Unconditionally Secured Classical Cryptography Using Quantum Superposition and Unitary Transformation
Unconditionally Secured Classical Cryptography Using Quantum Superposition and Unitary Transformation
Unconditionally Secured Classical Cryptography Using Quantum Superposition and Unitary Transformation
Abstract
Over decades quantum cryptography has been intensively studied for unconditionally secured data
transmission in a quantum regime. Due to the quantum loopholes caused by imperfect single photon
detectors and/or lossy quantum channels, however, the quantum cryptography is practically inefficient
and even vulnerable to eavesdropping. Here, a method of unconditionally secured key distribution
potentially compatible with current fiber-optic communications networks is proposed in a classical
regime for high-speed optical backbone networks. The unconditional security is due to the quantum
superposition-caused measurement indistinguishability of a paired transmission channel and its
unitary transformation resulting in deterministic randomness corresponding to the no-cloning theorem
in a quantum regime.
Introduction
In (classical) cryptographic technologies, there are two major versions: One is symmetric key-based
private cryptography, and another is asymmetric key-based public one [1]. The public cryptography is
called RSA and has become prevalent now, where its security relies on non-polynomial computational
complexity of prime number factorization. Thus, the classical cryptography has been focused on the
developments of efficient encrypting algorithms requiring more computing recourses in crypto-
analysis. This is why the RSA key size has been continuously increased over decades, and now it is as
long as 2048 bits [1]. As Internet traffic rapidly increases recently, information security has gained
much more attention to protect the data from potential eavesdropping. Although the security of
classical (public) cryptography looks good to some extent, it is basically conditional (or breakable)
and even vulnerable to a quantum computer [2].
Quantum key distribution (QKD) belongs to the symmetric key-based private cryptography, and
its security relies on how to distribute the keys rather than how to generate them. QKD has gained its
importance due to theoretically confirmed unconditional security by Heisenberg’s uncertainty
principle in quantum mechanics [3]. Specifically the unconditional security of QKD is based on no-
cloning theorem [4], resulting from quantum superposition between paired conjugate (non-orthogonal)
variables used for bases of a quantum key [5]. The unconditional security of QKD, however, is not
guaranteed in practice due to the quantum loopholes based on imperfectness of a single photon
detector [6-12] and/or a quantum channel [12]. The detection loophole with the channel loss affects all
QKD protocols based on single photons [5-7], entangled photon pairs [8-11], and coherent continuous
variables [12]. As a result, QKD is practically fragile to eavesdropping unless the quantum loophole is
completely closed [13]. Thus, the unconditional security of QKD has become a practical matter,
resulting in the unrealistically low key rate. For example, in a standard optical fiber whose loss is 10-2
per 100 km, the actual quantum bit rate (QBR) drops down to 10-4, resulting in kilo~Mega-bits per
second (bps) depending on the single/entangled photon generation rate [10]. Besides, technical
difficulties in single-photon or entangled photon-pair generations make current QKD highly
impractical. Most of all, current QKD is not compatible with conventional (classical) networks mainly
due to nonlinear effects violating the no-cloning theorem. As a result, the transmission distance in
QKD through an optical fiber is severely limited unless quantum repeaters are implemented [14].
Historically one-time-pad (OTP) has been proposed for an ideal communication system
satisfying unconditional security, where the key is equivalent or longer than the data in length and
must be used only one time [15]. Any existing cryptographic technologies, thus, do not support OTP
1
simply due to either the low key rate or conditional security, while the classical data traffic rate in
current fiber-optic communications backbone networks is more than 10 Gbps per channel, and its
transmission is unlimited. Here, a completely different concept of unconditionally secured
cryptography is proposed in a classical regime to overcome the limitations in both classical and
quantum cryptographies and to support OTP. The proposed cryptography is safe from all kind attacks
and quantum computers because its security is based on perfect randomness and measurement
immunity.
Unlike QKD, the unconditional security in the proposed cryptography is provided by quantum-
superposed transmission channels such as in a typical Young’s double-slit experiment. As is well
known, the Young’s double-slit experiment is satisfied by both coherence (wave nature) [16,17] and
incoherence (particle nature) optics [18], and the double slit can be replaced by a beam splitter (BS) in
a Mach-Zehnder interferometer (MZI). In this paper, we focus on the classical nature of light
(coherence optics) rather than the quantum nature to satisfy its classicality in both fundamental
physics and potential applications. Compared with non-orthogonal basis set of a single photon in
QKD, the orthogonal basis set of bright coherent light in the proposed cryptography has technical
advantages to fit coming information era in terms of speed and compatibility. The key concept of the
Young’s double-slit experiments is in the measurement indistinguishability satisfied by both
coherence (classical) and incoherence (quantum) physics. In other words, the state of a light such as a
phase and a polarization cannot be measured definitely in MZI channels due to quantum superposition,
resulting in prefect randomness in a binary system. According to the Shannon’s information theory,
the prefect randomness is equivalent to no eavesdropping or unconditional security [19]. To prove the
unconditional security of the proposed cryptography, we present, analyze and discuss the fundamental
physics of how to generate and distribute a perfect randomness-based key in a measurement-immune
condition. Reminding of that QKD is the only method satisfying the unconditional security in key
distribution using quantum mechanics, it is counterintuitive to perform the same function in a classical
manner. This is the quintessence of the present paper.
