New Probabilistic Quantum Key Distribution Protocol

Abstract

On the basis of entanglement swapping of Bell states, Hwang et al. proposed a probabilistic quantum key distribution (PQKD) protocol Quantum Inf. Comput. 11(7-8), 615–637 (2011). Recently, Lin et al. Quantum Inf. Comput. 14(9-10), 757–762 (2014) proposed a unitary operation attack on Hwang et al.’s PQKD. However, unlike the unitary operation attack, this work points out that a malicious participant in Hwang et al.’s PQKD protocol can manipulate the secret key. As a result, the security requirements of a PQKD protocol, i.e., fairness, cannot be satisfied in their protocol. Moreover, the same attack can also crack the fairness requirement of the existing quantum key agreement (QKA) protocols. To overcome both problems, this paper proposes a new PQKD protocol based on the order rearrangement of the transmitted photons. Furthermore, the rearrangement method can also solve the key manipulation attack in QKA protocols.

1 Introduction

Quantum key distribution (QKD), which allows a sender to distribute a pre-determined secret key to a receiver through the transmission of quantum signals, is one of the most important research topics in quantum cryptography. Since the first QKD protocol was presented by Bennett and Brassard [1] in 1984 (also known as BB84), a variety of QKD protocols have been proposed [2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19]. Although the QKD protocols provide unconditional security [20, 21], they must assume that the participants are mutually trusted [22]. That is, they always follow the protocol and one participant must accept the key decided by the other participant.

In contrast to the QKD protocols, the participants in a quantum key agreement (QKA) and a probabilistic quantum key distribution (PQKD) are assumed to be mutually untrusted. A QKA protocol [23,24,25,26,27] is one whereby two or more participants negotiate a key over quantum channels and classical channels on the basis of their exchanged messages. Unlike QKA protocols, Hwang et al. [28] proposed the first PQKD protocol using Bell states and entanglement swapping, where two mutually suspicious participants can share an unpredictable key based on quantum mechanics. The PQKD protocol has the following features:

1. 1.

   Unpredictability: The key distributed is an unpredictable key.

2. 2.

   Fairness: No one can pre-determine the key even with a single bit advantage.

3. 3.

   Effectiveness: The intrinsic measurement uncertainty and entanglement swapping of photons are applied to facilitate the generation as well as distribution of a random key.

Recently, Lin et al. [29] proposed a unitary operation attack on Hwang et al.’s PQKD protocol. One malicious participant can manipulate the secret key by using the unitary operation attack without being detected. However, unlike the unitary operation attack, this paper reveals a common problem in these QKA protocols [23,24,25,26,27] and the PQKD protocol [28]. The problem further enables a key manipulation attack that threatens the security of these protocols. This study takes Hwang et al.’s PQKD protocol [28] as an example to show the key manipulation problem. That is, a legitimate but malicious participant can manipulate the secret key.

In order to avoid the unitary operation attack and the key manipulation attack, this paper proposes a new PQKD protocol using the entanglement swapping of Bell states and reordering of the transmitted qubits. Therefore, the malicious participant cannot obtain the correct secret key by performing a unitary operation attack and a key manipulation attack. Finally, two untrusted participants generate a random fairness secret key by using the entanglement swapping of Bell states.

The rest of this paper is organized as follows. Section 2 introduces Bell states and the entanglement swapping of Bell states. Section 3 reviews Hwang et al.’s PQKD protocol. Section 4 discusses the key manipulation problem of Hwang et al.’s protocol. Section 5 describes the proposed PQKD protocol. Section 6 analyzes the security and the fairness of the proposed PQKD protocol. Finally, Section 7 concludes our results.

2 Background

The Einstein-Podolsky-Rosen (EPR) pair, also called the Bell state, is a two-particle quantum entangled state. It can be described by four orthogonal maximal states as follows:

$$\left|\left.{\phi }^{+}\right\rangle \right.\mathrm{=}\frac{\mathrm{1}}{\sqrt{\mathrm{2}}}\left( \left|\left.00\right\rangle \right.\mathrm{+}\left|\left.\mathrm{11}\right\rangle \right.\right)\mathrm{=}\frac{\mathrm{1}}{\sqrt{\mathrm{2}}}\mathrm{(}\left|\left.\mathrm{++}\right\rangle \right.\mathrm{+}\left|\left.\mathrm{--}\right\rangle \right.\mathrm{)}$$

