IEEE COMMUNICATIONS LETTERS, VOL. 20, NO. 7, JULY 2016
1369
Quantum Network Coding Against Pollution Attacks Tao Shang, Member, IEEE, Zhuang Pei, Xiao-Jie Zhao, and Jian-Wei Liu Abstract— Quantum network coding is vulnerable to pollution attacks, especially when using classical channel as auxiliary resource. On this basis, this letter proposes a secure quantum network coding scheme against pollution attacks. The scheme uses quantum homomorphic signature for the efficient authentication of different data sources so as to detect pollution attacks in the butterfly network. Furthermore, with the help of trusted intermediate nodes, it can locate a corrupt data source. Analysis results show that the proposed quantum network coding scheme can defend against pollution attacks with high fidelity, fewer resource consumption, and lower rate region. Index Terms— Quantum network coding, quantum homomorphic signature, pollution attacks, data source authentication.
I. I NTRODUCTION
N
ETWORK coding [1] has been introduced into quantum network for its good potential to improve network transmission efficiency. Since Hayashi et al. proposed the quantum network coding protocol for crossing two qubits (also known as “XQQ”) [2] and the quantum network coding scheme with prior entanglement [3], many quantum network coding schemes have been proposed [4]–[9]. As we know, the security of quantum communication is assured by physical principles of Heisenberg uncertainty principle and quantum no-cloning theorem. However, with the study of quantum cryptography, quite a few effective attack strategies have been proposed, such as intercept-resend attack, entanglement-swapping attack, teleportation attack, etc. Until now, the security mechanism for quantum network coding is still very few. Due to the encoding characteristics, quantum network coding suffers from pollution attacks like classical network coding. If an attacker injects a corrupt packet at upstream nodes, all packets of downstream nodes will be polluted for reason of encoding. For example, in Hayashi’s scheme with prior entanglement [3], attackers can easily wiretap and falsify packets to realize pollution attacks and prevent message recovery. As shown in Figure 1, an attacker can tamper the packet X 2 over the classical channel D2 between A2 and M1 . As a result, B1 and B2 cannot decode the original states correctly. Hence it is necessary to verify the identity of data source to defend against such attacks. Manuscript received January 28, 2016; revised March 24, 2016; accepted April 30, 2016. Date of publication May 6, 2016; date of current version July 8, 2016. This work was supported by the National Natural Science Foundation of China (No.61571024, 61272501), the National Basic Research Program of China (No.2012CB315905) and the Research Promotion Grants for KUT-SSP. The associate editor coordinating the review of this letter and approving it for publication was X. Zhou. T. Shang, X.-J. Zhao, and J.-W. Liu are with the School of Electronic and Information Engineering, Beihang University, Beijing 100191, China (e-mail:
[email protected];
[email protected]; liujianwei@ buaa.edu.cn). Z. Pei is with the Sino-French Engineer School, Beihang University, Beijing 100191, China (e-mail:
[email protected]). Digital Object Identifier 10.1109/LCOMM.2016.2564378
Fig. 1.
Pollution attack for Hayashi’s scheme with prior entanglement.
As homomorphic signature scheme can authenticate data source and allows intermediate nodes to generate a new signature by directly manipulating original signatures without encryption operation, it is widely applied in classical network coding to defend against pollution attacks. If quantum homomorphic signature scheme is feasible in quantum network coding, it will be very helpful to enhance the security of quantum network communication, beyond quantum network coding. Recently, the quantum homomorphic signature scheme has been proposed [11]. By introducing quantum homomorphic signature into the typical quantum network coding scheme with prior entanglement, we design a secure quantum network coding scheme against pollution attacks. The main contributions of our work are: (1) The first quantum network coding scheme against pollution attacks is proposed. The derived properties indicate our scheme can detect pollution attacks and even locate a corrupt data source with the information of trusted intermediate nodes. (2) Signature copy problem for multiple verification is well solved. With signature copy operation, a node can perfectly copy multiple signatures according to the number of next-hops, which will not be restricted by quantum no-cloning theorem. II. R ELATED W ORKS By creatively treating entanglement swapping as a quantum homomorphic operation, Shang et al. [11] proposed the first quantum homomorphic signature scheme. As shown in Figure 2, A1 and A2 are signers, M1 is an aggregator who generates a new homomorphic signature from received signatures, M2 is a verifier, and ⊕ denotes the operation of exclusive OR. The scheme is described as the following: (1) Setup Step 1: Ai (i = 1, 2) shares its secret key Yi with M2 by quantum key distribution protocol. Here Yi ∈ {00, 01, 10, 11}.