As a physical infrastructure of the proposed unconditionally secured classical cryptography, a
MZI scheme is used for the real transmission lines to realize both randomness-based key generation
and unconditionally safe distribution via quantum superposition and unitary transformation (discussed
in Figs. 1~3). It should be noted that MZI itself has already been used for some QKD protocols for
encoding (for a sender) and decoding (for a receiver) through single transmission line [20-22], but it
has nothing to do with the proposed one relied on double transmission lines with classical light. In the
case of single-core fibers comprising the MZI scheme, the phase stability between them has already
been proved for a km distance range by using a common locking technique [23]. Locking delicate
noisy environments caused by temperatures, vibrations, and air fluctuations has also been proved in a
free space for a 4-km distance range [24]. Technically the MZI stability issue is now closed and can
be applied for a much longer traveling distance.
To understand the fundamental physics of the proposed cryptography, firstly, we present
eavesdropping randomness and transmission directionality in an ideal MZI scheme. Then, round-trip
MZI physics is analyzed for unitary transformation for engenvalue controllability. The unitary
transformation in the proposed protocol is fulfilled with non-canonical (orthogonal) phase bases to
satisfy a classical regime. The round-trip MZI-physics is then discussed for deterministic randomness,
in which the key generation is random to eavesdroppers but deterministic to both sender and receiver.
The deterministic randomness equivalent to the no-cloning theorem in QKD in a technical point of
view is achieved classically via random shuffling of the eigenvalues in the MZI unitary transformation.
Finally, the classically unconditional key distribution protocol is presented and discussed for potential
attacks and future fiber-optic applications. This classically achieved unconditional security (perfect
randomness in eavesdropping) surpassing QKD and RSA has never been discussed before and thus
opens a door to the future information era.
Results
2
The phase shifter Φ in a MZI scheme of Fig. 1(a) is for a random basis selection between two
orthogonal phase bases 0 and p. For the MZI unitary transformation, universal quantum gate
operations have already been presented in a phase shifter-coupled MZI in a quantum regime [25].
Compared with nonorthogonal bases in QKD resulting in randomness according to the Heisenberg’s
uncertainty principle, the orthogonal bases in the proposed classical cryptography play the same role
of the randomness in a classical regime (discussed in Figs. 2 and 3). For coherence optics with bright
light fields, the split lights E3 and E4 on the first BS are perfectly coherent regardless of the bandwidth,
intensity fluctuation, and phase noise of E1. For incoherence optics with single photons, intensity
correlation (or 4th order interference) has been proved for photon anti-bunching of the particle nature
in a quantum regime [26]. These two different roles of BS have been intensively discussed for
complementarity in quantum mechanics, where both phenomena cannot be dealt with simultaneously.
The present protocol is for coherence optics but not excludes the particle nature of incoherence optics,
either.
The BS matrix, [BS], was firstly discussed in 1979 by Degiorgio [16] and generalized in 1980 by
Zeilinger [17], where there exists a p/2 phase shift between the split lights, the transmitted (E3) and
the reflected (E4) for 𝜑 = 0 (see Fig. 1):
[𝐵𝐵] =
1 1 𝑖
� �, (1)
√2 𝑖 1
𝐸 𝑖𝑖
where, 𝐸3 = 12 and 𝐸4 = 21 . There is no way to measure the absolute phase of traveling lights in
√ √
the MZI channels unless E1 is known. In other words, the measurement randomness in MZI channels
is self-sustained by physics. Here, any measurement in the MZI channels also violates the
indistinguishability in quantum superposition regardless of coherence or incoherence optics. This
means that the channel measurement itself causes a fringe shift in the output interference pattern
between E5 and E6. The relative phase measurement without fringe shift may be technically possible
in an ideal system [27], but useless in crypto-analysis without knowing the input light (E1) due to 50%
chance in success (randomness). This randomness in eavesdropping represents no information
withdrawal [19]. The path superposition of MZI channels, thus, becomes the origin of the
unconditional security of the proposed protocol for a classical regime.
Fig. 1. Deterministic randomness in MZI. (a) MZI with a phase shifter Φ (𝜑): M, Mirror; BS,
beam splitter. Ei indicates light field in each region i. (b and c) Visibility Vi,j (solid curve):
𝐼 −𝐼
𝑉𝑖,𝑗 = 𝑗 𝑖. Ei, coherent light pulse; Ii is the intensity of Ei. 𝐼𝐼𝑖,𝑗 is the interference between 𝐸𝑖
𝐼 +𝐼
𝑗 𝑖
and 𝐸𝑗 in the unit of I0. The green and red dots refer to the basis 𝜑 = {0, 𝜋}.
