Quantum identity authentication based on ping-pong ... - Springer Link

Quantum Inf Process (2014) 13:2535–2549 DOI 10.1007/s11128-014-0808-9

Quantum identity authentication based on ping-pong technique without entanglements Hao Yuan · Yi-min Liu · Guo-zhu Pan · Gang Zhang · Jun Zhou · Zhan-jun Zhang

Received: 17 September 2013 / Accepted: 4 August 2014 / Published online: 22 August 2014 © Springer Science+Business Media New York 2014

Abstract A quantum identity authentication scheme based on ping-pong technique without entanglements is proposed. It can verify the legitimate user’s identity and update the initial authentication key for reuse. The security of the proposed scheme is extensively analyzed and accordingly confirmed in the case of general individual attacks. The present scheme owns high efficiency due to the use of single-particle states in a two-way quantum channel. Moreover, the scheme is economical and feasible with present-day technique. Keywords Quantum identity authentication · Ping-pong technique · Single-particle state 1 Introduction With the development of modern society, electronic communications become more and more frequent in our everyday life, such as shopping over the Internet, drawing money from automated teller machines, transacting finance between different banks, and transmitting personal (or commercial, governmental, military and diplomatic) E-mail in network. In all these instances, to guard other one against impersonating the

H. Yuan (B) · G. Pan · G. Zhang · J. Zhou Department of Material and Chemical Engineering, West Anhui University, Lu’an 237012, China e-mail: [email protected] Y. Liu Department of Physics, Shaoguan University, Shaoguan 512005, China Z. Zhang School of Physics and Material Science, Anhui University, Hefei 230039, China e-mail: [email protected]

123

2536

H. Yuan et al.

legitimate users to implement the communication, identity of communication users are necessarily authenticated. Classical identification generally employs secret key as password to ensure security. However, the existing classical identification schemes merely rely on the complexity of mathematical algorithms. Therefore, theoretically speaking, they are not absolutely secure, which makes accidentally merchant, bank or individual lose money and government, military leak intelligence. Furthermore, the potential powerful quantum commuter poses a serious menace to security of classical identification schemes. With its unconditional security, quantum identity authentication (QIA) has become a research focus and may be put into real-life use around the corner in the foreseeable further. In 1995, Crepeau ´ et al. [1] first proposed a QIA scheme, which is based on quantum oblivious transfer [2]. Unfortunately, quantum oblivious transfer has been proved insecure against the so-called collective attacks by Mayers [3]. In 1999, Duˇs ek et al. [4] presented a secure identity authentication proposal by combining a classical identification procedure and quantum key distribution. Nonetheless, strictly speaking, the proposal is not a pure QIA scheme. In 2000, Zeng et al. [5] put forward a quantum key verification scheme by utilizing Einstein–Podolsky–Rosen (EPR) pairs and Bell theory. In the same year, Ljunggren et al. [6] presented some user authentication protocols by introducing a third-party trusted authority. In 2002, Mihara [7] gave three quantum identification schemes by using entangled state and unitary operation. In 2005, Zhou et al. [8] offered a cross-center quantum identification scheme based on teleportation and entanglement swapping in quantum optics. In 2006, taking advantage of the correlation of GHZ states, Lee et al. [9] proposed two protocols of quantum direct communication schemes with authentication. However, in 2007, Zhang et al. [10] has revealed that Lee et al’s protocols are insecure in the case that the authenticator is required to be prevented from knowing the secret message in priori. They have modified Lee et al’s two protocols such the protocol securities are assured. Nonetheless, neither in the two original protocols nor in their modified versions, the authentication key cannot be reused. So far, more and more QIA schemes [1–21] have been presented. It should be mentioned, by employing properties of multipartite entangled states and quantum controlled-NOT gate, Zhang et al. [11] proposed a QIA protocol (referred to as ZZZX QIA protocol hereafter) based on ping-pong technique. The distinct advantage of the ZZZX QIA protocol is that the authentication key can be updated for reuse. Incidentally, the so-called ping-pong technique in quantum cryptography was first proposed by Bostrom ¨ and Felbinger [22] in 2002 using entanglement, and it has attracted much attention [23–26] over the last several years and become mature so far. In this paper, we will propose a QIA scheme also based on the ping-pong technique. However, it is worthy to emphasize that in our scheme, we will use single-particle states and the single-qubit operation instead of the multipartite entangled states and the two-qubit controlled-NOT gate operation in the ZZZX QIA scheme. Such replacements will make our scheme much simpler and more feasible. Comparing with the existing QIA schemes, the present scheme has three distinct advantages: One is consuming lesser quantum resource and no classical information while obtaining maximum capacity and efficiency; the second is only single-particle operations or measurements are used in the present scheme, which is more feasible with the present-day technique; the third

123

Quantum identity authentication

2537

is verifying the legitimate user’s identity at the same time updating the authentication key to use in the next communication. The present paper is outlined as follows. In Sect. 2, we will propose a QIA scheme via the ping-pong technique without entanglement (i.e., utilizing single-particle states as quantum channel). In Sect. 3, we will extensively analyze the security of our scheme with respect to various attack strategies. The influences of imperfect quantum channel are briefly discussed in Sect. 4. Finally, in Sect. 5, we will make a brief summary.

