FormalPara PACS

03.67.-a03.65.-w03.65.Ud

1 Introduction

With the rapid development of quantum technology, especially the realization of quantum computing, the current classical cryptography schemes are potentially in danger. Quatum cryptography utilizes the principle of quantum mechanics to provide unconditionally secure information exchange. Since the first quantum key distribution (QKD) was proposed in 1984 [1], a lot of quantum information schemes have been proposed, such as quantum secret sharing (QSS) [2,3,4,5,6,7], and quantum teleportation [8,9,10,11,12].

In the past decade, quantum secure direct communication (QSDC) has attracted great attention of researchers. In the QSDC protocol, the secret message is transmitted directly without first establishing a key to encrypt it. The first QSDC protocol was proposed by Long and Liu in 2000 [13]. In their pionner two-step protocol, they selected an Einstein-Podolsky-Rosen (EPR) pair as the carrier qubit. The concept of quantum data block was proposed to detect eavesdropping efficiently. After that, many QSDC protocols was proposed [14,15,16,17,18,19,20]. However, most existing QSDC protocols require users to have full quantum capabilities. Obviously, it’s unrealistic for every participant to have such expensive quantum resource and the ability to prepare or measure arbitrary quantum state. To resolve these issues, in 2007, Boyer et al. [21] proposed the first semi-quantum cryptography protocol base on BB84 protocol. In this paper, participants meeting the following criteria are defined as “classical”: (1) Reflect the qubits to the sender without disturbance (referred to as REFLECT). (2) Measure the qubits in the basis and then resend the same states of these qubits to the sender (referred to as MEASURE). In 2009, Boyer et al. [22] proposed the semi-quantum key distribution (SQKD) protocol based on randomization by using single photons to further improve the concept of semi-quantum. Since then, the idea of semi-quantum was applied into different quantum information processing task. There are researches focus on semi-quantum secret sharing (SQSS) [23,24,25], semi-quantum secure direct communication (SQSDC) [26,27,28,29] and so on. In 2014, Yu et al. [28] proposed the first authenticated SQKD (ASDKD) protocol. In this paper, by pre-sharing a secret key, a quantum sender can transmit a working key to a classical receiver, and they also modify the operations of semi-quantum. In the operation of MEASURE, the classical receiver don’t need to send the measurement results back to the quantum sender. In 2016, Luo and Hwang [29] proposed the two authenticated semi-quantum direct communication protocols without any classical channel. By pre-sharing a master secret key between two communicants, a sender with advanced quantum devices can transmit a secret message to a receiver who can only perform classical operations without any information leakage. In 2017, Meslouhi et al. [30] proposed a cryptanalysis on Yu’s ASQKD protocol. In this paper, they pointed out a malicious person can recover a partial master key and launch Man-In-The-Middle attack. Besides, they proved that Bob’s operation (MEASURE or REFLECT) must be random.

Inspired by Yu et al. and Luo et al., we propose two authenticated SQSDC protocols based on Bell states by which quantum Alice can transmit a secret message directly to classical Bob. By using uncertainty principle and the quantum entanglement of Bell state, the two proposed protocols rely on the Bell states to share the secret information between Alice and Bob. Both sides of the communication can comfirm the legitimacy of each other’s identity, and the difference between these two protocols is that we introduce the quantum error correction code in the second protocol so that it can resist noise.

The rest of this paper is organized as follows. Our two SQSDC protocols is presented in Section 2 and the security analysis is discussed in Section 3. Finally, a discussion and conclusion is drawn in Section 4.

2 The Two Protocols

We suppose that quantum Alice wants to transmit n bits secret message m to semi-quantum Bob. Let’s first introduce some prior theoretical basis in these two protocols:

  1. (1)

    We assume that Alice and Bob pre-shared two secret keys k1 and k2, where k1, k2 ∈ {0, 1}n . This step can be implemented by using the semi-quantum key distribution protocol, which is proved to be unconditional secure.

  2. (2)

    When Alice sends particles to Bob, k1is used to encrypt these particles, and k2 is used to rearrange the order of the encrypted sequence. When Bob sends back particles to Alice, on the contrary, k2is used to encrypt these particles, and k1 is used to rearrange the order of the encrypted sequence.

  3. (3)

    We introduce the quantum error correction code (QECC) to protect quantum information from errors due to decoherence and other quantum noise. QECC is essential if one is to achieve fault-tolerant quantum communication and it contains the bit flip code, the sign flip code, the shor code, the Bosonic codes and the general codes. As described in Luo et al. [29], in this paper, we also conceive that the error correction code, which uses \( \frac{n}{4} \)-bit codeword to encode s-bit information using generator matrix G(xs) and can correct t codeword error bits with the error-correcting function \( D\left({y}^{\frac{n}{4}}\right) \) [31,32,33].

  4. (4)

    After performing the Z-based measurement, the encoding rules for the particles are: If the measuremet result is∣0〉, we encode it as 0. If the measuremet result is∣1〉, we encode it as 1.

