Introduction

In (classical) cryptographic technologies, there are two major versions: One is symmetric key-based private cryptography, and another is asymmetric key-based public one1. The public cryptography is called RSA and has become prevalent now, where its security relies on non-polynomial computational complexity of prime number factorization. Thus, the classical cryptography has been focused on the developments of efficient encrypting algorithms requiring more computing recourses in crypto-analysis. This is why the RSA key size has been continuously increased over decades, and now it is as long as 2048 bits1. As Internet traffic rapidly increases recently, information security has gained much more attention to protect the data from potential eavesdropping. Although the security of classical (public) cryptography looks good to some extent, it is basically conditional (or breakable) and even vulnerable to a quantum computer2.

Quantum key distribution (QKD) belongs to the symmetric key-based private cryptography, and its security relies on how to distribute the keys rather than how to generate them. QKD has gained its importance due to theoretically confirmed unconditional security by Heisenberg’s uncertainty principle in quantum mechanics3. Specifically the unconditional security of QKD is based on no-cloning theorem4, resulting from quantum superposition between paired conjugate (non-orthogonal) variables used for bases of a quantum key5. The unconditional security of QKD, however, is not guaranteed in practice due to the quantum loopholes based on imperfectness of a single photon detector6,7,8,9,10,11,12 and/or a quantum channel12. The detection loophole with the channel loss affects all QKD protocols based on single photons5,6,7, entangled photon pairs8,9,10,11, and coherent continuous variables12. As a result, QKD is practically fragile to eavesdropping unless the quantum loophole is completely closed13. Thus, the unconditional security of QKD has become a practical matter, resulting in the unrealistically low key rate. For example, in a standard optical fiber whose loss is 10–2 per 100 km, the actual quantum bit rate (QBR) drops down to 10–4, resulting in kilo–Mega-bits per second (bps) depending on the single/entangled photon generation rate10. Besides, technical difficulties in single-photon or entangled photon-pair generations make current QKD highly impractical. Most of all, current QKD is not compatible with conventional (classical) networks mainly due to nonlinear effects violating the no-cloning theorem. As a result, the transmission distance in QKD through an optical fiber is severely limited unless quantum repeaters are implemented14.

Historically one-time-pad (OTP) has been proposed for an ideal communication system satisfying unconditional security, where the key is equivalent or longer than the data in length and must be used only one time15. Any existing cryptographic technologies, thus, do not support OTP simply due to either the low key rate or conditional security, while the classical data traffic rate in current fiber-optic communications backbone networks is more than 10 Gbps per channel, and its transmission distance is unlimited. Here, a completely different concept of unconditionally secured cryptography is proposed in a classical regime to overcome the limitations in both classical and quantum cryptographies and to support OTP. The proposed cryptography is safe from all kind attacks and quantum computers because its security is based on perfect randomness and measurement immunity.

Unlike QKD, the unconditional security in the proposed cryptography is provided by quantum-superposed transmission channels such as in a typical Young’s double-slit experiment. As is well known, the Young’s double-slit experiment is satisfied by both coherence (wave nature)16,17 and incoherence (particle nature) optics18. Moreover, the double slit can be replaced by a beam splitter (BS) in a Mach–Zehnder interferometer (MZI). In this paper, we focus on the classical nature of light (coherence optics) rather than the quantum nature to satisfy its classicality in both fundamental physics and potential applications. Compared with non-orthogonal basis set of a single photon in QKD, the orthogonal basis set of bright coherent light in the proposed cryptography has technical advantages to fit coming information era in terms of speed and compatibility. The key concept of the Young’s double-slit experiments is in the measurement indistinguishability satisfied by both coherence (classical) and incoherence (quantum) physics. In other words, the state of a light such as a phase and a polarization cannot be measured definitely in MZI channels due to quantum superposition, resulting in prefect randomness in a binary system. According to the Shannon’s information theory, the prefect randomness is equivalent to no eavesdropping or unconditional security19. To prove the unconditional security of the proposed cryptography, we present, analyze and discuss the fundamental physics of how to generate and distribute a perfect randomness-based key in a measurement-immune condition. Reminding of that QKD is the only method satisfying the unconditional security in key distribution using quantum mechanics, it is counterintuitive to perform the same function in a classical manner. This is the quintessence of the present paper.

As a physical infrastructure of the proposed unconditionally secured classical cryptography, an MZI scheme is used for the real transmission lines to realize both randomness-based key generation and unconditionally safe distribution via quantum superposition and unitary transformation (discussed in Figs. 1, 2 and 3). It should be noted that MZI itself has already been used for some QKD protocols for encoding (for a sender) and decoding (for a receiver) through single transmission line20,21,22, but it has nothing to do with the proposed one relied on double transmission lines with classical light. In the case of single-core fibers comprising the MZI scheme, the phase stability between them has already been proved for a km distance range by using a common locking technique23. Locking delicate noisy environments caused by temperatures, vibrations, and air fluctuations has also been proved in a free space for a 4-km distance range24. Technically the MZI stability issue is now closed and can be applied for a much longer traveling distance.

