
Comment on: “Quantum exam” [Phys. Lett. A 350 (2006) 174]


Physics Letters A 360 (2007) 748–750

www.elsevier.com/locate/pla

Comment

Comment on: “Quantum exam” [Phys. Lett. A 350 (2006) 174]

Fei Gao a,∗, Qiao-Yan Wen a, Fu-Chen Zhu b

a School of Science, Beijing University of Posts and Telecommunications, Beijing 100876, China

b National Laboratory for Modern Communications, P.O. Box 810, Chengdu 610041, China

Received 10 March 2006; received in revised form 23 June 2006; accepted 4 August 2006

Available online 17 August 2006

Communicated by P.R. Holland

Abstract

The security of quantum exam [B.A. Nguyen, Phys. Lett. A 350 (2006) 174] is analyzed and it is found that this protocol is secure against any eavesdropper except for a dishonest “student” who takes part in the exam. The particular attack strategy is demonstrated and a possible improvement of this protocol is presented.

© 2006 Elsevier B.V. All rights reserved.

PACS: 03.67.Hk; 03.65.Ud; 03.67.Dd

Keywords: Quantum cryptography; Cryptanalysis; Entanglement

DOI of original article: 10.1016/j.physleta.2005.09.071.

* Corresponding author. E-mail address: [email protected] (F. Gao).

0375-9601/$ – see front matter © 2006 Elsevier B.V. All rights reserved. doi:10.1016/j.physleta.2006.08.016

In a recent Letter [1] a novel protocol called quantum exam was proposed. In this protocol a teacher Alice wants to organize an exam with her remotely separated students Bob 1, Bob 2, ..., and Bob $N$. As in a classical exam, all the problems and Bobs’ solutions should not be leaked out and, more importantly, any Bob cannot obtain other examinees’ solutions. However, we find that the latter confidentiality constraint is not perfectly satisfied in this protocol. That is, a dishonest Bob can cheat in the exam. In this Comment we demonstrate this hidden trouble and then present a possible improvement of the quantum exam protocol.

Let us introduce the quantum exam first. In fact there are two similar quantum exam protocols presented in Ref. [1]. We will take the first one (i.e., the so-called absolutely secure protocol) as our example. For simplicity we use the same notations as that in Ref. [1]. The whole protocol is a little complicated and here we only describe the related part, that is, the solution-collecting part (including the entanglement-sharing process). In this stage Alice generates a large enough number of ordered nonidentical states

$$|\Phi_p\rangle_{a_p 1_p \ldots N_p} = \frac{1}{\sqrt{2}} \left( |0\, s_{1_p} s_{2_p} \ldots s_{N_p}\rangle_{a_p 1_p \ldots N_p} + |1\, \bar{s}_{1_p} \bar{s}_{2_p} \ldots \bar{s}_{N_p}\rangle_{a_p 1_p \ldots N_p} \right), \tag{1}$$

where $s_{n_p} = 0$ or $1$, $\forall\, 1 \le n \le N$, and $\bar{s}_{n_p} = s_{n_p} \oplus 1$ ($\oplus$ denotes an addition mod 2). Note that the value of $s_{n_p}$ is known only to Alice. For each $|\Phi_p\rangle$ Alice stores qubit $a_p$ and sends qubits $1_p, 2_p, \ldots, N_p$ to Bob 1, Bob 2, ..., Bob $N$, respectively. Afterwards, Alice selects a subset of the entangled states $\{|\Phi_l\rangle\}$ to detect eavesdropping. More concretely, for each $|\Phi_l\rangle$, Alice measures the qubit $a_l$ randomly in the basis $B_z$ or $B_x$ and informs every Bob to perform the same measurement on his corresponding qubit. Then they check the security of the entanglement distribution process by verifying

$$j^z_{a_l} = \delta_{0,s_{n_l}}\, j^z_{n_l} + \delta_{1,s_{n_l}} \left( j^z_{n_l} \oplus 1 \right) \tag{2}$$

for every $n = 1, 2, \ldots, N$ (when $B_z$ was used) or

$$j^x_{a_l} = \prod_{n=1}^{N} j^x_{n_l} \tag{3}$$


(when $B_x$ was used), where $j$ represents the measurement result, $j^z_{a_l}$ ($j^z_{n_l}$) $= \{0, 1\}$ corresponding to obtaining $\{|0\rangle, |1\rangle\}$ and $j^x_{a_l}$ ($j^x_{n_l}$) $= \{+1, -1\}$ corresponding to obtaining $\{|+\rangle, |-\rangle\}$. If there is no eavesdropping detected, the shared entanglement can be used for solution-collecting some time later. When needed, Alice and Bobs measure the remaining ordered $|\Phi_p\rangle$-states $\{|\Phi_m\rangle_{a_m 1_m \ldots N_m}\}$ in basis $B_z$ and record the outcomes as the secure keys. Let $\{j^z_{a_m}\}$ and $\{j^z_{n_m}\}$ denote the keys belonging to Alice and Bob $n$, respectively. Every Bob uses his key as a one-time-pad to encrypt his solution and sends it to Alice. With the knowledge of $j^z_{a_m}$ and $s_{n_m}$ Alice can obtain each Bob’s key [see Eq. (2)]. Consequently, at the end of the exam Alice will correctly decrypt Bobs’ messages and obtain every Bob’s solution.

It can be seen that the solution-collecting process comprises mainly a multipartite quantum key distribution (MQKD) scheme. Because the one-time-pad is perfectly secure here, the security of the whole process lies on that of the key distribution. As we know, the state $|\Phi_p\rangle_{a_p 1_p \ldots N_p}$ has a property of positive parity, i.e., $j^x_{a_p} \prod_{n=1}^{N} j^x_{n_p} = +1$. This wonderful property is subtly employed to detect eavesdropping in the quantum exam protocol [see Eq. (3)]. As a result, the two constraints Eqs. (2) and (3) can make the exam secure against various kinds of attacks [1]. However, we take notice of another property of $|\Phi_p\rangle_{a_p 1_p \ldots N_p}$, that is, one can entangle an ancilla $|0\rangle$ into the multipartite entangled state by a controlled-NOT (CNOT) operation and then disentangle it out from the obtained state by another CNOT operation. The control qubits of the two CNOT operations can be any two qubits in $|\Phi_p\rangle_{a_p 1_p \ldots N_p}$ and the target is the ancilla. For example, for a certain $p$, the multipartite entangled state and the ancilla compose a composite system

$$|\Gamma\rangle_1 = |\Phi\rangle_{a 1 \ldots N} |0\rangle_g = \frac{1}{\sqrt{2}} \left( |0\, s_1 s_2 \ldots s_N\rangle_{a 1 \ldots N} |0\rangle_g + |1\, \bar{s}_1 \bar{s}_2 \ldots \bar{s}_N\rangle_{a 1 \ldots N} |0\rangle_g \right), \tag{4}$$

where the subscript $g$ represents the ancilla. If one performs a CNOT operation $C_{kg}$ (the first subscript $k$ denotes the control qubit and the second one $g$ denotes the target qubit) on the qubit $k$ ($1 \le k \le N$) and the ancilla, the state of the system changes into

$$|\Gamma\rangle_2 = \frac{1}{\sqrt{2}} \left( |0\, s_1 s_2 \ldots s_N\rangle_{a 1 \ldots N} |s_k\rangle_g + |1\, \bar{s}_1 \bar{s}_2 \ldots \bar{s}_N\rangle_{a 1 \ldots N} |\bar{s}_k\rangle_g \right). \tag{5}$$

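Now if one performs another CNOT operation $C_{rg}$ on the qubit $r$ ($1 \le r \le N$) and the ancilla, he (she) will obtain

$$\begin{aligned}
|\Gamma\rangle_3 &= \frac{1}{\sqrt{2}} \left( |0\, s_1 s_2 \ldots s_N\rangle_{a 1 \ldots N} |s_k \oplus s_r\rangle_g + |1\, \bar{s}_1 \bar{s}_2 \ldots \bar{s}_N\rangle_{a 1 \ldots N} |\bar{s}_k \oplus \bar{s}_r\rangle_g \right) \\
&= \frac{1}{\sqrt{2}} \left( |0\, s_1 s_2 \ldots s_N\rangle_{a 1 \ldots N} |s_k \oplus s_r\rangle_g + |1\, \bar{s}_1 \bar{s}_2 \ldots \bar{s}_N\rangle_{a 1 \ldots N} |s_k \oplus s_r\rangle_g \right) \\
&= |\Phi\rangle_{a 1 \ldots N} |s_k \oplus s_r\rangle_g.
\end{aligned} \tag{6}$$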

It can be seen that the ancilla is disentangled out from the multipartite entangled state and, more importantly, the original state $|\Phi\rangle_{a 1 \ldots N}$ is left alone. As a result, if an eavesdropper Eve utilizes the above operations to eavesdrop, she will introduce no errors. Furthermore, when Eve measures the ancilla in basis $B_z$ she will obtain $s_k \oplus s_r$ definitely. Since the value $s_k \oplus s_r$ implies, as described in the following, the correlation of the measurement results of qubits $k$ and $r$, we call the state $|\Phi\rangle_{a 1 \ldots N}$ “correlation elicitable”. It can be shown that this property gives a dishonest Bob the chance to cheat in the exam. Without loss of generality, suppose the dishonest student is Bob $r$ and he wants to steal Bob $k$’s solution (maybe Bob $k$ is an outstanding student); he can adopt the following strategy to achieve his goal.

(i) For each $p$, Bob $r$ prepares an ancilla $|0\rangle$ and performs two CNOT operations $C_{k_p g_p}$ and $C_{r_p g_p}$ as described above when Alice distributes the multipartite entangled states $\{|\Phi_p\rangle_{a_p 1_p \ldots N_p}\}$.

(ii) Bob $r$ measures each ancilla in basis $B_z$ and obtains $s_{k_p} \oplus s_{r_p}$ with certainty.

(iii) Cooperating with Alice, Bob $r$ executes the legal process to detect eavesdropping and get key bits. After the actions (i) and (ii), as analyzed above, all the carrier states $\{|\Phi_p\rangle_{a_p 1_p \ldots N_p}\}$ remain unchanged and no disturbance is introduced. Therefore, Alice cannot detect the eavesdropping and Bob $r$ will correctly obtain the intended key bits $\{j^z_{r_m}\}$.

(iv) Bob $r$ gains Bob $k$’s key bits $\{j^z_{k_m}\}$ by simple calculation. More specifically, Bob $r$ deletes the data corresponding to the check states $\{|\Phi_l\rangle\}$ from the bits $\{s_{k_p} \oplus s_{r_p}\}$, and obtains the remaining ordered bits $\{s_{k_m} \oplus s_{r_m}\}$, which correspond to the carrier states $\{|\Phi_m\rangle_{a_m 1_m \ldots N_m}\}$ and the key bits $\{j^z_{r_m}\}$. It should be emphasized that, for a certain $m$, the measurement outcome of the ancilla $s_{k_m} \oplus s_{r_m}$ implies the relation between two key bits $j^z_{k_m}$ and $j^z_{r_m}$, that is, $j^z_{k_m} \oplus j^z_{r_m} = s_{k_m} \oplus s_{r_m}$. [From Eq. (1) we can see that either $j^z_{k_m} = s_{k_m}$, $j^z_{r_m} = s_{r_m}$ or $j^z_{k_m} = \bar{s}_{k_m}$, $j^z_{r_m} = \bar{s}_{r_m}$ holds.] Therefore, with the knowledge of $\{s_{k_m} \oplus s_{r_m}\}$ and $\{j^z_{r_m}\}$, Bob $r$ can easily get the key bits $\{j^z_{k_m}\}$ of Bob $k$ by calculating $j^z_{k_m} = s_{k_m} \oplus s_{r_m} \oplus j^z_{r_m}$ for each $m$.

(v) Bob $r$ cheats when Alice collects the solutions. Obviously, with the help of $\{j^z_{k_m}\}$, Bob $r$ can decrypt the message sent from Bob $k$ to Alice and copy Bob $k$’s solution at will.

By this strategy, a dishonest student can steal any other examinees’ solutions. Moreover, the eavesdropping is not difficult to realize because it needs only facilities similar to that of the legal parties. One may argue that, in the above example, if Bob $r$ is far away from the quantum channel between Alice and Bob $k$ he cannot continually perform the two CNOT operations in a certain time. In fact there is no need to worry about it. Bob $r$ does not need to take a round trip between his and Bob $k$’s quantum channels. He can ask his friend, say Charlie, who stands in Bob $k$’s channel, to perform the first CNOT operation $C_{k_p g_p}$ and then send the ancilla to him.


There is a fact which should be pointed out. That is, the one who will legally take part in the protocol is prone to be omitted when we analyze various attack strategies. In fact, in most MQKD protocols (e.g. quantum secret sharing, see [2] and references therein), a participant generally has more power to attack than an outside eavesdropper because the participant can take advantage of the right to access the carrier state partly and participate in the process of eavesdropping detection. We call this kind of attack “participant attack”. In the quantum exam protocols, as we can see, the eavesdropping result $\{s_{k_m} \oplus s_{r_m}\}$ does not seem to have much meaning for an outside eavesdropper, but it is very useful for a participant Bob to eavesdrop further. Therefore, as implied in Refs. [3–5], the main goal for the security of an MQKD should be focused on preventing the dishonest participant from eavesdropping the information.

Now we discuss how to improve the quantum exam protocol to prevent this kind of participant attack. To retain the features of the original quantum exam protocol, our aim is to modify it as little as possible. Since the fundamental reason of this threat is the speciality of $|\Phi\rangle_{a 1 \ldots N}$, i.e., “correlation elicitable”, Alice can insert some different check qubits to detect the above attack. For example, before Alice sends the sequences to Bobs, she inserts a certain number of single qubits into each sequence in random positions. All these single qubits are randomly in one of the states $\{|+\rangle, |-\rangle\}$.¹ Note that the positions of the single qubits in these sequences are different from each other. After all Bobs received their respective sequences, Alice tells each Bob the positions of these check qubits and lets him measure them in the basis $B_x$. Then Alice and Bob check the identity of these qubits. If the error rate is low enough, they proceed with other steps in the original protocol to finish the quantum exam. Because, for the dishonest Bob, both the single qubits and the qubits from $|\Phi\rangle_{a 1 \ldots N}$ are in maximally mixed state $\rho = \frac{1}{2} \left( |0\rangle\langle 0| + |1\rangle\langle 1| \right)$, he cannot distinguish the check qubits from others. Therefore, when the dishonest Bob wants to cheat using above strategy, he would introduce errors with probability $\frac{1}{2}$ once he performs a CNOT operation on a certain check qubit and his ancilla. As a result, the improved protocol can stand against the above participant attack. Furthermore, the main frame of the original protocol is retained and it follows that the security against other kinds of attacks (such as measure-resend attack, disturbance attack, entangle-measure attack, etc. [1]) still holds.

¹ Here the role of the states $\{|+\rangle, |-\rangle\}$ is just to prevent the presented attack. To acquire more security the original strategy to detect eavesdropping is still needed. We can also use four states $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$ to prepare the inserted single qubits, which can totally ensure the security of these sequences (similar with that of BB84 protocol [6]). We do not choose the latter choice because we try to retain the features of the original quantum exam protocol, including its strategy to detect eavesdropping.
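The following state-vector simulation is an added example, not part of the original Comment: it checks Eq. (6) (two CNOTs leave the carrier state unchanged and the ancilla in $|s_k \oplus s_r\rangle$) and the error probability $\frac{1}{2}$ that a CNOT on an inserted $|\pm\rangle$ check qubit produces in the improved protocol. The function names and the dictionary representation of states are assumptions of this sketch.

```python
from math import sqrt

def carrier(s):
    """Eq. (4): Alice's qubit a, N Bob qubits and an ancilla |0> (last index)."""
    a = 1 / sqrt(2)
    return {(0, *s, 0): a, (1, *(b ^ 1 for b in s), 0): a}

def cnot(state, c, t):
    """CNOT with control c and target t: a permutation of basis states."""
    out = {}
    for bits, amp in state.items():
        b = list(bits)
        b[t] ^= b[c]
        out[tuple(b)] = out.get(tuple(b), 0.0) + amp
    return out

def hadamard(state, q):
    """Hadamard on qubit q, so that a following Bz readout is a Bx measurement."""
    out = {}
    for bits, amp in state.items():
        for v in (0, 1):
            b = list(bits)
            b[q] = v
            sign = -1.0 if bits[q] and v else 1.0
            out[tuple(b)] = out.get(tuple(b), 0.0) + sign * amp / sqrt(2)
    return out

def elicit(s, k, r):
    """Apply C_kg then C_rg; return (ancilla values, carrier unchanged, relation holds)."""
    g = len(s) + 1                      # index 0 is a, indices 1..N are the Bobs
    final = cnot(cnot(carrier(s), k, g), r, g)
    ancilla = {bits[g] for bits in final}
    untouched = ({b[:g]: a for b, a in final.items()}
                 == {b[:g]: a for b, a in carrier(s).items()})
    # In every branch the Bz outcomes satisfy j_k xor j_r = s_k xor s_r.
    relation = all(b[k] ^ b[r] == b[g] for b in final)
    return ancilla, untouched, relation

def check_qubit_error(minus):
    """Probability that a |+> (or |->) check qubit reads wrong in Bx after a CNOT onto |0>."""
    a = 1 / sqrt(2)
    state = {(0, 0): a, (1, 0): -a if minus else a}   # check qubit, ancilla
    state = hadamard(cnot(state, 0, 1), 0)
    wrong = 0 if minus else 1
    return sum(abs(amp) ** 2 for bits, amp in state.items() if bits[0] == wrong)

if __name__ == "__main__":
    print(elicit((0, 1, 1), k=1, r=3))                       # constructed secret s
    print(check_qubit_error(False), check_qubit_error(True))
```

With $n$ check qubits touched, the chance that all of them still pass Alice's $B_x$ comparison falls as $(1/2)^n$, which is why the inserted qubits expose the strategy that Eqs. (2) and (3) miss.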

We should point out that the above modification has a disadvantage, i.e., using additional quantum resource. In fact, with the help of the deep insights into the original scheme, Nguyen has also proposed two novel improvements in the Reply [7], where no additional resource is needed.

In conclusion, we show that a dishonest student can cheat in the quantum exam [1] and give a possible improvement by inserting some additional check qubits in each sequence. We emphasize that the participant attack should not be overlooked when we discuss the security of a MQKD scheme, which generally possesses more power in eavesdropping than the attack from outside.

Acknowledgements

We thank Ba An Nguyen and the anonymous reviewer for helpful comments. This work was supported by the National Natural Science Foundation of China, Grant No. 60373059; the Major Research Plan of the National Natural Science Foundation of China, Grant No. 90604023; the National Laboratory for Modern Communications Science Foundation of China; the National Research Foundation for the Doctoral Program of Higher Education of China, Grant No. 20040013007; the Graduate Students Innovation Foundation of BUPT; and the ISN Open Foundation.

References

[1] B.A. Nguyen, Phys. Lett. A 350 (2006) 174.

[2] F.L. Yan, T. Gao, Phys. Rev. A 72 (2005) 012304.

[3] M. Hillery, V. Bužek, A. Berthiaume, Phys. Rev. A 59 (1999) 1829.

[4] A. Karlsson, M. Koashi, N. Imoto, Phys. Rev. A 59 (1999) 162.

[5] F.G. Deng, X.H. Li, H.Y. Zhou, et al., Phys. Rev. A 72 (2005) 044302.

[6] C.H. Bennett, G. Brassard, in: Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, India, IEEE, New York, 1984, p. 175.

[7] B.A. Nguyen, the Reply from Nguyen.