2 The QIA scheme based on ping-pong technique without entanglements In our scheme, the QIA system consists of two parties, say Alice and Bob. Alice is assumed to be a reliable certification authority (CA), while Bob is a common user. To prevent the eavesdropper Eve extracting some useful secret message by impersonating the legitimate user, Bob’s identity needs to be verified when he communicates with Alice, or logins in a network where Alice is the authentication center. Moreover, the authentication key needs to be updated for reuse after the identity verification. Suppose Alice and Bob have in prior shared a binary key K = {k1 , k2 , . . . , k2n } as the authentication key. The following four-step scheme can achieve the goal of simultaneously updating the authentication key and verifying the user’s identity. (S1)CA’s preparation Alice prepares an ordered n-particle sequence. For each particle in the sequence, its state to be prepared is not completely random but partially determined by the value of a corresponding bit in the authentication key. For the i-th particle, its corresponding bit is k2i (1 ≤ i ≤ n). If k2i = 0, it is prepared either in the state |0 or in the state |1. Otherwise, k2i = 1 and accordingly it is prepared either in the state |+ or in the state |−. Here |0 and |1 are the eigenstates of Sˆz , and |+ and |− are the eigenstates of Sˆx . Note that Alice knows exactly the state of each particle. After the preparations, Alice sends the particle sequence to the user Bob. (S2)User’s encode After receiving the particle sequence, Bob performs either the unitary operation I = |00| + |11| or U = iσ y = |01| − |10| on each particle in terms of his authentication key. That is, for the i-th (1 ≤ i ≤ n) particle, if k2i−1 ⊕ k2i = 0, then Bob performs the operation I on it. Otherwise, k2i−1 ⊕ k2i = 1 and consequently he executes the operation U . Here the symbol ⊕ represents modular 2 plus. Incidentally, the nice feature of the U operation is that it flips the state in each one of the two measuring bases sets Z = {|0, |1} and X = {|+, |−}, i.e., U |0 = −|1, U |1 = |0, U |+ = |− and U |− = −|+. (S3)User’s update After encode, Bob starts to update the authentication key.  }. For each bit k  (1 ≤ i ≤ n), Denote the updated key as K  = {k1 , k2 , . . . , k2n 2i it is determined in the following way. If k2i = 0, Bob measures the i-th particle in the Z basis. Otherwise, k2i = 1 and then Bob measures the i-th particle in the X  is 0. Otherwise, basis. If Bob’s measurement result is |0 or |+, then the value of k2i   Bob’s measurement result is |1 or |− and then the value of k2i is 1. The bit k2i−1   is determined by k2i−1 = k2i−1 ⊕ k2i ⊕ k2i . After above operations, Bob returns the ordered n-particle sequence to Alice. (S4)CA’s verification and extraction Having received the particle sequence sent by Bob, Alice can deterministically decode Bob’s secret authentication information

123

2538

H. Yuan et al.

by orderly measuring each particle in the corresponding measuring basis. The choice of the measuring basis for each particle is completely the same as that described in  (1 ≤ i ≤ n) in the updated (S3). The measurement outcomes correspond to the bits k2i key. As mentioned in (S1), Alice knows exactly the initial state of each particle. Moreover, since Bob’s operations are determined by the authentication key, Alice can infer whether the user is the legitimate one. If it is, then Alice can successfully update the authentication key for reuse. So far, we have expatiated a scheme for implementing QIA without making use of entanglements. Obviously, the proposed QIA scheme can simultaneously update the legitimate user Bob’s authentication key and verify his identity. 3 Security analyses The eavesdropper Eve can access quantum channel and might execute her evil action by manipulating it. To pass the identity authentication, she might attack the particle during its transmission in quantum channel. Here, we mainly consider two classes of individual attack strategies, i.e., the no-authentication key attack and the authentication key attack. 3.1 No-authentication key attack The no-authentication key attack is the simplest type of attack. Under this attack, Eve tries to impersonate the legitimate user Bob throughout. Explicitly, when Alice sends the traveling particle t to Bob, Eve captures it first. Then, she performs a unitary operation Ute on the traveling particle t and her auxiliary particle e (prepared, say, in the state |χ e ). Given the particle t is in the state | jt with j ∈ {|0, |1, |+, |−}, the action of the unitary operation Ute may be described as follows, Ute | jt χe  → α j | jt je  + β j | j¯t je  + γ j | jt j¯e  + δ j | j¯t j¯e ,