2.1 The ASQDC Protocol

We assume that the quantum channels here are assumed to be noiseless and lossless. The procedure of this protocol is described in the following steps:

  1. Step 1:

    Quantum Alice prepares N = 4n(1 + δ) + kbits Bell states from{| ϕ+〉, | ψ+〉}, where n is the length of the secret message and δis a fixed parameter, and k is the length of eavesdropping checking qubits. If the ith bit of message is zero, Alice produces the state\( \mid {\phi}^{+}\Big\rangle =\frac{1}{\sqrt{2}}{\left(|00\Big\rangle +|11\Big\rangle \right)}_{12} \). Otherwise, she produces the state\( \mid {\psi}^{+}\Big\rangle =\frac{1}{\sqrt{2}}{\left(|01\Big\rangle +|10\Big\rangle \right)}_{12} \). Note that the state∣ϕ+〉 is used to encode the bit 0: If the first and second qubits of the state (q1andq2) are measured separatedly in Z-basis, according to the encoding rules, we always haveq1 ⊕ q2 = 0. Similarly, we uses the state∣ψ+〉 to encode the bit 1. After that, Alice generates a sequence of Bell states S = (S1, ..., Sn)based on the secret message m, and a sequence of Bell statesC = (C1, ..., Ck)based on the checking photons. Alice divides each Bell states of the sequence S into the first qubit as home sequence (H) and the second qubit as travel sequence (T). Alice divides the sequenceC into two ordered sequences with the same length, CA = {C11, ..., C1k} andCB = {C21, ..., C2k}. To resist the two kinds of Trojan horse attacks [34,35,36], Bob must place a wavelength filter and a photon number spliter (PNS) before he receives the qubits.

  2. Step 2:

    Alice encrypts the travel sequence (T) with key k1 and gets the sequence\( Q={E}_{k_1}(T) \), then she rearranges the two sequences Q and CB with key k2and gets the sequence\( {S}_N={R}_{k_2}\left(Q,{C}_B\right) \). Alice keeps home sequence (H) and CA and sends SN to Bob. It should be noted that the encryption and decryption algorithm used by these two protocol must be classical algorithm.

  3. Step 3:

    After receiving the sequenceSN, Bob uses key k1to decrypt it and restores the correct order of sequence Tand CB with keyk2. For sequenceT, he uses the Z-basis (∣0〉, ∣ 1〉) to measure the qubits and keeps the result to composeMRB. Bob encrypts the sequence CB with key k2 and get the new sequence\( {C}_{BE}={E}_{k_2}\left({C}_B\right) \), and he reoders CBE with key k1 to get\( {C}_{BE R}={R}_{k_1}\left({C}_{BE}\right) \). Then Bob sends CBER back to Alice.

  4. Step 4:

    When Alice receives the sequenceCBER, she can restore the correct order of CBER to get CBE with keyk1, and she decrypts CBE with key k2 to get the sequence which name isCBD. Alice performs Bell measurement on CBD and CA to obtainCN, and she cheak whether each corresponding set of two qubits in CN is consistent with the initial eavesdropping checking qubits sequenceC. More specifically, ifCN = C, it means that the transmission between Alice and Bob is secure. Otherwise, they will terminate the protocol and restart it.

  5. Step 5:

    Alice performs Z-basis measurement on sequence Hand gets the measurement resultMRA. Alice can get a binary key string kabased on the encoding rules: When MRA is in state∣0〉, she assigns the value of ka to 0. Otherwise, the value of ka is 1. Bob gets a binary key string kb according to the same encoding rules.

  6. Step 6:

    Alice publishes her keychainska. Then Bob uses ka and kb to recover the secret message bym = ka ⊕ kb. More specifically, Bob performs the XOR operation for each bit pair in ka andkb.

2.2 The Noise-Resistant ASQDC Protocol

Noise exists in the real communication environment and it will change the quantum qubit state. In order to resist noise in the quantum channel, we use the linear error correction code with our protocol 2.

  1. Step 1★:

    Alice follows the same steps of Sect. 2.1 to generate the sequence HandT. Then Alice generates the checking value of the eavesdropping sequence C randomly in the bit of 0 and 1. After that, Alice divides the sequence C into CA and CB and calculates the codeword of CB under QECC, denoted asCBECC.

  2. Step 2★:

    Same as Protocol 1.

  3. Step 3★:

    Bob gets the sequence CBECC and T with key k1andk2. For sequenceT, he performs the same procedures as Protocol 1 to obtainMRB. Bob uses the key k1andk2 to encrypt and reorder theCBECC, and sends back the new sequence CBECCN to Alice.

  4. Step 4★:

    After Alice receivesCBECCN, she reoders and decrypts it to recovery CBECC based on the key k1andk2. Through the same process as Protocol 1, Alice performs Bell measurement on CBECCN and CA to obtainCNECC. Similarly, ifCNECC = C, it means the message transfer process is secure. Otherwise, the protocol must be shut down and restart.

  5. Step 5★:

    Alice and Bob obtain the binary key string ka and kb after the same operation as Step 5 in Protocol 1.

  6. Step 6★:

    Alice publishes her keychainka, and Bob performs XOR operation to recover the secret message bym = ka ⊕ kb.

