Controlled quantum dialogue robust against conspiring users

Abstract

This paper explores a new security problem in controlled quantum dialogue (CQD) protocols, where the communicants may try to conspire to communicate without the controller’s permission. According to our survey, all the previous CQD protocols suffer from this attack. In order to resolve this problem, we also present an improvement protocol. The security analyses show that the improved scheme is secure under this and other well-known attacks.

Appendix: The formal security model

This appendix uses the adversarial model to analyze the public discussion between Charlie and Alice in Step \(2^{\prime \prime }\)-1. Because the security of the public discussion between Charlie and Bob is the same as the one between Charlie and Alice, we omit that part in the following description.

1.1 Formal security model

Let the interactions between an adversary and the protocol participants occur only via oracle queries, which model the adversary’s capabilities in a real attack. Let A denote Alice, C denote Charlie, and P is the public discussion they participate. The participants of P can launch more than one instance. Here we allow a probabilistic polynomial time (PPT) adversary \(\mathscr {A}\) to potentially control all the communication in the network via accessing to a set of oracles as defined below. Let \(A^{i}\) denote the instance i of A. \(C^{\text {j}}\) is the instance j of C.

Execute( \(A^{i}/C^{j}\) ,m) :

This query models the passive attack. An adversary can obtain all messages exchanged between \(A^{i}\) and \(C^{\text {j}}\).

Reveal( \(A^{i}\)):

In this query model, if the oracle has accepted, it returns the secret quantum state between \(A^{i}\) and \(C^{\text {j}}\) to the adversary; otherwise, it returns the null value to the adversary.

Send( \(A^{i}/C^{j}, m\) ) :

This query models an active attack. It returns the information corresponded to an input m that \(A^{i}\) or \(C^{\text {j}}\) would send to each other.

Corrupt( \(A^{i}, a\) ) :

This query models corruption capability of the adversary. If \(a=0\), it returns a null value; otherwise, it returns the secret quantum states between \(A^{i}\) and \(C^{\text {j}}\).

Test( \(C^{j}\) ) :

This query measures whether the public discussion is secure or not. By throwing an unbiased coin, b, if \(b=1\), it returns a random bit sequence with the same length as \(A^{i}\)’s measurement result. The query can only be called once.

In this model, we consider two kinds of adversaries. A passive adversary is allowed to issue the Execute and Test queries and an active adversary is additionally allowed for sending the Send query.

1.2 Definitions of security

To demonstrate the security of the first public discussion, we will give the security definition as follows.

Definition 1

(Partnering) \(A^{i}\) and \(C^{\text {j}}\) are partnered if they mutually authenticate each other.

Definition 2

(Freshness) An entity \(A^{i}\) with the partner \(C^{\text {j}}\) is freshness if the following two conditions hold:

(1) If it has accepted an measurement result \(MR\ne null\) and both the entity and its partner have not been sent a Reveal query.

(2) There is no Corrupt query that has been asked before the query Send has been asked.

The advantage of the adversary \(\mathscr {A}\) is measured by the ability of distinguish a legal measurement result from a random value. We define Succ to be an event that \(\mathscr {A}\) correctly guesses the bit b , which is chosen in the Test query. Hence, the advantage of \(\mathscr {A}\) in the attacked scheme P is defined as: \(Adv_{P}\left( \mathscr {A}\right) =\left| 2\times Pr\left[ Succ\right] -1\right| \). We argue that the public discussion P1 is secure, as \(Adv_{P1}\left( \mathscr {A}\right) \) is negligible. Precisely, the adversary \(\mathscr {A}\) does not have any advantage to obtain the correct measurement result between the participants.

1.3 Security analysis

In the following description, we show that the public discussion, P, holds several security properties, which are required for a secure quantum cryptographic public discussion. Let the maximum advantage of the adversary with running time Tm be for a certain task denoted as \(Adv_{Task}\left( Tm\right) \). The following advantages will be used in the analyses.

\(Adv_{Qubit}^{Clone}\left( Tm\right) \) The advantage for cloning a qubit.

\(Adv_{A}^{Forge}\left( Tm\right) \) The advantage for impersonate himself/herself as Alice (A).

Lemma 1

The advantage for cloning a qubit, \(Adv_{Qubit}^{Clone}\left( Tm\right) \), is negligible.

Proof

The quantum no-cloning theory has already been a well-known theory. Here we briefly describe the proof. \(\square \)

Assume that for an input qubit \(q_{i}\) with an arbitrary state, there exists a clone operation U. The clone operation can be defined as follows:

$$\begin{aligned} \begin{array}{lll} U\left| 0\right\rangle _{i}\left| e\right\rangle _{o} &{} = &{} \left| 0\right\rangle _{i}\left| 0\right\rangle _{o}\\ U\left| 1\right\rangle _{i}\left| e\right\rangle _{o} &{} = &{} \left| 1\right\rangle _{i}\left| 1\right\rangle _{o}\\ U\left| +\right\rangle _{i}\left| e\right\rangle _{o} &{} = &{} \left| +\right\rangle _{i}\left| +\right\rangle _{o}, \end{array} \end{aligned}$$

