- Email: [email protected]
An efficient quantum deniable authentication protocol without a trusted center
Accepted Manuscript Title: An Efficient Quantum Deniable Authentication Protocol without A Trusted Center Author: Wei-Min Shi Yi-Hua Zhou Yu-Guang Yang Xin-Lan Zhang Jan-Biao Zhang PII: DOI: Reference:
S0030-4026(16)30376-X http://dx.doi.org/doi:10.1016/j.ijleo.2016.04.103 IJLEO 57586
To appear in: Received date: Accepted date:
29-2-2016 19-4-2016
Please cite this article as: Wei-Min Shi, Yi-Hua Zhou, Yu-Guang Yang, Xin-Lan Zhang, Jan-Biao Zhang, An Efficient Quantum Deniable Authentication Protocol without A Trusted Center, Optik - International Journal for Light and Electron Optics http://dx.doi.org/10.1016/j.ijleo.2016.04.103 This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.
*Manuscript
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65
An Efficient Quantum Deniable Authentication Protocol without A Trusted Center Wei-Min Shi, Yi-Hua Zhou, Yu-Guang Yang, Xin-Lan Zhang, Jan-Biao Zhang College of Computer Science and Technology, Beijing University of Technology, Beijing 100124, China;
Abstract: Recently, we first proposed a quantum deniable authentication protocol based on the property of unitary transformation and quantum one-way function, but the previous scheme need the help of a trusted center and its quantum efficiency is only 25%[Quantum Inf Process. (2014). doi:10.1007/s11128-014-0743-9]. In order to improve the above scheme efficiency, a simple and effective quantum deniable authentication protocol without a trusted center is proposed. Utilizing the method of key agreement and encryption mechanism, this scheme can provide that only the specified receiver can identify the true source of a given message and the specified receiver cannot prove the source of the message to a third party by a transcript simulation algorithm. Finally, efficiency analysis results show quantum efficiency of this scheme will be 50% and it also has the remarkable advantages of consuming fewer quantum resources and lessening the difficulty and intensity of necessary operations. In addition, security analysis results show that this scheme also satisfies the basic security requirements of deniable authentication protocol such as completeness, deniability, and can withstand forgery attack, impersonation attack and inter-resend attack. Keywords: Quantum deniable authentication, A Trusted Center, Bell states
1 Introduction Deniable authentication protocol is a special cryptographic authentication protocol. Compared with the traditional authentication protocols, the deniable authentication protocol has two basic characteristics [1-3]: (1) Only the specified receiver can identify the true source of a given message; (2) The specified receiver cannot prove the source of the message to a third party. Because of the above two characteristics, the deniable authentication protocols have many specified applications over Internet. For example, if a customer wants to buy something from a seller, he(she) can make an offer to the seller and create an authenticator of his(her) offer to make sure that the seller can authenticate that the offer is really from the buyer. Furthermore, the customer hopes the seller cannot prove to the source of the offer to a third party for his(her) privacy protected. Another example would be that: in electronic voting, a candidate can’t coerce a voter to vote for him because when he threatens the voter, the voter can forge another voter and claims the forged one is the real one. Note that only the intended receiver can authenticate the message, the candidate can’t identify whether the vote he gets from the voter is the real one. And the receiver can’t prove to the candidates what the voter really sends. So, there is no way that the candidate can get the voter’s vote. A deniable authentication protocol generally can provide freedom from coercion in electronic voting system and secure negotiation over the Internet [4-6]. Now, the proposed quantum identity authentication schemes [7-14] only involved W.-M. Shi() College of Computer Science and Technology, Beijing University of Technology, Beijing 100124, China; e-mail:[email protected]
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65
authentication between two communicators, but communications with deniability capability are often desired in the above electronic applications. In 2014, Shi et al. first proposed a quantum deniable authentication protocol [15] based on the property of unitary transformation and quantum one-way function. However, this previous scheme need the help of a trusted center (TC) and its quantum efficiency is only 1/4. To improve the efficiency of the previous scheme, a simple and effective quantum deniable authentication protocol without a trusted center is proposed and satisfies the basis security requirements of deniable authentication protocol: (1) Completeness: Completeness of an authenticated protocol means that if the sender and the intended receiver follow the protocol, the receiver can always authenticate the source of the message; (2) Deniability: The deniability of an authenticated protocol means that the receiver can simulate all the transmitted information between him and the sender, so he cannot prove to any third party where the message is from, because the third party cannot identify whether the message is from the sender or is forged by the receiver himself. That is, the protocol is deniable.
