Perfect information-theoretical security requires that the meaning of an encrypted message transmitted from point A to point B be statistically independent of the ciphertext in which that message is embedded. In other words, possession and analysis of the ciphertext must yield no information about the message sent. This article briefly describes cryptographic protocols exhibiting perfect, or near-perfect, security before addressing a new quantum data encryption protocol that employs quantum noise of light at the physical layer to buttress security based on mathematical complexity. This new protocol is called Keyed Communication in Quantum Noise, or KCQ. KCQ does not presently guarantee flawless information-theoretical security; however, because of KCQ's physical-layer encryption in the quantum noise of light, some scientists believe that it enables better security than current secure communications systems based solely on mathematical complexity.

Figure 1. BB84 generates session key, K1, between A and B, to encrypt and distribute the shared network key, K0.

Virtually no electronic communication transmitted between individuals, in uniform or not, can be assured perfect information-theoretical security in the ideal sense defined above. However, communications using either the "one-time pad" or the quantum key generation protocol, called BB84, are notable exceptions. Scientists can prove one-time pad transmissions to be perfectly secure, and they believe BB84 provides near-perfect security [1,2]. A one-time pad encrypts a plaintext message by combining it with a random bitstream generated by an automated physical process. Cryptographers refer to this encrypting random bitstream as a secret key. The recipient can decrypt the resultant ciphertext, also a randomly generated bitstream, using the same secret key that encrypted the message, thus recovering the plaintext content. In cryptographic systems with perfect security, a plaintext item might very well be a fresh key, uncompromisable even in the hands of an enemy who has managed to obtain the ciphertext and secret key used for secure distribution to allies. The one-time pad is a symmetric cipher, wherein parties (allies) A and B share a secret key. In contrast, BB84 becomes a symmetric cipher through its inherent generation of a fresh key, engendered on the spot in a two-way communications link between A and B. That fresh session key can subsequently encrypt other keys for distribution, as indicated in Figure 1. Since each transmission event employs just a single photon, however, BB84 is extremely sensitive to noise and loss. Necessary error correction and privacy amplification mechanisms require additional bits, reducing the effective bit rate and severely limiting the effective transmission range in both wired and wireless implementations. Consequently, communications engineers cannot easily incorporate the BB84 protocol into existing networks.

KCQ is an alternative, newer physical-layer quantum communication protocol, one that has received much less attention from the commercial press than single-photon quantum protocols such as BB84 have garnered [3,4,5,6]. KCQ employs the radiation states of multiple photons emitted by ordinary lasers as the information transport medium. These radiation states are called coherent states of light. In terms of quantum mechanics, they are fuzzy waves in that their amplitudes, phases, and polarization states do not exist in crisply measured quantities. Rather, those observable characteristics are stochastic (random) variables possessing mean values and equally important variances from those mean values. The measurement fluctuation in amplitude, phase, and polarization is called quantum noise. Truly a fundamental physical random process, quantum noise is irreducible; it cannot be filtered away, not even in principle.

Instantiations of KCQ devoted specifically to ultrasecure data encryption at the physical layer are called the AlphaEta protocol in the US and the Y-00 protocol in Japan. Like BB84, AlphaEta uses either polarization states of light or temporal phase states of light to encode logical bits. Unlike BB84, AlphaEta uses on the order of ten to several thousand photons per logical bit—an important distinction. Whereas BB84 uses single photons, AlphaEta employs light beams comprising many photons. This basic fact facilitates AlphaEta's relatively seamless incorporation into existing wired and wireless networks. Furthermore, AlphaEta encrypted traffic can be amplified, while BB84 key generation traffic cannot.

Figure 2. Schematic of AlphaEta protocol

Figure 2 provides a schematic of the AlphaEta protocol. As illustrated, AlphaEta requires a secret seed key, K, shared between allies A and B. A suitable mathematical algorithm extends K to a long pseudorandom running key, K′, which is divided into bitstream blocks. An encryption algorithm combines blocks of bits from K′ with each bit in the plaintext data, X, producing a block of ciphertext, ρ. Physically, each such block specifies a voltage driving a light modulator, which rotates the polarization or temporal phase states of all photons passing through it and contributing to the transport of a particular bit. A quantity, M, of polarization bases are available for the encryption, providing 2 × M possible rotations, since there are 2 possible electric field polarization states per basis, each denoting a logical 1 or 0.

Measuring each bit sent from A to B entails quantum mechanical uncertainty, because the state of polarization or phase is uncertain, mired in the quantum noise. The variances about the mean values of each possible state sent suffer significant overlap with neighboring states, as indicated in Figure 3. Each such uncertain ciphertext state sent by A will undergo measurement by ally B on the legitimate receiving end and by enemy E, if through snooping that enemy has managed to intercept some of the signal. Sharing a key with A, ally B can perform an optimal binary measurement in noise, while enemy E, who does not share a key, cannot. Instead, enemy E must perform a multiple choice, or M-ary (as opposed to binary), measurement on the signal. Consequently, ally B's probability for error is significantly less than enemy E's probability for error. In fact, enemy E's bit error rate can be made arbitrarily close to 50%, the guessing limit. In other words, enemy E is forced to flip a coin regarding the value of each ciphertext bit sent. Each ciphertext bit can itself be ciphertext output from the most stringent mathematical-complexity-based encrypting algorithm known. AlphaEta therefore provides a physical barrier to successful snooping, augmenting mathematical-complexity-based security and effecting perfect security against ciphertext-only attacks by enemy E.
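The binary-versus-M-ary asymmetry described above can be reproduced numerically; the following simulation is an added example, not code from NuCrypt or the original article. It assumes a phase-encoded variant with 2 × M equally spaced phase states, models quantum noise classically as Gaussian phase noise of standard deviation 1/(2√N) for N photons per bit, and uses Python's non-cryptographic `random.Random` as a stand-in for the algorithm that expands K into K′; the function names, seed values, and photon count are hypothetical.

```python
import math
import random

def simulate(M, photons, seed_key, n_bits=20000):
    """Return (Bob's bit error rate, Eve's bit error rate) for M bases."""
    assert M % 2 == 1, "odd M makes neighbouring states carry opposite bits"
    delta = math.pi / M                       # spacing of the 2*M phase states
    sigma = 1.0 / (2.0 * math.sqrt(photons))  # assumed phase-noise std dev
    key_a = random.Random(seed_key)           # A's running key K' (stand-in PRNG)
    key_b = random.Random(seed_key)           # B expands the same seed key K
    world = random.Random(0xA17A)             # constructed plaintext and noise
    bob_err = eve_err = 0
    for _ in range(n_bits):
        x = world.getrandbits(1)              # plaintext bit X
        k = key_a.randrange(M)                # basis chosen by the running key
        j = k if k % 2 == x else k + M        # state index; its bit is j % 2
        phi = j * delta + world.gauss(0.0, sigma)   # noisy observed phase

        # B knows k: binary choice between state k and its antipode k + M.
        kb = key_b.randrange(M)
        near_k = math.cos(phi - kb * delta) > 0
        bob_bit = kb % 2 if near_k else 1 - kb % 2

        # E has no key: M-ary choice, nearest of all 2*M states.
        eve_bit = (round(phi / delta) % (2 * M)) % 2

        bob_err += bob_bit != x
        eve_err += eve_bit != x
    return bob_err / n_bits, eve_err / n_bits

def compare(photons=100, seed_key=2006):
    """Weak setting (few bases) beside a strong one (many bases)."""
    return {M: simulate(M, photons, seed_key) for M in (3, 2047)}

if __name__ == "__main__":
    for M, (bob, eve) in compare().items():
        print(f"M={M:5d}  Bob BER={bob:.4f}  Eve BER={eve:.4f}")
```

With only 3 bases the states sit far apart relative to the noise, so E reads every bit; with 2047 bases the noise spans dozens of neighbouring states and E's error rate sits at the guessing limit while B's stays near zero.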

Enemy E can, however, execute a known plaintext attack on the system, an attack that can be launched against any cryptographic system presently in use. By knowing the plaintext, X, and the ciphertext, ρ, enemy E can execute an exhaustive search to determine the seed key, K. In standard mathematical-complexity-based systems, ρ is assumed completely known by E. In the AlphaEta environment, ρ is uncertain and E cannot ascertain any of the ciphertext bits. However, scientists believe that given sufficient time and resources, enemy E could eventually determine the seed key, K, though she cannot execute her attack via computer terminal and network alone. Rather, enemy E must execute her attack making imperfect physical measurements on a single enciphered message. Assuming she knows the exact encrypting algorithm, she can try every possible key/plaintext combination until hitting the right one. A resourceful enemy might eventually prevail, given sufficient time and resources to find that one in 2^K possible keys with which to crack the AlphaEta cipher. In current AlphaEta implementations, the possible number of keys approximates 2^500, a huge number that can be made bigger still [5].

In the face of brute-force known-plaintext attacks, the required number of ciphertext copies physically generated (by beam splitters, for example) for successful attack on the key can easily be made greater than the number of elementary particles in the universe. Once a quantum computer becomes available, even Grover's quantum search algorithm could not reduce that requirement to a practical reality. This form of security is called exponential security and is prevalent in currently deployed cryptographic protocols. Physical-layer quantum encryption buttresses existing mathematical-complexity-based encryption security to deliver ultrasecure, high-data-rate, long-range, optical-backbone-to-tactical communications that are readily incorporated into existing optical networks.

Figure 3. B can understand the encrypted message, because having the key enables B to make a binary, rather than M-ary, measurement decision.

The AlphaEta protocol is a product of NuCrypt, LLC, a small high-tech company founded by Professor Prem Kumar, of Northwestern University (Evanston, Illinois). AlphaEta is based principally upon the KCQ ideas of Prof Horace Yuen, also of Northwestern University. Northwestern University researchers developed AlphaEta through the recently initiated Defense Advanced Research Projects Agency (DARPA) Quantum Information Science and Technology program. Operating AlphaEta at 1550 nm wavelengths and 622 Mbps, Telcordia® Technologies, Inc., successfully demonstrated it on existing fiber-optic networks in the Advanced Technology Demonstration Network (near Washington DC) and linked to the Boston South Network (in Boston, Massachusetts) via New York City, a distance of approximately 850 km. Ciena® Government Solutions, Inc., demonstrated AlphaEta on a 550 km fiber-optic network connecting Argonne National Laboratory with the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign.

DARPA and an AFRL and Air Force Space and Missile Center consortium awarded NuCrypt parallel Small Business Innovation Research contracts. These efforts are concentrating on wired quantum communications and wireless quantum communications, respectively. The company is developing systems with communication bit rates ranging from 100 Mbps to several Gbps, since scalability is a desirable capability for interoperability among disparate communications platforms. Meanwhile, AFRL also awarded NuCrypt a Small Business Technology Transfer Phase I contract to investigate the use of recent advances in short-pulse laser physics to enhance the considerable physical-layer security AlphaEta already offers. The objective of this basic research activity is to achieve near-perfect information-theoretical security, allowing ultrasecure, remote, secret key distribution at high data rates and long ranges in existing wireless and wired optical networks.

Dr. David H. Hughes, of the Air Force Research Laboratory's Information Directorate, wrote this article. For more information, contact TECH CONNECT at (800) 203-6451 or place a request at . Reference document IF-H-06-04.


  1. Bennett, C. and Brassard, G. "Quantum Cryptography: Public-Key Distribution and Coin Tossing." Proceedings of the IEEE International Conference on Computers, Systems, and Signal Processing. Bangalore, India, 1984 (IEEE Press, 1984): 175-179.
  2. Shor, P. and Preskill, J. "Simple Proof of Security of the BB84 Quantum Key Distribution Protocol." PS_cache/quant-ph/pdf/0003/0003004.pdf.
  3. Yuen, H., et al. "Security of Y-00 and Similar Quantum Cryptographic Protocols." Quantum Physics Abstract (quant-ph/0407067). quant-ph/pdf/0407/0407067.pdf.
  4. Yuen, H. "KCQ: A New Approach to Quantum Cryptography I. General Principles and Key Generation." Quantum Physics Abstract (quant-ph/0311061). pdf/0311/0311061.pdf.
  5. Barbosa, G., et al. "High-speed data encryption over 25 km of fiber using two-mode coherent-state quantum cryptography." Optics Letters, vol 28, no 21 (2003): 2040-2042.
  6. Corndorf, E., et al. "Quantum-Noise-Protected Data Encryption in a WDM Network." IEEE Photonics Technology Letters, vol 17, no 7 (Jul 05): 1573-1575.