Translator Disclaimer
10 December 2018 Guessing probability under unlimited known-plaintext attack on secret keys for Y00 quantum stream cipher by quantum multiple hypotheses testing
Author Affiliations +
Although quantum key distribution is regarded as promising secure communication, security of Y00 protocol proposed by Yuen in 2000 for the affinity to conventional optical communication is not well-understood yet; its security has been evaluated only by the eavesdropper’s error probabilities of detecting individual signals or masking size, the number of hidden signal levels under quantum and classical noise. Our study is the first challenge of evaluating the guessing probabilities on shared secret keys for pseudorandom number generators in a simplified Y00 communication system based on quantum multiple hypotheses testing theory. The result is that even unlimitedly long known-plaintext attack only lets the eavesdropper guess the shared secret keys of limited lengths with a probability strictly <1. This study will give some insights for detailed future works on this quantum communication protocol.



Recent heating-up in the development race of quantum computers brings attention to secure communications that are resistant to quantum computers. Quantum key distribution (QKD) has been said to be the most promising technology to protect communications from cryptanalysis even with quantum computers.

On the other hand, Y00 protocol proposed by Yuen (its original name is αη) in 200013 is compatible to conventional high-speed and long-distance optical communication technologies while it sends messages directly and hides them under quantum noise, enhancing the security of conventional cryptographies.414 However, its security has not been well-understood except some evaluations by unicity distance,15,16 numerical analyses by masking sizes that are the numbers of signal levels hidden under quantum noise,17,18 or error probability in eavesdropping on individual signals.19 Therefore, since fast correlation attack on Y00 protocol was found,20,21 Y00 protocol has been believed to be computationally secure while QKDs are information-theoretically secure, although “irregular mapping” was equipped on Y00 systems as a countermeasure to fast correlation attack.22

This study gives the first example of security analysis on Y00 protocol with an unlimitedly long known-plaintext attack (KPA) by quantum multiple hypotheses testing theory. It shows that Y00 protocol is secure with guessing probabilities on the two shared secret keys of 128 bits strictly <1 even under unlimitedly long KPA. However, as time passes the attack increases the guessing probability, hence fresh keys have to be sent instead of messages before Y00 communication systems are breached. In this case, if the probability distribution of the provided fresh key is uniform, the guessing probability on the key has to be evaluated by ciphertext-only attack (COA). There are still some assumptions in this study, therefore, this study is not rigorous yet. However, it will give a better understanding of the security of Y00 protocol and some insights for detailed future works.

One of the major methods to evaluate information-theoretic security has been calculation of the guessing probability on secret keys since Shannon23 and in the literature following.24,25 Therefore, this study follows these concepts as well to evaluate the security of Y00 protocol.


Known Works on Security Evaluations on Information-Theoretic Secure Cryptography

The founder of the information theory, Shannon proved that the “perfect secrecy” is satisfied only when the length of the encryption key k with its probability distribution independent and identically distributed has to be longer than the plaintext x, which is one-time pad.23 Then the ciphertext string c is given by the modulo-2 addition of x and k:

Eq. (1)


Eq. (2)

Alimomeni and Safavi-Naini24 proposed “guessing secrecy,” generalizing Shannon’s concept; the encryption is not perfectly secure, but the key is obtained only probabilistically by Eve’s guess as

Eq. (3)

Iwamoto and Shikata25 proposed “worst-case guessing secrecy,” considering the worst scenario such as

Eq. (4)

Therefore, this study follows the above concepts “guessing probability on the key” to evaluate the security of Y00 protocol.


Security of Conventional Stream Ciphers Under Long Known-Plaintext Attack

This section treats the security of conventional stream ciphers with KPA; those are not randomized by quantum noise to give a better understanding on the security of Y00 protocol, which is a stream cipher randomized by quantum noise. In conventional stream ciphers, a shared secret key k is fed into the pseudorandom number generator (PRNG) to generate a key stream s. A plaintext string x from a sender, Alice, is converted into a ciphertext string c=x+s mod 2. To decode c, the receiver, Bob, feeds the shared k into his common PRNG, then recovers x=c+s mod 2. If Eve has the same PRNG and knows x during a period of s, she obtains s completely, hence her correspondence table of ks recovers the original key k no matter how much computationally complex the key expansion process is. Then Eve can read all messages from the next period. In terms of conditional probability, this means

Eq. (5)



Security of Y00 protocol Under KPA During Least Common Multiple of PRNGs’ Periods

This section describes the security of Y00 protocol with KPA during the least common multiple (LCM) of the two PRNGs’ periods using quantum multiple hypotheses testing theory.26,27