In a typical MZI scheme of Fig. 1(a), each mirror generates the same phase shift in each path,
resulting in perfect phase cancellation. The original light pulse E1 generated by a commercial laser
system hits on the first BS and split into two, E3 and E4. The split lights E3 and E4 are perfectly
coherent each other in principle. This robust coherence of MZI even works for a single photon whose
phase is random as an upper bound [23,27]. The random 𝜑 −phase control for E3 is provided by Bob
3
using his phase shifter Φ, where the phase basis is binary and orthogonal: 𝜑 = {0, 𝜋}. In Fig. 1(a), the
MZI matrix representation with a phase shifter Φ is denoted by:
𝑖𝑖
1 (1 − 𝑒 ) 𝑖(1 + 𝑒 𝑖𝑖 )
[𝑀𝑀]φ = � �, (2)
2 𝑖(1 + 𝑒 𝑖𝑖 ) −(1 − 𝑒 𝑖𝑖 )
1 0
where [Φ] = � � and [𝑀𝑀]𝜑 = [BS][Φ][BS]. For 𝜑 = 0, the output lights at the second BS
0 𝑒 𝑖𝑖
become unidirectional into E6: 𝐸6 = 𝑖𝐸1 ; 𝐸5 = 0. The phase factor “i” in E6 indicates a phase gain
via MZI with respect to the input light E1. For 𝜑 = 𝜋, the output light direction is switched into E5:
𝐸5 = 𝐸1 ; 𝐸6 = 0. As shown in Fig. 1(b) (see green and red dots in the solid curve), the output
directionality in MZI is predetermined depending on the phase basis.
Allowing Eve to copy the traveling lights through MZI channels without altering the output
interference fringe, the eavesdropping analysis in both visibility and interference between E3 and E4
proves the basic physics of measurement randomness: see Fig. 1(c). The orthogonal 𝜑−values used
for distinct visibility in Fig. 1(b), however, represent complete indistinguishability in the
eavesdropping measurement. This 𝜑−independent visibility in Fig. 1(c) is somewhat obvious owing
to phase independency in measurements: |𝐸3 |2 = |𝐸4 |2 . The measurement randomness is due to the
fundamental physics of quantum superposition between two paths (phases) of MZI and corresponds to
the no-cloning theorem in QKD. Even if Eve is highly sophisticated in eavesdropping with the same
measurement tool as Alice’s, Eve’s success rate is 50% in average, resulting in perfect randomness
like ideal coin tossing because the λ−limited phase change cannot be controlled in two independent
systems (Bob-Alice & Bob-Eve; see Fig. 2) simultaneously: Further discussions are given in
Discussion section.
Fig. 2. A schematic of PCD-MZI for OKD. LD, Laser; OM, optical modulator; Ai, detector at Alice
side; Bi, detectors at Bob’s side; BS, 50/50 unpolarized beam splitter; M, mirror; Φ, Bob’s phase
controller; Ψ, Alice’s phase controller; OD, optical delay; Eve, eavesdropper.
Figure 2 shows a schematic of the proposed protocol based on a round-trip MZI scheme, where
the result of [𝑀𝑀]2𝜑 is the identity matrix for 𝜑 = 𝜓 (see Section 1 of the Supplementary
information):
4
[𝑀𝑀]2𝜑 = (−𝑒 𝑖𝑖 ) �1 0�. (3)
0 1
From equation (3), it is clear that a typical MZI system satisfies unitary transformation regardless of
𝜑 if 𝜑 = 𝜓. The physical meaning of the identity matrix in equation (3) implies a time-reversible
process as in a memory, where this phenomenon has been discussed for both quantum optics [28,29]
and classical optics [30,31]. Here, the global phase in equation (3) has nothing to do with a
measurement value or unitary transformation.
In the round-trip MZI configuration of Fig. 2, the phase shifter Ψ (Φ) is supposed to be invisible
to the outbound (inbound) lights E5 and E6 (E9 and E10). For the key distribution, firstly, Bob prepares
a key for Alice via random choosing of the phase basis 𝜑 ∈ {0, 𝜋} and sends it to Alice via MZI
channels. According to the MZI theory discussed in equation (2) and Fig. 1, Alice at the output port
surely knows what Bob’s random choice was by measuring her visibility VA (=V5,6): MZI directional
determinacy. For example, if Alice detects A2 click for E5 (𝑉5,6 = −1) as shown in Fig. 1(b) (see the
red dot), she definitely knows what Bob prepared is 𝜑 = 𝜋 representing the key ‘1’, unless network
error occurs: see Table 1(a) in details.
Table 1. Visibility measurement-based key distribution in PCD-MZI. (a) Alice’s visibility VA,
(b) Bob’s visibility VB, (c) key sharing via deterministic randomness: 𝑉𝐴 = 𝑉5,6 ; 𝑉𝐵 = 𝑉9,10 ;
𝐼 −𝐼
𝑉𝑖𝑖 = 𝑗 𝑖
𝐼 +𝐼
𝑗 𝑖
For the reflected light of E5 and E6, Alice randomly selects her phase basis 𝜓 ∈ {0, 𝜋} for her
phase shifter Ψ and sends them back to Bob via the same MZI channels. The 𝜓 −set inbound light
E8 together with E7 is now going back through the same MZI, resulting in the final output lights, E9
and E10 at Bob’s side. The matrix [BH] for the return light of E9 and E10 in Fig. 2 is represented by:
𝑖𝑖
1 −(𝑒 + 𝑒 𝑖𝑖 ) 𝑖(𝑒 𝑖𝑖 − 𝑒 𝑖𝑖 )
[𝐵𝐵]𝜓/φ = [𝑀𝑀]𝜓 [𝑀𝑀]φ = � �, (4)
2 −𝑖(𝑒 𝑖𝑖 − 𝑒 𝑖𝑖 ) −(𝑒 𝑖𝑖 + 𝑒 𝑖𝑖 )
𝐸 𝐸
where � 9 � = [𝐵𝐵]𝜓/φ � 1 �. From equation (4), all four possible [BH] matrices are obtained:
𝐸10 0
where each of them satisfies either identity (E9) or inversion (E10) relation: see Table 1(b) in details.
