iliary qubits are only sent from Alice to Bob for one times. .... Alice and Bob share n EPR pairs as the authentication key which is in any ..... We will discuss it in fu-.
Proceedings of the 5th WSEAS International Conference on Applied Computer Science, Hangzhou, China, April 16-18, 2006 (pp1004-1009)
Quantum authentication protocol using entangled states Dexi Zhang Xiaoyu Li College of Computer Science and Technology College of Information Engineering Xuchang University Zhengzhou University Xuchang City, 461000 the People’s Republic of China Zhengzhou City, 450052 the People’s Republic of China Abstract: In this paper we provide a quantum authentication protocol. The two parties share a sequence of EPR(Einstein-Podolsky-Rosen) pairs as the authentication key. To authenticate each other, one party creates auxiliary qubits and make them interact with the authentication key. After measurement in selected basis, he or she affirm the other’s identity. We shown that no one without the authentication key can pass the authentication process. So the protocol is secure. The authentication key is reusable if there are no eavesdroppers and errors in transmission. Key–Words: Quantum cryptography, quantum authentication, EPR pair, CNOT operation, security, reusable.
1 Introduction One of the most important applications of quantum information theory is quantum cryptography. Quantum cryptography is a field that integrates quantum mechanics with cryptograph. The fundamental principles of quantum physics guarantee its security. The first quantum key distribution (OKD) protocol is proposed by C. H. Bennett and G. Brassard [1]. Since then much research work has been done in quantum cryptography, such as quantum key distribution [26], quantum secret share [7,8,9], quantum bit commitment [10-11], quantum information hiding [1214], and information theory for quantum cryptography [15]. Experimentes on QKD has also been accomplished successfully. In 1992, BennettBessette and Brassard first realized BB84 protocol in laboratory[16]. Recently QKD in optical fiber has been achieved [17] beyond 150 km and in free space has been implemented over a distance of 1 km [18]. There is another important problem in cryptography: authentication. If Alice and Bob want to build a key by classical or quantum key distribution protocol, they must affirm each other’s identity at first. So authentication key must be distributed to both sides in order to verify the counterpart’s identity. Quantum authentication is better than classical one in potential useful ways. For example, if an eavesdropper breaks in Alice’s office while she is not present. In classical cryptography the eavesdropper can make a copy of Alice’s authentication key without leaving any trace behind from which Alice may percept his existence. So he can pass the authentication. That is to
say, the authentication protocol can no longer work. But in quantum authentication protocol, the authentication key is quantum states. Quantum no-cloning theorem forbids eavesdropper to copy the authentication key. So quantum authentication provides capacity of theft-detection much as quantum key distribution provides security against eavesdropping. Recently several quantum authentication schemes [19-26] have been proposed. Zeng’s [19] protocol uses EPR pairs as the first authentication keys, and then uses classical keys distributed via quantum key distribution. Barnum’s [20] and Jensen and Schack’s [21] schemes use entanglement and catalysis. Zhang’s scheme [22] accomplishes the authentication using an auxiliary qubit. Ljunggren’s protocol [23] performs authentication integrated with quantum key distribution in virtue of an arbitrator. Li and Barnum’s scheme [24] takes EPR pair as identity token and uses auxiliary EPR pairs to fulfill the authentication. Barnum [25] and Kuhn [26] discussed quantum authentication using both quantum and classical key. In this paper we provide a scheme using EPR pairs as the authentication key. They create auxiliary qubits and have them interact with the authentication. Then the authentication is accomplished by a measurement in select basis. There is no classical information exchange needed and the authentication key is reusable. In some sense our protocol is analogous to Zhang’s because both them use entangled states as authentication key and create auxiliary qubits to interact with the key. But Zhang’s scheme requires that the auxiliary qubits are sent twice between Alice and Bob. Alice creates auxiliary qubits and sends them to Bob. After Bob
Proceedings of the 5th WSEAS International Conference on Applied Computer Science, Hangzhou, China, April 16-18, 2006 (pp1004-1009)
receives the qubits and does some operations, he will send them back to Alice. The authentication process is finished by Alice’s operations in the end. Here we prove that it isn’t necessary at all. In our protocol auxiliary qubits are only sent from Alice to Bob for one times. Then they realize authentication up successfully. So our protocol is simpler and more practicable than Zhang’s. The paper is organized as follows. In section 2 we introduce the basic idea on which our authentication protocol is based. Then the protocol is present in section 3. Next in section 4 we prove that it’s secure. Finally we give some further discussions.