Principles of Binary Y00 Quantum Stream Cipher

To start Y00 protocol, the legitimate users Alice and Bob have to share a secret key k. Then they expand k into a key stream s using a common PRNG equipped in each transmitter/receiver. Then s is chopped every log2M bits to form M-ary string s(t) of times lot t while a message bit x(t) is encoded into a coherent state |α[m(t)] using s(t) as

Eq. (6)

Map[s(t)] is a projection from s(t) to Map[s(t)]{0,1,2,3,,M1}. Therefore, the message bit x(t){0,1} corresponds to a set of quantum states {|α[m(t)],|α[m(t)+M]} for even number Map[s(t)], otherwise {|α[m(t)+M],|α[m(t)]}. On the other hand, Bob’s receiver sets an optimal threshold(s) to discriminate the set of quantum states. Therefore, he decodes x(t) since he knows Map[s(t)] thanks to the common PRNG and the shared k. On the other hand, the eavesdropper, Eve, has to discriminate 2M-ary signals hidden under overlapping quantum and classical noise since she does not know whether Map[s(t)] is even or odd, hence x(t) neither.

When Eve launches KPA, a number of the hidden signal level under noise effectively halves, hence it might help Eve to guess k.

To avoid the situation, overlap-selection-keying was proposed.28 An additional pair of PRNGs with another shared key Δk are equipped in both a transmitter and a receiver to randomize the plaintext x with pseudorandom number Δx as

Eq. (7)

Then the transmitter Alice sends a coherent state ρ[m(t)] with classical randomizations named DSR and DER19 although these are omitted in this study for simplicity.

Eve obtains coherent states separated from a beam-splitter ρ[m(t)] and stores its time sequence in her quantum memory. Denote the quantum sequence ρ(x,s,Δx) with the splitting ratio η as

Eq. (8)

Note that a set of (s,Δx) (S,ΔX) is generated from (k,Δk) (K,ΔK). Therefore, there are only 2|K|+|ΔK| patterns of signal sequences, although the number of signal levels is 2M and the period of KPA is T. Hence, what Eve needs is not 2M·T-ary quantum decision theory but 2|K|+|ΔK|-ary one, no matter how long the key-stream lengths of s and Δx are. Therefore, the main problem is whether Eve can determine the correct (s,Δx) in the LCM of the periods of (s,Δx) denoted as TLCM, like in case of the conventional stream cipher explained in Sec. 3 or she needs longer than TLCM.


Brief Description of M-ary Quantum Detection Theory

Before this section starts, here are some assumptions to be satisfied.

  • The projection Map[·] stays unchanged during the running of Y00 protocol.

  • Map[·] is known to Eve according to the Kerckhoffs’ principle, as known as Shannon’s maxim.

  • Map[·] is well-designed irregular mapping so that quantum noise covers all bits in s(t) equally.

The set of Eve’s measurement operators {E(s,Δx|x)} satisfies

Eq. (9)

By the Born rule, the measurement operator E(s,Δx|x) gives Eve a measurement result (s,Δx) (S,ΔX) from a quantum state ρ(x,s,Δx) with a probability of

Eq. (10)

Quantum multiple hypotheses testing theory based on the Bayes criterion is applicable to decide which (s,Δx) is the most possible. Let the Bayes cost in the theory be as described in

Eq. (11)

When the prior probability is Pr(s,Δx), the average Bayes cost is

Eq. (12)

The Hermitian risk operators are

Eq. (13)

To minimize Eve’s error probability, the necessary and sufficient conditions are26

Eq. (14)


Eq. (15)


Eq. (16)


Eq. (17)

Then Eve’s maximum success probability of obtaining the correct (s,Δx) is

Eq. (18)

Now, denote E(s,Δx|x) as

Eq. (19)

From Eq. (15),

Eq. (20)

For pure states, from Eq. (8),

Eq. (21)

Therefore, Eq. (20) gives 22|K|+2|ΔK|2|K|+|ΔK| equalities and Eq. (21) gives 2|K|+|ΔK| equalities. Thus there are 22|K|+2|ΔK| equations in total, and there are 23|K|+3|ΔK| variables including {Pr(s,Δx)}.

