Counterfactual Quantum Deterministic Key Distribution

Transcription

1 Commun. Theor. Phys. 59 ( Vol. 59, No. 1, January 15, 013 Counterfactual Quantum Deterministic Key Distribution ZHANG Sheng (Ǒ, WANG Jian (, and TANG Chao-Jing (» School of Electronic Science and Engineering, National University of Defense Technology of China, Changsha , China (Received November 9, 011; revised manuscript received September 4, 01 Abstract We propose a new counterfactual quantum cryptography protocol concerning about distributing a deterministic key. By adding a controlled blocking operation module to the original protocol [T.G. Noh, Phys. Rev. Lett. 103 ( ], the correlation between the polarizations of the two parties, Alice and Bob, is extended, therefore, one can distribute both deterministic keys and random ones using our protocol. We have also given a simple proof of the security of our protocol using the technique we ever applied to the original protocol. Most importantly, our analysis produces a bound tighter than the existing ones. PACS numbers: Dv, Hk, 4.50.Ar, 4.50.Dv Key words: quantum key distribution, quantum cryptography, quantum communication 1 Introduction Quantum key distribution (QKD, [1 3] which enables two distant parties to establish a secure key based on fundamental principles of quantum mechanics, is one of prominent technologies in these decades, and exhibiting big advantages over its classical counterpart with security aspect. Since the first QKD protocol (BB84 [1] was proposed by Bennett and Brassard in 1984, QKD has been developed theoretically and experimentally to be one of the most promising technologies in the future, e.g., there have been a good many of variants following by the well-known BB84 protocol [4 7] and new technologies of the QKD engineering have been found to make it more friendly to people. [8] In addition, there is another interesting application in quantum cryptography, which is well known as quantum secure direct communication (QSDC. More interestingly, it is found that QSDC can also be applied to deterministic key distribution. Let us make a brief introduction on this topic: The first QSDC protocol, in which deterministically encoded Bell states are employed, was presented by Long and Liu. [9] Interestingly, in the very beginning, this protocol mostly impressed us by its high efficiency, rather than the origin of QSDC. [10] In 001, the notion of QSDC was declared by Boström and Felbinger, who announced another QSDC protocol, best known as the ping-pong protocol. [11] Unfortunately, their protocol was soon proved to be completely broken in a lossy channel. [1] The first meaningful QSDC protocol was presented by Deng and Long using block transmission. [13] Later, they announced another QSDC protocol using quantum one-time-pad. [14] In the same year, Cai et al. improved the ping-pong protocol with two-step ever induced in Ref. [13] and gave another QSDC protocol based on single photons. [15] Also, it was reported that quantum dense coding can be used for QSDC, [16] and Xiu et al. independently declared a QSDC protocol using quantum dense coding. [17] Recently, Wang presented a new protocol for three-party QSDC with a set of ordered M Einstein Podolsky Rosen pairs, and extended it into a quantum sealed-bid auction protocol. [18] Recently, Noh proposed a novel QKD protocol ( Noh 09 protocol [19] using a striking phenomenon commonly termed as quantum counterfactual effect, which is initiated by the idea of interaction-free measurement. [0 1] In fact, quantum counterfactuality is one of the marvellous applications of quantum interference, which is widely used in quantum computation. For example, it can be used to construct a duality computer [] and implement secure communications. [3] The Noh09 protocol is generalized as follow: Alice randomly prepares a photon chosen from the orthogonal set { H, V } and injects it into a Michelson-type interferometer connected with Bob s laboratory. A beam splitter (BS is placed before the output port of Alice s lab to randomly direct the photon. Consequently, part of the photons are reflected by the BS and redirected to Alice s detectors, i.e., these photons are not going through the channel. On the other hand, Bob, for each photon, randomly selects a polarization, which is crucial to control the interference of the two pulses split by the BS, i.e., the reflected pulse and transmitted one, using a polarization beam splitter and a optical switch. Above settings are specialized to induce the counterfactual effect, hence Bob can anti-intuitively deduce the secret bit from clicks of the detectors rather than the results of the measurement. Followd by Noh s effort, Yin et al. [4] have proved the security of Noh s protocol using the technique ever applied to the security proof of the conventional QKD protocols. [5] Motivated by the theoretical interest of the quantum counterfactual effect, we try in this paper to extend Noh s Supported by the National Natural Science Foundation of China under Grant No c 013 Chinese Physical Society and IOP Publishing Ltd

