This article appeared in a journal published by Elsevier. The attached copy is furnished to the author for internal non-commercial research and

Transcription

1 This article appeared in a journal published by Elsevier. The attached copy is furnished to the author for internal non-commercial research and education use, including for instruction at the authors institution and sharing with colleagues. Other uses, including reproduction and distribution, or selling or licensing copies, or posting to personal, institutional or third party websites are prohibited. In most cases authors are permitted to post their version of the article (e.g. in Word or Tex form) to their personal website or institutional repository. Authors requiring further information regarding Elsevier s archiving and manuscript policies are encouraged to visit:

2 Optics Communications 283 (2010) Contents lists available at ScienceDirect Optics Communications journal homepage: Secure quantum sealed-bid auction with post-confirmation Zhiwen Zhao a, Mosayeb Naseri b,, Yuanqing Zheng a a College of Information Science and Technology, Beijing Normal University, Beijing , China b Islamic Azad University, Kermanshah Branch, Kermanshah, Iran article info abstract Article history: Received 12 January 2010 Received in revised form 7 April 2010 Accepted 10 April 2010 Keywords: Quantum communication GHZ state Quantum sealed-bid auction A new secure quantum auction with post-confirmation is proposed, which is a direct application of the multi-particle super dense coding scheme to the auction problem. In this scheme all bidders use M groups n- particle GHZ states to represent their bids. Different from classical auction protocols and the previous secure quantum sealed-bid auction protocols, in the present scheme, by introducing a post-confirmation mechanism the honesty of the quantum sealed-bid auction is guaranteed, i.e., malicious bidders cannot collude with auctioneers. Also by sharing secret keys with the bidders the auctioneer could insure the anonymity of the bidders Elsevier B.V. All rights reserved. 1. Introduction Cryptography has been one of the most fruitful applications coming out of the quantum information theory and it appears to be practically implemental in the nearest future among quantum technologies [1]. Since the pioneering quantum key distribution (QKD) was presented by Bennett and Brassard in 1984 [2], a number of QKD protocols based on quantum mechanics have been proposed [2 13]. On the other hand, quantum secure direct communication (QSDC) schemes have been proposed and attracted much attention [14 16]. Different from QKD protocols which aim to generate a private key between communication users, the QSDC protocols ensure the security of direct communication without establishing any secret key beforehand and then encrypting the secret messages. Recently, one of us proposed a quantum sealed-bid auction protocol using QSDC based upon GHZ states [17]. For the sake of simplicity, we call this protocol Naseri's protocol in the rest of this paper. In a sealed-bid auction, bidders simultaneously submit bids to an auctioneer without knowing other participants' bids; and the highest bidder will be the winner. The crucial issue of any auction protocol is its security. Each secure auction protocol includes one auctioneer, one third party or auction host and many bidders (sometimes an auctioneer plays the role of third party in auction protocols). Essentially the most important requirements of secure auction can be summarized as follows [18 20]: (1) Anonymity: all bidders can keep anonymity in an auction, even if the bid is opened, i.e., no one can gain access to other bidder's information, except the auction host. In addition, only the Corresponding author. address: sepehr1976@yahoo.com (M. Naseri). auction host stores the bidder's information, therefore, it can maintain anonymity in the auction, even after the bid is opened. (2) Public verifiability: all the bidding prices and the winning prices can be verified by anyone, i.e., everybody should be able to see all the bids and verify that the auctioneer chosen the biggest one to prevent the dishonest auction host or auctioneer cheating bidders and performing a conspiracy with a malicious bidder. (3) Accountability of bidder: the auction cannot be interrupted by any malicious bidders with a dishonest bid without being detected. That