Lightweight authenticated quantum key distribution protocols with key recycling
Jun Gu, Tzonelih Hwang*
Department of Computer Science and Information Engineering, National Cheng Kung University, No. 1, University Rd., Tainan City, 70101, Taiwan, R.O.C.
[email protected]
* Responsible for correspondence: Tzonelih Hwang, Distinguished Professor, Department of Computer Science and Information Engineering, National Cheng Kung University, No. 1, University Rd., Tainan City, 70101, Taiwan, R.O.C. Email: [email protected] TEL: +886-6-2757575 ext. 62524
Abstract
Quantum key distribution (QKD) has been developed for decades and several different QKD protocols have been proposed. But two difficulties limit the implementation of most QKD protocols. First, the involved participants are required to have heavy quantum capabilities, such as quantum joint operation, quantum register, and so on. Second, a hypothetical authenticated classical channel is used in most of the existing QKD protocols and this assumed channel does not exist in reality. To solve both the above limitations at the same time, this study proposes three lightweight authenticated QKD protocols with key recycling and shows these proposed protocols are robust under the collective attack.
Keywords:
Quantum key distribution; Lightweight quantum key distribution; Collective attack
1. Introduction
In 1984, Bennett et al. [1] proposed the first quantum key distribution (QKD) protocol to help the involved participants share an unconditionally secure key. Subsequently, several QKD protocols [2-8] have been proposed over the decades. However, most of these QKD protocols [2-5] face two difficulties in implementation. First, they need all the participants to have heavy quantum capabilities, such as quantum joint operation, quantum register, and so on. That means a participant with only limited quantum capabilities cannot be involved in these protocols. Second, an assumed authenticated classical channel is the prerequisite for running these protocols. That is, all the above QKD protocols adopt an ideally authenticated classical channel where the transmitted information cannot be modified and the identities of the communicating parties cannot be impersonated.
To solve the first problem, Boyer et al. proposed two semi-quantum key distribution (SQKD) protocols [9] in which a classical participant who has only restricted quantum capacities can be involved. In Boyer et al.’s SQKD protocols, the classical participants are restricted to performing three of the following four operations: (1) preparing qubits in the Z-basis $\{|0\rangle, |1\rangle\}$, (2) measuring qubits in the Z-basis, (3) reordering the qubits via different quantum delay lines, and (4) reflecting the qubits. Afterward, various types of semi-quantum protocols [10-14] have been proposed. However, Julsgaard et al.’s study [15] showed that photons are difficult to hold, even for a short time. Hence, the reordering operation appears to be quite difficult to implement. To make semi-quantum protocols easier to implement, Hwang et al. [16] proposed the definition of a lightweight quantum protocol, which allows lightweight participants to be involved in the protocol.
Here, the lightweight participants are restricted to performing only two of the following four operations: (1) preparing qubits in the Z-basis, (2) measuring qubits in the Z-basis, (3) performing single-photon unitary operations, and (4) reflecting the qubits. According to this definition, several well-known protocols can be considered lightweight quantum protocols, such as BB84 [1], E91 [8], and several measurement-device-independent protocols [6, 7].
To solve the second problem, several authenticated quantum protocols have been proposed. Unlike the above quantum protocols, which need an assumed ideal authenticated classical channel, the authenticated quantum protocols use pre-shared keys to help the participants authenticate each other. Besides, compared with classical authentication protocols, quantum authentication protocols have the advantage that the pre-shared keys are protected by quantum mechanics [17]. If no eavesdropper is detected, the pre-shared keys can be reused as newly pre-shared unconditionally secure keys. However, if an eavesdropper is detected, most authenticated quantum protocols have to discard all the pre-shared keys, and the participants must share new keys again to run the protocols. That can be very complicated and difficult to implement. To solve this, the existing concept of quantum key recycling [18-20] can be used for designing authenticated quantum protocols. That is, even when an eavesdropper has been detected, parts of the pre-shared keys can still be reused as unconditionally secure pre-shared keys.
This study proposes three lightweight authenticated quantum key distribution (LAQKD) protocols in which both the lightweight property and the authentication property mentioned above are achieved simultaneously. With these proposed protocols, the participants are allowed to have various lightweight quantum capabilities.
The proposed LAQKD protocols are suitable for many real-world scenarios. That is, the participants no longer need to change their quantum capabilities to adapt to a particular QKD protocol. Instead, they can choose an appropriate LAQKD protocol according to their own quantum capabilities. Besides, unlike almost all the existing authenticated quantum protocols, where the pre-shared master keys have to be discarded when eavesdropping is encountered, most of the pre-shared keys used in the proposed LAQKD protocols can be recycled even when eavesdropping is detected. For each proposed LAQKD protocol, a key recycling rate analysis is given to show the recycling threshold of each pre-shared key.
Moreover, to demonstrate the pros and cons of the proposed LAQKD protocols as compared with several existing QKD protocols more comprehensively, the concept of transmission time cost for a quantum protocol is introduced and defined for the first time in this study. In most existing studies, the design of a quantum protocol focuses only on getting a better qubit efficiency, needing fewer quantum capabilities, or using quantum resources that are easier to implement. However, to achieve these requirements, some extra costs have to be paid, and these extra costs have never been shown in the comparison part. This missing part makes it difficult to truly show the pros and cons of each protocol. In this study, a new concept named transmission time cost is defined to make the comparison more comprehensive.
The rest of this paper is organized as follows. Section 2 shows the details of the three proposed LAQKD protocols. Section 3 uses collective attack analysis to show that the proposed protocols are robust. Section 4 analyzes the expectation of the key recycling rate of the proposed protocols. Section 5 first introduces the definition of transmission time cost and then compares the proposed protocols with several well-known QKD protocols. Finally, a conclusion is given in Section 6.
2. Three LAQKD protocols
In this section, three LAQKD protocols are proposed and described one by one.
Before describing the proposed Protocol 1, we first introduce the environment adopted in it. Two participants, Alice and Bob, are involved in the protocol; each has just two lightweight quantum capabilities: generating Z-basis qubits and performing single-photon unitary operations. They try to use an $(n+m)$-bit pre-shared master key $K = \{k^1, k^2, \ldots, k^{n+m}\}$ to share a secure session key K of n bits with the help of an untrusted third party (TP). Here, $n$ is the length of the raw key further shared in the protocol, $m$ is the length of a hash function [21] output and n is the number of bits extracted from n by performing privacy amplification on the raw key. Besides, a backup master key $K = \{k^1, k^2, \ldots, k^l\}$ is also pre-shared between Alice and Bob, where $l$ is a large enough number. The backup master key is used for making up the length of the master key. That is, if an eavesdropper is detected during the execution of this protocol, parts of the master key will be discarded and parts of it can be recycled for further use. However, the length of the recycled part may be insufficient. To solve this problem, parts of the backup master key can be used for making up the length of the master key. In the proposed Protocol 1, both the quantum channels and the classical channels used are noiseless, but all the transmitted qubits and classical bits on them can be modified by anyone. The proposed Protocol 1 can then be described step by step as follows (Figure 1):
Step 1: Alice (Bob) generates a random bit sequence $R_A = \{r_A^1, r_A^2, \ldots, r_A^n\}$ ($R_B = \{r_B^1, r_B^2, \ldots, r_B^n\}$) and then performs a hash function [21] on $R_A$ ($R_B$) to obtain $h(R_A)$ ($h(R_B)$).
Step 2: Alice (Bob) generates $n+m$ Z-basis single photons to form an ordered qubit sequence $Q_A = \{q_A^1, q_A^2, \ldots, q_A^{n+m}\}$ ($Q_B = \{q_B^1, q_B^2, \ldots, q_B^{n+m}\}$) according to $R_A \| h(R_A)$ ($R_B \| h(R_B)$). That is, if the $i$-th bit in $R_A \| h(R_A)$ ($R_B \| h(R_B)$) is ‘0’, then the $i$-th qubit in $Q_A$ ($Q_B$) is $|0\rangle$. Otherwise, the $i$-th qubit is $|1\rangle$. Afterward, Alice (Bob) performs unitary operations I or 1= ( 0 0 0 1 + 1 0 1 1 )2 H on $Q_A$ ($Q_B$) according to $K$ to obtain $Q_A$ ($Q_B$). That is, if $k^i = 0$, Alice and Bob perform the operation $I$ on $q_A^i$ and $q_B^i$, respectively. Otherwise, an operation $H$ is performed on $q_A^i$ and $q_B^i$. Finally, Alice and Bob send $Q_A$ and $Q_B$ to TP.
Step 3: After TP receives $Q_A$ and $Q_B$, he/she performs Bell measurement on each qubit pair $\{q_A^i, q_B^i\}$ in order and announces the measurement results.
Step 4: As shown in Table 1, Alice and Bob deduce a bit sequence $M = \{m^1, m^2, \ldots, m^{n+m}\}$ from the measurement results. For example, if $k^i = 0$ and the measurement result is , then $m^i = 1$. Here, we can find that $M$ is expected to be equal to $(R_A \oplus R_B) \| (h(R_A) \oplus h(R_B))$.
Step 5: Alice (Bob) computes $M \oplus (R_A \| h(R_A))$ ($M \oplus (R_B \| h(R_B))$) to obtain $R_B \| h(R_B)$ ($R_A \| h(R_A)$). Then, Alice (Bob) performs the hash function on the obtained $R_B$ ($R_A$) and checks whether the computed hash value is equal to the obtained $h(R_B)$ ($h(R_A)$). If they are not equal, there must be an eavesdropper during the qubit transmission processes. Then, this protocol will be aborted. Otherwise, Alice and Bob extract the session key K by performing privacy amplification [22] on the raw key $R_A$.
Figure 1. Protocol 1: LAQKD protocol with generation and unitary operation
Table 1. The relationship of each bit, qubit and measurement result in Protocol 1 (columns: $K$; $R_A \| h(R_A)$, $R_B \| h(R_B)$; $Q_A$, $Q_B$; Measurement result; $M$)
Different from Protocol 1, in Protocol 2, Alice and Bob just have the lightweight quantum capabilities of measuring qubits with Z-basis and performing single-photon unitary operations. Moreover, two master keys = , , , n K k k k and = , , , n K k k k are pre-shared between Alice and Bob. Two backup master keys = , , , l K k k k and = , , , n K k k k are also pre-shared. The same as Protocol 1, an untrusted TP is involved in the protocol and both the quantum channels and the classical channels used in this protocol are noiseless. Then, the proposed Protocol 2 can be described as follows (Figure 2):
Step 1’: TP generates $n$ Bell states $B = \{(q_A^1, q_B^1), (q_A^2, q_B^2), \ldots, (q_A^n, q_B^n)\}$ in and picks out all the first particles and all the second particles in $B$ to form two ordered particle sequences $Q_A = \{q_A^1, q_A^2, \ldots, q_A^n\}$ and $Q_B = \{q_B^1, q_B^2, \ldots, q_B^n\}$, respectively. Then, he/she sends $Q_A$ and $Q_B$ to Alice and Bob, respectively.
Step 2’: Alice (Bob) performs unitary operations $I$ or $H$ on $Q_A$ ($Q_B$) according to K to obtain $Q_A$ ($Q_B$). Here, the performing rules are the same as in Step 2 of the first proposed protocol. Then, Alice (Bob) uses Z-basis to measure each qubit in $Q_A$ ($Q_B$) to obtain $R_A = \{r_A^1, r_A^2, \ldots, r_A^n\}$ ($R_B = \{r_B^1, r_B^2, \ldots, r_B^n\}$). Finally, according to Table 2, Alice deduces , , , n A R r r r R and Bob deduces B R R K .
Step 3’: Alice and Bob divide R into two bit sequences R and R according to K . That is, if $k^i = 0$, then $r^i$ belongs to R . Otherwise, $r^i$ belongs to R . Subsequently, Alice (Bob) performs a hash function on R ( R ) to obtain h R ( h R ). Then, Alice (Bob) sends h R ( h R ) to Bob (Alice).
Step 4’: After receiving h R ( h R ), Alice (Bob) performs the hash function on the held R ( R ) to check whether the received hash function result is equal to the computed one. If they are not equal, there must be an eavesdropper during the qubit transmission processes. Then, this protocol will be aborted. Otherwise, Alice and Bob extract the session key K by performing privacy amplification on R .
Table 2. The relationship of each bit, qubit and measurement result in Protocol 2 (columns: $Q_A$, $Q_B$; $K$; Measurement result $R_A$, $R_B$; $R$)
Figure 2. Protocol 2: LAQKD with measurement and unitary operation
In the proposed LAQKD protocol 2, the eavesdropping detection is done by detecting whether the initial state is indeed or not. Moreover, the participants can check the initial states by themselves. Therefore, any eavesdropper, even the TP, can be detected if some malicious behavior occurs. As a result, it means that TP can be considered to be untrusted. A formal proof of robustness under collective attack will be given in Section 3.
In Protocol 3, Alice and Bob just have the lightweight quantum capabilities of reflecting qubits and performing single-photon unitary operations. The master key $K = \{k^1, k^2, \ldots, k^{n+m}\}$ and the backup master key $K = \{k^1, k^2, \ldots, k^l\}$ are pre-shared between Alice and Bob. The same as the above two protocols, the quantum channels and the classical channels used in this protocol are noiseless and an untrusted TP is involved in the protocol. Moreover, a unitary operation
1= ( 0 0 0 1 + 1 0 1 1 )2 H is used in this protocol. The H can transform the qubits from one to the other. The transformation relationship is shown as follows:
01 10
HHHH
The proposed Protocol 3 can be described as follows (Figure 3):
Step 1*: TP generates n m single photons in the state and divides them into two ordered qubit sequences $Q_A = \{q_A^1, q_A^2, \ldots, q_A^{n+m}\}$ and $Q_B = \{q_B^1, q_B^2, \ldots, q_B^{n+m}\}$. Then, he/she sends $Q_A$ and $Q_B$ to Alice and Bob, respectively.
Step 2*: Alice (Bob) generates an $n$-bit random number $R_A = \{r_A^1, r_A^2, \ldots, r_A^n\}$ ($R_B = \{r_B^1, r_B^2, \ldots, r_B^n\}$) and performs a hash function on $R_A$ ($R_B$) to obtain $h(R_A)$ ($h(R_B)$).
Step 3*: Alice (Bob) performs $H^j$, the $j$ times unitary operation H, on $Q_A$ ($Q_B$) according to $R_A \| h(R_A)$ ($R_B \| h(R_B)$) and K (as shown in Table 3). Here, for the $i$-th qubit in $Q_A$ ($Q_B$), = 2 i iA j k r = 2 i iB j k r . For example, if $k^i = 1$ and $r_A^i = 1$, then Alice performs 3 times H on $Q_A$. After this, the qubit sequences $Q_A$ ($Q_B$) are transformed into $Q_A$ ($Q_B$). Then, Alice (Bob) sends $Q_A$ ($Q_B$) back to TP.
Step 4*: Upon receiving $Q_A$ and $Q_B$, TP performs Bell measurement on each qubit pair $\{q_A^i, q_B^i\}$ and announces the measurement results.
Step 5*: According to Table 3, Alice and Bob can obtain a bit sequence $M = \{m^1, m^2, \ldots, m^{n+m}\}$ from the measurement results. For example, if $k^i = 0$ and the measurement result is , then $m^i = 1$. Here, we can find that $M$ is expected to be equal to $(R_A \oplus R_B) \| (h(R_A) \oplus h(R_B))$.
Step 6*: (The same as Step 5) Alice (Bob) computes $M \oplus (R_A \| h(R_A))$ ($M \oplus (R_B \| h(R_B))$) to obtain $R_B \| h(R_B)$ ($R_A \| h(R_A)$). Then, Alice (Bob) performs the hash function on the obtained $R_B$ ($R_A$) and checks whether the computed hash value is equal to the obtained $h(R_B)$ ($h(R_A)$). If they are not equal, there must be an eavesdropper during the qubit transmission processes. Then, this protocol will be aborted. Otherwise, Alice and Bob extract the session key K by performing privacy amplification on the raw key $R_A$.
Table 3. The relationship of each bit, qubit and measurement result in Protocol 3 (columns: $Q_A$, $Q_B$; $K$; $R_A$, $R_B$; $H$, $H$; $Q_A$, $Q_B$; Measurement result; $M$)
Figure 3. Protocol 3: LAQKD with reflection and unitary operation
In this protocol, any malicious behavior, even from the TP, can be detected by the participants by checking the announced Bell measurement results. Hence, the TP can be considered to be untrusted here.
A formal proof of robustness under collective attack will be given in Section 3.
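Steps 1-5 of Protocol 1 (whose final hash check is reused as Step 6* of Protocol 3) can be exercised end to end in a small state-vector simulation. The following Python code is an added example, not code from the paper: it assumes H acts as the Hadamard operation, uses truncated SHA-256 as a stand-in for the hash function [21], and derives its decoding rule from the Bell-basis decomposition rather than from Table 1; all function names are hypothetical.

```python
import hashlib
import math
import random

S = 1 / math.sqrt(2)

# Bell basis as amplitude vectors over |00>, |01>, |10>, |11>.
BELL = {
    "Phi+": (S, 0, 0, S), "Phi-": (S, 0, 0, -S),
    "Psi+": (0, S, S, 0), "Psi-": (0, S, -S, 0),
}

# Decoding rule derived here from the Bell-basis decomposition (assumption:
# not copied from the paper's Table 1).
#   k=0 (Z-basis photons): equal bits -> Phi+/-, different bits -> Psi+/-
#   k=1 (after H):         equal bits -> Phi+/Psi+, different -> Phi-/Psi-
DECODE = {
    0: {"Phi+": 0, "Phi-": 0, "Psi+": 1, "Psi-": 1},
    1: {"Phi+": 0, "Psi+": 0, "Phi-": 1, "Psi-": 1},
}

# Constructed fault: swapping these pairs flips m_i whatever the key bit is.
FLIP = {"Phi+": "Psi-", "Psi-": "Phi+", "Phi-": "Psi+", "Psi+": "Phi-"}


def h(bits, m):
    """Hypothetical stand-in for the hash h(): first m bits of SHA-256."""
    digest = hashlib.sha256(bytes(bits)).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(m)]


def prepare(bit, k):
    """Step 2: Z-basis photon for `bit`, then I (k=0) or Hadamard (k=1)."""
    if k == 0:
        return (1.0, 0.0) if bit == 0 else (0.0, 1.0)
    return (S, S) if bit == 0 else (S, -S)


def bell_measure(qa, qb, rng):
    """Step 3: TP's Bell measurement on one photon pair (product state)."""
    state = [qa[0] * qb[0], qa[0] * qb[1], qa[1] * qb[0], qa[1] * qb[1]]
    names = list(BELL)
    probs = [round(sum(x * y for x, y in zip(BELL[n], state)) ** 2, 9)
             for n in names]
    return rng.choices(names, weights=probs)[0]


def recover_peer(own_r, key, results, m):
    """Steps 4-5: decode M, XOR out own R||h(R), verify the peer's hash.

    Returns the peer's raw key, or None when the check fails (abort)."""
    big_m = [DECODE[k][res] for k, res in zip(key, results)]
    own = own_r + h(own_r, m)
    peer = [a ^ b for a, b in zip(big_m, own)]
    peer_r, peer_h = peer[:len(own_r)], peer[len(own_r):]
    return peer_r if h(peer_r, m) == peer_h else None


def run_protocol1(n=32, m=64, tamper_at=None, seed=7):
    """One noiseless run; `tamper_at` alters one announced result."""
    rng = random.Random(seed)
    key = [rng.randint(0, 1) for _ in range(n + m)]   # pre-shared master key
    r_a = [rng.randint(0, 1) for _ in range(n)]
    r_b = [rng.randint(0, 1) for _ in range(n)]
    q_a = [prepare(b, k) for b, k in zip(r_a + h(r_a, m), key)]
    q_b = [prepare(b, k) for b, k in zip(r_b + h(r_b, m), key)]
    results = [bell_measure(a, b, rng) for a, b in zip(q_a, q_b)]
    if tamper_at is not None:
        results[tamper_at] = FLIP[results[tamper_at]]
    alice_view = recover_peer(r_a, key, results, m)   # should equal r_b
    bob_view = recover_peer(r_b, key, results, m)     # should equal r_a
    return r_a, r_b, alice_view, bob_view


if __name__ == "__main__":
    r_a, r_b, alice_view, bob_view = run_protocol1()
    print("honest run agrees:", alice_view == r_b and bob_view == r_a)
    print("tampered run:", run_protocol1(tamper_at=40)[2:])
```

Because the Bell outcome only reveals the parity of the two encoded bits in a basis selected by the key bit, a modified announcement changes the recovered $R \| h(R)$ and the hash comparison in Step 5 fails on both sides.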
3. Security analysis
This section proves that the three proposed LAQKD protocols are robust. For the proposed LAQKD protocols, the robustness [9] means that any eavesdropper attempting to obtain the final shared key will be detected by the participants. To prove the robustness of the proposed LAQKD protocols, the collective attack analysis of each proposed LAQKD protocol is given. The collective attack is the strongest type of joint attack which also can be considered as the most general attack [23]. In the three proposed LAQKD protocols, TP can be considered as the strongest eavesdropper. Hence, if TP cannot obtain the final shared key or the pre-shared keys, then no other eavesdropper can do that. In the collective attack [23], an eavesdropper can be defined as follows.
(1) An eavesdropper can entangle her/his probe quantum systems with participants’ quantum systems which are transmitted on the quantum channels and then tries to use the measurement results of his/her own probe quantum systems to obtain the final shared key or the pre-shared keys.
(2) Each quantum system may be transmitted several times in a protocol. For each time, an eavesdropper can perform a joint unitary operation on both the transmitted quantum system and his/her probe quantum system.
(3) An eavesdropper can keep his/her probe quantum systems until any later point in time. That means, he/she can choose to measure his/her probe quantum systems after obtaining some information coming from the announced information in the protocol.
According to these definitions, we show that all the proposed LAQKD protocols are robust by the following theorems and proofs.
Theorem 1: In the proposed LAQKD protocol 1, no eavesdropper can obtain the final shared key K or the pre-shared key K by the collective attack without being detected.
Proof: Assume TP is an eavesdropper. After Alice and Bob send their quantum systems , A B
Q Q to TP in Step 2, TP generates his/her probe quantum systems = , , , n m n m
E e E e E e E and performs a joint unitary operation E U on each pair of , , i i iA B q q e to entangle them. According to Table 1, we can find that , i iA B q q has eight cases as follows. Case 1: , = 0 , 0 i iA B A B q q ; Case 2: , = 0 , 1 i iA B A B q q ; Case 3: , = 1 , 0 i iA B A B q q ; Case 4: , = 1 , 1 i iA B A B q q ; Case 5: , = , i iA B A B q q ; Case 6: , = , i iA B A B q q ; Case 7: , = , i iA B A B q q ; Case 8: , = , i iA B A B q q ; Based on the eight cases, E U , , i i iA B q q e can be described as follows: Case 1:
00 00 01 01 10 10 11 1100 00 00 00 00 00 00 00
E iA B EAB E AB E AB E AB E
U Ee e e e (1)
Case 2:
00 00 01 01 10 10 11 1101 01 01 01 01 01 01 01
E iA B EAB E AB E AB E AB E
U Ee e e e (2)
Case 3:
00 00 01 01 10 10 11 1110 10 10 10 10 10 10 10
E iA B EAB E AB E AB E AB E
U Ee e e e (3)
Case 4:
00 00 01 01 10 10 11 1111 11 11 11 11 11 11 11
E iA B EAB E AB E AB E AB E
U Ee e e e (4) Case 5:
00 00 01 01 10 10 11 1100 00 00 00 00 00 00 0000 00 01 01 10 10 11 1101 01 01 01 01 01 01 0100 00 0110 10 10
1= 00 01 10 11212
E iA B EE i i i iABE ABE ABE ABEAB E AB E AB E AB EAB E AB E AB E AB EAB E
U EU E E E Ee e e ee e e ee
01 10 10 11 1110 10 10 10 1000 00 01 01 10 10 11 1111 11 11 11 11 11 11 11
AB E AB E AB EAB E AB E AB E AB E e e ee e e e
00 00 00 00 00 00 00 0000 00 01 01 10 10 11 1101 01 01 01 01 01 01 0100 00 01 01 10 10 11 1110 10 10 10 10 10 10 1000 00 01 01 10 10 11 1111 11 11 11 11 1100 00 01 01 10 10
1= 2
AB E E E EAB E E E EAB E E E EAB E E E e e e ee e e ee e e ee e e
11 1111 11 E e (5) Case 6:
00 00 01 01 10 10 11 1100 00 00 00 00 00 00 0000 00 01 01 10 10 11 1101 01 01 01 01 01 01 0100 00 0110 10 10
1= 00 01 10 11212
E iA B EE ABE ABE ABE ABEAB E AB E AB E AB EAB E AB E AB E AB EAB E AB
U EU E E E Ee e e ee e e ee e
01 10 10 11 1110 10 10 10 1000 00 01 01 10 10 11 1111 11 11 11 11 11 11 11
E AB E AB EAB E AB E AB E AB E e ee e e e
00 00 00 00 00 00 00 0000 00 01 01 10 10 11 1101 01 01 01 01 01 01 0100 00 01 01 10 10 11 1110 10 10 10 10 10 10 1000 00 01 01 10 10 11 1111 11 11 11 11 1100 00 01 01 10 10
1= 2
AB E E E EAB E E E EAB E E E EAB E E E e e e ee e e ee e e ee e e
11 1111 11 E e (6) Case 7:
00 00 01 01 10 10 11 1100 00 00 00 00 00 00 0000 00 01 01 10 10 11 1101 01 01 01 01 01 01 0100 00 0110 10 10
1= 00 01 10 11212
E iA B EE ABE ABE ABE ABEAB E AB E AB E AB EAB E AB E AB E AB EAB E AB
U EU E E E Ee e e ee e e ee e
01 10 10 11 1110 10 10 10 1000 00 01 01 10 10 11 1111 11 11 11 11 11 11 11
E AB E AB EAB E AB E AB E AB E e ee e e e
00 00 00 00 00 00 00 0000 00 01 01 10 10 11 1101 01 01 01 01 01 01 0100 00 01 01 10 10 11 1110 10 10 10 10 10 10 1000 00 01 01 10 10 11 1111 11 11 11 11 1100 00 01 01 10 10
1= 2
AB E E E EAB E E E EAB E E E EAB E E E e e e ee e e ee e e ee e e
11 1111 11 E e (7) Case 8:
00 00 01 01 10 10 11 1100 00 00 00 00 00 00 0000 00 01 01 10 10 11 1101 01 01 01 01 01 01 0100 00 0110 10 10
1= 00 01 10 11212
E iA B EE ABE ABE ABE ABEAB E AB E AB E AB EAB E AB E AB E AB EAB E AB
U EU E E E Ee e e ee e e ee e
01 10 10 11 1110 10 10 10 1000 00 01 01 10 10 11 1111 11 11 11 11 11 11 11
E AB E AB EAB E AB E AB E AB E e ee e e e
00 00 00 00 00 00 00 0000 00 01 01 10 10 11 1101 01 01 01 01 01 01 0100 00 01 01 10 10 11 1110 10 10 10 10 10 10 1000 00 01 01 10 10 11 1111 11 11 11 11 1100 00 01 01 10 10
1= 2
AB E E E EAB E E E EAB E E E EAB E E E e e e ee e e ee e e ee e e
11 1111 11 E e (8) In equations (1)-(8), jij . Subsequently, TP uses Bell measurement to measure each qubit pair of , i iA B q q and announces the measurement results. In Step 4 and Step 5, Alice and Bob use the measurement results to check whether there is an eavesdropper during the particle transmission processes. According to Table 1, to avoid being detected by the participants, TP must set all the parameters in the above equations (1)-(8) to meet the following conditions.
10 1000 0011 1100 00 EE ee
00 0001 0101 0101 01 EE ee
00 0010 1001 0110 10 EE ee
10 1011 1111 1111 11 EE ee
01 01 01 01 01 01 01 0100 00 01 01 10 10 11 1111 11 11 11 11 11 11 1100 00 01 01 10 10 11 11 E E E EE E E E e e e ee e e e
00 00 00 00 00 00 00 0000 00 01 01 10 10 11 1110 10 10 10 10 10 10 1000 00 01 01 10 10 11 11 E E E EE E E E e e e ee e e e
00 00 00 00 00 00 00 0000 00 01 01 10 10 11 1110 10 10 10 10 10 10 1000 00 01 01 10 10 11 11 E E E EE E E E e e e ee e e e
01 01 01 01 01 01 01 0100 00 01 01 10 10 11 1111 11 11 11 11 11 11 1100 00 01 01 10 10 11 11 E E E EE E E E e e e ee e e e
These above conditions can be simplified into the following conditions:
10 1000 00 E e ;
11 1100 00 E e ;
00 0001 01 E e ;
01 0101 01 E e ;
00 0010 10 E e ;
01 0110 10 E e ;
10 1011 11 E e ;
11 1111 11 E e ;
01 01 01 0100 00 11 11
E E e e ;
11 1101 01 E e
11 1110 10 E e ;
00 00 00 0000 00 11 11
E E e e ;
10 10 10 1001 01 10 10
E E e e . With these conditions, the equations (1)-(8) can be simplified into the following equation group.
00 00 01 0100 00 00 0010 10 11 1101 01 01 0110 10 11 1101 01 01 0100 00 01 0100 00 00 0000 0000 00
E iA B E AB E AB EE iA B E AB E AB EE iA B E AB E AB EE iA B E AB E AB EE iA B E AB E
U E e eU E e eU E e eU E e eU E e
10 1001 0101 01 11 1100 00 01 0101 01 11 1100 00 01 0100 00 10 1000 00 01 01 ===
AB EE iA B E AB E AB EE iA B E AB E AB EE iA B E AB E AB E eU E e eU E e eU E e e (9)
The equation group (9) is the result of the collective attack on the proposed LAQKD protocol 1. TP tries to use the measurement result of his/her probe quantum system E in equation group (9) to obtain the final shared key K and the pre-shared key K . For easily understanding of the collective attack result, we re-express the equation group (9) and Table 1 into Table 4. Table 4. Collective attack on the proposed LAQKD protocol 1 MR of E MR of , A B
Q Q , A B
Q Q A R K E e AB A B
0 0
A B
1 0 , A B
0 1 , A B
1 1 E e AB A B
0 0
A B
1 0 , A B
0 1 , A B
1 1 E e AB , A B
0 0
A B
1 0 , A B
0 1 , A B
1 1 E e AB A B
0 0
A B
1 0 , A B
0 1 , A B
1 1 In Table 4, the ‘MR’ is the abbreviation of the measurement result. According to Table 4, we can find that no matter which measurement result of E is obtained by TP, he/she can obtain nothing of A R and K . For example, if the measurement result of E is E e , the corresponding , A R K can be any one of
0, 0 , 0,1 , 1, 0 , 1,1 . Moreover, A R is used for deriving the final shared key K . Hence, this collective attack analysis result shows that any eavesdropper cannot obtain the final shared key K or the pre-shared key K by performing a collective attack without being detected. Theorem 1 is proved. Theorem 2:
In the proposed LAQKD protocol 2, no eavesdropper can obtain the final shared key K or the pre-shared keys K and K by the collective attack without being detected. Proof:
Assume TP is an eavesdropper. In Step 1’, TP generates arbitrary quantum systems to form , A B
Q Q instead. Then he/she generates his/her probe quantum systems = , , , n n
E e E e E e E and performs a joint unitary operation E U on each pair of , , i i iA B q q e to entangle them. The , , i i iE A B U q q e can be described as follows.
00 00 01 01 10 10 11 11 , ,00 01 10 11 i i iE A BAB E AB E AB E AB E
U q q ea e a e a e a e (10)
Here, jj a . Subsequently, TP sends A Q and B Q to Alice and Bob, respectively. In Step 2’, Alice (Bob) performs unitary operations I or H on A Q ( B Q ) to obtain A Q ( B Q ) according to K . This part can be considered as one of the two different joint unitary operations = AB A B E
U I I I or AB A B E
U H H I is performed on the whole quantum system , , i i iA B q q e as follows. , ,00 01 10 11 i i iAB E A BAB E AB E AB E AB E
U U q q ea e a e a e a e (11) , ,000112 1011 i i iAB E A BAB E AB E AB E AB EAB E E E EAB E E E EAB E E E EAB E E U U q q ea e a e a e a ea e a e a e a ea e a e a e a ea e a e a e a ea e a e a
10 11 11
E E e a e (12) In Step 2’-Step 4’, Alice and Bob use the measurement result of , A B
Q Q to check whether there is an eavesdropper during the particle transmission processes. To avoid being detected by Alice and Bob, TP must set all the parameters in equations (10)-(12) to meet the following conditions:
01 01 E a e ;
10 10 E a e ;
00 00 E a e
11 11 E a e ; a . In this situation, the equations (11) and (12) can be transmitted into the following equation group.
1, , 00 1121, , 01 102 i i iAB E A B AB AB Ei i iAB E A B AB AB E
U U q q e eU U q q e e (13) According to the equation group (13), we can find that the measurement result of E always is E e . That means no matter which unitary operation is performed by Alice and Bob or which the exact bit of A R is, TP’s measurement result of E will always be E e . Hence, he/she can obtain nothing from the collective attack. The Theorem 2 is proved. Theorem 3:
In the proposed LAQKD protocol 3, no eavesdropper can obtain the final shared key K or the pre-shared key K by the collective attack without being detected. Proof:
Assume TP is an eavesdropper. In Step 1*, TP does not generate to be the initial states. He/she generates arbitrary quantum systems to form , A B
Q Q instead. Then he/she generates his/her probe quantum systems = , , , n m n m
E e E e E e E and performs a joint unitary operation E U on each pair of , , i i iA B q q e to entangle them. The , , i i iE A B U q q e can be described as follows.
11 1 2 2 3 3 4 4 , , i i iE A B E E E EAB AB AB AB
U q q ea e a e a e a e (14) Here, jj a . Then, TP sends A Q and B Q to Alice and Bob, respectively. In Step 3*, Alice (Bob) performs j j times unitary operation H on A Q ( B Q ) to obtain A Q ( B Q ). Here, this part can be considered as one of the eight different joint unitary operations , , , AB AB AB
U U U is performed on the whole quantum system , , i i iA B q q e . The , , ,
AB AB AB
U U U can be described as follows.
AB A B EAB A EBAB B EAAB EA BAB EA BAB EA BAB EA BAB EA B
U I I IU I H IU H I IU H H IU H H IU H H IU H H IU H H I (15) According to equations (14) and (15), we can obtain the following equations. , , i i iAB E A B E E E EAB AB AB AB
U U q q ea e a e a e a e (16) , , i i iAB E A B E E E EAB AB AB AB U U q q ea e a e a e a e (17) , , i i iAB E A B E E E EAB AB AB AB
U U q q ea e a e a e a e (18) , , i i iAB E A B E E E EAB AB AB AB
U U q q ea e a e a e a e (19) , , i i iAB E A B E E E EAB AB AB AB
U U q q ea e a e a e a e (20) , , i i iAB E A B E E E EAB AB AB AB
U U q q ea e a e a e a e (21) , , i i iAB E A B E E E EAB AB AB AB
U U q q ea e a e a e a e (22) , , i i iAB E A B E E E EAB AB AB AB
U U q q ea e a e a e a e (23)
Then, Alice and Bob send A Q and B Q to TP, respectively. Upon receiving A Q and B Q , TP performs another joint unitary operation E U on each pair of , , i i iA B q q e . The E U can be described as follows.
21 1 2 2 3 3 4 4
E yAB Exy xy xy xy xy xy xy xyAB E AB E AB E AB E
U x eb e b e b e b e (24) Here, jxyj b . Moreover, assume that ‘ ’=‘1’, ‘ ’=‘2’, ‘ ’=‘3’ and ‘ ’=‘4’, then , 1, 2, 3, 4 x y . According to the equations (16)-(24), we can obtain the following equations.
12 12 1 1 2 2 3 3 4 41 1 2 2 3 3 4 41 11 11 11 11 11 11 11 111 1 2 2 3 3 4 42 22 22 22 22 22 22 22 221 1 23 33 33 33 , , i i iE AB E A BE E E E EAB AB AB ABAB E AB E AB E AB EAB E AB E AB E AB EAB E
U U U q q eU a e a e a e a ea b e b e b e b ea b e b e b e b ea b e b
AB E AB E AB EAB E AB E AB E AB EAB E E E EAB E E E e b e b ea b e b e b e b ea b e a b e a b e a b ea b e a b e a b e a b e
EAB E E E EAB E E E E a b e a b e a b e a b ea b e a b e a b e a b e (25)
22 12 1 1 2 2 3 3 4 41 1 1 1 1 1 1 11 41 41 2 32 32 3 23 23 4 14 142 2 2 2 2 2 2 21 41 41 2 32 32 3 23 23 4 14 143 3 3 31 41 41 2 32 32 , , i i iE AB E A BE E E E EAB AB AB ABAB E E E EAB E E E EAB E E
U U U q q eU a e a e a e a ea b e a b e a b e a b ea b e a b e a b e a b ea b e a b e a
E EAB E E E E b e a b ea b e a b e a b e a b e (26)
32 12 1 1 2 2 3 3 4 41 1 1 1 1 1 1 11 41 41 2 32 32 3 23 23 4 14 142 2 2 2 2 2 2 21 41 41 2 32 32 3 23 23 4 14 143 3 31 41 41 2 32 32 , , i i iE AB E A BE E E E EAB AB AB ABAB E E E EAB E E E EAB E
U U U q q eU a e a e a e a ea b e a b e a b e a b ea b e a b e a b e a b ea b e a b e
E E EAB E E E E a b e a b ea b e a b e a b e a b e (27)
42 12 1 1 2 2 3 3 4 41 1 1 1 1 1 1 11 11 11 2 22 22 3 33 33 4 44 442 2 2 2 2 2 2 21 11 11 2 22 22 3 33 33 4 44 443 3 3 31 11 11 2 22 22 , , i i iE AB E A BE E E E EAB AB AB ABAB E E E EAB E E E EAB E E
U U U q q eU a e a e a e a ea b e a b e a b e a b ea b e a b e a b e a b ea b e a b e a
E EAB E E E E b e a b ea b e a b e a b e a b e (28)
52 12 1 1 2 2 3 3 4 41 1 1 1 1 1 1 11 11 11 2 32 32 3 23 23 4 44 442 2 2 2 2 2 2 21 11 11 2 32 32 3 23 23 4 44 443 3 3 31 11 11 2 32 32 , , i i iE AB E A BE E E E EAB AB AB ABAB E E E EAB E E E EAB E E
U U U q q eU a e a e a e a ea b e a b e a b e a b ea b e a b e a b e a b ea b e a b e a
E EAB E E E E b e a b ea b e a b e a b e a b e (29)
62 12 1 1 2 2 3 3 4 41 1 1 1 1 1 1 11 41 41 2 22 22 3 33 33 4 14 142 2 2 2 2 2 2 21 41 41 2 22 22 3 33 33 4 14 143 3 3 31 41 41 2 22 22 , , i i iE AB E A BE E E E EAB AB AB ABAB E E E EAB E E E EAB E E
U U U q q eU a e a e a e a ea b e a b e a b e a b ea b e a b e a b e a b ea b e a b e a
E EAB E E E E b e a b ea b e a b e a b e a b e (30)
72 12 1 1 2 2 3 3 4 41 1 1 1 1 1 1 11 41 41 2 22 22 3 33 33 4 14 142 2 2 2 2 2 2 21 41 41 2 22 22 3 33 33 4 14 143 3 31 41 41 2 22 22 , , i i iE AB E A BE E E E EAB AB AB ABAB E E E EAB E E E EAB E
U U U q q eU a e a e a e a ea b e a b e a b e a b ea b e a b e a b e a b ea b e a b e
E E EAB E E E E a b e a b ea b e a b e a b e a b e (31)
82 12 1 1 2 2 3 3 4 41 1 1 1 1 1 1 11 11 11 2 32 32 3 23 23 4 44 442 2 2 2 2 2 2 21 11 11 2 32 32 3 23 23 4 44 443 3 3 31 11 11 2 32 32 , , i i iE AB E A BE E E E EAB AB AB ABAB E E E EAB E E E EAB E E
U U U q q eU a e a e a e a ea b e a b e a b e a b ea b e a b e a b e a b ea b e a b e a
E EAB E E E E b e a b ea b e a b e a b e a b e (32)
Subsequently, TP performs Bell measurement on $Q_A, Q_B$ and announces the measurement results. In Step 5* and Step 6*, Alice and Bob use the announced measurement results to check whether there is an eavesdropper during the qubit transmission processes. To avoid being detected by Alice and Bob, TP must set all the parameters in equations (25)-(32) to meet the following conditions:
E E E EE E E E a b e a b e a b e a b ea b e a b e a b e a b e E E E EE E E E a b e a b e a b e a b ea b e a b e a b e a b e E E E EE E E E a b e a b e a b e a b ea b e a b e a b e a b e E E E EE E E E a b e a b e a b e a b ea b e a b e a b e a b e E E E EE E E E a b e a b e a b e a b ea b e a b e a b e a b e E E E EE E E E a b e a b e a b e a b ea b e a b e a b e a b e E E E EE E E E a b e a b e a b e a b ea b e a b e a b e a b e E E E EE E E E a b e a b e a b e a b ea b e a b e a b e a b e
The above conditions can be simplified into the following conditions:
E EE EE EE E a b e a b ea b e a b ea b e a b ea b e a b e
E EE EE EE E a b e a b ea b e a b ea b e a b ea b e a b e
E EE EE EE E a b e a b ea b e a b ea b e a b ea b e a b e
E EE EE EE E a b e a b ea b e a b ea b e a b ea b e a b e
According to these conditions, the equations (25)-(32) can be transformed into the following equations.
12 1 1 1 1 1 2 2 2 21 11 11 4 44 44 2 22 22 3 33 33 , , i i iE AB E A BAB E E AB E E
U U U q q ea b e a b e a b e a b e (33)
22 1 3 3 3 3 4 4 4 42 32 32 3 23 23 1 41 41 4 14 14 , , i i iE AB E A BAB E E AB E E
U U U q q ea b e a b e a b e a b e (34)
32 1 3 3 3 3 4 4 4 42 32 32 3 23 23 1 41 41 4 14 14 , , i i iE AB E A BAB E E AB E E
U U U q q ea b e a b e a b e a b e (35)
42 1 1 1 1 1 2 2 2 21 11 11 4 44 44 2 22 22 3 33 33 , , i i iE AB E A BAB E E AB E E
U U U q q ea b e a b e a b e a b e (36)
52 1 1 1 1 1 3 3 3 31 11 11 4 44 44 2 32 32 3 23 23 , , i i iE AB E A BAB E E AB E E
U U U q q ea b e a b e a b e a b e (37)
62 1 2 2 2 2 4 4 4 42 22 22 3 33 33 1 41 41 4 14 14 , , i i iE AB E A BAB E E AB E E
U U U q q ea b e a b e a b e a b e (38)
72 1 2 2 2 2 4 4 4 42 22 22 3 33 33 1 41 41 4 14 14 , , i i iE AB E A BAB E E AB E E
U U U q q ea b e a b e a b e a b e (39)
82 1 1 1 1 1 3 3 3 31 11 11 4 44 44 2 32 32 3 23 23 , , i i iE AB E A BAB E E AB E E
U U U q q ea b e a b e a b e a b e (40)
Assume that
E E E f a b e a b e , E E E f a b e a b e , E E E f a b e a b e and
E E E f a b e a b e , then the equations (33)-(40) can be represented as the following equation group.
12 1 1 222 1 3 432 1 3 442 1 1 252 1 1 362 1 , ,, ,, ,, ,, ,, , i i iE AB E A B E EAB ABi i iE AB E A B E EAB ABi i iE AB E A B E EAB ABi i iE AB E A B E EAB ABi i iE AB E A B E EAB ABi i iE AB E A B
U U U q q e f fU U U q q e f fU U U q q e f fU U U q q e f fU U U q q e f fU U U q q e , ,, ,
E EAB ABi i iE AB E A B E EAB ABi i iE AB E A B E EAB AB f fU U U q q e f fU U U q q e f f (41)
The equation group (41) is the result of the collective attack on the proposed LAQKD protocol 3. TP tries to use the measurement result of his/her probe quantum system E in equation group (9) to obtain the final shared key K and the pre-shared key K . For ease of understanding of the collective attack result, the equation group (41) and Table 3 are re-expressed as Table 5. Similar to the proof of Theorem 1, Table 5 shows that no matter which measurement result of E is obtained by TP, he/she can obtain nothing of $R_A$ and K . Theorem 3 is proved.
Table 5. Collective attack on the proposed LAQKD protocol 3
MR of E MR of , A B
Q Q , A B
H H A R K E f AB , H H
0 0 , H H
1 0 , H H
0 1 , H H
1 1 E f AB , H H
0 0 , H H
1 0 , H H
0 1 , H H
1 1 E f AB , H H
0 0 , H H
1 0 , H H
0 1 , H H
1 1 E f AB , H H
0 0 , H H
1 0 , H H
0 1 , H H
1 1
The above three theorems and the corresponding proofs show that all the proposed three LAQKD protocols are robust.
4. Key recycling
Section 3 shows that, in the three proposed LAQKD protocols, no eavesdropper can obtain the pre-shared keys K and K without being detected. That means that, if no eavesdropper has been detected in the protocol, the pre-shared keys can be reused next time. However, if the participants find an eavesdropper while running the protocol, can the pre-shared keys still be reused? In most of the existing authenticated quantum protocols [17, 24-26], if an eavesdropper has been detected, all the pre-shared keys must be discarded. In contrast to these existing authenticated quantum protocols, the proposed LAQKD protocols can recycle parts of the pre-shared keys when an eavesdropper has been detected. This section gives the expectation of the key recycling rate. Here, for a pre-shared key K , the key recycling rate $rate(K)$ is defined as follows.
$$rate(K) = \frac{bit(K) - leakage(K)}{bit(K)}$$
Here $bit(K)$ is the number of bits of the whole K and $leakage(K)$ is the maximal number of leaked bits in the protocol. According to the key recycling rate, if an eavesdropper has been detected in the protocol, the involved participants only need to discard parts of the pre-shared keys, and the remaining parts can still be used next time.
Before analyzing the key recycling rate in each proposed LAQKD protocol, some background is introduced here. Reference [27] pointed out that there is a maximal probability of 85.4% to obtain the correct value of the four single photons . That is, suppose that the values of single photons are equal to ‘0’ and the values of single photons are equal to ‘1’. Then, for a single photon sequence $S = \{s_1, s_2, \ldots, s_n\}$ where each photon $s_i$ is randomly chosen from , the maximal probability of obtaining the correct value of $s_i$ is 85.4%. According to Shannon’s entropy $H(X) = -\sum_x p(x) \log p(x)$, where $p(x)$ is the probability of the possible value $x$, the maximal information leakage of the value of $s_i$ is bit. Besides, $s_i$ will collapse after its value is obtained.
Reference [28] showed that, without knowing the exact value of $s_i$, the basis of $s_i$ cannot be obtained. Moreover, if the value of $s_i$ is known, the maximal information leakage of $s_i$’s basis is 0.40 bit. For example, assume there is a classical bit $a$ and $s_i$ is generated according to $a$. That is, if $a = 0$, then $s_i$ = 0 . Otherwise, $s_i$ = . Theoretically, the maximal information entropy of $a$ obtained from $s_i$ is 0.4 bit. Similarly, $s_i$ will collapse after its basis is obtained. According to the above two studies [27, 28], we can get the following lemma.
Lemma 1: For one qubit which is randomly chosen from the four single states , the basis of this qubit cannot be obtained from this qubit itself.
Proof: Assume $s_i$ is a qubit randomly chosen from . If we try to obtain $s_i$’s basis from the qubit itself, according to the study [28], the following two conditions must be met simultaneously. (1) The exact value of $s_i$ must have been obtained. (2) The quantum particle $s_i$ has not collapsed yet. However, according to the study [27], if we obtain $s_i$’s value from the qubit itself, then this qubit will collapse. Hence, the above two conditions cannot be satisfied at the same time. As a result, we cannot obtain $s_i$’s basis from the qubit itself. Lemma 1 is proved.
K in the proposed LAQKD protocol 1
According to Lemma 1, in the proposed LAQKD protocol 1, if an eavesdropper TP wants to obtain the pre-shared key K , he/she must obtain the exact values of $q_A^i, q_B^i$ first. In $q_A^i, q_B^i$ $(1 \le i \le n+m)$, the values of $q_A^i, q_B^i$ $(1 \le i \le n)$ are decided by $R_A, R_B$ and the values of $q_A^i, q_B^i$ $(n+1 \le i \le n+m)$ are decided by $h(R_A), h(R_B)$, where $h(R_A), h(R_B)$ are derived from $R_A, R_B$. Here, when $R_A, R_B$ and $h(R_A), h(R_B)$ are considered separately, both of them can be considered as random. Hence, TP cannot obtain the bases of $q_A^i, q_B^i$ $(1 \le i \le n)$ or the bases of $q_A^i, q_B^i$ $(n+1 \le i \le n+m)$ separately. Accordingly, TP has only the following two strategies to obtain K .
Strategy 1: TP obtains partial information of $R_A, R_B$ from $q_A^i, q_B^i$ $(1 \le i \le n)$ and then uses the obtained information to deduce parts of K from $q_A^i, q_B^i$ $(n+1 \le i \le n+m)$.
Strategy 2: TP obtains partial information of $h(R_A), h(R_B)$ from $q_A^i, q_B^i$ $(n+1 \le i \le n+m)$ and then uses the obtained information to obtain parts of K from $q_A^i, q_B^i$ $(1 \le i \le n)$.
In Strategy 1, the maximal information leakage of $R_A, R_B$ from $q_A^i, q_B^i$ $(1 \le i \le n)$ is n n bits. The expected information leakage of $h(R_A), h(R_B)$ from the obtained n bits is mn mn bits. Hence, we can consider that TP obtains m -bit values of $q_A^i, q_B^i$ $(n+1 \le i \le n+m)$. Then, for each leaked bit, TP can obtain at most 0.4 bit of K . Hence, the maximal information leakage of K from the whole $q_A^i, q_B^i$ $(1 \le i \le n+m)$ is m m bits. In Strategy 2, the maximal information leakage of $h(R_A), h(R_B)$ from $q_A^i, q_B^i$ $(n+1 \le i \le n+m)$ is m bits. All the leaked bits can be considered as the value leakage of $q_A^i, q_B^i$ $(1 \le i \le n)$. Then, the maximal information leakage of K still is m . Hence, no matter which attack strategy is chosen by TP, the maximal information leakage of K is m bits. The key recycling rate $rate(K)$ is
$$rate(K) = \frac{bit(K) - leakage(K)}{bit(K)} = \frac{n + m - 0.33m}{n + m} = \frac{n + 0.67m}{n + m}.$$
K and K in the proposed LAQKD protocol 2
Different from Protocol 1, in Protocol 2, $h(R_A), h(R_B)$ are directly announced. Hence, the information leakage of $R_A, R_B$ can be considered as m bits and then the information leakage of K is m m bits. Then, the key recycling rate of K is
$$rate(K) = \frac{bit(K) - leakage(K)}{bit(K)} = \frac{n - 0.8m}{n}.$$
As for the K which is used to choose the positions for dividing R into $R_A$ and $R_B$, TP can only obtain information about K from the announced $h(R_A), h(R_B)$. Hence, the maximal information leakage of K is m bits. The key recycling rate of K is
$$rate(K) = \frac{bit(K) - leakage(K)}{bit(K)} = \frac{n - 2m}{n}.$$
K in the proposed LAQKD protocol 3
The key recycling rate of K in protocol 3 is the same as that in protocol 1. That is, because K in protocol 3 is used to perform H on each qubit, K can be considered as the bases of $q_A^i, q_B^i$ $(1 \le i \le n+m)$. Moreover, the values of $q_A^i, q_B^i$ $(1 \le i \le n+m)$ are decided by $R_A \| h(R_A), R_B \| h(R_B)$. Here, the decision methods of both the values and the bases of $q_A^i, q_B^i$ $(1 \le i \le n+m)$ are the same as those in the proposed Protocol 1. Hence, the key recycling rate of K is the same as that in the proposed Protocol 1 where n mrate K n m .
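The 85.4% guessing bound, the per-photon leakage it implies and the recycling-rate definition of this section can be checked numerically. The Python sketch below is an added example, not code from the paper; it assumes the four single-photon states are the BB84 states |0>, |1>, |+>, |-> (the set itself is missing from this copy) with |0>, |+> carrying value 0, scans only measurements in real rotated bases, and uses constructed key sizes n and m.

```python
import math

# Assumption (the page's state set did not survive extraction): the four
# single-photon states are the BB84 states, with |0>,|+> carrying value 0
# and |1>,|-> carrying value 1. Amplitudes are real 2-vectors.
R = 1 / math.sqrt(2)
STATES = {"|0>": ((1.0, 0.0), 0), "|1>": ((0.0, 1.0), 1),
          "|+>": ((R, R), 0), "|->": ((R, -R), 1)}


def guess_probability(theta):
    """Average chance of reading the right value when every photon is
    measured in the orthonormal basis rotated by theta from the Z-basis."""
    b0 = (math.cos(theta), math.sin(theta))    # outcome read as value 0
    b1 = (-math.sin(theta), math.cos(theta))   # outcome read as value 1
    total = 0.0
    for amp, value in STATES.values():
        target = b0 if value == 0 else b1
        overlap = amp[0] * target[0] + amp[1] * target[1]
        total += overlap ** 2                  # Born rule
    return total / len(STATES)


def best_rotation(steps=3600):
    """Scan rotations in [0, pi) and return (theta, probability) of the best."""
    grid = (math.pi * k / steps for k in range(steps))
    return max(((t, guess_probability(t)) for t in grid), key=lambda tp: tp[1])


def binary_entropy(p):
    """Shannon entropy H(X) = -sum p(x) log2 p(x) of a two-outcome variable."""
    return -sum(x * math.log2(x) for x in (p, 1.0 - p) if x > 0.0)


def value_leakage(p_correct):
    """Bits learned about a uniformly random value bit from a guess that is
    right with probability p_correct (binary symmetric channel)."""
    return 1.0 - binary_entropy(p_correct)


def recycling_rate(total_bits, leaked_bits):
    """rate(K) = (bit(K) - leakage(K)) / bit(K), as defined in Section 4."""
    if total_bits <= 0 or not 0 <= leaked_bits <= total_bits:
        raise ValueError("need 0 <= leakage <= bit length, bit length > 0")
    return (total_bits - leaked_bits) / total_bits


if __name__ == "__main__":
    theta, p = best_rotation()
    print(f"best rotation  : {theta / math.pi:.3f} * pi")
    print(f"P(correct)     : {p:.4f}")
    print(f"leak per photon: {value_leakage(p):.3f} bit")
    n, m = 256, 128                  # constructed key sizes
    # 0.33*m is the leakage coefficient in the page's Protocol 1 expression.
    print(f"rate(K), P1    : {recycling_rate(n + m, 0.33 * m):.3f}")
```

Measuring in the Z-basis alone (`guess_probability(0.0)`) gives only 75%, which is why the intermediate basis at pi/8 sets the worst-case leakage used when deciding how much of a pre-shared key to keep.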
5. Comparison
This section compares the three proposed LAQKD protocols with several existing authenticated quantum key distribution protocols [16, 22, 26]. Before the comparison, a new concept named transmission time cost is introduced.
For a quantum protocol, the transmission time cost is used to quantify the qubit and classical bit transmission time needed for running the protocol. To our knowledge, this study is the first to propose the transmission time cost concept for quantum protocols. Most of the existing quantum protocols just focus on getting a better qubit efficiency, needing fewer quantum capabilities or using quantum resources which are easier to implement. However, to achieve these requirements, several existing quantum protocols cost a lot of transmission time. For example, Sun et al. [29] proposed an improvement on Liu et al.’s [30] quantum key agreement protocol. In Liu et al.’s protocol, every involved participant needs to generate and send a qubit sequence to every other participant. In Sun et al.’s improved protocol, every participant just needs to generate one qubit sequence and then transmit it among all the involved participants one by one. Though Sun et al.’s improvement has a higher qubit efficiency thanks to its qubit transmission method, this qubit transmission method costs a lot of time. That is, in Liu et al.’s protocol, all the qubit transmission processes can be carried out simultaneously. Hence, if the time cost of waiting for one qubit transmission is assumed to be ‘1’, then the time cost of the qubit transmission processes in Liu et al.’s protocol is only ‘1’. In Sun et al.’s protocol, one qubit sequence has to be transmitted N times, where N is the number of involved participants. Accordingly, the qubit transmission time cost of Sun et al.’s protocol is ‘N’. Hence, although Sun et al.’s improved protocol has the higher qubit efficiency, Liu et al.’s protocol has the lower qubit transmission time cost, so it is difficult to determine which protocol is more efficient. To make the comparison of quantum protocols more comprehensive, the transmission time cost should be considered.
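The two costs quoted above, ‘1’ and ‘N’, can be reproduced by counting the longest chain of transmissions that have to wait for one another. The Python sketch below is an added example, not part of the paper, and it goes beyond the two cases in the text by handling any dependency graph; the unit-time rounds, the dependency model and the names `transmission_time_cost`, `liu_style` and `sun_style` are assumptions of this example.

```python
def transmission_time_cost(depends_on):
    """Number of unit-time rounds needed when every transmission whose
    prerequisites have arrived is sent in parallel (longest waiting chain).

    depends_on maps a transmission id to the ids that must arrive before it
    can start. Raises ValueError on unknown ids or circular waits.
    """
    finish = {}              # id -> round in which the transmission completes
    in_progress = set()      # ids on the current chain, for cycle detection

    def finish_round(tid):
        if tid in finish:
            return finish[tid]
        if tid not in depends_on:
            raise ValueError(f"unknown transmission: {tid}")
        if tid in in_progress:
            raise ValueError(f"circular wait at: {tid}")
        in_progress.add(tid)
        finish[tid] = 1 + max((finish_round(d) for d in depends_on[tid]),
                              default=0)
        in_progress.discard(tid)
        return finish[tid]

    return max((finish_round(t) for t in depends_on), default=0)


def liu_style(n):
    """Every participant sends its own sequence to every other participant;
    no transmission waits for another one."""
    return {f"P{i}->P{j}": [] for i in range(n) for j in range(n) if i != j}


def sun_style(n):
    """Each participant's single sequence is passed on participant by
    participant for N hops; every hop waits for the previous hop."""
    deps = {}
    for owner in range(n):
        prev = None
        for hop in range(n):
            src, dst = (owner + hop) % n, (owner + hop + 1) % n
            tid = f"seq{owner}:hop{hop}:P{src}->P{dst}"
            deps[tid] = [prev] if prev else []
            prev = tid
    return deps


if __name__ == "__main__":
    for n in (3, 5, 8):
        print(n, transmission_time_cost(liu_style(n)),
              transmission_time_cost(sun_style(n)))
```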
The transmission time cost (TTC) of a protocol is defined as ‘the minimum waiting time of the qubit transmission and classical bit transmission for running a protocol’. Here, ‘minimum’ means that if several transmission processes can be carried out simultaneously, then these processes are counted as just one time. Assume that the time cost of transmitted qubits is the same as the time cost of transmitted classical bits, then & TTC TTC q TTC b TTC q b where TTC q and TTC b are the minimum waiting time of all the qubit transmission processes and the classical bit transmission processes, respectively. & TTC q b denotes some transmission processes where both the qubits and the classical bits can be transmitted simultaneously.
In this part, the comparisons of the three proposed LAQKD protocols and several existing quantum key distribution protocols are shown. Because this study is the first to satisfy both requirements, authentication and all participants being lightweight, there are no similar protocols to compare with the proposed protocols. To solve this problem, the comparison is divided into two parts. First, in Table 6, the proposed protocols are compared with a lightweight quantum key distribution (LQKD) protocol [16]. Second, in Table 7, the comparison among the proposed protocols and two authenticated quantum key distribution (AQKD) protocols [22, 26] is given. The comparison includes the qubit efficiency, the bit number of pre-shared master keys, the quantum resources, the quantum capabilities, the key recycling and the transmission time cost.
Qubit efficiency (QE): The qubit efficiency is used to quantify the number of quantum particles needed for sharing a secure session key. Several existing quantum protocols [22, 26] use the equation $QE = \frac{b}{q}$ to quantify it. Here, QE is the abbreviation of the qubit efficiency, b denotes the bits of the final shared raw key and q is the total number of quantum particles used in the protocol. The less QE the better qubit efficiency is.
Bit number of pre-shared master keys (PSK): The bit number of pre-shared master keys is used to quantify the cost of key management for running a protocol. The pre-shared master keys in each protocol are the keys that the involved participants need to hold for a long time so that they can run the protocol whenever they need to.
Quantum resources (QR): Quantum resources denote which quantum states are needed for running a protocol, such as single photons, Bell states, cluster states and so on.
Quantum capabilities (QC): Quantum capabilities describe the quantum capabilities that each participant and TP need for running a protocol.
Key recycling (KR): The key recycling rate is used to quantify how many bits of the pre-shared master keys can be recycled when an eavesdropper has been detected. Here, if a protocol discards all the pre-shared master keys when an eavesdropper has been detected, then the key recycling rate is denoted as N/A.
Transmission time cost (TTC): It is used to quantify the time needed for running a protocol, as shown above.
Table 6. Comparison among LQKD protocols
Hwang et al. [16] | Proposed protocol 1 | Proposed protocol 2 | Proposed protocol 3
QE: nn m nn m
QR: Bell state | Single photon | Bell state | Single photon
QC of TP:
QC of participants:
TTC: 5 | 2 | 2 | 3
Table 7. Comparison among AQKD protocols
Li et al. [26] | Tsai et al. [22] | Proposed protocol 1 | Proposed protocol 2 | Proposed protocol 3
QE: nn m nn m nn m
PSK: n m n n m l n m l n m l
QR: Bell state | Single photon | Single photon | Bell state | Single photon
KR: N/A | N/A | n mn m n mK nn mK n n mn m
TTC: 2 | 3 | 2 | 2 | 3
6. Conclusions
To make quantum key distribution protocols more practical, this paper designs three different LAQKD protocols from two perspectives: lightweight and authenticated. Moreover, the different proposed protocols require different lightweight quantum capabilities of the involved participants. Hence, with these proposed protocols, the participants can flexibly choose a suitable protocol according to their own lightweight quantum capabilities. Besides, different from most of the existing authenticated quantum protocols, a key recycling threshold is given for each proposed LAQKD protocol. When eavesdropping is detected, the participants need not discard all the pre-shared keys and share pre-shared keys again; they can recycle most parts of the pre-shared keys instead. This point also makes the proposed protocols more practical than others. Furthermore, a new concept named transmission time cost is proposed in this paper. This concept makes the comparison of quantum protocols more comprehensive. Considering the real environment, however, all the protocols proposed in this paper have a disadvantage. That is, all the participants involved in these protocols are required to have the same lightweight quantum capabilities. For example, in the proposed LAQKD protocol 1, both Alice and Bob need to have the same quantum capabilities: generating Z-basis qubits and performing single photon unitary operations. Therefore, how to help two participants with different lightweight quantum capabilities share keys is still a problem worthy of research.
Acknowledgment
We would like to thank the Ministry of Science and Technology of the Republic of China, Taiwan for partially supporting this research in finance under the Contract No. MOST 109-2221-E-006-168-; No. MOST 108-2221-E-006-107-.
References
[1] Charles H. Bennett and Gilles Brassard, "Quantum cryptography: Public key distribution and coin tossing," in Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, India, 1984, pp. 175-179.
[2] Charles H Bennett, Gilles Brassard, and N David Mermin, "Quantum cryptography without Bell’s theorem," Physical Review Letters, vol. 68, no. 5, p. 557, 1992.
[3] Jennifer Ouellette, "Quantum key distribution," Industrial Physicist, vol. 10, no. 6, pp. 22-25, 2004.
[4] Tzonelih Hwang, Chia-Wei Tsai, and Song-Kong Chong, "Probabilistic quantum key distribution," Quantum Information & Computation, vol. 11, no. 7-8, pp. 615-637, 2011.
[5] Hoi-Kwong Lo, Xiongfeng Ma, and Kai Chen, "Decoy state quantum key distribution," Physical Review Letters, vol. 94, no. 23, p. 230504, 2005.
[6] Hoi-Kwong Lo, Marcos Curty, and Bing Qi, "Measurement-device-independent quantum key distribution," Physical Review Letters, vol. 108, no. 13, p. 130503, 2012.
[7] Feihu Xu, "Measurement-device-independent quantum communication with an untrusted source," Physical Review A, vol. 92, no. 1, p. 012333, 2015.
[8] Artur K Ekert, "Quantum cryptography based on Bell’s theorem," Physical Review Letters, vol. 67, no. 6, p. 661, 1991.
[9] Michel Boyer, Dan Kenigsberg, and Tal Mor, "Quantum key distribution with classical Bob," Physical Review Letters, vol. 99, p. 140501, 2007.
[10] Qin Li, Wh Chan, and Dong-Yang Long, "Semiquantum secret sharing using entangled states," Physical Review A, vol. 82, no. 2, p. 022303, 2010.
[11] Xiangfu Zou, Daowen Qiu, Lvzhou Li, Lihua Wu, and Lvjun Li, "Semiquantum-key distribution using less than four quantum states," Physical Review A, vol. 79, no. 5, p. 052312, 2009.
[12] Wang Jian, Zhang Sheng, Zhang Quan, and Tang Chao-Jing, "Semiquantum key distribution using entangled states," Chinese Physics Letters, vol. 28, no. 10, p. 100301, 2011.
[13] Jian Wang, Sheng Zhang, Quan Zhang, and Chao-Jing Tang, "Semiquantum secret sharing using two-particle entangled state," International Journal of Quantum Information, vol. 10, no. 05, p. 1250050, 2012.
[14] Xiangfu Zou and Daowen Qiu, "Three-step semiquantum secure direct communication protocol," Science China Physics, Mechanics & Astronomy, vol. 57, no. 9, pp. 1696-1702, 2014.
[15] Brian Julsgaard, Jacob Sherson, J Ignacio Cirac, Jaromír Fiurášek, and Eugene S Polzik, "Experimental demonstration of quantum memory for light," Nature, vol. 432, no. 7016, pp. 482-486, 2004.
[16] Tzonelih Hwang, Yen-Jie Chen, Chia-Wei Tsai, and Cheng-Ching Kuo, "Semi-quantum Inspired Lightweight Mediated Quantum Key Distribution Protocol," arXiv preprint arXiv:2007.05804,
Quantum Information Processing, vol. 13, no. 6, pp. 1457-1465, 2014.
[18] Ivan Damgård, Thomas Brochmann Pedersen, and Louis Salvail, "A quantum cipher with near optimal key-recycling," in Annual International Cryptology Conference, 2005, pp. 494-510: Springer.
[19] Boris Škorić and Manon De Vries, "Quantum Key Recycling with 8-state encoding (The Quantum One-Time Pad is more interesting than we thought)," International Journal of Quantum Information, vol. 15, no. 03, p. 1750016, 2017.
[20] Yu-Chin Lu, Chia-Wei Tsai, and Tzonelih Hwang, "Quantum Key Recycling with optimal key recycling rate based on a noise level," arXiv preprint arXiv:2004.11596,
Journal of Computer and System Sciences, vol. 18, no. 2, pp. 143-154, 1979.
[22] Chia-Wei Tsai and Chun-Wei Yang, "Lightweight authenticated semi-quantum key distribution protocol without trojan horse attack," Laser Physics Letters, vol. 17, no. 7, p. 075202, 2020.
[23] Eli Biham, Michel Boyer, Gilles Brassard, Jeroen Van De Graaf, and Tal Mor, "Security of quantum key distribution against all collective attacks," Algorithmica, vol. 34, no. 4, pp. 372-388, 2002.
[24] Naya Nagy and Selim G Akl, "Authenticated quantum key distribution without classical communication," Parallel Processing Letters, vol. 17, no. 03, pp.
IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 1, pp. 71-80, 2007.
[26] Chuan-Ming Li, Kun-Fei Yu, Shih-Hung Kao, and Tzonelih Hwang, "Authenticated semi-quantum key distributions without classical channel," Quantum Information Processing, vol. 15, no. 7, pp. 2881-2893, 2016.
[27] Asher Peres, Quantum theory: concepts and methods. Springer Science & Business Media, 2006.
[28] Richard Jozsa and Jürgen Schlienz, "Distinguishability of states and von Neumann entropy," Physical Review A, vol. 62, no. 1, p. 012301, 2000.
[29] Zhiwei Sun, Cai Zhang, Banghai Wang, Qin Li, and Dongyang Long, "Improvements on “Multiparty quantum key agreement with single particles”," Quantum Information Processing, vol. 12, no. 11, pp. 3411-3420, 2013.
[30] Bin Liu, Fei Gao, Wei Huang, and Qiao-Yan Wen, "Multiparty quantum key agreement with single particles,"