To remove remained variables {Pr(s,Δx)}, apply Cauchy–Schwarz inequality to Eq. (18):

Eq. (22)

Let Eve know the prior probability Pr(s,Δx) under Shannon’s maxim. Then Eve can choose her {E(s,Δx|x)} so that the equality of Eq. (23) is satisfied

Eq. (23)

Therefore, the prior probability distribution {Pr(s,Δx)} vanishes as follows:

Eq. (24)

The condition Eq. (23) satisfies Eq. (14) trivially, and Eqs. (15) and (16) are converted as follows:

Eq. (25)


Eq. (26)

Therefore, Eq. (26) originated from Eq. (16) is also satisfied while a new condition is Eq. (25). The absolute value of Eq. (25) is

Eq. (27)



Security of Y00 under KPA on Secret Key: In Case of Exact Signal Detections for Eve

Although it is impossible for Eve to obtain the correct signal sequence without any errors because of quantum noise in Y00 protocol, it is worth considering an imaginary case where Eve could detect signals without any errors to compare Y00 protocol with conventional stream ciphers in Sec. 3.

The situation where Eve could detect signals without any errors is that, from the Born rule,

Eq. (28)

Equation (28) also implies from Eq. (21) that

Eq. (29)

Then from the left-hand side of Eq. (22),

Eq. (30)

Therefore, through one period of (s,Δx), that is TLCM, Eve would obtain the correct (s,Δx) with a probability of 1. Then the situation is the same as conventional stream ciphers. Therefore, the effect of unavoidable quantum noise in Eq. (28) as a nonzero factor should play an important role in Y00 protocol.


Security of Y00 under KPA on Secret Key: In Case of Erroneous Signal Detections for Eve

Unless Eve’s detections are error-free expressed by Eq. (28), from Eq. (21),

Eq. (31)

Therefore, Eq. (24) satisfies the following inequality as well:

Eq. (32)

Even if Pr(s,Δx) is uniform, that is Pr(s,Δx)=2|K||ΔK|, since Eve has to make the success probability in measurement larger than the failure probability,

Eq. (33)

Then from Eqs. (21) and (22),

Eq. (34)

Therefore, Eve has an advantage in obtaining the correct (s,Δx) compared to pure-guessing. Thus even Eve launches KPA using quantum multiple hypotheses testing theory during an LCM of the periods of two PRNGs; she cannot pin down the keys deterministically, far different from conventional stream ciphers. The problem is how long Y00 protocol stays secure.


Security of Y00 Protocol under Unlimitedly Long KPA

This section describes the security of Y00 protocol under unlimitedly long KPA so that Eve guesses the most likely by the Bayes criterion.29


Y00 Protocol Under Unlimitedly Long KPA

Since (s,Δx) is pseudorandom of a period of TLCM while the plaintext x is supposed not to repeat, Eve can statistically confirm the most likely (s,Δx) during N·TLCM periods as shown in Table 1.

Table 1

A timetable of a set of variables (m, s, Δx, and x).


At the nth period of n{1,2,3,,N}, Eve measures coherent states |ηα(xn,s,Δx) with a set of operators denoted as {E(s,Δx|xn)} based on known plaintext xn:

Eq. (35)


Eq. (36)


Eq. (37)


Eq. (38)

Since Eve just performs 2|K|+|ΔK|-ary quantum hypotheses testing to obtain (s,Δx) based on known xn, the results are independent of n. Therefore, from the Born rule, define as follows:

Eq. (39)


Eq. (40)

Suppose that Eve has obtained n(s,Δx) times of her measurement result (s,Δx) during N·TLCM periods, then such a probability is

Eq. (41)


At the boundary where Eve makes a wrong decision, the Bayes criterion requests,

Eq. (42)

Two nearest probability distributions give the following boundary conditions:

Eq. (43)


Eq. (44)

Substituting Eqs. (43) and (44) into Eq. (42), nTh is given in

Eq. (45)


Eq. (46)

This situation is depicted in Fig. 1.

Fig. 1

Schematic view of how the security of Y00 system is evaluated by Eve’s failure probability.


There are 2|K|+|ΔK| patterns of possible probability distributions, and only one is for the correct (s,Δx). Therefore, maximizing nTh by all wrong sets of (s,Δx) and defining it as max nTh,

Eq. (47)

Thus Eve’s success probability in obtaining the correct (s,Δx) corresponding to the shared secret keys (k,Δk) in the Y00 system is Pr(success) = 1–Pr(fail).

To perform numerical simulation, all conditional probabilities {Pr(s,Δx|x0,s,Δx)} defined in Eq. (39) have to be determined. However, those parameters are dependent on implementations of Y00 systems including key-expansion algorithms. Therefore, this study gives numerical examples as follows. Assume initial key lengths are |K|=|ΔK|=128 bits and

Eq. (48)


Eq. (49)


Eq. (50)

The numerical simulation result with the above situation is shown in Fig. 2.

Fig. 2

Eve’s success probability in guessing the correct keys in the long run. From the top, p=28, p=216, p=232, and p=264 in Eqs. (48)–(50).