is to say, the auction host can verify each bid when the bidder casts a bid. (4) Fairness: all sealed-bids are opened at the same time, and the third party or the auctioneer cannot collude with a malicious bidder to cheat the other bidders. (5) Non-repudiation: the property of non-repudiation is that both the bidder cannot deny having cast his/her bid and the auction host cannot deny that he has received the bid from the bidder. (6) Traceability: the winning bidder can be identified when the auction is finished. Since the first secure quantum auction scheme was proposed, it has attracted much attention by the researchers [21 24]. Yang et al [22], Qin et al [23] have shown that the Naseri's protocol does not complete the task of a sealed-bid auction fairly, i.e., they have shown that a dishonest bidder can obtain all the other secret bids by two special types of attack, i.e., double Controlled NOT attack or using fake entangled particles. Furthermore, a simple possible improvement of the protocol was proposed. On the other hand, Zheng and Zhao [24], Liu et al [25] have published other remarks on the protocol. It is apparently that with the improvements presented in [21 24], the Naseri's protocol does complete the task of a sealed-bid auction /$ see front matter 2010 Elsevier B.V. All rights reserved. doi: /j.optcom

3 Z. Zhao et al. / Optics Communications 283 (2010) fairly. But as mentioned in [21], one of the main sources of insecurity of the protocol still remains! In fact; in any secure auction protocol the possibility of collusion of the bidders with the auctioneer should be mentioned and the protocol should contain a security method which guarantees that if one of the bidders or a group of the bidders decide to collude with the auctioneers, they would not succeed. It is clear, the original article, does not present such a method to bind the collusion of the bidders with the auctioneer. In this paper, a new secure quantum sealed-bid auction protocol is presented to ensure the fairness of the sealed-bid auction, which can detect and defeat the collusion between any malicious bidders and dishonest auctioneer and guarantee the anonymity of the bidders. The rest of this paper is organized as follows: In the next section we review Naseri's protocol and its improved versions. The new quantum sealed-bid auction protocol is presented in Section 3. For convenience, as an example a three-party auction is described in Section 4. Finally, some remarks and results presented in the paper are to be set forth and discussed in Section Review of Naseri's quantum sealed-bid auction protocol Let us give a brief introduction of Naseri's protocol [17]. In Naseri's protocol, the auction model consists of one auctioneer, Alice, and n 1 bidders, Bob, Charlie,... and Zach. The auctioneer Alice generates M groups of n-particle GHZ states ( ψ ijk y abc z, i, j, k,,y=0, 1). Then Alice keeps particles and sends b particles to Bob, c particles to Charlie,..., z particles to Zach, respectively. Then all of the bidders confirm to Alice that they have received all the particles. After eavesdropping detection, bidders encode their bids by performing unitary operations, I,iσ y (I denotes 0, and iσ y denotes 1, respectively) on their own particles and send the encoded particles back to Alice. Afterwards, Alice encodes her final secret message with one of the four unitary operations I, σ x,iσ y, σ z (I, σ x,iσ y, σ z denote 00, 01, 10, and 11, respectively) on her own particles. Then Alice performs n-particle GHZ basis measurements, and publicly announces the initial states and the measurement outcomes. According to the initial states and measurement outcomes, every bidder can deduce other bidders' secret bids, and the winner can be determined. In Ref. [21], a security loophole in Naseri's protocol was pointed out, and a possible improvement on the protocol was proposed. The original is insecure against the attacks with double Controlled NOT operations or fake entangled particles. It has been demonstrated that a malicious bidder can obtain all the bids of honest bidders before Alice's public announcement, and therefore, Naseri's protocol is insecure and unfair. Then to prevent the malicious bidder from stealing the secret bids before the public announcement phase, the auctioneer can send additional decoy particles [25,26] along with the particle sequences of the bidders, and the