2 Basic Idea An EPR pair is a two-qubit system which is in one of the four Bell states: 1 |Φ+ >= √ (|00 > +|11 >) 2 1 |Φ− >= √ (|00 > −|11 >) 2 1 |Ψ+ >= √ (|01 > +|10 >) 2 1 |Ψ− >= √ (|01 > −|10 >). (1) 2 The Bell state measurement is a measurement on a two-qubit system in which one uses the Bell states as the basis. Complete Bell state measurement has been realized recently [27,28]. Now let’s introduce the basic idea of our authentication protocol. Assuming that Alice and Bob share n EPR pairs as the authentication key in which any pair is in one of the four Bell states, For example, an EPR pair is in the state 1 |Φ+ AB >= √ (|0 >A |0 >B +|1 >A |1 >B ) (2) 2 in which the subscript ’A’ expresses that the qubit is at Alice’s hands and ’B’ expresses that it is at Bob’s hands. Alice creates an auxiliary qubit (called qubit X) in the state 1 (3) |ϕ >X = √ (|0 >X +|1 >X ). 2 Then she performs a CNOT operation on qubit X and qubit A at her hands in which the control qubit is qubit X and the target qubit is qubit A. So the state of the whole three-qubit system(qubit A, qubit B, qubit X) is S = 12 (|0 >X |0 >A |0 >B + |0 >X |1 >A |1 >B + |1 >X |1 >A |0 >B + |1 >X |0 >A |1 >B ).
(4)
Then Alice sends qubit X to Bob. When Bob receives it, he does a CNOT operation on qubit B and qubit X in which the control qubit is qubit X and the target qubit is qubit B. So the state of the whole three-qubits system is turned into S = + + + = ⊗
1 2 (|0
>X |0 >A |0 >B |0 >X |1 >A |1 >B |1 >X |1 >A |1 >B |1 >X |0 >A |0 >B ) √1 (|0 >X +|1 >X ) 2 (|0 >A |0 >B +|1 >A |1 >B ).
(5)
Obviously we can see that it comes back as origin. Alice and Bob share the EPR pair in |Φ+ AB > and the auxiliary qubit is in |ϕ >X . Bob can measures qubit X in basis { √12 (|0 >X +|1 >X ), √12 (|0 >X −|1 >X )}. For simplicity, we rewrite the basis as {|+ >X , |− >X }. So Bob will get measurement outcome |+ >X with certainty. Similarly it is easy to + prove that if the EPR pair in |Φ− AB >, |ΨAB > or − |ΨAB >, we get the same result. Later in section IV we will prove that Bob can affirm with a great probability that the one on the other side must be Alice if he always get |+ >X to n EPR pairs. Nobody except Alice and Bob can fulfill the authentication process. So we can design an authentication protocol based on the idea above. Noting that the state of any EPR pair is unchanged after the authentication process, so the authentication key can be reused for next authentication process.
3 Quantum authentication protocol using entangle states Now we provide our quantum authentication protocol. Alice and Bob share n EPR pairs as the authentication − key which is in any state of the set {|Φ+ AB >, |ΦAB > − , |Ψ+ AB >, |ΨAB >}. Alice holds qubit A while Bob holds qubit B. So the sequence of the n states can be 1 , ψ 2 , ...ψ n ). Alice and Bob written as ψ = (ψAB AB AB even don’t need to know about the sequence ψ. They only hold qubit A and qubit B of each EPR pairs respectively. If Alice want to prove her identity to Bob, they do as follows. (1) Alice creates n auxiliary qubits in the state |ϕ >X = |+ >X . Then she performs CNOT operation on qubit A and qubit X to each EPR pair in which qubit A is the target qubit and qubit X is the control qubit. (2) Alice sends all the auxiliary qubits to Bob in sequence.
Proceedings of the 5th WSEAS International Conference on Applied Computer Science, Hangzhou, China, April 16-18, 2006 (pp1004-1009)
(3) After receiving the auxiliary qubits, Bob does CNOT operation on qubit X and qubit B to each EPR pair in which qubit X is the control qubit and qubit B is the target qubit. (4) Bob measure all the auxiliary qubits in basis {|+ >X , |− >X }. If all the measurement outcomes are |+ >X , the authentication succeeds. Bob is sure that the one on the other side is Alice. If there are too many measurement outcomes |− >X , the authentication fails. Bob affirms that the one on the other side isn’t Alice. Similarly if Bob wants to prove his identity to Alice, the two parties just perform the same steps as above except that they exchange their roles in the authentication process.
