Improving the Control Strategy in two-way deterministic cryptographic protocols
Anita Eusebi ∗ and Stefano Mancini †
School of Science and Technology, University of Camerino, I-62032 Camerino, Italy, EU

We introduce a new control strategy on a two-way deterministic cryptographic scheme, which relies on a suitable unitary transformation rather than quantum measurement. The study is developed for $d$-ary alphabets and the particular choice of the transformation works when $d$ is an odd prime power. It leads to an improvement of the protocol security, which we prove to increase with the alphabet order $d$.

PACS numbers: 03.67.Dd, 03.65.Fd
I. INTRODUCTION
The pioneering protocol for Quantum Key Distribution (QKD) is known to be the BB84 [1]. This allows two remote parties (Alice and Bob) to share a secret key by a unidirectional use of a quantum channel. It has a probabilistic character, that is, on each use of the quantum channel, the sender (Alice) is not sure that the encoded symbol will be correctly decoded by the receiver (Bob).

In the last decade a new generation of protocols has been introduced realizing QKD processes in a deterministic way [2–6]. In this case Alice is sure that Bob will exactly decode the symbol she has encoded. Another important feature of the protocols defined in [3–6] is the bidirectional use of the quantum channel.

Just as extensions of BB84 to larger alphabets have been developed [7, 8], a number of works extend the deterministic protocols proposed in [4, 5] to higher dimensions, in particular for a tri-dimensional alphabet [9, 10], for a continuous infinite-dimensional alphabet [11] and for $d$-ary alphabets with $d$ a prime power dimension [12].

In all these cases the security of the protocol is guaranteed by a control process, which amounts to quantum measurements performed by Alice and the subsequent comparison on the public channel of the bases used by Alice and Bob.

In this paper, by considering the general two-way deterministic protocol proposed in [12], we suggest a new strategy for the control process. More precisely, we show that it can be realized by a suitable unitary transformation as well. Moreover, we study the same powerful eavesdropping attack as in [12] on the forward and backward path of the quantum channel and we obtain an improvement of the security performance. In particular we show that the security of the protocol increases in terms of the alphabet order $d$.

Finally, we also address the issue of Quantum Direct Communication (QDC) [3, 13–15] and see that in this case the optimal dimension is $d = 3$.

Our protocol is based on Mutually Unbiased Bases (MUB) [16–20], so it generally works for prime power dimensions $d$. But our new control strategy is valid only for odd prime powers, so we limit our work to this case.

II. THE PROTOCOL
Let us consider a qudit, i.e., a $d$-dimensional quantum system, and indicate with $\mathcal{H}_d$ the associated Hilbert space. A set of orthonormal bases in $\mathcal{H}_d$ is called a set of Mutually Unbiased Bases (MUB) if the absolute value of the inner product of any two vectors from different bases is $1/\sqrt{d}$ (the MUBness condition) [12, 16–19].

At present, no example of a maximal set is known if the Hilbert space dimension is a composite number; otherwise, it is known that there exists a maximal set of $d + 1$ MUB in Hilbert spaces of prime power dimension $d = p^m$, with $p$ a prime number and $m$ a positive integer [16–19].

∗ Electronic address: anita.eusebi(at)unicam.it
† Electronic address: stefano.mancini(at)unicam.it
Here, we focus on this case and from now on we denote the $d + 1$ MUB of $\mathcal{H}_d$ by $|v^k_t\rangle$, with $k = 0, 1, \dots, d$ and $t = 0, 1, \dots, d-1$, and by $\omega$ the $p$-th root of unity $e^{i2\pi/p}$. Hence, we choose $\{|v^0_t\rangle\}_{t=0,\dots,d-1}$ as the computational basis and use the explicit formula given in [20] for the MUB vectors to express the vectors of any other basis in the following compact way:

$$|v^k_t\rangle = \frac{1}{\sqrt{d}} \sum_{q=0}^{d-1} \omega^{\ominus q \odot t} \left(\omega^{(k-1) \odot q \odot q}\right)^{1/2} |v^0_q\rangle, \quad \text{with } k = 1, \dots, d \text{ and } t = 0, 1, \dots, d-1. \qquad (1)$$

This expression satisfies the MUBness condition for $d$ any prime power, both even and odd (see the Appendix in [12] for the even case). However, in the following we make use of (1) only in the case of odd prime power dimensions.

In this context, we deal with the Galois field $G = \mathbb{F}(p^m)$ of $d$ elements, according to its mathematical properties. Notice that finite fields with $d$ elements exist if and only if $d$ is a prime power. In particular, we denote by $\oplus$, $\odot$ and $\ominus$ respectively the addition, the multiplication and the subtraction in the field $G$. Usually, an element of $G$ is represented by an $m$-tuple $(g_0, g_1, \dots, g_{m-1})$ of integers modulo $p$. According to this representation, $\oplus$ corresponds to the componentwise addition modulo $p$ (this is a direct consequence of the fact that, for all finite fields of $d = p^m$ elements, the characteristic of the field is exactly the prime number $p$).

Following [20], we identify $G$ with $\{0, 1, \dots, d-1\}$, paying attention to distinguish the operations in the field from the usual ones. Namely, we identify $(g_0, g_1, \dots, g_{m-1})$ with the integer $g = \sum_{n=0}^{m-1} g_n p^n$. This allows us to consider the vector label $t$ in $|v^k_t\rangle$ as an element of $G$ and to write $\omega^g$ with $g \in G$ (notice that in this way we have $\omega^g = \omega^{g_0}$).

As in [12], we consider Bob sending to Alice a qudit state randomly chosen from the set $\{|v^k_t\rangle\}_{k=1,\dots,d;\; t=0,\dots,d-1}$ of MUB. Then, whatever the state is, Alice has to encode a symbol belonging to a $d$-ary alphabet $A = \{0, \dots, d-1\}$ in such a way that Bob will be able to unambiguously decode it (notice that the alphabet $A$ can be identified with the Galois field $G$). Besides encoding, Alice has to perform a control process to guarantee the security of the protocol.

A. Encoding process
As in [12], we consider the unitary transformations $V_a$ for $a \in A$, defined by

$$V_a |v^0_t\rangle = \omega^{t \odot a} |v^0_t\rangle, \qquad (2)$$

which can be regarded as the generalized Pauli $Z$ operators.

Such an operator $V_a$ realizes the same shift on all the bases but the computational one, that is, for $k > 0$

$$V_a |v^k_t\rangle = \frac{1}{\sqrt{d}} \sum_{q=0}^{d-1} \omega^{\ominus q \odot (t \ominus a)} \left(\omega^{(k-1) \odot q \odot q}\right)^{1/2} |v^0_q\rangle = |v^k_{t \ominus a}\rangle. \qquad (3)$$

Then, Alice's encoding operation will be the shift operation realized by this operator $V_a$ for $a \in A$. In such a case, Bob, receiving back the state $|v^k_{t \ominus a}\rangle$, can unambiguously determine $a$ by means of a projective measurement onto the $k$-th basis. In fact, he will get the value

$$b = t \ominus a, \qquad (4)$$

from which, knowing $t$, he can extract $a$.

B. Control Strategy
Here, we propose an innovative way of realizing the control process to guarantee the security of the protocol. Instead of the usual quantum measurement [12], we introduce the control by means of a unitary transformation applied by Alice. Such an operator should realize a permutation of the vectors within each basis, to allow Bob a reliable data gathering, but not a cyclic shift, so as to differ from the encoding.

A unitary transformation $W$ satisfying such conditions can be defined as acting on the computational basis in the following way:

$$W |v^0_t\rangle = |v^0_{\ominus t}\rangle. \qquad (5)$$

Then, for each other basis $k$, with $k \neq 0$, we have:

$$W |v^k_t\rangle = \frac{1}{\sqrt{d}} \sum_{q=0}^{d-1} \omega^{\ominus q \odot t} \left(\omega^{(k-1) \odot q \odot q}\right)^{1/2} W |v^0_q\rangle = \frac{1}{\sqrt{d}} \sum_{s=0}^{d-1} \omega^{s \odot t} \left(\omega^{(k-1) \odot (\ominus s) \odot (\ominus s)}\right)^{1/2} |v^0_s\rangle = |v^k_{\ominus t}\rangle. \qquad (6)$$

That is, $W$ performs the Galois field opposite for each basis ($k = 0, \dots, d$) as follows:

$$W |v^k_t\rangle = |v^k_{\ominus t}\rangle. \qquad (7)$$

Notice that this transformation satisfies the condition indicated above only when $d$ is an odd prime power dimension. In fact, for $d = 2^m$ the $W$ operator reduces to the identity, which is not acceptable. It seems reasonable to suppose that no transformation of this kind exists when $d$ is a power of 2, and moreover that $W$ is the only kind of operator with the required properties when $d$ is an odd prime.

C. Description of the protocol
Then, the protocol runs as follows:

1. Bob randomly prepares one of the $d^2$ qudit states $|v^k_t\rangle$, with $k = 1, \dots, d$ and $t = 0, \dots, d-1$, and sends it to Alice.

2. Alice, upon receiving the qudit state, has two options.
   a) With probability $c \neq 0$, she performs a control by applying the unitary operator $W$ (Control Mode). She then sends back to Bob the resulting state.
   b) With probability $1 - c$, she encodes a symbol $a \in A$ by applying the unitary operator $V_a$ (Message Mode). She then sends back to Bob the resulting state.

3. Bob, upon receiving back the qudit state, performs a measurement by projecting over the basis to which the qudit state initially belonged.

4. At the end of the transmission, Alice publicly declares on which runs she performed the control mode and on which others the message mode. It is important to remark at this point that Alice does not announce the bases because she did not perform any measurement. For a noiseless channel and no eavesdropping, Bob will have obtained the qudit resulting from the action of the $W$ operator in the control mode runs, while he will have got the encoded symbol $a$ in the message mode runs.

III. SECURITY OF THE PROTOCOL
At first, we consider the most elementary of individual attacks: the Intercept-Resend. Suppose Eve, to learn Alice's operation, performs projective measurements on both paths of the travelling qudit, randomly choosing the measuring basis. She will steal the whole information for each message mode run, independently of the chosen basis.

However, in each control mode run, she can guess the correct basis (the same as Bob's) with probability $1/d$, and in this case she is not detected at all. If otherwise Eve chooses the wrong basis, which happens with probability $(d-1)/d$, she still has a probability $1/d$ to evade detection. The latter is exactly the probability that a vector belonging to the wrong basis will by chance be projected back to the correct vector of the original basis by Bob's measurement. This means that Alice and Bob reveal Eve with probability $(d-1)^2/d^2$, which is greater than the result found in [12].

Now, we are going to evaluate the security of the protocol against a more powerful individual attack, already discussed in [12]. It is known that, quite generally, in individual attacks Eve lets the carrier of information interact with an ancilla system she has prepared and then tries to gain information by measuring the ancilla. In this protocol, she has to do that two times, in the forward path (to gain information about the state Bob sends to Alice) and in the backward path (to gain information about the state Alice sends back to Bob, hence about Alice's transformation). Moreover, by using the same ancilla in the forward and backward path, Eve could benefit from quantum interference effects (see Fig. 1).

As proposed in [12], the attack is described as controlled shifts $C\{V_l\}_{l \in A} : \mathcal{H}_d \otimes \mathcal{H}_d \to \mathcal{H}_d \otimes \mathcal{H}_d$, where the controller is the traveling qudit while the target is in Eve's hands, and it is defined as follows:

$$|v^1_{t_1}\rangle |v^1_{t_2}\rangle \xrightarrow{\;C\{V_l\}_{l \in A}\;} |v^1_{t_1}\rangle V_{l = t_1} |v^1_{t_2}\rangle = |v^1_{t_1}\rangle |v^1_{t_2 \ominus t_1}\rangle. \qquad (8)$$

We remark that, in this definition, the controller as well as the target states are considered in the dual basis for the sake of simplicity. Other choices (except the computational basis) will give the same final results.

Then, we consider Eve intervening in the forward path with $(C\{V_l\}_{l \in A})^{-1}$, defined by

$$|v^1_{t_1}\rangle |v^1_{t_2}\rangle \xrightarrow{\;(C\{V_l\}_{l \in A})^{-1}\;} |v^1_{t_1}\rangle V_{\ominus t_1} |v^1_{t_2}\rangle = |v^1_{t_1}\rangle |v^1_{t_2 \ominus (\ominus t_1)}\rangle = |v^1_{t_1}\rangle |v^1_{t_2 \oplus t_1}\rangle, \qquad (9)$$

and with $C\{V_l\}_{l \in A}$ in the backward path.

FIG. 1: The scheme summarizing our protocol. Labels B and E stand for Bob's and Eve's qudit systems respectively. Label A denotes Alice's operation on Bob's qudit. $(C\{V_l\}_{l \in A})^{-1}$ and $C\{V_l\}_{l \in A}$ represent the eavesdropping operations on the forward and backward path respectively.

A. Message Mode
Now, let us analyze in detail the transformations of the quantum states on an entire message mode run.

Attack on the forward path. The initial Bob state is one of the $d^2$ states $|v^k_t\rangle$, with $k = 1, \dots, d$ and $t = 0, \dots, d-1$. Then, Eve initially prepares the ancilla state $|v^1_0\rangle_E$ in the dual basis and performs the controlled operation. Hence, we get

$$|v^k_t\rangle_B |v^1_0\rangle_E = \sum_{h=0}^{d-1} \langle v^1_h | v^k_t \rangle |v^1_h\rangle_B |v^1_0\rangle_E \xrightarrow{\;(C\{V_l\}_{l \in A})^{-1}\;} \sum_{h=0}^{d-1} \langle v^1_h | v^k_t \rangle |v^1_h\rangle_B |v^1_h\rangle_E. \qquad (10)$$

Encoding. Bob's qudit state undergoes the shift $V_a$ with $a \in A$, then from (10) we get

$$\xrightarrow{\;V_a\;} \sum_{h=0}^{d-1} \langle v^1_h | v^k_t \rangle |v^1_{h \ominus a}\rangle_B |v^1_h\rangle_E. \qquad (11)$$

Attack on the backward path. The state (11) undergoes a $C\{V_l\}_{l \in A}$ operation, hence we have

$$\xrightarrow{\;C\{V_l\}_{l \in A}\;} \sum_{h=0}^{d-1} \langle v^1_h | v^k_t \rangle |v^1_{h \ominus a}\rangle_B |v^1_{h \ominus (h \ominus a)}\rangle_E = \sum_{h=0}^{d-1} \langle v^1_h | v^k_t \rangle |v^1_{h \ominus a}\rangle_B |v^1_a\rangle_E = |v^k_{t \ominus a}\rangle_B |v^1_a\rangle_E. \qquad (12)$$

Finally, Eve measures her ancilla system by projecting in the dual basis, according to the chosen initial ancilla state.

We notice that the controlled operations performed by Eve, as well as her final measurement, leave Bob's qudit state unchanged. Hence, Bob's measurement by projection in the $k$-th basis, to which the initial state belonged, always allows him to obtain the symbol $a$ Alice has encoded [see (4)].

On the other hand, Eve gets $|v^1_a\rangle$ with probability 1 as the result of her measurement. Therefore, she is able to exactly determine the encoded symbol $a$ as well and she steals the whole information, quantified in bits,

$$I_E = \log_2 d, \qquad (13)$$

on each message mode run.

B. Control Mode
We would like to evaluate the probability $P_E$ that Alice and Bob reveal Eve on each control mode run. The situation is different for $k = 1$ and $k \neq 1$, due to Eve's choice of using the dual basis for her ancilla.

For $k = 1$, on the forward path with probability $1/d$ we have:

$$|v^1_t\rangle_B |v^1_0\rangle_E \xrightarrow{\;(C\{V_l\}_{l \in A})^{-1}\;} |v^1_t\rangle_B |v^1_t\rangle_E. \qquad (14)$$

Then, Alice applies her control strategy:

$$|v^1_t\rangle_B |v^1_t\rangle_E \xrightarrow{\;W\;} |v^1_{\ominus t}\rangle_B |v^1_t\rangle_E. \qquad (15)$$

On the backward path the following happens:

$$|v^1_{\ominus t}\rangle_B |v^1_t\rangle_E \xrightarrow{\;C\{V_l\}_{l \in A}\;} |v^1_{\ominus t}\rangle_B |v^1_{t \ominus (\ominus t)}\rangle_E = |v^1_{\ominus t}\rangle_B |v^1_{2t}\rangle_E. \qquad (16)$$

Notice that $t \oplus t = 2 \odot t = 2t$ from 0 to $p - 1$, while $t \oplus t = 2t = 2 \odot t$ from $p$ forward being $2 < p$.

It results that Eve's attack does not alter Bob's and Alice's vectors, hence Bob, upon his final measurement, will get $\ominus t$ with probability 1. Then, Bob does not outwit Eve's attacks:

$$P_E = 0. \qquad (17)$$

For $k = 2, \dots, d$, on the forward path with probability $(d-1)/d$ we get:

$$|v^k_t\rangle_B |v^1_0\rangle_E = \sum_{h=0}^{d-1} \langle v^1_h | v^k_t \rangle |v^1_h\rangle_B |v^1_0\rangle_E \xrightarrow{\;(C\{V_l\}_{l \in A})^{-1}\;} \sum_{h=0}^{d-1} \langle v^1_h | v^k_t \rangle |v^1_h\rangle_B |v^1_h\rangle_E. \qquad (18)$$

Then, Alice applies her control strategy:

$$\sum_{h=0}^{d-1} \langle v^1_h | v^k_t \rangle |v^1_h\rangle_B |v^1_h\rangle_E \xrightarrow{\;W\;} \sum_{h=0}^{d-1} \langle v^1_h | v^k_t \rangle |v^1_{\ominus h}\rangle_B |v^1_h\rangle_E. \qquad (19)$$

On the backward path the following happens:

$$\sum_{h=0}^{d-1} \langle v^1_h | v^k_t \rangle |v^1_{\ominus h}\rangle_B |v^1_h\rangle_E \xrightarrow{\;C\{V_l\}_{l \in A}\;} \sum_{h=0}^{d-1} \langle v^1_h | v^k_t \rangle |v^1_{\ominus h}\rangle_B |v^1_{h \ominus (\ominus h)}\rangle_E = \sum_{h=0}^{d-1} \langle v^1_h | v^k_t \rangle |v^1_{\ominus h}\rangle_B |v^1_{2h}\rangle_E. \qquad (20)$$

Notice that $|v^1_{2h}\rangle_E = |v^1_{2 \odot h}\rangle_E$ for $2 < p$, that is in $G = \mathbb{F}(p^m)$ of characteristic $p > 2$.

$$P_E = \frac{d-1}{d}. \qquad (21)$$

In summary, from the two cases analyzed above, we conclude that the probability for Alice and Bob to outwit Eve on each control mode run is

$$P_E = \left(\frac{1}{d}\right) \cdot 0 + \left(\frac{d-1}{d}\right) \cdot \frac{d-1}{d} = \left(\frac{d-1}{d}\right)^2, \qquad (22)$$

where

• $1/d$ is the probability with which Bob and Eve use the same basis (that is the dual basis for $k = 1$);
• $(d-1)/d$ is the probability that the basis Eve chooses for the ancilla is different from Bob's choice of basis for the initial state $|v^k_t\rangle$ (then any basis but the dual one, that is $k \neq 1$);
• $(d-1)/d$ is analogously the respective probability of Bob outwitting Eve.

Notice that this quantity is considerably greater than the analogous one obtained with the control strategy based upon measurement in [12]. Essentially that happens because here the probability $P_E$ is no longer conditioned on the probability that Alice and Bob measure in the same bases (this would imply another factor $1/d$). In fact, only Bob performs a measurement (at the end of the path) and he knows what is the correct basis over which to project (that is the one to which the initial qudit state belonged).

The behavior of $P_E$ as a function of the order $d$ of the alphabet is shown in Fig. 2. It can be seen that the probability $P_E$ of revealing Eve in each successful control mode run increases towards 1 by increasing the dimension $d$. Thus, the efficiency of the whole control process increases accordingly.
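An added numerical check of the control-mode analysis (not code from the paper): it simulates Eve's forward and backward controlled-shift attack for prime $d = p$ and recovers the detection probability of (22), and confirms that a message mode run leaks the symbol without disturbing Bob. Assumptions: $m = 1$, so field operations are arithmetic mod $p$; the MUB phases follow formula (1) with the square root implemented as multiplication of the exponent by the inverse of 2 mod $p$; all function names are illustrative.

```python
import cmath
import math

def mub_vector(p, k, t):
    """Computational-basis amplitudes of |v^k_t>, k = 1..p, for an odd prime p."""
    half = pow(2, -1, p)  # inverse of 2 in Z_p (assumed reading of the 1/2 power)
    return [cmath.exp(2j * math.pi * ((-q * t + (k - 1) * half * q * q) % p) / p)
            / math.sqrt(p) for q in range(p)]

def inner(u, v):
    """<u|v> for two amplitude lists."""
    return sum(x.conjugate() * y for x, y in zip(u, v))

def run(p, k, t, mode, a=0):
    """One attacked run; mode is "control" (Alice applies W) or "message" (V_a).
    Returns (probability that Bob sees the outcome he expects,
             distribution of Eve's dual-basis measurement on her ancilla)."""
    dual = [mub_vector(p, 1, h) for h in range(p)]
    # Bob's state expanded in the dual basis; Eve's ancilla starts in |v^1_0>.
    # Joint state: {(bob_label, eve_label): amplitude}, labels in the dual basis.
    state = {(h, 0): inner(dual[h], mub_vector(p, k, t)) for h in range(p)}
    # Forward path, inverse controlled shift: eve_label -> eve_label + bob_label.
    state = {(b, (e + b) % p): amp for (b, e), amp in state.items()}
    if mode == "control":      # W sends label -> -label in every basis, Eq. (7)
        state = {((-b) % p, e): amp for (b, e), amp in state.items()}
        expected = (-t) % p
    else:                      # V_a sends label -> label - a, Eq. (3)
        state = {((b - a) % p, e): amp for (b, e), amp in state.items()}
        expected = (t - a) % p
    # Backward path, controlled shift: eve_label -> eve_label - bob_label.
    state = {(b, (e - b) % p): amp for (b, e), amp in state.items()}
    target = mub_vector(p, k, expected)
    eve = [0.0] * p
    p_ok = 0.0
    for e_out in range(p):
        branch = {b: amp for (b, e), amp in state.items() if e == e_out}
        eve[e_out] = sum(abs(amp) ** 2 for amp in branch.values())
        # Bob projects onto |v^k_expected> within this ancilla branch.
        p_ok += abs(sum(inner(target, dual[b]) * amp
                        for b, amp in branch.items())) ** 2
    return p_ok, eve

def detection_probability(p):
    """P_E averaged over Bob's p*p equiprobable preparations in control mode."""
    total = sum(1.0 - run(p, k, t, "control")[0]
                for k in range(1, p + 1) for t in range(p))
    return total / (p * p)

if __name__ == "__main__":
    for p in (3, 5, 7):
        print(p, round(detection_probability(p), 6), ((p - 1) / p) ** 2)
    ok, eve = run(5, 3, 2, "message", a=4)
    print("Bob decodes with prob", round(ok, 6), "| Eve:", [round(x, 6) for x in eve])
```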
FIG. 2: The probability $P_E$ versus the dimension $d$ (bars correspond to odd prime power numbers).

IV. CONCLUDING REMARKS
In this paper, we have revisited the deterministic cryptographic protocol of [12], which represents a generalization to a $d$-ary alphabet of the bidirectional quantum cryptographic scheme of [4–6]. Here we have introduced a control strategy based on a suitable unitary transformation rather than quantum measurements. The latter gave an optimal $d = 3$ for the security. Now it results that the quantity of information that Eve can steal is the same as in [12], but the probability $P_E$ to outwit Eve increases in terms of the alphabet order $d$, that is, the larger the alphabet, the higher the security.

As a consequence of the deterministic nature of the protocol, this can also be used for Quantum Direct Communication (QDC) between legitimate users [3, 5, 12–15], that is when Alice and Bob (after authentication) communicate directly the meaningful message without encryption. Notice that for this kind of communication only an asymptotic security can be proven.

Hence, if we assume that Eve wants to perform her attack on each message mode run, without having been detected in the previous control mode runs, then the probability is given by the following geometric series:

$$(1 - c) + c(1 - P_E)(1 - c) + c^2 (1 - P_E)^2 (1 - c) + \dots = \frac{1 - c}{1 - c(1 - P_E)}. \qquad (23)$$

Thus, being $I_E$ the quantity of information that Eve eavesdrops in a single attack, the probability that she successfully eavesdrops an amount of information $I$ is

$$\left(\frac{1 - c}{1 - c(1 - P_E)}\right)^{I/I_E}, \qquad (24)$$

with $I_E$ and $P_E$ given in (13) and (22) respectively.

In Fig. 3 we have plotted the quantity of (24), with $c = 1/2$, versus the number $n$ of bits stolen by Eve without being outwitted for different alphabet order. It is interesting to observe that such a probability, as a function of $I$, increases slowly and slowly with the alphabet order.

FIG. 3: The eavesdropping success probability as a function of the maximal eavesdropped information decreases faster by increasing $d$. It is plotted for different dimensions, from bottom to top $d = 3$, $d = 5$, $d = 7$, $d = 9$, $d = 11$, ..., $d = 49$.

In this case the probability for Alice and Bob to detect Eve before she can eavesdrop a fixed amount of information, that is the complement of the probability in (24), is maximal for $d = 3$. Notice that the optimal dimension depends on the specific task of the protocol (QKD or QDC).

We believe that this work might offer new interesting perspectives for deterministic cryptographic protocols; in particular it could stimulate further studies about the optimal control strategy.

Acknowledgments
We have the pleasure of thanking R. Piergallini for several and stimulating discussions on this subject.

[1] C. H. Bennett and G. Brassard, Proc. of IEEE Int. Conf. on Computers, Systems and Signal Processing, Bangalore, India (IEEE, New York, 1984).
[2] A. Beige, B.-G. Englert, C. Kurtsiefer, H. Weinfurter, J. Phys. A: Math. Gen. , L407 (2002).
[3] K. Boström and T. Felbinger, Phys. Rev. Lett. , 187902 (2002).
[4] Q.-Y. Cai and B.-W. Li, Chin. Phys. Lett. , 601 (2004).
[5] M. Lucamarini and S. Mancini, Phys. Rev. Lett. , 140501 (2005).
[6] M. Lucamarini and S. Mancini, arXiv:1004.0157.
[7] H. Bechmann-Pasquinucci and W. Tittel, Phys. Rev. A , 062308 (2000).
[8] N. Cerf, M. Bourennane, A. Karlsson and N. Gisin, Phys. Rev. Lett. , 127902 (2002).
[9] J. S. Shaari, M. Lucamarini and M. R. B. Wahiddin, Phys. Lett. A , 85 (2006).
[10] J. S. Shaari and M. R. B. Wahiddin, Phys. Lett. A , 445 (2007).
[11] S. Pirandola, S. Mancini, S. Braunstein and S. Lloyd, Nat. Phys. , 726 (2008).
[12] A. Eusebi and S. Mancini, Quantum Inf. & Comp. , 950 (2009).
[13] F.-G. Deng, G. L. Long and X.-S. Liu, Phys. Rev. A , 042317 (2003).
[14] F.-G. Deng and G. L. Long, Phys. Rev. A , 052319 (2004).
[15] Q.-Y. Cai and B.-W. Li, Phys. Rev. A , 054301 (2004).
[16] I. D. Ivanovic, J. Phys. A , 3241 (1981).
[17] W. K. Wootters and B. D. Fields, Ann. Phys. , 363 (1989).
[18] S. Bandyopadhyay, P. O. Boykin, V. Roychowdhury and F. Vatan, Algorithmica , 512 (2002).
[19] A. Klappenecker and M. Rötteler, Finite Fields and Applications, 137, Lecture Notes in Comput. Sci., , Springer, Berlin, (2004).
[20] T. Durt, J. Phys. A: Math. Gen.38