positions of the decoy particles are unknown to all the bidders. Therefore, if a malicious bidder attacks the auction with Controlled NOT operations or fake entangled particles, the eavesdropping of the malicious bidder will be detected. This modification definitely improves the security of quantum secure auction, but the possibility of collusion of a malicious bidder with the auctioneer still remains. In Ref. [23], it has been pointed out that a dishonest bidder can collude with the auctioneer to win the auction. This is a major loophole of Naseri's protocol and the improved protocol [19]. Although this problem was mentioned in both papers [19,23], no solution has been provided yet. In the following section, by introducing a post-confirmation procedure we provide a possible solution to guarantee the security and honesty of quantum sealed-bid auction. Furthermore, it is needless to say that according to the first requirement in any secure auction protocol all of the bidders should be kept anonymous in an auction, even if the bids are opened, i.e., no one can gain access to other bidder's information, except the auction host. Here, by sharing secret keys with the bidders the auctioneer or auction host could insure the anonymity of the bidders. 3. Quantum sealed-bid auction with post-confirmation In this section, we present procedures to guarantee the honesty of quantum sealed-bid auction and the anonymity of the bidders. The auction model consists of an auctioneer, Alice, and n 1 bidders, Bob, Charlie,, and Zach. They agree that the bidders perform the two unitary operations I,σ y to encode 1-bit classical secret message 0, 1, respectively, where: I = j0 0j + j1 1j; iσ y = j0 1j j1 0j The steps of a new secure quantum sealed-bid auction can be described as follows: Step 1: Auctioneer, Alice shares secret keys K AB,K AC,K AD,,K AZ with Bob, Charlie, Dick,..Zack, respectively. To ensure unconditional security, let us suppose that both keys are m-bit and distributed via QKD protocols [27,28]. Step 2: Bob, Charlie, Dick,..Zack transform their bids into an m-bit sequence L A ={l 1 A,l 2 A,,l m A }, L B ={l 1 B,l 2 B,,l m B },, L Z ={l 1 Z,l 2 Z,,l m Z } respectively. Where l i j a {0,1}. Step 3: Alice generates m+δ groups of n-particle GHZ states randomly selected from the 2 N n-particle GHZ states (( ψ ijk y abc z,i, j, k,,y=0,1)), and sends m+δ groups of b particles to Bob, m+δ groups of c particles to Charlie,... and m+δ groups of z particles to Zach. Also to prevent the dishonest bidder from stealing the secret bids, the auction host, adds some decoy photons [29,30] in the particle sequences of the bidders and the auctioneer. The principle of the decoy photon technique is that Alice prepares some photons which are randomly in one of the four non orthogonal states ( 0, 1 ) or ( +, ). Afterwards he inserts them into the transmitted sequences and makes a record of the insertion positions of the decoy photons for eavesdropping check. As the states and the positions of the decoy photons are unknown for any one, the eavesdropping done by the dishonest bidder will inevitably disturb these decoy photons and will be detected. In this way, the eavesdropping of the dishonest bidder will be revealed. Step 4: The bidders confirm Alice that they have received all the particles. Hereafter, Alice selects randomly δ subset of her particles, then she measures them using one of two measuring bases ( 0, 1 ) or ( +, ) randomly, and publicly announces the measuring bases and the positions of the particles that she selected. Afterwards, each bidder measures the particles in the same position with the same measuring bases as Alice selected. According to the initial states of the particles, her own measurement outcomes, and the measurement outcomes of the bidders, Alice can evaluate the error rate of the transmission of the particles. If there is an error, the auction will be aborted. Otherwise, the bidders store the particles leftover (m group particles) after checking eavesdropping, which are called L-particles. Then the auction continues to the next step. Step 5: To bind the collusion of the bidders with the auctioneer, each bidder prepares quantum particles and encodes the bid in such a way that 0 or 1 encodes classical secret message 0, and 1 or encodes classical secret message 1, respectively, and sends the particles along with some decoy particles to the other bidders. We call the particles, which are prepared by bidder i and sent to bidder j, C ij particles. Here, C ij particles are not necessarily identical to C ik particles (j k). When receiving C ij particles, bidder i and bidder j check the security ð1þ