(1)

where the coefficients α j , β j , γ j and δ j are complex and satisfy |α j |2 + |β j |2 | + |γ j |2 + |δ j |2 = 1, the subscripts t and e refer, respectively, to the traveling particle ¯ = 0. Eve keeps the traveling particle t and and Eve’s auxiliary particle, and  j| j sends her auxiliary particle e to Alice. When receiving the particle e, Alice cannot know it comes actually from a forger and accordingly mistakes it as the particle t. As a consequence, she will follow the procedure explained in the preceding section. That is, if the traveling particle t is prepared in the state |0 or |1 at the beginning, now Alice measures the received particle e in the Z basis. Otherwise, the initial state of the traveling particle t is |+ or |−. In this case, Alice measures the received particle e in the X basis. According to the Eq. (1), one can see that, the measurement outcomes ¯ The former occurs with probability of |α j |2 + |β j |2 while should be either | j or | j. the latter with the probability of |γ j |2 + |δ j |2 . However, it should be noticed that, only one of the two measurement outcomes is legitimate. If k2i−1 ⊕ k2i = 0, the former is. Otherwise, the latter is. Therefore, with certain probability, Alice can judge whether the quantum channel is disturbed in terms of her measurement outcome. Alternatively,

123

Quantum identity authentication

2539

with certain probability, Eve’s attack can be detected. The detection probability of Eve’s attack is j (2) Pk2i−1 ⊕k2i =0 = |γ j |2 + |δ j |2 . in this situation of k2i−1 ⊕ k2i = 0, or j

Pk2i−1 ⊕k2i =1 = |α j |2 + |β j |2 ,

(3)

in the situation of k2i−1 ⊕ k2i = 1. Note that, with equal probability 1/2, the value of k2i−1 ⊕ k2i is 0 or 1, and with equal probability 1/4, the traveling particle t is initially prepared in the state |0, |1, |+ or |−. Therefore, the total detection probability for each communication is Pd =

1 1 j 1 j (Pk2i−1 ⊕k2i =0 + Pk2i−1 ⊕k2i =1 ) = (Pk2i−1 ⊕k2i =0 + Pk2i−1 ⊕k2i =1 ) = . 2 8 2 j

(4) This indicates that the proposed scheme is unconditionally secure under the noauthentication attack strategy. 3.2 Authentication key attack Compared with the no-authentication key attack, the authentication key attack is more severe and subtle. Instead of completely impersonating the legitimate user Bob, under the authentication key attack, Eve attacks the quantum channel to only try to extract some useful information on the authentication key, then she uses the eavesdropped key to pass the CA’s identity authentication. Incidently, using this class of attack strategy, if Eve can successfully eavesdrop the original authentication key even if her eavesdropping action will be detected finally, or can successfully eavesdrop the updated authentication key without emerging her eavesdropping action, then her eavesdropping action is completely successful. These attacks can be divided into three types, i.e., the measure-resend attack, the intercept-resend attack, and the entangle-measure attack. As a matter of fact, our present scheme is immune to the types of attacks mentioned above. This can be concluded from the following detailed analyses. 3.2.1 Intercept-resend attack strategy on channel particles In this attack, Eve may first prepare her own ordered n-particle sequence (called the fake particle sequence). For each particle in the sequence, its state is prepared completely randomly in one of the four states {|0, |1, |+, |−}. Note that, Eve knows exactly the state of each particle. When CA’s n-particle sequence (called the real particle sequence) is traveling from Alice to Bob, Eve intercepts and stores it. Then, she sends the fake particle sequence to Bob. When Bob returns the particle sequence to Alice after his encode and update, Eve intercepts it. She orderly measures each particle by using the measuring basis which the initial state of the particle belongs to. Through such measurements, Eve wants to infer Bob’s encodes on the fake particles.