2 Quantum deniable authentication protocol without a trusted center Our quantum deniable authentication protocol involves two entities: a sender Alice and a receiver Bob. This scheme includes the following four phases: Initialization, Authentication, and Verify. 2.1 Initialization The sender Alice shares n EPR pairs in the state | i (i 1,2,...., n) with the receiver Bob through a secure way, where | i
1 (| 0 Ai | 0 Bi |1 Ai |1 Bi ) , two qubit sequences 2
| A {| A1 ,| A2 ,.....,| An } and | B {| B1 ,| B2 ,.....,| Bn } are kept by Alice and Bob, respectively. 2.2 Authentication The sender Alice generates the authentication information of n-bit classical message M in accordance with the following steps. Authentication_Step1: Alice chooses a random sequence rA {0,1}
2n
and performs
unitary operation on | A according to the value of rA . That is n
| K A r 2 i 1r 2 i | Ai i 1
where
A
A
(1)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65
00 I | 0 0 | |11 |, 01 x |1 0 | | 01 |, 10 i y | 01 | |1 0 |,
(2)
11 z | 0 0 | |11 | Similarly, Bob chooses a random sequence rB {0,1}
2n
and performs unitary operation on
| B according to the value of rB . That is n
| K B r 2 i 1r 2 i | Bi i 1
B
(3)
B
Key_Agreement_Step2: For ensuring the security of the quantum channel, eavesdropping check is performed such as ref.[18] . Alice and Bob prepares m n decoy photons, respectively. The decoy photons are randomly prepared in one of the four states {| 0,|1,| ,| } . Then Alice and Bob randomly inserts these decoy photons into the sequence | K A and | K B and yields a new sequence | K A and | K B , respectively. Alice sends | K A to Bob and Bob sends | K B to Alice. Afterwards, the eavesdropping check between Alice and Bob is performed. For example, Alice and Bob perform the eavesdropping check to | K A in accordance with the following steps: (1) After confirming that Bob has received the entire sequence | K A , Alice announces the positions of the decoy photons; (2) Bob measures the corresponding particles in the sequence | K A by using X basis or Z basis at random, here X {| ,| } and Z {| 0,|1} ; (3) After measurement, Bob informs his outcomes to Alice who computes error rate. If sufficiently few errors are found they go to the next step otherwise they repeat the protocol. (4) Bob deletes the decoy photons from | K A , and gets | K A . The procedure for the eavesdropping check between the Bob and Alice on | K B is the same as the mentioned above. Finally, Alice gets | K B . Authentication_Step3: Alice and Bob performs unitary operation on | K B and | K A according to the value of rA and rB , respectively. That is
n
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65
| K AB r 2 i 1r 2 i | K Bi i 1
A
(4)
A
n
| K BA r 2 i 1r 2 i | K Ai i 1
B
(5)
B
According to using the anticommutativity of nontrivial Pauli operators as follows[19]:
r
r
r2 i 1r2 i r2 i 1r2 i IF r2 i 1r2 i r2 i 1r2 i
r
r
r2 i 1r2 i r2 i 1r2 i IF r2 i 1r2 i r2 i 1r2 i
2 i 1 2 i rA A
2 i 1 2 i rA A
2 i 1 2 i rB B
B
2 i 1 2 i rB B
B
B
B
A
A
A
A
A
A
A
A
B
B
(6)
B
(7)
B
n
| K AB r 2 i 1r 2 i | K Bi i 1
A
A
n
r 2 i 1r 2 i r 2 i 1r 2 i | Bi i 1
A
A
B
B
n
r 2 i 1r 2 i r 2 i 1r 2 i | Bi i 1
B
B
A
(8)
A
n
| K BA r 2 i 1r 2 i | K Ai i 1
A
A
n
r 2 i 1r 2 i r 2 i 1r 2 i | Ai i 1
B
B
A
A
Alice and Bob measures | K AB and | K BA on the basis Z {| 0 ,|1} , respectively. At last, Alice and Bob share a secret key K . Moreover, according to the above key agreement steps, (1)
(0)
Alice and Bob can share a new secret key K using K as the initial key K . And so on, (i ) ( i 1) Alice and Bob can share a new secret key K using K as the initial key, where i 1,2,...., n . Authentication_Step4: Alice transforms n-bit classical message M into n-qubit photon states | Q {| q1 ,| q2 ,.......,| qn } . Authentication_Step5: Alice computes | f (Q ) . Here
f :| Q | f (Q ) is a class
quantum on-way functions proposed by Gottesman and Chuang in Ref.[20]. Authentication_Step6: Alice performs the rotation transformation to | f (Q ) according to the value of K . That is n
| S RK (| f (Q ) ) xKi zKi 1 | f (Q ) i 1
(9)
Finally, message authentication code on M is | S . Alice sends {| S , M , T } to Bob by a secure channel, where T is a timestamp. 2.3 Verify After receiving {| S , M , T } from Alice, Bob will execute the following steps: Verify_Step1: If T is valid, Bob performs the rotation transformation to | S according
to the value of K . That is 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65
n
| f (Q ) RK (| S ) xKi zKi 1 | S
(10)
i 1
Verify_Step2: states
Bob
transforms
n-bit
| Q {| q1 ,| q2 ,.......,| qn }
and
classical
message M into
computes
| f (Q )
,
n-qubit
photon
then
verifies
whether | f (Q ) | f (Q ) , if this equation holds, Bob accepts M . Otherwise, Bob rejects it.
