Efficient semi-direct three-party quantum secure exchange of information

Physics Letters A 360 (2007) 518–521 www.elsevier.com/locate/pla

Efficient semi-direct three-party quantum secure exchange of information Nguyen Ba An Korea Institute for Advanced Study, 207-43 Cheongryangrni 2-dong, Dondaemun-gu, Seoul 130-722, Republic of Korea Institute of Physics and Electronics, 10 Dao Tan, Thu Le, Ba Dinh, Hanoi, Viet Nam Received 15 July 2006; accepted 1 August 2006 Available online 7 September 2006 Communicated by V.M. Agranovich

Abstract We reconsider a recent publication [X.R. Jin, X. Ji, Y.Q. Zhang, S. Zhang, S.K. Hong, K.H. Yeon, C.I. Um, Phys. Lett. A 354 (2006) 67] on three-party quantum secure direct communication based on GHZ states and detect a drawback in it. We then modify it to be a valid protocol with the decoding rule worked out explicitly. Finally, we propose a way to double the efficiency of the modified protocol to economize the quantum resource. © 2006 Elsevier B.V. All rights reserved. Keywords: 03.67.Hk; 03.65.Ud Keywords: Semi-direct secure exchange of information; GHZ-states

The marriage between quantum mechanics and information science gave birth to a beautiful daughter named quantum information science. One of the most matured branch of quantum information science is quantum cryptography [1] that provides an unconditional way of secure communication. Though quantum entanglement (or entanglement for short) is not compulsorily required for absolute security [2–4], using entanglement for cryptographic tasks is intriguing and in many cases favorable. Furthermore, there exist connections between schemes with and without using entanglement [5]. A quantum key distribution protocol based on entanglement was originally investigated in [6]. But quantum key distribution is not either a prerequisite stage of secure communication. Recently, a number of quantum schemes have been suggested to securely communicate without a prior key distribution. These have been referred to as quantum secure direct communication [7,8]. In [9] the so-called “pingpong” protocol is proposed to allow decoding the encoded bits instantaneously and directly during the execution of the protocol. The “ping-pong” protocol is however insecure against the disturbance attack [10]. The “quantum dialogue” protocol proposed in [11], which offers a direct way of exchanging con-

E-mail address: [email protected] (N. Ba An). 0375-9601/$ – see front matter © 2006 Elsevier B.V. All rights reserved. doi:10.1016/j.physleta.2006.08.071

fidential messages, defeats the disturbance attack but, in turn, it is vulnerable to the intercept-resend attack [12]. Both the weaknesses in [9] and [11] are surmounted in [13] (see also [14]). Secure direct communication within a multiparty network is also of great interest and there have been a lot of papers devoted to that topic (see, e.g. [15–17] and the references therein). In this Letter we focus on a recently published protocol [18] for quantum secure direct communication between three parties, hereafter called the J-protocol for short. Our purpose is threefold. First, we carefully re-examine the J-protocol and we discover that it suffers a drawback and cannot function in its full power as claimed in [18]. Second, we modify the J-protocol to get rid of the drawback as well as to work out the explicit decoding rule. And, finally, we propose a way to double the efficiency of the modified protocol to save the expensive quantum resource. Throughout this Letter we use ⊕ for an addition mod 2. The elementary aim of the J-protocol is as follows. Alice has two secret bits a  , a, Bob has one secret bit b, Charlie has one secret bit c and they want to mutually exchange their secrecy among themselves simultaneously and directly without any prior key distributions. Let us briefly recapitulate the J-protocol which consists of the following steps. (i) Alice prepares a GHZstate |Ψxyz ABC = (|0, y, zABC + (−1)x |1, y ⊕ 1, z ⊕ 1ABC )/ √ 2 of three qubits A, B and C with x, y, z chosen randomly be-

N. Ba An / Physics Letters A 360 (2007) 518–521

tween 0 or 1 and known only to Alice. (ii) Alice keeps qubit A with herself and sends qubit B (C) to Bob (Charlie). (iii) Alice (Bob, Charlie) encodes her (his) secrecy by applying on qubit A (B, C) the unitary operator Aa  a (Bb , Cc ) where A00 = B0 = C0 = |00| + |11|, A10 = B1 = C1 = |01| − |10|,

A01 = |01| + |10|, A11 = |00| − |11|.