Figure 1
figure 1

Deterministic randomness in MZI. (a) MZI with a phase shifter \( \Phi \left( \varphi \right)\): M, Mirror; BS, beam splitter. Ei indicates light field in each region i. (b, c) Visibility Vi,j (solid curve): \(V_{i,j} = \frac{{I_{j} - I_{i} }}{{I_{j} + I_{i} }}\). Ei, coherent light pulse; Ii is the intensity of Ei. is the interference between and in the unit of I0. The green and red dots refer to the basis \(\varphi = \left\{ {0,\pi } \right\}\).

In the middle of 1990s, a MZI-channel-based QKD protocol was introduced for orthogonal bases, where the security relies on MZI physics of path superposition25. The eavesdropping randomness of the orthogonal bases could be obtained by random timing of key generation. For such unknown information distribution between remote parties QKD is necessary, in which another quantum channel is required to support the orthogonal MZI protocol. The basic physics of MZI channels for QKD with orthogonal bases were analytically discussed using a simple projection-based measurement for a quantum state. In that sense, the MZI physics of randomness is clarified for the secured key distribution. However, unconditional security cannot be fulfilled in such a one-way process in a single MZI scheme, unless the unknown timing information distribution is solved. Here, we present a complete protocol for orthogonal basis in a double MZI scheme, whose secured key distribution is achieved by time-reversal process of unitary transformation without an additional quantum channel relied on QKD itself.

To understand the fundamental physics of the proposed cryptography, firstly, we present eavesdropping randomness and transmission directionality in an ideal MZI scheme. Then, round-trip MZI physics is analyzed for unitary transformation for eigenvalue controllability. The unitary transformation in the proposed protocol is fulfilled with non-canonical (orthogonal) phase bases to satisfy a classical regime. The round-trip MZI-physics is then discussed for deterministic randomness, in which the key generation is random to eavesdroppers but deterministic to both sender and receiver. The deterministic randomness equivalent to the no-cloning theorem in QKD in a technical point of view is achieved classically via random shuffling of the eigenvalues in the MZI unitary transformation. Finally, the classically unconditional key distribution protocol is presented and discussed for potential attacks and future fiber-optic applications. This classically achieved unconditional security with perfect randomness in eavesdropping surpasses QKD and RSA and has never been discussed before.

Results

The phase shifter Φ in an MZI scheme of Fig. 1a is for a random basis selection between two orthogonal phase bases 0 and π. For the MZI unitary transformation, universal quantum gate operations have already been presented in a phase shifter-coupled MZI in a quantum regime26. Compared with nonorthogonal bases in QKD resulting in randomness according to the Heisenberg’s uncertainty principle, the orthogonal bases in the proposed classical cryptography play the same role of the randomness in a classical regime (discussed in Figs. 2 and 3). For coherence optics with bright light fields, the split lights E3 and E4 on the first BS are perfectly coherent regardless of the bandwidth, intensity fluctuation, and phase noise of E1. For incoherence optics with single photons, intensity correlation (or 4th order interference) has been proved for photon anti-bunching of the particle nature in a quantum regime27. These two different roles of BS have been intensively discussed for complementarity in quantum mechanics, where both phenomena cannot be dealt with simultaneously. The present protocol is for coherence optics but not excludes the particle nature of incoherence optics, either.

Figure 2
figure 2

A schematic of PCD-MZI for OKD. LD, Laser; OM, optical modulator; Ai, detector at Alice side; Bi, detectors at Bob’s side; BS, 50/50 unpolarized beam splitter; M, mirror; Φ, Bob’s phase controller; Ψ, Alice’s phase controller; OD, optical delay; Eve, eavesdropper.

Figure 3
figure 3

Numerical proofs for OKD in Fig. 2. (a, b) Visibility V9,10 for key distribution between Alice and Bob. The dashed and dotted curves are interference I9,10 for , respectively. (c, d) The same value of interference IN7,8 shows eavesdropping randomness. Green and Red dots indicate random keys set by Alice with for . The open circles in (a) and (c) represent for discarded keys by Alice [see also open circles in (b)]. Visibility : Ii is the intensity of Ei.

The BS matrix, [BS], was firstly discussed in 1979 by Degiorgio16 and generalized in 1980 by Zeilinger17, where there exists a π/2 phase shift between the split lights, the transmitted (E3) and the reflected (E4) for \(\varphi = 0\) (see Fig. 1):

$$ \left[ {BS} \right] = \frac{1}{\sqrt 2 }\left[ {\begin{array}{*{20}c} 1 & i \\ i & 1 \\ \end{array} } \right], $$
(1)

where, \(E_{3} = \frac{{E_{1} }}{\sqrt 2 }\) and \(E_{4} = \frac{{iE_{1} }}{\sqrt 2 }\). There is no way to measure the absolute phase of traveling lights in the MZI channels unless E1 is known. In other words, the measurement randomness in MZI channels is self-sustained by physics25. Here, any measurement in the MZI channels also violates the indistinguishability in quantum superposition regardless of coherence or incoherence optics. This means that the channel measurement itself causes a fringe shift in the output interference pattern between E5 and E6. The relative phase measurement without fringe shift may be technically possible in an ideal system28, but useless in crypto-analysis without knowing the input light (E1) due to 50% chance in success (randomness). This randomness in eavesdropping represents no information withdrawal19. The path superposition of MZI channels, thus, becomes the origin of the unconditional security of the proposed protocol for a classical regime.