2 8 Communications in Theoretical Physics Vol. 59 protocol to a more general one, which enables two parties to distribute either random or deterministic keys. We also give a simple proof of the security of our protocol, using the technique we ever applied to prove the security of Noh s protocol, and our analysis produces a bound tighter than Yin et al s. At last, we further discuss about the underlying security problem in implementing a counterfactual quantum key distribution system. Our Protocol Suppose that Alice wants to share a deterministic key, denoted by S k = {s 1, s,...,s n }, with Bob, consequently, they run the following protocol (Refer to Fig. 1 for a better understanding of the protocol: Fig. 1 Experimental implementation of the protocol. It is seen that the presented scheme is as the same as the one in Ref. [19], except that a PBS (PBS and optical switch (SW are placed in Alice s Lab in order to modulate a deterministic key. S1 Alice prepares a random bit sequence S t = {s 1, s,..., s m }, and inserts each bit of the sequence into S k in a random order. Let us denote the resulting sequence by S a, in which sequence S t is used for a random test. S Alice randomly chooses a polarized state from the orthogonal set { H, V }, denoting the horizontal polarization and vertical polarization, respectively. Then she sends the single-photon pulse to Bob. S3 Bob randomly selects a polarization to control the optical switch SW1, the channel is blocked by SW1 only if Bob s polarization is consistent with that of the photon. S4 Alice also chooses a polarization to control her optic switch SW, however, the polarization is determined by the secret bit s i in S a. Without loss of generality, we assume that Alice chooses H if s i = 1, and v for s i = 0. Similarly, path d is blocked only if Alice s polarization is consistent with that of the photon. S5 Either detector D 1 or D clicks, Alice increases the index i by 1, otherwise the index remains the same. S6 Repeat from S to S5 until i = n + m. S7 Alice and Bob reveal the results that which detector clicks for each round. S8 Alice and Bob make a random test on the results. They do it as follow: First, they check the rates of detectors, the protocol will be aborted if the rates are far from normal. Second, Alice tells Bob where and what the test sequence S t is, and Bob correspondingly reveals his polarizations for S t, the protocol is aborted if the inconsistent rate is beyond the agreed one. S9 If the protocol is not aborted, Bob obtains the deterministic key, denoted by S k, from the rest of his polarizations for which D 1 or D clicks. Generally, S k, which is the raw key, should be equal to S k in a noiseless channel. Note that it is crucial to place PBS and SW in Alice s lab in order to distribute a deterministic key, otherwise the protocol turns to be as the same as the one in Ref. [19], which only allows two parties to share a random key. Here, we give a simple example to explain how the deterministic key is shared in the presented protocol. Suppose that Alice wants to transmit the bit 1 to Bob, and she chooses H in S. Due to the presence of the BS, the single-photon pulse will be split into two sub-pulses, which go to path a and b, respectively. Therefore, the state after the BS can be written as ψ 0 = R H a 0 b + T 0 a H b, (1 where R and T denote the reflectivity and the transmissivity of the BS, and 0 a(b is the vacuum state in mode a(b. In S3 and S4, both Alice and Bob will perform the blocking of their own pathes according to their choices of the polarization. The difference is that Bob s polarization is randomly chosen. If Bob s polarization is H, then the blocking occurs in path b. Consequently, the interference is destroyed. Otherwise, if Bob chooses V, the interference keeps. Since the two states, i.e., H and V, arrive at SW1 through different pathes due to the presence of PBS1, Bob only needs to block the path at two different timings. Similarly, PBS and SW are used to perform the blocking of path d. From Ref. [19], it is known that only the events that the photon is in path d can be used to create a key. Therefore, we technically assume that the initial state, i.e., H, is now in path d. Let us focus back on S4. According to the bit 1, Alice should have chosen the polarization H, then the blocking