123

2540

H. Yuan et al.

If she succeeds, then she can perform the same unitary operations as Bob used on the real particle sequence and then sends it to Alice. By doing so, Eve can extract useful information on the authentication key and sequentially passes Alice’s identity authentication. Unfortunately, it is Alice who prepares each traveling particle, the basis (i.e., X or Z) Alice used to prepare the particle state is completely determined by the value of k2i and unknown for Eve. Therefore, the probability of Eve’s fake particles in the correct bases is only 50 %. That is, there is still 50 % probability that Eve prepares her fake particles in the wrong bases. In this case, Eve’s evil action can be found. Thus, it is only with probability of 50 % that Eve can successfully gain Bob’s encoding operation and with probability of 50 % that she can be detected. Consequently, for each communication run, the average probability that Eve’s this attack can be detected is 25 % = (0 + 1/2)/2. 3.2.2 Measure-resend attack strategy on channel particles To gain the two bits k2i−1 k2i (1 ≤ i ≤ n) of the authentication key, Eve intercepts the i-th traveling particle in the line A → B and measures it to try to extract the bit k2i . Then she resends the particle to Bob. During the transmission in the line B → A after Bob’s encode and update, Eve intercepts the traveling particle again and measures it using the same measuring basis as the first measurement used and then resends it to Alice. By comparing the first measurement result with the second one, Eve tries to infer Bob’s operation. According to the value of the bit k2i and Bob’s operation, Eve can deduce the value of the first bit k2i−1 . However, our scheme can prevent such attack. In our scheme, the traveling particle prepared by Alice may be in one of the four states |0, |1, |+ and |−. They are not all mutually orthogonal. Therefore, during the ping process, Eve cannot acquire the initial state of the particle with certainty via her measurement. Alternatively, Eve cannot obtain the certain information about the bit k2i . As the above mentioned, to obtain Bob’s operation, Eve performs a same measurement again on the traveling particle during the pong processes. Without any prior knowledge of Alice’s preparation, she may choose the measuring basis from X and Z at random. With 50 % probability, Eve may correctly select the measuring basis which Alice uses to prepare the initial state. In this case, she will not be detected at all and can distill full of Bob’s encoding operation. If otherwise Eve chooses the wrong measuring basis, she has 50 % probability to extract Bob’s encoding operation. However, there is still 50 % probability that Eve will be found by Alice. Hence, by using such attack strategy, the average possibility that Eve can successfully guess Bob’s unitary operation is 75 %, corresponding to the probability of being detected is 25 %. To be explicit, let us show an example. Suppose the two bits k2i−1 k2i of the authentication key is 11 and the i-th traveling particle prepared by Alice is in the state |+. If Eve guesses the bit k2i is 1 and measures the intercepted traveling particle in the X basis, her measurement result is undoubtedly |+. Then Eve resends the particle to Bob. Bob receives the particle and performs I operation on it, then measures it using the X basis and then resends it to Alice. Eve intercepts the particle during its transmission and then measures it in the X basis again. Eve’s measurement result is certainly |+ and resends it to Alice. In this case, Eve not only gets the two bits k2i−1 k2i of the

123

Quantum identity authentication

2541

authentication key but also passes Alice’s identity authentication. Otherwise, if Eve guesses the bit k2i is 0 and measures the intercepted traveling particle in the Z basis, the state of the particle collapses to |0 or |1 each with probability 1/2. Then she resends the particle to Bob. After receiving the particle, Bob performs the operation I on it and then uses the X basis to measure it. Whether the particle received from Eve is in the state |0 or |1, Bob’s measurement result is |+ or |− each with probability 1/2. After the measurement, Bob resends the particle to Alice. During its transmission, Eve intercepts it and measures it in the Z basis again. With probability 1/2, Eve gets the measurement result |0 and she can correctly obtain Bob’s operation is I . She deduces the two bits k2i−1 k2i of the authentication key is 00. At the same time, with probability 1/2, Eve gets the measurement result |1 and she will wrongly consider Bob’s operation is U . She deduces the two bits k2i−1 k2i of the authentication key is 10. Subsequently, Eve resends the particle to Alice. When Alice receives the particle, she uses the X basis to measure it. Alice’s measurement result is |+ with probability 1/2, and in this situation, Eve can pass Alice’s identity authentication. However, Alice’s measurement result is |− with probability 1/2 too, and in this situation, Eve’s attack can be detected by Alice. 3.2.3 Entangle-measure attack strategy on two-way channel In this kind of attack, Eve may make use of two ancillas (called ancilla ε and ancilla η) on both forward path and backward path to disturb the quantum channel. That is, when the traveling particle is sent from Alice to Bob, Eve intercepts it and performs an operation ξ1 on both traveling particle and the ancilla ε and then lets the traveling particle go on its way. Subsequently, after Bob’s encoding operation and measurement, Eve intercepts the encoded particle and performs another operation ξ2 on the encoded particle and the ancilla η. At the end of transmission, Eve measures his ancillary states ε and η. By comparing the first with the second measurement results, she tries to extract some useful information on the two-bit key. In the following, we discuss such attack with the aim of finding Eve’s optimal eavesdropping strategy, i.e., recover parameter’s values that maximize Eve’s information on the two-bit key and the probability for Eve successfully getting the authentication key minimizing the possibility of detecting Eve. Given CA’s different initial states and Eve’s ancillary states ε, the most general operation ξ1 on the traveling particle can be written as √ √ |0|ε → F|0|ε00  + D|1|ε01 , √ √ |1|ε → D|0|ε10  + F|1|ε11 , √ √ √ √ 1 |+|ε → |+( F|ε00  + D|ε10  + D|ε01  + F|ε11 ) 2 √ √ √ √ 1 + |−( F|ε00  + D|ε10  − D|ε01  − F|ε11 ), 2 √ √ √ √ 1 |−|ε → |+( F|ε00  − D|ε10  + D|ε01  − F|ε11 ) 2 √ √ √ √ 1 + |−( F|ε00  − D|ε10  − D|ε01  + F|ε11 ). 2

(5)

123

2542

H. Yuan et al.

Similarly, Eve’s attack operation ξ2 on the encoded particle can be described as √ √ |0|η → F  |0|η00  + D  |1|η01 , √ √ |1|η → D  |0|η10  + F  |1|η11 , √ √ √ √ 1 |+|η → |+( F  |η00  + D  |η10  + D  |η01  + F  |η11 ) 2 √ √ √ √ 1 + |−( F  |η00  + D  |η10  − D  |η01  − F  |η11 ), 2 √ √ √ √ 1 |−|η → |+( F  |η11  − D  |η10  + D  |η01  − F  |η11 ) 2 √ √ √ √ 1 + |−( F  |η00  − D  |η10  − D  |η01  + F  |η11 ). 2

(6)

To make the operations ξ1 and ξ2 unitary, Eqs. (5) and (6) must satisfy the following conditions: D + F = 1 = D + F , ε00 |ε10  + ε01 |ε11  = 0 = η00 |η10  + η01 |η11 .

