Double C-NOT Attack on a Single-State Semi-Quantum Key Distribution Protocol and Its Improvement

Abstract

Recently, Zhang et al. proposed a single-state semi-quantum key distribution protocol to help a quantum participant share a secret key with a classical participant. However, this study shows that an eavesdropper can use a double C-NOT attack to obtain parts of the final shared key without being detected by the participants. To avoid this problem, a modification is proposed here.

1. Introduction

The quantum key distribution (QKD) protocol [1] is designed to help participants share a secret key without being eavesdropped. However, in most of the existing QKD protocols [2,3,4], all the participants need to have lots of quantum capabilities, such as quantum register, quantum joint measurement, and so on. To help the participants who only have restricted quantum capacities be involved in the QKD, the semi-quantum key distribution (SQKD) protocol is proposed.

In 2007, an SQKD protocol was proposed by Boyer et al. [5]. With their protocol, a classical participant with restricted quantum capacities can share a secret key with a quantum participant who has unrestricted quantum capacities. According to Boyer et al.’s definition, the classical participants are restricted to performing parts of the following quantum operations: (1) generate qubits in Z-basis $\{|0\rangle ,|1\rangle \}$, (2) measure qubits with the Z-basis, (3) reorder the qubits via different quantum delay lines, and (4) send or reflect the qubits. Compared with most quantum cryptography protocols [6,7,8], the SQKD protocol proposed by Boyer et al. is more realistic and easier to implement. Hence, these definitions of ‘semi-quantum’ have been widely used in the subsequent designing of semi-quantum cryptography protocols, such as semi-quantum key distribution protocols [9,10,11,12,13,14], semi-quantum key agreement protocols [15,16,17,18], semi-quantum secret sharing protocols [19,20,21,22,23,24], and so on.

Recently, Zhang et al. [25] proposed a single-state semi-quantum key distribution protocol. They claimed that the proposed SQKD protocol could ensure that a quantum participant and a classical participant could share a secret key without being eavesdropped. However, this study shows that Zhang et al.’s SQKD protocol suffers from a double C-NOT attack, which can reveal parts of the final shared key to an eavesdropper. The proposed attack proves that Zhang et al.’s SQKD protocol cannot be used as a secure one anymore. Moreover, to solve this problem, a modification is proposed.

The rest of this paper is organized as follows. Section 2 briefly reviews Zhang et al.’s SQKD protocol. Section 3 shows that an eavesdropper can obtain parts of the final shared key by a double C-NOT attack and then proposes an improvement to avoid it. Finally, the conclusions are given in Section 4.

2. A Brief Review of Zhang et al.’s SQKD

In Zhang et al.’s protocol [25], four kinds of single photons, {$|0\rangle ,|1\rangle ,|+\rangle =$ $\frac{1}{\sqrt{2}}\left(|0\rangle +|1\rangle \right),|-\rangle =\frac{1}{\sqrt{2}}\left(|0\rangle -|1\rangle \right)$}, are used. Assume that Bob is a classical participant who just has the above quantum capacities {(1), (2), (4)} and that Alice is a quantum participant with unrestricted quantum capacities. Then, Zhang et al.’s SQKD protocol can be described as follows:

Step 1: Alice generates $n$ single photons in $|+\rangle$ and sends these single photons to Bob one by one.

Step 2: Bob generates a random bit sequence $K_B=\left\{k_{B1},k_{B2},\cdots ,k_{Bn}\right\}$. For the ith ($1\le i\le n$) particle received, Bob chooses one of the two following cases, according to $k_{Bi}$:

Case (a). If $k_{Bi}=0$, Bob reflects this particle to Alice directly.

Case (b). If $k_{Bi}=1$, Bob measures this particle with Z-basis and then sends a single photon in the state $|0\rangle$ back to Alice instead.

Step 3: For each particle sent back, Alice randomly uses Z-basis $\{|0\rangle ,|1\rangle \}$ or X-basis $\{|+\rangle ,|-\rangle \}$ to measure it. Then, she generates a value sequence $K_A=\left\{k_{A1},k_{A2},\cdots ,k_{An}\right\}$ according to the measurement results. That is, for the ith ($1\le i\le n$) particle, $k_{Ai}$ is decided as follows.

(1)

If the measurement result is $|1\rangle$, $k_{Ai}=0$.

(2)

If the measurement result is $|-\rangle$, $k_{Ai}=1$.

(3)

Otherwise, $k_{Ai}=-1$.

Step 4: Alice announces all the positions where $k_{Ai}=-1$ and discards these values in $K_A$ to obtain $K_A^{\prime }$. Then, Bob discards the corresponding bits in $K_B$ to derive $K_B^{\prime }$.

Step 5: To check the eavesdropping, Bob randomly chooses half bits in $K_B^{\prime }$ and announces their positions and values. Subsequently, Alice checks whether the announced positions and values are the same as $K_A^{\prime }$ or not. If the error rate exceeds a predetermined value, this protocol will be aborted. Otherwise, Alice and Bob discard the announced bits in $K_A^{\prime }$ and $K_B^{\prime }$ to obtain the final shared key $K_{AB}$, respectively.

3. Double C-NOT Attack and Counterattack on Zhang et al.’s Protocol

Zhang et al. claimed that the above SQKD protocol could ensure that the final shared key is secure. However, this section points out that Zhang et al.’s SQKD protocol suffers from a double C-NOT attack. That is, an eavesdropper Eve who has unlimited quantum capabilities can use a double C-NOT attack to obtain parts of the final shared key without being detected. Additionally, Section 3.2 analyzes the leakage rate of the final shared raw key in Zhang et al.’s SQKD protocol. Finally, to avoid this loophole, a simple modification is proposed here.