Thus, Bob also surely knows which phase basis was set by Alice by observing his detectors B3 and B4
for visibility V9,10 (=VB). Then, the key is set deterministically if and only if the identity matrix is
satisfied (𝜑 = 𝜓): see Table 1(c) in details. Unlike mandatory sifting in QKD, Bob and Alice do not
need to communicate with their measurement results. Although the key setting is inner shared with
100% sureness in an errorless MZI system, it is perfectly random to an eavesdropper Eve due to the
measurement randomness as discussed in Fig. 1: deterministic randomness. Here, the MZI
randomness in Fig. 1 is of course not sufficient to classical cryptography due to the memory-based
attack (see Discussion). To protect it from this classical attack an additional action such as QKD-like
sifting or network initialization must be given (discussed later). The deterministic randomness in Fig.
2 offers a significant feature of unconditional security to a classical regime. The discarded keys
(𝜑 ≠ 𝜓) are of course used for network monitoring of eavesdropping (discussed in Fig. 3).
As shown in Table 1(b), the identity matrix of equations (5-1) and (5-2) is achieved if Alice
chooses the same basis as Bob does (𝜑 = 𝜓), and it is maximally distinguished from the inversion
case of 𝜑 ≠ 𝜓. Even though the identical basis (𝜑 = 𝜓) results in the same value of 𝑉𝐵 = −1 (see
the diagonal values), Bob surely knows what Alice’s choice is because he has prepared the key with
𝜑: see also Table 1(c). Table 1(c) summarizes the key distribution determinacy in the proposed
cryptography.
Figure 3 shows numerical calculations for Fig. 2 using equation (4). For the identity matrix of
equations (5-1) and (5-2) with 𝜑 = 𝜓, the visibility of 𝑉9,10 (𝑉𝐵 ) = −1 confirms the deterministic
key distribution as shown in Figs. 3(a) and 3(b) (see the green and red dots). For the inversion matrix
of equations (5-3) and (5-4) with 𝜑 ≠ 𝜓, the visibility of 𝑉9,10 = +1 also confirms network
monitoring (see the open circles).
Fig. 3. Numerical proofs for OKD in Fig. 2. (a and b) Visibility V9,10 for key distribution between
Alice and Bob. The dashed and dotted curves are interference I9,10 for 𝜑 = 0 and π, respectively.
(c and d) The same value of interference IN7,8 shows eavesdropping randomness. Green and Red
dots indicate random keys set by Alice with ψ ∈ {0, 𝜋} for 𝜑 = 𝜓. The open circles in (a) and (c)
𝐼 −𝐼
represent for discarded keys by Alice (see also open circles in (b)). Visibility 𝑉𝑖𝑖 = 𝑗 𝑖: Ii is the
𝐼 +𝐼
𝑗 𝑖
intensity of Ei.
6
As analyzed in Fig. 1(c) for eavesdropping randomness in MZI, the same analysis is performed
for the return lights, E7 and E8 for indistinguishability, where the lights in both MZI paths have the
same amplitude but different phase determined by 𝜑 and 𝜓:
𝐸7 𝑖𝑖
𝑖𝑒 𝑖𝑖 � �𝐸1 �.
� = 2 �−𝑒𝑖𝑖
1
� (6)
𝐸8 √ 𝑖𝑒 −𝑒 𝑖𝑖 0
As shown in Figs. 3(c) and 3(d), the matrix analysis of equation (6) for indistinguishability is
numerically proved in both interference (IN7,8) and visibility (V7,8) (see the same value for different
bases). Recalling the indistinguishability in the MZI path measurements in Fig. 1(c), Eve’s
measurement for the return lights (E7 and E8) reveals the same randomness: Eve never knows what
basis is chosen by Alice as well as Bob due to the random basis selections as well as measurement
indistinguishability in the superposed paths of MZI. This is the essence of the proposed cryptography
using quantum superposition of MZI paths. The deterministic random key distribution process
analyzed in Figs. 2 and 3 shows potential OTP applications owing to the compatibility with classical
physics including duplication and amplification (see Discussion).
Except only for the keys denoted in green and red dots in Fig. 3(a), all others are considered as
network errors caused by such as environmental noises and eavesdropping trials. Thus, Fig. 3(a) can
be used as a bit error rate (BER) map. If Eve is successful for a safe measurement in both channels of
MZI without the fringe shift, she can brutely scan her interferometer until a distinctive fringe patterns
are observed. This brute force trial appears as a single curve in the BER map such as in Fig. 3(b).
Even in this case, the probability of exact matching with the original one of Fig. 3(b) is 50% in
average because there is no way to know exact MZI configuration due to independency of both
systems. Thus, Eve’s eavesdropping chance is random as in coin tossing. Here it should be noted that
the random eavesdropping chance by Eve is, however, consistent to all bits, resulting in a room for a
memory-based attack in classical crypto-analysis: see the memory-based attack in Discussion. By the
way, the phase selection by both parties may be performed using a random number generator [32].
[Sequence]
1. Bob randomly selects his phase basis 𝜑 ∈ {0, 𝜋} to provide a 𝜑 −controlled coherent light
pulse via the phase shifter Φ and sends it to Alice. Here, the 𝜑 −controlled light can be either
individual or an N-bit chain for a batch job.