(7)

Here, to simplify the discussion, we can set ε00 |ε01  = ε10 |ε11  = ε00 |ε10  = ε01 |ε11  = 0 and η00 |η01  = η10 |η11  = η00 |η10  = η01 |η11  = 0. Let us emphasize that under such simplification, the most representative states are preserved after the operations ξ1 and ξ2 ; therefore, its consequences are quite general. As for the nonorthogonal states, we define ε00 |ε11  = cos x, ε01 |ε10  = cos y, η00 |η11  = cos x  and η01 |η10  = cos y  with 0 ≤ x, y, x  , y  ≤ π2 . Employing transformations (5) and (6) and conditions (7), we can calculate the probability of detecting Eve. Suppose the secret two-bit key k2i−1 k2i = 00, according to the procedure of our scheme, Alice prepares the traveling particle randomly in one of the two states |0 and |1, and Bob’s encoding operation is I . First, let consider the initial state of the traveling particle is |0, and in this case, CA’s decoding can be expressed as √ √ 00  = E 2 {I [E 1 (|0|ε)]|η} = F F  |0t ε00 η00  + F D  |1t ε00 η01  |ψ|0 t √ √ + D D  |0t ε01 η10  + D F  |1t ε01 η11 . (8) From Eq. (8) one can see, Eve will be detected if CA’s decoded measurement result is not |0, corresponding to the probability of Eve’s such attack can be detected is 00 Pd (|ψ|0 ) = F D  + D F  . t

(9)

Similarly, assume the initial state of the traveling particle is |1, and in this case, CA’s decoding can be expressed as √ 00 |ψ|1  = E 2 {I [E 1 (|1|ε)]|η} = D F  |0t ε00 η00  + t √ √ + F D  |0t ε01 η10  + F F  |1t ε01 η11 .

123

√

D D  |1t ε00 η01  (10)

Quantum identity authentication

2543

From Eq. (10) one can find, Eve will be detected if the state of encoded traveling particle is not |1, leading to the probability of detecting Eve is 00 Pd (|ψ|1 ) = D F  + F D  . t

(11)

Since Alice randomly chooses the two states |0 and |1 with equal possibility, the average probability of Eve’s attack can be detected when k2i−1 k2i = 00 is given by Pd (k2i−1 = 0) = F D  + D F  .

(12)

Further calculations show the detection probability also satisfies Eq. (12) when k2i−1 k2i = 01. In the same way, we obtain the probability of detecting Eve when k2i−1 k2i = 10 or 11, which is found to be Pd (k2i−1 = 1) 1 = (1 − D D  cos y cos y  − D F  cos y cos x  2 −F D  cos x cos y  − F F  cos x cos x  ).

(13)

Combining Eqs. (12) and (13) gives the average detection probability over all CA’s initial states, 1 [Pd (2i − 1 = 0) + Pd (2i − 1 = 1)] 2 1 = (1 + 2F D  + 2D F  − D D  cos y cos y  − D F  cos y cos x  4 − F D  cos x cos y  − F F  cos x cos x  ).

Pd =

(14)

For those given parameters x, x  , y, and y  , the detection probability Pd takes the minimum (denoted d) in the condition of F = F  = 1, d ≡ minPd =

1 (1 − cos x cos x  ). 4

(15)

Above equation shows the value of d is only relative to x and x  . Note that the information that Eve can distill from his measurement result is somewhat related to the degree of orthogonality she imposes on her ancillae, the more orthogonal they are, the higher is the information achieved [27]. For the optimal Eve incoherent attack consists in a balanced one, we set x = x  , in this case Eq. (15) can be therefore rewritten as d=

1 (1 − cos2 x). 4

(16)

Obviously, when x = π/2, the value of d takes maximum 1/4, corresponding, as we will see, to Eve’s maximum information.

