1. WO2011002276 - QUANTUM KEY DISTRIBUTION IN TERMS OF THE GREENBERGER-HORNE-ZEILINGER STATE - MULTI-KEY GENERATION

Note: Text based on automatic Optical Character Recognition processes. Please use the PDF version for legal matters

Quantum Key Distribution in Terms of the Greenberger-Horne-Zeilinger State - Multi-Key Generation

Field of Invention

The present invention is related to quantum cryptography. Precisely, it provides a method to carry out quantum key distribution between multiple users via Greenberger-Horne-Zeilinger states.

Background of the Invention

Quantum cryptography is one of the most fruitful applications in the quantum information theory. Among others, quantum key distribution (QKD) is a method allowing two or more legitimate users of a communication channel to establish two or more exact keys. This will be in the form of a random and secret sequence of bits. The advantage of the quantum cryptography over the classical one lies in the following: the former follows the quantum laws, e.g., the Heisenberg uncertainty principle, no-cloning theorem and the quantum correlations, to protect the distribution of the cryptographic keys. Therefore, the message and the key are secure since the legitimate users can easily detect the eavesdroppers. Various protocols have been developed in the framework of the quantum cryptography. Most of these protocols follow the original three constructs, namely, the BB84 protocol, the B92 protocol and the EPR protocol.

Entanglement is one of the main ingredients in the quantum information theory. Based on this property, various protocols have been developed. The known "ping-pong" protocol has been given to achieve deterministic direct communication between the legitimate users. This protocol has advantages and disadvantages; it allows the transmission of either a secret key or the plaintext message. Nevertheless, it is insecure (quasi-secure) when it is operating in a noisy (perfect quantum) channel.

In the entanglement protocols, the Einstein-Podolsky-Rosen (EPR) state has been used to distribute the quantum-cryptographic key. The security has been checked either by the violation of the Bell inequalities or by the correlation of the EPR. Furthermore, Greenberger-Horne-Zeilinger states (GHZs) have already been involved in quantum cryptography. These states are distinguished by a large Hilbert space compared to the EPR. In the GHZs protocols one can have two or more legitimate users. In the two-user case, the distribution of the GHZs particles and the quantum states are asymmetrical between the users, hereinafter referred to as Alice and Bob. Additionally, the security can be established via the correlation of the GHZ triplet state, as illustrated in G. Zeng quant-ph/0001044, for example. The multi-user case, say three users, includes a sender, a recipient and a supervisor. The supervisor controls the entanglement and information transmission between the sender and the recipient. The users can get the key only by joint cooperation. In this respect, the protocol is secured against the dishonest user (if one exists).

The GHZs has been used in quantum secure direct communication and in teleportation, too. It is worth mentioning that the simultaneous quantum direct communication between users based on the GHZs has been developed by X.-R. Jin, X. Ji, Y.-Q. Zhang, S. Zhang, S.-K. Hong, K.-H. Yeon, C.-I. Um, Phys. Lett. A 354 (2006) 67. However, it is shown in F. Gao, S.-J. Qin, Q.-Y. Wen and F.-C. Zhu, Physics Letters A 372 (2008) 3333-3336 that this protocol is not secure. Finally, the GHZs has been experimentally implemented by various means, e.g., using entanglement swapping starting from three down converters (as of M. Zukowski, A. Zeilinger, H. Weinfurter, Ann. N.Y. Acad. Sci. 755 (1995) 91), using two pairs of entangled photons (as of D. Bouwmeester, J. W. Pan, M. Daniell, H. Weinfurter, A. Zeilinger, Phys. Rev. Lett. 82 (1999) 1345), based on dipole-induced transparency in a cavity-waveguide system (as of J. Qian, Y. Qian, X.-L. Feng, T. Yang, S.-Q. Gong, Phys. Rev. A 75 (2007) 032309), in the framework of the superconducting circuits (as of L. F. Wei, Yu-xi Liu, F. Nori, Phys. Rev. Lett. 96 (2006) 246803) and nuclear magnetic resonance (as of R. J. Nelson, D. G. Cory, S. Lloyd, Phys. Rev. A 61 (2000) 022106).

It can thus be seen that there exists a need for a system and method that provide a more efficient and secure technique for communications between different users. This is what we are going to show in this invention. The invention can be used in the banking system and military applications.

Summary of the Invention

The object of the present invention is to provide a quantum key distribution protocol adapted to produce more than one key in one round of transmission. The protocol should proceed with at least one secure key. This avoids halting the protocol after an eavesdropper attack. Moreover, the protocol is highly secure. This is based on the entanglement property, the generation of many keys and checking for eavesdroppers at two stages of the protocol. The present invention provides a method of carrying out QKD between multiple users via GHZs. The method comprises generating (101) sequences of Greenberger-Horne-Zeilinger states (GHZs) by all users randomly; distributing (102) particles from each GHZs to form sub-sequences; forming (103) a number of sequences corresponding to the number of users, each user keeping one of the generated sub-sequences (home sequence) in his work station; transmitting (104) to each of the other users a separate sequence; checking (105) security of the channels through comparing the measurement outcomes of the agreed-upon portion of the particles; encoding (107) users' own keys in the particles of the other users; transmitting (108) blocks of particles back to the corresponding user; retrieving (109) own initial sequences, wherein the keys of the other users are decoded; performing (110) a GHZs measurement to obtain encoded keys by each user; and checking (112) the purity of the keys by comparing the measurement results of the agreed-upon portion of particles at each side.

Brief Description of the Drawings

This invention will be described by way of non-limiting embodiments of the present invention, with reference to the accompanying drawing, in which:

FIG. 1 illustrates a process of quantum key distribution in accordance with one embodiment of the present invention.

Detailed Description of the Preferred Embodiments

In line with the above summary, the following description of a number of specific and alternative embodiments is provided to understand the inventive features of the present invention. It shall be apparent to one skilled in the art, however that this invention may be practiced without such specific details. Some of the details may not be described at length so as not to obscure the invention. For ease of reference, common reference numerals will be used throughout the figures when referring to the same or similar features common to the figures.

In this invention, a quantum key distribution protocol based on the Greenberger-Horne-Zeilinger states (GHZs) is provided. The particles are exchanged among the users in blocks through two steps. In this protocol, for three-particle GHZs three keys can be simultaneously generated. The advantage of this is that the users can select the most suitable key for communication. The protocol can be generalized to N users to provide N keys. The protocol has two levels for checking the eavesdroppers. Moreover, we discuss the security of the protocol against different attacks.

In one embodiment, the present invention provides a protocol using the GHZs. In particular, the protocol allows the communication between three or more legitimate users without any controllers. The number of the keys generated in this protocol depends on the number of the users and/or the number of particles in the GHZs. Typically, each key is generated for one user and/or particle in the GHZs.

In a set of the three-particle GHZs, for example, it includes eight independent states, which form a complete orthonormal basis as follows:

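$$
\begin{aligned}
|\psi_1\rangle &= \tfrac{1}{\sqrt{2}}\left(|000\rangle + |111\rangle\right), & |\psi_2\rangle &= \tfrac{1}{\sqrt{2}}\left(|000\rangle - |111\rangle\right),\\
|\psi_3\rangle &= \tfrac{1}{\sqrt{2}}\left(|100\rangle + |011\rangle\right), & |\psi_4\rangle &= \tfrac{1}{\sqrt{2}}\left(|100\rangle - |011\rangle\right),\\
|\psi_5\rangle &= \tfrac{1}{\sqrt{2}}\left(|010\rangle + |101\rangle\right), & |\psi_6\rangle &= \tfrac{1}{\sqrt{2}}\left(|010\rangle - |101\rangle\right),\\
|\psi_7\rangle &= \tfrac{1}{\sqrt{2}}\left(|110\rangle + |001\rangle\right), & |\psi_8\rangle &= \tfrac{1}{\sqrt{2}}\left(|110\rangle - |001\rangle\right).
\end{aligned}
\tag{1}
$$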

These states can be switched from one to another by applying one of the four unitary operators ^u ]- ** -1<V>*- , where the superscript j represents the j-th particle, as is commonly used in the art. It is the main object in generating the keys. The users have to agree, in advance, about the following Boolean values:


Sometimes, applying two operations on the states $|\psi_j\rangle$ can give the same results, as follows:

(3)

Such a situation is a weakness for the decoding process; however, it is an advantage in the security framework of the present protocol because it confuses eavesdroppers.

FIG. 1 illustrates a process of quantum key distribution in accordance with one embodiment of the present invention. For illustration purposes, three users, Alice, Bob and Charlie, are provided for simplicity, and it is understood that more users are possible. The process starts with step 101, where Alice prepares a sequence A of n + d + d' ordered GHZ triplets, each of which has the form $(a_1^k, a_2^k, a_3^k)$, $k = 1, 2, \ldots, n + d + d'$, where the superscript k denotes the order of the triplet in the sequence A. These triplets are randomly chosen from the set given in (1), and are already known to Alice. At step 102, Alice takes one particle $a_1^k$; $a_2^k$; $a_3^k$ from each GHZ triplet to form three ordered particle sequences $A_j = \{a_j^1, a_j^2, \ldots, a_j^{n+d+d'}\}$ with j = 1, 2, 3 (at step 103). Bob and Charlie, on their sites, do the same as Alice, i.e. take one particle from each GHZ triplet to form three sub-sequences. In the case of Bob and Charlie, they have the sequences $B_j = \{b_j^1, b_j^2, \ldots, b_j^{n+d+d'}\}$ and $C_j = \{c_j^1, c_j^2, \ldots, c_j^{n+d+d'}\}$ with j = 1, 2, 3, respectively.

At step 104, Alice transmits the sequences A2 and A3 to Bob and Charlie, respectively. Similarly, Bob transmits the sequences B1 and B3 to Alice and Charlie, respectively, and Charlie transmits C1 and C2 to Alice and Bob, respectively. The sender is informed, via classical channels, before the transmission and the receivers should confirm the reception of the particles. This process is used to avoid unwanted circumstances under which Eve (possible eavesdropper) can impersonate one or both of the users. The transmission of the particles occurs in blocks and the orders of the sequences are not known to the receivers. The arrangement would increase the security of the present protocol.

At step 105, the users check the security of the channels to see if there is any eavesdropper within the communication, which is independently carried out for each sequence. In the case of Alice's sequence A = (A1; A2; A3), Bob may have chosen randomly a large subset d of particles from the sequence A2 and measures each of them using one of the two bases x or z. Then Bob publicly tells Alice and Charlie via a classical channel about the positions, the basis and the measurement outcome for each of the particles. Charlie, using the same bases, measures the corresponding particles from the sequence A3, and publicly tells the others about the results. After that Alice applies the same procedure for the particles in the home sequence A1.

Consequently, at step 106, the users decide whether eavesdroppers are within the communication. If the measurement outcomes are different, then Eve (or eavesdropper) is determined not within the communication, and vice versa. Similar procedures have to be executed for the sequences {B1, B3} and {C1; C2}. At this step, there is no need to evaluate the error rates since the keys have not been generated yet. The user with the home particles, i.e. Alice, should be the last one executing eavesdropper checking for the set d. This, in turn, helps in finding out the unauthorized user, if any.

At step 107, each partner would have his own key for transmitting to the others. Each partner encodes his own key in the particles of the other partners by means of the operations shown in equation (2). Each also uses one operator to act simultaneously on the two particles from the different sequences, however, in the same order. For instance, suppose that Alice wants to encode the bit 1 in the j-th particle for the other partners. In this case, she should act by $\sigma_x$ on the j-th particle in the sequences B1 and C1. Similar procedures are carried out at Bob's and Charlie's sites. During the encoding process the users should be careful regarding the information and the positions of the particles of the set d'. The reason is that the users will sacrifice these particles when checking for eavesdroppers in the final step.

At step 108, the encoding process ends and each user transmits the blocks of particles (message particles) back to the other partners. The parties are informed prior to the transmission and after the reception of the blocks. At step 109 the users obtain their original particles, in their new form. For instance, Alice, after a successful transmission, has the sequence $A = \{(a_1^{j}, a_2^{\prime j}, a_3^{\prime j}),\ j = 1, \ldots, n + d'\}$, where the dash means that these particles are different from the original ones since now they carry the keys. The sequences $\{a_2^{\prime j},\ j = 1, \ldots, n + d'\}$ and $\{a_3^{\prime j},\ j = 1, \ldots, n + d'\}$ include Bob and Charlie keys, respectively, and the sequence $\{a_1^{j},\ j = 1, \ldots, n + d'\}$ is the home sequence. As Alice prepared these particles initially she knows them very well. At step 110, Alice then performs the GHZs measurement on the ordered n + d' GHZs and compares the measurement outputs with the initial forms of the states to obtain the keys of Bob and Charlie. For instance, suppose Alice initially prepared one of the triplets in the state $|\psi_1\rangle$ and the measurement result is $|\psi_3\rangle$. From equations (1) and (2), Alice has the relation $|\psi_3\rangle = \sigma_x^{(2)} \sigma_x^{(3)} |\psi_1\rangle$. According to equation (2), Alice knows with certainty that Bob and Charlie bits are 1 and 1, respectively, and so on. At the same time Bob and Charlie perform the same procedures of the steps 109 and 110, for which, at step 111, each user would obtain three keys, i.e. one own key and two keys for the others in the communication. At this moment there is no overlap between the users since each one has retrieved his own sequence of the GHZs in its new forms. Thus they cannot check for eavesdroppers based on the entanglement property as provided in C. H. Bennett, G. Brassard, N. D. Mermin, Phys. Rev. Lett. 68 (1992) 557 10. In this case, the users can use the virtue of the set d'.

At step 112, the senders know the positions of the particles of the set d' and the information included. They designed their keys based on the bits provided by these particles, which are excluded from the generic keys. For illustration of this scenario, the set d' of Alice is described below; the rest shall be applied accordingly. Alice publicly informs Bob and Charlie via a classical channel about the set d', i.e. the positions of the particles and the bases which should be used for the measurement, but not the results. Bob and Charlie follow Alice's prescription and they announce the measurement results sequentially, i.e. Bob announces the measurement of the first particle, then Charlie the second one, then Bob and so on. Such a process is sufficient to detect any dishonest user, if present. If there are overlaps between the results of the measurements then the key is secured; otherwise they should evaluate the error rate for this key. Then the users should follow the same steps for the sequences B and C. Comparison among these three error rates drives the users to choose the most suitable key for the communication. Moreover, based on the positions of the particles in the set d' the users can bring some diversions to delude Eve, i.e. by using particular types of swapping entanglement and/or shifting process for the bits of the final keys. Nevertheless, they should agree in advance.

At step 113, when the communication is determined as secured, the communication between the users is considered successful at step 114. If the communication is determined to be unsecured, the present protocol is restarted from step 101.

In another embodiment, the protocol can be extended to N parties. In this case, at the end of the protocol, the users obtain N keys. Each user generates a sequence of N particles in the GHZs, which has the form:


where 3p>3pΛP = 1 ; - - iV) are bits 0 or 1 according to the specified states. The users should follow the same steps generally discussed above. The users obtain the generic key by making a comparison among the N keys. The larger the numbers of the keys, the higher the probability of obtaining a secured key because it would be difficult for Eve to efficiently attack many keys at the same time. She is vulnerable enough at least for one of the keys.

In view of the foregoing, the present protocol provides two levels of security, i.e. before and after the encoding process. Generally, Eve will only be able to get information on the keys if she manages to obtain information about the particles before and after the encoding process. This, of course, requires that the users did not detect her in the step 105.

In another scenario, for example, suppose that Eve managed to attack the traveling particles without disturbing the channels, i.e. a double-CNOT attack; the mutual information between different users is unity, i.e., $I_{ij} = 1$ where i; j = A; B; C; E. If the users are going to use only a message authentication as a security strategy, they would never be able to detect the double-CNOT attack. Generally, the double-CNOT attack mechanism is as follows: in a forward path, Eve performs a first CNOT gate between the particles in transit from Alice to Bob and to Charlie (control qubits) and her ancillae (target qubits). The second CNOT gate is executed in a backward path. In the case of Alice's particles, the scenario of the 2CNOT attack includes Alice keeping the first particle at her site and sending the second and third ones to Bob and Charlie, respectively. Eve takes her ancillae $|0\rangle_E |0\rangle_E$ together with the transit particles and performs the first CNOT gate as:

$$
U_{\mathrm{CNOT}}\left(|\psi_1\rangle |0\rangle_E |0\rangle_E\right) = |\Phi_0\rangle = \tfrac{1}{\sqrt{2}}\left(|0\rangle|0\rangle|0\rangle_E|0\rangle|0\rangle_E + |1\rangle|1\rangle|1\rangle_E|1\rangle|1\rangle_E\right). \tag{5}
$$


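It is obvious that the CNOT gate creates an entangled state composed of the traveling qubits and Eve's ancillae. Suppose that Bob and Charlie act, respectively, by $I^{(2)}$ and $\sigma_x^{(3)}$ on their corresponding particles according to their own keys. Thus,

$$
I^{(2)} \sigma_x^{(3)} |\Phi_0\rangle = |\Phi_1\rangle = \tfrac{1}{\sqrt{2}}\left(|0\rangle|0\rangle|0\rangle_E|1\rangle|0\rangle_E + |1\rangle|1\rangle|1\rangle_E|0\rangle|1\rangle_E\right). \tag{6}
$$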


In the backward path Eve executes the second CNOT gate, which leads to:

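$$
U_{\mathrm{CNOT}} |\Phi_1\rangle = |\Phi_2\rangle = \tfrac{1}{\sqrt{2}}\left(|0\rangle|0\rangle|1\rangle + |1\rangle|1\rangle|0\rangle\right)|0\rangle_E|1\rangle_E = |\psi_7\rangle |0\rangle_E |1\rangle_E. \tag{7}
$$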

It is evident that the generic state is flipped, i.e. $|\psi_1\rangle \to |\psi_7\rangle$. In addition, the generic state and Eve's ancillae are disentangled. For Eve, it is enough to measure these ancillae in the z basis to get the information. To some extent, it is sufficient for Eve to obtain information regarding the keys. Eve cannot know the forms of the generic backward states since she would not be able to access the home particles. If Eve knows the Boolean relations from equation (2), then she may be able to obtain the keys. Such a non-entangled protocol was discussed in M. Lucamarini, S. Mancini, Phys. Rev. Lett. 94 (2005) 140501, for which the double-CNOT attack is reasonably efficient. Generally, Eve does not know any information regarding equation (2) and hence Eve should take into account the actions of the operators ^ and "5V . In this regard, the probability to get the key from this protocol, via the double-CNOT attack, is 25%, since the applied operation could be, e.g., one of the set from μ(2)/(3).
Accordingly, this indicates that the double-CNOT attack cannot give Eve valuable information about the keys.
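The decoding relation of step 110 and the double-CNOT derivation of equations (5)-(7) can be checked with a small state-vector simulation; this is an added example, not part of the patent text. It assumes the four encoding operators are I, σx, iσy and σz (the page's own operator list did not survive OCR), orders the qubits as a1, a2, a3 followed by Eve's two ancillae, and uses illustrative function names.

```python
from math import sqrt, isclose

S = 1 / sqrt(2)
OPS = ("I", "X", "iY", "Z")  # assumed operator set: I, sigma_x, i*sigma_y, sigma_z


def ghz_basis():
    """Eight GHZ triplets psi_1..psi_8 in the order of equation (1)."""
    basis = []
    for first in ((0, 0, 0), (1, 0, 0), (0, 1, 0), (1, 1, 0)):
        flipped = tuple(1 - b for b in first)
        for sign in (1, -1):
            basis.append({first: S, flipped: sign * S})
    return basis


def apply(op, q, state):
    """Apply a single-qubit operator to qubit q of a {bit-tuple: amplitude} state."""
    out = {}
    for bits, amp in state.items():
        b = list(bits)
        if op == "Z" and b[q] == 1:
            amp = -amp
        elif op in ("X", "iY"):
            if op == "iY" and b[q] == 0:  # i*sigma_y|0> = -|1>, i*sigma_y|1> = |0>
                amp = -amp
            b[q] ^= 1
        out[tuple(b)] = out.get(tuple(b), 0.0) + amp
    return out


def cnot(control, target, state):
    """CNOT gate: flip the target bit wherever the control bit is 1."""
    out = {}
    for bits, amp in state.items():
        b = list(bits)
        b[target] ^= b[control]
        out[tuple(b)] = out.get(tuple(b), 0.0) + amp
    return out


def ghz_index(triplet):
    """GHZ measurement: index k of the psi_k matching the triplet up to a global sign."""
    for k, basis in enumerate(ghz_basis(), start=1):
        overlap = sum(amp * triplet.get(bits, 0.0) for bits, amp in basis.items())
        if isclose(abs(overlap), 1.0):
            return k
    return None


def encode(k, bob_op, charlie_op):
    """Steps 107-110 for one of Alice's triplets: Bob acts on particle 2, Charlie on 3."""
    state = apply(charlie_op, 2, apply(bob_op, 1, ghz_basis()[k - 1]))
    return ghz_index(state)


def double_cnot(k, bob_op, charlie_op):
    """Equations (5)-(7). Qubit order: a1, a2, a3, Eve's ancilla for a2, ancilla for a3.
    Returns (Alice's final GHZ index, Eve's ancilla bits or None if still entangled)."""
    state = {bits + (0, 0): amp for bits, amp in ghz_basis()[k - 1].items()}
    state = cnot(2, 4, cnot(1, 3, state))                  # forward path
    state = apply(charlie_op, 2, apply(bob_op, 1, state))  # legitimate encoding
    state = cnot(2, 4, cnot(1, 3, state))                  # backward path
    ancillae = {bits[3:] for bits in state}
    triplet = {bits[:3]: amp for bits, amp in state.items()}
    return ghz_index(triplet), ancillae.pop() if len(ancillae) == 1 else None


def eve_candidates(k, ancilla):
    """Operator pairs that leave Eve's ancillae in the reading she observed."""
    return [(b, c) for b in OPS for c in OPS if double_cnot(k, b, c)[1] == ancilla]


if __name__ == "__main__":
    print("decode:", encode(1, "X", "X"))        # sigma_x on particles 2 and 3
    print("attack:", double_cnot(1, "I", "X"))   # the case of equations (5)-(7)
    pairs = eve_candidates(1, (0, 1))
    print("Eve cannot tell apart:", pairs, "-> a guess succeeds with", 1 / len(pairs))
```

Under the assumed operator set, the ancilla reading (0, 1) is shared by four operator pairs, which is where a 25% success figure comes from. The pairs (I, iσy) and (σz, σx) also map the first state of equation (1) to the same GHZ state, an instance of two operations giving the same result.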

The mechanism of this attack can be explained for Alice's particles as follows. In the forward path, Alice transmits the particles to Bob and Charlie, Eve blocks the particles, stores them in the memory and sends instead her particles to Bob and Charlie. In the backward path, i.e. when Bob and Charlie transmit the particles back to Alice, Eve measures these particles to get the encoded information. At this moment Eve encodes the same information in the stored particles and passes them back to Alice. This is a dangerous attack, in particular, when Eve has full control of the classical channel. The solution against this kind of attack is that the legitimate users should share a prior secret letting them authenticate the channel and make it reliable when they communicate before and after the transmission processes. For the present protocol under such consideration, such an attack is not helpful for Eve, since the users can detect her through the forward path in the step 105 with high probability. For instance, suppose that Alice uses the state
where she keeps the first particle with her and sends the second and third particles to Bob and Charlie, respectively. Eve has two possibilities for choosing ancillae, namely, GHZs and z basis states. If Eve uses one of the GHZs as a faked state, according to the set provided in equation (1), Eve has a probability of 1/8 to use the correct states. In this case, she has a probability of 1/3 to keep the correct particle with her pretending to be Alice. In this case, the probability that Eve may not be revealed in the step 105 is 1/24. On the other hand, if Eve is not on the communication, the measurements of the users in a control run (for the state $|\psi_1\rangle$) yield $|000\rangle$ and $|111\rangle$ with equal probability. Suppose that Eve uses the faked states from the z basis states. If Eve's qubits are one pair of the set $\{|0\rangle_B|0\rangle_C,\ |1\rangle_B|1\rangle_C\}$, where the subscripts B and C represent that these particles are sent to Bob and to Charlie, respectively, the measurement results corresponding to these ancillae are $\{(|000\rangle, |100\rangle),\ (|011\rangle, |111\rangle)\}$. Thus Eve will be detected, because her eavesdropping introduces an error rate equal to 1/2. When Eve's ancillae are one pair of the set $\{|0\rangle_B|1\rangle_C,\ |1\rangle_B|0\rangle_C\}$, the users would detect Eve with certainty. It illustrates that the present protocol is secured against double-CNOT attack.

In yet a further scenario, consider the information leakage attack provided in F. Gao, S.-J. Qin, Q.-Y. Wen and F.-C. Zhu, Physics Letters A 372 (2008) 3333-3336. In some of the GHZ protocols, for example that discussed in X.-R. Jin, X. Ji, Y.-Q. Zhang, S. Zhang, S.-K. Hong, K.-H. Yeon, C.-I. Um, Phys. Lett. A 354 (2006) 67, the users obtain the keys only when Alice announces publicly its initial and final states. Thus Eve can easily obtain these results, and through comparing these results, Eve may obtain the keys. It has been illustrated in F. Gao, S.-J. Qin, Q.-Y. Wen and F.-C. Zhu, Physics Letters A 372 (2008) 3333-3336 that Eve can obtain three bits through the transmitted four bits. The present protocol does not include such announcements and hence it is secure against this type of attack. We conclude by referring to the intercept-and-resend and disturbance attacks. The discussion is quite similar to that in X.-R. Jin, X. Ji, Y.-Q. Zhang, S. Zhang, S.-K. Hong, K.-H. Yeon, C.-I. Um, Phys. Lett. A 354 (2006) 67.

The same could be applied in the scenario of the security of the ping-pong protocol against considerable quantum channel losses that was discussed earlier. The present protocol can be treated in a quite similar way. This is based on the fact that it is enough for Eve to attack one of the traveling sequences of each user, e.g. A2; B1; C3. If the attention is focused on one qubit of each sequence, the treatment will be the same as that of the ping-pong protocol.

The present protocol is based on the entanglement property of the GHZs. During the communications, the (authorized) users of the communication would have many keys so that they can choose the relevant one to establish the communication. There is no announcement about the forms of the states used in the present protocol and this improves the efficiency of the QKD. The proposed protocol includes a forward process where the senders transmit blocks of particles to the receivers, who encode the keys with the particles and transmit them back (backward process) to the senders. Eavesdroppers are also checked in two stages. For protocols operating via entanglement, the secret information is encoded in the whole entangled state. Therefore, Eve would not be able to obtain useful information if Eve has obtained only a part of the entangled state. Eve also cannot access the particles of the home sequences, i.e., the particles of A1; B2; C3.

Further, block-data transfer among the users as provided by C. Wang, F. G. Deng, Y. S. Li, X. S. Liu, G. L. Long, Phys. Rev. A 71 (2005) 044305 too has various basic differences between the present protocol and the others. Firstly, the legitimate users can simultaneously generate various keys. Each user does not need the cooperation of the other users to obtain these keys. Eavesdroppers can be checked in the two stages under the protocol, which makes the protocol more secure.

X.-R. Jin, X. Ji, Y.-Q. Zhang, S. Zhang, S.-K. Hong, K.-H. Yeon, C.-I. Um, Phys. Lett. A 354 (2006) 67, has disclosed the simultaneous quantum direct communication between users based on GHZs. Under the present protocol, the users obtain the messages only when Alice (sender) announces publicly the forms of the initial and final states under the present protocol. With this announcement, Eve can obtain most of the messages without using potential attacks. It is enough for her to compare the initial and final states. Such an attack is known as an information leakage attack. The present protocol is secured against the information leakage attack, among others. The general differences between the previous protocols and the current one are summarized in the table below.

Generally, most of the protocols in the existing art generate only one key for the users, which can be attacked by the eavesdroppers, and hence the protocol should be halted. The users need the assistance of each other to obtain the key. When comparing with the BB84 protocol, it is observed that the present protocol is deterministic, multi-key generating, two-way, entanglement-based, and adapted to allow more than three communication parties. When comparing with E91, which is based on the Bell states, the present GHZs based protocol provides three or more keys for more than three communication parties. Similarly, when comparing with the ping-pong protocol, which is also based on Bell states, the present GHZs based protocol also provides multiple key generation with data-block transfer, and is thus more secure. Yet, when comparing with the method provided by Jin et al (Phys. Lett. A 354 (2006) 67) and F. Gao et al Phys. Lett. A 372 (2008) 3333, which is a GHZs based, entanglement and one-particle transfer system, the present protocol is better secured through the data-block transfer. Further, J. Wang et al Opt. Commun. 266 (2006) 732 discloses a GHZs based system that issues one shared key for establishing user communication. The users require their mutual assistance to obtain the key. When intrusion is detected, the communication is halted. The present protocol on the other hand is able to issue three or more keys without users' assistance and controllers. The present protocol allows the communication to be carried on even when intrusion is detected.

In yet another embodiment, there is provided a QKD protocol adapted to provide communication between multiple users, wherein the producing multiple key from quantum GHZ states

While specific embodiments have been described and illustrated, it is understood that many changes, modifications, variations and combinations thereof could be made to the present invention without departing from the scope of the invention.