In a typical MZI scheme of Fig. 1a, each mirror generates the same phase shift in each path, resulting in perfect phase cancellation. The original light pulse E1 generated by a commercial laser system hits on the first BS and split into two, E3 and E4. The split lights E3 and E4 are perfectly coherent each other in principle. This robust coherence of MZI even works for a single photon whose phase is random as an upper bound23,28. The random \(\varphi\)-phase control for E3 is provided by Bob using his phase shifter Φ, where the phase basis is binary and orthogonal: \(\varphi = \left\{ {0,\pi } \right\}\). In Fig. 1a, the MZI matrix representation with a phase shifter Φ is denoted by:

$$ \left[ {MZ} \right]_{{\upvarphi }} = \frac{1}{2}\left[ {\begin{array}{*{20}c} {\left( {1 - e^{i\varphi } } \right)} & {i\left( {1 + e^{i\varphi } } \right)} \\ {i\left( {1 + e^{i\varphi } } \right)} & { - \left( {1 - e^{i\varphi } } \right)} \\ \end{array} } \right], $$
(2)

where \(\left[ {\Phi } \right] = \left[ {\begin{array}{*{20}c} 1 & 0 \\ 0 & {e^{i\varphi } } \\ \end{array} } \right]\) and \(\left[ {MZ} \right]_{\varphi } = \left[ {{\text{BS}}} \right]\left[ {\Phi } \right]\left[ {{\text{BS}}} \right]\). For \(\varphi = 0\), the output lights at the second BS become unidirectional into E6: \(E_{6} = iE_{1}\); \(E_{5} = 0\). The phase factor “i” in E6 indicates a phase gain via MZI with respect to the input light E1. For \(\varphi = \pi\), the output light direction is switched into E5 according to Eq. (2): \(E_{5} = E_{1}\); \(E_{6} = 0\). As shown in Fig. 1b (see the green and red dots in the solid curve), the output directionality in MZI is predetermined depending on the phase basis.

Allowing Eve to copy the traveling lights through MZI channels without altering the output interference fringe, the eavesdropping analysis in both visibility and interference between E3 and E4 proves the basic physics of measurement randomness: see Fig. 1c. The orthogonal \(\varphi\)-values used for distinct visibility in Fig. 1b, however, represent complete indistinguishability in the eavesdropping measurement. This \(\varphi\)-independent visibility in Fig. 1c is somewhat obvious owing to phase independency in measurements: \(\left| {E_{3} } \right|^{2} = \left| {E_{4} } \right|^{2}\). The measurement randomness is due to the fundamental physics of quantum superposition between two paths (phases) of MZI and corresponds to the no-cloning theorem in QKD. Even if Eve is highly sophisticated in eavesdropping with the same measurement tool of MZI as Alice’s, Eve’s success rate is 50% in average, resulting in perfect randomness like ideal coin tossing. This is because the path length-caused phase change cannot be controlled for two independent MZI systems (Bob-Alice and Bob-Eve; see Fig. 2) simultaneously: Further discussions are given in Discussion section.

Figure 2 shows a schematic of the proposed protocol based on a round-trip MZI scheme, where the result of \(\left[ {MZ} \right]_{\varphi }^{2}\) is the identity matrix for \(\varphi = \psi\) (see Section S1 of the Supplementary Information):

$$ \left[ {MZ} \right]_{\varphi }^{2} = \left( { - e^{i\varphi } } \right)\left[ {\begin{array}{*{20}c} 1 & 0 \\ 0 & 1 \\ \end{array} } \right]. $$
(3)

From Eq. (3), it is clear that a typical MZI system satisfies unitary transformation regardless of \(\varphi\) if \(\varphi = \psi\). The physical meaning of the identity matrix in Eq. (3) for the double-MZI scheme implies a time-reversible process as in an optical quantum memory, where the quantum memory has been discussed for both quantum optics29,30 and classical optics31,32. Here, the global phase in Eq. (3) has nothing to do with a measurement value or unitary transformation.