3.1. The Double C-NOT Attack on Zhang et al.’s SQKD Protocol

The processes of the double C-NOT attack on Zhang et al.’s protocol can be simply described as follows. For each particle sent from Alice to Bob, Eve performs a C-NOT operation ($C-NOT=|00\rangle \langle 00|+|01\rangle \langle 01|+|10\rangle \langle 11|+|11\rangle \langle 10|$) on both the transmitted particle and a target particle generated by herself. Then, Eve sends the transmitted particle to Bob. After Bob sends a particle back in Step 2, Eve performs a C-NOT operation on this particle and the corresponding target particle again. Subsequently, Eve uses the target particle to judge whether the particle sent back from Bob is the original one or not. According to this, Eve can obtain parts of $K_{AB}$.

For example, as is shown in

Table 1. States transformation during the double C-NOT attack.

Initial	1st C-NOT	${\mathit{K}}_{\mathit{B}}$	Bob’s Operation	Particle Sent Back	2nd C-NOT
$q_c,q_t$	$q_c^1,q_t^1$		$q_c^2,q_t^1$	$q_c^3,q_t^1$	$q_c^4,q_t^1$
${|+0\rangle }_{q_c{q}_t}$	${|{\mathsf{\Phi }}^{+}\rangle }_{q_c^1{q}_t^1}$	0	$\mathrm{Reflect} {|{\mathsf{\Phi }}^{+}\rangle }_{q_c^2{q}_t^1}$	${|{\mathsf{\Phi }}^{+}\rangle }_{q_c^3{q}_t^1}$	${|+0\rangle }_{q_c^4{q}_t^1}$
		1	$\mathrm{measure}\Rightarrow {|00\rangle }_{q_c^2{q}_t^1}$	${|00\rangle }_{q_c^3{q}_t^1}$	${|00\rangle }_{q_c^4{q}_t^1}$
			$\mathrm{measure}\Rightarrow {|11\rangle }_{q_c^2{q}_t^1}$	${|01\rangle }_{q_c^3{q}_t^1}$	${|01\rangle }_{q_c^4{q}_t^1}$

, assume that $q_c$ is the particle sent from Alice to Bob. Eve generates a target particle $q_t$ in the state $|0\rangle$ and performs the 1st-time C-NOT operation on $\left\{q_c,q_t\right\}$ to obtain two qubits $\left\{q_c^1,q_t^1\right\}$. Eve stores $q_t^1$ and sends $q_c^1$ to Bob. Afterward, in Step 2, Bob performs the case (a) or (b) on $q_c^1$ according to $K_B$. If Bob performs the case (b) on $q_c^1$, the measurement result is named $q_c^2$, and then Bob sends a qubit $q_c^3=|0\rangle$ back to Alice. Otherwise, Bob directly reflects the qubit $q_c^1$ to Alice, and here we also use $q_c^3$ to represent this qubit for further discussion. For $q_c^3$ sent back, Eve performs the 2nd-time C-NOT operation on $\left\{q_c^3,q_t^1\right\}$ to obtain $\left\{q_c^4,q_t^2\right\}$ and sends $q_c^4$ to Alice. Subsequently, Eve measures $q_t^2$ with Z-basis. If the measurement result is $|1\rangle$, this means that the corresponding bit in $K_B$ must be ‘1′. Moreover, according to Table 1, we can find that no matter which operation is chosen by Bob in Step 2, $q_c^4$ always matches the case result. That is, if Bob chooses the case (a), $q_c^4$ is in $|+\rangle$, which is the expected result of the case (a) in the original protocol. Similarly, if Bob chooses the case (b), $q_c^4$ will be in $|0\rangle$, which is the same as what is expected. Hence, this attack cannot be detected by the participants during the eavesdropping detection process. This means that Eve can use this attack to obtain parts of $K_{AB}$ without being detected.

3.2. Raw Key Leakage Rate Analysis

By using the above strategy, parts of the final shared key $K_{AB}$ will be obtained by Eve without being detected. If we assume that $n$ single photons $|+\rangle$ are generated in Step 1, the final share raw key $K_{AB}$ is $m$ bits, and the expected leakage bits of $K_{AB}$ are $l$, then the relationships among $n$, $m$, and $l$ can be described as $l=\frac{1}{4}m=\frac{1}{32}n$ (as shown in Figure 1). Hence, the raw key leakage rate is $\frac{l}{m}=\frac{1}{4}$.

3.3. A Solution to Avoid Double C-NOT Attack on Zhang et al.’s SQKD Protocol

As mentioned in Section 3.1, because Eve can distinguish parts of the particles measured by Bob where the measurement result of $q_c^1$ is $|1\rangle$, she can obtain parts of $K_{AB}$. Hence, if Bob and Alice discard all the bits in $K_{AB}$ where the corresponding measurement result of $q_c^1$ is $|1\rangle$, then this problem can be solved. The improved protocol is then described as follows.

Step 1′–3′ are the same as Step 1–3 in Section 2.

Step 4′: Alice announces all the positions where $k_{Ai}=-1$, and Bob announces all the positions where the measurement results are $|1\rangle$ in Step 2. Subsequently, Alice and Bob discard all the bits in the above positions in $K_A$ and $K_B$ to obtain $K_A^{\prime }$ and $K_B^{\prime }$, respectively.

Step 5′ is the same as Step 5 in Section 2.

4. Conclusions

This paper points out a double C-NOT attack on Zhang et al.’s SQKD protocol. With this attack, an eavesdropper can obtain parts of the final shared key without being detected. To solve this problem, a modification, where the involved classical participant does not need to have any extra quantum capacities, is proposed.