
Comment on “A practical protocol for three-party authenticated quantum key distribution”

  • Yi-Ping Luo
  • Wen-Han Chou
  • Tzonelih Hwang

Abstract

Guan et al. (Quantum Inf Process 13(11):2355–2374, 2014) proposed a three-party authenticated quantum key distribution protocol in which two participants authenticate each other and eventually share a session key with the help of a trusted center (TC) that has pre-shared a master key with each participant. After a successful authentication and key distribution process, TC and the participants update their master keys. This study points out that Guan et al.’s scheme is vulnerable to an intercept-and-measure attack by a malicious participant and to an information leakage attack by an outside eavesdropper, and that its key update can lose synchronization.

Keywords

Quantum key distribution · Authentication · Information leakage · Intercept-and-measure attack · Synchronization · Quantum fingerprinting

1 Introduction

Distributing a secret key between two participants is a fundamental problem in cryptography. In 1984, Bennett and Brassard [1] used properties of quantum mechanics to establish the first quantum key distribution (QKD) protocol (the BB84 protocol), and many QKD protocols [2, 3, 4, 5, 6, 7, 8, 9] have been proposed since. The security of these protocols also depends on the assumption of an authenticated classical channel, i.e., a channel that is either unjammable or authenticated. In practice this assumption is hard to meet, and without it these protocols are open to the man-in-the-middle attack [10]. How to provide authentication within a QKD protocol has therefore become an important issue in QKD design [11].

In 2014, Guan et al. [12] proposed a three-party authenticated QKD (AQKD) protocol that realizes key distribution and authentication simultaneously. In their protocol, two participants authenticate each other and obtain a secure session key with the help of a trusted center, TC, without using an authenticated classical channel. For this, TC pre-shares a master key with each participant. After a successful authentication and key distribution process, TC and each participant update their master key.

However, this study points out three security loopholes in Guan et al.’s scheme: (1) a malicious participant can obtain the other participant’s master key by an intercept-and-measure attack; (2) information about the two participants’ master keys (which bit positions differ) can be leaked to an outside eavesdropper; (3) the master keys held by TC and a participant can lose synchronization. The rest of this paper is organized as follows. Section 2 gives a brief review of Guan et al.’s scheme. Section 3 demonstrates the three security issues in detail. Section 4 summarizes the results.
Table 1 Qubit \(|Q_A\rangle^{i}\) generation: the row is selected by \(K_{TA}^i\) (the basis), the column by \((C\oplus K_{TA})^{i}\) (the value within that basis)

                    \((C\oplus K_{TA})^{i}=0\)    \((C\oplus K_{TA})^{i}=1\)
\(K_{TA}^i=0\)      \(|0\rangle\)                 \(|1\rangle\)
\(K_{TA}^i=1\)      \(|+\rangle\)                 \(|-\rangle\)

Here, i denotes the ith bit of the sequence.

2 Review of Guan et al.’s scheme

In this section, a brief review of Guan et al.’s three-party AQKD scheme is presented. In their scheme, two participants (Alice and Bob) mutually authenticate each other and then establish a k-bit session key \(K_S\) with the help of a trusted center (TC), with whom Alice and Bob pre-share the long-term secret keys (master keys) \(K_{{ TA}}\) and \(K_{{ TB}}\), respectively. A linear \(\left[ {n,k,t} \right] \) code \(C_k^n \) encodes the k-bit \(K_S \) into an n-bit code word C from which up to t errors can be corrected. The procedure of Guan et al.’s scheme consists of the following steps:
Step 1

(Key encoding) The TC randomly chooses a session key \(K_S\) and encodes \(K_S\) into the code word C by the introduced linear code \(C_k^n\).

Step 2

(Qubit generation) TC calculates \(C\oplus K_{{ TA}} \) and then generates n qubits \(\left| {Q_A } \right\rangle \) from \(C\oplus K_{{ TA}}\) and \(K_{{ TA}}\) as shown in Table 1: the ith bit of \(K_{{ TA}}\) selects the basis (Z-basis \(\{|0\rangle,|1\rangle\}\) for 0, X-basis \(\{|+\rangle,|-\rangle\}\) for 1) and the ith bit of \(C\oplus K_{{ TA}}\) selects the state within that basis. Similarly, TC generates n qubits \(\left| {Q_B } \right\rangle \) from \(C\oplus K_{{ TB}}\) and \(K_{{ TB}}\).

Step 3

(Qubits transmission) TC sends \(\left| {Q_A } \right\rangle \) and \(\left| {Q_B } \right\rangle \) to Alice and Bob, respectively.

Step 4

(Key decoding) Upon receiving the sequence \(\left| {Q_A } \right\rangle \), Alice measures each qubit in the basis indicated by the corresponding bit of \(K_{{ TA}}\) and obtains \(\left( {{C}'_A \oplus K_{{ TA}}} \right) \). Similarly, Bob obtains \(\left( {{C}'_B \oplus K_{{ TB}}} \right) \). After that, Alice computes \({C}'_A = \left( {{C}'_A \oplus K_{{ TA}}} \right) \oplus K_{{ TA}}\) and Bob computes \({C}'_B =\left( {{C}'_B \oplus K_{{ TB}} } \right) \oplus K_{{ TB}}\).

Step 5

(Error correction) Alice and Bob use the error-correcting code \(C_k^n \) to correct \({C}_A^{'}\) and \({C}_B^{'}\), obtaining \(C_A \) and \(C_B \), respectively, and decode them into the session keys \((K_S)_A \) and \((K_S)_B \).

Step 6

(Key consistency verification) Alice generates a time stamp t. She then computes \(V_1 =e_{(K_S )_A }(U_A \cdot t)\) and sends \(V_1 \) to Bob. Here, \(e_{(K_S )_A }\) is an encryption algorithm keyed with the session key \((K_S )_A \), “\(\cdot \)” denotes string concatenation, and \(U_A \) is the identity of Alice. Upon receiving \(V_1\), Bob decrypts it with \((K_S )_B\), obtaining \(U_A\,\cdot \,{t}^{'}=d_{(K_S)_B }(V_1)\), where \(d_{(K_S )_B} \) is the corresponding decryption algorithm keyed with \((K_S )_B\). Then, Bob computes \(V_2 =e_{(K_S )_B }({t}^{'}+1)\) and sends \(V_2\) to Alice. Alice computes \(d_{(K_S )_A }(V_2 )\), obtains \({t}'+1\), and compares it with \(t+1\). If they are equal, then \(C_A =C_B =C\) (i.e., \((K_S )_A =(K_S )_B =K_S\)) and they proceed to Step 7. Otherwise, Alice aborts the session.

Step 7

(Key evolution) TC chooses a hash function f from a class of \(\{0,1\}^{2n}\rightarrow \{0,1\}^{n}\) universal hash functions and announces it. Then TC and Alice compute \(K^{\prime }_{{ TA}} =f(K_{{ TA}} \cdot C_A )\) as their new master key. TC and Bob compute their new master key \(K^{\prime }_{{ TB}} =f(K_{{ TB}} \cdot C_B )\).

3 Security loopholes in Guan et al.’s scheme

This section presents three security loopholes in Guan et al.’s scheme, i.e., an intercept-and-measure attack, the key leakage problem, and the loss of synchronization.

3.1 Intercept-and-measure attack

In this attack, we consider a malicious insider, Bob, who intends to obtain Alice’s master key \(K_{{ TA}}\). We assume that Bob controls the quantum channel between TC and Alice and that this channel is ideal (noiseless), so that every mismatch observed below is caused by a basis difference and not by channel errors. Bob intercepts \(\left| {Q_A } \right\rangle \) in Step 3 and sends Alice a fake sequence whose qubits are chosen at random from \(\left\{ {\left| 0 \right\rangle ,\left| 1 \right\rangle ,\left| + \right\rangle ,\left| - \right\rangle } \right\} \). He then measures the intercepted \(\left| {Q_A } \right\rangle \) in the bases indicated by his own master key \(K_{{ TB}}\): if \(K_{{ TB}}^i =0\), he measures \(\left| {Q_A } \right\rangle ^{i}\) in the Z-basis \(\left\{ {\left| 0 \right\rangle ,\left| 1 \right\rangle } \right\} \), otherwise in the X-basis \(\left\{ {\left| + \right\rangle ,\left| - \right\rangle } \right\} \), where i denotes the ith qubit of the sequence. Let \({H}_A^{'i}\) denote this measurement result and \(H_{B}^i \) the result Bob obtained in Step 4 by measuring his own \(\left| {Q_B } \right\rangle ^{i}\) in the same basis. If \(K_{{ TA}}^i = K_{{ TB}}^i \), both qubits were prepared in the basis Bob measures in, so \({H}_A^{'i} = (C\oplus K_{{ TA}})^i = (C\oplus K_{{ TB}})^i = H_B^i\) with certainty; hence a mismatch \({H}_A^{'i} \ne H_B^i \) tells Bob that \(K_{{ TA}}^i \ne K_{{ TB}}^i \), i.e., \(K_{{ TA}}^i = \overline{K_{{ TB}}^i}\). (If the bases differ, Bob’s outcome on \(\left| {Q_A } \right\rangle ^{i}\) is uniformly random, so a mismatch appears with probability 1/2 in each round; a match is therefore inconclusive.) Since the fake sequence cannot pass the verification in Step 6, the protocol fails, the master keys are not updated in Step 7, and the same \(K_{{ TA}}\) and \(K_{{ TB}}\) are reused in the next round, where Bob repeats the attack on the remaining bits. After r rounds, every position that never produced a mismatch equals the corresponding bit of \(K_{{ TB}}\) except with probability \(2^{-r}\), so after several rounds Bob obtains all of Alice’s master key.

As an example, suppose Alice’s master key \((K_{{ TA}})\) is 01010101 and Bob’s master key \((K_{{ TB}})\) is 00110011.
\(\mathbf{Step}~\mathbf{1}^{*}\)

If the code word of the session key (C) is 00000000, then TC calculates \(C\oplus K_{{ TA}} \) and \(C\oplus K_{{ TB}}\) to obtain \(G_A =01010101\) and \(G_B =00110011\), respectively.

\(\mathbf{Step}~\mathbf{2}^{*}\)

After that, TC uses \(K_{{ TA}}\) and \(K_{{ TB}}\) to generate \(\left| {Q_A } \right\rangle \,(\left| 0 \right\rangle \left| - \right\rangle \left| 0 \right\rangle \left| - \right\rangle \left| 0 \right\rangle \left| - \right\rangle \left| 0 \right\rangle \left| - \right\rangle )\) and \(\left| {Q_B } \right\rangle \,(\left| 0 \right\rangle \left| 0 \right\rangle \left| - \right\rangle \left| - \right\rangle \left| 0 \right\rangle \left| 0 \right\rangle \left| - \right\rangle \left| - \right\rangle )\) based on Table 1, respectively. TC sends \(\left| {Q_A } \right\rangle \) to Alice and \(\left| {Q_B } \right\rangle \) to Bob.

\(\mathbf{Step}~\mathbf{3}^{*}\)

Bob intercepts \(\left| {Q_A } \right\rangle \), sends Alice a fake sequence, and measures both the intercepted \(\left| {Q_A } \right\rangle \) and his own \(\left| {Q_B } \right\rangle \) in the bases indicated by \(K_{{ TB}} \), obtaining \({H}_A^{'} \) and \(H_B\), respectively. All possible results are listed in Table 2: at the positions where \(K_{{ TA}}^i = K_{{ TB}}^i\) (i = 1, 4, 5, 8) the outcome on \(\left| {Q_A } \right\rangle ^{i}\) is fixed, while at the positions where the keys differ (i = 2, 3, 6, 7) it is random. Bob then compares \({H}_A^{'i} \) with \(H_B^{i} \) for \(1\le i\le 8\). If \({H}_A^{'i} \ne H_B^{i} \), Bob knows that \(K_{{ TA}}^i \ne K_{{ TB}}^i \); hence, \(K_{{ TA}}^i =\overline{K_{{ TB}}^i }\). For example, suppose \({H}_A^{'} =\left| 0 \right\rangle \left| 0 \right\rangle \left| + \right\rangle \left| - \right\rangle \left| 0 \right\rangle \left| 1 \right\rangle \left| - \right\rangle \left| - \right\rangle \) and \(H_B =\left| 0 \right\rangle \left| 0 \right\rangle \left| - \right\rangle \left| - \right\rangle \left| 0 \right\rangle \left| 0 \right\rangle \left| - \right\rangle \left| - \right\rangle \). Since \({H}_A^{'3} \ne H_B^3 \) and \({H}_A^{'6} \ne H_B^6 \), Bob knows \(K_{{ TA}}^3 \ne K_{{ TB}}^3 \) and \(K_{{ TA}}^6 \ne K_{{ TB}}^6 \), so the third and sixth bits of \(K_{{ TA}} \) are “0” and “1,” respectively. The matches at positions 2 and 7 are inconclusive in this round (the keys differ there as well, but Bob’s random outcomes happened to agree with \(H_B\)); after several rounds, Bob obtains all bits of \(K_{{ TA}} \).

Table 2 All possible measurement results \({H}'_A \) (Bob measuring the intercepted \(|Q_A\rangle\) in the bases of \(K_{TB}\)) and \(H_B \) (Bob measuring his own \(|Q_B\rangle\)) for \(K_{TA}=01010101\), \(K_{TB}=00110011\), \(C=00000000\)

i                   1              2                          3                          4              5              6                          7                          8
\(K_{TB}^i\)        0              0                          1                          1              0              0                          1                          1
\(|Q_A\rangle^{i}\) \(|0\rangle\)  \(|-\rangle\)              \(|0\rangle\)              \(|-\rangle\)  \(|0\rangle\)  \(|-\rangle\)              \(|0\rangle\)              \(|-\rangle\)
\({H}_A^{'i}\)      \(|0\rangle\)  \(|0\rangle / |1\rangle\)  \(|+\rangle / |-\rangle\)  \(|-\rangle\)  \(|0\rangle\)  \(|0\rangle / |1\rangle\)  \(|+\rangle / |-\rangle\)  \(|-\rangle\)
\(H_B^{i}\)         \(|0\rangle\)  \(|0\rangle\)              \(|-\rangle\)              \(|-\rangle\)  \(|0\rangle\)  \(|0\rangle\)              \(|-\rangle\)              \(|-\rangle\)

Entries of the form \(|x\rangle / |y\rangle\) are equiprobable outcomes at positions where \(K_{TA}^i \ne K_{TB}^i\).
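The qubit encoding of Table 1, the honest Steps 1–5 of the review in Sect. 2, and Bob’s intercept-and-measure attack of Sect. 3.1, as an added simulation written for this commentary (it is not the protocol authors’ or the present authors’ code). Qubits are modelled classically as (basis, bit) pairs, which is exact for single-qubit BB84 states measured in the Z or X basis: measuring in the preparation basis returns the encoded bit, measuring in the other basis returns a uniformly random bit, and nothing more is used by the attack. Assumptions not taken from the paper: noiseless channels, a [3k, k, 1] repetition code standing in for the generic [n, k, t] linear code, and a fixed PRNG seed so that runs are reproducible.

```python
import random


def encode(ks):
    """Step 1 stand-in: [3k,k,1] repetition code, each K_S bit sent three times."""
    return [b for b in ks for _ in range(3)]


def decode(c):
    """Step 5 stand-in: majority vote per 3-bit block corrects one error per block."""
    return [1 if sum(c[i:i + 3]) >= 2 else 0 for i in range(0, len(c), 3)]


def make_qubits(c, k):
    """Step 2 / Table 1: qubit i is (basis, value) = (K^i, (C xor K)^i);
    basis 0 is Z = {|0>,|1>}, basis 1 is X = {|+>,|->}."""
    return [(k[i], c[i] ^ k[i]) for i in range(len(c))]


def measure(qubit, basis, rng):
    """Same basis: deterministic outcome; other basis: uniformly random outcome."""
    prep_basis, value = qubit
    return value if prep_basis == basis else rng.randrange(2)


def recover_codeword(qubits, k, rng):
    """Step 4: measure in the bases given by K, then strip the mask K."""
    return [measure(q, k[i], rng) ^ k[i] for i, q in enumerate(qubits)]


def honest_run(ks, kta, ktb, seed=0):
    """Steps 1-5 with nobody on the channel: both parties recover K_S."""
    rng = random.Random(seed)
    c = encode(ks)
    ks_a = decode(recover_codeword(make_qubits(c, kta), kta, rng))
    ks_b = decode(recover_codeword(make_qubits(c, ktb), ktb, rng))
    return ks_a, ks_b


def bob_attack(kta, ktb, rounds, seed=0):
    """Sect. 3.1: malicious Bob recovers K_TA.  Each round he intercepts |Q_A>,
    measures it in his own bases (K_TB) to get H'_A, and compares with H_B, his
    legitimate measurement of |Q_B>.  H'_A^i != H_B^i is only possible when
    K_TA^i != K_TB^i.  Alice receives a fake sequence, Step 6 fails, the master
    keys are not updated, and Bob tries again with the same keys next round."""
    rng = random.Random(seed)
    n = len(kta)
    differs = set()                      # positions where a mismatch was ever seen
    for _ in range(rounds):
        c = [rng.randrange(2) for _ in range(n)]     # TC picks a fresh codeword
        h_a = [measure(q, ktb[i], rng) for i, q in enumerate(make_qubits(c, kta))]
        h_b = [measure(q, ktb[i], rng) for i, q in enumerate(make_qubits(c, ktb))]
        differs.update(i for i in range(n) if h_a[i] != h_b[i])
    # a position that never mismatched is taken as equal to K_TB; for a truly
    # differing position this is wrong with probability 2**-rounds
    return [ktb[i] ^ 1 if i in differs else ktb[i] for i in range(n)]


if __name__ == "__main__":
    # constructed example: the master keys of the paper's Sect. 3.1 walk-through
    kta = [0, 1, 0, 1, 0, 1, 0, 1]
    ktb = [0, 0, 1, 1, 0, 0, 1, 1]
    for r in (1, 2, 4, 8, 16):
        guess = bob_attack(kta, ktb, r, seed=7)
        wrong = sum(a != b for a, b in zip(guess, kta))
        print(f"{r:2d} round(s): Bob's guess {guess}, {wrong} bit(s) still wrong")
    print("honest run:", honest_run([1, 0, 1, 1],
                                    [0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 0],
                                    [1, 0, 0, 1, 0, 1, 1, 0, 0, 0, 1, 1]))
```

Running the script shows the four positions where the two example keys differ being picked up one by one as the rounds accumulate, while the four equal positions never mismatch; the honest run returns the same 4-bit session key for both parties because every qubit is measured in its preparation basis.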

3.2 Key leakage problem

In Guan et al.’s scheme, an outside eavesdropper Eve can use the quantum fingerprinting technique [13] to learn the relationship between Alice’s and Bob’s master keys. To do this, Eve intercepts \(\left| {Q_A } \right\rangle \) and \(\left| {Q_B } \right\rangle \) in Step 3 and sends fake quantum sequences to Alice and Bob, respectively, whose states are chosen at random from \(\left\{ {\left| 0 \right\rangle ,\left| 1 \right\rangle ,\left| + \right\rangle ,\left| - \right\rangle } \right\} \). Eve then prepares n auxiliary qubits (e.g., \(\left| 0 \right\rangle _E^{\otimes n}\)) to execute quantum fingerprinting. Precisely, Eve attaches one auxiliary qubit to the pair \(\left| {Q_A } \right\rangle ^{i}\), \(\left| {Q_B } \right\rangle ^{i}\), where i denotes the ith qubit of the sequence, performs a Hadamard operation on the auxiliary qubit, performs a controlled-SWAP operation on the three-qubit system, and finally performs a Hadamard operation on the auxiliary qubit once again. Eq. (1) shows the transformation of the three-qubit system, where H denotes the Hadamard transform mapping \(\left| b \right\rangle \rightarrow \frac{1}{\sqrt{2}}\left( {\left| 0 \right\rangle +\left( {-1} \right) ^{b}\left| 1 \right\rangle } \right) \), \(b\in \left\{ {0,1} \right\} \), \({ SWAP}\) is the operation \(\left| {Q_A } \right\rangle ^{i}\left| {Q_B } \right\rangle ^{i}\rightarrow \left| {Q_B } \right\rangle ^{i}\left| {Q_A } \right\rangle ^{i}\), and \(C-{ SWAP}\) is the controlled-\({ SWAP}\) (controlled by the first qubit).
$$\begin{aligned}&\left| 0 \right\rangle _E \left| {Q_A } \right\rangle ^{i}\left| {Q_B } \right\rangle ^{i}\xrightarrow {H\otimes I\otimes I}\frac{1}{\sqrt{2}}\left( {\left| 0 \right\rangle _E +\left| 1 \right\rangle _E } \right) \left| {Q_A } \right\rangle ^{i}\left| {Q_B } \right\rangle ^{i} \nonumber \\&\quad \xrightarrow {C-{ SWAP}}\frac{1}{\sqrt{2}}\left( {\left| 0 \right\rangle _E \left| {Q_A } \right\rangle ^{i}\left| {Q_B } \right\rangle ^{i}+\left| 1 \right\rangle _E \left| {Q_B } \right\rangle ^{i}\left| {Q_A } \right\rangle ^{i}} \right) \nonumber \\&\quad \xrightarrow {H\otimes I\otimes I}\frac{1}{\sqrt{2}}\left( \frac{1}{\sqrt{2}}\left( {\left| 0 \right\rangle _E +\left| 1 \right\rangle _E } \right) \left| {Q_A } \right\rangle ^{i}\left| {Q_B } \right\rangle ^{i}\right. \nonumber \\&\quad \left. +\frac{1}{\sqrt{2}}\left( {\left| 0 \right\rangle _E -\left| 1 \right\rangle _E } \right) \left| {Q_B } \right\rangle ^{i}\left| {Q_A } \right\rangle ^{i} \right) \nonumber \\&=\frac{1}{2}\left( \left| 0 \right\rangle _E \left( {\left| {Q_A } \right\rangle ^{i}\left| {Q_B } \right\rangle ^{i}+\left| {Q_B } \right\rangle ^{i}\left| {Q_A } \right\rangle ^{i}} \right) \right. \nonumber \\&\quad \left. +\left| 1 \right\rangle _E \left( {\left| {Q_A } \right\rangle ^{i}\left| {Q_B } \right\rangle ^{i}-\left| {Q_B } \right\rangle ^{i}\left| {Q_A } \right\rangle ^{i}} \right) \right) \end{aligned}$$
(1)
After that, Eve measures the auxiliary qubit in the Z-basis \(\left\{ {\left| 0 \right\rangle ,\left| 1 \right\rangle } \right\} \). From Eq. (1), the outcome \(\left| 1 \right\rangle \) occurs with probability \(\frac{1}{2}\left( 1-\left| \langle Q_A^i | Q_B^i \rangle \right| ^{2}\right) \). If \(K_{{ TA}}^i = K_{{ TB}}^i \), both qubits were prepared in the same basis with the same value bit \((C\oplus K_{{ TA}})^i = (C\oplus K_{{ TB}})^i\), so they are identical and the outcome is always \(\left| 0 \right\rangle \); if \(K_{{ TA}}^i \ne K_{{ TB}}^i \), the two states belong to different bases, \(\left| \langle Q_A^i | Q_B^i \rangle \right| ^{2} = 1/2\), and \(\left| 1 \right\rangle \) occurs with probability 1/4. Hence whenever the measurement is \(\left| 1 \right\rangle \), Eve knows with certainty that \(K_{{ TA}}^i \ne K_{{ TB}}^i \), without needing either key bit itself. Since the fake sequences make the protocol fail, the same master keys are reused, and Eve can repeat this attack over several rounds to learn the relationship between Alice’s and Bob’s master keys, i.e., the positions at which \(K_{{ TA}}\) and \(K_{{ TB}}\) differ.
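The SWAP test of Eq. (1), as an added state-vector simulation written for this commentary (not the attack authors’ code), to check the probabilities stated above: the ancilla reads \(|1\rangle\) with probability zero when the two protocol qubits are identical (same basis, same value) and 1/4 when they were prepared in different bases. It is pure Python with no numpy; the qubit order is (E, \(Q_A^i\), \(Q_B^i\)) with the ancilla as the most significant bit of the state-vector index. The helper `rounds_to_detect` is not in the paper: it converts the 1/4 per-round detection probability into the number of repeated protocol runs Eve needs to flag a differing key position with a chosen confidence.

```python
import math

# BB84 single-qubit states as real 2-vectors (all amplitudes here are real)
ZERO = [1.0, 0.0]
ONE = [0.0, 1.0]
PLUS = [1 / math.sqrt(2), 1 / math.sqrt(2)]
MINUS = [1 / math.sqrt(2), -1 / math.sqrt(2)]


def table1_state(key_bit, masked_bit):
    """Table 1: basis from the master-key bit, value from the (C xor K) bit."""
    return [[ZERO, ONE], [PLUS, MINUS]][key_bit][masked_bit]


def kron(*vectors):
    """Tensor product; the first factor becomes the most significant index bit."""
    out = [1.0]
    for v in vectors:
        out = [a * b for a in out for b in v]
    return out


def hadamard_on_ancilla(psi):
    """H (x) I (x) I on the 3-qubit state: mixes amplitudes at indices j and 4+j."""
    out = psi[:]
    for j in range(4):
        a, b = psi[j], psi[4 + j]
        out[j] = (a + b) / math.sqrt(2)
        out[4 + j] = (a - b) / math.sqrt(2)
    return out


def controlled_swap(psi):
    """Swap Q_A and Q_B when the ancilla is |1>: only |1,01> <-> |1,10> move."""
    out = psi[:]
    out[0b101], out[0b110] = psi[0b110], psi[0b101]
    return out


def prob_ancilla_one(qa, qb):
    """Eq. (1): |0>_E |qa> |qb> -> H -> C-SWAP -> H, then P(E measured as |1>)."""
    psi = kron(ZERO, qa, qb)
    psi = hadamard_on_ancilla(psi)
    psi = controlled_swap(psi)
    psi = hadamard_on_ancilla(psi)
    return sum(amp * amp for amp in psi[4:])     # indices 4..7 have E = 1


def leak_probability(c_bit, kta_bit, ktb_bit):
    """P(Eve reads |1>) at a position where TC used codeword bit c_bit and the
    two master keys have bits kta_bit and ktb_bit."""
    qa = table1_state(kta_bit, c_bit ^ kta_bit)
    qb = table1_state(ktb_bit, c_bit ^ ktb_bit)
    return prob_ancilla_one(qa, qb)


def rounds_to_detect(confidence):
    """Smallest r with 1 - (3/4)^r >= confidence: repeated runs needed for Eve to
    see |1> at least once at a position where K_TA^i != K_TB^i."""
    return math.ceil(math.log(1 - confidence) / math.log(0.75))


if __name__ == "__main__":
    for c_bit in (0, 1):
        for kta_bit in (0, 1):
            for ktb_bit in (0, 1):
                p = leak_probability(c_bit, kta_bit, ktb_bit)
                print(f"C={c_bit} K_TA={kta_bit} K_TB={ktb_bit}: P(|1>_E) = {p:.3f}")
    print("rounds for 99% detection of a differing position:", rounds_to_detect(0.99))
```

The table printed by the script is the whole leak: the codeword bit never matters, equal key bits give probability 0, and unequal key bits give exactly 1/4, so a single \(|1\rangle\) outcome is conclusive while about seventeen failed runs are enough to reveal a differing position with 99% confidence.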

3.3 Loss of synchronization

In Guan et al.’s scheme, after the session key has been verified in Step 6, TC announces a hash function f from a class of \(\{0,1\}^{2n}\rightarrow \{0,1\}^{n}\) universal hash functions to Alice and Bob. Upon receiving f, Alice and Bob compute \(K^{\prime }_{{ TA}} =f(K_{{ TA}} \cdot C_A )\) and \(K^{\prime }_{{ TB}} =f(K_{{ TB}} \cdot C_B )\) as their new master keys. However, if the transmission of f from TC to Alice or to Bob is interrupted, that participant receives nothing and does not update the master key, while TC does. The master keys held by TC and the participant then lose synchronization, the next run of the protocol is performed with different keys on the two sides, and the protocol fails.

4 Conclusions

In this article, we have pointed out some security loopholes in Guan et al.’s three-party AQKD protocol. It would be interesting to design a secure and practical authenticated quantum key distribution protocol.


Acknowledgements

We would like to thank the Ministry of Science and Technology of Republic of China for financial support of this research under Contract No. MOST 105-2221-E-006-162-MY2.

References

  1. Bennett, C.H., Brassard, G.: Quantum cryptography: public key distribution and coin tossing. In: Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, India, December 1984
  2. Bennett, C.H.: Quantum cryptography using any two nonorthogonal states. Phys. Rev. Lett. 68(21), 3121 (1992)
  3. Long, G.-L., Liu, X.-S.: Theoretically efficient high-capacity quantum-key-distribution scheme. Phys. Rev. A 65(3), 032302 (2002)
  4. Li, C., et al.: A random quantum key distribution achieved by using Bell states. J. Opt. B Quantum Semiclassical Opt. 5(2), 155 (2003)
  5. Song, D.: Secure key distribution by swapping quantum entanglement. Phys. Rev. A 69(3), 034301 (2004)
  6. Namiki, R., Hirano, T.: Efficient-phase-encoding protocols for continuous-variable quantum key distribution using coherent states and postselection. Phys. Rev. A 74(3), 032302 (2006)
  7. Hwang, T., Lee, K.-C.: EPR quantum key distribution protocols with potential 100% qubit efficiency. IET Inf. Secur. 1(1), 43–45 (2007)
  8. Hwang, T., Lee, K.-C., Li, C.-M.: Provably secure three-party authenticated quantum key distribution protocols. IEEE Trans. Dependable Secur. Comput. 4(1), 71–80 (2007)
  9. Gan, G.: Quantum key distribution scheme with high efficiency. Commun. Theor. Phys. 51(5), 820 (2009)
  10. Zeng, G., Zhang, W.: Identity verification in quantum key distribution. Phys. Rev. A 61(2), 022303 (2000)
  11. Wegman, M.N., Carter, J.L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981)
  12. Guan, D.-J., Wang, Y.-J., Zhuang, E.: A practical protocol for three-party authenticated quantum key distribution. Quantum Inf. Process. 13(11), 2355–2374 (2014)
  13. Buhrman, H., et al.: Quantum fingerprinting. Phys. Rev. Lett. 87(16), 167902 (2001)

Copyright information

© Springer Science+Business Media New York 2017

Authors and Affiliations

  1. Institute for Information Industry, CyberTrust Technology Institute, Taipei, Taiwan, ROC
  2. Department of Computer Science and Information Engineering, National Cheng Kung University, Tainan City, Taiwan, ROC