 (1)

(iv) Bob (Charlie) returns his qubit B (C) to Alice.1 (v) Alice performs a GHZ-state measurement on qubits A, B, C with an outcome {x  , y  , z } if she finds |Ψx  y  z ABC . (v) Alice publicly announces {x, y, z, x  , y  , z } according to which each party can simultaneously decode the others’ secrecy.

0 0 0 0 0 0 0

0 0 0 1 1 0 1

0 0 1 0 1 1 0

0 0 1 1 0 1 1

0 1 0 0 0 1 1

0 1 0 1 1 1 0

0 1 1 0 1 0 1

0 1 1 1 0 0 0

1 0 0 0 1 1 1

1 0 0 1 0 1 0

1 0 1 0 0 0 1

1 0 1 1 1 0 0

1 1 0 0 1 0 0

1 1 0 1 0 0 1

1 1 1 0 0 1 0

1 1 1 1 1 1 1

1 0 1 0 0 0 0

1 0 1 1 1 0 1

1 1 0 0 1 0 1

1 1 0 1 0 0 0

1 1 1 0 0 1 1

1 1 1 1 1 1 0

1 0 1 0 0 1 1

1 0 1 1 1 1 0

1 1 0 0 1 1 0

1 1 0 1 0 1 1

1 1 1 0 0 0 0

1 1 1 1 1 0 1

1 0 1 0 0 1 0

1 0 1 1 1 1 1

1 1 0 0 1 1 1

1 1 0 1 0 1 0

1 1 1 0 0 0 1

1 1 1 1 1 0 0

Table 2 {x  , y  , z } versus {a  , a, b, c} for {x, y, z} = {0, 0, 1} a a b c x y z

0 0 0 0 0 0 1

0 0 0 1 1 0 0

0 0 1 0 1 1 1

0 0 1 1 0 1 0

0 1 0 0 0 1 0

0 1 0 1 1 1 1

0 1 1 0 1 0 0

0 1 1 1 0 0 1

1 0 0 0 1 1 0

1 0 0 1 0 1 1

Table 3 {x  , y  , z } versus {a  , a, b, c} for {x, y, z} = {0, 1, 0} a a b c x y z

0 0 0 0 0 1 0

0 0 0 1 1 1 1

0 0 1 0 1 0 0

0 0 1 1 0 0 1

0 1 0 0 0 0 1

0 1 0 1 1 0 0

0 1 1 0 1 1 1

0 1 1 1 0 1 0

1 0 0 0 1 0 1

1 0 0 1 0 0 0

Table 4 {x  , y  , z } versus {a  , a, b, c} for {x, y, z} = {0, 1, 1} a a b c x y z

0 0 0 0 0 1 1

0 0 0 1 1 1 0

0 0 1 0 1 0 1

0 0 1 1 0 0 0

0 1 0 0 0 0 0

0 1 0 1 1 0 1

0 1 1 0 1 1 0

0 1 1 1 0 1 1

1 0 0 0 1 0 0

1 0 0 1 0 0 1

Since the rule for decoding is not transparently stated in [18] our primary purpose is to try to work out it explicitly. Targeting at that purpose we reconsider the J-protocol in full detail. Our concrete results which express the closed connection between the announced data {x, y, z, x  , y  , z } and the parties’ secrecy {a  , a, b, c} are shown in Tables 1–8. Analyzing the eight tables above which may look confusing at first sight we are able to figure out the following general relationships. Namely, when x ⊕ y ⊕ z is even we always have a  = x  ⊕ y  ⊕ z ,

(2)

while a, b, c satisfy either a = x  ⊕ y  ⊕ z ,

b = y  ⊕ y,

c = z ⊕ z

(3)

or

Table 1 {x  , y  , z } versus {a  , a, b, c} for {x, y, z} = {0, 0, 0} a a b c x y z

519

1 Here, for simplicity, we assume that qubits B and C are not attacked during their round trip from and to Alice. The security of the quantum channel is ensured by a checking procedure in Step II of the J-protocol.

