when |α| becomes large enough, C_Sx>C_Su0, during which time C_Su0 is the restriction of R_S. From the practical viewpoint, the region limited to C_Su0 with larger |α| is of more significance. Although the peak value of R_S moves higher with bigger M_b, the great gain in C_Sx doesn’t make much difference, unfortunately. Therefore, more attention should be paid to the restriction from C_Su0, and improving the secrecy of running key is the key point to achieve a strict maximal secrecy rate much higher.

Fig. 10 Comparisons between secrecy capacities of data and running key per bit as function of |α|. Parameter values: (a) M_b = 63, L_B = 100km, (b) M_b = 127, L_B = 100km, (c) M_b = 255, L_B = 100km, (d) M_b = 127, L_B = 200km, (e) M_b = 255, L_B = 200km, (f) M_b = 1023, L_B = 200km, with optimal Eve (r = t = 1 and L_E = 0) for all (a)~(f).

Download Full Size | PDF

Meanwhile, Fig. 10(d)-10(f) indicate that R_S and C_Sx degrade drastically with long distance transmission, where much more bases are needed. However, even for transmission of 200km with merely 127 bases against the optimal Eve, we can still obtain a maximal secrecy rate up to R_S = 0.16, i.e., 16% of the maximal transmission bit rate of the main channel. If capacity of the main channel is C_Mt = 100 Gb/s as reported in [8], secure bit rate on the scale of Gb/s can be yielded with both the key and data in perfect secrecy. We remark here that the framework of QNRC + QKD combined with Wyner’s theory can achieve perfectly secure bit rate orders of magnitude higher than that of OTP + QKD. It’s quite a promising direction of secure communication since R_S can be greatly improved by increasing both C_Su0 and C_Mt.

5. Conclusion

The QNRC system with inevitable quantum noise suffered by eavesdroppers can provide a great channel advantage for the legal users, which shows a huge potential for the physical-layer security. This kind of security is quantitatively investigated with secrecy capacity as the performance metric for the first time. Moreover, considering the secrecy constraints of both the key and data, the maximal achievable secrecy rate of the system (i.e., R_S) is proposed. The results show that QNRC can potentially provide physical-layer security at data rates orders of magnitude higher than the perfect secrecy rate of QKD. Also, even if the eavesdropper intercepts much more signal power than the legitimate receiver, a considerable secrecy capacity can still exist. Furthermore, it is found that the secrecy capacity of running key per bit is the main constraint to R_S, which suggests the critical importance of improving the running key secrecy.

By analyzing the security of QNRC via taking both the legitimate and wire-tap channels into account as a whole system, we believe that these results can provide effective instructions for the system configuration according to specific security requirements. Moreover, the design of secure encoding schemes is a potential research area in the next step, where we have proved the matching codes must be uniformly distributed.

Funding

National Natural Science Foundation of China (NSFC) (61475193 and 61504170); Natural Science Foundation of Jiangsu Province (BK20140069).

References and links

1. K. Shaneman and S. Gray, “Optical network security: Technical analysis of fiber tapping mechanisms and methods for detection prevention,” in Proc. IEEE MILCOM (IEEE, 2004), pp. 711–716. [CrossRef]

2. K. Guan, A. Tulino, P. Winzer, and E. Soljanin, “Secrecy capacities in space-division multiplexed fiber optic communication systems,” IEEE T Inf. Foren. Sec 10(7), 1325–1335 (2015).

3. P. W. Shor, “Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer,” SIMA. J. Comput. (Taipei) 26(5), 1484–1509 (1997).