2. Bob converts his chosen 𝜑 into a key set {𝑥} for a record: x ∈ {0,1}, where x = 0 if 𝜑 = 0
and x = 1 if 𝜑 = 𝜋.
3. Alice measures her detectors A1 and A2 for visibility VA to copy Bob’s key {𝑥} in {𝑦}
according to MZI directionality (see Table 1a): y = 0 if 𝑉𝐴 = 1; y = 1 if 𝑉𝐴 = −1; y = V𝐴 if
𝑉𝐴 ≠ ±1 ; {𝑦} = {𝑥} , except for 𝑉𝐴 ≠ ±1 . Here, 𝑉𝐴 ≠ ±1 stands for an error due to
eavesdropping or network problems: see the red number in Table 2.
4. Alice randomly selects her phase 𝜓 ∈ {0, 𝜋} to create a 𝜓 −controlled light pulse via the phase
shifter Ψ and sends it back to Bob. Here, the 𝜓 −phase control is performed on the reflected
𝜑 −controlled light pulse(s). This process is for the key setting, resulting in eavesdropping
randomness as the inner-shared sifting process in addition to the MZI indistinguishability.
5. Alice converts her chosen 𝜓 into a key set {𝑧} for a record: z ∈ {0,1}, where z = 0 if 𝜓 = 0
and z = 1 if 𝜓 = 𝜋.
7
6. Alice sifts her prepared key in {𝑧} into {𝑎} by herself: a = y if y − z = 0; a=D if y − z ≠ 0.
Here, D stands for discarded. This process is to avoid the memory-based attack.
7. Bob measures his detectors B3 and B4 for visibility VB: w = x if V𝐵 = −1; w=D if V𝐵 = 1;
w = V𝐵 if 𝑉𝐵 ≠ ±1. This step results in the copy of {𝑎} into {𝑤} (see Table 1(c)) except for
error D (red). Here, 𝑉𝐵 ≠ ±1 stands for an error due to eavesdropping or network problems.
8. Bob sifts the copied key in {𝑤} into {𝑏} by himself: b = w if w − x = 0; b=D if w − x ≠ 0;
{𝑤} = {𝑎}, except for 𝑉𝐵 ≠ ±1.
9. Alice and Bob announce their error bits (red) only for 𝑉𝐴 ≠ ±1 or 𝑉𝐵 ≠ ±1, and discard all
corresponding bits in their keys {𝑎} and {𝑏}, respectively. They never announce their selected
bases or visibilities. Alice and Bob finally share the same key {𝑚}. In Table 2, the occurrence of
network error (red D) is exaggerated for demonstration purpose, where the key rate of {m} is
close to the half of the prepared one {x}.
VA 1 −1 −1 1 −1 1 1 −0.5∗ 1 −1
3
Copy x: y 0 1 1 0 1 0 0 −0.5 0 1 {𝑦}
4 ψ 0 0 p 0 p 0 p p p p
Alice 5 z(ψ) 0 0 1 0 1 0 1 1 1 1 {𝑧}
6 Sifting y: a 0 D 1 0 1 0 D D D 1 {𝑎}
9 Final key 0 C 0 0 0 C C D C 0 {𝑚}
1 φ 0 p p 0 p 0 0 p 0 p
Prepared key:
2 0 1 1 0 1 0 0 1 0 1 {𝑥}
x(φ)
∗
VB −1 1 −1 −1 −1 −0.8 1 −1 1 −1
Bob 7
0opy a: w 0 D 1 0 1 -0.8 D 1 D 1 {𝑤}
8 Sifting w: b 0 D 1 0 1 D D 1 D 1 {𝑏}
9 Final key 0 C 1 0 1 C D D D 1 {𝑚}
*
The numbers in red refer to network errors by disturbance or eavesdropping.
**
By the sifting process the discarded bit D is shared between Alice and Bob automatically even
without public announcement owing to the MZI determinacy. Only error bits denoted by red
numbers are announced publically to discard the corresponding bit from the final key set {𝑚}:
see the red D.
***
The discarded bit D can be represented by any big number, e.g., D =9 for a computing algorithm:
𝐼 −𝐼
𝑉𝐴 = 𝑉5,6 ; 𝑉𝐵 = 𝑉9,10; 𝑉𝑖𝑖 = 𝑗 𝑖.
𝐼 +𝐼 𝑗 𝑖
Discussion
Unconditional security
The basic physics of unconditional security in the proposed classical cryptography lies in the quantum
superposition between noncanonical (orthogonal) variables in MZI, corresponding to the no-cloning
theorem in QKD, where the no-cloning theorem originates in Schrodinger’s uncertainty principle with
canonical (nonorthogonal) variables. Compared with the Heisenberg’s uncertainty principle-caused
no-cloning theorem in QKD, the unconditional security of the present cryptography belongs to
classical physics of indistinguishability in MZI channel measurement. The measurement
(eavesdropping)-caused fringe shift in MZI corresponds to the measurement-caused demolition of a
quantum state in QKD.