4 3196 Z. Zhao et al. / Optics Communications 283 (2010) of C ij particles by measuring the decoy particles in the same measuring bases. If there is an error, the auction will be terminated. Otherwise, all of the bidders store the leftover C ij particles in their sites. Then the auction continues to the next step. In fact, here 2C2 N 1 ðn 1Þ! =2 2! ðn 1 2Þ! = ðn 1ÞðN 2Þ of particle groups are exchanged between the bidders. Needles to say, that without knowing the proper basis, it is impossible for the bidders to reveal any useful information about the other's secret bids by measuring their C ij particles. Step 6: If no error happens, to get the secret encrypted bids, any one of the bidders encrypts his/her secret bids L B ={l 1 B,l 2 B,,l m B },, L Z ={l 1 Z,l 2 Z,,l m Z } with the key K AB, K AC,..,K AZ respectively, L B = K AB L B ={l B 1,l B 2,...,l B m},...,l Z = K AZ L Z ={l Z 1,l Z 2,...,l Z m}. Then any one of the bidders encodes their encrypted bids by applying unitary operations, I, iσ y on his/her L-particles and sends them back to the auctioneer, i.e., if the i-th bit of the j-th bidder's secret encrypted bid is zero, l j i=0, he/she performs I= on his/her particles, if l j i=1 he/she applies I= on his/her particles. Afterwards all of the bidders send their encoded particles back to Alice. Step 7: After receiving all of the L-particles from the bidders, Alice performs n-particle GHZ basis measurement on the remaining groups a, b, c,...and z particles. It is clear that according to the initial states, the measurement outcomes and the secret keys K AB,K AC,K AD,...,K AZ, the candidate winner can be determined. Step 8: In order to check the honesty of the auction, the candidate winner (for example i-th bidder) has to publicly announce the proper basis of C ij particles. So any one of the bidders can measure his C particles with the correct measurement basis. So if the measurement outcomes of the bidders C particles are match up with the auctioneer's announcement. The honesty of the auction will be ensured. 4. An example: three-party quantum sealed-bid auction For the sake of clearness, we provide an example of three-party quantum sealed-bid auction with post-confirmation. In this simple model, we suppose there are an auctioneer, Alice, and two bidders, Bob and Charlie who are share secret keys K AB =0010 and K AC =0101 with Alice. Also suppose that Bob's secret bid is 1111, Charlie's secret bid is 1001, So Bob's secret encrypted bid is 1101, Charlie's secret encrypted bid is The three-particle GHZ state is in the form of jψ ijk abc = 1 pffiffiffi 2 j 0; i; j + ð 1Þ k j0; P i; P j Where i, j, k =0,1, i = i 1,j = j 1 ( denotes the addition modulo 2), and the subscripts a, b, c indicates the particles belonging to Alice, Bob, and Charlie, respectively. At first Alice generates 4+δ groups of three-particle GHZ states randomly in one of the 2 3 =8 three-particle GHZ states (( ψ ijk y abc z, i,j,k,, y=0,1)), and sends 4+δ groups of the b particles to Bob, 4 +δ groups of the c particles to Charlie. In the 4+δ groups, δ groups will be used to detect the existence of eavesdropping in the quantum channel, and 4 groups will be used to encrypt and transmit secret messages. Once Bob and Charlie confirm Alice that they have received all the b particles and c particles, Alice selects δ particles, measures them with one of two measuring bases ( 0, 1 ) or ( +, ) randomly, and publishes the measurement bases and the positions of δ particles. Hereafter, Bob and Charlie measure δ particles in the same positions with the same measurement bases as Alice chose, and inform Alice their measurement outcomes. With the knowledge of the initial states, her measurement results on a particles, and the measurement results of Bob and Charlie, Alice can determine whether or not there is any abc ð2þ eavesdropping in the quantum channel. If an error exists, Alice terminates the auction. Otherwise, they go on to the next step. Suppose the leftover 4 groups of three-particle GHZ states, after the eavesdropping detection, are { ψ 000 abc, ψ 000 abc, ψ 010 abc, ψ 100 abc } and Bob keep the b particles, while Charlie stores the c