occurs. Definitely, the photon will be detected at D 1. After revealing the results in S7, Bob is able to confirm Alice s bit. Explicitly, the fact that the photon is in path d immediately implies that Bob s polarization is consistent with the photon, here it should be H. Further, the fact that the photon is detected at D 1 means to Bob that the secret bit is consistent with the photon. Combining the two, Bob obtains the secret bit. We should point out that the presented protocol can also be used to create random keys. This can be achieved simply by replacing the deterministic sequence S k = {s 1, s,...,s n } by a random one. Therefore, our protocol seems to be more general than the original one. 3 Security In this section, we give a simple proof of the security of our protocol with an acceptable assumption that

3 No. 1 Communications in Theoretical Physics 9 all the devices are perfect. A more rigorous one, e.g., the device-independent security, where the non-signaling principle provides the fundamental security, [6] is thus beyond our topic now. To obtain a tight bound of Eve s information, we use the technique we have ever applied to the proof of Noh s protocol. [7] 3.1 Eve s Attack In conventional QKD schemes, the eavesdropper Eve usually launches a collective attack, or a more powerful one, e.g., joint attack. We usually model the attack as follow: Eve entangles her ancilla with the intercepted states and performs a unitary operation on her ancillas and the intercepted states, she will not measure her ancillas until all the classical information is revealed, thus, Eve s information is bounded by the optimal measurement on these states. Note that it is crucial in this strategy that Eve performs a unitary on the ancilla and the intercepted state, which are hence entangled with each other, unfortunately, it becomes invalid if Eve uses the same strategy to attack a CQC protocol, because it is impossible for her to entangle her ancilla with the signal state. Conservatively speaking, it is open for the CQC protocols that whether the coherent attack is powerful than the individual one. At least, the individual attack model is more intuitive when we try to prove the security of CQC protocols. With no loss of generality, we give the description of a general intercept-resend attack as follows: Eve misleads Alice and Bob to sift a secret bit on the photon which is traveling in the channel, so that she is able to intercept the signal. Consequently, part of the key is revealed to Eve since it is transmitted to Bob through the channel. Further, Eve then trys to corrupt the other part of the key to which Eve has no access. The purpose is straightforward, she has to minimize the amount of the information that she is unable to obtain. Here, we argue that Event E 1 is corrupted if at least one detector except D 1 clicks at the same time. A simple way to corrupt E 1 is that Eve sends a fake signal to Alice or Bob, resulting in an abnormality that two detectors click. Now, we begin to model this attack. First, our protocol can be formalized as Φ out =U p φ in = 1 ir ξ 00p0 q q=p B p a 0 b ξ 00p0 q q p B (i R p a 0 b + T 0 a p b T ξ000p q q=p B 0 a p b RT q q=p B p a 0 b {c 1 ( ξ p000 + ξ 0p00 + c ( ξ 0p00 + ξ 0p00 }. ( In Eq. (1, variable p and q take the value H and V independently, ξ xyzw denotes the fictive subsystem which are the measurement results of the four detectors D 1, D, D 3 and D 4, respectively. According to this formalism, Eve s attack can be described as a unitary operator U E, satisfying Φ out = U E Φ out e E = 1 i RT p a 0 b q q=p B ( {x,y,z,w x y=p,z w 0} R p a 0 b q q=p B ( i R p a 0 b q q p B ( α 1 xyzw ξ xyzw 0 E + α 1 p000 ξ p000 0 E + α 1 0p00 ξ 0p00 0 E {x,y,z,w z=p,x y w 0} {x,y,z,w x y z 0,w 0} α xyzw ξ xyzw 0 E + α 00p0 ξ 00p0 0 E α 3 xyzw ξ xyzw 0 E + α 3 p000 ξ p000 0 E + α 3 0p00 ξ p000 0 E + α 3 00p0 ξ 00p0 0 E T 0 a p b q q=p B (α 4 p000 ξ p000 p E + α 4 0p00 ξ 0p00 p E + α 4 00p0 ξ 0p00 p E + α 4 000p ξ 000p p E T 0 a p b q q p B (α 5 p000 ξ p000 p E + α 5 0p00 ξ 0p00 p E + α 5 00p0 ξ 00p0 p E + α 5 000q ξ 000q p E. (3 It follows Eq. (3 that the corruption inevitably disturbs the system, as the terms in demonstrate. Also, the interception occurs in the cases where the photon travels in the channel, i.e., path b. Obviously, Eve can not extract any information from the corruption, this is denoted by 0 E. 3. Eve s Information Followed by the attack model, it is easy to compute the bound of the mutual information between Alice and Eve, I AE, by the binary shannon entropy function, h(x = xlog x (1 xlog(1 x. For simplicity, we assume that the corruption is trivial, due to the neglectable dark counter rate, concerning about the fact that the in-