In the round-trip MZI configuration of Fig. 2, the phase shifter Ψ(Φ) is supposed to be invisible to the outbound (inbound) lights E5 and E6 (E9 and E10). For the key distribution, firstly, Bob prepares a key for Alice via random choosing of the phase basis \(\varphi \in \left\{ {0,\pi } \right\}\) and sends it to Alice via MZI channels. According to the MZI theory discussed in Eq. (2) and Fig. 1, Alice at the output port surely knows what Bob’s random choice was by measuring her visibility VA (= V5,6): MZI directional determinacy. For example, if Alice detects A2 click for E5 (\(V_{5,6} = - 1\)) as shown in Fig. 1b (see the red dot), she definitely knows what Bob prepared is \(\varphi = \pi\) representing the key ‘1’, unless network error occurs: see Table 1a in details.

Table 1 Visibility measurement-based key distribution in PCD-MZI. (a) Alice’s visibility VA, (b) Bob’s visibility VB, (c) key sharing via deterministic randomness: \( V_{A} = V_{5,6} ; V_{B} = V_{9,10}\); \(V_{ij} = \frac{{I_{j} - I_{i} }}{{I_{j} + I_{i} }}\).

For the reflected light of E5 and E6, Alice randomly selects her phase basis \(\psi \in \left\{ {0,\pi } \right\}\) for her phase shifter \({\Psi }\) and sends it back to Bob via the same MZI channels. The \(\psi\)-set inbound light E8 together with E7 is now going back to Bob, resulting in the final output lights, E9 and E10 at Bob’s side. The matrix [BH] for the return light of E9 and E10 in Fig. 2 is represented by:

$$ \left[ {BH} \right]_{{\psi /{\upvarphi }}} = \left[ {MZ} \right]_{\psi } \left[ {MZ} \right]_{{\upvarphi }} = \frac{1}{2}\left[ {\begin{array}{*{20}c} { - (e^{i\varphi } + e^{i\psi } )} & {i\left( {e^{i\varphi } - e^{i\psi } } \right)} \\ { - i\left( {e^{i\varphi } - e^{i\psi } } \right)} & { - \left( {e^{i\varphi } + e^{i\psi } } \right)} \\ \end{array} } \right], $$
(4)

where \(\left[ {\begin{array}{*{20}c} {E_{9} } \\ {E_{10} } \\ \end{array} } \right] = \left[ {BH} \right]_{{\psi /{\upvarphi }}} \left[ {\begin{array}{*{20}c} {E_{1} } \\ 0 \\ \end{array} } \right]\). From Eq. (4), all four possible [BH] matrices are obtained:

$$ \left[ {BH} \right]_{0/0} = \left( { - 1} \right)\left[ {\begin{array}{*{20}c} 1 & 0 \\ 0 & 1 \\ \end{array} } \right], $$
(5-1)
$$ \left[ {BH} \right]_{\pi /\pi } = \left[ {\begin{array}{*{20}c} 1 & 0 \\ 0 & 1 \\ \end{array} } \right], $$
(5-2)
$$ \left[ {BH} \right]_{0/\pi } = { } - i\left[ {\begin{array}{*{20}c} 0 & 1 \\ { - 1} & 0 \\ \end{array} } \right], $$
(5-3)
$$ \left[ {BH} \right]_{\pi /0} = i\left[ {\begin{array}{*{20}c} 0 & 1 \\ { - 1} & 0 \\ \end{array} } \right]. $$
(5-4)

Each of them satisfies either identity (E9) or inversion (E10) relation: see Table 1b in details. Thus, Bob also surely knows which phase basis was set by Alice by observing his detectors B3 and B4 for visibility V9,10 (= VB). Then, the key is set deterministically if and only if the identity matrix is satisfied \(\left( {\varphi = \psi } \right)\), otherwise discarded: see Table 1c in details. Unlike mandatory sifting in QKD, Bob and Alice do not need to communicate each other with their measurement results. Although the key setting is inner shared with 100% sureness in the double MZI system, it is perfectly random to an eavesdropper Eve due to the measurement randomness as discussed in Fig. 1: deterministic randomness. Here, the deterministic randomness of the double-MZI presented in Figs. 1 and 2 as well as Table 1 is of course good enough for QKD but not sufficient for classical cryptography due to the memory-based attack (see Discussion section). To protect it from this classical attack an additional action such as QKD-like sifting or network initialization must be given (discussed later). The deterministic randomness in Fig. 2 offers a significant feature of unconditional security to a classical regime. The discarded keys \(\left( {\varphi \ne \psi } \right)\) are of course used for network monitoring of eavesdropping (discussed in Fig. 3).

As shown in Table 1b, the identity matrix of Eqs. (5-1) and (5-2) is achieved if Alice chooses the same basis as Bob does \(\left( {\varphi = \psi } \right)\), and it is maximally distinguished from the inversion case of \(\varphi \ne \psi\). Even though the identical basis (\(\varphi = \psi\)) results in the same value of \(V_{B} = - 1\) (see the diagonal values), Bob surely knows Alice’s choice because he has prepared the key with \(\varphi\): see also Table 1c. Table 1c summarizes the key distribution determinacy in the proposed cryptography.