4 Security of the protocol In this section we prove that no one who hasn’t the authentication key could pass the authentication process. So our protocol is secure. Now we assuming that an eavesdropper, for example Eve, wants to impersonate Alice to pass the authentication while Alice is not present. According to our protocol she must sends n qubits to Bob. Eve can only create fake qubits and send them to Bob because she has no authentication key. In general the state of the any qubit which Eve sends to Bob can be described as ρE =
2 �
pi |ϕi >EE < ϕi |
(6)
i=1
in which |ϕi >E = ai |0 >E +bi |1 >E , p1 + p2 = 1, and |ai |2 + |bi |2 = 1. As known a mixed state is composed of some pure states. So the measurement outcome of the mixed state is the sum of the measurement outcomes of these pure states when we measure these pure states respectively. So what we need to do is to consider |ϕ1 >E = a1 |0 >E +b1 |1 >E and |ϕ2 >E = a2 |0 >E +b2 |1 >E respectively and sum the outcomes up. Now we discuss it in detail. Without losing generality, we assume that the states of the EPR pair is |Φ+ AB >. First let’s consider pure states |ϕ1 >E . When Bob receives the qubit E from Eve, he performs CNOT operation on qubit E and qubit B according to our protocol in which qubit B is the target qubit and qubit E is the control qubit. So the state of the whole three-qubit system turns into S1 =
√1 2
( + + +
a1 |0 >E |0 >A |0 >B a1 |0 >E |1 >A |1 >B b1 |1 >E |0 >A |1 >B b1 |1 >E |1 >A |0 >B ).
(7)
Then Bob measures qubit E in basis {|+ >E , |− >E } according to the protocol. As known |+ >= |− >=
√1 (|0 2 √1 (|0 2
>E +|1 >E ) >E −|1 >E ).
(8)
>E +|− >E ) >E −|− >E ).
(9)
From equation(8) we have |0 >= |1 >=
√1 (|+ 2 √1 (|+ 2
Obviously equation(7) can be turned into S1 =
1 2
[a1 (|+ >E +|− >E )|0 >A |0 >B + a1 (|+ >E +|− >E )|1 >A |1 >B + b1 (|+ >E −|− >E )|0 >A |1 >B + b1 (|+ >E −|− >E )|1 >A |0 >B ]. (10) If Bob measures it, the probabilities that he gets outcomes |+ >E and |− >E are P1+ = = = P1− = = =
|E < +|S1 > |2 ( 12 )2 (|a1 |2 + |a1 |2 + |b1 |2 + |b1 |2 ) 1 2 |E < −|S1 > |2 ( 12 )2 (|a1 |2 + |a1 |2 1 2.
+ |b1 |2 + |b1 |2 )
(11) So the probability that Bob gets the correct result |+ >E is 12 . Doing the same reasoning, to pure state |ϕ2 >E , the probability that Bob gets the outcomes |+ >E and |− >E is P2+ = = = P2− = = =
|E < +|S2 > |2 ( 12 )2 (|a2 |2 + |a2 |2 + |b2 |2 + |b2 |2 ) 1 2 |E < −|S2 > |2 ( 12 )2 (|a2 |2 + |a2 |2 1 2.
+ |b2 |2 + |b2 |2 )
(12) Similarly the probability that Bob gets the correct result is also 12 . So taking one with another the probability that Bob gets the correct result for ρE is 1 1 1 P = p1 P1+ + p2 P2+ = p1 + p2 = . 2 2 2
(13)
+ If the states of the EPR pair is |Φ− AB >, |ΨAB >, or − |φAB >, performing the same reasoning we can get that the probability for Bob to gets the correct result is also 12 . So we come to a conclusion that the probability that Bob gets the correct result to each EPR pair is 1 2 . There are n EPR pairs in the authentication key. So
Proceedings of the 5th WSEAS International Conference on Applied Computer Science, Hangzhou, China, April 16-18, 2006 (pp1004-1009) −
the probability that Bob gets correct results to all EPR pair, in other words, Eve passes the authentication, is 1 Perror = ( )n . 2
(14)
EPR pair is |ΦAB >. After the CNOT operation the state of the whole four-qubit system(qubit A, qubit B, qubit X, qubit E) turns into Γ=
1 2
If n=1000, we get 1 Perror = ( )1000 ≈ 10−300 . 2
(15)
Obviously this probability is too small to imagine, that is to say, it’s impossible for Eve to pass the authentication. So our protocol is secure under this attack. Now let’s consider a more complex attack. Eve monitors the authentication process between Alice and Bob and tries to obtain some useful information. Then she attempt to cheat Bob while Alice is out. It can be proved that such attack can’t succeed yet. We give a detailed discussion as follows. When Alice sends the auxiliary qubits to Bob, Eve can catch them. But first Eve can’t measure these qubits because she can’t get any useful information by doing so. For example, assuming that the state of the EPR pair is |Φ+ AB >, after Alice perform the CNOT operation according to the protocol, the state of the whole three-qubit system is 1 2
|0 >B |1 >B |0 >B |1 >B ).