123

2544

H. Yuan et al.

As an eavesdropper, Eve wants to maximize the mutual information on the two-bit key while minimize the possibility of being detected. Now, we investigate the relationship between Eve’s extracting information on the two-bit key and the possibility of detecting Eve. Eve’s attack strategy E is composed by her operations at position ξ1 and ξ2 , and therefore, Eve’s information on the two-bit key K under the strategy E can be calculated by I (K ; E) ≡

 k,ξ

p(k, ξ ) log2

p(k, ξ ) , p(k) p(ξ )

(17)

where k is the two-bit key, i.e., k ∈ {00, 01, 10, 11}, ξ is the joint measurement results of Eve at the positions ξ1 and ξ2 , i.e., ξ = εi j ημν with i, j, μ, ν ∈ {0, 1}, p(k, ξ ) is the joint probability distribution of k and ξ , and p(k) and p(ξ ) are the marginal probability distribution of k and ξ , respectively. Next, let us calculate the mutual information I (K ; E). In the above Eq. (17), p(00) = p(01) = p(10) = p(11) = 1/4 obviously, and p(k, ξ ) = p(k) p(ξ |k) = 1 4 p(ξ |k), where p(ξ |k) is the probability distribution of ξ when k is known to be a particular value. Here, let us show an example of how to calculate the conditional probability p(ξ |k). Without loss of generality, assume k = 00 and ξ = ε00 η00 . As we have seen, if and only if the detection probability satisfies Eq. (17), Eve’s strategy is optimal. In this case, the condition F = F  = 1 applies. According to Eqs. (5) and (6), if CA’s initial state is |0, then Eve’s measurement outcomes should be ε00 η00 . Otherwise, if CA’s initial state is |1, then Eve’s measurement outcomes should be ε11 η11 . Therefore, considering the initial states may be |0 or |1 with equal probability, CA’s decoding can be described by 1 |ψ 00  = √ (|0t ε00 η00  + |1t ε11 η11 ). 2

(18)

It is should mentioned that the probability to correctly distinguish two states with overlap cos x is (1 + sin x)/2 under the optimal measurement [28]. In addition, from Eq. (18), one can find if Eve mistakes to identify one of her ancillas (i.e., ε state or η state), then she will guess wrong Bob’s operation. Nevertheless, if she mistakes twice, then she can guess right Bob’s operation. Thus, the conditional probability can be given as p(ε00 η00 |00) = (1 + sin x)/4, and we therefore obtain P(00, ε00 η00 ) = P(00)P(ε00 η00 |00) =

1 + sin x . 16

(19)

Similarly, Eve’s measurement outcome is either ε00 η00 or ε11 η11 when k=01, and one of two possible outcomes ε00 η11 and ε11 η00 when k = 10, 11. In the same way, the other joint probabilities can be calculated. Further calculations show p(ε00 η00 ) = p(ε00 η11 ) = p(ε11 η00 ) = p(ε11 η11 ) = 1/4. Thus, Eve’s extracting information on the two-bit key under the attack strategy E is given by I =

123

1 [(1 + sin x) log2 (1 + sin x) + (1 − sin x) log2 (1 − sin x)]. 2

(20)

Quantum identity authentication

2545

Fig. 1 The relationship between d and I

√ From Eq. (16), we obtain sin x = 2 d, therefore, the above equation can be reexpressed as I =

√ √ √ √ 1 [(1 + 2 d) log2 (1 + 2 d) + (1 − 2 d) log2 (1 − 2 d)]. 2

(21)

Equation (21) shows that I is a strict monotonic increasing function of d, where d is a probability in the range 0–0.25. The function is depicted in Fig. 1, from which we can see the more information Eve wants to extract from the two-bit key, the bigger Eve’s being detected probability becomes, and the maximal information Eve can get on the two-bit is 1 bit, corresponding to the probability of being detected is 25 %. Let us emphasize that I is only Eve’s extracting information from the two-bit key. Now, we discuss the possibility for Eve successfully eavesdropping the authentication key using such attack. As we have known, to acquire some useful information, Eve must measure both her ancillas, corresponding to the measurement outcomes εi j and ημν , with which Eve can successfully guess the two-bit key with a proper probability. For example, if the measurement outcome is ε00 η00 , Eve can guess the key to be one of 00 or 10 with equal probability. Given the probability c that Eve decides the key to be 00 and 1 − c to be 10, and consider the inconclusive measurement outcomes, then the probability of Eve’s successfully obtaining the authentication key is given by Ps =

√ (1 + sin x) 1 − c 1 + sin x 1+2 d (1 + sin x) c × + × = = . 2 2 2 2 4 4

(22)

Further calculations show the probability of Eve’s correctly guessing the authentication key also satisfies Eq. (22) when the measurement outcomes are the other cases (i.e., ε00 η11 , ε11 η00 , and ε11 η11 ). From above equation, we can see Ps is independent of the

123

2546

H. Yuan et al.

Fig. 2 The relationship between P and n for different detection probabilities d

parameter c at all. Thus, the possibility that Eve eavesdrops n bits of full information while without being detected reads as  P = [Ps (1 − d)]n/2 =

√ 1 (1 + 2 d)(1 − d) 4

n/2 (23)