$$\left|\left.{\phi }^{-}\right\rangle \right.\mathrm{=}\frac{\mathrm{1}}{\sqrt{\mathrm{2}}}\left( \left|\left.00\right\rangle \right.\mathrm{-}\left|\left.\mathrm{11}\right\rangle \right.\right)\mathrm{=}\frac{\mathrm{1}}{\sqrt{\mathrm{2}}}\mathrm{(}\left|\left.\mathrm{+-}\right\rangle \right.\mathrm{+}\left|\left.\mathrm{-}\mathrm{+}\right\rangle \right.\mathrm{)}$$

$$\left|\left.{\psi }^{+}\right\rangle \right.\mathrm{=}\frac{\mathrm{1}}{\sqrt{\mathrm{2}}}\left( \left|\left.\mathrm{01}\right\rangle \right.\mathrm{+}\left|\left.\mathrm{10}\right\rangle \right.\right)\mathrm{=}\frac{\mathrm{1}}{\sqrt{\mathrm{2}}}\mathrm{(}\left|\left.\mathrm{++}\right\rangle \right.\mathrm{-}\left|\left.\mathrm{--}\right\rangle \right.\mathrm{)}$$

$$\left|\left.{\psi }^{-}\right\rangle \right.\mathrm{=}\frac{\mathrm{1}}{\sqrt{\mathrm{2}}}\left( \left|\left.\mathrm{01}\right\rangle \right.\mathrm{-}\left|\left.\mathrm{10}\right\rangle \right.\right)\mathrm{=}\frac{\mathrm{1}}{\sqrt{\mathrm{2}}}\mathrm{(}\left|\left.\mathrm{+-}\right\rangle \right.\mathrm{-}\left|\left.\mathrm{-}\mathrm{+}\right\rangle \right.\mathrm{)}$$

The entanglement swapping is shown in Table 1. Suppose that Alice and Bob prepare Bell states |ϕ⁺〉, respectively. Then, they exchange the second qubit of |ϕ⁺〉 and perform the Bell measurement on their first qubit and the received second qubit. After that, one of the following four measurement results, {(|ϕ⁺〉_a1b2,|ϕ⁺〉_b1a2),(|ϕ⁻〉_a1b2,|ϕ⁻〉_b1a2), (|ψ⁺〉_a1b2,|ψ⁺〉_b1a2),(|ψ⁻〉_a1b2,|ψ⁻〉_b1a2)}, appears randomly. It is obvious that Alice and Bob can derive the same unitary operation, which transforms the initial state to the measurement result.

Table 1 The entanglement swapping of Bell states

3 Review of Hwang et al.’s PQKD Protocol

Alice and Bob, two mutually untrusted communicants, wish to share a fair n-bit random key by using the entanglement swapping of Bell states. Let the four Bell states |Φ⁺〉, |Φ⁻〉, |Ψ⁺〉 and |Ψ⁻〉 represent two-bit information “00,” “01,” “10,” and “11,” respectively. Here, the classical communication channels are assumed to be authenticated, and the quantum channels are assumed to be ideal. The PQKD protocol proceeds as follows:

Step 1.:

Alice generates a sequence of n Bell states in \(|{\Phi }^{+} \rangle =\frac {1}{\sqrt {2} } (|00\rangle +|11\rangle )\),S = {s₁,s₂,…,s_n}, where \(s_{i} =\{ q_{A1}^{i} ,\text { }q_{A2}^{i} \} \),i = 1,2,…,n. She takes the second qubit to form a new sequence \(S_{B} =\{ q_{A2}^{i} \} \), and the first qubit to form the other sequence \(S_{A} =\{ q_{A1}^{i} \} \), for i = 1,2,…,n. Then, Alice arbitrarily performs a Hadamard operation H (\(=\frac {1}{\sqrt {2} } [(|0\rangle +|1\rangle )\langle 0|+(|0\rangle -|1\rangle )\langle 1|]\)) or an identity operation I (= |0〉〈0| + |1〉〈1|) on \(S_{B} =\{ q_{A2}^{i} \} \) to form a new sequence \(S_{B}^{\prime } =\{q_{A2}^{{\prime }{i}}\} \), and then sends it to Bob.