When Alice’s random phase choice is activated for the prepared keys by Bob, the unconditional
security is fulfilled via round-trip MZI unitary transformation in a classical regime, where the random
choice corresponds to post-measurement sifting in QKD. In other words, the eigenvalue (a basis for a
8
provided key) provided by Bob is randomly chosen (a basis for a final key) by Alice for key setting,
resulting in deterministic randomness as analyzed in Fig. 2 (see also Fig. S1 in the Supplementary
information). The deterministic randomness means that the eigenvalue is deterministically inner
shared between both parties but perfectly random to an eavesdropper owing to the controlled MZI
unitary transformation via quantum superposition. Thus, the phase controlled round-trip MZI becomes
the physical bedrock of the present unconditionally secured classical cryptography. The novelty of the
present cryptography protocol is in the realization of the unconditional security in a classical regime
with orthogonal (non-canonical) phase bases of bright light. As a result, the proposed cryptography is
compatible with current fiber-optic communications networks, and thus, can support OTP with a high-
speed (high-bit rate) optical key distribution at an extremely low error rate.
Memory-based attack
The memory-based attack is one of the major attacks in classical crypto-analysis. All classically
encoded data can be intercepted and stored in a permanent memory device until a new technology
such as a powerful computer or an efficient algorithm emerges. This is why there are several different
encryption levels depending on the confidential level, e.g., in government documents. In the present
cryptography, the memory-based attack can also be a powerful tool to a sophisticated eavesdropper,
where the 50% chance in eavesdropping applies to all bits synchronously. Thus, Eve just unanimously
flips all bits in the same key block {𝑚′} for correction if her guess is wrong. This is why the random
basis selection is needed for sifting as shown in Table 2, resulting in bit-by-bit randomness.
Another way to protect the key from the memory-based attack is to use network initialization
(discussed in Table 3) for each bit of the key. By either sifting or network initialization, the
eavesdropping randomness in Fig. 2 is achieved. Thus, the eavesdropping chance exponentially
decreases as the key length increases: For an n-bit-long key block, the eavesdropping chance η is
η = 2−𝑛 . If the key length is as short as 126-bit long (n=126), it takes thousand times longer than the
universe age to decipher the key with even the most powerful supercomputer in the world (see Section
3 of the Supplementary information). Because there is no efficient algorithm for perfect random
variables and the 126-bit long key can be easily and repeatedly (to some extent) generated by an even
pseudo-random generator, it proves that the present protocol is unconditionally secured in a classical
regime. By using personal computers and optoelectronic devices operating at GHz speed, the key
distribution rate is independent of the transmission distance if a batch job is performed as shown in
Table 2. Thus, the proposed protocol can be potentially applicable to a real-time key distribution
system.
Network Initialization
For the deterministic randomness analyzed in Figs. 1~3, the network initialization between Alice and
Bob is prerequisite to avoid the memory-based attack if there is no sifting as shown in Table 2. As a
preparation step, Alice resets the MZI network with intentional phase turbulence to break the
synchronized randomness in Eve’s eavesdropping. To do this, Alice scans her phase shifter Ψ(d) until
she has maxima in visibility VA for the same test bits provided by Bob. The value of VA, however, is
not determined by the 𝜑 phase basis because of 𝜑 ≠ 𝛿. This fact also applies to Eve (𝛿’) in the same
analogy: 𝛿 ≠ 𝛿′. Thus, the key sharing between Bob and Alice is not deterministic anymore. To solve
this dilemma, i.e., to let only Alice know secretly and deterministically the 𝜑-value set by Bob, the
following network initialization procedure must be performed before the key procedure of Table 2
(see Table 3).
Table 3 is for network initialization preceded the key distribution procedure in Table 2: sequence
2~5. For this, firstly, Alice randomly resets the MZI system by arbitrarily adjusting a path length with
an additional phase variable d and scans it for her phase controller Ψ(δ) until she gets maxima in VA:
sequence 1. Then, Alice sends a cue to Bob. For this, Bob sends the same test bits encoded by
𝜑 ∈ {0, 𝜋}. Secondly, Bob randomly selects 𝜑 ∈ {0, 𝜋} for the light pulse E4 and sends it to Alice
along with E3 (see Fig. 2). Thirdly, Alice randomly sets her phase controller Ψ with either d or d+p,
measures VA, and announces the result publically. Alice never announces her phase choice either for
𝜓 or d. Lastly, Bob measures his VB and publically announces whether Alice’s measurement is
9
correct or not. Then, Alice knows secretly and deterministically whether the d is correct or wrong:
Table 3 is for the case of non−p−phase shifted d. For the wrong case, Alice simply added a p phase to
d to fix it. The sequence 2~5 may be repeated until successful or to have a batch code for network
initialization to provide the MZI network security indistinctly. As mentioned in Table 2, each network
initialization must be performed for each bit if there is no sifting.
[Sequence]
0. Initially Alice resets the MZI network by disturbing the MZI with her phase controller Ψ(𝛿)
and scans 𝛿 until she gets 𝑉𝐴 = ±1 for the test bits provided by Bob. The d is a phase
variable added to her phase basis 𝜓 ∈ {0, 𝜋}. Then, Alice gives a cue to Bob.
1. Bob randomly selects his phase basis 𝜑 ∈ {0, 𝜋}, encodes his light with 𝜑, and sends it to
Alice.
2. Alice measures VA and publically announces the result.
3. Alice resend the 𝜑−set light after encoding it with 𝛿 + 𝜓.
4. Bob measures VB and publically announces whether Alice’s result is correct (O) or not (X).
5. Alice resets her phase basis 𝜓 ∈ {0, 𝜋} to either 𝜓 ∈ {𝛿, 𝜋 + 𝛿} or 𝜓 ∈ {−𝛿, 𝜋 − 𝛿}
depending on the Bob’s announcement: end of network initialization: Correctness
6. The sequence 2~5 may be repeated if not successful or to store additional initialization use
with different d values: Order (N=2~10).