1558-2558 © 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
1370
Fig. 2.
IEEE COMMUNICATIONS LETTERS, VOL. 20, NO. 7, JULY 2016
Quantum homomorphic signature model. Fig. 3.
Step 2: M1 prepares two Einstein-Podolsky-Rosen (EPR) pairs φ + 12 , φ + 34 , and sends the particle 2i (denoted as |ψ2i ) to Ai . (2) Sign Ai performs a unitary operation U (X i ⊕ Yi ) on the particle 2i after receiving it from M1 . The unitary operator U is chosen according to the value of X i ⊕ Yi and the rule of 00 → I, 01 → σx , 10 → σz, 11 → −i σ y . The particle 2i after transformation, namely ψ 2i , is exactly the signature of Ai . (3) Combine Step 1: Ai sends the signature particle 2i (namely ψ 2i ) and the classical bits X i ⊕ Yi to M1 . Step 2: M1 generates quantum homomorphic signature by entanglement swapping. Concretely, M1 performs a Bell measurement on the particles (1, 3) and gets ψ 13 ; correspondingly, (2, 4) would collapse to a certain the particles Bell state ψ 24 . ψ 4 is the homomorphic signature of M1 . Step 3: M1 sends the classical information X 1⊕Y1 ⊕ X 2 ⊕Y2 and the particles (1, 3, 2, 4) (namely ψ 13 ⊗ ψ 24 ) to M2 . (4) Verify Step 1: M2 obtains ψ 13 by performing a Bell measurement on the particles (1, 3), and obtains ψ 24 by performing a Bell measurement on the (2, 4). particles Step 2: By comparing ψ 24 with |ψ24 , M2 will obtain an operator U (Z ) which satisfies ψ 24 = c (Z ) U (Z )(4) |ψ24 , with |c (Z )| = 1. Here |ψ24 is the entanglement swapping result of the particles (2, 4) without performing unitary operations on them with |ψ13 = ψ 13 . Step 3: M2 compares X 1 ⊕ Y1 ⊕ X 2 ⊕ Y2 with Z . If X 1 ⊕ Y1 ⊕ X 2 ⊕ Y2 = Z , M2 accepts the signature. Otherwise, M2 denies the signature. After analysis, two problems are found in Shang et al.’s scheme. Firstly, only one node can achieve signature verification. Hence the scheme does not completely suit for defending against pollution attacks in quantum network coding, where two or more destination nodes need to authenticate data source by verifying a signature. Secondly, the signature sent from M1 to M2 can be easily forged if the classical bits X 1 ⊕ Y1 ⊕ X 2 ⊕ Y2 and the particles (1, 3, 2, 4) were captured by an attacker. Suppose that the state (1, 3) of the particles after the entanglement swapping is ψ 13 = ψ + 13 , then the state of the particles (2, 4) should be ψ 24 = c · U (X 1 ⊕ Y1 ⊕ X 2 ⊕ Y2 )(4) ψ + 24 . As we know, the verifier accepts
Quantum network coding scheme against pollution attacks.