Step 2:

Upon receiving \(S_{B}^{\prime } =\{q_{A2}^{\prime {i}}\} \), Bob also generates a sequence of n Bell states in \(|{\Phi }^{+} \rangle =\frac {1}{\sqrt {2} } (|00\rangle +|11\rangle )\),T ={t₁,t₂,…,t_n}, where \(t_{i} =\{ q_{B1}^{i} , q_{B2}^{i}\} \),i= 1,2,…,n. He takes the second qubit to form a new sequence \(T_{B} =\{ q_{B2}^{i} \} \), and the first qubit to form the other sequence \(T_{A} =\{ q_{B1}^{i} \} \), for i = 1,2,…,n. He performs a permutation π on \(T_{A} =\{ q_{B1}^{i} \} \) to form a new sequence \(T^{\prime }_{A} =\{ q_{B1}^{\prime {i}}\} \) and then sends it to Alice.

Step 3:

Alice randomly chooses j positions as a check set C for an eavesdropping check. Then, she performsH on \(S_{A} =\{ q_{A1}^{i} \} \), for which the corresponding \(S_{B} =\{ q_{A2}^{i} \} \) were performed with the same H in Step 1. After that, she announces the positions of C to Bob through an authenticated classical channel.

Step 4:

Bob derives the 2n-bit raw key by performing a Bell measurement on \(S_{B} =\{ q_{A2}^{i} \} \) and \(T_{B} =\{ q_{B2}^{i} \} \), i.e., \(K_{BA} =\{ BM(q_{A2}^{1} ,q_{B2}^{1} ),BM(q_{A2}^{2} ,q_{B2}^{2} ),K ,BM(q_{A2}^{n} ,q_{B2}^{n} )\} \). Then, he sends π and the Bell measurement results K_C of C to Alice through an authenticated classical channel. He derives the key as K = K_BA – K_C. Let K be the remaining bits in K_BA after removing the checking bits in K_C.

Step 5:

Alice recovers \(T_{A} =\{ q_{B1}^{i} \} \) from \(T_{A}^{\prime } =\{ q_{B1}^{\prime {i}}\} \) on the basis of the π and derives the 2n-bit raw key as \(K_{AB} =\{ BM(q_{A1}^{1} ,q_{B1}^{1} ),BM(q_{A1}^{2} ,q_{B1}^{2} ),K ,BM(q_{A1}^{n} ,q_{B1}^{n} )\} \). It is noted that K_AB = K_BA. According to K_C received from Bob and that measured by Alice herself, Alice can detect the presence of eavesdropping. If there is no eavesdropper, then she sets K = K_AB – K_C as the key shared with Bob. Otherwise, they abort the process and start a new one.

It appears that neither Alice nor Bob can manipulate the outcome of the shared key K, because the result of entanglement swapping is unpredictable. However, this paper reveals in the following section that Bob can determine one key bit completely.

4 Key Manipulation Problem

The PQKD protocol is in a mutually untrusted environment where Alice and Bob are mutually opposed to each other. Several problems could arise from the PQKD protocol if the public discussion is not carefully designed. These are explained in the following example.

Suppose that the first bit of the raw key between Alice and Bob in Step 4 is “0.” If Bob prefers the first bit of the raw key to be “0,” then he will follow the protocol. If, however, Bob prefers the first bit of the raw key to be “1,” then he can send an incorrect KC as his fake Bell measurement result C to Alice for public discussion, which will fail eventually. Hence, they will abort the process in Step 5 and start a new one until the first bit of the raw key is “1.” Accordingly, Bob could manipulate the first bit of the raw key through the public discussion, even though the unpredictability in the Bell state entanglement swapping is applied to generate and distribute the key. Thus, the PQKD protocol fails to provide “fairness” between both participants because one bit of the final shared key can be determined by the participant who first knows the raw key of the other. The same problem can also be identified in the QKA protocols described in [23,24,25,26,27].

5 The Proposed PQKD Protocol

To solve the unitary operation attack and key manipulation attack, this section introduces a new PQKD protocol. Suppose that two untrusted participants, Alice and Bob, want to distribute an unpredictable key \({K^{M}_{P}}\) by a quantum channel. Here, the classical channels are assumed to be authenticated, and the quantum channels are ideal.

Step 1:

Alice prepares n Bell states randomly chosen from {|ϕ⁺〉,|ϕ⁻〉,|ψ⁺〉,|ψ⁻〉}. She takes all of the first qubits and second qubits from each Bell state to form the ordered sequences S_A1 and S_A2, respectively; then, Alice shuffles S_A2 to obtain \(S_{A2}^{\prime }\). Alice generates n decoy photons arbitrarily chosen from {|0〉,|1〉,|+〉,|−〉}, and then randomly inserts these decoy photons into \(S_{A2}^{\prime }\) to form \(S_{A2}^{{\prime }*}\). Similarly, Bob can produce S_B1 and \(S_{B2}^{{\prime }*}\) in the same way. Finally, Alice delivers \(S_{A2}^{{\prime }*}\) to Bob.