3. Security and efficiency analysis 3.1 Security analysis In this section, we give security analysis of our scheme and will show that it satisfies known key security and the basis security requirements of deniable authentication protocol such as completeness, deniability, and can withstand the forgery attack, impersonation attack and inter-resend attack. (1) Known key security: A protocol run should result in a unique secret key. If this key is compromised, it should have no impact on other secret keys. In our scheme, an attacker cannot obtain the new secret key K Bob based on other known secret keys K (i )
and rB
( i 1)
(i )
shared between Alice and
, K (i 2) ,...K (0) , because the random number rA( i )
are independent randomly selected in each time key update process, that is, the secret (i )
keys K shared between Alice and Bob have no relevance. (2) Completeness: The proposed protocol can authenticate the source of the message M Proof. In Authentication phase, the sender Alice and the receiver Bob can securely exchange
| K A and | K B by inserting some decoy particles, and the random sequence rA and rB is kept secretly by Alice and Bob, respectively. So anyone cannot generate the secret key K except Alice and Bob. When receiving {| S , M , T } , Bob can confirm the source of the message M by verifying weather | Q | Q , because only the sender Alice can generate | S using the secret key K . (3) Deniability: The proposed scheme is deniable.
Proof. Bob can impersonate Alice to simulate the transcript | S accepted by the Verify algorithm, and simulates | S as follows: Simulation _Step1: Bob transforms M into photon states | Q . Simulation _Step2: Bob performs the rotation transformation to | Q according to the value of K in his hand. That is
n
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65
| S RK (| Q ) xKi zKi 1 | Q
(11)
i 1
Finally, | S is a valid message authentication code on M . (4) Forgery attack: When an attacker wants to forge the valid deniable authentication information and then send it to the intended receiver, the proposed protocol can withstand the forgery attack. Proof. This is obvious that a valid message authentication code | S is produced by the sender Alice or the receiver Bob if and only if Alice and Bob shared K . For example, an external attacker Eve wants to forge Alice’s signature for improper benefits, she should know the shared K . However, it is impossible due to the random sequence rA and rB kept secretly by Alice and Bob, and | K A and | K B is securely exchange by inserting some decoy particles in between Alice and Bob. In addition, Eve cannot get | A (or | B ) in the Initialization phase because the Bell states | i are shared between Alice and Bob by a secure way. If Eve only guesses rA and rB , the error rate for every bit should be every qubit should be probability
1 , and guesses | A (or | B ) , the error rate for 2
1 . So a valid message authentication code | S is accepted with the 2
1 . 8n
(5) Impersonation attack: The proposed protocol can withstand the impersonation attack. Proof. On the one hand, when an attacker wants to impersonate the sender Alice in order to forge effective authentication information, same as the above analysis of forgery attack, the proposed protocol can withstand the impersonation sender attack. On the other hand, when an external attacker Eve wants to impersonate the intended receiver Bob in order to verify the message authentication code generated by the sender Alice, the proposed protocol can withstand the impersonation receiver attack. That is, in the Verify phase, a verifier has to use the secret key K to verify the validity of the sender Alice’s signature | S . it is impossible that Eve gets the secret key K according to the above analysis of forgery attack. (6) Inter-resend attack: The proposed protocol can withstand the inter-resend attack. Proof. Firstly, in Authentication stage, Eve has the chance to touch | K A and | K B when they are transmitted from Alice to Bob and from Bob to Alice. However, Eve can never replicate those qubits and the decoy states ensure the security of | K A and | K B . Consequently, any effective attack on | K A and | K B will be discovered by legal users. Secondly, in Authentication stage, Eve has the chance to touch {| S , M , T } when they are
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65
transmitted from Alice to Bob. On the one hand, Eve cannot modify the values of {| S , M } due to them transmitted by a secure channel. On the other hand, even Eve can modify the values of
{| S , M } , it is impossible that Eve can generate another valid authentication code | S on message M or a valid authentication code | SE on another message M E because of the property of the quantum one-way function and the security distribution of the secret key K . 3.2 Efficiency analysis In this sub-section, we will take a simple comparison between our previous scheme in ref. [15] and our current scheme from the following aspects: the cost of quantum resource, the difficulty or intensity of necessary operations, the qubit efficiency. According to refs.[21-23], the qubit efficiency hereafter is defined as
c , where c denotes the total number of q
transmitted classical bits(message bits) and q denotes the total number of qubits used. Obviously, with decoy quantum states and classical communications used for checking of eavesdropping in our protocol neglected, c equals N message bits, and q equals 2N qubits Bell states. Hence, our quantum efficiency will be
N 1 50% . 2N 2
See Table 1 for details. Where UO: Unitary Operation; QOWF: Quantum One-Way Functions; XORO: Exclusive-OR Operation; QM: Quantum Measurement; Table 1 Comparisons between our current scheme and our previous scheme in ref. [15] Schemes
Operations
Quantum
Qubit
Resource
UO
QOWF
XORO
QM
Efficiency
Ref.[15]
GHZ states
Yes
Yes
Yes
Yes
25%
our current scheme
Bell states
Yes
NO
NO
Yes
50%
Obviously, one can very easily find that our scheme has the remarkable advantages of consuming fewer quantum resources and lessening the difficulty and intensity of necessary operations and the higher qubit efficiency. In addition, our current scheme needn’t the help of a trusted center (TC) but our previous scheme need.