the signature as long classical message Z and as the received the Bell state ψ 24 satisfy ψ 24 = c · U (Z )(4) ψ + 24 (here Z = X 1 ⊕ Y1 ⊕ X 2 ⊕ Y2 ). If an attacker replaces the classical bits X 1 ⊕ Y1 ⊕ X 2 ⊕ Y2 by a corrupt data E while preparing two entangled particles (5, 6) with |ψ56 = c · U (E)(4) ψ + 24 , the verifier would accept the signature according to the received information E and the particles (1, 3, 5, 6). In other words, the attacker has forged the signature successfully. III. Q UANTUM N ETWORK C ODING S CHEME In Hayashi’s scheme with prior entanglement, classical bits are indispensable to perfect quantum network coding. To assure that these classical bits are from senders rather than attackers, we introduce the quantum homomorphic signature scheme into the butterfly network as shown in Figure 3. Esepcially, we should solve the two problems mentioned above. The main ideas are described as follows: (1) we can add a signature copy operation at the intermediate node M2 to generate another copy of the signature S3 . As we know, after the Bell measurement by M1 , the particles (1, 3) and (2, 4) fall into Bell states. In order to precisely copy the signature S3 , M2 just needs to two EPR prepare pairs |ψ56 and |ψ78 such that |ψ56 = ψ 13 , |ψ78 = ψ 24 . Now |ψ56 |ψ78 is in the same state as ψ 13 ψ 24 , and the particle 8 can be viewed as a copy of the homomorphic signature S3 . In fact, a node can copy multiple signatures according to the number of next-hops. (2) to solve the signature forgery problem between M1 and M2 , we need to guarantee the confidentiality of unitary operator for signature generation. We can transmit X i ⊕ K i instead of X i ⊕ Yi in our new scheme. Here K i is another key pair shared between a signer and a verifier and K i ∈ {00, 01, 10, 11}. Assume that an attacker can capture and falsify information over quantum channels or classical channels. Our objective is to guarantee that the receivers can verify the identity of data source by means of quantum signature verification during the process of network coding. The two senders A1 and A2 share two pairs of the maximally entangled state φ + in prior. The first pair has two particles A1,1 and A2,1 , and the second pair has two particles A1,2 and A2,2 . A1 owns two particles A1,1 and A1,2 . A2 owns the other two particles A2,1 and A2,2 .
SHANG et al.: QUANTUM NETWORK CODING AGAINST POLLUTION ATTACKS
The quantum network coding scheme against pollution attacks is described as the following: Step 1: The sender Ai prepares its state |ϕi , then Ai shares its keys Yi and K i with B1 and B2 by quantum key distribution protocol. Here Yi , K i ∈ {00, 01, 10, 11}. Step 2: The node M1 prepares two EPR pairs φ + 12 , φ + 34 , and sends the particle 2i (denoted as |ψ2i ) to Ai . Step 3: Ai performs a Bell measurement on the system |ϕi ⊗ Ai,i , and the measurement result + is mapped to classical φ → 00, φ − → 10, bits X according to the rule of i + ψ → 01, ψ − → 11. Through quantum teleportation, the state of the remaining particle A1,2 at A1 becomes U (X 2 )−1 |ϕ2 and the state of the remaining particle A2,1 at A2 becomes U (X 1 )−1 |ϕ1 . Step 4: Ai generates the signature of X i , namely Si = U (X i ⊕ Yi ) |ψ 2i . In other words, the particle 2i after transformation (ψ 2i ) would be the signature of the sender Ai . Step 5: Ai performs a unitary operation U (X i )−1 on its remaining particle. Then the state of the particle A1,2 at A1 will become U (X 1 )−1 U (X 2 )−1 |ϕ2 = c (X 1 , X 2 ) U (X 1 ⊕ X 2 )−1 |ϕ2 , where |c (X 1 , X 2 )| = 1; the state of the particle A2,1 at A2 will become U (X 2 )−1 U (X 1 )−1 |ϕ1 = c (X 1 , X 