(16)
ρX = T rAB S = 12 (|0 >X X < 0| + |1 >X X < 1|).
(17)
S=
( + + +
|0 >X |0 >X |1 >X |1 >X
|0 >A |1 >A |1 >A |0 >A
So the states qubit X is
Obviously it’s a mXimally mixed state of one qubit. If Eve measure it, she can only get |0 >X and |1 >X with equal probability 12 . That is to say, she obtain no useful information. When the state of the EPR pair is + − |Φ− AB >, |ΨAB > or |ΨAB >, we get the same conclusion. Moreover the state of the whole three-qubit system has been changed by Eve’s measurement. The authentication precess is sure to fail even if Eve sends qubit X to Bob. Alice and Bob will realize Eve’s existence. So they abandon the damaged authentication key and try to establish a new one. That is to say, Eve fails in cheating. On the other hand Eve can take a dedicate method of attack as follows. After catching qubit X, she doesn’t measure it. Instead she creates a new qubit(called qubit E) and performs CNOT operation on qubit X and qubit E in which the first one is the control qubit and the second one is the target qubit. Without losing generality, we assume the state of the
( + + +
|0 >X |0 >X |1 >X |1 >X
|0 >E |0 >E |1 >E |1 >E
|0 >A |1 >A |1 >A |0 >A
|0 >B |1 >B |0 >B |1 >B ).
(18)
Then Eve sends qubit X to Bob. When receiving it, Bob does CNOT operation according to our protocol in which qubit X is the control qubit and qubit B is the target qubit. So we have Γ=
1 2
( + + +
|0 >X |0 >X |1 >X |1 >X
|0 >E |0 >E |1 >E |1 >E
|0 >A |1 >A |1 >A |0 >A
|0 >B |1 >B |1 >B |0 >B ).
(19)
It can be rewritten as 1 [(|+ >X +|− >X )|0 >E |0 >A |0 >B Γ = 2√ 2 +(|+ >X +|− >X )|0 >E |1 >A |1 >B +(|+ >X −|− >X )|1 >E |1 >A |1 >B +(|+ >X −|− >X )|1 >E |0 >A |0 >B ]. (20) From equation(20) we can conclude that Bob will get |+ >X and |− >X with equal probability if he measure qubit X in basis {|+ >X , |− >X } according to our protocol. If the state of the EPR pair is |Φ− AB >, − |Ψ+ > or |Ψ >, Bob gets the same results. TakAB AB ing one with another, the probability for Bob to get correct result required by the protocol is only 12 . So to n EPR pairs the probability that Eve escapes from being found by Alice and Bob is
1 Perror = ( )n . 2
(21)
If n=1000, we obtain 1 Perror = ( )1000 ≈ 10−300 . 2
(22)
In other words, this kind of attack can’t succeed yet. So we come to a conclusion that Eve can’t breach our quantum authentication protocol by monitoring the the authentication process between Alice and Bob. So far we have showed that this quantum authentication protocol is secure.
5 Discussion and conclusion We must point out that in our protocol the authentication key is reusable only when the authentication
Proceedings of the 5th WSEAS International Conference on Applied Computer Science, Hangzhou, China, April 16-18, 2006 (pp1004-1009)
succeeds. That is to say, if an eavesdropper impersonates Alice in the authentication process, he or she will destroy the authentication key though he is sure to be found. So the authentication key is no longer valid. The two parties have to rebuild their key after an eavesdropper’s attack. Similarly if there are some errors in the transmission of the auxiliary qubits although no eavesdropper exists, the authentication key is destroyed, too. These problems are limits to our protocol. They may be solved by error-checking code in the authentication scheme. We will discuss it in future work. We provide a quantum authentication scheme using EPR pairs as the authentication key. The two parties create auxiliary qubits to interact with the key. At last one party verify the identity of the other through measuring the qubits. The protocol is proved to be secure. No one without the authentication key can pass the authentication. There is no classical information exchange needed in the authentication process. When the authentication is successfully completed, the authentication key is unchanged. So it can be reused. Acknowledgements: This work is supported by the National Natural Science Foundation of China 60496324( NSFC Major Research Program 60496324 ); the National Natural Science Foundation of China (Grants 60402016). We would thank Ruqian