4. Discussion and Summary In this paper, we present a simple and efficient quantum deniable authentication protocol. Compared with our previous scheme such as ref.[15], our current scheme has the following differences: (1) There realizes quantum deniable authentication by using key agreement and encryption mechanism in our current scheme. This is, the message sender and the specified receiver firstly agree a shared secret key, then only they can encrypt and decrypt the message by using the rotation transformation, which can guarantee that only the specified receiver can identify the true source of a given message and the specified receiver cannot prove the source of the message to a third party by a transcript simulation algorithm;
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65
(2) The above efficiency analysis results show that our current scheme has the remarkable advantages. Firstly, it is the higher qubit efficiency because our current scheme quantum efficiency is 50% but ref.[15] is only 25%; Secondly, our current scheme is based on Bell states but ref.[15] is based on GHZ states, so this scheme consumes fewer quantum resources; Third, there utilizes more operations such as unitary operation, quantum one-way functions, exclusive-OR operation and quantum measurement in ref.[15]. But our current scheme only utilizes unitary operation and quantum measurement; (3) A trusted center (TC) is introduced in our previous scheme, but our current scheme needn’t the help of a trusted center (TC); (4) The above security analysis results show that this scheme also satisfies the same basic security requirements of deniable authentication protocol as ref.[15]. Acknowledgments This work is supported by the Scientific Research Common Program of Beijing Municipal Commission of Education (Grant Nos.KM201510005016); Basic Research Fund of Beijing University of Technology (No.007000514315501, X4007999201501); The National Natural Science Foundation of China (Grant Nos.61272044, 61572053); Beijing Natural Science Foundation(Grant No.4152038) References [1] X. Deng, C. H. Lee, and H. Zhu, “Deniable authentication protocols,” IEE Proceedings-Computers and Digital Techniques. England, vol.148, no.2, pp. 101-104, 2001. [2] Shao Z H. Efficient deniable authentication protocol based on generalized ElGamal signature scheme[J]. Computer Standards & Interfaces, 2004, 26(5):449-454. [3] Lee W B,Wu C C,T saur W J. A novel deniable authentication protocol using generalized ElGamal signature scheme[J]. Information Sciences, 2007, 177:1376-1381. [4] Y. Aumann and M. Rabin. Authentication, enhanced security and error correcting codes. Crypto’ 98, Santa Barbara, CA, USA, LNCS 1462, Springer-Verlag, Berlin, 1998, pp.299-303. [5] Y. Aumann and M. Rabin. Efficient deniable authentication of long messages. Inf. Conf. on Theoretical Computer Science in Honor of Professor Manuel Blum’s 60th birthday, 1998. [6] C. Dwork, M. Naor, and A. Sahai. Concurrent zero-knowledge. In Proc. 30th ACM STOC’98. Dallas TX, USA, pp.409-418, 1998. [7] DuŠek M, Haderka O, Hendrych M, et al. Quantum identification system. Phys Rev A, 1999, 60: 149-156. [8] Curty M, Santos D J. Quantum authentication of classical messages. Phys Rev A, 2001, 64: 062309 [9] Mihara T. Quantum identification schemes with entanglements. Phys Rev A, 2002, 65: 05236. [10] Zeng G H, Zhang W P. Identity verification in quantum key distribution. Phys Rev A, 2001, 61: 022303. [11] Ljunggren D, Bourennane M, Karlsson A. Authority-based user authentication in quantum key distribution. Phys Rev A, 2000, 62:022305 [12] Zhou N R, Zeng G H, Zeng W J, et al. Cross-center quantum identification scheme based on teleportation and entanglement swapping. Opt Commun, 2005, 254: 380-388.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65
[13]Tian-Yin Wang, Qiao-Yan Wen, Fu-Chen Zhu. Secure authentication of classical messages with decoherence-free states. Optics Communication 282(2009)3382-3385. [14] LI Ning, ZHA XinWei , LAN Qian. Secure quantum report with authentication based on six-particle cluster state and entanglement swapping. SCIENCE CHINA Information Sciences. doi: 10.1007/s11432-012-4704-6(2012). [15] Wei-Min Shi, Yi-Hua Zhou,Yu-Guang Yang. Quantum deniable authentication protocol. Quantum Inf Process (2014) 13:1501-1510. [16] H. Yuan, J. Song, J. Zhou, G. Zhang, X.F. Wei. High-capacity Deterministic Secure Four-qubit W State Protocol for Quantum Communication Based on Order Rearrangement of Particle Pairs Int. J. Theor. Phys(2011) 50:2403-2409. [17] M.A. Nielsen, I.L. Chuang, Quantum Computation and Quantum Information, Cambridge University Press, New Delhi, 2008, p. 589. [18] A. Banerjee, A. Pathak. Maximally efficient protocols for direct secure quantum communication. Physics Letters A 376: 2944-2950, 2012. [19] Jeong Woon Choi, Ku-Young Chang, and Dowon Hong. Security problem on arbitrated quantum signature schemes. PHYSICAL REVIEW A 84, 062330 (2011).