Figure 3 shows numerical calculations for Fig. 2 using Eq. (4). For the identity matrix of Eqs. (5-1) and (5-2) with \(\varphi = \psi\), the visibility of \(V_{9,10} \left( {V_{B} } \right) = - 1\) confirms the deterministic key distribution as shown in Fig. 3a, b (see the green and red dots). For the inversion matrix of Eqs. (5-3) and (5-4) with \(\varphi \ne \psi\), the visibility of \(V_{9,10} = + 1\) also confirms network monitoring (see the open circles).

As analyzed in Fig. 1c for eavesdropping randomness in MZI, the same analysis is performed for the return lights, E7 and E8 for indistinguishability, where the lights in both MZI paths have the same amplitude but different phase determined by \(\varphi\) and \(\psi\):

$$ \left[ {\begin{array}{*{20}c} {E_{7} } \\ {E_{8} } \\ \end{array} } \right] = \frac{1}{\sqrt 2 }\left[ {\begin{array}{*{20}c} { - e^{i\varphi } } & {ie^{i\varphi } } \\ {ie^{i\psi } } & { - e^{i\psi } } \\ \end{array} } \right]\left[ {\begin{array}{*{20}c} {E_{1} } \\ 0 \\ \end{array} } \right]. $$
(6)

As shown in Fig. 3c, d, the matrix analysis of Eq. (6) for indistinguishability is numerically proved in both interference (IN7,8) and visibility (V7,8) (see the same value for different bases). Recalling the indistinguishability in the MZI path measurements in Fig. 1c, Eve’s measurement for the return lights (E7 and E8) reveals the same randomness: Eve never knows what basis is chosen by Alice as well as Bob due to the random basis selections as well as measurement indistinguishability in the superposed paths of MZI. This is the essence of the proposed cryptography using quantum superposition of MZI paths. The deterministic random key distribution process analyzed in Figs. 2 and 3 shows potential OTP applications owing to the compatibility with classical physics including duplication and amplification (see Discussion section).

Except for the keys marked by green and red dots in Fig. 3a along the off-diagonal direction, all others are considered as network errors caused by such as environmental noises and eavesdropping trials. Thus, Fig. 3a can be used as a bit error rate (BER) map. If Eve is successful for a safe measurement in both channels of MZI without the fringe shift, she can brutely scan her interferometer until a distinctive fringe patterns are observed. This brute force trial appears as a single curve in the BER map such as in Fig. 3b. Even in this case, the probability of exact matching with the original one of Fig. 3b is 50% in average because there is no way to know exact MZI configuration due to independency of both systems. Thus, Eve’s eavesdropping chance is random as in coin tossing. Here it should be noted that the random eavesdropping chance by Eve is, however, consistent to all copied bits, resulting in a room for a memory-based attack in classical crypto-analysis: see the memory-based attack in Discussion section. By the way, the phase selection by both parties may be performed using a random number generator33.

Key distribution procedure

The order (1–10) in Table 2 can be performed either individually or in a packet. The sifting process is necessary to avoid the memory-based attack (see Discussion section). Assuming no network error or perfect tapping by Eve without affecting fringe shift, each bit rate in the key distribution procedure is as high as 50% with respect to Bob’s key provision rate, which is more than Gbps according to current optoelectronic device in fiber optic communications. As mentioned above, the outbound (inbound) light is invisible to the phase shifter Ψ (Φ). The key distribution procedure of the present cryptography is as follows (see Table 2):

Table 2 A key distribution procedure for Fig. 2.

[Sequence].

  1. 1.

    Bob randomly selects his phase basis \(\varphi \in \left\{ {0,\pi } \right\}\) to provide a \(\varphi\)-controlled coherent light pulse via the phase shifter Φ and sends it to Alice. Here, the \(\varphi\)-controlled light can be either individual or an N-bit chain for a batch job.

  2. 2.

    Bob converts his chosen \(\varphi\) into a key set \(\left\{ x \right\}\) for a record: \({\text{x}} \in \left\{ {0,1} \right\}\), where \({\text{x}} = 0\) if \(\varphi = 0\) and \({\text{x}} = 1\) if \(\varphi = \pi\).

  3. 3.

    Alice measures her detectors A1 and A2 for visibility VA to copy Bob’s key \(\left\{ x \right\}\) in \(\left\{ y \right\}\) according to MZI physics of directionality (see Table 1a): \({\text{y}} = 0\) if \(V_{A} = 1\); \({\text{y}} = 1\) if \(V_{A} = - 1\); \({\text{y}} = {\text{V}}_{A}\) if \(V_{A} \ne \pm 1\); \(\left\{ y \right\} = \left\{ x \right\}\), except for \(V_{A} \ne \pm 1\). Here, \(V_{A} \ne \pm 1\) stands for an error due to eavesdropping or network problems: see the red number in Table 2.

  4. 4.

    Alice randomly selects her phase \(\psi \in \left\{ {0,\pi } \right\}\) to create a \(\psi\)-controlled light pulse via the phase shifter Ψ and sends it back to Bob. Here, the \(\psi\)-phase control is performed on the reflected \(\varphi\)- controlled light pulse(s). This process is for the key setting, resulting in eavesdropping randomness as the inner-shared sifting process in addition to the MZI indistinguishability.