(3)

where \(\left| e\right\rangle _{o}\) denotes the output qubit, and \(\left| e\right\rangle \) is an arbitrary initial state. Because \(\left| +\right\rangle _{i}=\frac{1}{\sqrt{2}}\left( \left| 0\right\rangle +\left| 1\right\rangle \right) _{i}\), it implies that \(U\left| +\right\rangle _{i}\left| e\right\rangle _{o}= \frac{1}{\sqrt{2}}\left( U\left| 0\right\rangle _{i}\left| e\right\rangle _{o}+U\left| 1\right\rangle _{i}\left| e\right\rangle _{o}\right) = \frac{1}{\sqrt{2}}\left( \left| 0\right\rangle _{i}\left| 0\right\rangle _{o}+\left| 1\right\rangle _{i}\left| 1\right\rangle _{o}\right) \). However, \(U\left| +\right\rangle _{i}\left| e\right\rangle _{o}= \left| +\right\rangle _{i}\left| +\right\rangle _{o}= \frac{1}{\sqrt{2}}\left( \left| 0\right\rangle _{i}\left| 0\right\rangle _{o}\right. \left. +\left| 0\right\rangle _{i}\left| 1\right\rangle _{o}+\left| 1\right\rangle _{i}\left| 0\right\rangle _{o}+\left| 1\right\rangle _{i}\left| 1\right\rangle _{o}\right) \), which is not equal to \(\frac{1}{\sqrt{2}}\left( \left| 0\right\rangle _{i}\left| 0\right\rangle _{o}+\left| 1\right\rangle _{i}\left| 1\right\rangle _{o}\right) \). The contradiction shows that the qubit cannot be cloned. Hence \(Adv_{Qubit}^{Clone}\left( Tm\right) \) is negligible.

Lemma 2

Suppose that there exists an attacker \(\mathscr {A}\), who impersonates as Alice (A) with the running time Tm in the public discussion. Then the advantage of \(\mathscr {A}\), \(Adv_{A}^{Forge}\left( Tm\right) =Adv_{Qubit}^{Clone}\left( Tm\right) \).

Proof

Suppose that \(\mathscr {A}\) impersonates as Alice. In Step 1 of the proposed scheme, the controller sends a quantum sequence to Alice and discusses the decoy photons with Alice in Step 2. If \(\mathscr {A}\) can successfully impersonate as Alice, then she can send her fake photon to Alice, and the controller cannot detect the problem. When the controller sends the qubit sequence \(S_{12}^{\prime }\) to Alice, \(\mathscr {A}\) constructs an attack \(\beta \) to clone every qubit in \(S_{12}^{\prime }\). The sequence of the cloning outputs is denoted as \(\hat{S_{12}^{\prime }}\). Then \(\beta \) sends the original sequence \(S_{12}^{\prime }\) to Alice. Alice will acknowledge the controller that she has received the qubits. Then the controller will announce the bases and positions of the decoy photons to Alice. Alice will select the corresponding qubits from \(S_{12}^{\prime }\) and measure them in the bases the controller announced. Alice then transmits all the measurement results to the controller and he/she can compare the measurement results and his/her initial states of decoy photons to detect the existence of the eavesdroppers. Because this public classical information is transmitted via the authenticated channel shared between Alice and the controller, \(\beta \) cannot forge or modify them. Here \(\beta \)’s goal is to successfully clone the qubits from \(S_{12}^{\prime }\) to \(\hat{S_{12}^{\prime }}\). \(\beta \) runs a subroutine and simulates its attack environment, and gives all the required public parameters to \(\mathscr {A}\). Without losing the generality, assume that \(\mathscr {A}\) does not ask queries on the same message more than once. \(\beta \) maintains a list \(L_{CloneQubit}\) to ensure identical responding and avoid collision of the queries. \(\beta \) simulates the oracle queries of \(\mathscr {A}\) as follows:

Send-query :

The send query is classified into the following types:

• Send\(\left( C^{j},S_{12}^{\prime }\right) \): \(\beta \) clones every qubits in the quantum sequence \(S_{12}\) and forms the output qubits as a new sequence \(\hat{S_{12}^{\prime }}\). \(\beta \) returns \(\hat{S_{12}^{\prime }}\) to \(\mathscr {A}\).

• Send\(\left( A^{i},ok\right) \): Alice sends the acknowledgement to the controller for receiving qubits. \(\beta \) direct pass the collected information to \(\mathscr {A}\).

• Send\( \left( TC,pos \& bases\right) \): The controller announces the positions and bases of the decoy photons to Alice. \(\beta \) direct pass the collected information to \(\mathscr {A}\).

• Send\(\left( C^{i},mr\right) \): Alice sends the measurement results to the controller. \(\beta \) stores these results for the test query.

Execute-query :

When \(\mathscr {A}\) asks for an Execute( \(A^{i}\),\(C^{j}\) ) query, \(\beta \) returns the transcript \( \left\langle \hat{S_{12}^{\prime }},\text{ Send }\left( A^{i},ok\right) ,\text{ Send }\left( C^{j},pos \& bases\right) \right\rangle \) to \(\mathscr {A}\) by using the simulation of send query.

Test-query :

When \(\mathscr {A}\) makes the test query, if the query is not asked in the first session, then \(\beta \) will abort it; otherwise, \(\beta \) randomly chooses a bit b. If \(b=0\), \(\beta \) returns the value of Send\(\left( A^{i},mr\right) \); otherwise, \(\beta \) returns a random string to \(\mathscr {A}\). The adversary has to distinguish the random string from a legal measurement result. In order to do that, if the quantum could be cloned, \(\mathscr {A}\) can measure the qubits from \(\hat{S_{12}^{\prime }}\) by using the positions and bases obtained from the query Send\( \left( C^{j},pos \& bases\right) \). Then the adversary can successfully get the legal measurement results; hence, the random string and the legal measurement results can be distinguished. Hence the adversary’s advantage, \(Adv_{Alice}^{Forge}\left( Tm\right) =Adv_{Qubit}^{Clone}\left( Tm\right) \).