a = x  ⊕ y  ⊕ z ⊕ 1,

b = y  ⊕ y ⊕ 1,

c = z ⊕ z ⊕ 1. (4)

Table 5 {x  , y  , z } versus {a  , a, b, c} for {x, y, z} = {1, 0, 0} a a b c x y z

0 0 0 0 1 0 0

0 0 0 1 0 0 1

0 0 1 0 0 1 0

0 0 1 1 1 1 1

0 1 0 0 1 1 1

0 1 0 1 0 1 0

0 1 1 0 0 0 1

0 1 1 1 1 0 0

1 0 0 0 0 1 1

1 0 0 1 1 1 0

1 0 1 0 1 0 1

1 0 1 1 0 0 0

1 1 0 0 0 0 0

1 1 0 1 1 0 1

1 1 1 0 1 1 0

1 1 1 1 0 1 1

1 0 1 0 1 0 0

1 0 1 1 0 0 1

1 1 0 0 0 0 1

1 1 0 1 1 0 0

1 1 1 0 1 1 1

1 1 1 1 0 1 0

1 0 1 0 1 1 1

1 0 1 1 0 1 0

1 1 0 0 0 1 0

1 1 0 1 1 1 1

1 1 1 0 1 0 0

1 1 1 1 0 0 1

1 0 1 0 1 1 0

1 0 1 1 0 1 1

1 1 0 0 0 1 1

1 1 0 1 1 1 0

1 1 1 0 1 0 1

1 1 1 1 0 0 0

Table 6 {x  , y  , z } versus {a  , a, b, c} for {x, y, z} = {1, 0, 1} a a b c x y z

0 0 0 0 1 0 1

0 0 0 1 0 0 0

0 0 1 0 0 1 1

0 0 1 1 1 1 0

0 1 0 0 1 1 0

0 1 0 1 0 1 1

0 1 1 0 0 0 0

0 1 1 1 1 0 1

1 0 0 0 0 1 0

1 0 0 1 1 1 1

Table 7 {x  , y  , z } versus {a  , a, b, c} for {x, y, z} = {1, 1, 0} a a b c x y z

0 0 0 0 1 1 0

0 0 0 1 0 1 1

0 0 1 0 0 0 0

0 0 1 1 1 0 1

0 1 0 0 1 0 1

0 1 0 1 0 0 0

0 1 1 0 0 1 1

0 1 1 1 1 1 0

1 0 0 0 0 0 1

1 0 0 1 1 0 0

Table 8 {x  , y  , z } versus {a  , a, b, c} for {x, y, z} = {1, 1, 1} a a b c x y z

0 0 0 0 1 1 1

0 0 0 1 0 1 0

0 0 1 0 0 0 1

0 0 1 1 1 0 0

0 1 0 0 1 0 0

0 1 0 1 0 0 1

0 1 1 0 0 1 0

0 1 1 1 1 1 1

1 0 0 0 0 0 0

1 0 0 1 1 0 1

520

N. Ba An / Physics Letters A 360 (2007) 518–521

However, when x ⊕ y ⊕ z is odd we always have a  = x  ⊕ y  ⊕ z ⊕ 1,

(5)

while a, b, c satisfy either a = x  ⊕ y  ⊕ z ,

b = y  ⊕ y ⊕ 1,

c = z ⊕ z ⊕ 1 (6)

or a = x  ⊕ y  ⊕ z ⊕ 1,

b = y  ⊕ y,

c = z ⊕ z.