particles. Afterwards Bob and Charlie prepare their post-confirmation particles to according to their secret bids in such a way that 0 or + encodes classical secret message 0, and 1 or encodes classical secret message 1, respectively. Given that Bob's secret bid is 1111, and Charlie's secret bid is 1001, Bob prepares his post-confirmation particles as C BC ={ 1, +, 1, }, and Charlie prepares his post-confirmation particles as C CB ={, +, 0, 1 }. Then Bob sends C BC along with some decoy particles randomly distributed in the quantum particle sequence to Charlie; Charlie sends C CB along with some decoy particles randomly distributed to Bob. When receiving the particles from each other, Bob and Charlie check the security of their quantum channel by measuring the decoy particles. If there is an error, the auction will be aborted. Otherwise, Bob and Charlie store the C CB, C BC sequences in their sites and the auction proceeds to the next step. Then Bob and Charlie encode their secret bids by performing unitary operations, I,iσ y on b particles and c particles that they stored beforehand, respectively. Since Bob's secret encrypted bid is 1101, and Charlie's secret encrypted bid is 1100, Bob encodes the b particles by performing {iσ y,iσ y,i,iσ y }, and Charlie encodes the c particles by applying {iσ y,iσ y,i,i}. So the three-particle GHZ states become {iσ y b iσ y c ψ 000 abc = ψ 010 abc, iσ y b iσ y c ψ 000 abc = ψ 010 abc, I b I c ψ 010 abc = ψ 010 abc,iσ y b I c ψ 100 abc = ψ 001 abc }. Then they transmit the particles back to Alice. After receiving all the b particles and c particles, she performs the three-particle GHZ basis measurement { ψ 010 abc, ψ 010 abc, ψ 010 abc, ψ abc, ψ 010 abc, ψ 010 abc, ψ 001 abc }. According to the initial states, the measurement outcomes and the secret keys K AB, K AC, the winner of the auction, Bob, and his bid 1101 will be publicly presented by the auctioneer. Finally, to guarantee the honesty of the auction, the winner of the auction, Bob, has to broadcast the basis each photon in C BC sequence was sent in, i.e., {( 0, 1 ),( +, ),( 0, 1 ),( +, ),}, lets Charlie measure the stored C BC sequence using the operators { , + + +, , }. So, since the results of Charlie's measurements are { 1,, 1, }, which can be decoded as 1111, the Bob's bids, Charlie will be ensured that the auction process is fair and he has to accept the auction result. If the results do not match up with Alice's announcement, the postconfirmation procedure successfully reveals the collusion between Alice and Bob. 5. Discussion and conclusions The crucial issue of any quantum sealed-bid auction is its security. In this section, we will discuss the security of the quantum sealed-bid auction with post-confirmation mechanism. In the previous papers, the security of Naseri's quantum sealed-bid auction protocol and its improved versions have been well analyzed [17,19]. Based upon the previous work, the quantum sealed-bid auction with post-confirmation mechanism can also resist the intercept-and resend attack, disturbance attack, and the attacks with double Controlled NOT operations or fake entangled particles. We will focus on the post-confirmation mechanism, and explain why this mechanism can effectively defeat the collusion between a malicious bidder and the auctioneer, while maintaining the security of the whole system. In Step 3, each bidder encodes the secret bid in quantum particles and sends the particles to other bidders. Although a malicious bidder can also get the quantum particles, without knowing the measurement bases, she/he cannot, except a pure guess, read out the secret bid. In addition, the quantum parities for different bidders from the

5 Z. Zhao et al. / Optics Communications 283 (2010) same bidder are not necessarily identical. Therefore, it eliminates the possibility of the collusion between two or more malicious bidders. In Step 6, the candidate winner is required to publicly announce her/ his measurement bases for other bidders to measure her/his quantum particles. Let us suppose Bob colludes with Alice, and Alice announces Bob's bid is 1110, which is higher than Charlie's bid. Then Bob holds Charlie's quantum particles ξ =,, 0, 0. For Charlie, the best measurement bases to publish are {( +, ),( +, ),( +, ), ( 0, 1 )}. In this case, the measurement result of the third quantum particle would be 0 with the probability of 1/2, and 1 with the