2 ) U (X 1 ⊕ X 2 )−1 |ϕ1 , where |c (X 1 , X 2 )| = 1. Step 6: A1 sends the particle A1,2 after transformation, namely c (X 1 , X 2 ) U (X 1 ⊕ X 2 )−1 |ϕ2 , to B2 . A2 sends the particle A2,1 after transformation, namely c (X 1 , X 2 ) U (X 1 ⊕ X 2 )−1 |ϕ1 , to B1 . Then the sender Ai sends the classical bits Ci = X i ⊕ K i and its signature particle 2i to M1 . Step 7: The node M1 performs Bell measurements on the particles (1, 2) and (3, 4) to obtain the measurement results V1 = ψ 12 and V2 = ψ 34 . M1 records the information {C1 , C2 , V1 , V2 } which will be used to locate a corrupt data source when pollution attack happens. Then M1 sends the classical bits X 1 ⊕ K 1 ⊕ X 2 ⊕ K 2 and the particles (1, 2, 3, 4) (i.e., ψ 12 ⊗ ψ 34 ) to the node M2 . Step 8: The node M2 first performs Bell measurements on the particles (1, 3) and (2, 4) to obtain ψ 13 and ψ 24 . Now the particle 4 is the homomorphic signature generated by entanglement swapping. Then M2 can make a copy of the signature by preparing two EPR pairs |ψ56 and |ψ78 , with |ψ56 = ψ 13 , |ψ78 = ψ 24 . After that, M2 sends the classical information X 1 ⊕ K 1 ⊕ X 2 ⊕ K 2 and the quantum particles (1, 3, 2, 4) to B1 , and then sends the classical information X 1 ⊕ K 1 ⊕ X 2 ⊕ K 2 and the quantum particles (5, 6, 7, 8) to B2 . Step 9: The receiver B1 completes data source authentication by verifying the signature according to its received particles (1, 3, 2, 4) and classical bits X 1 ⊕ K 1 ⊕ X 2 ⊕ K 2 . B1 performs a Bell measurement on the particles (1, 3) to obtain ψ 13 , and performs a Bell measurement on the particles (2, 4) to obtain ψ 24 . Assume that |ψ24 is the entanglement swapping result of the particles (2, 4) without performing unitary operations on them while |ψ13 = ψ 13 is satisfied. By comparing ψ 24 with |ψ24 , B1 will obtain an operator U (Z ) such that ψ 24 = c (Z ) U (Z )(4) |ψ24 . B1 can calculate X 1 ⊕ Y1 ⊕ X 2 ⊕ Y2 according its received
1371
information X 1 ⊕ K 1 ⊕ X 2 ⊕ K 2 and the keys K 1 , K 2 , Y1 and Y2 . Then B1 compares X 1 ⊕ Y1 ⊕ X 2 ⊕ Y2 with Z . If X 1 ⊕ Y1 ⊕ X 2 ⊕ Y2 = Z , B1 would confirm that the classical bits X 1 and X 2 are from the senders A1 and A2 . Otherwise B1 would conclude that the data has been falsified. Similarly, the receiver B2 completes data source authentication by verifying the signature according to its received particles (5, 6, 7, 8) and classical bits X 1 ⊕ K 1 ⊕ X 2 ⊕ K 2 . Step 10: If the receiver Bi verifies the signatures successfully, Bi first calculates the result of X 1 ⊕ X 2 according to the keys Y1 , Y2 and the information X 1 ⊕ Y1 ⊕ X 2 ⊕ Y2 . Then Bi performs the unitary operation U (X 1 ⊕ X 2 ) on its received particle to recover the original quantum state. Concretely, B1 recovers U (X 1 ⊕ X 2 ) U (X 1 ⊕ X 2 )−1 |ϕ1 = |ϕ1 and B2 recovers U (X 1 ⊕ X 2 ) U (X 1 ⊕ X 2 )−1 |ϕ2 = |ϕ2 . Here, the phase factor c(X 1 , X 2 ) is ignored. IV. S CHEME A NALYSIS A. Security Property 1: In our scheme, any corrupt packet which prevents receivers from recovering original states would be detected. Proof: As mentioned above, during the signature verification process B1 will first derive a unitary operator U (Z ) by comparing ψ 24 with |ψ24 such that ψ 24 = c (Z ) U (Z )(4) |ψ24 . Here Z = X 1 ⊕ K 1 ⊕ X 2 ⊕ K 2 . Assume that an attacker modifies packets and the packet B1 receives after modification is denoted as E, then the following two cases may occur: Case 1: E = X 1 ⊕ K 1 ⊕ X 2 ⊕ K 2 . In this case, the modified packets will pass the signature verification, but will not be found out. As the modification does not affect the decoding process, B1 and B2 can still recover the original