(7)

An important message followed from the relations (2) and (5) is that given the data set {x, y, z, x  , y  , z } everyone including an outside eavesdropper Eve can always learn the value of a  . This means that the J-protocol cannot function in its full power as reported in [18], i.e., it fails to allow Alice to securely and simultaneously exchange with the two other parties her two bits a  and a, since the bit a  inevitably becomes public after Alice publishes the values of {x, y, z, x  , y  , z }. This is the drawback of the J-protocol. To get rid of the above-mentioned drawback we can modify the J-protocol towards a protocol in which each of the three authorized parties can securely exchange only a single secret bit per round. Let the secret bits of Alice, Bob and Charlie be a, b and c, respectively. We can formally follow all the steps as described in the original J-protocol except that we change the encoding procedure. Also, we shall work out the decoding rule which is explicit and highly transparent. To do the encoding, although Bob and Charlie still encode their secrecy the same way as in [18] (i.e., with the aid of Bb and Cc defined in (1)), Alice should employ another operator Aa which we define as  A0 = B0 = C0 , (8) A1 = |01| + |10| = B1 = C1 . It is straightforward to verify that the correspondences between {a, b, c} and {x, y, z, x  , y  , z } remain the same as in the relations (3), (4), (6) and (7) (in fact, the corresponding tables in the modified protocol can be obtained from the Tables 1–8 by just removing their first row and the last eight columns). Therefore, the explicit decoding rule goes like this. According to the public announcement of {x, y, z, x  , y  , z } Alice checks whether x ⊕ y ⊕ z is even or odd. If it is even (odd) Alice compares x  ⊕ y  ⊕ z with her secret bit a. If x  ⊕ y  ⊕ z = a she infers with certainty that b = y  ⊕ y (b = y  ⊕ y ⊕ 1) and c = z ⊕ z (c = z ⊕ z ⊕ 1), otherwise (i.e., if x  ⊕ y  ⊕ z = a ⊕ 1) she surely knows that b = y  ⊕ y ⊕ 1 (b = y  ⊕ y) and c = z ⊕ z ⊕ 1 (c = z ⊕ z). Likewise, Bob (Charlie) at the same time can also with certainty learn Alice’s and Charlie’s (Bob’s) secrecy by checking the parity of x ⊕ y ⊕ z followed by comparing his bit b (c) with y  ⊕ y (z ⊕ z) and then using the proper one among the four relations (3), (4), (6) and (7). It is worth noting that for both cases of even and odd value of x ⊕ y ⊕ z there are two different relations between {a, b, c} and {x  , y  , z }. To know which one of these two relations should be used to decode each party needs to compare his/her secret bit with some combination of {x  , y  , z } as detailed above. This nice feature guarantees the secure exchange of information only among the three authorized parties, since any outside parties

have no ideas about the values of {a, b, c} so that they are unable to make the necessary comparison. Also, as it stands, the security of the modified protocol is the same as of the original J-protocol which is protected by the checking procedure described in Step II of [18]. We now discuss on the efficiency of the protocol. Let the secret bit strings Alice, Bob and Charlie want to securely exchange be {a1 , a2 , a3 , . . . , aN }, {b1 , b2 , b3 , . . . , bN } and {c1 , c2 , c3 , . . . , cN }, respectively (N  1 is assumed to be even without loss of generality). Clearly, in this protocol one secret bit is exchanged per GHZ-state and per party. That is, to exchange the whole above bit strings N GHZ-states should be consumed (we do not count those GHZ-states which are used for checking the quantum channel security in Step II of [18]). The question is: “May one do the same task with less than N GHZ-states?” Since quantum resources are very expensive answering this question would be highly desirable. In this connection, we note that after a successful exchange of the bits an , bn , cn these bits become known to any of Alice, Bob and Charlie but remain absolutely confidential from any unauthorized party. Making use of this fact we propose a way to increase the efficiency as follows. The three authorized parties use the 1st GHZ-state to exchange the bits a1 , b1 , c1 . Then they use these bits to encode the bits a2 , b2 , c2 . Namely, Alice publicly broadcasts a2 = a2 + a1 , Bob b2 = b2 + b1 and Charlie c2 = c2 + c1 . Obviously, only the three authorized parties are able to decode a2 , b2 , c2 to get a2 , b2 , c2 because nobody else but they know a1 , b1 , c1 . Next, they use the 2nd GHZ-state to exchange the bits a3 , b3 , c3 . Then they use these bits to exchange the bits a4 , b4 , c4 by Alice’s (Bob’s, Charlie’s) encoding a4 = a4 + a3 (b4 = b4 + b3 , c4 = c4 + c3 ). Again, only Alice, Bob and Charlie are the only ones who are able to learn a4 , b4 , c4 because only they have known a3 , b3 , c3 from the 2nd use of the GHZ-state. They can continue such a process until the whole strings are exchanged. As a result, Alice, Bob and Charlie need using just N/2 GHZ-states to directly exchange the bits a2n+1 , b2n+1 , c2n+1 (n = 0, 1, 2, . . .). As for the bits a2n+2 ,  b2n+2 , c2n+2 they use the encoding a2n+2 = a2n+2 + a2n+1 ,   b2n+2 = b2n+2 + b2n+1 and c2n+2 = c2n+2 + c2n+1 . Thus, they save half the quantum resource, i.e. two secret bits are exchanged per GHZ-state and per party, or in other words, the efficiency is doubled. Note that each of a2n+1 , b2n+1 , c2n+1 is used only once in the encoding so their confidentiality has not been leaked out at all, in accordance with the one-time pad strategy. The (cheap) price to pay is that only the “odd” secret bits a2n+1 , b2n+1 , c2n+1 are exchanged directly while the “even” bits a2n+2 , b2n+2 , c2n+2 are not because to learn    , b2n+2 , c2n+2 are them the three parties have to wait until a2n+2 broadcasted. By this reason we call our protocol efficient semidirect three-party quantum secure exchange of information. In conclusion, we have cured the drawback in the J-protocol for three-party quantum secure exchange of information by modifying its encoding procedure. We have also worked out explicit rules for the parties to decode each other’s secrecy unambiguously. Finally, we have shown that the efficiency of the protocol can be doubled at the price that half the secret bits will not be exchanged directly any more. We postpone the gener-