  5. 5.

    Alice converts her chosen \(\psi\) into a key set \(\left\{ z \right\}\) for a record: \({\text{z}} \in \left\{ {0,1} \right\}\), where \({\text{z}} = 0\) if \(\psi = 0\) and \({\text{z}} = 1\) if \(\psi = \pi\).

  6. 6.

    Alice sifts her prepared key in \(\left\{ z \right\}\) into \(\left\{ a \right\}\) by herself: \({\text{a}} = {\text{y}}\) if \({\text{y}} - {\text{z}} = 0\); a = D if \({\text{y}} - {\text{z}} \ne 0\). Here, D stands for a discarded bit. This process is to avoid the memory-based attack.

  7. 7.

    Bob measures his detectors B3 and B4 for visibility VB: \({\text{w}} = {\text{x}}\) if \({\text{V}}_{B} = - 1\); w = D if \({\text{V}}_{B} = 1\); \({\text{w}} = {\text{V}}_{B}\) if \(V_{B} \ne \pm 1\). This step results in the copy of \(\left\{ a \right\}\) into \(\left\{ w \right\}\) (see Table 1c) except for error D (red). Here, \(V_{B} \ne \pm 1\) stands for an error due to eavesdropping or network problems.

  8. 8.

    Bob sifts the copied key in \(\left\{ w \right\}\) into \(\left\{ b \right\}\) by himself: \({\text{b}} = {\text{w}}\) if \({\text{w}} - {\text{x}} = 0\); b = D if \({\text{w}} - {\text{x}} \ne 0\); \(\left\{ w \right\} = \left\{ a \right\}\), except for \(V_{B} \ne \pm 1\).

  9. 9.

    Alice and Bob announce their error bits (red) only for \(V_{A} \ne \pm 1\) or \(V_{B} \ne \pm 1\), and discard all corresponding bits in their key sets \(\left\{ a \right\}\) and \(\left\{ b \right\}\), respectively. They never announce their selected bases or visibilities. Alice and Bob finally share the same key \(\left\{ m \right\}\). In Table 2, the occurrence of network error (red D) is exaggerated for demonstration purpose, where the key rate of {m} is close to the half of the prepared one {x}.

Discussion

Unconditional security

The basic physics of unconditional security in the proposed classical cryptography lies in the quantum superposition between noncanonical (orthogonal) variables in MZI, corresponding to the no-cloning theorem in QKD, where the no-cloning theorem originates in Schrodinger’s uncertainty principle with canonical (nonorthogonal) variables. Compared with the Heisenberg’s uncertainty principle-caused no-cloning theorem in QKD, the unconditional security of the present cryptography belongs to classical physics of indistinguishability in MZI channel measurement. The measurement (eavesdropping)-caused fringe shift in MZI corresponds to the measurement-caused demolition of a quantum state in QKD.

When Alice’s random phase choice is activated for the prepared keys by Bob, the unconditional security is fulfilled via round-trip MZI unitary transformation in a classical regime, where the random choice corresponds to post-measurement sifting in QKD. In other words, the eigenvalue (a chosen raw basis) provided by Bob is randomly selected (a basis for a final key) by Alice for key setting, resulting in deterministic randomness as analyzed in Fig. 2 (see also Fig. S1 in the Supplementary Information). The deterministic randomness means that the eigenvalue is deterministically inner shared between both parties but perfectly random to an eavesdropper owing to the double unitary transformations in a double MZI scheme. Thus, the phase controlled round-trip MZI becomes the physical bedrock of the present unconditionally secured classical cryptography. The novelty of the present cryptography protocol is in the potential application of the unconditional security to the classical regime with orthogonal (non-canonical) bases of bright light. As a result, the proposed cryptography is compatible with current fiber-optic communications networks, and thus, can support OTP with a high-speed (high-bit rate) optical key distribution at an extremely low error rate.

Memory-based attack

The memory-based attack is one of the major attacks in classical crypto-analysis. All classically encoded data can be intercepted and stored in a permanent memory device until a new technology such as a powerful computer or an efficient algorithm emerges. This is why there are several different encryption levels depending on the confidential level, e.g., in government documents. In the present cryptography, the memory-based attack can also be a powerful tool to a sophisticated eavesdropper, where the 50% chance in eavesdropping applies to all bits synchronously. Thus, Eve just unanimously flips all bits in the same key block \(\left\{ {m^{{\prime }} } \right\}\) for correction if her guess is wrong. This is why the random basis selection is needed for sifting as shown in Table 2, resulting in bit-by-bit randomness.