[20] Gottesman D, Chuang I. Quantum digital signature. arXiv: quant-ph/0105032, 2001. [21] Hwang, T., Lee, K.C.: EPR quantum key distribution protocols with 100% qubit efficiency. IET Inf. Secur. 1(1), 43-45 (2007). [22] Chen, J.H., Lee, K.C., Hwang, T.: The enhancement of Zhou et al.’s quantum secret sharing protocol. Int. J. Mod. Phy. C 20(10), 1531-1535 (2009). [23] Shih, H.C., Lee, K.C., Hwang, T.: New efficient three-party quantum key distribution protocols. IEEE J. Sel. Top. Quantum Electron. 15(6), 1602-1606 (2009). [24] Buhrman H, Cleve R, Watrous J, et al. Quantum fingerprinting. Phys Rev Lett, 2001, 87: 167902
S0030-4026(16)30376-X http://dx.doi.org/doi:10.1016/j.ijleo.2016.04.103 IJLEO 57586
To appear in: Received date: Accepted date:
29-2-2016 19-4-2016
Please cite this article as: Wei-Min Shi, Yi-Hua Zhou, Yu-Guang Yang, Xin-Lan Zhang, Jan-Biao Zhang, An Efficient Quantum Deniable Authentication Protocol without A Trusted Center, Optik - International Journal for Light and Electron Optics http://dx.doi.org/10.1016/j.ijleo.2016.04.103 This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.
*Manuscript
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65
An Efficient Quantum Deniable Authentication Protocol without A Trusted Center Wei-Min Shi, Yi-Hua Zhou, Yu-Guang Yang, Xin-Lan Zhang, Jan-Biao Zhang College of Computer Science and Technology, Beijing University of Technology, Beijing 100124, China;
Abstract: Recently, we first proposed a quantum deniable authentication protocol based on the property of unitary transformation and quantum one-way function, but the previous scheme need the help of a trusted center and its quantum efficiency is only 25%[Quantum Inf Process. (2014). doi:10.1007/s11128-014-0743-9]. In order to improve the above scheme efficiency, a simple and effective quantum deniable authentication protocol without a trusted center is proposed. Utilizing the method of key agreement and encryption mechanism, this scheme can provide that only the specified receiver can identify the true source of a given message and the specified receiver cannot prove the source of the message to a third party by a transcript simulation algorithm. Finally, efficiency analysis results show quantum efficiency of this scheme will be 50% and it also has the remarkable advantages of consuming fewer quantum resources and lessening the difficulty and intensity of necessary operations. In addition, security analysis results show that this scheme also satisfies the basic security requirements of deniable authentication protocol such as completeness, deniability, and can withstand forgery attack, impersonation attack and inter-resend attack. Keywords: Quantum deniable authentication, A Trusted Center, Bell states
1 Introduction Deniable authentication protocol is a special cryptographic authentication protocol. Compared with the traditional authentication protocols, the deniable authentication protocol has two basic characteristics [1-3]: (1) Only the specified receiver can identify the true source of a given message; (2) The specified receiver cannot prove the source of the message to a third party. Because of the above two characteristics, the deniable authentication protocols have many specified applications over Internet. For example, if a customer wants to buy something from a seller, he(she) can make an offer to the seller and create an authenticator of his(her) offer to make sure that the seller can authenticate that the offer is really from the buyer. Furthermore, the customer hopes the seller cannot prove to the source of the offer to a third party for his(her) privacy protected. Another example would be that: in electronic voting, a candidate can’t coerce a voter to vote for him because when he threatens the voter, the voter can forge another voter and claims the forged one is the real one. Note that only the intended receiver can authenticate the message, the candidate can’t identify whether the vote he gets from the voter is the real one. And the receiver can’t prove to the candidates what the voter really sends. So, there is no way that the candidate can get the voter’s vote. A deniable authentication protocol generally can provide freedom from coercion in electronic voting system and secure negotiation over the Internet [4-6]. Now, the proposed quantum identity authentication schemes [7-14] only involved W.-M. Shi() College of Computer Science and Technology, Beijing University of Technology, Beijing 100124, China; e-mail:[email protected]
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65
authentication between two communicators, but communications with deniability capability are often desired in the above electronic applications. In 2014, Shi et al. first proposed a quantum deniable authentication protocol [15] based on the property of unitary transformation and quantum one-way function. However, this previous scheme need the help of a trusted center (TC) and its quantum efficiency is only 1/4. To improve the efficiency of the previous scheme, a simple and effective quantum deniable authentication protocol without a trusted center is proposed and satisfies the basis security requirements of deniable authentication protocol: (1) Completeness: Completeness of an authenticated protocol means that if the sender and the intended receiver follow the protocol, the receiver can always authenticate the source of the message; (2) Deniability: The deniability of an authenticated protocol means that the receiver can simulate all the transmitted information between him and the sender, so he cannot prove to any third party where the message is from, because the third party cannot identify whether the message is from the sender or is forged by the receiver himself. That is, the protocol is deniable.