N. Ba An / Physics Letters A 360 (2007) 518–521

alization to the case of secure exchange of information among arbitrarily many parties for a future work since the explicit decoding rules may be much more complicated requiring more thorough efforts.

[4] [5] [6] [7] [8]

Acknowledgements The author thanks Korea Ministry of Information and Communication and Vietnam Ministry of Science and Technology for support.

[9] [10] [11] [12] [13] [14]

References [1] N. Gisin, G. Ribordy, W. Tittel, H. Zbinden, Rev. Mod. Phys. 74 (2002) 145. [2] C.H. Bennett, G. Brassard, in: Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, IEEE Press, New York, 1984, p. 175. [3] M. Lucamarini, S. Mancini, Phys. Rev. Lett. 94 (2005) 140501.

[15] [16] [17] [18]

521

G.P. Guo, G.C. Guo, Phys. Lett. A 310 (2003) 247. C.H. Bennett, G. Brassard, N.D. Mermin, Phys. Rev. Lett. 38 (1992) 557. A.K. Ekert, Phys. Rev. Lett. 67 (1991) 661. A. Beige, B.G. Engler, C. Kurtsiefer, H. Weinfurter, J. Phys. A: Math. Gen. 35 (2002) L407. A. Beige, B.G. Engler, C. Kurtsiefer, H. Weinfurter, Acta Phys. Pol. A 101 (2002) 357. K. Bostroem, T. Felbinger, Phys. Rev. Lett. 89 (2002) 187902. Q.Y. Cai, Phys. Rev. Lett. 91 (2003) 109801. N. Ba An, Phys. Lett. A 328 (2004) 6. Z.X. Man, quant-ph/0406230. N. Ba An, J. Korean Phys. Soc. 47 (2005) 562. Y. Xia, C.B. Fu, S. Zhang, S.K. Hong, K.H. Yeon, C.I. Um, J. Korean Phys. Soc. 48 (2006) 24. T. Gao, F.L. Fan, Z.X. Wang, J. Phys. A: Math. Gen. 38 (2005) 5761. N. Ba An, Phys. Lett. A 350 (2006) 147. F.G. Deng, X.H. Li, C.Y. Li, P. Zhou, Y.J. Liang, H.Y. Zhou, Chin. Phys. Lett. 23 (2006) 1676. X.R. Jin, X. Ji, Y.Q. Zhang, S. Zhang, S.K. Hong, K.H. Yeon, C.I. Um, Phys. Lett. A 354 (2006) 67.