2 VA 1 −1 −1 1 −1 1 1 1 −1 1
Alice 3 𝜓 δ δ d+π d d+π d+π d d+π d d+π
5 Correctness O X O O O X O X X X
1 𝜑 0 π π 0 π 0 0 0 π 0
Bob
4 VB −1 1 −1 −1 −1 1 −1 1 1 1
*
𝑉𝐴 = 𝑉5,6; 𝑉𝐵 = 𝑉9,10
**
Table 3 is for non−p−added d. For p−added d, see Section 4 of the Supplementary information.
***
“O” (“X”) represents a correct (wrong) one.
Eve can also do the same job as Alice does with an arbitrary value of 𝛿 ′ . In the same analogy
Eve may get the same but unsynchronized fringe pattern due to 𝛿 ≠ 𝛿′. The chance of 𝛿 = 𝛿′ is
extremely law as shown in the BER map in Fig. 3(a). Here, the BER map resolution is determined by
the detector sensitivity which is very high (>104 V/W at GHz) for commercially available photodiodes.
Thus, the eavesdropping-immune MZI security is obtained by network initialization. To surprise, this
MZI security is achieved by all classical means to satisfy the unconditionally secured cryptography.
One might repute that Eve’s intervention may cause a VA shift so that the initialization sequence could
results an error. It could be true, but a consistent VA shift does not affect the unconditional security at
all, otherwise, confirms Eve’s existence. Thus, the network initialization can be used as authentication.
With the sifting in Table 2, the network initialization does not have to be repeated. The expected
overall key distribution rate in Table 2, therefore, would be half of the usual data traffic rate. Without
sifting, however, the network initialization must be performed for each bit to avoid the memory-based
attack: see Section 4 of the Supplementary information. With the network initialization for each bit
without sifting the key distribution speed for Table 2 (without sifting) may be slowed down.
Applications
Owing to strong demand in both wired and wireless communications, the information traffic in an
optical fiber has increased three folds every two years over the last thirty years [33]. In optical fiber
backbone networks, a traffic speed of 100 Gbps per (wavelength) channel has already been deployed
for 80 channels in a dense wavelength division multiplexing system, resulting in a total capacity of 8
Tbps in a single-core optical fiber [34,35]. Thus, the capacity per fiber will reach its theoretical upper
bound of 100 Tbps in a decade. Eventually a multicore fiber may replace current single-core fibers in
the near future to overcome the channel capacity saturation [36]. In the multi-core fiber, a relative
path-length drift caused by environmental noises such as vibrations and temperatures should be frozen
due to spatial proximity between them in a few micron scales. Thus, the basic infrastructure of the
double channels satisfying the MZI scheme for the present cryptography can be easily provided (see
Fig. S3 of the Supplementary information).
For the applications, current 10~100 km spaced EDFA fiber-optic networks may be fit, where the
MZI length becomes unlimited due to the coherence nature of light even with coherent amplifications
at EDFA. This unlimited transmission distance is the 2nd novelty of the present cryptography, where
photon cloning by EDFA is basically phase-locked coherence process, resulting in only a fixed phase
shift. The fixed phase shift in the cloning process can be dynamically adjusted in real time via
visibility monitoring with laser locking techniques [23,24].
Acknowledgment: The author acknowledges that the present work was supported by the ICT R&D
program of MSIT/IITP (1711042435: Reliable crypto-system standards and core technology
development for secure quantum key distribution network) and GRI grant funded by GIST in 2019.
Additional Information
Supplementary information is available in the online version of the paper. Reprints and permissions
information is available online at www.nature.com/reprints.
Competing interests
The author declares no competing (both financial and non-financial) interests.
Author contribution
B.S.H. wrote the manuscript text and prepared all figures and tables. Correspondence and request of
materials should be addressed to BSH (email: bham@gist.ac.kr)
11
References
1. Mao, W. Modern cryptography: Theory and Practice. NJ, Prentice Hall, Inc. (2004).
2. Nielsen, M. A. & Chuang, I. L. Quantum computation and quantum information. Cambridge,
Cambridge university press. (2000).
3. Gisin, N., Ribordy, G., Tittle, W. & Zbinden, H. Quantum cryptography. Rev. Mod. Phys. 74,
145-195 (2002).
4. Wootters, W. K. & Zurek, W. H. A single quantum cannot be cloned. Nature 299, 802-803 (1982).
5. Bennett, C. H. & Brassard, G. Quantum cryptography: Public key distribution and coin tossing.
In Proceedings of IEEE International Conference on Computers, Systems and Signal Processing,
volume 1, pp. 175-179, New York. (1984); ibid, Theoretical Computer Sci. 560, 7-11 (2014).
6. Diamanti, E., Lo, H.-K., Qi, B. & Yuan, Z. Practical challenges in quantum key distribution.
Quantum Info. 2, 16025 (2016).
7. Lydersen, L., Wiechers, C., Wittmann, C., Elser, D., Skaar, J. & Makarov, V. Hacking
commercial quantum cryptography systems by tailored bright illumination. Nature Photon. 4,
686-689 (2010).
8. Huang, A., Sun, S.-H., Liu, Z. & Makarov, V. Quantum key distribution with distinguishable
decoy states. Phys. Rev. A 98, 012330 (2018).