2 Quantum deniable authentication protocol without a trusted center Our quantum deniable authentication protocol involves two entities: a sender Alice and a receiver Bob. This scheme includes the following four phases: Initialization, Authentication, and Verify. 2.1 Initialization The sender Alice shares n EPR pairs in the state | i (i 1,2,...., n) with the receiver Bob through a secure way, where | i
1 (| 0 Ai | 0 Bi |1 Ai |1 Bi ) , two qubit sequences 2
| A {| A1 ,| A2 ,.....,| An } and | B {| B1 ,| B2 ,.....,| Bn } are kept by Alice and Bob, respectively. 2.2 Authentication The sender Alice generates the authentication information of n-bit classical message M in accordance with the following steps. Authentication_Step1: Alice chooses a random sequence rA {0,1}
2n
and performs
unitary operation on | A according to the value of rA . That is n
| K A r 2 i 1r 2 i | Ai i 1
where
A
A
(1)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65
00 I | 0 0 | |11 |, 01 x |1 0 | | 01 |, 10 i y | 01 | |1 0 |,
(2)
11 z | 0 0 | |11 | Similarly, Bob chooses a random sequence rB {0,1}
2n
and performs unitary operation on
| B according to the value of rB . That is n
| K B r 2 i 1r 2 i | Bi i 1
B
(3)
B
Key_Agreement_Step2: For ensuring the security of the quantum channel, eavesdropping check is performed such as ref.[18] . Alice and Bob prepares m n decoy photons, respectively. The decoy photons are randomly prepared in one of the four states {| 0,|1,| ,| } . Then Alice and Bob randomly inserts these decoy photons into the sequence | K A and | K B and yields a new sequence | K A and | K B , respectively. Alice sends | K A to Bob and Bob sends | K B to Alice. Afterwards, the eavesdropping check between Alice and Bob is performed. For example, Alice and Bob perform the eavesdropping check to | K A in accordance with the following steps: (1) After confirming that Bob has received the entire sequence | K A , Alice announces the positions of the decoy photons; (2) Bob measures the corresponding particles in the sequence | K A by using X basis or Z basis at random, here X {| ,| } and Z {| 0,|1} ; (3) After measurement, Bob informs his outcomes to Alice who computes error rate. If sufficiently few errors are found they go to the next step otherwise they repeat the protocol. (4) Bob deletes the decoy photons from | K A , and gets | K A . The procedure for the eavesdropping check between the Bob and Alice on | K B is the same as the mentioned above. Finally, Alice gets | K B . Authentication_Step3: Alice and Bob performs unitary operation on | K B and | K A according to the value of rA and rB , respectively. That is
n
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65
| K AB r 2 i 1r 2 i | K Bi i 1
A
(4)
A
n
| K BA r 2 i 1r 2 i | K Ai i 1
B
(5)
B
According to using the anticommutativity of nontrivial Pauli operators as follows[19]:
r
r
r2 i 1r2 i r2 i 1r2 i IF r2 i 1r2 i r2 i 1r2 i
r
r
r2 i 1r2 i r2 i 1r2 i IF r2 i 1r2 i r2 i 1r2 i
2 i 1 2 i rA A
2 i 1 2 i rA A
2 i 1 2 i rB B
B
2 i 1 2 i rB B
B
B
B
A
A
A
A
A
A
A
A
B
B
(6)
B
(7)
B
n
| K AB r 2 i 1r 2 i | K Bi i 1
A
A
n
r 2 i 1r 2 i r 2 i 1r 2 i | Bi i 1
A
A
B
B
n
r 2 i 1r 2 i r 2 i 1r 2 i | Bi i 1
B
B
A
(8)
A
n
| K BA r 2 i 1r 2 i | K Ai i 1
A
A
n
r 2 i 1r 2 i r 2 i 1r 2 i | Ai i 1
B
B
A
A
Alice and Bob measures | K AB and | K BA on the basis Z {| 0 ,|1} , respectively. At last, Alice and Bob share a secret key K . Moreover, according to the above key agreement steps, (1)
(0)
Alice and Bob can share a new secret key K using K as the initial key K . And so on, (i ) ( i 1) Alice and Bob can share a new secret key K using K as the initial key, where i 1,2,...., n . Authentication_Step4: Alice transforms n-bit classical message M into n-qubit photon states | Q {| q1 ,| q2 ,.......,| qn } . Authentication_Step5: Alice computes | f (Q ) . Here
f :| Q | f (Q ) is a class
quantum on-way functions proposed by Gottesman and Chuang in Ref.[20]. Authentication_Step6: Alice performs the rotation transformation to | f (Q ) according to the value of K . That is n
| S RK (| f (Q ) ) xKi zKi 1 | f (Q ) i 1
(9)
Finally, message authentication code on M is | S . Alice sends {| S , M , T } to Bob by a secure channel, where T is a timestamp. 2.3 Verify After receiving {| S , M , T } from Alice, Bob will execute the following steps: Verify_Step1: If T is valid, Bob performs the rotation transformation to | S according
to the value of K . That is 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65
n
| f (Q ) RK (| S ) xKi zKi 1 | S
(10)
i 1
Verify_Step2: states
Bob
transforms
n-bit
| Q {| q1 ,| q2 ,.......,| qn }
and
classical
message M into
computes
| f (Q )
,
n-qubit
photon
then
verifies
whether | f (Q ) | f (Q ) , if this equation holds, Bob accepts M . Otherwise, Bob rejects it.
3. Security and efficiency analysis 3.1 Security analysis In this section, we give security analysis of our scheme and will show that it satisfies known key security and the basis security requirements of deniable authentication protocol such as completeness, deniability, and can withstand the forgery attack, impersonation attack and inter-resend attack. (1) Known key security: A protocol run should result in a unique secret key. If this key is compromised, it should have no impact on other secret keys. In our scheme, an attacker cannot obtain the new secret key K Bob based on other known secret keys K (i )
and rB
( i 1)
(i )
shared between Alice and
, K (i 2) ,...K (0) , because the random number rA( i )
are independent randomly selected in each time key update process, that is, the secret (i )
keys K shared between Alice and Bob have no relevance. (2) Completeness: The proposed protocol can authenticate the source of the message M Proof. In Authentication phase, the sender Alice and the receiver Bob can securely exchange
| K A and | K B by inserting some decoy particles, and the random sequence rA and rB is kept secretly by Alice and Bob, respectively. So anyone cannot generate the secret key K except Alice and Bob. When receiving {| S , M , T } , Bob can confirm the source of the message M by verifying weather | Q | Q , because only the sender Alice can generate | S using the secret key K . (3) Deniability: The proposed scheme is deniable.