As Eve’s success probability of obtaining the correct (s,Δx) in one TLCM smaller, Eve needs a larger number of N, which is a repetition number of the period TLCM of the two PRNGs. However, note that even with p=216, Eve needs N=104 periods to pin-down the correct (k,Δk) with a probability of almost 1. When p=264, even N=106 periods are not enough for Eve, only allowing her to guess the correct (k,Δk) with a probability of about 1013. Therefore, it was shown that Y00 protocol can go beyond the Shannon Limit of cryptography.30

While Eve’s success probability is small enough, Alice has to send fresh keys to Bob to continue secure quantum communications. In this case, Eve’s probability of obtaining the fresh keys has to be evaluated by COA with probabilistically known (k,Δk), that is,

Eq. (51)



Results and Discussions: Assumptions Used in Security Analysis and Future Works

In this work, it was shown that even a Y00 system with a few-hundred bits of shared keys can be secure far longer than the period of its PRNGs, such as 106 periods if its implementations are well-designed. The security analyses in this study applied the following assumptions.

  • 1. Irregular mapping3 makes quantum noise cover all bits in the chopped key stream equally.

  • 2. Irregular mapping is fixed and known to Eve during her eavesdropping.

Hence, there are still necessities of further studies to give mathematically more rigorous analyses when the above assumptions are not satisfied. Also, the security of fresh keys is not given in this study yet. Hence, it has to be analyzed in the next work.


Appendix A: Simulation Code for Fig. 2 on Mathematica 11.3

Simulation code for Fig. 2 on Mathematica 11.3

ps[p_]: = p;

pf[p_]: = (1 - ps[p])/(2^(128*2)-1);

nth[n_, p_]: = n*Log[2, (1 - pf[p])/(1 - ps[p])]/Log[2, ps[p]*(1 - pf[p]) / pf[p] / (1 - ps[p])];

prob[n_,p_]: = 1 - CDF[BinomialDistribution[n, ps[p]], Floor[nth[n, p]]];

Show [Table [LogLogPlot [prob [Floor[m], 2^(-b)], {m, 1,10^6},

PlotRange -> {{1, 10^6}, {5*10^(-21), 4}}, Frame -> True,

PlotLegends -> {Switch[b, 8, “p=2-8”, 16, “p=2-16”, 32, “p=2-32”, 64, “p=2-64”]},

PlotStyle->{Switch[b, 8, Blue, 16, Orange, 32, Green, 64, Red]}], {b, {8, 16, 32, 64}}]]



H. P. Yuen, “KCQ: a new approach to quantum cryptography I. General principles and key generation,” (2003). Google Scholar


G. A. Barbosa et al., “Secure communication using mesoscopic coherent states,” Phys. Rev. Lett., 90 (22), 227901 (2003). PRLTAO 0031-9007 Google Scholar


H. P. Yuen, “Key generation: foundations and a new quantum approach,” IEEE J. Sel. Top. Quantum Electron., 15 1630 –1645 (2009). IJSQEN 1077-260X Google Scholar


E. Corndorf et al., “Quantum-noise randomized data encryption for wavelength-division-multiplexed fiber-optic networks,” Phys. Rev. A, 71 062326 (2005). Google Scholar


C. Liang et al., “Quantum noise protected data encryption in a WDM network,” IEEE Photonic Technol. Lett., 17 1573 –1575 (2005). Google Scholar


O. Hirota et al., “Quantum stream cipher by the Yuen 2000 protocol: design and experiment by an intensity-modulation scheme,” Phys. Rev. A, 72 022335 (2005). Google Scholar


Y. Doi et al., “360 km field transmission of 10 Gbit/s stream cipher by quantum noise for optical network,” in Proc. Optical Fiber Communication Conf. (OFC), OWC4 (2010). Google Scholar


K. Harasawa et al., “Quantum encryption communication over a 192-km 2.5-Gbit/s line with optical transceivers employing Yuen-2000 protocol based on intensity modulation,” J. Lightwave Technol., 29 (3), 316 –323 (2011). JLTEDG 0733-8724 Google Scholar


F. Futami, “Experimental demonstrations of Y-00 cipher for high capacity and secure optical fiber communications,” Quantum Inf. Process., 13 2277 –2291 (2014). QIPUAT 1570-0755 Google Scholar


M. Nakazawa et al., “QAM quantum stream cipher using digital coherent optical transmission,” Opt. Express, 22 4098 –4107 (2014). OPEXFF 1094-4087 Google Scholar