9. Gerhardt, I. et al. Experimental faking the violation of Bell’s inequalities. Phys. Rev. Lett. 107,
170404 (2011).
10. Sajeed, S., Huang, A., Suon, S., Xu, F., Makarov, V. & Curty, M. Insecurity of detector-device-
independent quantum key distribution. Phys. Rev. Lett. 117, 250505 (2016).
11. Lucamarini, M., Yuan, Z. L., Dynes, J. F. & Shields, A. J. Overcoming the rate-distance limit of
quantum key distribution without quantum repeaters. Nature 557, 400-403 (2018).
12. Qin, H., Kumar, R., Makarov, V. & Alleaume, R. Homodyne-detector-blinding attack in
continuous-variable quantum key distribution. Phys. Rev. A 98, 012312 (2018).
13. Marsili, F. et al. Detecting single infrared photons with 93% system efficiency. Nature Photon. 7,
210-214 (2013).
14. Sangouard, N., Simon, C., de Riedmatten, H. & Gisin, N. Quantum repeaters based on atomic
ensembles and linear optics. Rev. Mod. Phys. 83, 33-80 (2011).
15. Vernam, G. S. Secrete signaling system. US patent 1,310,719 (1919).
16. Degiorgio, V. Phase shift between the transmitted and the reflected optical fields of a
semireflecting lossless mirror is p/2. Am. J. Phys. 48, 81-82 (1980).
17. Zeilinger, A. General properties of lossless beam splitters in interferometry. Am. J. Phys. 49, 882-
883 (1981).
18. Mandel, L. Photon interference and correlation effects produced by independent quantum sources.
Phys. Rev. A 28, 929-943 (1983).
19. Shannon, C. A mathematical theory of communication. Bell Sys. Tech. J. 27, 379-423 (1948).
20. Bennett, C. H. Quantum cryptography using any two nonorthogonal states. Phys. Rev. Lett. 68,
3121-1324 (1992).
21. Honjo, T., Inoue, K. & Takahashi, H. Differential-phase-shift quantum key distribution
experiment with a planar light-wave circuit Mach-Zehnder interferometer. Opt. Lett. 29, 2797-
2799 (2004).
22. Sibson, P. et al. Chip-based quantum key distribution. Nature Communi. 8, 13984 (2016).
23. Xaiver, G. B. & von der Weid, J. P. Stable single-photon interference in a 1 km fiber-optic Mach-
Zehnder interferometer with continuous space adjustment. Opt. Lett. 36, 1764-1766 (2011).
24. Abbott, B. P. et al. Observation of gravitational waves from binary black hole merger Phys. Rev.
Lett. 116, 061102 (2016).
25. Cerf, N. J., Adami, C. & Kwiat, P. G. Optical simulation of quantum logic. Phys. Rev. A 57,
R1477-R1480 (1998).
26. Hong, C. K., Ou, Z. Y. & Mandel, L. Measurement of subpicosend time intervals between two
photons by interference. Phys. Rev. Lett. 59, 2044-2046 (1987).
27. Carolan, J. et al. Universal linear optics. Science 349, 711-716 (2015).
12
28. Capbell, G. T., Pinel, O., Hosseini, M., Ralph, T. C., Buchler, B. C. & Lam, P. K. Configurable
unitary transformations and linear logic gates using quantum memories. Phys. Rev. Lett. 113,
063601 (2014).
29. Ham, B. S. Wavelength convertible quantum memory: controlled echo. Sci. Rep. 8, 10675 (2018).
30. Kikforman, J.-P., Joffre, M. & Thierry-Mieg, V. Measurement of photon echoes by use of
femtosecond Fourier-transform spectral interferometry. Opt. Lett. 22, 1104-1106 (1997).
31. Ham, B. S., Shahriar, M. S., Kim, M. K. & Hemmer, P. R. Spin coherence excitation and
rephrasing with optically shelved atoms. Phys. Rev. B 58, R11825-R11828 (1998).
32. Gentle, J. E. Random number generation and Monte Carlo Methods. 2nd Ed., Springer, NY
(2004).
33. Matsuoka, S. Ultrahigh-speed ultrahigh-capacity transport network technology for cost-effective
core and metro networks. NTT Tech. Rev. 9, 1-7 (2011).
34. Essiambre, R.-J. & Tkach, R. W. Capacity trends and limit of optical communication networks.
Proceeding of IEEE 5, 1035-1055 (2012).
35. SK Telecommunications, S. Korea. Private conversation.
36. Saitoh, K. Multicore fiber technology. J. Lightwave Tech. 34, 55-66 (2016).
37. Ham, B. S. & Hahn, J. Observations of ultraslow light-based photon logic gates: NAND/OR.
Appl. Phys. Lett. 94, 101110 (2009).
38. Nauerth, S., Moll, F., Rau, M., Fuchs, C., Horwath, J., Frick, S. & Weinfurter H. Air-to-ground
quantum communication. Nature Photon. 7, 382-386 (2013).
39. Liao, S.-K. et al. Satellite-to-ground quantum key distribution. Nature 549, 43-47 (2017).
40. Larsson, E. G., Edfors, O., Tufvesson, F. & Marzetta, T. L. Massive MIMO for next generation
wireless systems. IEEE Communi. Mag. pp. 186-195 (Feb. 2014).
13