4. V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, M. Dušek, N. Lütkenhaus, and M. Peev, “The security of practical quantum key distribution,” Rev. Mod. Phys. 81(3), 1301–1350 (2009). [CrossRef]

5. K. Patel, J. Dynes, M. Lucamarini, I. Choi, A. Sharpe, Z. L. Yuan, R. Penty, and A. Shields, “Quantum key distribution for 10 Gb/s dense wavelength division multiplexing networks,” Appl. Phys. Lett. 104(5), 051123 (2014). [CrossRef]

6. G. S. Kanter, D. Reilly, and N. Smith, “Practical physical-layer encryption: The marriage of optical noise with traditional cryptography,” IEEE Commun. Mag. 47(11), 74–81 (2009). [CrossRef]

7. R. Nair, H. P. Yuen, E. Corndorf, T. Eguchi, and P. Kumar, “Quantum-noise randomized ciphers,” Phys. Rev. A 74(5), 052309 (2006). [CrossRef]

8. F. Futami and O. Hirota, “100 Gbit/s (10 x 10 Gbit/s) Y-00 cipher transmission over 120 km for secure optical communication between data centers,” in Proc. OECC/ACOFT2014, pp.4–6.

9. T. Nishioka, T. Hasegawa, H. Ishizuka, K. Imafuku, and H. Imai, “How much security does Y-00 protocol provide us?” Phys. Lett. A 327(1), 28–32 (2004). [CrossRef]

10. T. Nishioka, T. Hasegawa, H. Ishizuka, K. Imafuku, and H. Imai, “Reply to: Comment on: How much security does Y-00 protocol provide us?” Phys. Lett. A 346(1–3), 7–16 (2005). [CrossRef]

11. Z. L. Yuan and A. J. Shields, “Comment on “Secure Communication using Mesoscopic coherent states”,” Phys. Rev. Lett. 94(4), 048901 (2005). [CrossRef] [PubMed]

12. H. P. Yuen, P. Kumar, E. Corndorf, and R. Nair, “Comment on: How much security does Y-00 protocol provide us?” Phys. Lett. A 346(1–3), 1–6 (2005). [CrossRef]

13. R. Nair, H. P. Yuen, E. Corndorf, and P. Kumar, “Reply to: Reply to: Comment on: How much security does Y-00 protocol provide us?” arXiv preprint quant-ph/ 0509092.

14. H. Yuen, E. Corndorf, G. Barbosa, and P. Kumar, “Reply to Comment on Secure Communication using mesoscopic coherent states,” Phys. Rev. Lett. 94(4), 048902 (2005). [CrossRef]

15. O. Hirota, “Practical security analysis of a quantum stream cipher by the Yuen 2000 protocol,” Phys. Rev. A 76(3), 032307 (2007). [CrossRef]

16. M. J. Mihaljević, “Generic framework for the secure Yuen 2000 quantum-encryption protocol employing the wire-tap channel approach,” Phys. Rev. A 75(5), 052334 (2007). [CrossRef]

17. A. D. Wyner, “The wire-tap channel,” Bell Syst. Tech. J. 54(8), 1355–1387 (1975). [CrossRef]

18. W. K. Harrison, J. Almeida, M. R. Bloch, S. W. McLaughlin, and J. Barros, “Coding for secrecy: an overview of error-control coding techniques for physical-layer security,” IEEE Signal Process. Mag. 30(5), 41–50 (2013). [CrossRef]

19. A. Thangaraj, D. Dihidar, A. R. Calderbank, S. W. McLaughlin, and J. M. Merolla, “Applications of LDPC codes to the wiretap channel,” IEEE Trans. Inf. Theory 53(8), 2933–2945 (2007). [CrossRef]

20. H. Mahdavifar and A. Vardy, “Achieving the secrecy capacity of wiretap channels using polar codes,” IEEE Trans. Inf. Theory 57(10), 6428–6443 (2011). [CrossRef]

21. S. Donnet, A. Thangaraj, M. Bloch, J. Cussey, J. M. Merolla, and L. Larger, “Security of Y-00 under heterodyne measurement and fast correlation attack,” Phys. Lett. A 356(6), 406–410 (2006). [CrossRef]

22. A. D. Wyner and J. Ziv, “A theorem on the entropy of certain binary sequences and applications: part I,” IEEE Trans. Inf. Theory IT-19(6), 769–772 (1973). [CrossRef]

Physical-layer security analysis of a quantum-noise randomized cipher based on the wire-tap channel model

Abstract

1. Introduction

2. Overview of Y-00 protocol