Proof. Bob can impersonate Alice to simulate the transcript | S accepted by the Verify algorithm, and simulates | S as follows: Simulation _Step1: Bob transforms M into photon states | Q . Simulation _Step2: Bob performs the rotation transformation to | Q according to the value of K in his hand. That is
n
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65
| S RK (| Q ) xKi zKi 1 | Q
(11)
i 1
Finally, | S is a valid message authentication code on M . (4) Forgery attack: When an attacker wants to forge the valid deniable authentication information and then send it to the intended receiver, the proposed protocol can withstand the forgery attack. Proof. This is obvious that a valid message authentication code | S is produced by the sender Alice or the receiver Bob if and only if Alice and Bob shared K . For example, an external attacker Eve wants to forge Alice’s signature for improper benefits, she should know the shared K . However, it is impossible due to the random sequence rA and rB kept secretly by Alice and Bob, and | K A and | K B is securely exchange by inserting some decoy particles in between Alice and Bob. In addition, Eve cannot get | A (or | B ) in the Initialization phase because the Bell states | i are shared between Alice and Bob by a secure way. If Eve only guesses rA and rB , the error rate for every bit should be every qubit should be probability
1 , and guesses | A (or | B ) , the error rate for 2
1 . So a valid message authentication code | S is accepted with the 2
1 . 8n
(5) Impersonation attack: The proposed protocol can withstand the impersonation attack. Proof. On the one hand, when an attacker wants to impersonate the sender Alice in order to forge effective authentication information, same as the above analysis of forgery attack, the proposed protocol can withstand the impersonation sender attack. On the other hand, when an external attacker Eve wants to impersonate the intended receiver Bob in order to verify the message authentication code generated by the sender Alice, the proposed protocol can withstand the impersonation receiver attack. That is, in the Verify phase, a verifier has to use the secret key K to verify the validity of the sender Alice’s signature | S . it is impossible that Eve gets the secret key K according to the above analysis of forgery attack. (6) Inter-resend attack: The proposed protocol can withstand the inter-resend attack. Proof. Firstly, in Authentication stage, Eve has the chance to touch | K A and | K B when they are transmitted from Alice to Bob and from Bob to Alice. However, Eve can never replicate those qubits and the decoy states ensure the security of | K A and | K B . Consequently, any effective attack on | K A and | K B will be discovered by legal users. Secondly, in Authentication stage, Eve has the chance to touch {| S , M , T } when they are
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65
transmitted from Alice to Bob. On the one hand, Eve cannot modify the values of {| S , M } due to them transmitted by a secure channel. On the other hand, even Eve can modify the values of
{| S , M } , it is impossible that Eve can generate another valid authentication code | S on message M or a valid authentication code | SE on another message M E because of the property of the quantum one-way function and the security distribution of the secret key K . 3.2 Efficiency analysis In this sub-section, we will take a simple comparison between our previous scheme in ref. [15] and our current scheme from the following aspects: the cost of quantum resource, the difficulty or intensity of necessary operations, the qubit efficiency. According to refs.[21-23], the qubit efficiency hereafter is defined as
c , where c denotes the total number of q
transmitted classical bits(message bits) and q denotes the total number of qubits used. Obviously, with decoy quantum states and classical communications used for checking of eavesdropping in our protocol neglected, c equals N message bits, and q equals 2N qubits Bell states. Hence, our quantum efficiency will be
N 1 50% . 2N 2
See Table 1 for details. Where UO: Unitary Operation; QOWF: Quantum One-Way Functions; XORO: Exclusive-OR Operation; QM: Quantum Measurement; Table 1 Comparisons between our current scheme and our previous scheme in ref. [15] Schemes
Operations
Quantum
Qubit
Resource
UO
QOWF
XORO
QM
Efficiency
Ref.[15]
GHZ states
Yes
Yes
Yes
Yes
25%
our current scheme
Bell states
Yes
NO
NO
Yes
50%
Obviously, one can very easily find that our scheme has the remarkable advantages of consuming fewer quantum resources and lessening the difficulty and intensity of necessary operations and the higher qubit efficiency. In addition, our current scheme needn’t the help of a trusted center (TC) but our previous scheme need.