Step 2:

After Bob receives the sequences sent from Alice, Alice announces the measurement positions and the bases of the decoy photons in \(S_{A2}^{{\prime }*}\). According to the measurement results of decoy photons replied from Bob, Alice can check the existence of eavesdroppers. If there is no eavesdropper, she sends an acknowledgment to Bob through an authenticated classical channel. Otherwise, they abort the process and start a new one. Similarly, Bob sends \(S_{B2}^{{\prime }*}\) to Alice and performs the eavesdropping check.

Step 3:

After the eavesdropping check, Alice has two sequences S_A1 and \(S_{B2}^{\prime }\), and Bob also has two sequences S_B1 and \(S_{A2}^{\prime }\). Bob announces his shuffled information. According to the shuffled information sent from Bob, Alice can recover \(S_{B2}^{\prime }\) into the correct order of S_B2. Then, Alice performs the Bell measurement on S_A1 and S_B2 to obtain 2n bits of an unpredictable key K_P, where the K_P is “00” if the unitary operation is I, “01” if σ_z, “10” if σ_x, and “11” if iσ_y.

Step 4:

After Alice obtains the unpredictable key K_P, she announces her shuffled information of \(S_{A2}^{\prime }\). Then, Bob also can recover the correct order of S_A2 and performs the Bell measurement on S_B1 and S_A2 to obtain an unpredictable key K_P.

According to Section 2, Alice and Bob can obtain the same unpredictable key K_P. Furthermore, neither one can manipulate the unpredictable key K_P.

6 Security Analysis

In this section, we discuss the security and the fairness of the proposed PQKD protocol. The security of the proposed PQKD protocol is analyzed from the eavesdropping attack, Lin et al.’s unitary operation attack [29], and the key manipulation problem.

6.1 The Eavesdropping Attack

In order to avoid the eavesdropping attack, two untrusted participants use enough decoy photons, which are randomly generated from one of the four states {|0〉,|1〉,|+〉,|−〉}. Then, they randomly insert these decoy photons in their transmitted sequences. Because an eavesdropper does not know the bases and the positions of the decoy photons, an eavesdropper is detected in public discussion when he or she tries to measure and resend the quantum sequences. The probability of detecting an eavesdropper is \(\mathrm {1-}{\mathrm {(}\frac {3}{4}\mathrm {)}}^{d}\), where \(\frac {3}{4}\) is the probability that an eavesdropper can pass the eavesdropping check in each decoy photon, and d is the total number of decoy photons. Therefore, if d is large enough, the probability \(\mathrm {1-}{\mathrm {(}\frac {3}{4}\mathrm {)}}^{d}\) will be close to 1.

6.2 Lin et al.’s Unitary Operation Attack

In Lin et al.’s attack, the malicious communicant, e.g., Bob, can perform unitary operations on the qubits sent from Alice and resend these qubits to Alice to manipulate the secret key. However, in the proposed PQKD protocol, Alice shuffles her transmitted qubits S_A2 to \(S_{A2}^{\prime }\) in Step 1. Then, she asks Bob to announce his order first in Step 3. Because Bob does not know the correct order of \(S_{A2}^{\prime }\) before Step 4, he cannot manipulate the secret key by performing unitary operations on \(S_{A2}^{\prime }\) and resending to Alice. Therefore, the proposed protocol does not enable this attack.

6.3 Key Manipulation Problem

In order to avoid the key manipulation problem, Alice and Bob shuffle their transmitted qubits in Step 1 and Step 2. Because the measurement results are unpredictable on two different EPR pairs, the malicious communicant cannot obtain the correct secret key by performing the Bell measurement in public discussion. Therefore, the malicious participant does not deliver the fake measurement results in public discussion. The proposed PQKD protocol is fair under the key manipulation problem.

7 Conclusions

This study showed that there is a key manipulation problem in the QKA protocols and the PQKD protocol. Moreover, in order to avoid Lin et al.’s unitary operation attack [29] and the key manipulation problem, this paper proposes a new PQKD protocol based on the entanglement swapping of Bell states and order rearrangement of the transmitted photons. It also can avoid the eavesdropping attack by using decoy photons. Because the fairness of the proposed PQKD protocol is based on the order rearrangement of the transmitted photons, the PQKD protocol might be unsecure if the bit length of the shared key is too short. Therefore, how to design a secure PQKD protocol without this problem will be an interesting topic of future research.