Another way to protect the key from the memory-based attack is to use network initialization (discussed in Table 3) for each bit of the key. By either sifting or network initialization, the eavesdropping randomness in Fig. 2 is achieved. Thus, the eavesdropping chance exponentially decreases as the key length increases: For an n-bit-long key block, the eavesdropping chance η is \({\upeta } = 2^{ - n}\). If the key length is as short as 128-bit long (n = 128), it takes thousand times longer than the universe age to decipher the key with even the most powerful supercomputer in the world (see Section S3 of the Supplementary information). Because there is no efficient algorithm for perfect random variables and the 128-bit long key can be easily and repeatedly (to some extent) generated by an even pseudo-random generator, it proves that the present protocol is unconditionally secured in a classical regime. By using personal computers and optoelectronic devices operating at GHz speed, the key distribution rate is independent of the transmission distance if a batch job is performed as shown in Table 2. Thus, the proposed protocol can be potentially applicable to a real-time key distribution system opening the door to OTP.

Table 3 Network initialization for Table 2.

Network Initialization

For the deterministic randomness analyzed in Figs. 1, 2 and 3, the network initialization between Alice and Bob is prerequisite to avoid the memory-based attack if there is no sifting. As a preparation step, Alice resets the MZI network with intentional phase turbulence to break the synchronized randomness in Eve’s eavesdropping strategy. To do this, Alice scans her phase shifter Ψ(δ) until she has maxima in visibility VA for the same test bits provided by Bob. The value of VA, however, is not determined by the \(\varphi\) phase basis because of \(\varphi \ne \delta\). This fact also applies to Eve (\(\delta\)’) in the same analogy: \(\delta \ne \delta^{{\prime }}\). Thus, the key sharing between Bob and Alice is not deterministic anymore. To solve this dilemma, i.e., to let only Alice know secretly and deterministically the \(\varphi\)-value set by Bob, the following network initialization procedure must be performed before the key procedure of Table 2.

Table 3 is for network initialization preceded the key distribution procedure in Table 2: sequence 2–5. For this, firstly, Alice randomly resets the MZI system by arbitrarily adjusting a path length with an additional phase variable δ and scans it for her phase controller \({\Psi }\left( {\updelta } \right)\) until she gets maxima in VA for the Bob prepared test bit. Then, Alice sends a cue to Bob. For this, Bob sends the same test bits encoded by \(\varphi \in \left\{ {0,\pi } \right\}\). Now, first, Bob randomly selects \(\varphi \in \left\{ {0,\pi } \right\}\) for the light pulse E4 and sends it to Alice along with E3 (see Fig. 2). Second, Alice randomly sets her phase controller Ψ with either δ or δ + π measures VA. Third, Allice publically announces her measurement result. Alice never announces her phase choice either for \(\psi\) or δ. Fourth, Bob measures his VB and publically announces whether Alice’s measurement is correct or not. Then, Alice knows secretly and deterministically whether the δ is correct or wrong: Table 3 is for the case of non-π-phase shifted δ. For the wrong case, Alice simply added a π phase to δ to fix it. The sequence 2–5 may be repeated until successful or to have a batch code for network initialization. As mentioned in Table 2, each network initialization must be performed for each bit if there is no sifting.

[Sequence].

  1. 0.

    Initially Alice resets the MZI network by disturbing the MZI with her phase controller \({\Psi }\left( \delta \right)\) and scans \(\delta\) until she gets \(V_{A} = \pm 1\) for the test bits provided by Bob. The δ is a phase variable added to her phase basis \(\psi \in \left\{ {0,\pi } \right\}\). Then, Alice gives a cue to Bob.

  2. 1.

    Bob randomly selects his phase basis \(\varphi \in \left\{ {0,\pi } \right\}\), encodes his light with \(\varphi\), and sends it to Alice.

  3. 2.

    Alice measures VA and publically announces the result.

  4. 3.

    Alice resend the \(\varphi\)-set light after encoding it with \(\delta + \psi\).

  5. 4.

    Bob measures VB and publically announces whether Alice’s result is correct (O) or not (X).

  6. 5.

    Alice resets her phase basis \(\psi \in \left\{ {0,\pi } \right\}\) to either \(\psi \in \left\{ {\delta ,\pi + \delta } \right\}\) or \(\psi \in \left\{ { - \delta ,\pi - \delta } \right\}\) depending on the Bob’s announcement: end of network initialization: correctness

  7. 6.

    The sequence 2–5 may be repeated if not successful or to have a batch code with different δ values: order (N = 2–10).

Eve can also do the same job as Alice does with an arbitrary value of \(\delta^{{\prime }}\). In the same analogy Eve may get the same but unsynchronized fringe pattern due to \(\delta \ne \delta^{{\prime }}\). The chance of \(\delta = \delta^{{\prime }}\) is extremely low as shown in the BER map in Fig. 3a. Here, the BER map resolution is determined by the detector’s sensitivity which is very high (> 104 V/W at GHz) for commercially available photodiodes. Thus, the eavesdropping-immune MZI security can be obtained by network initialization. To surprise, this MZI security is achieved by all classical means to satisfy the present unconditionally secured cryptography. One might repute that Eve’s intervention may cause a VA shift so that the initialization sequence could results an error. It could be true, but a consistent VA shift does not affect the unconditional security at all, otherwise, reveals Eve’s existence. Thus, the network initialization can be used as authentication.

