Cryptanalysis on authenticated semi-quantum key distribution protocol using Bell states

Abstract

Recently, Yu et al. (Quantum Inf Process 13(6):1457–1465, 2014) proposed the first semi-quantum scheme without the need of a classical channel to generate a secret key, while employing a “master key” and the entanglement properties of Bell states. This study points out a vulnerability that allows a malicious person to recover a partial master key and to launch a successful Man-In-The-Middle attack. Accordingly, we present the most likely leakage information scenarios where an outside attacker affects the security of the proposed protocol.

Appendices

Appendix 1: The cracking algorithm in action

In this section, we run an example, based on our algorithm given in Sect. 3.2, in order to prove how we can recover the secret key \(K_3\). For that, we shorten Alice, Bob and Eve as A, B and E, respectively. We consider also, that E has recovered \(K_2\) and the communication protocol is in the second verification stage. We recall \(S_{1}\) are the measurement results that E captured and A have to broadcast publicly the MC sequence to B in order to perform the second check.

We tack the following measurement value for our example:

$$\begin{aligned} S_{1} = 1010 ,\quad MC_{1} = 10 \end{aligned}$$

(26)

where the subset ”1” design the first run. According to our attack context, E possesses both \(S_{1}\) and \(MC_{1}\). Then, she starts the algorithm as follow:

• \({\textcircled {1}}: \, {mrc}_{1}=?s_{1}\)

  $$\begin{aligned} \left\{ \begin{array}{l l} {mrc}_{1}=s_{1}=1 \quad \Rightarrow (k_{3,1}=1 \quad \text {go to} \,{\textcircled {2}}) \end{array} \right. \end{aligned}$$

• \({\textcircled {2}}: \, {mrc}_2=?s_2\)

  $$\begin{aligned} \left\{ \begin{array}{l l} {mrc}_2=s_2=0 \quad \Rightarrow (k_{3,2}=1 \quad \text {go to}\, {\textcircled {e}}) \end{array} \right. \end{aligned}$$

after reaching the step \({\textcircled {e}}\), E constructs \(K_3\) respecting the rule given by:

• Firstable, she concatenates the guessed values to form the first part.

• Then she completes the rest by ”0” until reaching the correct \(K_3\) length.

Accordingly, the first potential key is \(K_3=1100\).

Then, E has to execute the discovery algorithm for a second time by shifting the last position when we have \({mrc}_2=?s_2\) by \({mrc}_2=?s_3\) and \(k_{3,2}=0\). In other words, E has to look for all next positions \(i+1\) which satisfy the condition \({mrc}=?s_{j>i}\) given that in the position i we had previously \({mrc}=s_i\) (we fix the position of \(\frac{n-1}{2}\) ”1” and we look for the other position that satisfy the condition \({mrc}=?s_{j>i}\)). Thus, we have:

• \({\textcircled {1}}: \, {mrc}_{1}=?s_2\)

  $$\begin{aligned} \left\{ \begin{array}{l l} {mrc}_{1}=s_{1}=1 \quad \Rightarrow (k_{3,1}=1 \quad \text {go to} {\textcircled {2}}) \end{array} \right. \end{aligned}$$

• \({\textcircled {2}}: \,{mrc}_2=?s_3\)

  $$\begin{aligned} \left\{ \begin{array}{ll} {mrc}_2\ne s_3=0 \quad \Rightarrow (k_{3,2}=k_{3,3}=0 \quad \text {go to next} s_4) \\ \end{array} \right. \left\{ \begin{array}{ll} {mrc}_2=s_4=1 \quad \Rightarrow (k_{3,4}=1 \quad \text {go to} {\textcircled {e}}) \end{array} \right. \end{aligned}$$

As before, when reaching the step \({\textcircled {e}}\), E constructs \(K_3\) respecting the rule given by:

• Firstable, she concatenates the guessed values to form the first part.

• Then she completes the rest by ”0” until reaching the correct \(K_3\) length.

Accordingly, the second potential key is \(K_3=1001\).

The previous process have to be conducted by fixing the first position to ”0” and the second one to ”1” and we look for the other position that satisfy the condition \({mrc}=?s_{j>2}\) and we continue so on. Thus, in our example we can see that all keys having this form \(K_3=01??\) can not lead to \(MC=10\). So we skip this step to the next form \(K_3=001?\). Therefore, When E runs the discovery algorithm against this form, we found that \(K_3=0011\) is also a potential key. Finally, E groups all those keys in set \({\mathcal {K}}_{1}=\left\{ [1100];[1001];[0011]\right\} \) representing all candidates key satisfying:

$$\begin{aligned} S_{1}\oplus K_3=MC_{1}. \end{aligned}$$

(27)

where \(\oplus \) is a mask operation defined in Eqs. (3) and (5).

Appendix 2: Example implementing the described attack

In order to recover the \(K_3\) key and implement a full Man-In-The-Middle attack, E has to record as many as possible the measurements sequences \(S_i\) and the correspondent \(MC_i\). For that, we consider two sequences \(S_{1}=1010\) and \(S_2=1001\) and two check sequences \(MC_{1}=10\) and \(MC_2=10\). According to the process described in the previous section, E possesses two sets \({\mathcal {K}}_{1}=\left\{ [1100];[1001];[0011]\right\} \) and \({\mathcal {K}}_2=\left\{ [1010];[0011]\right\} \). Thus, it is straightforward to see that:

$$\begin{aligned} \forall K_3 \in {\mathcal {K}}_{1}&\quad&S_{1}\oplus K_3=MC_{1} \nonumber \\ \forall K_3 \in {\mathcal {K}}_2&\quad&S_2\oplus K_3=MC_2 \end{aligned}$$

(28)

however, as we constat that only \({\mathcal {K}}^{1}\cap {\mathcal {K}}^2=\left\{ [0011]\right\} \) will satisfy simultaneously the two tests. Then, we conclude that the real \(K_3\) is trivially [0011].