Abstract
This paper explores a new security problem in controlled quantum dialogue (CQD) protocols, where the communicants may try to conspire to communicate without the controller’s permission. According to our survey, all the previous CQD protocols suffer from this attack. In order to resolve this problem, we also present an improved protocol. The security analyses show that the improved scheme is secure under this and other well-known attacks.
Acknowledgments
This research is partially supported by the Ministry of Science and Technology, Taiwan, R.O.C., under the Contract No. MOST 104-2221-E-006-102-.
Appendix: The formal security model
This appendix uses the adversarial model to analyze the public discussion between Charlie and Alice in Step \(2^{\prime \prime }\)-1. Because the security of the public discussion between Charlie and Bob is the same as the one between Charlie and Alice, we omit that part in the following description.
1.1 Formal security model
Let the interactions between an adversary and the protocol participants occur only via oracle queries, which model the adversary’s capabilities in a real attack. Let A denote Alice, C denote Charlie, and P denote the public discussion in which they participate. The participants of P can launch more than one instance. Here we allow a probabilistic polynomial time (PPT) adversary \(\mathscr {A}\) to potentially control all the communication in the network by accessing a set of oracles as defined below. Let \(A^{i}\) denote the instance i of A and \(C^{\text {j}}\) denote the instance j of C.
- Execute( \(A^{i}/C^{j}\), m):
This query models the passive attack. An adversary can obtain all messages exchanged between \(A^{i}\) and \(C^{\text {j}}\).
- Reveal( \(A^{i}\)):
In this query model, if the oracle has accepted, it returns the secret quantum state between \(A^{i}\) and \(C^{\text {j}}\) to the adversary; otherwise, it returns the null value to the adversary.
- Send( \(A^{i}/C^{j}, m\) ):
This query models an active attack. It returns the information corresponding to an input m that \(A^{i}\) or \(C^{\text {j}}\) would send to each other.
- Corrupt( \(A^{i}, a\) ):
This query models the corruption capability of the adversary. If \(a=0\), it returns a null value; otherwise, it returns the secret quantum states between \(A^{i}\) and \(C^{\text {j}}\).
- Test( \(C^{j}\) ):
This query measures whether the public discussion is secure or not. An unbiased coin b is thrown; if \(b=1\), it returns a random bit sequence with the same length as \(A^{i}\)’s measurement result. The query can only be called once.
In this model, we consider two kinds of adversaries. A passive adversary is allowed to issue the Execute and Test queries, and an active adversary is additionally allowed to issue the Send query.
1.2 Definitions of security
To demonstrate the security of the first public discussion, we give the following security definitions.
Definition 1
(Partnering) \(A^{i}\) and \(C^{\text {j}}\) are partnered if they mutually authenticate each other.
Definition 2
(Freshness) An entity \(A^{i}\) with the partner \(C^{\text {j}}\) is fresh if the following two conditions hold:
(1) It has accepted a measurement result \(MR\ne null\), and neither the entity nor its partner has been sent a Reveal query.
(2) No Corrupt query has been asked before the Send query has been asked.
The advantage of the adversary \(\mathscr {A}\) is measured by the ability to distinguish a legal measurement result from a random value. We define Succ to be the event that \(\mathscr {A}\) correctly guesses the bit b, which is chosen in the Test query. Hence, the advantage of \(\mathscr {A}\) in the attacked scheme P is defined as: \(Adv_{P}\left( \mathscr {A}\right) =\left| 2\times Pr\left[ Succ\right] -1\right| \). We argue that the public discussion P1 is secure, as \(Adv_{P1}\left( \mathscr {A}\right) \) is negligible. Precisely, the adversary \(\mathscr {A}\) does not have any advantage in obtaining the correct measurement result between the participants.
1.3 Security analysis
In the following description, we show that the public discussion, P, satisfies several security properties that are required for a secure quantum cryptographic public discussion. Let the maximum advantage of an adversary with running time Tm for a certain task be denoted as \(Adv_{Task}\left( Tm\right) \). The following advantages will be used in the analyses.
\(Adv_{Qubit}^{Clone}\left( Tm\right) \): The advantage for cloning a qubit.
\(Adv_{A}^{Forge}\left( Tm\right) \): The advantage for impersonating Alice (A).
Lemma 1
The advantage for cloning a qubit, \(Adv_{Qubit}^{Clone}\left( Tm\right) \), is negligible.
Proof
The quantum no-cloning theorem is already well known. Here we briefly describe the proof.
Assume that for an input qubit \(q_{i}\) with an arbitrary state, there exists a clone operation U. The clone operation can be defined as follows:
where \(\left| e\right\rangle _{o}\) denotes the output qubit, and \(\left| e\right\rangle \) is an arbitrary initial state. Because \(\left| +\right\rangle _{i}=\frac{1}{\sqrt{2}}\left( \left| 0\right\rangle +\left| 1\right\rangle \right) _{i}\), it implies that \(U\left| +\right\rangle _{i}\left| e\right\rangle _{o}= \frac{1}{\sqrt{2}}\left( U\left| 0\right\rangle _{i}\left| e\right\rangle _{o}+U\left| 1\right\rangle _{i}\left| e\right\rangle _{o}\right) = \frac{1}{\sqrt{2}}\left( \left| 0\right\rangle _{i}\left| 0\right\rangle _{o}+\left| 1\right\rangle _{i}\left| 1\right\rangle _{o}\right) \). However, \(U\left| +\right\rangle _{i}\left| e\right\rangle _{o}= \left| +\right\rangle _{i}\left| +\right\rangle _{o}= \frac{1}{\sqrt{2}}\left( \left| 0\right\rangle _{i}\left| 0\right\rangle _{o}+\left| 0\right\rangle _{i}\left| 1\right\rangle _{o}+\left| 1\right\rangle _{i}\left| 0\right\rangle _{o}+\left| 1\right\rangle _{i}\left| 1\right\rangle _{o}\right) \), which is not equal to \(\frac{1}{\sqrt{2}}\left( \left| 0\right\rangle _{i}\left| 0\right\rangle _{o}+\left| 1\right\rangle _{i}\left| 1\right\rangle _{o}\right) \). The contradiction shows that the qubit cannot be cloned. Hence \(Adv_{Qubit}^{Clone}\left( Tm\right) \) is negligible. \(\square \)
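The linearity argument of this proof, extended from \(\left| +\right\rangle \) to any real-amplitude qubit \(\cos \theta \left| 0\right\rangle +\sin \theta \left| 1\right\rangle \), as an added example that is not code from the paper. The function names are hypothetical; `linear_copier` is the map that linearity forces once U copies \(\left| 0\right\rangle \) and \(\left| 1\right\rangle \) correctly.

```python
import math

# Amplitude order for two qubits: |00>, |01>, |10>, |11> (input qubit first).

def kron(a, b):
    """Tensor product of two single-qubit amplitude vectors."""
    return [x * y for x in a for y in b]

def linear_copier(qubit):
    """Action of U on (a|0> + b|1>)|e>, given U|0>|e> = |0>|0> and U|1>|e> = |1>|1>.

    Linearity leaves no freedom: the result must be a|00> + b|11>.
    """
    a, b = qubit
    return [a, 0.0, 0.0, b]

def clone_fidelity(theta):
    """Squared overlap between U|psi>|e> and two true copies |psi>|psi>."""
    psi = [math.cos(theta), math.sin(theta)]
    ideal = kron(psi, psi)            # what a real cloner would have to output
    produced = linear_copier(psi)     # what the linear map actually outputs
    overlap = sum(x * y for x, y in zip(ideal, produced))
    return overlap ** 2

def worst_case(steps=180):
    """Scan theta over [0, pi) and return the (theta, fidelity) pair with lowest fidelity."""
    thetas = [k * math.pi / steps for k in range(steps)]
    return min(((t, clone_fidelity(t)) for t in thetas), key=lambda tf: tf[1])

if __name__ == "__main__":
    for label, theta in [("|0>", 0.0), ("|1>", math.pi / 2),
                         ("|+>", math.pi / 4), ("|->", 3 * math.pi / 4)]:
        print(label, round(clone_fidelity(theta), 6))
    print("worst case:", worst_case())
```

The basis states are copied with fidelity 1, \(\left| +\right\rangle \) only with fidelity 1/2, and \(\left| -\right\rangle \) with fidelity 0, so no single U works for all inputs.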
Lemma 2
Suppose that there exists an attacker \(\mathscr {A}\) who impersonates Alice (A) with the running time Tm in the public discussion. Then the advantage of \(\mathscr {A}\) is \(Adv_{A}^{Forge}\left( Tm\right) =Adv_{Qubit}^{Clone}\left( Tm\right) \).
Proof
Suppose that \(\mathscr {A}\) impersonates Alice. In Step 1 of the proposed scheme, the controller sends a quantum sequence to Alice and discusses the decoy photons with Alice in Step 2. If \(\mathscr {A}\) can successfully impersonate Alice, then she can send her fake photon to Alice, and the controller cannot detect the problem. When the controller sends the qubit sequence \(S_{12}^{\prime }\) to Alice, \(\mathscr {A}\) constructs an attack \(\beta \) to clone every qubit in \(S_{12}^{\prime }\). The sequence of the cloning outputs is denoted as \(\hat{S_{12}^{\prime }}\). Then \(\beta \) sends the original sequence \(S_{12}^{\prime }\) to Alice. Alice will acknowledge to the controller that she has received the qubits. Then the controller will announce the bases and positions of the decoy photons to Alice. Alice will select the corresponding qubits from \(S_{12}^{\prime }\) and measure them in the bases the controller announced. Alice then transmits all the measurement results to the controller, and he/she can compare the measurement results with his/her initial states of the decoy photons to detect the existence of eavesdroppers. Because this public classical information is transmitted via the authenticated channel shared between Alice and the controller, \(\beta \) cannot forge or modify it. Here \(\beta \)’s goal is to successfully clone the qubits from \(S_{12}^{\prime }\) to \(\hat{S_{12}^{\prime }}\). \(\beta \) runs a subroutine, simulates its attack environment, and gives all the required public parameters to \(\mathscr {A}\). Without loss of generality, assume that \(\mathscr {A}\) does not ask queries on the same message more than once. \(\beta \) maintains a list \(L_{CloneQubit}\) to ensure identical responses and avoid collisions among the queries. \(\beta \) simulates the oracle queries of \(\mathscr {A}\) as follows:
- Send-query:
The send query is classified into the following types:
  - Send\(\left( C^{j},S_{12}^{\prime }\right) \): \(\beta \) clones every qubit in the quantum sequence \(S_{12}\) and forms the output qubits as a new sequence \(\hat{S_{12}^{\prime }}\). \(\beta \) returns \(\hat{S_{12}^{\prime }}\) to \(\mathscr {A}\).
  - Send\(\left( A^{i},ok\right) \): Alice sends the acknowledgement to the controller for receiving the qubits. \(\beta \) directly passes the collected information to \(\mathscr {A}\).
  - Send\( \left( TC,pos \& bases\right) \): The controller announces the positions and bases of the decoy photons to Alice. \(\beta \) directly passes the collected information to \(\mathscr {A}\).
  - Send\(\left( C^{i},mr\right) \): Alice sends the measurement results to the controller. \(\beta \) stores these results for the test query.
- Execute-query:
When \(\mathscr {A}\) asks for an Execute( \(A^{i}\),\(C^{j}\) ) query, \(\beta \) returns the transcript \( \left\langle \hat{S_{12}^{\prime }},\text{ Send }\left( A^{i},ok\right) ,\text{ Send }\left( C^{j},pos \& bases\right) \right\rangle \) to \(\mathscr {A}\) by using the simulation of the send query.
- Test-query:
When \(\mathscr {A}\) makes the test query, if the query is not asked in the first session, then \(\beta \) will abort it; otherwise, \(\beta \) randomly chooses a bit b. If \(b=0\), \(\beta \) returns the value of Send\(\left( A^{i},mr\right) \); otherwise, \(\beta \) returns a random string to \(\mathscr {A}\). The adversary has to distinguish the random string from a legal measurement result. In order to do that, if the quantum could be cloned, \(\mathscr {A}\) can measure the qubits from \(\hat{S_{12}^{\prime }}\) by using the positions and bases obtained from the query Send\( \left( C^{j},pos \& bases\right) \). Then the adversary can successfully get the legal measurement results; hence, the random string and the legal measurement results can be distinguished. Hence the adversary’s advantage is \(Adv_{Alice}^{Forge}\left( Tm\right) =Adv_{Qubit}^{Clone}\left( Tm\right) \).
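The Test-query game above and the advantage \(Adv_{P}\left( \mathscr {A}\right) =\left| 2\times Pr\left[ Succ\right] -1\right| \), simulated classically as an added example that is not code from the paper. Assumptions of this sketch: decoy photons are modelled as (basis, bit) pairs in two bases labelled Z and X, the channel is noise-free, the perfect cloner is a hypothetical oracle, and all names are illustrative.

```python
import random

def play_test_game(n_decoys, can_clone, rng):
    """Run one Test-query game; return True if the adversary guesses b correctly."""
    # Constructed decoy photons prepared by the controller: (basis, bit) pairs.
    decoys = [(rng.choice("ZX"), rng.randrange(2)) for _ in range(n_decoys)]
    # Alice measures each decoy in its announced basis, so her measurement
    # results mr equal the prepared bits on a noise-free channel.
    mr = [bit for _, bit in decoys]

    # Test query: b = 0 returns the legal results, b = 1 a random string
    # of the same length.
    b = rng.randrange(2)
    challenge = mr if b == 0 else [rng.randrange(2) for _ in range(n_decoys)]

    if can_clone:
        # Hypothetical perfect cloner: the adversary holds exact copies and
        # measures them in the announced bases, reproducing mr.
        copies = list(decoys)
        predicted = [bit for _, bit in copies]
        guess = 0 if predicted == challenge else 1
    else:
        # No copies: the adversary sees only the acknowledgement, positions,
        # bases and the challenge. Any function of that view (here the parity
        # of the challenge) is independent of b.
        guess = sum(challenge) % 2
    return guess == b

def estimate_advantage(n_decoys, can_clone, trials=4000, seed=1):
    """Empirical |2 * Pr[Succ] - 1| over seeded, repeatable trials."""
    rng = random.Random(seed)
    wins = sum(play_test_game(n_decoys, can_clone, rng) for _ in range(trials))
    return abs(2 * wins / trials - 1)

if __name__ == "__main__":
    print("with cloning oracle:", estimate_advantage(16, True))
    print("without cloning:    ", estimate_advantage(16, False))
```

With the cloning oracle the estimated advantage is close to 1; without it the estimate stays near 0, which is the link between \(Adv_{A}^{Forge}\) and \(Adv_{Qubit}^{Clone}\) that Lemma 2 states.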
Cite this article
Kao, SH., Hwang, T. Controlled quantum dialogue robust against conspiring users. Quantum Inf Process 15, 4313–4324 (2016). https://doi.org/10.1007/s11128-016-1370-4
DOI: https://doi.org/10.1007/s11128-016-1370-4