quantum states. Therefore, such modification will not be treated as an attack. Case 2: E = X 1 ⊕ K 1 ⊕ X 2 ⊕ K 2 . In this case, the modified packets cannot pass the signature verification and will be found out by B1 and B2 . All in all, any corrupt packet which prevents receivers from recovering original states would be detected. Property 2: With the information of trusted intermediate nodes, our scheme can locate a corrupt data source. Proof: As mentioned above, if the signature verification successes at the receiver B1 , it would confirm that the classical bits X 1 and X 2 are from the source nodes A1 and A2 . However, if the verification fails, B1 can only conclude that the information has been modified somewhere in the network, but cannot locate the corrupt data source. Assume that the intermediate node M1 is a trusted node. Here “trusted” means that the node would not modify any packet and can share all the keys Y1 , Y2 , K 1 , K 2 . In this case, with the help of the trusted node M1 , B1 can find out the corrupt packet and locate the corrupt data source. Concretely, when B1 finds out data corruption by verifying the signature, it notifies M1 to transmit the information {C1 , C2 , V1 , V2 } to it (see Step 6 of Section III).
1372
Fig. 4. Particles consumed. (a) Case with homomorphic signature. (b) Case without homomorphic signature.
Consider that V1 = ψ 12 = U (X 1 ⊕ Y1 )(2) |ψ12 and V2 = ψ 34 = U (X 2 ⊕ Y2 )(4) |ψ34 , B1 can obtain X 1 ⊕ Y1 and + X 2 ⊕ Y2 by comparing V1 and V2 with the original states φ φ + . If X i ⊕Yi = Ci ⊕ K i ⊕Yi , B1 can conclude and 12 34 that X i ⊕K i has been modified before M1 and the modification of data occurs in the channel Di . Otherwise, B1 can confirm that the modification of data occurs in the channels F, G 1 , G 2 instead of D1 and D2 . If the intermediate node M2 is also a trusted node, we can further locate with accuracy in which channel of F, G 1 , G 2 the modification occurs. B. Performance (1) Fidelity Assume that the input state is |ψ and the output state is ρ, √then the fidelity between the two states is defined as F = ψ| ρ |ψ. Theorem 1: The fidelity of our quantum network coding scheme with quantum homomorphic signature is 1. Proof: As we know, Hayashi’s scheme with prior entanglement can transmit two qubits crossly and perfectly over the butterfly network. Note that all the operations we introduce into the new scheme would not affect the fidelity of transmitting unknown qubits. Hence the fidelity of our scheme is the same as that of Hayashi’s scheme, namely 1. (2) Particles consumed In order to securely transmit two qubits over the butterfly network by Hayashi’s scheme with prior entanglement, quantum signature needs to be introduced to achieve data source authentication. In our scheme, 8 quantum particles are needed in each transmission process. 4 of the 8 particles are used to generate homomorphic signature and the other 4 particles to copy the signature. This can be seen from Figure 4(a). By contrast, if we generate a signature at each node instead of using homomorphic signature, 10 quantum particles will be needed, which can be seen from Figure 4(b). Hence, our scheme saves 2 quantum particles in each transmission process, and saves 2n particles during n transmission processes. The amount of saved particles increases linearly with transmission. (3) Rate region In our scheme, each channel can optionally transmit one qubit or two bits as required. Definition 1 (Rate Region for Butterfly Network [10]): If a protocol uses the network n times along with other allowed resources, and communicates m 1 ,m 2 of
IEEE COMMUNICATIONS LETTERS, VOL. 20, NO. 7, JULY 2016