3 Security Analysis

In this section, we will analysis the Impersonation attack, the Intercept-and-resend attack, and the Trojan horse attack. We also analysis the reuse of the two pre-shared key and the qubits efficiency. It should be noted that, the security analysis of the noise-resistant ASQDC protocol is the same.

3.1 The Impersonation Attack

Eve may try to impersonate Alice to send a forged message to Bob. Suppose Eve generates a sequence of qubitsSNE, and sends them to Bob in Step 2. However, Eve cannot perform the correct reorder and encrypt operation on SNE without knowing the pre-shared the key k1 andk2, and the comparison will be failed. So Eve will be caught by Bob with a probability close to 1. On the other hand, Eve may try to impersonate Bob to cheat Alice by intercept the sequence SN from Alice to Bob in Step 2. Since Eve doesn’t know the secret key k1 andk2, Eve doesn’t know how to reoder the qubit sequence. Suppose Eve successfully restored the correct order of the particles, however, Eve cannot encrypt and reoder the checking qubit sequenceCBwithout known the key k1 andk2. In this case, the illegal operation of Eve will definitely be discovered.

3.2 The Intercept-and-Resend Attack

The Eve can take the intercept-and-resend attack to get the secret message m without being detected. Eve intercepts the sequence SN and measures it with the Z-basis. Then Eve generates the same states based on the measurement result and sends them to Bob. However, the original sequence SN is reordered with the checking sequenceCB and the sequence Q based onk2, where the sequence Qis obtained by the sequence T being encrypted byk1. Eve knows nothing about the key k1andk2, so Eve cannot correctly distinguish between the sequenceCBand the sequenceT, if Eve performs the wrong operation, Alice will detect the eavesdropping behavior of Eve. More importantly, the sequence is always in the hands of Alice and will not be published. Even if Eve obtains the measurement result of the sequenceT, it cannot obtain the information directly related to the message m.

3.3 The Trojan Horse Attack

Our protocol is a two-way communication process, so there may be the Trojan horse attack. The Eve or malicious Bob may implement a Trojan attack to get the secret key. To resist the two kinds of Trojan horse attacks [34,35,36], Alice and Bob must place a wavelength filter and a photon number spliter (PNS) before she and he receives the qubits. If it is found that the wavelength of the received particle is not within the previously agreed range, the protocol will terminate and redistribute the secret key.

3.4 The Analysis of the Two Pre-Share Keys

Due to the unconditional security of semi-quantum key distribution, only Alice and Bob know the secret key k1andk2. During the communication process, they must never publish the two secret pre-shared keys. After the above analysis, the malicious users cannot the two pre-shared keys by the Impersonation attack, the Intercept-and-resend attack, and the Trojan horse attack. As long as they key is well preserved, the communicants do not have to renew the secret keys, only when a failure occurs in the eavesdropping check or when the secret keys are used for a long period of time does, the new secret keys have to be shared again between Alice and Bob.

3.5 The Efficiency Analysis

The information theoretical efficiency [37] is defined as\( \eta =\frac{b_s}{q_t+{b}_t}\times 100\% \), wherebs, qt and btare the secret information bits transmitted, the total qubits used and the classical bits exchanged between Alice and Bob. Andqt = qc + d, where qc means the number of qubits used for both sending the message and dmeans the number of qubits used for checking an eavesdropping attempt. In 2017, Shukla et al. [38] have analyzed the efficiency values of these four protocols in detail and given the reasons for explanation. We use their ideas to calculate the efficiency of our two protocols. Note that: The information transfer process of our two protocols is the same.

Firstly, Bob does not need to exchange any classical information with Alice in our two protocols. So thebt = 0. We suppose the length of the secret message m is n, which means thebs = n . In order to transmit n bits of message, Alice needs to use 2n bits quantum qubits to carry them (n bits Bell states), so theqc = 2n. Alice sends the sequence CB(2n) to Bob for eavesdropping detection. Then Bob sends the encrypted sequence CB (2n) back to Alice. So we obtain thed = 2n + 2n = 4n, the qubit efficiency will be\( \eta =\frac{n}{6n+0}\times 100\%=16.7\% \). From Table 1, we can see it is obvious that the efficiency of our protocol is higher than these two protocols in Shukla et al. [38] Here we will abbreviate these two protocols as SPQSDC1, SPQSDC2, and our protocol is denoted as SQSDC.

Table 1 The comparison of qubit efficiency
Full size table

4 Discussion and Conclusion

In this paper, we proposed two authenticated SQSDC protocols, which can be used between a quantum sender and a classical receiver. The first protocol is in the ideal environment. The second protocol, with the introduction of a linear error correction code, can resist the random noise in the quantum channel. With the pre-shared key k1andk2, both proposed protocols can complete the mutual authentication. Efficiency analysis proves that our two protocols have good qubit efficiency and security analyses show that the proposed peotocol are resistant to the Impersonation attack, the Intercept-and-resend attack, and the Trojan horse attack. The pre-shared two secret keys can be reused mutiple times.