4. Discussion and Summary In this paper, we present a simple and efficient quantum deniable authentication protocol. Compared with our previous scheme such as ref.[15], our current scheme has the following differences: (1) There realizes quantum deniable authentication by using key agreement and encryption mechanism in our current scheme. This is, the message sender and the specified receiver firstly agree a shared secret key, then only they can encrypt and decrypt the message by using the rotation transformation, which can guarantee that only the specified receiver can identify the true source of a given message and the specified receiver cannot prove the source of the message to a third party by a transcript simulation algorithm;
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65
(2) The above efficiency analysis results show that our current scheme has the remarkable advantages. Firstly, it is the higher qubit efficiency because our current scheme quantum efficiency is 50% but ref.[15] is only 25%; Secondly, our current scheme is based on Bell states but ref.[15] is based on GHZ states, so this scheme consumes fewer quantum resources; Third, there utilizes more operations such as unitary operation, quantum one-way functions, exclusive-OR operation and quantum measurement in ref.[15]. But our current scheme only utilizes unitary operation and quantum measurement; (3) A trusted center (TC) is introduced in our previous scheme, but our current scheme needn’t the help of a trusted center (TC); (4) The above security analysis results show that this scheme also satisfies the same basic security requirements of deniable authentication protocol as ref.[15]. Acknowledgments This work is supported by the Scientific Research Common Program of Beijing Municipal Commission of Education (Grant Nos.KM201510005016); Basic Research Fund of Beijing University of Technology (No.007000514315501, X4007999201501); The National Natural Science Foundation of China (Grant Nos.61272044, 61572053); Beijing Natural Science Foundation(Grant No.4152038) References [1] X. Deng, C. H. Lee, and H. Zhu, “Deniable authentication protocols,” IEE Proceedings-Computers and Digital Techniques. England, vol.148, no.2, pp. 101-104, 2001. [2] Shao Z H. Efficient deniable authentication protocol based on generalized ElGamal signature scheme[J]. Computer Standards & Interfaces, 2004, 26(5):449-454. [3] Lee W B,Wu C C,T saur W J. A novel deniable authentication protocol using generalized ElGamal signature scheme[J]. Information Sciences, 2007, 177:1376-1381. [4] Y. Aumann and M. Rabin. Authentication, enhanced security and error correcting codes. Crypto’ 98, Santa Barbara, CA, USA, LNCS 1462, Springer-Verlag, Berlin, 1998, pp.299-303. [5] Y. Aumann and M. Rabin. Efficient deniable authentication of long messages. Inf. Conf. on Theoretical Computer Science in Honor of Professor Manuel Blum’s 60th birthday, 1998. [6] C. Dwork, M. Naor, and A. Sahai. Concurrent zero-knowledge. In Proc. 30th ACM STOC’98. Dallas TX, USA, pp.409-418, 1998. [7] DuŠek M, Haderka O, Hendrych M, et al. Quantum identification system. Phys Rev A, 1999, 60: 149-156. [8] Curty M, Santos D J. Quantum authentication of classical messages. Phys Rev A, 2001, 64: 062309 [9] Mihara T. Quantum identification schemes with entanglements. Phys Rev A, 2002, 65: 05236. [10] Zeng G H, Zhang W P. Identity verification in quantum key distribution. Phys Rev A, 2001, 61: 022303. [11] Ljunggren D, Bourennane M, Karlsson A. Authority-based user authentication in quantum key distribution. Phys Rev A, 2000, 62:022305 [12] Zhou N R, Zeng G H, Zeng W J, et al. Cross-center quantum identification scheme based on teleportation and entanglement swapping. Opt Commun, 2005, 254: 380-388.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65
[13]Tian-Yin Wang, Qiao-Yan Wen, Fu-Chen Zhu. Secure authentication of classical messages with decoherence-free states. Optics Communication 282(2009)3382-3385. [14] LI Ning, ZHA XinWei , LAN Qian. Secure quantum report with authentication based on six-particle cluster state and entanglement swapping. SCIENCE CHINA Information Sciences. doi: 10.1007/s11432-012-4704-6(2012). [15] Wei-Min Shi, Yi-Hua Zhou,Yu-Guang Yang. Quantum deniable authentication protocol. Quantum Inf Process (2014) 13:1501-1510. [16] H. Yuan, J. Song, J. Zhou, G. Zhang, X.F. Wei. High-capacity Deterministic Secure Four-qubit W State Protocol for Quantum Communication Based on Order Rearrangement of Particle Pairs Int. J. Theor. Phys(2011) 50:2403-2409. [17] M.A. Nielsen, I.L. Chuang, Quantum Computation and Quantum Information, Cambridge University Press, New Delhi, 2008, p. 589. [18] A. Banerjee, A. Pathak. Maximally efficient protocols for direct secure quantum communication. Physics Letters A 376: 2944-2950, 2012. [19] Jeong Woon Choi, Ku-Young Chang, and Dowon Hong. Security problem on arbitrated quantum signature schemes. PHYSICAL REVIEW A 84, 062330 (2011).
[20] Gottesman D, Chuang I. Quantum digital signature. arXiv: quant-ph/0105032, 2001. [21] Hwang, T., Lee, K.C.: EPR quantum key distribution protocols with 100% qubit efficiency. IET Inf. Secur. 1(1), 43-45 (2007). [22] Chen, J.H., Lee, K.C., Hwang, T.: The enhancement of Zhou et al.’s quantum secret sharing protocol. Int. J. Mod. Phy. C 20(10), 1531-1535 (2009). [23] Shih, H.C., Lee, K.C., Hwang, T.: New efficient three-party quantum key distribution protocols. IEEE J. Sel. Top. Quantum Electron. 15(6), 1602-1606 (2009). [24] Buhrman H, Cleve R, Watrous J, et al. Quantum fingerprinting. Phys Rev Lett, 2001, 87: 167902