sizes n (r1 − δn ),n (r2 − δn ) bits/qubits with fidelity at least 1 − ξn for δn ,ξn → 0. Then we say that the rate pair (r1 , r2 ) is achievable. The achievable rate region is the set of all achievable rate pairs. Theorem 2: The achievable rate for ourscheme declines from (r1 , r2 ) = (1, 1) to (r1 , r2 ) = 15 , 15 compared with the perfect quantum network coding with prior entanglement between two senders. Proof: Hayashi’s scheme with prior entanglement can reach a rate pair as (r1 , r2 ) = (1, 1). This means Hayashi’s scheme can transmit two source qubits simultaneously by a single use of the network. In our scheme, we add signature mechanism for data source authentication which needs to send the extra information of signatures in the network. Obviously this would reduce the achievable rate. Compared with Hayashi’s work, to transmit two source qubits simultaneously, our scheme needs to transmit four extra particles which are sent via S1 (S2 ) → M1 → M2 → B1 for signature. Due to the capacity of channels, we need to transmit these particles by using the network four times. Then we can easily obtain that (r1 , r2 ) = 15 , 15 for our scheme. V. C ONCLUSIONS Our quantum network coding scheme with homomorphic signature can effectively defend against pollution attacks. Compared to quantum network coding scheme with ordinary signature, our scheme consumes fewer quantum particles, while the rate region of our scheme declines due to the attachment of signatures. Pollution attacks can only be detected at sink nodes so far. If pollution attacks can be detected immediately at intermediate nodes, the scheme will be more efficient and consume less resource. R EFERENCES [1] R. Ahlswede, N. Cai, S. Y. R. Li, and R. W. Yeung, “Network information flow,” IEEE Trans. Inf. Theory, vol. 46, no. 4, pp. 1204–1216, Jul. 2000. [2] M. Hayashi, K. Iwama, H. Nishimura, R. Raymond, and S. Yamashita. (2007). “Quantum network coding.” [Online]. Available: http://arxiv.org/abs/quant-ph/0601088 [3] M. Hayashi, “Prior entanglement between senders enables perfect quantum network coding with modification,” Phys. Rev. A, vol. 76, no. 4, p. 040301, 2007. [4] H. Kobayashi, F. Le Gall, H. Nishimura, and M. Rötteler, “Perfect quantum network communication protocol based on classical network coding,” in Proc. IEEE Int. Symp. Inf. Theory, Austin, TX, USA, Jun. 2010, pp. 2686–2690. [5] H. Kobayashi, F. Le Gall, H. Nishimura, and M. Rötteler, “General scheme for perfect quantum network coding with free classical communication,” in Automata, Languages and Programming, vol. 5555. Berlin, Germany: Springer, 2009, pp. 622–633. [6] H. Kobayashi, F. Le Gall, H. Nishimura, and M. Rötteler, “Constructing quantum network coding schemes from classical nonlinear protocols,” in Proc. IEEE Int. Symp. Inf. Theory, Jul./Aug. 2011, pp. 109–113. [7] S. Y. Ma, X. B. Chen, M. X. Luo, X. X. Niu, and Y. X. Yang, “Probabilistic quantum network coding of M-qudit states over the butterfly network,” Opt. Commun., vol. 283, no. 3, pp. 497–501, 2010. [8] T. Satoh, F. Le Gall, and H. Imai, “Quantum network coding for quantum repeaters,” Phys. Rev. A, vol. 86, no. 3, p. 032331, 2012. [9] T. Shang, X. J. Zhao, and J. W. Liu, “Quantum network coding based on controlled teleportation,” IEEE Commun. Lett., vol. 18, no. 5, pp. 865–868, May 2014. [10] H. Nishimura, “Quantum network coding—How can network coding be applied to quantum information?” in Proc. IEEE Int. Symp. Netw. Coding, Jun. 2013, pp. 1–5. [11] T. Shang, X. J. Zhao, C. Wang, and J. W. Liu, “Quantum homomorphic signature,” Quantum Inf. Process., vol. 14, no. 1, pp. 393–410, 2015.