Analysis of Y00 Protocol Under Quantum Generalization of a Fast Correlation Attack: Toward Information-Theoretic Security

In our previous work, it was demonstrated that the attacker could not pin down the correct keys used to start the Y00 protocol with a probability of one, even with the assistance of unlimitedly long known-plaintext attacks and optimal quantum measurements on the attacker's quantum memory. However, that work assumed that the Y00 system utilized linear-feedback shift registers as pseudo-random-number generators and that the fast correlation attack was disabled by irregular mapping in the Y00 system. This study generalizes the attack to remove those assumptions. The framework of the security analyses in this study reiterates well-known results from the past: (1) Y00 systems are cryptanalyzed when the system is not designed well; (2) the system is possibly information-theoretically secure when it is designed well, and although the attacker's confidence in the correct key increases over time, the success probability of key recovery does not reach unity in finite time; (3) the breach probability of the shared keys increases with time. Hence, a key-refreshment procedure for the Y00 protocol is provided herein. Such security analyses are important not only for key refreshment but also for initial key agreement.


INTRODUCTION
Since the first concept of quantum key distribution (QKD) was invented [1], [2], whether information-theoretically secure (ITS) communication is realizable using the laws of quantum physics has been a topic of immense attention.
Around the year 2000, the Y00 protocol (originally named αη) was proposed by Yuen [3]-[6] for compatibility with the existing high-speed and long-distance optical communication infrastructure [3]-[15]. However, the Y00 protocol had been believed to be non-ITS since the fast correlation attack (FCA) on the Y00 protocol was found [16], [17], even after "irregular mapping" was adopted as a countermeasure to the FCA [17], [18]. Hence, the Y00 protocol is believed to be computationally secure, while QKDs are said to be ITS.
In our previous work [19], it was shown that the attacker "Eve" could not guess the correct secret keys shared by the legitimate users "Alice" and "Bob" with a probability of one, even under an unlimitedly long known-plaintext attack (KPA) with the assistance of quantum memory and of the quantum and classical multiple-hypothesis testing theory [20]-[22]. The key aspect of the unlimitedly long KPA is that it simplifies the security analysis of the Y00 protocol, because the signals appear cyclically once the effect of the plaintext is subtracted. However, our previous work still assumed that the Y00 system was designed as is; therefore, no security guarantee existed as to how ITS would be realizable against unknown computational attacks.
The purpose of this study is to show that well-designed Y00 systems are immune to the quantum generalization of FCA, even with the assistance of the unlimitedly long KPA and the quantum memories that Eve possesses, without any computational assumptions. The analyses in this study demonstrate two results: the main claim of the FCA is recovered against a certain class of Y00 systems that are not well designed, while the others would be ITS under the unlimitedly long KPA in the generalized framework of FCA. The framework of the quantum generalization of FCA corresponds to "collective attacks" or "coherent attacks" in the context of QKDs [23], while the existing security analyses of the Y00 protocol considered "individual attacks" in the context of QKDs [7]-[18].
The security analyses in this study provide clear security parameters: the security breach time of the Y00 systems, and the minimum error-pattern probability that determines the breach time. This paper is structured as follows. Section II describes the differences between conventional stream ciphers and the Y00 protocol in terms of probabilities and information theory, to show how the Y00 protocol can be ITS, along with the principle of the Y00 protocol. Section III describes the quantum detection theory that Eve applies to her quantum memory storing the wire-tapped quantum states. Section IV describes the known concepts of FCA and how it is generalized in this study. The section also describes the conditions for designing non-ITS Y00 systems and ITS Y00 systems, reiterating known results [16]-[19] in terms of the security breach time. Even if the Y00 system is implemented to be ITS, Eve's success probability increases over time; hence, Section V describes how the Y00 system securely exchanges fresh keys. Section VI describes the remaining problem, while Section VII states the conclusions.

BRIEF DESCRIPTION OF PRINCIPLES OF Y00 PROTOCOL
This section describes the differences between conventional stream ciphers and quantum-noise-randomized stream ciphers, such as the Y00 protocol.

A. BRIEF DESCRIPTION OF CONVENTIONAL MATHEMATICAL STREAM CIPHERS
Let Set(V) denote the set of possible values of a variable V, and let |Set(V)| denote the number of elements in Set(V).
Conventional stream ciphers expand an initial short key k ∊ Set(K) into a longer keystream s ∊ Set(S) by a pseudo-random-number generator (PRNG). If the KPA is longer than the period of s, it completely reveals s. Alice sends her message x ∊ Set(X) encoded into her ciphertext c ∊ Set(C) by Then, Eve can recover k, irrespective of the complexity of the key-expansion algorithm, because the key expansion is deterministic and Eve knows the PRNG, according to Shannon's maxim. In terms of conditional probabilities, In terms of Shannon entropy,

B. PRINCIPLE OF THE Y00 PROTOCOL
To start the Y00 protocol, Alice and Bob must share secret keys, k and Δk. is even or odd and also does not know x(t).
When Eve can launch a KPA longer than TLCM, which is the least common multiple (LCM) of the PRNGs' periods in a Y00 system, she launches an optimal measurement to guess the most probable shared keys. Accordingly, in such a case, the quantum detection theory for multiple-hypothesis testing is required to evaluate the security of the Y00 protocol.

C. SECURITY FRAMEWORK OF THE Y00 PROTOCOL
Shannon proved the necessary condition of perfect secrecy in his Theorem 6 [24] as After Shannon's perfect secrecy, Wyner showed that almost perfect secrecy could be maintained if the channel to Eve is noisy enough [25]. Such a degradation for Eve is realized only at the physical layer [26]. However, the property of the noise on the wire-tap channel is unknown in general, especially when Eve has no restrictions on her capability except the laws of physics.
In the case of a Y00 system, the property of the noise depends on the implementation of the system. Eve cannot avoid quantum noise when eavesdropping on ideal Y00 systems because of the overlapping quantum noise caused by the Born rule, as described in Section IV. Consider the following simplified situation. Alice and Bob communicate by a stream cipher In contrast, Eve receives a ciphertext CE with an error pattern E caused by the noise as From (8), Eve would be able to recover S if she knew E and X and had observed CE. Hence, ( ) However, because Eve never knows E, ( ) ( ) ( ) The equality in (10) holds only when E is a deterministic function of CE and X, which never happens until (8) is satisfied, except when Eve can estimate S by algebraic attacks such as FCA, corresponding to the security analysis by equations (6)-(8) in a previous study [6]. The derivation of (10), as well as the reason why the FCA succeeded, is given in Appendix A.
Hence, the ideal Y00 protocol never allows Eve to obtain S, or K, deterministically, which is significantly different from the conventional stream ciphers in Section II.A. Therefore, (10) suggests that an ideal Y00 system is ITS.
Strictly speaking, von Neumann entropy is more suitable than Shannon entropy because Eve is supposed to store the wire-tapped quantum states in her quantum memory. However, Eve must measure her memory to obtain the most likely results. Therefore, Shannon entropy is sufficient because the measured results are classical. This point is discussed in Section IV.E.
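A toy numerical check of the argument at (8)-(10), added here as an example and not taken from the paper: with a small assumed Y00-style level mapping and an assumed uniform discrete noise standing in for the quantum noise, exact conditional entropies show that H(S | CE, X, E) = 0 while H(S | CE, X) grows with the noise spread, and collapses to zero when the noise does not hide the levels (the situation FCA exploits, Section IV.A).

```python
import math
from collections import defaultdict
from fractions import Fraction

# Constructed toy model (added example, not from the paper). Assumptions:
#  - 2M signal levels 0..2M-1; the keystream symbol s selects a level.
#  - Assumed simplified Y00-style mapping: the bit x is XORed with the parity
#    of s and, if the result is 1, the level is shifted by M (mod 2M).
#  - Eve observes c_E = level + e (mod 2M) with e uniform on [-spread, spread];
#    this uniform pmf is only a stand-in for the real quantum noise.

def encode_level(s, x, M):
    """Level Alice transmits for keystream symbol s and plaintext bit x."""
    return (s + M * (x ^ (s % 2))) % (2 * M)

def noise_pmf(spread):
    """Discrete, symmetric error-pattern distribution Pr(e)."""
    n = 2 * spread + 1
    return {e: Fraction(1, n) for e in range(-spread, spread + 1)}

def joint_pmf(M, spread):
    """Exact joint pmf over (s, x, e, c_E) with s and x uniform and independent."""
    joint = defaultdict(Fraction)
    for s in range(2 * M):
        for x in (0, 1):
            for e, p_e in noise_pmf(spread).items():
                c_e = (encode_level(s, x, M) + e) % (2 * M)
                joint[(s, x, e, c_e)] += Fraction(1, 4 * M) * p_e
    return joint

S, X, E, CE = 0, 1, 2, 3   # positions of the variables inside a joint-pmf key

def cond_entropy(joint, target, given):
    """H(target | given) in bits, computed exactly from the joint pmf."""
    p_tc, p_c = defaultdict(Fraction), defaultdict(Fraction)
    for key, p in joint.items():
        cond = tuple(key[i] for i in given)
        p_tc[(key[target], cond)] += p
        p_c[cond] += p
    return -sum(float(p) * math.log2(float(p / p_c[c])) for (t, c), p in p_tc.items())

def eve_entropies(M, spread):
    """Return (H(S | C_E, X), H(S | C_E, X, E)): the two sides compared in (9)-(10)."""
    joint = joint_pmf(M, spread)
    return (cond_entropy(joint, S, (CE, X)), cond_entropy(joint, S, (CE, X, E)))

if __name__ == "__main__":
    for spread in (0, 1, 2):
        h_without_e, h_with_e = eve_entropies(4, spread)
        print(f"spread={spread}: H(S|CE,X)={h_without_e:.3f} bits, "
              f"H(S|CE,X,E)={h_with_e:.3f} bits (log2(2M)={math.log2(8):.3f})")
```

With spread 0 (levels not hidden) Eve's uncertainty about S vanishes exactly, which is the failure condition the paper attributes to badly designed mappings; as the spread grows, H(S | CE, X) rises toward log2(2M).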

D. OTHER CLASSES OF ATTACKS
The readers may wonder why this study treats only KPA while there are several classes of attacks, as follows.
1. Ciphertext-only attacks (COA): the attacker utilizes only the ciphertext to obtain the plaintext or the key.
2. Known-plaintext attacks (KPA): the attacker knows the plaintext and then tries to find the encryption key.
3. Chosen-plaintext attacks (CPA): the attacker can access the encryption system to obtain the pair of a known plaintext and the corresponding ciphertext.
4. Chosen-ciphertext attacks (CCA): the attacker can access the decryption system and injects ciphertext to obtain the corresponding plaintext.
In any class except COA, the attacker can obtain pairs of plaintext and corresponding ciphertext to perform key-recovery attacks on Y00 systems. Therefore, there is no significant difference between the unlimitedly long KPA in this study and the other cryptologic attack classes.

BRIEF DESCRIPTION OF QUANTUM DETECTION THEORY
This section describes how Eve utilizes her quantum memory and performs the optimal measurement.
The description shows that Eve's success probability in obtaining the correct keys never reaches unity.

A. BRIEF DESCRIPTION OF THE QUANTUM DETECTION THEORY
From this section onward, (s, Δx) ∊ Set(S, ΔX) is abbreviated as r ∊ Set(R) for simplicity. In the quantum detection theory, W(r, x) is a Hermitian risk operator, and is a set of Eve's optimal measurement operators that minimize her average error rate conditioned on the known x [20], [21]. The necessary-and-sufficient conditions of Eve's optimum E
( ) is determined, from the Cauchy-Schwarz inequality, Eve's average success probability with known x, denoted by −tr Γ(x), is maximized as follows [19].
[ ] The equality is satisfied when Eve can choose E
( ) Hence, Eve's average success probability attains (20) if and only if (21) is satisfied.

B. QUANTUM DETECTION FOR SEQUENTIAL COHERENT SIGNALS
To provide detailed analyses for the sequential Y00 signals, the over-completeness property of coherent states in (22) is required, with D(All) covering the entire complex plane. In (23), D(r | x) is an integration domain for signals originating from (r, x), satisfying (24)-(26).
( )  e E r x r e x r x .
Here, e is an error pattern from the correct r as a result of Eve's measurement operator

QUANTUM GENERALIZATION OF FCA AND SECURITY REQUIREMENTS
Our previous study [19] showed that the Y00 protocol would be secure against an unlimitedly long KPA under several assumptions. This section removes those assumptions to generalize FCA and evaluate the security of the Y00 protocol. Thus, the disadvantage of the Y00 protocol compared with QKD + One-Time Pad (OTP), described in Section IV.A of [27], would be removed.

A. BASIC CONCEPT OF FCA AND GENERALIZATION
The fundamental concept of the original FCA is as follows [16], [17].
1. Unless Map[‧] is designed well, some bits in r(t) are not sufficiently hidden in quantum noise.
2. Hence, it reveals some bits in the keystream from the linear feedback shift register (LFSR) to Eve.
3. Eve calculates the most likely seed key from the revealed bits in the keystream; some erroneous bits are even corrected by applying error-correction code.
Fig. 3 of [16] showed the above situation. Then, [17] formulated the attack scheme. However, if Map[‧] is well designed, quantum noise hides all bits in r(t) almost equally, as proposed in [17] and [18]. A numerical simulation is performed in [18].
However, note that the above countermeasure is against a specific attack on a certain Y00 implementation. More general attacks should exist.
To construct a more general attack, the assumptions listed in [19] must be removed as follows.
1. A Y00 system employs arbitrary PRNGs to expand the shared secret keys into r.
2. Map[‧] is not specified; however, some of the bits in r(t) may not be covered by quantum noise.
3. Eve guesses the most likely r by a collective measurement on her quantum memory, including known plaintext, which is different from an individual measurement on each signal in the original FCA.
All analyses are performed similarly to the discussions in Section II.

B. DETAILED DESCRIPTION OF GENERALIZED ATTACK
Here, NBreach is defined as follows: Therefore, in the generalized framework of FCA in this study, the known results [16], [17] are obtained under condition (34). Such Y00 systems cannot be ITS, irrespective of the complexity of the PRNGs' algorithms, as discussed in Section II.
In conclusion of this section, the generalization of FCA on Y00 systems is given in terms of information theory and probabilities under Eve's optimal quantum measurement, without any computational assumptions. It was shown that some Y00 systems are non-ITS if their implementations are invalid.

D. REQUIREMENTS ON ITS Y00 SYSTEMS
To implement an ITS Y00 system, the requirement is ∞ > NBreach ≥ 1. Therefore, If (35) is satisfied, then the right-hand side of (30) never reaches unity while ∞ > N ≥ 0, unlike the conventional stream ciphers described in Section II.A, although Eve's success probability increases asymptotically as time T increases. Therefore, the generalized framework of FCA in this study again recovers the known result [19].
Moreover, the following simple case satisfies the condition.
( ) The above result means that, irrespective of how long Eve launches the KPA, her guessing probability remains equal to her pure guessing probability because NBreach is infinite, although the condition may not be satisfied.
The above conclusions are analogous to an OTP with a non-IID key string. If the key string is far from IID, its statistical properties may give Eve a hint about the plaintext, corresponding to r in this work, because of the absence of (6).

E. EFFECT OF EVE'S LOCAL OPERATIONS
This section discusses whether Eve can obtain any advantage by her local quantum operations, including any trace-preserving completely positive (TPCP) maps on her quantum memory. Such quantum operations include classical operations as well. Hence, her optical amplification of the stolen signals is theoretically included.
Without her local operations, her optimal measurement is given by (18), which is repeated here. ( ) Therefore, the problem is whether tr ( ) Such a ΛE is rewritten as a unitary operator UEQ by adding a virtual ancilla Q to Eve's system.
The above conclusion sounds natural, since the Holevo quantity bounds the accessible information, while the quantum data-processing inequality, described by von Neumann entropy, tells us that the obtainable information degrades under TPCP maps.

F. NUMERICAL EXAMPLE
On the time scale of NBreach, her success probability reaches almost unity. Because her success probability must be sufficiently suppressed, the legitimate users must set a security threshold PTh at a certain level and then estimate the actual breach time of the shared key. However, NBreach is very sensitive to min_e Pr(e | r, x) when the users need a sufficiently long NBreach. Hence, in the actual situation, the parameters must be carefully estimated from the designs of the corresponding Y00 systems.

G. POSSIBLY BETTER IMPLEMENTATIONS
To realize a condition close to the ideal situation (36), the simple implementation described in Section II.B may not be sufficient.
A possible solution is to add a classical randomization technique named deliberate signal randomization (DSR). The security enhancement by this technique was originally obtained in a previous study [3]. Then, an implementation using an additional PRNG, called the "keyed DSR," was proposed [8], [11]. The concept of DSR is a modification of (4).
[ ] [ ] ( ) The PRNGs in Y00 systems must be chosen carefully. Recall that the Y00 systems described in this study consist of at least two PRNGs: one for s, to select the signal level, and the other for Δx, to scramble the plaintext x. It is well known that LFSRs do not even have good statistical properties, and a combination of several LFSRs shows correlations between them. At least statistically good PRNGs must be chosen, such as the Mersenne Twister [28] or TinyMT [29].

H. EFFECT OF TRUE-RANDOM DSR
By a true-random DSR, the pure states sent from Alice become mixed states for Eve, as follows: [ ] ( ) The above situation is similar to that in Section IV.E, in which Eve performs her local TPCP operations, resulting in her local quantum system becoming a mixed state. Hence, by a similar procedure, ( ) Because Section IV.E concluded that Eve's local TPCP operations never give her any advantage, by the same discussion the conclusion is −tr Γ′(x) ≤ −tr Γ(x) as well.

KEY-REFRESHMENT BY LEFTOVER HASHING IN QUANTUM NOISE
Section IV.D showed that Y00 systems would be ITS if their implementations are appropriate. However, Eve becomes more confident about the correct keys over time. Therefore, this section provides a method to refresh the shared keys between Alice and Bob before the Y00 system is threatened.

A. LEFTOVER HASH LEMMA
To share a set of fresh keys, Alice or Bob sends a random string x ∊ Set(X) instead of their messages, where x is an error-correction code containing a hash function h ∊ Set(H) and a seed key kR ∊ Set(KR) to generate (knew, Δknew) as follows.
Because Eve never knows X, her attack is now limited to a ciphertext-only attack (COA).
According to the ordinary leftover hash lemma (LHL) [30], [31], there exists a strong (τ, κ, ε)-randomness extractor that obtains a final key of length τ with Eve's min-entropy ( ) ) Note that CE is the ciphertext observed by Eve under the effect of quantum noise and DSR, which corresponds to X for the legitimate users.

B. OPTIMUM LEFTOVER HASHING
From (53)-(55), the upper bound of Eve's average guessing probability on H(KR) is The derivation of (56) is shown in Appendix C.
As discussed previously [32], [33], there is an optimum sacrifice amount in the LHL, as follows.
( ) If the final key is shorter than the above amount, it is considered "over-sacrificing," whereas if the final key is longer than the optimal final key, it is considered "under-sacrificing." Hence, ( The parameter PTh is the threshold discussed in Section IV.F.
In the case of the Y00 protocol, there is no classical channel to exchange h, unlike QKDs, in which h is openly known to Eve. However, she would still try to guess the most likely X based on her most confident keys, denoted by rE. Then, the following inequality is derived.
Then, instead of (57), the following is the optimal key length.
( ) Eve's corresponding guessing probability on H(KR) is Therefore, to obtain valid lengths of the fresh keys for the Y00 protocol, typically |knew| + |Δknew| = |h(kR)| = 256 or 512 bits, min r ( ) must be requested for the final key lengths, while Eve's guessing probability on H(KR) must be suppressed, as suggested by (61).
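As an added example (not the paper's code), the key-refreshment step of Sections V.A-V.B implemented with seeded Toeplitz hashing as the strong extractor. The output length τ follows the conservative ordinary-LHL bound τ ≤ κ − 2·log2(1/ε) rather than the paper's optimal amount (57)/(60), which this page does not reproduce; κ (Eve's min-entropy of x), ε, the byte-string inputs and the 128/128-bit split of (knew, Δknew) are assumptions.

```python
import math
import secrets

# Added example, not the paper's code. Assumptions: the error-corrected random
# string x is held as bytes by both parties; the seed key k_R supplies the bits
# of a Toeplitz matrix (a 2-universal family, so the leftover hash lemma
# applies); tau follows the conservative ordinary-LHL bound
# tau <= kappa - 2*log2(1/eps), with kappa = Eve's min-entropy of x (a design
# input here, not computed) and eps the tolerated distance from uniform.

def lhl_output_length(kappa_bits, eps):
    """Largest integer tau satisfying tau <= kappa - 2*log2(1/eps), or 0."""
    return max(0, math.floor(kappa_bits - 2 * math.log2(1.0 / eps)))

def bits_from_bytes(data, n_bits):
    """First n_bits of data as a list of 0/1 values, MSB first."""
    if n_bits > 8 * len(data):
        raise ValueError("not enough bytes for the requested number of bits")
    return [(data[i // 8] >> (7 - i % 8)) & 1 for i in range(n_bits)]

def toeplitz_extract(x_bits, seed_bits, tau):
    """Return T*x over GF(2) for the tau x n Toeplitz matrix with
    T[i][j] = seed_bits[i - j + n - 1]; seed_bits must hold tau + n - 1 bits."""
    n = len(x_bits)
    if len(seed_bits) != tau + n - 1:
        raise ValueError("seed must supply exactly tau + n - 1 bits")
    out = []
    for i in range(tau):
        acc = 0
        for j in range(n):
            acc ^= seed_bits[i - j + n - 1] & x_bits[j]
        out.append(acc)
    return out

def refresh_keys(x, seed, kappa_bits, eps, k_new_len):
    """Derive the fresh pair (k_new, dk_new) as bit lists: k_new takes the first
    k_new_len extracted bits, dk_new the remaining tau - k_new_len bits."""
    n = 8 * len(x)
    tau = lhl_output_length(kappa_bits, eps)
    if tau <= k_new_len:
        raise ValueError(f"LHL budget of {tau} bits cannot cover k_new plus dk_new")
    out = toeplitz_extract(bits_from_bytes(x, n),
                           bits_from_bytes(seed, tau + n - 1), tau)
    return out[:k_new_len], out[k_new_len:]

if __name__ == "__main__":
    # Constructed inputs: a 1024-bit string standing in for the error-corrected
    # random string x, and a fresh 1280-bit seed; kappa = 336 and eps = 2^-40
    # give tau = 256, matching the paper's typical |k_new| + |dk_new| = 256.
    x = bytes(range(128))
    seed = secrets.token_bytes(160)
    k_new, dk_new = refresh_keys(x, seed, kappa_bits=336, eps=2.0 ** -40, k_new_len=128)
    print(f"tau = {lhl_output_length(336, 2.0 ** -40)}, |k_new| = {len(k_new)}, "
          f"|dk_new| = {len(dk_new)}")
```

The seed plays the role of kR and must itself be fresh and secret to Eve, since in the Y00 setting h is not sent over a public channel.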

FUTURE REMARKS
In the key-refreshment process discussed in Section V, Eve may launch so-called "entangling probe attacks" to steal the fresh keys, as well as the initial keys discussed in Section VI.D of our previous study [27], by preparing her quantum system and then performing joint unitary operations on her system and the signal states between Alice and Bob. A further generalization is possible in which Eve keeps eavesdropping by the entangling probe attack during the key refreshment or initial key agreement, as well as by KPA during the message exchanges after the key refreshment, which corresponds to a coherent attack in QKDs.
The effect of such an attack on the Y00 protocol may be limited; however, an evaluation of the strength of such classes of attacks is required. At least in the key-refreshment process, the quantum minimax problem in [13], [34], [35] may be helpful: Alice and Bob exchange the keys with a prior probability chosen to minimize Eve's success probability, while Eve derives her optimal measurement operators to maximize her success probability.
In contrast, in the message-transmission processes, Eve would not require such a class of attacks because the plaintext is already available to her, whereas the purpose of the entangling probe attack in the context of QKDs is to steal the exchanged information.
Rather, the critical problem in this study is that the analyses do not give any concrete designs of Y00 systems, because all analyses were done abstractly to find the necessary condition for implementing ITS Y00 systems. Hence, they cannot guarantee whether existing Y00 systems are ITS either.
However, the study showed the possibility of, and the important parameter for, ITS Y00 systems. Further studies are required to evaluate the security of designed systems more easily than with the security parameter given in this study, which is hard to estimate.

CONCLUSIONS
This study showed the important security parameter required for Y00 systems to be ITS, and which parameter determines whether a designed Y00 system is non-ITS or ITS against an attacker who has unlimited computational power with the assistance of quantum memory and unlimitedly long known-plaintext attacks. The analyzed condition is called "collective attacks" or "coherent attacks" in the context of QKD protocols. The conclusion is that Y00 systems remain ITS under certain conditions explicitly provided in this study. Furthermore, this study showed that the attacker's confidence in the shared correct key set increases as time passes. Therefore, a method to refresh the sets of shared keys is proposed using the LHL. It had been believed that Y00 protocols are computationally secure. However, this study showed that ITS Y00 systems are possible by pointing out which parameters are important for designing ITS Y00 systems. To find the above requirement, the security analyses were done abstractly. Hence, the critical problem in this study is that the analyses do not give any concrete designs of ITS Y00 systems.
Hence, they cannot guarantee whether existing Y00 systems are ITS. However, the study showed the possibility of ITS Y00 systems and a direction for designing them. Further studies are required to evaluate the security of designed systems more easily than with the security parameter given in this study, which is hard to estimate.

A. DERIVATION OF (10)
From the equality between conditional and joint entropies, ( An inequality between a conditional entropy and the entropy with additional information gives The equality is satisfied only when E is a deterministic function of CE and X, irrespective of what S is.
Such a situation occurs when a sufficient number of bits in S are not hidden well enough under quantum noise; then Eve can correct errors by simulating the system and estimating the error patterns, using an error-correcting code with the LFSR, leading to successful FCAs [16], [17].
the convenience in security analyses discussed in Section IV. Set[E(r | x)] is the set of error patterns e originating from r conditioned on x.
Let us denote the duration of the KPA as T = N·TLCM and the number of occurrences of error pattern e during T as n(e | x, r). Then, = TLCM log2(2M) is the length of the error patterns e. Then, Eve's success probability Pr( | , ) is a set of {n(e | r, x)} whereby the detected state originates from r under known x, and its complementary set is Ω^C(r | x) := Ω(All) − Ω(r | x). The upper bound of Pr(r | r, x) is

M d) is uniform, Pr(d) = M^(−T). Thus, Eve's success probability tr ( ) ′ r x as follows: the following summation with Ω(All) as the set of all patterns of {n(e | r, x)} with the total being N. Denote the set of possible signal sequences originating from the shared key stream r as ( | ) (r | x, r) is strictly less than unity unless |Ω(r | x)| = |Ω(All)|; the size |Ω(r | x)| must be Pr(r)(2M)^T because there are (2M)^T patterns of possible detected signal sequences, which suggests |Ω(All)| = (2M)^T. Hence, (29)-(31) are derived by letting n(e | r, x) = N for min_e Pr(e | r, x), as follows.
on the last side of (72) shows,