probability of 1/2 respectively. If there are N bidders and Alice changes M-bit(s) of Bob's bid, the collusion between Alice and Bob can be successfully detected with the probability of D(N,M), DN; ð MÞ =1 1 : ð3þ NM 2 Obviously, D(N,M) tends to 1 in the limits of large NM. On the other hand, here, we will prove that our new secure quantum auction scheme does complete the task of a secure auction fairly and has the characteristics of anonymity, verifiability, accountability of bidder, fairness, non-repudiation and traceability. The anonymity of the bidders can be maintained in the auction. Since the offers of the bidders includes the keys K AB,K AC,...,K AZ which are only known by auctioneer, all of the bidders can keep anonymity in an auction, even if the bid is opened, i.e., no one can gain access to the other bidder's information, except the auction host. Also the protocol is public verifiable. Once some disagreement happens, according to the single particle sequences which are prepared and exchanged between the bidders the referee can judge whether the auction is valid or not. It is clear that in the present protocol the bidders could not deny their bids, nor can Alice disavow his verification because the secret bids include the key K AB,K AC,...,K AZ which are only known by bidders and the auctioneer. Also cannot disavow her verification. It is needless to say that the protocol has also the characteristics of accountability, traceability and fairness. In conclusion, we have analyzed a Naseri's quantum sealed-bid auction protocol and its improved versions, and pointed out that a malicious bidder could collude with a dishonest auctioneer. Moreover, we proposed a possible improvement to the original protocol by using a post-confirmation. It has been shown that the honesty of the protocol can be guaranteed in our protocol. In practical implementations, our protocol requires a long-time quantum memory to store quantum particles in each bidder's site. Unfortunately, such quantum memory is beyond current technology. With the development of new technologies, our protocol might be realized in the near future. Acknowledgements This work is supported by Islamic Azad University, Kermanshah Branch, Kermanshah, IRAN. The author would like to thank Soheila Gholipour and Yasna Naseri for their interests in this work. References [1] N. Gisin, G. Ribordy, W. Tittel, H. Zbinden, Rev. Mod. Phys. 74 (2002) 145. [2] C.H. Bennett, G. Brassard, Proceedings of the IEEE International Conference on Computers, Systems and Signal Processings, Bangalore, India, IEEE, New York, 1984, p [3] A.K. Ekert, Phys. Rev. Lett. 67 (1991) 661. [4] C.H. Bennett, Phys. Rev. Lett. 68 (1992) [5] C.H. Bennett, G. Brassard, N.D. Mermin, Phys. Rev. Lett. 68 (1992) 557. [6] C.H. Bennett, S.J. Wiesner, Phys. Rev. Lett. 69 (1992) [7] A. Cabello, Phys. Rev. A 61, (2000); 64 (2001) [8] F.G. Deng, G.L. Long, Phys. Rev. A 68 (2003) [9] X.B. Wang, Phys. Rev. Lett. 92 (2004) [10] D. Song, Phys. Rev. A 69 (2004) [11] F.G. Deng, G.L. Long, Phys. Rev. A 70 (2004) [12] G. Gao, Opt. Commun. 281 (2008) 876. [13] H. Yuan, J. Song, L.F. Han, K. Hou, S.H. Shi, Opt. Commun. 281 (2008) [14] A. Beige, B.G. Engler, C. Kurtsiefer, H. Weinfurter, Acta Phys. Pol. A 101 (2002) 357. [15] A. Chamoli, C.M. Bhandari, Quantum Inf. Process. 8 (2009) 347. [16] K. Bostrom, T. Felbinger, Phys Rev. Lett. 89 (2002) [17] F.G. Deng, G.L. Long, X.S. Liu, Phys. Rev. A 68 (2003) [18] M. Naseri, Opt. Commun. 282 (2009) [19] C.C. Chang, Y.F. Chang, Comput. Secur. 22 (2003) 728. [20] S. Subramanian, Design and verification of a secure electronic auction protocol, Proc. IEEE 17th Symposium on Reliable Distributed Systems, Washington DC, USA, 1998, p [21] Y.-M. Liu, D. Wang, X.-S. Liu, Z.-J. Zhang, International Journal of Quantum Information 7 (6) (2009) [22] Y.G. Yang, M. Naseri, Q.Y. Wen, Opt. Commun. 282 (2009) [23] Su-Juan Qin, Qiao-Yan Wen, Song Lin, Fen-Zhuo Guo, Fu-Chen Zhu, Opt. Commun. 282 (2009) [24] Yuanqing Zheng, Zhiwen Zhao, Opt. Commun. 282 (2009) [25] Yi-Min Liu, Dong Wang, Xian-Song Liu, Zean-Jun Zhang, IJQI 7 (2009) [26] F. Gao, S. Lin, Q.Y. Wen, F.C. Zhu, Chin. Phys. Lett. 25 (2008) [27] F.G. Deng, Chin. Phys. Lett. 23 (2006) [28] R. Hughes, G. Morgan, C. Peterson, J. Mod. Opt. 47 (23) (2000) 533. [29] F. Deng, G. Long, Phys. Rev. A 70 (1) (2004) [30] F. Gao, S. Lin, Q.Y. Wen, F.C. Zhu, Chin. Phys. Lett. 25 (2008) 1561.