Quantum authentication protocol using Bell states

Xiaoyu LiCollege of Information Engineering

Zhengzhou UniversityZhengzhou City, Henan Province, 450001

the People’s Republic of Chinaiexyli@zzu.edu.cn

Liju ChenXi’an Communication Institute

Xi’an City, Shanxi Province, 710106the People’s Republic of China

chenliju0801@sina.com

Abstract

A quantum authentication protocol is presented in thispaper. It is based on the correlations of the EPR(Einstain-Podolski-Rosen) pair which is a two-qubit system in one ofthe four Bell states. The two parties share a sequence ofEPR pairs as the authentication key. To authenticate eachother, they need to create auxiliary particles and make theminteract with the authentication key. Then one can affirmthe other’s identity by performing the Bell states measure-ment. No one without the authentication key can pass theauthentication process. So the protocol is secure. No clas-sical channel and classical information exchange is neededin the authentication process. After the authentication pro-cess, the authentication key can be turned into the originstate. So the authentication key can be reused.

1 Introduction

Quantum information science is the integration of classi-cal information and quantum mechanics. Quantum effectsgive quantum information science much more power thanclassical information science. One of the most importantfields in quantum information science is quantum cryptog-raphy. As known classical cryptography is based on thecomplexity of computation while in quantum cryptographythe principle laws of quantum mechanics guarantee the un-conditional security of a well-designed protocol. The firstquantum key distribution (OKD) protocol is proposed byC. H. Bennett and G. Brassard [1]. Since then much re-search work has been done in quantum cryptography, suchas quantum key distribution [2-6], quantum secret share[7,8,9], quantum bit commitment [10-11], quantum infor-mation hiding [12-14], and information theory for quan-tum cryptography [15]. Experiments on QKD have alsobeen accomplished successfully. In 1992, BennettBessetteand Brassard first realized BB84 protocol in laboratory[16].

Then QKD in optical fiber has been achieved [17] beyond150 km and in free space has been implemented over a dis-tance of 1 km [18].

There is another important problem in cryptography: au-thentication. For example, if Alice and Bob want to build akey by classical or quantum key distribution protocol, theymust affirm each other’s identity at first. So authenticationkey must be distributed to both sides in order to verify thecounterpart’s identity. A quantum authentication protocol isbetter than classical one in the following two ways. In clas-sical cryptography , first, if an eavesdropper, such as Eve,breaks in Alice’s office while she is not present, she canmake a copy of Alice’s authentication key without leavingany trace behind from which Alice may percept his exis-tence. So later Eve can impersonate Alice to pass the au-thentication. Second, if Eve catches the information thatAlice sends to Bob by which Bob affirms Alice’s identity,she can make a copy of it. Then she can sends the infor-mation to Bob while Alice is not present. Obviously Bobcan’t percept that the other is not Bob but an eavesdropper.So Eve can pass the authentication, too. That is to say, theauthentication protocol can no longer work. But in quan-tum authentication protocol, both the authentication key andthe information exchanged in authentication process can becoded in quantum state. Quantum no-cloning theorem for-bids eavesdropper to copy them. So quantum authenticationprovides capacity of theft-detection much as quantum keydistribution provides security against eavesdropping.

Recently several quantum authentication protocols [19-26] have been proposed. Zeng’s [19] protocol uses EPRpairs as the first authentication keys, and then uses classi-cal keys distributed via quantum key distribution. Barnum’s[20] and Jensen and Schack’s [21] protocols use entangle-ment and catalysis. Zhang’s protocol [22] accomplishes theauthentication using an auxiliary qubit. Ljunggren’s pro-tocol [23] performs authentication integrated with quantumkey distribution in virtue of an arbitrator. Li and Barnum’sprotocol [24] takes EPR pair as identity token and uses aux-

First International Symposium on Data, Privacy and E-Commerce

0-7695-3016-8/07 $25.00 © 2007 IEEEDOI 10.1109/ISDPE.2007.19

128

First International Symposium on Data, Privacy and E-Commerce

0-7695-3016-8/07 $25.00 © 2007 IEEEDOI 10.1109/ISDPE.2007.19

128

iliary EPR pairs to fulfill the authentication. Barnum [25]and Kuhn [26] discussed quantum authentication using bothquantum and classical key. Li and Zhang’s protocol [27]simplified the protocol in [22]. To pass authentication, oneneeds creates auxiliary qubits and sends them once whilethe qubits needs to be sent twice in [22]’s protocol. Oppen-heim and Horodecki presented a one-pad protocol integrat-ing authentication, encryption and protection of quantuminformation [28]. Wang et al’s protocol uses quantum en-tangle states swapping to realize Multiparty simultaneousquantum identity authentication[29].

