
arXiv:quant-ph/0604036v1 6 Apr 2006

An immunity against correlation attack on quantum stream cipher by Yuen 2000 protocol

Osamu Hirota∗
Research Center for Quantum Information Science, Tamagawa University, 6-1-1, Tamagawa-gakuen, Machida, Tokyo, 194-8610, JAPAN

Kaoru Kurosawa†
Faculty of Engineering, Ibaraki University, Ibaraki, JAPAN

(Dated: June 16, 2018)

This paper presents the security analysis on the quantum stream cipher so called Yuen-2000 protocol (or αη scheme) against the fast correlation attack, the typical attack on stream ciphers. Although a very simple experimental model of the quantum stream cipher without a random mapper may be decrypted in the information theoretic sense by the fast correlation algorithm, it is not a basic feature of the Yuen 2000 protocol. In fact, we clarify that there exists a randomization scheme which attains the perfect correlation immunity against such attacks under an approximation. In such a case, any fast correlation attack does not work on the quantum stream cipher, because the running key correlation from the second randomization that determines the mapping patterns is also dismissed by the quantum noise.

PACS numbers: 03.67.Dd, 42.50.Lc

I. INTRODUCTION

The quantum stream cipher by quantum noise randomization, so called Yuen 2000 protocol [1], is an attractive new quantum cryptography which might realize ultra high speed data encryption. In fact, remarkable experiments have been demonstrated [2,3,4]. If this type of quantum cryptography can be applied to real telecommunication networks, it may provide a pretty good security. So the concrete security analysis on the quantum stream cipher is one of the most interesting subjects. In this paper, we will clarify the security property of the quantum stream cipher against the fast correlation attack, the most typical attack on stream ciphers.

Since the quantum stream cipher by quantum noise randomization has a structure quite different from the conventional one, we survey the conventional ciphers. In the basic structure of the conventional stream cipher, a stream of random bits is implemented by a PRNG (pseudo random number generator) with a short secret key. Here, let us describe the performances of this class of ciphers based on the XOR operation. In the information theoretic approach, a stream cipher is called a non-random stream cipher when it has the following property:

$$H(Y^n \mid K X^n) = 0 \qquad (1)$$

where $K$ is the secret key shared by the legitimate users, and $X^n$ and $Y^n$ are the $n$-long plaintext and ciphertext, respectively. Thus the key and the ciphertext uniquely determine the plaintext. On the other hand, a stream cipher is called a randomized stream cipher when it has the following property:

$$H(Y^n \mid K X^n) \neq 0 \qquad (2)$$

This means that the plaintext and the ciphertexts are not unique even if the key is the same. That is, the cryptography is randomized. In the modern cryptography, the randomized cryptography is discussed by Diffie, Schnorr, Maurer, and Cachin[5]. Maurer devised a type of randomized stream cipher for which one can prove in Shannon's sense that Eve obtains no information about the plaintext with probability close to 1. But his protocol works on the assumption that the memory capacity of attackers is limited[6]. This approach provides an information theoretic notion of security under memory restriction. Unfortunately, it is difficult to implement a practical system with high speed processing by it. However, it shows that a type of randomized stream cipher may have the potential of unbreakable encryption. Now, the Yuen-2000 protocol (Y-00) leads to a new randomized stream cipher which can be implemented by optical communications, so called "quantum stream cipher"[1]. A very simple experimental model without a random mapper may be decrypted in the information theoretic sense by the fast correlation attacks. But the purpose of that demonstration is to verify the quantum noise effect, and it does not have the specific basic feature. In this paper, we will clarify a property of the security of Y-00 which cannot be attained by any conventional symmetric key cipher, and show a physical method to attain the perfect correlation immunity against the correlation attacks.

∗ Electronic address: [email protected]
† Electronic address: [email protected]

II. YUEN 2000 PROTOCOL

According to a quantum detection theory[7], we have the following properties for the average error probability:

$$P_e(BP) < P_e(BM), \qquad P_e(BP) < P_e(MP) \qquad (3)$$

where $BP$, $BM$, $MP$ mean a binary pure state, a binary mixed state, and an M-ary pure state, respectively. One can apply the above principle of the quantum detection theory to cryptography. The Y-00 protocol is an example. In the Y-00 protocol, a PRNG with a shared key is used to make a difference in the performances of quantum signal detection. It means that if Eve does not know the key, she has to detect M-ary quantum states, while Bob's detection procedure is the binary one with the key. So Eve's detection suffers intrinsic errors. As a result, Eve has to search for the data or the key based on her detection results with an unavoidable quantum error.

Some ideas for the implementation are proposed as follows[2,3,4]. Alice and Bob share a secret key $K$. The key length is $|K| = 100 \sim 1000$ bits. The key is stretched by a PRNG. The length of the running key is $|K'| \sim 2^{|K|}$. The output bit sequence of the PRNG is divided by each $\log M$ bits, and each $\log M$ bits is regarded as the running key: $K_R = \{K_1, K_2, \ldots, K_i, \ldots, K_M\}$. The running key corresponds to the basis $\{|\alpha e^{i\theta_i}\rangle, |\alpha e^{i(\theta_i+\pi)}\rangle\}$. That is, when a running key appears, a coherent state basis corresponding to the running key is chosen. Then, the data $x \in X$ is transmitted by $|\alpha e^{i\theta_i}\rangle$ or $|\alpha e^{i(\theta_i+\pi)}\rangle$ of the basis. A mapping pattern, that is, a mapping function from running keys to bases of coherent states, is given by the next relation in the basic model of Y-00 by the phase modulation:

$$\mathcal{L} = \begin{pmatrix} K_i \\ \theta_i \end{pmatrix} = \begin{pmatrix} 1 & 2 & 3 & \ldots & M \\ \theta_1 & \theta_2 & \theta_3 & \ldots & \theta_M \end{pmatrix} \qquad (4)$$

where the mapping $K_i \to \theta_i$ means that $K_i \to \{\theta_i, \theta_i + \pi\}$, and $\pi > \theta_{i+1} > \theta_i > 0$. However, to employ a random mapping from running keys to bases of coherent states by an additional LFSR with $K_2$ has been recommended in a real implementation[3]. Here, to simplify the explanation, we use Eq(4) as a mapping pattern. Quantum state sequences emitted from the transmitter can be described as follows:

$$|\Psi\rangle = |\alpha(K_R, X)\rangle_1 |\alpha(K_R, X)\rangle_2 |\alpha(K_R, X)\rangle_3 \ldots = |\alpha_i\rangle_1 |\alpha_j\rangle_2 |\alpha_k\rangle_3 \ldots \qquad (5)$$

where $\alpha_i$ is one of $2M$ coherent states, $\alpha_i = |\alpha| e^{i\theta_i}$, and $i, j, k \in \mathcal{M} = (1 \sim 2M)$. Alice and Bob will design the number of bases and the signal distance between the neighboring states which satisfy

$$|\langle \alpha_i | \alpha_{i+1} \rangle|^2 \sim 1, \qquad (6)$$

If Eve uses a heterodyne measurement as a sub-quantum-optimum receiver, Eve's ability can be evaluated by

$$P_e(i+1 \mid i) = \frac{1}{2} - \frac{1}{\sqrt{2\pi}} \int_0^{t_0} \exp(-t^2/2)\, dt = 0.2 \sim 0.5 \qquad (7)$$

where $t_0 = \frac{\pi |\alpha|}{2M}$ for the phase modulation scheme, and $t_0 = \frac{|\alpha_{max} - \alpha_{min}|}{4M}$ for the amplitude or intensity modulation scheme. This corresponds to the error probability between neighboring states, and gives the degree of the quantum noise effect for the quadrature amplitude $\alpha$.

The output sequence of the transmitter in Y-00 is the sequence of coherent states which convey the information data or key. Even if the sequence of coherent states is a deterministic sequence, Eve has to measure the sequence, and error in the measured data is inevitable. Such an error provides a randomization by quantum noise at the measurement. The measured data corresponds to the ciphertext, and the ciphertext is not unique even if the signal is the same one. This fact corresponds to Eq(2). Despite it, Bob can decrypt the measured data. Indeed the decision making of the legitimate users has no error or few errors because of the measurement with the key, which corresponds to no encryption. Thus a crucial point of Y-00 is to realize the encryption by the unavoidable error of Eve. So it is clear that Y-00 is an encryption by quantum noise.

Here we denote the necessities for the evaluation of the security of Y-00. In the case of the ciphertext only attacks, we need the following unicity distance:

$$n_u = \min\{n : H(K \mid Y^n) = 0\} \sim \infty \qquad (8)$$

In the case of the known or chosen plaintext attacks, the security can be evaluated by the following unicity distance:

$$n_{Gu} = \min\{n : H(K \mid Y^n X^n) = 0\} \qquad (9)$$

This property is a main subject for the security analysis of Y-00. There is no general theory on this problem, but we discuss the feature on the specific attacks.

III. CONCRETE MODEL OF ATTACK

First let us discuss a role of the no cloning property in attacks on Y-00. If Eve can make many copies of the output state signals by a cloning procedure, she can try the brute force attack on copies of the signals by the receivers with possible keys. However, in Y-00, the output of the transmitter is the sequence of $2M$-ary coherent states, which are non-orthogonal quantum states for Eve. Consequently Eve cannot get the required copies of the non-orthogonal quantum states according to the no cloning theorem[8,9]. So Eve cannot launch a parallel optical processing for the attack by all kinds of keys. Thus, Eve cannot realize the parallel processing. But she can make the equivalent situation to the parallel processing on a long time series sequence of the coherent state signals. That is, Eve can try to measure many different sequential segments of quantum states by the receivers with many different keys. So she can try to decrypt Y-00 along the time axis by ciphertext only attacks with a statistical analysis. However, if the trial number is $\sim 2^{|K|}$, Eve will spend an intractable time in the real world even if she has unlimited computation power. This is one of the quantum advantages against the brute force attack. In addition, a quantum unambiguous discrimination attack also does not work[4].

Consequently, the most important attack is a post measurement procedure which requires a sequential processing on the measurement results along the time axis by a single quantum optimum receiver to discriminate $2M$ coherent states. In schemes to get the serial data by the single receiver, a quantum noise effect is also unavoidable. So Eve cannot get the exact data from her measurement without the key. This fact realizes a randomized cipher as Eq(2). However, Eve can apply the correlation attacks based on the post measurement procedure, which are the efficient known plaintext attacks on stream ciphers [10-13]. Here, we will show a security analysis against the correlation attack based on the quantum individual measurement.

Let us survey the structure of the transmitter of Y-00.

(i) The sequence of the output of the PRNG is a sequence of 0 and 1.

(ii) The output sequence is divided by $\log M$ bits, and each block is transformed into a number mod($M$). These correspond to the running key sequence, and assign one basis from the $M$ basis sets.

(iii) One plaintext bit is sent by one running key of $\log M$ bits.

Then, the situation of Eve is described as follows:

(i) Eve measures each slot by the heterodyne receiver.

(ii) When Eve knows the plaintext, the measurement results are regarded as the running key sequence. Then the measurement results of one slot correspond to $\log M$ bits of the output sequence from the PRNG.

So we have to consider the following problem: to determine the structure of the PRNG from the received sequence with errors.

The brute force complexity of this problem is about $O(2^{|K|})$. Here, a fast correlation attack is applicable to the above problem when the PRNG is a linear feedback shift register (LFSR) or its nonlinear combinations, only when the secret part of the LFSR is the initial state. The basic notion of the fast correlation attacks is to avoid the factor $2^{|K|}$ and derive algorithms with the complexity of order $2^{\eta|K|}$ with respect to $\eta < 1$. In the correlation attack, the approach of viewing the problem as a decoding problem is used. The linear complexity of the target LFSR is $|K|$ and the set of possible LFSR sequences is $\mathcal{C} = 2^{|K|}$. For a fixed length $N$ of the measured data, the truncated sequences from $\mathcal{C}$ form a linear $[N, |K|]$ block code. The LFSR sequence is regarded as a code word from an $[N, |K|]$ linear block code, and the observed sequence is regarded as the output of a binary symmetric channel (BSC) which represents the randomness by the non-linear combiner of many LFSRs. Let $P_b$ be an error probability or a crossover probability in the BSC. Due to the correlation between the input and output of the channel (BSC), attackers can search for the initial state of the LFSR by the maximum likelihood decoding procedure. In [11], it is claimed that a fast correlation attack may succeed if $N > n_0$, where $n_0$ is the critical length

$$n_0 = \frac{|K|}{C} \qquad (10)$$

where $C = 1 - H(P_b)$ is the channel capacity of the BSC in the fast correlation attack model, and where $H(P_b) = -P_b \log P_b - (1 - P_b)\log(1 - P_b)$. As an example, the complexity of fast correlation attacks is given by [11]

$$F \sim O\left(\left(\frac{1}{2\epsilon}\right)^{t-1} \times 2^{|K|\left(1 - \frac{|K|}{n_0}\right)}\right) \qquad (11)$$

where $t$ is the number of taps of the LFSR, and $\epsilon = 1/2 - P_b$. To break the system the attacker needs to observe a segment of length $N$, where

$$N \sim O\left(\left(\frac{1}{2\epsilon}\right)^{t-1}\right) > n_0 \qquad (12)$$

In the case of the current stream ciphers, when $\epsilon > \sim 0.05$, the complexity and the required number of observations may be efficiently reduced according to several simulations[10-13].

Let us turn to Y-00. The observations of Eve in the Y-00 scheme suffer errors by real noises in the quantum measurement process. When the measurement process is regarded as the channel model with quantum noises, the fast correlation attack against the LFSR as the driver of the $M$-ary modulator in Y-00 is applicable, when the tap state of the LFSR is opened. We give, here, a simple example. The error in Eve's phase measurement on a very simple model of Y-00 is described by

$$\theta_i \to \theta_m = \theta_{i \pm e}, \qquad e = \{0, 1, 2\} \qquad (13)$$

where $\theta_m$ is the measurement data when $\theta_i$ is true. If the mapping pattern is Eq(4), which is a deterministic mapping, the bit error per each $\log M$ bits occurs mainly in the last 3 bits of the $\log M$ bits. In such a case, if the length of the known plaintext is nearly $|K|$ bits, Eve cannot determine the key even if she has an unlimited power of computer. So, she has to try ciphertext only attacks as the brute force attack on the remaining keys along the time axis of the sequences, because Eve cannot proceed with a parallel processing according to the no cloning property. Consequently it takes intractable time to try the brute force attack. This fact is one of the quantum advantages. However, it seems to qualify if the length of the known plaintext is sufficiently long. That is, Eve may decrypt Y-00 by using a correlation between each $|K|$ bits block (linear complexity of LFSR) in the measured sequence and a set of LFSRs of the number $2^{\lambda|K|}$, $\lambda < 1$.

The correlation comes from the error free bits in the serial segments of $\log M$ bits.

On the other hand, when we employ a random mapping from the running keys to bases of coherent states by keyed randomization[3,14], the positions of the error bits will be diffused. An example of the concrete random mapping method is given by us[15], which improves the security feature against the fast correlation attacks. So, even if Eve can get a long known plaintext ($N \gg n_0$), a very simple model of Y-00 with a random mapping technique is secure against the fast correlation attack in the sense of the computational complexity, because the computational complexity of the fast correlation attacks, which are known at present, is still exponential for a small $\epsilon$.

Thus, despite that we employ the simple LFSR as the driver of the $M$-ary modulator, the security of Y-00 against the known plaintext attack is sufficiently protected in the practical sense by quantum noise effects. If we employ a non-linear LFSR by a non-linear combiner (or multiplexed sequence generator) as the running key generator in Y-00, the required length of the observed sequence for the fast correlation attack on the non-linear LFSR itself may be an exponential number even if the system is noiseless. In this case, the running key sequence of Y-00 corresponds to the output sequence of the channel model of the fast correlation attack. The real observation sequence is the output of the cascaded channels consisting of the channel of the fast correlation attack and the channel of the quantum measurement. Thus, Y-00 is always more secure than the conventional stream cipher owing to the quantum noise effect and the no cloning property, as concluded in the references [1,3,4].

IV. CORRELATION IMMUNITY

In practice, there are many technical limits to give the appropriate quantum noise effects which guarantee the security. In the attacks based on the heterodyne receiver[1,4], the quantum noise is independent of the signal power and the effect is not so large when the signal energy is large. See Eq(13). So some mapping mechanisms, so called "mapper", are necessary for practical applications of Y-00.

A basic idea of the error enhancement techniques for a provable security has been described in the reference [1], so called the deliberate signal randomization (DSR), which is a method without a shared key. Besides, the error performance of Bob is degraded, so one will need an appropriate design. Let us introduce keyed randomization[14] as mentioned in the previous section. This is a randomization by an additional LFSR with an additional shared key. This randomization has such an advantage that it does not affect the error performance of Bob's receiver. Although it seems, in general, not to be essential for the ultimate security, here we show that the keyed randomization gives a method to attain the perfect correlation immunity against the fast correlation attacks under the assumption of no quantum state to quantum state correlation being exploited by Eve.

Let us denote here again that the region of the phase error by the quantum noise is given only by Eq(13), which is a small effect. Our aim is to enhance this effect by the keyed randomization. One of the roles of the randomization is to make the error positions in the bit sequences from the LFSR uniform by the effect of the quantum noise, even if the phase error by the quantum noise is small. However, it is not sufficient for our purpose. In order that the additional keyed randomization gives a further effect on the system, there exists a condition. That is, the keys of both the driver and the additional randomization should be hidden by quantum noise effects. The reason will be explained later.

We will show a method which can attain the perfect correlation immunity. We prepare an additional LFSR which will be used to choose a mapping pattern from many mapping patterns $\mathcal{L}_1, \mathcal{L}_2, \mathcal{L}_3, \ldots$. Each mapping pattern of the set $\{\mathcal{L}_i\}$ is designed as follows:

$$\mathcal{L}_1 = \begin{pmatrix} K_i \\ \theta_i \end{pmatrix} = \begin{pmatrix} 1 & 2 & 3 & \ldots & M \\ \theta_1 & \theta_2 & \theta_3 & \ldots & \theta_M \end{pmatrix}$$

$$\mathcal{L}_2 = \begin{pmatrix} 2 & 3 & \ldots & M & 1 \\ \theta_1 + \delta & \theta_2 + \delta & \ldots & \theta_{M-1} + \delta & \theta_M + \delta \end{pmatrix}$$

$$\mathcal{L}_3 = \begin{pmatrix} 3 & 4 & \ldots & 1 & 2 \\ \theta_1 + 2\delta & \theta_2 + 2\delta & \ldots & \theta_{M-1} + 2\delta & \theta_M + 2\delta \end{pmatrix}$$

$$\vdots$$

$$\mathcal{L}_M = \begin{pmatrix} M & \ldots & M-1 \\ \theta_1 + (M-1)\delta & \ldots & \theta_M + (M-1)\delta \end{pmatrix} \qquad (14)$$

where $\delta = |\theta_{i+1} - \theta_i| / M$. The crucial point of this method is the shift permutation in the mapping and the degree of $\delta$. A mapping pattern is chosen by the random sequence of $\log M$ bits from the additional second LFSR. After the selection of the mapping pattern, the first LFSR assigns which basis should be used to transmit the information bit. Since the second LFSR is also shared between Alice and Bob, the error performance of Bob is not degraded. However, Eve has to discriminate $M \times M$ states which have the phase difference $\delta$. The quantum noise in the heterodyne receiver affects several states close to the true phase. That is, the standard deviation of the phase measurement is

$$\sigma = \Delta\theta_m > 2M\delta = 2|\theta_{i+1} - \theta_i| \qquad (15)$$

Hence the running keys of the first LFSR and the second LFSR are completely hidden by the quantum noise. This fact is important because the running key correlation from the second LFSR that determines the mapping patterns is dismissed. As a result, it becomes a basis independence. That is, all $\log M$ bits per signal slot suffer the error by the quantum noise.

We here employ a wedge approximation for the quantum noise effect on the phase space in order to evaluate the quantum noise effect. The wedge approximation means the following model: let us cut a circle on the phase space like a wedge based on the center of the circle, with $\theta_{i+1}$ and $\theta_i$ on the circle. If the phase difference $|\theta_{i+1} - \theta_i|$ is sufficiently small, the probability distribution of noise can be regarded as uniform within the standard deviation and zero outside. Under this approximation, the symbol error is

$$P_e = 1 - \frac{1}{M}, \qquad (16)$$

then the bit error is

$$P_b = \frac{1}{2}\left(1 - \frac{1}{M}\right) \qquad (17)$$

Thus, in Eq(11) and Eq(12), $\epsilon$ is $\frac{1}{2M} \sim 0$ for $M \gg 1$. It leads to the fact that the required observation number becomes intractable. So the correlation immunity is attained. This result is valid for any fast correlation attack under the approximation that Eve looks at each quantum state independently of the others, as in the standard correlation attacks, which does not take into account quantum state to quantum state basis correlation.

V. CONCLUSION

We have analyzed the security against the fast correlation attack on the quantum stream cipher by Yuen 2000 protocol, and we have proposed a scheme which attains the perfect correlation immunity under an approximation.
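As an added illustration (not code from the paper), the following Python puts Eqs (10), (12), (14), (16) and (17) together: it builds the shift-permuted mapping patterns of Eq (14), counts which first-LFSR running keys stay consistent with one measured phase under the wedge approximation at the noise width $2M\delta$ of Eq (15), compares that with the deterministic mapping of Eqs (4) and (13), and evaluates the critical length $n_0$ and the segment length $N$ implied by the bit error of Eq (17). The equally spaced basis phases, the reading of the wedge as a window of total width $\sigma$ centred on the measured phase, and the example values of $M$, $|K|$ and $t$ are assumptions.

```python
import math
from typing import List, Set


def binary_entropy(p: float) -> float:
    """H(P_b) in bits for a BSC with crossover probability p; 0 when p is 0 or 1."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def critical_length(key_bits: int, pb: float) -> float:
    """n_0 = |K| / C with C = 1 - H(P_b), Eq (10); infinite when the BSC carries nothing."""
    capacity = 1.0 - binary_entropy(pb)
    return math.inf if capacity <= 0.0 else key_bits / capacity


def required_segment_length(eps: float, taps: int) -> float:
    """N ~ (1 / 2 eps)^(t - 1), Eq (12), with eps = 1/2 - P_b and t LFSR taps."""
    return math.inf if eps <= 0.0 else (1.0 / (2.0 * eps)) ** (taps - 1)


def basis_phases(m: int) -> List[float]:
    """Constructed basis phases: M equally spaced values with pi > theta_{i+1} > theta_i > 0."""
    return [(i + 1) * math.pi / (m + 1) for i in range(m)]


def pattern_delta(thetas: List[float]) -> float:
    """delta = |theta_{i+1} - theta_i| / M from Eq (14)."""
    return abs(thetas[1] - thetas[0]) / len(thetas)


def keyed_phase(thetas: List[float], running_key: int, pattern: int) -> float:
    """Phase sent for running key K_i (0-based i) under pattern L_{k+1} of Eq (14):
    pattern k rotates the key row left by k positions and adds k*delta to each phase."""
    m = len(thetas)
    return thetas[(running_key - pattern) % m] + pattern * pattern_delta(thetas)


def candidate_keys_keyed(thetas: List[float], measured: float, sigma: float) -> Set[int]:
    """First-LFSR running keys consistent with one measured phase when the second LFSR
    (pattern choice) is unknown. Wedge approximation: noise uniform inside a window of
    width sigma around the true phase, zero outside (window centring is an assumption)."""
    m = len(thetas)
    return {i for i in range(m) for k in range(m)
            if abs(keyed_phase(thetas, i, k) - measured) <= sigma / 2.0}


def candidate_keys_deterministic(m: int, true_key: int) -> Set[int]:
    """Eq (13) for the fixed mapping of Eq (4): theta_m = theta_{i +- e}, e in {0, 1, 2}."""
    return {i for i in range(m) if abs(i - true_key) <= 2}


def wedge_bit_error(m: int) -> float:
    """P_b = (1/2)(1 - 1/M), Eq (17), from the symbol error P_e = 1 - 1/M, Eq (16)."""
    return 0.5 * (1.0 - 1.0 / m)


def y00_attack_parameters(m: int, key_bits: int, taps: int) -> dict:
    """Eqs (10) and (12) evaluated with the wedge bit error, so eps = 1/(2M) as in the text."""
    pb = wedge_bit_error(m)
    eps = 0.5 - pb
    return {"P_b": pb, "eps": eps,
            "n_0": critical_length(key_bits, pb),
            "N": required_segment_length(eps, taps)}


if __name__ == "__main__":
    M, true_key, pattern = 16, 5, 3          # assumed example sizes
    th = basis_phases(M)
    sigma = 2 * M * pattern_delta(th)         # noise width at the bound of Eq (15)
    centre = keyed_phase(th, true_key, pattern)
    print("keyed candidates:", sorted(candidate_keys_keyed(th, centre, sigma)))
    print("deterministic candidates:", sorted(candidate_keys_deterministic(M, true_key)))
    print("conventional n_0 (P_b = 0.25):", critical_length(1000, 0.25))
    print("Y-00 wedge parameters:", y00_attack_parameters(M, 1000, 10))
```

With the keyed patterns every one of the $M$ running keys remains a candidate for a single slot (the basis independence of the text), whereas the deterministic mapping leaves only the five neighbours of Eq (13).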

[1] H. P. Yuen, arXiv e-print quant-ph/0311061v6, LANL, 2003.
[2] G. A. Barbosa, E. Corndorf, P. Kumar, and H. P. Yuen, Phys. Rev. Lett., vol. 90, 227901-4, 2003.
[3] E. Corndorf, C. Liang, G. S. Kanter, P. Kumar, and H. P. Yuen, Physical Review A, vol. 71, 062326, 2005.
[4] O. Hirota, M. Sohma, M. Fuse, and K. Kato, Physical Review A, vol. 72, 022335, 2005.
[5] B. Schneier, Applied Cryptography, John Wiley and Sons Inc., 2003.
[6] U. M. Maurer, Advances in Cryptology - EUROCRYPT'90, p. 361, Springer-Verlag, 1991.
[7] C. W. Helstrom, Quantum Detection and Estimation Theory, Academic Press, 1976.
[8] W. K. Wootters and W. H. Zurek, Nature, vol. 299, p. 802, 1982.
[9] V. Buzek and M. Hillery, Physics World, vol. 14, no. 11, pp. 25-29, 2001.
[10] W. Meier and O. Staffelbach, Journal of Cryptology, vol. 1, pp. 159-176, 1989.
[11] V. Chepyzhov and B. Smeets, Advances in Cryptology - EUROCRYPT'91, pp. 179-186, Springer-Verlag, 1991.
[12] T. Johansson and F. Jonsson, Advances in Cryptology '99, pp. 181-197, Springer-Verlag, 1999.
[13] V. Chepyzhov, T. Johansson, and B. Smeets, Fast Software Encryption, FSE 2000, Lecture Notes in Computer Science, Springer-Verlag, 2000.
[14] O. Hirota, T. Usuda, and M. Fuse, Conference on Quantum Communications and Quantum Imaging III, Proc. of SPIE, vol. 5893, Aug. 2005.
[15] Y. Mizukami, K. Watanabe, and O. Hirota, National Convention Record of IEICE of Japan, Proc. of 2006 IEICE General Conference, B-10-39, 2006.