Secure Dialogue Without a Prior Key Distribution

Journal of the Korean Physical Society, Vol. 47, No. 4, October 2005, pp. 562∼567

Nguyen Ba An
School of Computational Sciences, Korea Institute for Advanced Study, Seoul 130-722

(Received 30 March 2005)

An entanglement-based quantum protocol to securely exchange information between two legitimate partners, Alice and Bob, is proposed. The superdense coding feature is exploited judiciously to achieve high efficiency; i.e., in a protocol run, one active qubit traveling back and forth combined with two public classical bits (cbits) enables Alice and Bob to process four secret cbits in a dialogue fashion. Namely, Alice (Bob) is able at the same time to send two secret cbits to Bob (Alice) and to read Bob’s (Alice’s) two other secret cbits. The security against eavesdropping attacks is ensured by two types of controlling modes: one relies on single-qubit measurements, and the other relies on two-qubit Bell analyses.

PACS numbers: 03.57.Hk, 03.65.Ud
Keywords: Secure communication, Entanglement, Superdense coding

I. INTRODUCTION

In cryptography, if Alice and Bob, the two legitimate partners, share a secret key K, which is a long enough random string of classical bits (cbits), then Alice is able to send her message M to Bob absolutely securely. For that purpose, Alice encrypts her message by simply adding M and K cbit by cbit. The resulting text C, the ciphertext, is then sent via any (insecure) classical channel to Bob, who is able to decrypt C by subtracting the same key K, also cbit by cbit, to get back Alice’s original message M. Eve, the malevolent eavesdropper, who is supposed to sit in the line, can have a perfect copy of C, but can by no means understand the content of M because she does not know the secret key K. This scheme was proven to be 100 % secure [1] if K is used only for a single communication, hence, the name “one-time pad”, also called the Vernam code [2] or the “private key” scheme.

The “one-time pad” scheme is, however, inconvenient. It faces a problem with how to securely transfer the key because all classical means of transmission are fundamentally insecure! In this regard, another crypto-scheme referred to as the “public key” scheme [3] proves to be very useful and is based on a so-called one-way function F(x) such that calculating F from a given x is easy, but not vice versa. For communication, Bob uses his private key x to calculate F. Then, he reveals F to the whole world, say, by putting F in the “yellow pages” of a public cryptographic directory. Alice takes this F to encrypt her message M to be C = F(M) and sends C to Bob. Upon receipt of the ciphertext C, Bob is able to use his private key x, which is known to nobody else, to get M back from F(M). Nowadays “public key” systems are used worldwide: for instance, on the Internet. In particular, one of the most interesting applications of the “public key” system has been the Rivest-Shamir-Adleman (RSA) one [4] whose security relies on the extreme difficulty of factorizing a large integer I. (For instance, to factorize $I \approx 10^{100}$, a modern computer capable of performing $10^{10}$ divisions per second would take about $10^{40}$ seconds, much much longer than our Universe’s age of about $3.8 \times 10^{17}$ seconds ≈ 12 billion years!) Although the RSA does not require any key distribution, its security is apparently unproven. Thanks to Shor’s quantum algorithms [5, 6], if a quantum computer is ever built, the RSA will fall apart because factorization would be an easy task. (For instance, a number 100 decimal digits long can be factorized in a fraction of a second!)

Fortunately, quantum key distributions (QKD) that underpin their proven security with the laws of quantum physics appear possible. There exist various protocols of QKD among which the typical ones are the BB84 protocol [7], the E91 protocol [8], the B92 protocol [9], the 4 + 2 protocol [10], the 6-state protocol [11], the 3-state protocol [12], etc. However, all of the above-mentioned protocols are quantum-resource consuming: at least 50 % of the quantum bits (qubits) should be sacrificed during the key establishment. Also, they are randomized processes, since nobody can deterministically know which qubit in which protocol run will contribute to the key, and they bear an indirect character. The actual secret key is established by neither of the legitimate partners, but, instead, by the protocol itself at its completion.

During the last few years, attention has been paid to new kinds of quantum cryptographic protocols [13–20] that allow parties in urgent circumstances to communicate securely and directly without a prior key distribution. Particularly, the so-called ping-pong protocol (PPP) [14] has been of considerable interest. Although the PPP is secure against an intercept-resend attack (IRA) and an entangle-measure attack (EMA), it remains insecure against a disturbance attack (DA) [15,19] and Q-attacks (QA) [17]. Furthermore, it is designed just for one-way communication; i.e., only Alice can send her message to Bob, but not the other way around. Recently, there have appeared quantum protocols [18, 19] in which two-way communications become possible; i.e., Alice and Bob are able to exchange their messages at the same time much like in a dialogue, hence, the name “quantum dialogue” [19]. Unfortunately, the “quantum dialogue” protocol turns out to be vulnerable to an IRA, as pointed out in Ref. 20. In this work, we shall improve the “quantum dialogue” protocol to guarantee its security against an IRA. This is achieved by combining simultaneously two types of controlling modes: one relies on single-qubit measurements as in Ref. 14, and the other relies on two-qubit Bell analyses as in Ref. 19.

II. THE PROTOCOL

Suppose that Alice has a secret message A,

$$A = \{(i_1, j_1), (i_2, j_2), \ldots, (i_N, j_N)\}, \tag{1}$$

and Bob has another secret message B,

$$B = \{(k_1, l_1), (k_2, l_2), \ldots, (k_N, l_N)\}, \tag{2}$$

with $i_n, j_n, k_n, l_n \in \{0, 1\}$ and N  1. It is assumed that a reliable classical channel is accessible by both Alice and Bob. Even so they cannot exchange their messages securely because Eve, though not being able to modify the classical information, can perfectly eavesdrop on it. Therefore, as a rule, for secure communication, dual usage of quantum and classical channels is required. Let Bob have a quantum source producing entangled photon pairs in any of the four orthonormal Bell states

$$|\Psi_{0,0}\rangle_{ht} = \frac{1}{\sqrt{2}}\left(|1\rangle_h |0\rangle_t + |0\rangle_h |1\rangle_t\right), \tag{3}$$

$$|\Psi_{0,1}\rangle_{ht} = \frac{1}{\sqrt{2}}\left(|1\rangle_h |1\rangle_t + |0\rangle_h |0\rangle_t\right), \tag{4}$$

$$|\Psi_{1,0}\rangle_{ht} = \frac{1}{\sqrt{2}}\left(|1\rangle_h |1\rangle_t - |0\rangle_h |0\rangle_t\right), \tag{5}$$

$$|\Psi_{1,1}\rangle_{ht} = \frac{1}{\sqrt{2}}\left(|1\rangle_h |0\rangle_t - |0\rangle_h |1\rangle_t\right), \tag{6}$$

where the subscript h (t) stands for “home” (“travel”) while $\{|0\rangle, |1\rangle\}$ denotes two orthogonal photon polarization degrees of freedom. These four Bell states, Eqs. (3) - (6), can be written in a single formula as

$$|\Psi_{\mu,\nu}\rangle_{ht} = \frac{1}{\sqrt{2}}\left(|1\rangle_h\, C_{\mu,\nu} |0\rangle_t + |0\rangle_h\, C_{\mu,\nu} |1\rangle_t\right), \tag{7}$$

where $\mu, \nu \in \{0, 1\}$, $C_{0,0} = \hat{1}$, $C_{0,1} = \sigma_x$, $C_{1,0} = i\sigma_y$, $C_{1,1} = \sigma_z$, and $\sigma_{x,y,z}$ are the Pauli matrices. With such an entangled source, the exchange of messages proceeds step by step as follows:

1. Bob sets n = 0.

2. Bob sets n = n + 1, produces a state $|\Psi_{k_n,l_n}\rangle_{h_n t_n}$, keeps the home qubit $h_n$ with himself, but pings the travel qubit $t_n$ to Alice.

3. Bob informs Alice that he has pinged a qubit to her.

4. Alice does nothing if she is not informed by Bob of an intended message exchange; otherwise, she confirms to Bob her receipt of a qubit.

5. Bob does nothing if Alice does not confirm a qubit receipt to him; otherwise, he decides to switch either to a control mode of type 1 (CM1) or to a message mode (MM). Then he lets Alice know of his decision.

5.1. In CM1, Alice measures the qubit $t_n$ she received in the basis $B_+ = \{|0\rangle, |1\rangle\}$, with a measurement result $a_n \in \{0, 1\}$ ($a_n = 0, 1$ if $|0\rangle_{t_n}$, $|1\rangle_{t_n}$ are, respectively, found) which is then sent to Bob. Bob also measures his qubit $h_n$ in the basis $B_+$, with a measurement result $b_n \in \{0, 1\}$ ($b_n = 0, 1$ if $|0\rangle_{h_n}$, $|1\rangle_{h_n}$ are, respectively, found), then checks the equality

$$a_n = \delta_{k_n \oplus l_n, 0}\,(b_n \oplus 1) + \delta_{k_n \oplus l_n, 1}\, b_n$$

($\delta_{p,q}$ is the Kronecker delta symbol while $\oplus$ denotes an addition mod 2). If the equality holds, he sets n = n − 1 and goes to Step 2 to continue; otherwise, he goes to Step 1 to re-initialize the whole procedure.

5.2. In MM,
(a) Alice encodes her secret classical bits (cbits) $i_n, j_n$ by acting on the qubit $t_n$ with $C_{i_n,j_n}$ and then pongs it to Bob.
(b) Bob makes a Bell analysis on the two qubits $h_n$ and $t_n$, with measurement outcomes $x_n, y_n \in \{0, 1\}$ ($(x_n, y_n) = (0, 0), (0, 1), (1, 0)$, and $(1, 1)$ if $|\Psi_{0,0}\rangle_{h_n t_n}$, $|\Psi_{0,1}\rangle_{h_n t_n}$, $|\Psi_{1,0}\rangle_{h_n t_n}$ and $|\Psi_{1,1}\rangle_{h_n t_n}$ are, respectively, found). Then, he switches either to a control mode of type 2 (CM2) or to a MM.

5.2.1. In CM2, Bob asks Alice to send him her cbits $i_n, j_n$ and checks the two equalities $x_n = i_n \oplus k_n$ and $y_n = j_n \oplus l_n$. If both the equalities hold, he sets n = n − 1 and goes to Step 2 to continue; otherwise, he goes to Step 1 to re-start.


5.2.2. In MM,
(a) Bob decodes Alice’s secret cbits as $i_n = x_n \oplus k_n$, $j_n = y_n \oplus l_n$, and then sends the outcomes $x_n, y_n$ to Alice.
(b) Alice, upon receiving $x_n, y_n$, decodes Bob’s secret cbits as $k_n = i_n \oplus x_n$, $l_n = j_n \oplus y_n$.
(c) Both Alice and Bob compare n with N. If n < N, Alice waits for the next run while Bob goes to Step 2 to continue; otherwise (i.e., n = N), they both finalize at Step 6.

6. The exchange of messages has been successfully completed.

As one can see from the above protocol, cbits of messages are exchanged deterministically and directly as in a dialogue: in an nth MM run, Alice asks Bob “$i_n, j_n$” and hears Bob’s answer “$k_n, l_n$.” The decoding scheme is clear because

$$C_{\zeta,\xi} \otimes C_{\mu,\nu} = C_{\zeta \oplus \mu,\, \xi \oplus \nu}, \tag{8}$$

up to an unimportant global phase factor, and the pair state just before Bob’s Bell measurement is of the form

$$\hat{1} \otimes C_{i,j} |\Psi_{k,l}\rangle_{ht} = \frac{1}{\sqrt{2}}\left(|1\rangle_h\, C_{i,j} \otimes C_{k,l} |0\rangle_t + |0\rangle_h\, C_{i,j} \otimes C_{k,l} |1\rangle_t\right) = |\Psi_{i \oplus k,\, j \oplus l}\rangle_{ht}. \tag{9}$$

In case Eve tampers with the quantum channel, she will be detected by the protocol. In the next section, we shall analyze the security of the protocol against different types of attacks by Eve.

III. SECURITY

Eve is supposed to be highly powerful and capable of doing anything allowed by the laws of Nature. In this section, we shall consider several typical types of attack by Eve.

1. Entangle-measure Attack

Eve first tries the entangle-measure attack (EMA), which can be described as follows. Initially, Eve prepares an ancilla state $|\chi\rangle_e$. In the ping-route, she entangles her ancilla with qubit t by using a unitary operator $U_{te}$:

$$U_{te} |\mu\rangle_t |\chi\rangle_e = \alpha |\mu\rangle_t |\chi_0\rangle_e + \beta |\mu \oplus 1\rangle_t |\chi_1\rangle_e, \tag{10}$$

where $\mu \in \{0, 1\}$, $\{\alpha, \beta = \sqrt{1 - \alpha^2}\}$ are the normalization coefficients (assumed to be real for simplicity), and $\{|\chi_0\rangle_e, |\chi_1\rangle_e\}$ are the pure ancilla states uniquely determined by $U_{te}$. When qubit t arrives at Alice, the system state has the form

$$\begin{aligned} U_{te} |\Psi_{k,l}\rangle_{ht} |\chi\rangle_e = \frac{1}{\sqrt{2}} \Big\{ & \left[(-1)^k |0\rangle_h |0\rangle_t + |1\rangle_h |1\rangle_t\right] \times \left(\alpha \delta_{k \oplus l, 1} |\chi_0\rangle_e + \beta \delta_{k \oplus l, 0} |\chi_1\rangle_e\right) \\ & + \left[(-1)^k |0\rangle_h |1\rangle_t + |1\rangle_h |0\rangle_t\right] \times \left(\alpha \delta_{k \oplus l, 0} |\chi_0\rangle_e + \beta \delta_{k \oplus l, 1} |\chi_1\rangle_e\right) \Big\}. \end{aligned} \tag{11}$$

In a CM1 run, the probability $p_{\mu\nu}$ that Bob finds $|\mu\rangle_h$ and Alice finds $|\nu\rangle_t$ is given by

$$p_{01} = p_{10} = \frac{\alpha^2}{2}, \quad p_{00} = p_{11} = \frac{\beta^2}{2} \tag{12}$$

for (k, l) = (0, 0) or (1, 1) and by

$$p_{01} = p_{10} = \frac{\beta^2}{2}, \quad p_{00} = p_{11} = \frac{\alpha^2}{2} \tag{13}$$

for (k, l) = (0, 1) or (1, 0). By virtue of Eqs. (3) - (6), (12), and (13), the detection probability per CM1 run is derived for any possible pair of k, l as

$$d^{CM1}_{EMA} = \beta^2. \tag{14}$$

In case CM1 is not executed, Alice encodes her cbits i, j on qubit t and pongs it to Bob. The system state in the pong-route becomes

$$C_{ij} U_{te} |\Psi_{k,l}\rangle_{ht} |\chi\rangle_e = \alpha |\Psi_{k \oplus i,\, l \oplus j}\rangle_{ht} |\chi_0\rangle_e + (-1)^k \beta |\Psi_{k \oplus i,\, l \oplus j \oplus 1}\rangle_{ht} |\chi_1\rangle_e. \tag{15}$$

To infer useful information, Eve measures her ancilla. She will be detected in a CM2 run if she finds $|\chi_1\rangle_e$. Since this happens with a probability of $\beta^2$, as justified by Eq. (15), the detection probability per CM2 run is also $\beta^2$; i.e.,

$$d^{CM2}_{EMA} = \beta^2. \tag{16}$$

The EMA is, thus, detectable by either CM1 or CM2 with an equal probability $\beta^2$. If the probability of a CM1 run is $c_1$ and that of a CM2 run is $c_2$, then the total detection probability under the EMA is

$$D_{EMA} = 1 - \left[1 - (c_1 + c_2)\beta^2\right]^{N/r}, \tag{17}$$

where $r = 1 - c_1 - c_2$ is the effective exchange (dialogue) rate.

2. Intercept-resend Attack

In the intercept-resend attack (IRA), Eve creates her own entangled pair $|\Psi_{0,0}\rangle_{HT}$ and ambushes Bob in the ping-route. When Bob pings his qubit t to Alice, Eve captures it, keeps it with herself, and, instead, sends on her qubit T to Alice. Alice cannot distinguish between T and t (i.e., she takes T for t), applies $C_{i,j}$ on T, and pongs it to Bob. In the pong-route Eve captures the T and performs a Bell analysis on T and H to learn i, j. Afterwards, she applies $C_{i,j}$ to the t that has been kept with her so far and transmits the t back to Bob. Then, Eve eavesdrops in the classical channel for x, y to learn k, l. By doing so, Eve gets perfect copies of both Alice’s and Bob’s messages. The IRA is undetectable by CM2 runs, but is disclosed in a CM1 run. Since there are no correlations at all between qubits h and T, the equality $a = \delta_{k \oplus l, 0}\,(b \oplus 1) + \delta_{k \oplus l, 1}\, b$ when each of h and T is separately measured would hold only half of the time for any values of k, l. The detection probability of the IRA per CM1 run is

$$d_{IRA} = 1/2; \tag{18}$$

hence, the total detection probability under the IRA reads

$$D_{IRA} = 1 - \left[1 - \frac{c_1}{2}\right]^{N/r}. \tag{19}$$
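The message-mode run of Section II and the intercept-resend attack analysed above, checked with a small state-vector calculation. This is an added example, not code from the paper; it assumes ideal lossless channels, and all function names (`honest_run`, `ira_run`, `total_detection` and the helpers) are made up for this illustration.

```python
import itertools
import math

S = 1 / math.sqrt(2)
# C operators of Eq. (7) as 2x2 matrices: identity, sigma_x, i*sigma_y, sigma_z.
C = {(0, 0): ((1, 0), (0, 1)), (0, 1): ((0, 1), (1, 0)),
     (1, 0): ((0, 1), (-1, 0)), (1, 1): ((1, 0), (0, -1))}
BITS = (0, 1)

def bell(k, l):
    """|Psi_{k,l}> of Eq. (7) as real amplitudes amp[h][t]."""
    c = C[(k, l)]
    return [[S * c[t][1] for t in BITS],   # |0>_h C|1>_t
            [S * c[t][0] for t in BITS]]   # |1>_h C|0>_t

def apply_on_travel(state, op):
    """Apply a single-qubit operator to the second (travel) qubit only."""
    return [[sum(op[t2][t] * state[h][t] for t in BITS) for t2 in BITS]
            for h in BITS]

def bell_analysis(state):
    """Most probable Bell outcome (x, y) and its probability."""
    probs = {}
    for x, y in itertools.product(BITS, repeat=2):
        ref = bell(x, y)
        overlap = sum(ref[h][t] * state[h][t] for h in BITS for t in BITS)
        probs[(x, y)] = overlap ** 2
    best = max(probs, key=probs.get)
    return best, probs[best]

def marginal(state, qubit):
    """B+ outcome probabilities of one qubit of a pair (0 = first, 1 = second)."""
    p = [0.0, 0.0]
    for pair in itertools.product(BITS, repeat=2):
        p[pair[qubit]] += state[pair[0]][pair[1]] ** 2
    return p

def cm1_failure(joint, k, l):
    """Probability that a differs from the value Bob expects in step 5.1."""
    return sum(p for (b, a), p in joint.items()
               if a != ((b ^ 1) if (k ^ l) == 0 else b))

def honest_run(i, j, k, l):
    """Message-mode run with no eavesdropper, plus the CM1 failure probability."""
    (x, y), prob = bell_analysis(apply_on_travel(bell(k, l), C[(i, j)]))
    pair = bell(k, l)
    joint = {(b, a): pair[b][a] ** 2 for b in BITS for a in BITS}
    return {"xy": (x, y), "bob_reads": (x ^ k, y ^ l),
            "alice_reads": (i ^ x, j ^ y), "prob": prob,
            "cm1_fail": cm1_failure(joint, k, l)}

def ira_run(i, j, k, l):
    """Intercept-resend: Eve substitutes T from her own pair |Psi_{0,0}>_{HT}."""
    learned, _ = bell_analysis(apply_on_travel(bell(0, 0), C[(i, j)]))
    (x, y), _ = bell_analysis(apply_on_travel(bell(k, l), C[learned]))
    # CM1: Bob measures h of his pair, Alice measures T of Eve's pair;
    # the two pairs are independent, so the joint distribution factorises.
    ph, pT = marginal(bell(k, l), 0), marginal(bell(0, 0), 1)
    joint = {(b, a): ph[b] * pT[a] for b in BITS for a in BITS}
    return {"eve_learns": learned, "cm2_passes": (x, y) == (i ^ k, j ^ l),
            "cm1_fail": cm1_failure(joint, k, l)}

def total_detection(d, c, N, r):
    """1 - (1 - c*d)^(N/r), the form shared by Eqs. (17) and (19)."""
    return 1 - (1 - c * d) ** (N / r)

if __name__ == "__main__":
    for i, j, k, l in itertools.product(BITS, repeat=4):
        h, e = honest_run(i, j, k, l), ira_run(i, j, k, l)
        print((i, j, k, l), h["xy"], h["cm1_fail"], e["eve_learns"],
              e["cm2_passes"], e["cm1_fail"])
    print("D_IRA (N=100, c1=0.1, r=0.8):", total_detection(0.5, 0.1, 100, 0.8))
```

For all 16 bit combinations the attacked run still satisfies the CM2 equalities while the CM1 check fails with probability 1/2, and `total_detection(0.5, 0.1, 100, 0.8)` reproduces the value 0.998358 quoted in the Conclusion.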

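3. Q-attack

Recently, a new type of eavesdropping attack has been introduced in Ref. 17, which is here referred to as a Q-attack (QA) for short. In the QA, Eve initially prepares two auxiliary spatial modes x and y in the state $|\mathrm{vac}\rangle_x |0\rangle_y$, where $|\mathrm{vac}\rangle$ labels the vacuum state. In the ping-route, Eve performs jointly on qubit t and two modes x, y a unitary operator $Q_{txy} = \mathrm{SWAP}_{tx}\, \mathrm{CPBS}_{txy}\, H_y$, with $H_y$ being the Hadamard gate, $\mathrm{SWAP}_{tx}$ the swapping gate, and $\mathrm{CPBS}_{txy}$ the controlled polarizing beam splitter gate (see Ref. 17 for details). Then, in the pong-route, after Alice’s encoding, Eve performs $Q^{-1}_{txy}$ on the txy-subsystem. Finally, Eve measures modes x and y to gain Alice’s and Bob’s information. After the $Q_{txy}$ operation, the state of the total system is of the form

$$\begin{aligned} Q_{txy} |\Psi_{k,l}\rangle_{ht} |\mathrm{vac}\rangle_x |0\rangle_y = {} & \frac{1}{2} \left[(-1)^k |0\rangle_h + |1\rangle_h\right] |\mathrm{vac}\rangle_t \times \left[\delta_{k \oplus l, 0} |0\rangle_x |1\rangle_y + \delta_{k \oplus l, 1} |1\rangle_x |0\rangle_y\right] \\ & + \frac{(-1)^k}{2} |0\rangle_h \left[\delta_{k \oplus l, 0} |1\rangle_t |1\rangle_x + \delta_{k \oplus l, 1} |0\rangle_t |0\rangle_x\right] |\mathrm{vac}\rangle_y \\ & + \frac{1}{2} |1\rangle_h \left[\delta_{k \oplus l, 0} |0\rangle_t |0\rangle_x + \delta_{k \oplus l, 1} |1\rangle_t |1\rangle_x\right] |\mathrm{vac}\rangle_y. \end{aligned} \tag{20}$$

If CM1 is operated, there is a probability of 1/2 that Alice finds $|\mathrm{vac}\rangle_t$ whose origin could be due to a quantum channel, which is generally lossy. The other 1/2 probability is that Alice’s and Bob’s measurement results a and b always obey the equality $a = \delta_{k \oplus l, 0}\,(b \oplus 1) + \delta_{k \oplus l, 1}\, b$. That is, CM1 is generally insufficient for detecting the QA. However, CM2 does the job. Indeed, after Alice applies $C_{i,j}$ to t and Eve performs $Q^{-1}_{txy}$ on the txy-subsystem, the whole system-state $Q^{-1}_{txy} C_{i,j} Q_{txy} |\Psi_{k,l}\rangle_{ht} |\mathrm{vac}\rangle_x |0\rangle_y$ depends on i, j as follows:

For i = j = 0, $Q^{-1}_{txy} C_{i,j} Q_{txy} |\Psi_{k,l}\rangle_{ht} |\mathrm{vac}\rangle_x |0\rangle_y = |X_{00}\rangle$ with

$$|X_{00}\rangle = |\Psi_{k \oplus i,\, l \oplus j}\rangle_{ht} |\mathrm{vac}\rangle_x |0\rangle_y, \tag{21}$$

implying that Eve conceals herself; i.e., the detection probability is

$$d^{(00)}_{QA} = 0. \tag{22}$$

For i = 0, j = 1, $Q^{-1}_{txy} C_{i,j} Q_{txy} |\Psi_{k,l}\rangle_{ht} |\mathrm{vac}\rangle_x |0\rangle_y = |X_{01}\rangle$ with

$$\begin{aligned} |X_{01}\rangle = \frac{1}{2} \Big[ & |\Psi_{k,l}\rangle_{ht} \times \left(\frac{|0\rangle_x + |1\rangle_x}{\sqrt{2}} |\mathrm{vac}\rangle_y + |\mathrm{vac}\rangle_x |0\rangle_y\right) \\ & - (-1)^{k \oplus l} |\Psi_{k \oplus i \oplus 1,\, l \oplus j}\rangle_{ht} \times \left(\frac{|0\rangle_x - |1\rangle_x}{\sqrt{2}} |\mathrm{vac}\rangle_y + |\mathrm{vac}\rangle_x |1\rangle_y\right) \Big], \end{aligned} \tag{23}$$

implying that Eve is detected with certainty; i.e., the detection probability is

$$d^{(01)}_{QA} = 1. \tag{24}$$

For i = 1, j = 0, $Q^{-1}_{txy} C_{i,j} Q_{txy} |\Psi_{k,l}\rangle_{ht} |\mathrm{vac}\rangle_x |0\rangle_y = |X_{10}\rangle$ with

$$\begin{aligned} |X_{10}\rangle = -\frac{1}{2} \Big[ & |\Psi_{k,l}\rangle_{ht} \times \left(\frac{|0\rangle_x - |1\rangle_x}{\sqrt{2}} |\mathrm{vac}\rangle_y - |\mathrm{vac}\rangle_x |0\rangle_y\right) \\ & - (-1)^{k \oplus l} |\Psi_{k \oplus i,\, l \oplus j \oplus 1}\rangle_{ht} \times \left(\frac{|0\rangle_x + |1\rangle_x}{\sqrt{2}} |\mathrm{vac}\rangle_y - |\mathrm{vac}\rangle_x |1\rangle_y\right) \Big], \end{aligned} \tag{25}$$

implying that Eve is detected with certainty; i.e., the detection probability is

$$d^{(10)}_{QA} = 1. \tag{26}$$

For i = j = 1, $Q^{-1}_{txy} C_{i,j} Q_{txy} |\Psi_{k,l}\rangle_{ht} |\mathrm{vac}\rangle_x |0\rangle_y = |X_{11}\rangle$ with

$$|X_{11}\rangle = \frac{1}{\sqrt{2}} \left[ |\Psi_{k,l}\rangle_{ht} |\mathrm{vac}\rangle_x \frac{|0\rangle_y + |1\rangle_y}{\sqrt{2}} + (-1)^{k \oplus l} |\Psi_{k \oplus i,\, l \oplus j}\rangle_{ht} |\mathrm{vac}\rangle_x \frac{|0\rangle_y - |1\rangle_y}{\sqrt{2}} \right], \tag{27}$$

implying that Eve is detected half of the time; i.e., the detection probability is

$$d^{(11)}_{QA} = 1/2. \tag{28}$$

The average detection probability per CM2 run is

$$d_{QA} = \sum_{i=0}^{1} \sum_{j=0}^{1} q_{ij}\, d^{(ij)}_{QA}, \tag{29}$$

with $q_{ij}$ being the probability of appearance of i and j in Alice’s message. If one assumes that $q_{ij} = 1/4\ \forall i, j \in \{0, 1\}$, then

$$d_{QA} = \frac{1}{4} \sum_{i=0}^{1} \sum_{j=0}^{1} d^{(ij)}_{QA} = \frac{5}{8}; \tag{30}$$

therefore, the total detection probability under the QA is

$$D_{QA} = 1 - \left[1 - \frac{5 c_2}{8}\right]^{N/r}. \tag{31}$$

4. Disturbance Attack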

If only CM1 is designed as in the PPP [14], then Eve can easily misguide Alice and Bob. Since CM1 is in force only in the ping-route, it is safe for Eve to sit in the pong-route. When qubit t comes out from Alice, Eve simply measures t and forwards it to Bob [15], or she can encode her randomly chosen cbits $\zeta, \xi \in \{0, 1\}$ on qubit t by applying to it an operator $C_{\zeta,\xi}$ [19]. By doing so, Eve remains unnoticed, but what Alice and Bob decode will just be random sequences of cbits that are absolutely meaningless. These are kinds of denial-of-service attacks, but here we call them, for short, disturbance attacks (DA) because, in essence, they disturb the message’s content without gaining any useful information.

When CM2 comes into play, Eve will be detected with a nonzero probability. Namely, for the measure-and-forward trick, the system state in the pong-route is

$$|\Psi_{k \oplus i,\, l \oplus j}\rangle_{ht} = \frac{1}{\sqrt{2}} \left(|1\rangle_h\, C_{k \oplus i,\, l \oplus j} |0\rangle_t + |0\rangle_h\, C_{k \oplus i,\, l \oplus j} |1\rangle_t\right). \tag{32}$$

If Eve finds qubit t in state $C_{k \oplus i,\, l \oplus j} |0\rangle_t$ with probability 1/2, the ht-pair state $|\Psi_{k \oplus i,\, l \oplus j}\rangle_{ht}$ collapses into $|1\rangle_h\, C_{k \oplus i,\, l \oplus j} |0\rangle_t$, which can be rewritten in the form

$$|1\rangle_h\, C_{k \oplus i,\, l \oplus j} |0\rangle_t = \frac{1}{\sqrt{2}} \left(|\Psi_{k \oplus i,\, l \oplus j}\rangle_{ht} + |\Psi_{k \oplus i \oplus 1,\, l \oplus j \oplus 1}\rangle_{ht}\right). \tag{33}$$

Alternatively, if Eve finds qubit t in state $C_{k \oplus i,\, l \oplus j} |1\rangle_t$, also with probability 1/2, the ht-pair state $|\Psi_{k \oplus i,\, l \oplus j}\rangle_{ht}$ collapses into $|0\rangle_h\, C_{k \oplus i,\, l \oplus j} |1\rangle_t$, which can be rewritten in the form

$$|0\rangle_h\, C_{k \oplus i,\, l \oplus j} |1\rangle_t = \frac{1}{\sqrt{2}} \left(|\Psi_{k \oplus i,\, l \oplus j}\rangle_{ht} - |\Psi_{k \oplus i \oplus 1,\, l \oplus j \oplus 1}\rangle_{ht}\right). \tag{34}$$

In either situation, there is a probability of 1/2 that Bob’s Bell analyzer yields the result $x = k \oplus i \oplus 1$, $y = l \oplus j \oplus 1$ indicating the presence of Eve; i.e.,

$$d^{measure}_{DA} = 1/2 \tag{35}$$

(see also Ref. 21). For the random encoding trick, the ht-pair state Bob will analyze is

$$\hat{1} \otimes C_{\zeta,\xi} |\Psi_{k \oplus i,\, l \oplus j}\rangle_{ht} = |\Psi_{k \oplus i \oplus \zeta,\, l \oplus j \oplus \xi}\rangle_{ht}. \tag{36}$$

Obviously, unless $\zeta = \xi = 0$, Eve is inevitably disclosed after Bob’s Bell analysis. Hence, if Eve is assumed to pick $\zeta$ and $\xi$ as “0” or “1” with the same probability, her disturbance is detected with probability

$$d^{encode}_{DA} = 3/4. \tag{37}$$

Then, the total detection probability under a DA with the measure-and-forward trick is

$$D^{measure}_{DA} = 1 - \left[1 - \frac{c_2}{2}\right]^{N/r} \tag{38}$$

and that under a DA with the random encoding trick is

$$D^{encode}_{DA} = 1 - \left[1 - \frac{3 c_2}{4}\right]^{N/r}. \tag{39}$$

5. Masquerading Attacks

Eve might think that she could masquerade as Bob to get Alice’s message with Bob being unaware. However, this strategy does not work because Alice “does nothing” (i.e., the dialogue aborts) if she gets no information about an intended dialogue via a reliable classical channel from Bob. That is why “Bob informs Alice ...” in Step 3 is necessary. Likewise, “otherwise, she confirms to Bob ...” in Step 4 is also necessary to prevent an Eve-Bob dialogue without Alice’s knowledge. In fact, if Eve just masquerades as Alice to “talk” with Bob, she fails because Bob “does nothing” in Step 5 (i.e., the dialogue aborts) if Alice does not reliably confirm to Bob that she is actually online with him.

IV. CONCLUSION

This work was primarily motivated by a recent comment [20] and, in particular, by the fact that the solution in Ref. 20 does not solve the problem. Namely, in Ref. 20, a revised control mode (RCM) was suggested. Firstly, the RCM is overabundant in the sense that there is no need to choose at random between the two measurement bases $B_+$ and $B_\times = \{|-\rangle, |+\rangle\}$ ($|\pm\rangle = (|0\rangle \pm |1\rangle)/\sqrt{2}$). Actually, only one measurement basis, say, $B_+$, suffices to detect the IRA. Using only one measurement basis economizes the classical communication cost: only the measurement result, but not the choice of bases, need be announced. Moreover, the RCM is not new at all. It was constructed before in Ref. 16, with an aim of simultaneously detecting the QA, yet, to protect against the DA, one must also utilize a message authentication method, which would lose the feature of direct communication (dialogue fashion). Secondly and more seriously, controlling only by single-qubit measurements in the ping-route as in RCM is insufficient for protecting against DA, as was elucidated in Section III.

Taking all these factors into account, we have designed two types of controls: CM1 and CM2. While CM1 controls the ping-route to detect an IRA and an EMA, CM2 controls the pong-route to protect against a QA and a DA as well as against an EMA. Our protocol is also safe against masquerading attacks. It alternatively proceeds with MM, CM1, and CM2 step-by-step while maintaining a dialogue style. The advantage of superdense coding is exploited fully to double the dialogue rate (compared with that in the PPP): in each MM run, Alice deterministically sends two cbits i, j to Bob, and, at the same time, deterministically receives two other cbits k, l from Bob. As both the ping- and the pong-route are being controlled, we hope that our protocol will also be secure against other more sophisticated types of attacks.

As for the types of attacks considered here, in each run in a corresponding control mode, there is a nonzero detection probability. The level of security is assessed by using the fact that, even when the parameters $c_1$, $c_2$, and $\beta^2$ are all chosen to be as small as 1/10 (to maintain a high enough dialogue rate r = 0.8), the total detection probabilities $\{D_{IRA}, D_{EMA}, D_{QA}, D^{measure}_{DA}, D^{encode}_{DA}\}$ are equal to {0.998358, 0.919969, 0.999686, 0.998358, 0.999941}, {0.999997, 0.993595, 1, 0.999997, 1}, {1, 0.999487, 1, 1, 1}, and {1, 1, 1, 1, 1} for N = 100, 200, 300, and 600, respectively. This implies an asymptotic security; i.e., the total detection probability approaches 1 in the long-message limit. Of course, the partners should be aware of possible leakage of parts of their messages to Eve before she is detected. To arbitrarily shrink the leaked parts and upgrade the security level, Alice and Bob can increase the control rates $c_1$ and $c_2$ at the expense of slowing down the dialogue rate r.

On the other hand, in order to enjoy absolute security, Alice and Bob should not avoid a prior establishment of common secret keys. To that end, they put their messages aside and locally generate secret keys $K_A$ and $K_B$ to be used later for transferring the messages. At first glance, our protocol seems to be a good one for exchanging $K_A$ and $K_B$. Nevertheless, when Bob sends his Bell measurement result (x, y) to Alice, these (x, y) are, in fact, ciphertext of $K_A$ ($K_B$) encrypted by $K_B$ ($K_A$). This means that the parity of the corresponding cbits in $K_A$ and $K_B$ is known publicly; i.e., each of the keys has already been used one time and cannot be used another time in accordance with the “one-time pad” criterion. For that reason, Bob’s sending (x, y) in Step 5.2.2 (a) as well as in Step 5.2.2 (b) should be skipped in favor of keeping only $K_A$ secret. In this sense, our protocol, besides the dialogue feature in urgent circumstances, also serves as an effective method for Alice to transfer her secret key to Bob, thus preserving the advantages of proven security, determinism, directness, quantum resource economy and a high processing rate.

As for experimental realization, our protocol is as feasible as the PPP. (See Ref. 14 for more details on the experimental feasibility.) Thus, its application could be envisaged with current technologies.

ACKNOWLEDGMENTS

The author thanks C. H. Bennett, H. W. Lee, J. Kim, J. Gruska, and Z. J. Zhang for useful discussions and/or comments. This work was supported by a grant (TRQCQ) from the Ministry of Science and Technology (MOST) of Korea and by an R&D Fund No. 6G014904 from Korea Institute for Advanced Study.

REFERENCES

[1] C. E. Shannon, Bell Syst. Tech. J. 28, 656 (1949).
[2] G. S. Vernam, J. Am. Inst. Electr. Eng. 45, 109 (1926).
[3] W. Diffie and M. E. Hellman, IEEE Trans. Inf. Theory 22, 644 (1976); M. E. Hellman, Sci. Am. 241, 146 (1979); W. Diffie, Contemporary Cryptology: The Science of Information Integrity, edited by G. Simmons (IEEE, Piscataway, New York, 1992).
[4] R. L. Rivest, A. Shamir and L. Adleman, Commun. ACM 21, 120 (1978); R. L. Rivest, A. Shamir and L. Adleman, MIT Laboratory for Computer Science, Technical Report, MIT/LCS/TR-212 (1979).
[5] P. W. Shor, Proceedings of the 35th Annual Symposium on the Foundations of Computer Science, edited by S. Goldwasser (IEEE Computer Society, Los Alamitos, CA, 1994).
[6] P. W. Shor, SIAM J. Computing 26, 1484 (1997).
[7] C. H. Bennett and G. Brassard, Proc. IEEE Int. Conf. on Computers, Systems and Signal Processing, Bangalore (IEEE, New York, 1984).
[8] A. K. Ekert, Phys. Rev. Lett. 67, 661 (1991).
[9] C. H. Bennett, Phys. Rev. Lett. 68, 3121 (1992).
[10] B. Huttner, N. Imoto, N. Gisin and T. Mor, Phys. Rev. A 51, 1863 (1995).
[11] D. Bruß, Phys. Rev. Lett. 81, 3018 (1998).
[12] S. J. D. Phoenix, S. M. Barnett and A. Chefles, J. Mod. Opt. 47, 507 (2000).
[13] K. Shimizu and N. Imoto, Phys. Rev. A 60, 157 (1999); A. Beige, B. G. Engler, C. Kurtsiefer and H. Weinfurter, J. Phys. A: Math. Gen. 35, L407 (2002); F. G. Deng, G. L. Long and X. S. Liu, Phys. Rev. A 68, 042317 (2003).
[14] K. Bostroem and T. Felbinger, Phys. Rev. Lett. 89, 187902 (2002).
[15] Q. Y. Cai, Phys. Rev. Lett. 91, 109801 (2003).
[16] Q. C. Cai and B. W. Li, Phys. Rev. A 69, 054301 (2004).
[17] A. Wojcik, Phys. Rev. Lett. 90, 157901 (2003).
[18] Z. J. Zhang, quant-ph/0403186 (2004).
[19] Nguyen Ba An, Phys. Lett. A 328, 6 (2004).
[20] Z. X. Man, quant-ph/0406230 (2004).
[21] Q. Y. Cai, quant-ph/0406171 (2004).