The relationship between P, n, and d is depicted in Fig. 2 We can see obviously that P → 0 when n is larger, whatever the value of d is. To describe a reasonable scenario, we set d = 25 %, and in this case, Eve has a probability of about 1.97 % to successfully guess 1 byte (i.e., 8 bits) of authentication information and of about 0.04 % to eavesdrop 2 bytes. From the above analysis, one can see, although Eve can eavesdrop some information on the two-bit key, the information on the authentication key may be neglected. Furthermore, since a key updating project is proposed in our scheme, obviously, even if the attacker, Eve, has obtained the old key, she cannot obtain the new key (i.e., the updated key). 3.3 Efficiency It should be pointed out that each single-particle state in this scheme can carry two bits of information, two times of that in BB84 protocol [29] and three times of that in ZZZX protocol, and almost all the single-particle states are useful for carrying the authentication information in theory, the intrinsic efficiency for qubits ηq ≡ qqut approaches the maximal value 100 %. Here qu is useful qubits and qt is the total qubits transmitted. In the BB84 protocol, there are half of n qubits will be discarded as Bob’s random measurement on the received qubits and c qubits of n2 are employed for detecting Eve, i.e., qt = n and qu = n2 − c. Thus the intrinsic efficiency of BB84 is

123

Quantum identity authentication

2547

η B B84 = n−2c 2n < 50 %. While in the ZZZX protocol, Alice and Bob need not compare the encoding basis, but only c particles are employed to detect Eve, i.e., qt = n and qu = n − c, therefore, its intrinsic efficiency is η Z Z Z X = n−c n < 100 %. Obviously, comparisons with the BB84 protocol and ZZZX protocol, the proposed scheme is more efficient. Moreover, since only employing the single-particle state as quantum channel, the total efficiency (defined by Li. et al. [30]) of the present scheme also comes up to the max. About 100 %, more efficient than the previous QIA schemes. 4 Influences of imperfect quantum channel The above analysis is based on the ideal scenario and does not take into account the influences of imperfect quantum channel (i.e., the noisy channel and the lossy channel). However, in practice, the employed quantum channel is usually imperfect. In this case, fortunately, such scheme is also secure. The proofs for the security of the proposed QIA scheme in an imperfect quantum channel are similar to that of ZZZX protocol, as they are both based on ping-pong technique. Here, we do not discuss it. Next, we briefly describe the efficiency of transmission in a lossy channel. Assume the lossy coefficient of the employed quantum channel is ζ , i.e., if CA sends n particles to Bob, then Bob only receives nζ of them. Since in our scheme a qubit travels for a two-way channel, the total lossy coefficient should be ζ 2 . Therefore, the practical efficiency of proposed scheme reads as η = ηζ 2 = ζ 2 . For comparison, in BB84 protocol, suppose Alice sends n particles to Bob, Bob only gets nζ of them, and half of the received particles will be abandoned. Moreover, Alice and Bob will take nζ −2c  out c particles from nζ 2 to detect Eve. Therefore, we can get η B B84 = 2n . This entails that√the presented scheme is more efficient than BB84 given in the condition 2 of ζ > n+ n4n−16nc when c < n/16, or of c > n/16 whatever the ζ is. 5 Summary To summarize, we have explicitly presented a feasible QIA scheme based on singleparticle ping-pong technique. It can verify user’s identity as well as update the authentication key. The security of the proposed scheme has explicitly analyzed and confirmed against some types of individual attack strategies even if in an imperfect quantum channel. Comparing with the existing QIA protocols, the proposed scheme has three distinct advantages. First of all, only batches of polarized single-particles are enough for exploit, without making use of entanglements, which will greatly reduce the required qubits resources. Secondly, in the process of communication, the encoding and decoding of secret authentication information can be realized only by performing local unitary operations and single-particle measurement, rather than the multipartite joint measurement, which will simplify the devices of the users on the network. Finally, the classical information exchanged is unnecessary, which makes such QIA scheme more secure. Furthermore, the proposed scheme is efficient and suitable for experimental realization.

123

2548

H. Yuan et al.

Acknowledgments This work is supported by the Talent Project of the West AnHui University for Outstanding Youth under Grant No. 0044113017, the National Undergraduate Innovation and Entrepreneurship Training Program Project under Grant No. 201210376008, the Program for Excellent Talents at the University of Guangdong Province (Guangdong Teacher Letter [1010] No. 79), the 211 Project of Anhui University, the Key Project of Natural Science Fund in Anhui Province under Grant Nos. KJ2013A258 and KJ2013A261, the Anhui Provincial Natural Science Foundation under Nos. 1408085MA20 and 1408085QA13, the National Natural Science Foundation of China under Grant Nos. 10874122, 10975001, 51072002, 51272003, and 61375121.

