Guessing probability under unlimited known-plaintext attack on secret keys for Y00 quantum stream cipher by quantum multiple hypotheses testing

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Although quantum key distribution is regarded as a promising form of secure communication, the security of the Y00 protocol, proposed by Yuen in 2000 for its affinity to conventional optical communication, is not yet well understood; its security has been evaluated only through the eavesdropper's error probabilities in detecting individual signals, or through the masking size, the number of signal levels hidden under quantum and classical noise. Our study is the first attempt to evaluate the guessing probabilities of the shared secret keys for the pseudorandom number generators in a simplified Y00 communication system, based on quantum multiple hypotheses testing theory. The result is that even an unlimitedly long known-plaintext attack lets the eavesdropper guess shared secret keys of limited length only with a probability strictly < 1. This study will give some insights for detailed future work on this quantum communication protocol.


💡 Research Summary

The paper investigates the information‑theoretic security of the Y00 (also known as αη) quantum stream cipher, focusing on the probability that an eavesdropper (Eve) can correctly guess the shared secret keys when she is allowed an unlimited known‑plaintext attack (KPA). While previous work on Y00 has largely been limited to evaluating single‑signal error probabilities or the “masking size” (the number of signal levels hidden by quantum and classical noise), this study is the first to apply quantum multiple‑hypothesis testing theory to the problem of key recovery.

The authors begin by recalling Shannon’s perfect secrecy condition and the later concepts of “guessing secrecy” and “worst‑case guessing secrecy.” They then contrast conventional stream ciphers, where a known‑plaintext attack instantly reveals the entire keystream (and thus the secret key), with Y00, which hides the keystream in a set of M‑ary coherent states that are further randomized by quantum noise. In Y00, a secret key k and a secondary key Δk are fed into two pseudo‑random number generators (PRNGs) to produce streams s and Δx. These streams are chopped into log₂M‑bit blocks, mapped to M‑ary symbols, and combined with the message bit x(t) to generate a coherent state ρ(m(t)). Bob, who knows the mapping, can decode with an optimal threshold; Eve, lacking the mapping, must discriminate among 2M possible quantum states that are overlapped by noise.
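As an added illustration (not code from the paper), the following simulation models the masking effect described above with a classical stand-in for the quantum noise: Bob, who knows the basis index from the PRNG, only has to separate two antipodal states, while Eve under a known-plaintext attack must pick the right basis among M closely spaced candidates. The PRNG, the Gaussian phase-noise model and the parameter values are assumptions chosen for illustration.

```python
"""Simplified Y00 (alpha-eta) signalling with Gaussian phase noise.

Added illustration, not the paper's model: quantum noise on the coherent
states is approximated by classical Gaussian phase noise of std SIGMA.
"""
import math
import random

M = 64        # number of bases; 2M signal levels on the phase circle
LOG2M = 6     # bits per PRNG block, log2(M)
SIGMA = 0.2   # phase-noise std (rad); adjacent levels are pi/M ~ 0.049 rad apart

def prng_blocks(key: int, n: int) -> list[int]:
    """Stand-in PRNG: expand a key into n blocks of log2(M) bits (basis indices)."""
    rng = random.Random(key)          # assumption: any keyed PRNG would do here
    return [rng.getrandbits(LOG2M) for _ in range(n)]

def level(m: int, x: int) -> int:
    """Basis m holds two antipodal states; the bit-to-state assignment flips
    between odd and even bases, so neighbouring levels carry opposite bits."""
    return m + M * (x ^ (m & 1))      # level index in [0, 2M)

def phase(l: int) -> float:
    return math.pi * l / M

def ang_dist(a: float, b: float) -> float:
    d = (a - b) % (2 * math.pi)
    return min(d, 2 * math.pi - d)

def masking_size() -> int:
    """Rough count of signal levels lying within +/- SIGMA of the sent phase."""
    return round(2 * SIGMA / (math.pi / M))

def simulate(key: int, message: list[int], seed: int = 1) -> dict:
    """Send `message` under `key`; return Bob's bit-error rate and Eve's
    basis-recovery error rate under a known-plaintext attack."""
    noise = random.Random(seed)
    bases = prng_blocks(key, len(message))
    bob_err = eve_err = 0
    for m, x in zip(bases, message):
        y = phase(level(m, x)) + noise.gauss(0.0, SIGMA)   # received phase
        # Bob knows m: decide between the two antipodal states of basis m
        x_hat = min((0, 1), key=lambda b: ang_dist(y, phase(level(m, b))))
        bob_err += x_hat != x
        # Eve knows x but not m: nearest of the M states consistent with x,
        # whose spacing is comparable to the noise, so she mostly guesses wrong
        m_hat = min(range(M), key=lambda c: ang_dist(y, phase(level(c, x))))
        eve_err += m_hat != m
    n = len(message)
    return {"bob_ber": bob_err / n, "eve_basis_error": eve_err / n}
```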

The core of the analysis reformulates Eve’s measurement problem as a Bayesian quantum multiple‑hypothesis test. Measurement operators E(s,Δx|x) are defined, together with a Bayes cost C. The authors derive the risk operators W and the necessary‑and‑sufficient optimality conditions (Eqs. 14‑16). They first consider an idealized “error‑free” scenario in which Eve could perfectly discriminate the states; under this unrealistic assumption the success probability would be 1, showing that the quantum noise is essential for security. In the realistic noisy case, they prove via inequalities (Eqs. 31‑34) that the probability of correctly identifying the pair (s,Δx) is strictly less than 1.

Because the pair (s,Δx) repeats with a period equal to the least common multiple (LCM) of the two PRNG periods, Eve can collect measurement data over N·T_LCM intervals. The paper shows that each interval yields an independent 2^(|K|+|ΔK|)‑ary hypothesis test (one hypothesis per possible key pair), so after N repetitions Eve’s posterior distribution over the possible (s,Δx) patterns is still confined to this finite set. Using Bayes’ criterion, the authors define a decision threshold n_Th (Eq. 46) that determines when Eve would switch her guess to the most likely hypothesis. Importantly, n_Th grows only logarithmically with N and remains bounded, meaning that even with unlimited data Eve’s success probability never reaches unity.

Consequently, for the typical parameter choice of 128‑bit secret keys (|K| = |ΔK| = 128), the maximum guessing probability is bounded away from 1. The protocol therefore offers information‑theoretic security: the quantum noise guarantees that the key cannot be deterministically recovered, unlike conventional stream ciphers where a KPA trivially breaks the system.

The authors acknowledge that the security degrades gradually as more data are accumulated, implying that keys must be refreshed before the accumulated statistics make the guessing probability unacceptably high. They also note that the analysis assumes idealized PRNGs and perfect knowledge of the mapping (Kerckhoffs’s principle), and ignores additional randomizations such as DSR and DER, which would only strengthen security.

In summary, the paper provides a rigorous quantum‑hypothesis‑testing framework for evaluating key‑guessing probabilities in Y00 under unlimited known‑plaintext attacks, demonstrates that the success probability remains strictly less than one, and highlights the practical requirement of periodic key renewal to maintain security in real‑world deployments.