4 30 Communications in Theoretical Physics Vol. 59 formation revealed to Eve in the misleading procedure is much more than that in the corruption step. First, one can easily obtain the probability distribution of the four events, p 1 = α 1 p000 + α 3 p000 + α 4 p000 + α 5 p000, (4 p = α 1 0p00 + α 3 0p00 + α 4 0p00 + α 5 0p00, (5 p 3 = α 00p0 + α 3 00p0 + α 4 00p0 + α 5 00p0, (6 p 4 = α 4 000q + α 5 000q, (7 and the error rates for each event, p 1 e = α 3 p000 + α 5 p000, (8 p e = α3 0p00 + α 5 0p00, (9 p 3 e = 0, (10 p 4 e = α5 000q. (11 Next, we can compute the mutual information between Alice and Eve, using the formula I AE = I(A I(A E and the binary shannon entropy function, thus, one obtains ( T I AE = + p4 e p 4 R. (1 In addition, the mutual information between Alice and Bob I AB can be obtained in the same way. In other words, we also obtain the bound of Bob s information, [ ( p 1 I AB = (p 1 + p 1 h e + p ] e. (13 p 1 + p Evidently, the protocol is secure if and only if it satisfies I AB I AE > 0. From Eqs. (1 and (13, it is obvious that it is possible that our protocol achieves a positive key rate. Therefore, our protocol is secure under the general intercept-resend attack. More intuitively, one obtains I AE = 0 and I BE = RT/ if there is no eavesdropping in the channel, i.e., we set p 4 = p 4 e = T and p 1 e = p e = 0, p 1 + p = RT/. 4 Discussion It is well known that the practical security of a reallife quantum cryptographic system, e.g., a commercial QKD system, is far from its theoretical expectation, because practical deviations from the theoretical model open the possibility of attacks, such as the PNS attack [8 9] and trojan horse attack. [30] Up to date, increased number of loopholes in existing commercial QKD systems have been found. [31 37] With no exception, our protocol has the same problem that there may be similar or even unknown loopholes in implementing a real-life system. In particular, we show below that the detector efficiency of a practical implementation of our protocol might be a loophole to launch special attacks to our protocol. From Eq. (1, it is easy to find that Eve should try to reduce the probability of event E 4 and induce less errors as possible as she can, if she desires to escape from the test, and obtain more information without being noticed. Explicitly, she could try to probe Bob s polarization before she transmits the intercepted photon to Bob. In an ideal case, she has no way to succeed without being noticed, because there will be an observable increment on the term p 4. [19] However, an imperfect detector with a curve-like efficiency function (see Fig. may open the door for Eve to probe Bob s polarization with a bigger probability of success. More specifically, the mismatch of the time-respond functions of SW and the efficiency of the detector, immediately indicates that this loophole can be exploited to launch a time-shift attack. More interestingly, further investigation is required on the question that whether the CQC systems exhibit observable security advantages over the conventional ones as people expect in the future. Fig. Mismatch of the Functions of SW and the Detector efficiency in the time coordinate. The rectangle and the curve denote the functions of SW and the detector D 4, respectively. 5 Conclusion The idea of distributing a secure key based on quantum counterfactual effect gives birth to a novel protocol, [19] which shows some security advantages, such as the immunity to the PNS attack, [9] over the conventional ones. It is known in conventional QKD protocols that the information carrier, i.e., a quantum state chosen from unconjugated basis, is transmitted through the channel. In sharp contrast, no signal state is traveling in the channel in a CQC protocol, whereas a secure key can be generated. Motivated by the theoretical interest on quantum counterfactual effect, we extend the original protocol by Noh to one which also distributes deterministic keys between remotely separated parties, by adding a similar module deployed also in Bob s lab to Alice s end. As a consequence, the key is no longer dependent on the initial polarization of the photon, which is the key to realize the deterministic key distribution. Most importantly, We give a simple proof of the security of our protocol under the general intercept-resend attack, which is forejudged to be more available than the coherent attack in the CQC settings. We also discuss that the detector efficiency could be the loophole that Eve can exploit to launch a successful attack in a real-life implementation of our protocol, thus, we hope that our work could contribute to implementing a secure CQC system in the future.