With the sifting in Table 2, the network initialization does not have to be repeated. The expected overall key distribution rate in Table 2, therefore, would be half of the usual data traffic rate. Without sifting, however, the network initialization must be performed for each bit to avoid the memory-based attack: see Section S4 of the Supplementary Information. With the network initialization for each bit without sifting the key distribution speed for Table 2 (without sifting) may be slowed down.

The man-in-the-middle attack

The man-in-the-middle attack represents for ‘intercept and resend,’ where Eve behaves as Alice to Bob. As discussed in the network initialization, however, this attack cannot be successful to break the inner-shard determinacy of MZI. The inner-shard determinacy is the intrinsic property of the MZI coherence as explained in Figs. 1, 2 and 3. In other words, the MZI channel configuration between Bob and Alice cannot be exactly duplicated for Eve due to the system independency in coherence. Either single tapping or double tapping in Fig. 2, the phase synchronization between Alice and Eve cannot be achieved by any means. Thus, the man-in-the-middle attack should be failed for the proposed scheme.

Bit error rate: BER

In QKD, QBER strongly depends on Eve’s strategy for sifting rate, the transmission distance, and detector’s noise such as dark count rate and efficiency34. As a result, QBER can reach at a few percent3,34. On the contrary, the present protocol belonging to a classical cryptography is independent of detector’s dark count noise and efficiency as well as sifting rate because Eve’s intrusion is openly allowed and bright coherent light is used as a key carrier. The upper bound of BER of the present protocol is determined by both network errors and computational complexity as mentioned in the section of memory-based attack. The BER for long-haul fiber-optic communications networks has already been widely accepted to be less than one part per ten billions35. Thus, the cryptographic BER of the present protocol may be combined with computational complexity, \(BER = BER_{net} + BER_{comp}\), where \(BER_{net} \) is related with current fiber-optic-based network BER, and \(BER_{comp}\) is related with a key length as mentioned in the section of memory-based attack. A key length as short as 128 bit long results in \(BER_{comp} = \left(\frac{1}{2}\right)^{126}\) ~ 10−38, where no algorithm exists to decode random numbers. Although the upper bound of BER of the present protocol determined by \(BER_{net}\) may be increased by Eve’s intrusion, a smart Eve may not deteriorate it. Due to the Initialization process, however, Eve’s gain should be limited by the lower bound of \(BER_{comp}\). More detailed analysis is beyond the present scope.

Applications

Owing to strong demand in both wired and wireless communications, the information traffic in an optical fiber has increased three folds every two years over the last thirty years35,36. In optical fiber backbone networks, a traffic speed of 100 Gbps per (wavelength) channel has already been deployed for 80 channels in a dense wavelength division multiplexing system, resulting in a total capacity of 8 Tbps in a single-core optical fiber37. Thus, the capacity per fiber will reach its theoretical upper bound of 100 Tbps in a decade. Eventually a multicore fiber may replace current single-core fibers in the near future to overcome the channel capacity saturation38. In the multi-core fiber, a relative path-length drift caused by environmental noises such as vibrations and temperatures should be frozen due to spatial proximity between them in a few micron scale. Thus, the basic infrastructure of the double channels satisfying the MZI scheme for the present cryptography can be easily provided (see Fig. S3 of the Supplementary Information).

For the applications, current 10–100 km spaced EDFA fiber-optic networks may be fit, where the MZI length becomes unlimited due to the coherence nature of light even with coherent amplifications of EDFA. This unlimited transmission distance is the 2nd novelty of the present cryptography, where photon cloning by EDFA is basically phase-locked coherence process, resulting in only a fixed phase shift. The fixed phase shift in the cloning process can be dynamically adjusted in real time via visibility monitoring with laser locking techniques23,24.

In conclusion, a coherence optics-based classical key distribution protocol was proposed, analyzed, and discussed to overcome the limitations in both classical and quantum cryptographies. The unconditional security of the proposed cryptography was obtained in a classical regime by using quantum superposition of MZI transmission channels and unitary transformation of MZI matrix. To prevent the system from typical cryptoanalysis such as memory-based attack and man-in-the-middle attack, sifting and network initialization protocols were presented and discussed for the unconditionally secured key distribution. In addition, the network initialization can also be adapted for authentication. By definition of coherence optics, the presented cryptography should be compatible with current fiber-optic communications networks at ~ Gbps key rate. Thus, the proposed protocol has potential for one-time-pad cryptography which is the long lasting goal in human history for coming information era. Eventually, all-optical computers39 may be combined with the present scheme for all-in-one secured information networks. The proposed cryptography is also applicable for wireless40 or satellite41 communications via MIMO42 technologies (discussed elsewhere). Therefore, the round-trip unitary transformation based on MZI path superposition with non-canonical variables opens a door to new physics beyond QKD limited to a quantum regime.