Guessing probability under unlimited known-plaintext attack on secret keys for Y00 quantum stream cipher by quantum multiple hypotheses testing

Although quantum key distribution is regarded as a promising form of secure communication, the security of the Y00 protocol, proposed by Yuen in 2000 for its affinity to conventional optical communication, is not yet well understood; its security has so far been evaluated only through the eavesdropper's error probability in detecting individual signals, or through the masking size, the number of signal levels hidden under quantum and classical noise. Our study is the first attempt to evaluate the guessing probability of the shared secret keys of the pseudorandom number generators in a simplified Y00 communication system, based on quantum multiple hypotheses testing theory. The result is that even an unlimitedly long known-plaintext attack lets the eavesdropper guess shared secret keys of limited length only with a probability strictly less than 1. This study gives some insights for detailed future work on this quantum communication protocol.


Known works on security evaluations of Information-Theoretically Secure Cryptography
The founder of information theory, C. E. Shannon, proved that "perfect secrecy" is attained only when the encryption key k, with an Independent and Identically Distributed (IID) probability distribution, is at least as long as the plaintext x; this is the One-Time Pad (OTP) [23]. The ciphertext string c is then given by the modulo-2 addition of x and k.

In 2012, M. Alimomeni and R. Safavi-Naini proposed "Guessing Secrecy," generalizing Shannon's concept [24]; the encryption is not perfectly secure, but Eve obtains the key only probabilistically by guessing, as

In 2013, M. Iwamoto and J. Shikata proposed "Worst-case Guessing Secrecy" [25], considering the worst scenario, such as

Therefore, this study follows the above concept, the "guessing probability on the key," to evaluate the security of the Y00 protocol.

Security of Conventional Stream Ciphers under Long Known-Plaintext Attack
This section treats the security of conventional stream ciphers, which are not randomized by quantum noise, under KPA, to give a better understanding of the security of the Y00 protocol, a stream cipher that is randomized by quantum noise. In conventional stream ciphers, a shared secret key k is fed

To avoid this situation, Overlap-Selection-Keying (OSK) was proposed [28]. An additional common PRNG with another shared key Δk is equipped in both the transmitter and the receiver to randomize the plaintext x with the pseudo-random number Δx as

Then the transmitter, Alice, sends a coherent state ρ(m(t)) with the classical randomizations named DSR and DER [19], although these are omitted in this study for simplicity.
Eve obtains the coherent states ρ′(m(t)) separated off by a beam splitter and stores their time sequence in her quantum memory. Denote the quantum sequence ρ′(x, s, Δx) with the splitting ratio η as

Note that the set (s, Δx) ∈ (S, ΔX) is generated from (k, Δk) ∈ (K, ΔK). Therefore there are only 2^{|K|+|ΔK|} patterns of signal sequences, although the number of signal levels is 2M and the period of the KPA is T. Hence what Eve needs is not (2M)^T-ary quantum decision theory but 2^{|K|+|ΔK|}-ary decision theory, no matter how long the key streams s and Δx are. Therefore the main problem is whether Eve can determine the correct (s, Δx) within the least common multiple of the periods of s and Δx, denoted T_LCM, as in the case of the conventional stream cipher explained in Sec. 3, or whether she needs longer than T_LCM.

Brief Description of M-ary Quantum Detection Theory
Before this section starts, here are some assumptions to be satisfied.
Quantum multiple hypotheses testing theory based on the Bayes criterion is applicable to decide which (s′, Δx′) is the most probable. Let the Bayes cost in the theory be as described in Eq. (11).
When the prior probability is Pr(s, Δx), the average Bayes cost is

The Hermitian risk operators are

To minimize Eve's error probability, the necessary and sufficient conditions are [26]

Then Eve's maximum success probability of obtaining the correct (s, Δx) is

(20)

For pure states, from Eq. (8),
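The following is an added restatement, in this page's notation, of the standard necessary and sufficient conditions for the Bayes-optimal measurement (the Yuen-Kennedy-Lax / Holevo conditions) and the resulting maximum success probability; it is not the page's own Eqs. (11)-(20), whose terms are not reproduced here, and it assumes the minimum-error cost and a prior Pr(s, Δx) > 0 for every key pair. Write a hypothesis as h = (s, Δx) with prior p_h = Pr(s, Δx), Eve's stored state over one window as ρ′_h = ρ′(x, s, Δx), and her measurement as a POVM {Π_{h′}} with Σ_{h′} Π_{h′} = I, outcome h′ meaning "decide (s′, Δx′) = h′".

$$
C_{hh'} = 1 - \delta_{hh'}, \qquad
\bar C = \sum_{h,h'} C_{hh'}\, p_h\, \mathrm{tr}\!\left(\rho'_h \Pi_{h'}\right)
      = 1 - \sum_h p_h\, \mathrm{tr}\!\left(\rho'_h \Pi_h\right)
$$

$$
W_h = \sum_{h''} C_{h''h}\, p_{h''}\, \rho'_{h''} = \bar\rho - p_h \rho'_h,
\qquad \bar\rho = \sum_h p_h \rho'_h
$$

The measurement minimizing \(\bar C\) is characterized by

$$
\Gamma = \sum_h W_h \Pi_h = \Gamma^\dagger, \qquad
(W_h - \Gamma)\,\Pi_h = 0 \ \ \forall h, \qquad
W_h - \Gamma \ge 0 \ \ \forall h .
$$

Equivalently, with \(\Upsilon = \bar\rho - \Gamma = \sum_h p_h \rho'_h \Pi_h\):

$$
\Upsilon - p_h \rho'_h \ge 0, \qquad (\Upsilon - p_h \rho'_h)\,\Pi_h = 0, \qquad
P_{\mathrm{succ}}^{\max} = \sum_h p_h\, \mathrm{tr}\!\left(\rho'_h \Pi_h\right) = \mathrm{tr}\,\Upsilon .
$$

For pure states \(\rho'_h = |\psi_h\rangle\langle\psi_h|\) the success term is \(\mathrm{tr}(\rho'_h\Pi_h) = \langle\psi_h|\Pi_h|\psi_h\rangle\), and \(P_{\mathrm{succ}}^{\max} = 1\) holds if and only if the \(|\psi_h\rangle\) are mutually orthogonal (then the projectors onto them, completed to the identity, are an admissible POVM); any non-zero overlap \(\langle\psi_h|\psi_{h'}\rangle\) forces \(P_{\mathrm{succ}}^{\max} < 1\). Since Eve's window state is a product of the coherent states ρ′(m(t)) and two coherent states always overlap, \(|\langle\alpha|\beta\rangle|^2 = e^{-|\alpha-\beta|^2} > 0\), the error-free case of the next section is indeed only imaginary.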

Security of Y00 under KPA on Secret Key: in case of Exact Signal Detections for Eve
Although it is impossible for Eve to obtain the correct signal sequence without any error because of the quantum noise in the Y00 protocol, it is worth considering an imaginary case in which Eve could detect the signals without any error, so as to compare the Y00 protocol with the conventional stream ciphers of Sec. 3.
The situation in which Eve could detect signals without any error is, from the Born rule,

Eq. (28) also implies, from Eq. (21), that

Then, from the left-hand side of Eq. (22),

Therefore, through one period of (s, Δx), that is, T_LCM, Eve would obtain the correct (s, Δx) with probability 1. The situation is then the same as for conventional stream ciphers. Therefore the unavoidable quantum noise, the non-zero factor in Eq. (28), should play an important role in the Y00 protocol.

Security of Y00 under KPA on Secret Key: in case of Erroneous Signal Detections for Eve
Unless Eve's detections are error-free as expressed by Eq. (28), from Eq. (21),

(31)

Therefore Eq. (24) also satisfies the following inequality.

Even if Pr(s, Δx) is uniform, that is, Pr(s, Δx) = 2^{-|K|-|ΔK|}, since Eve has to make the success probability of the measurement larger than the failure probability,

Then, from Eqs. (21, 22),

Therefore Eve has an advantage in obtaining the correct (s, Δx) compared with pure guessing. Thus, even if Eve launches a KPA using quantum multiple hypotheses testing theory over one least common multiple of the periods of the two PRNGs, she cannot pin down the keys deterministically, which is far different from conventional stream ciphers. The problem is how long the Y00 protocol stays secure.

Security of Y00 Protocol under Unlimitedly Long KPA
This section describes the security of the Y00 protocol under an unlimitedly long KPA, in which Eve guesses the most likely key by the Bayes criterion [29].

Y00 Protocol under Unlimitedly Long KPA
Since (s, Δx) is pseudo-random with period T_LCM while the plaintext x is supposed not to repeat, Eve can statistically confirm the most likely (s, Δx) over N·T_LCM periods, as shown in Table 1.
This situation is depicted in Fig. 1.
Fig. 1 Schematic view of how the security of the Y00 system is evaluated by Eve's failure probability.
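The following is an added, constructed classical analogue of the attack analysed in the sections above (the 2^{|K|+|ΔK|}-ary decision problem, the exact-detection case over one T_LCM window, the erroneous-detection case, and the N·T_LCM windows of Table 1); it is not the paper's model or code, and the quantum POVM is replaced by a classical Bayes (MAP) decision. Everything below that is not on the page is an assumption: both PRNGs are 2-bit Fibonacci LFSRs (so |K| = |ΔK| = 2 and both periods are T = T_LCM = 3), the signal mapping is simplified to m_t = 2·s_t + (x_t ⊕ Δx_t) with M = 2 bases, the known plaintext is an arbitrary constructed bit string, and quantum noise is modelled by a truncated discrete Gaussian over the 2M levels with σ = 0 standing for error-free detection. The success probability is computed exactly by enumerating every observation Eve could record, so the numbers are the Bayes optimum for this toy system, not a simulation.

```python
"""Classical-noise analogue of Eve's Bayes (MAP) key-guessing attack on a toy
Y00-style stream cipher under KPA.  Constructed example; not the paper's model.
Assumptions (not from the page): both PRNGs are 2-bit Fibonacci LFSRs, the level
mapping is m_t = 2*s_t + (x_t XOR dx_t) with M = 2 bases (2M = 4 levels), and
quantum noise is replaced by a truncated discrete Gaussian over the levels."""
from itertools import product
from math import exp

NBITS = 2          # |K| = |dK| = 2 bits, so 2^(|K|+|dK|) = 16 hypotheses
TAPS = (0, 1)      # x^2 + x + 1: maximal-length, period T = 3 for any nonzero seed
LEVELS = 4         # 2M signal levels


def lfsr_bits(seed, length, nbits=NBITS, taps=TAPS):
    """Emit `length` output bits of a Fibonacci LFSR seeded with `seed`.
    The seed is the PRNG key; seed 0 gives the degenerate all-zero stream."""
    state, out, mask = seed, [], (1 << nbits) - 1
    for _ in range(length):
        out.append(state & 1)
        fb = 0
        for t in taps:
            fb ^= (state >> t) & 1
        state = ((state >> 1) | (fb << (nbits - 1))) & mask
    return out


def signal_levels(k, dk, plaintext):
    """Level index sent for each known-plaintext bit x_t: PRNG(k) selects the
    basis s_t, PRNG(dk) supplies the OSK mask dx_t (simplified Y00 mapping)."""
    s = lfsr_bits(k, len(plaintext))
    dx = lfsr_bits(dk, len(plaintext))
    return [2 * s_t + (x_t ^ dx_t) for s_t, dx_t, x_t in zip(s, dx, plaintext)]


def hypotheses():
    """All (k, dk) key pairs Eve must decide among: 2^(|K|+|dK|) of them."""
    return [(k, dk) for k in range(1 << NBITS) for dk in range(1 << NBITS)]


def distinct_sequences(plaintext):
    """How many distinct level sequences the key pairs can produce for this
    plaintext; compare with the (2M)^T sequences a key-agnostic attacker faces."""
    return len({tuple(signal_levels(k, dk, plaintext)) for k, dk in hypotheses()})


def noise_kernel(sigma, levels=LEVELS):
    """Eve's detector: P(y | m).  sigma = 0 is error-free detection (the
    imaginary exact-detection case); sigma > 0 smears m over neighbouring levels."""
    kern = []
    for m in range(levels):
        if sigma == 0:
            kern.append([1.0 if y == m else 0.0 for y in range(levels)])
        else:
            w = [exp(-((y - m) ** 2) / (2.0 * sigma ** 2)) for y in range(levels)]
            kern.append([v / sum(w) for v in w])
    return kern


def bayes_success_probability(plaintext, sigma):
    """Exact success probability of the Bayes (uniform-prior MAP) decision among
    all key pairs, obtained by enumerating every observation y Eve could record:
    P_succ = sum_y max_h Pr(h) P(y | h)."""
    seqs = [signal_levels(k, dk, plaintext) for k, dk in hypotheses()]
    kern = noise_kernel(sigma)
    prior = 1.0 / len(seqs)
    total = 0.0
    for y in product(range(LEVELS), repeat=len(plaintext)):
        best = 0.0
        for m in seqs:
            lik = prior
            for m_t, y_t in zip(m, y):
                lik *= kern[m_t][y_t]
                if lik == 0.0:
                    break
            best = max(best, lik)
        total += best
    return total


if __name__ == "__main__":
    T_LCM = 3                      # both LFSRs have period 3
    x = [1, 0, 1, 1, 0, 0]         # constructed known plaintext, N = 1 and N = 2 windows
    print("hypotheses:", len(hypotheses()), "vs (2M)^T =", LEVELS ** T_LCM)
    for n in (1, 2):
        window = x[: n * T_LCM]
        print(f"N={n}: distinct sequences={distinct_sequences(window)}/{len(hypotheses())}"
              f"  P_succ(sigma=0)={bayes_success_probability(window, 0.0):.3f}"
              f"  P_succ(sigma=1)={bayes_success_probability(window, 1.0):.3f}")
```

With σ = 0 and a window of one full period every key pair yields a different level sequence, so the MAP decision succeeds with probability exactly 1, which is the exact-detection case; with a window shorter than T_LCM the sequences collide and the success probability drops to the number of distinct sequences divided by 2^{|K|+|ΔK|}. With σ > 0 the success probability is strictly between the pure-guess value 2^{-|K|-|ΔK|} and 1, and adding a second T_LCM window cannot lower it, because the decision based on the first window alone remains available to Eve.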