5 No. 1 Communications in Theoretical Physics 31 References [1] C.H. Bennett, G. Brassard, et al., Quantum Cryptography: Public Key Distribution and Coin Tossing, In Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, New York, Bangalore, India (1984 p [] A.K. Ekert. Phys. Rev. Lett. 67 ( [3] N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, Rev. Mod. Phys. 74 ( [4] C.H. Bennett, Phys. Rev. Lett. 68 ( [5] C.H. Bennett and G. Brassard, Phys. Rev. Lett. 68 ( [6] D. Bruss, Phys. Rev. Lett. 81 ( [7] K. Inoue, E. Waks, and Y. Yamamoto, Phys. Rev. A 68 ( [8] Bing Qi, Li Qian, and Hoi Kwong Lo, ArXiv preprint arxiv: (010. [9] G.L. Long and X.S. Liu, Arxiv preprint quantph/001056, (000. [10] G.L. Long and X.S. Liu, Phys. Rev. A 65 ( [11] K. Boström and T. Felbinger, Phys. Rev. Lett. 89 ( [1] Q.Y. Cai and B.W. Li, Phys. Rev. A 69 ( [13] F.G. Deng and G.L. Long, Phys. Rev. A 68 ( [14] F.G. Deng and G.L. Long, Phys. Rev. A 69 ( [15] Q.Y. Cai and B.W. Li, Chin. Phys. Lett. 1 ( [16] C. Wang, F.G. Deng, Y.S. Li, X.S. Liu, and G.L. Long, Phys. Rev. A 71 ( [17] X.M. Xiu, L. Dong, Y.J. Gao, and F. Chi, Commun. Theor. Phys. 5 ( [18] Z.Y. Wang, Commun. Theor. Phys. 54 ( [19] T.G. Noh, Phys. Rev. Lett. 103 ( [0] A.C. Elitzur and L. Vaidman, Found. Phys. 3 ( [1] L. Vaidman, Phys. Rev. Lett. 98 ( [] G.L. Long, Commun. Theor. Phys. 45 ( [3] C.Y. Li, W.Y. Wang, C. Wang, S.Y. Song, and G.L. Long, AIP Conf. Proc. 137 ( [4] Zhen-Qiang Yin, Hong-Wei Li, Wei Chen, and Zheng-Fu Han, Phys. Rev. A 8 ( [5] P.W. Shor and J. Preskill, Phys. Rev. Lett. 85 ( [6] Esther Hänggi, Renato Renner, and Stefan Wolf, EURO- CRYPT 010, LNCS 6110 ( [7] S. Zhang, J. Wang, C. Tang, and Q. Zhang, Chin. Phys. B 1(6 ( [8] B. Huttner, N. Imoto, N. Gison, and T. Mor. Phys. Rev. A 51 ( [9] G. Brassard, N. Lütkenhaus, T. Mor, and B.C. Sanders, Phys. Rev. Lett. 85 ( [30] N. Gisin, S. Fasel, B. Kraus, H. Zbinden, and G. Ribordy, Phys. Rev. A 73 ( [31] V. Makarov, A. Anisimov, and J. Skaar, Phys. Rev. A 74 ( [3] C.H.F. Fung, B. Qi, K. Tamaki, and H.K. Lo, Phys. Rev. A 75 ( [33] B. Qi, C.H.F. Fung, H.K. Lo, and F.X. Ma, Quantum Inf. Comput. 7 ( [34] A. Lamas-Linares and C. Kurtsiefer, Opt. Exp. 15 ( [35] L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov, Nature Photonics 4 ( [36] I. Gerhardt, Q. Liu, A. Lamas-Linares, et al., Arxiv preprint arxiv: , (010. [37] C. Wiechers, L. Lydersen, C. Wittmann, D. Elser, J. Skaar, C. Marquardt, V. Makarov, and G. Leuchs, New Journal of Physics 13 (