Lu for directing us into this research. References: [1] C. H. Bennet and G. Brassard. Quantum cryptography: Public-key distribution and tossing. In: Proceedings of IEEE International conference on Computers, Systems and Signal Processing, Bangalore, India, , IEEE Press, 1984, pp.175. [2] A. K. Ekert, Quantum cryptography based on Bell’s theorem, Physical Review Letters, 67, 1991, pp.661-663. [3] C. H. Bennett, G. Brassard and N. D. Mermin, Quantum cryptography without Bell’s theorem, Physical Review Letters, 68, 1992, pp.557-559. [4] H. K. Lo and H. F. Chau, Unconditional Security of Quantum Key Distribution over arbitrarily long distances, Science, 283, 1999, pp.20502056. [5] A. Cabello, Quantum Key Distribution in the Holevo Limit. Physical Review Letters, 85, 2000, pp.5635-5638. [6] P. Xue, C. F. Li and G. C. Guo, Efficient quantum-key-distribution scheme with nonmX-
[7]
[8] [9]
[10]
[11]
imally entangled states, Physical Review A, 64, 2001, 032305. R. Cleve, D. Gottesman, and H.-K. Lo, How to Share a Quantum Secret, Physical Review Letters, 83, 1999, pp.648-651. D. Gottesman, Theory of quantum secret sharing, Physical Review A, 61, 2000, 042311. M. Hillery, V. Buzek and A. Berthiasiaume, Quantum secret sharing, Physical Review A, 59, 1999, pp.1829-1834. H.-k. Lo, H. F. Chau, Why quantum bit commitment and ideal quantum coin tossing are impossible, Physica D, 120, 1998, pp.177-187. A. Kent, Coin Tossing is Strictly Weaker than Bit Commitment, Physical Review Letters, 83, 1999, pp.5382-5384.
[12] B. M. Terhal, D. P. DiVincenzo and D. W. Leung. Hiding Bits in Bell States. Physical Review Letters, 2001, 86: 5807-5810. [13] D. P. DiVicenzo, D. W. Leung, and B. M. Terhal, Quantum data hiding, IEEE Transactions on Information Theory Vol.48(2002) No.3 580-599. [14] T. Eggeling and R. F. Werner, Hiding Classical Data in Multipartite Quantum States, Phys. Rev. Lett. 89(2002) 097905. [15] B. Schumacher, Quantum Privacy and Quantum Coherence, Physical Review Letters, 80, 1998, pp.5695-5697. [16] C.H.Bennett, F.Bessette, G.Brassard, L.Salvail and J.Smolin, Experimental quantum cryptography, Journal of Cryptology, 5, No.1, 1992, pp.328. [17] T. Kimura, Y. Nambu, T. Hatanaka, A. Tomita, H. Kosaka and K, Nakamura. Singlephoton interference over 150-km transmission using silica-based integrated-optic interferometers for quantum cryptography, eprints: quantph/0403104. [18] W. T. Buttler et al., Practical Free-Space Quantum Key Distribution over 1 km , Physical Review Letters, 81, 1998, pp.3283-3286. [19] G. Zeng and W. Zhang, Identity verification in quantum key distribution, Physical Review A, 61, 2000, 022303. [20] H. Barnum, Quantum secure identification using entanglement and catalysis”, e-prints: quantph/9910072. [21] J. G. Jensen and R. Schack, Quantum authentication and key distribution using catalysis, eprints: quant-ph/0003104.
Proceedings of the 5th WSEAS International Conference on Applied Computer Science, Hangzhou, China, April 16-18, 2006 (pp1004-1009)
[22] Y. S. Zhang, C. F. Li, and G. C. Guo, Quantum authentication using entangled state, e-prints: quant-ph/0008044. [23] D. Ljunggren, M. Bourennane and Anders Karlsson, Authority-based user authentication in quantum key distribution, Physical Review A, 62, 2000, 022305. [24] Xiaoyu Li and H. Branum, Quanum authencation using entangled states. International Journal of Foundation of Computer Science, 15 (4), 2004, pp.609-617. [25] H. Barnum, C. Cr´epeau, D. Gottesman, A. Smith and A, Tapp, Authentication of Quantum Messages, Proceedings of the 43rd annual IEEE Symposium on the Foundations of Computer Science (FOCS’02), 2002, pp. 449–458. [26] D. R. Kuhn, A hybrid authentication protocol using quantum entanglement and symmetric cryprography, e-prints: quant-ph/0301150. [27] Y.H. Kim, S. P. Kulik and Y. Shih, Quantum Teleportation of a Polarization State with a Complete Bell State Measurement, Physical Review Letters, 86, 2001, pp.1370-1373. [28] C. Cinelli, M. Barbieri, F. De Martini and P. Mataloni, Realization of Hyperentangled TwoPhoton States, International Journal of Laser Physics, 15(1), 2005, pp.124-128