M. Yoshida et al., “Single-channel 40 Gbit/s digital coherent QAM quantum noise stream cipher transmission over 480 km,” Opt. Express, 24 652 –661 (2016). OPEXFF 1094-4087 Google Scholar


F. Futami et al., “Experimental investigation of security parameters of Y-00 quantum stream cipher transceiver with randomization technique, part I,” Proc. SPIE, 10409 104090I (2017). PSISDG 0277-786X Google Scholar


F. Futami et al., “Dynamic routing of Y00 quantum stream cipher in field-deployed dynamic optical path network,” in Optical Fiber Communication Conf., Tu2G-5 (2018). Google Scholar


F. Futami et al., “Y-00 quantum stream cipher overlay in a coherent 256-Gbit/s polarization multiplexed 16-QAM WDM system,” Opt. Express, 25 (26), 33338 –33349 (2017). OPEXFF 1094-4087 Google Scholar


R. Nair et al., “Quantum-noise randomized ciphers,” Phys. Rev. A, 74 052309 (2006). Google Scholar


R. Nair and H. P. Yuen, “Comment on: ‘Exposed-key weakness of αη’ [Phys. Lett. A 370 (2007) 131],” Phys. Lett. A, 372 7091 –7096 (2008). PYLAAG 0375-9601 Google Scholar


O. Hirota, “Practical security analysis of a quantum stream cipher by the Yuen 2000 protocol,” Phys. Rev. A, 76 032307 (2007). Google Scholar


T. Iwakoshi, F. Futami and O. Hirota, “Quantitative analysis of quantum noise masking in quantum stream cipher by intensity modulation operating at G-bit/sec data rate,” Proc. SPIE, 8189 818915 (2011). PSISDG 0277-786X Google Scholar


K. Kato, “Enhancement of quantum noise effect by classical error control codes in the intensity shift keying Y00 quantum stream cipher,” Proc. SPIE, 9225 922508 (2014). PSISDG 0277-786X Google Scholar


S. Donnet et al., “Security of Y-00 under heterodyne measurement and fast correlation attack,” Phys. Lett. A, 356 406 –410 (2006). PYLAAG 0375-9601 Google Scholar


M. J. Mihaljevic, “Generic framework for the secure Yuen 2000 quantum-encryption protocol employing the wire-tap channel approach,” Phys. Rev. A, 75 052334 (2007). Google Scholar


T. Shimizu, O. Hirota and Y. Nagasako, “Running key mapping in a quantum stream cipher by the Yuen 2000 protocol,” Phys. Rev. A, 77 034305 (2008). Google Scholar


C. E. Shannon, “Communication theory of secrecy systems,” Bell Syst. Tech. J., 28 (4), 656 –715 (1949). BSTJAN 0005-8580 Google Scholar


M. Alimomeni and R. Safavi-Naini, “Guessing secrecy,” Lect. Notes Comput. Sci., 7412 1 –13 (2012). LNCSD9 0302-9743 Google Scholar


M. Iwamoto and J. Shikata, “Information theoretic security for encryption based on conditional Rényi entropies,” Lect. Notes Comput. Sci., 8317 103 –121 (2013). LNCSD9 0302-9743 Google Scholar


C. W. Helstrom, “Quantum detection and estimation theory,” J. Stat. Phys., 1 (2), 231 –252 (1969). JSTPBS 0022-4715 Google Scholar


H. P. Yuen, R. Kennedy and M. Lax, “Optimum testing of multiple hypotheses in quantum detection theory,” IEEE Trans. Inf. Theory, 21 (2), 125 –134 (1975). IETTAW 0018-9448 Google Scholar


O. Hirota et al., “Quantum key distribution with unconditional security for all-optical fiber network,” Proc. SPIE, 5161 320 –332 (2004). PSISDG 0277-786X Google Scholar


H. L. Van Trees, K. L. Bell and Z. Tian, Detection, Estimation, and Modulation Theory, Part I: Detection, Estimation, and Linear Modulation Theory, 2nd edn.Kindle, John Wiley & Sons, New York (2004). Google Scholar


O. Hirota et al., “Getting around the Shannon limit of cryptography,” SPIE Newsroom, (2010). Google Scholar

Biography of the author is not available.

© The Authors. Published by SPIE under a Creative Commons Attribution 3.0 Unported License. Distribution or reproduction of this work in whole or in part requires full attribution of the original publication, including its DOI.
Takehisa Iwakoshi "Guessing probability under unlimited known-plaintext attack on secret keys for Y00 quantum stream cipher by quantum multiple hypotheses testing," Optical Engineering 57(12), 126103 (10 December 2018).
Received: 4 September 2018; Accepted: 14 November 2018; Published: 10 December 2018

Back to Top