References 1. Créau, C., Salvail, L.: Advances in Cryptology. In: Proceedings of Eurocrypt ’ 95, p. 133. Springer, Berlin (1995) 2. Bennett, C.H., Brassard, G., Créau, C., Skubiszewska, M.H.: Advances in Cryptology. In: Proceedings of Crypto ’ 91. Lecture Notes in Computer Science, vol. 576, p. 133. Springer, Berlin (1992) 3. Mayers, D.: The trouble with quantum bit commitment. e-print quant/9603015 (1996) 4. Dušek, M., Hadeˇrka, O., Hendrych, M., Myška, R.: Quantum identification system. Phys. Rev. A 60, 149 (1999) 5. Zeng, G., Zhang, W.: Identity verification in quantum key distribution. Phys. Rev. A 61, 022303 (2000) 6. Ljunggren, D., Bourennane, M., Karlsson, A.: Authority-based user authentication in quantum key distribution. Phys. Rev. A 62, 022305 (2000) 7. Mihara, T.: Quantum identification schemes with entanglements. Phys. Rev. A 65, 052326 (2002) 8. Zhou, N., Zeng, G.H., Zeng, W.J., Zhu, F.C.: Cross-center quantum identification scheme based on teleportation and entanglement swapping. Opt. Commun. 254, 380 (2005) 9. Lee, H., Lim, J., Yang, H.J.: Quantum direct communication with authentication. Phys. Rev. A 73, 042305 (2006) 10. Zhang, Z.J., Liu, J., Wang, D., Shi, S.H.: Comment on quantum direct communication with authentication. Phys. Rev. A 75, 026301 (2007) 11. Zhang, Z., Zeng, G., Zhou, N., Xiong, J.: Quantum identity authentication based on ping-pong technique for photons. Phys. Lett. A 356, 199 (2006) 12. Yen, C.A., Horng, S.J., Goan, H.S., Kao, T.W., Chou, Y.H.: Quantum direct communication with mutual authentication. Quantum Inf. Comput. 9, 376 (2009) 13. Liu, D., Pei, C.X., Quan, D.X., Zhao, N.: A new quantum secure direct communication scheme with authentication. Chin. Phys. Lett. 27, 050306 (2010) 14. Yang, J., Wang, C., Zhang, R.: Quantum secure direct communication with authentication expansion using single photons. Commun. Theor. Phys. 54, 829 (2010) 15. Tsai, C.W., Wei, T.S., Hwang, T.: One- way quantum authenticated secure communication using rotation operation. Commun. Theor. Phys. 56, 1023 (2011) 16. Sun, Z.W., Du, R.G., Long, D.Y.: Quantum secure direct communication with quantum identification. Int. J. Quantum Inf. 10, 125008 (2012) 17. Chang, Y., Zhang, S.B., Yan, L.L., Sheng, Z.: A multiparty controlled bidirectional quantum secure direct communication and authentication protocol based on EPR pairs. Chin. Phys. Lett. 30, 060301 (2013) 18. Yang, Y.G., Tian, J., Xia, J., Zhang, H.: Quantum authenticated direct communication using Bell states. Int. J. Theor. Phys. 52, 336 (2013) 19. Yu, C.H., Guo, G.D., Lin, S.: Quantum secure direct communication with authentication using two nonorthogonal states. Int. J. Theor. Phys. 52, 1937 (2013) 20. Yang, Y.G., Wang, H.Y., Jia, X., Zhang, H.: A quantum protocol for (t, n)-threshold identity authentication based on Greenberger–Horne–Zeilinger states. Int. J. Theor. Phys. 52, 524 (2013) 21. Lin, S., Huang, C., Liu, X.F.: Multi-user quantum key distribution based on Bell states with mutual authentication. Phys. Scr. 87, 035008 (2013) 22. Boström, K., Felbinger, T.: Deterministic secure direct communication using entanglement. Phys. Rev. Lett. 89, 187902 (2002) 23. Cai, Q.Y.: The “Ping-Pong” protocol can be attacked without eavesdropping. Phys. Rev. Lett. 91, 109801 (2003) 24. Cai, Q.Y., Li, B.W.: Improving the capacity of the Boström–Felbinger protocol. Phys. Rev. A 69, 054301 (2004)

123

Quantum identity authentication

2549

25. Wojcik, A.: Eavesdropping on the “ping-pong” quantum communication protocol. Phys. Rev. Lett. 90, 157901 (2003) 26. Cai, Q.Y.: Eavesdropping on the two-way quantum communication protocols with invisible photons. Phys. Lett. A 351, 23 (2006) 27. Lucamarini, M., Mancini, S.: Secure deterministic communication without entanglement. Phys. Rev. Lett. 94, 140501 (2005) 28. Gisin, N., Ribordy, G., Tittel, W., Zbinden, H.: Quantum cryptography. Rev. Mod. Phys. 74, 145 (2002) 29. Bennett, C.H., Brassard, G.: Quantum cryptography: public key distribution and coin tossing. In: International Conference of Computers in Systems and Signal Processing, Dec 1984, Bangalore, India (IEEE, New York 1984), p. 175 (1984) 30. Li, X.H., Deng, F.G., Li, C.Y., Liang, Y.J., Zhou, P., Zhou, H.Y.: Deterministic secure quantum communication without maximally entangled states. J. Kerean Phys. Soc. 49, 1354 (2006)

123