In this paper we provide a quantum authentication pro-tocol using orthogonal product states. The two parties sharea sequence of two-particle systems as the authenticationkey. To prove his identity, one creates auxiliary particlesand sends them to the counterpart. The latter can affirmits identity by performing the Bell states measurement. Noone without the authentication key can pass the authentica-tion process. So our protocol is secure. The authenticationkey is reusable since it can be turned back into the originstate after the authentication process. There are no classicalinformation exchanges in the authentication process. So un-like many previous protocols, we need no auxiliary classicalchannels.

The paper is organized as follows. In section 2 we in-troduce the basic idea on which our authentication protocolis based. Then the protocol is presented in section 3. Nextin section 4 we prove that it’s secure. Finally we give somefurther discussions and get our conclusion.

2 Basic Idea

In quantum information science a quantum two-statesystem is often called a qubit. An EPR pair is a two-qubitsystem which is in one of the four Bell states:

|Φ+ >=1√2(|00 > +|11 >)

|Φ− >=1√2(|00 > −|11 >)

|Ψ+ >=1√2(|01 > +|10 >)

|Ψ− >=1√2(|01 > −|10 >). (1)

As known Bell states are the maximumly-entangled statesof a two-qubit system. They form a complete orthogonal ba-sis vector set in which people can measure a two-qubit sys-tem. We call it the Bell state measurement. Complete Bellstate measurement has been realized in laboratory [30,31].

Now we give our basic idea. First we assume that Aliceand Bob share an EPR pair which is in the state

|Ψ+ >AB=1√2(|0 >A |1 >B +|1 >A |0 >B) (2)

in which the subscript is used to distinguish the two qutbits.Alice holds qubit A and Bob holds qubit B. To show heridentity to Bob, Alice creates an auxiliary qutbit which canbe called qutbit 1 in the state |0 >1. Then she performs aCNOT operation on quabit A and qubit 1 in which qubit Ais the control qubit and qubit 1 is the target qubit. So thewhole state of the three-qubit system is

|S >AB1=1√2(|0 >A |1 >B |0 >1 +|1 >A |0 >B |1 >1).

(3)Alice sends qubit 1 to Bob. After receiving qubit 1, Bob alsocreates an auxiliary qubit called qubit 2 in the state |0 >2.Then he does a CNOT operation on qubit B and qubit 2 inwhich the former is the control qubit and the latter is thetarget qubit. So the state of the whole four-qubit systemturns into

|F >AB12= 1√2

(|0 >A |1 >B |0 >1 |1 >2

+ |1 >A |0 >B |1 >1 |0 >2).(4)

It can be rewitten as

|F >AB12

= 12 [|0 >A |1 >B (|Ψ+ >12 +|Ψ− >12)+|1 >A |0 >B (|Ψ+ >12 −|Ψ− >12)]

= 12 (|Ψ+ >AB |Ψ+ >12 +|Ψ− >AB |Ψ− >12).

(5)

Finally Bob performs the Bell state measurement on thetwo-qubit system consisting of qubit 1 and qubit 2. Fromequation(5) we find that Bob will get measurement out-comes |Ψ+ >12 or |Ψ− >12. He can’t get measurementoutcomes |Φ+ >12 or |Φ− >12 at all. In section 4 wewill prove that if an eavesdropper wants to cheat Bob byimpersonating Alice, he or she can’t prevent Bob from get-ting outcomes |Φ+ >12 or |Φ− >12. That is to say, Bobwill find that the one on the other isn’t Alice. So we candesign a authentication protocol based on the idea above.Alice and Bob may share EPR pairs as the authenticationkey. Moreover, from equation (5) we can notice that whenBob gets measurement result |Ψ+ >12, the state of the two-qubit system consisting of qubit A and qubit B turns backto the origin state |Ψ+ >AB . If Bob gets measurement re-sult |Ψ− >12, the state of the two-qubit system consistingof qubit A and qubit B is |Ψ− >AB . Then Bob can does a−σz operation on qubit B in which

σz =(

1 00 − 1

). (6)

The state of the whole two-qubit system of qubit A andqubit B turns back into |Ψ+ >AB . So we can find that theauthentication key doesn’t change after the authenticationprocess. So it can be reused.

129129

3 Quantum authentication protocol usingBell states

Now we provide our quantum authentication protocol.Alice and Bob share n EPR pairs which is in the state|Ψ+ >AB as authentication key. Alice holds qubit A whileBob holds qubit B for each EPR pair. If Alice wants toprove her identity to Bob, they do as follows.(1) Alice creates n auxiliary qubits which can be denoted asqubit 1 in the state |0 >1. Then she performs a CNOT op-eration on qubit A and qubit 1 for each EPR pair in whichqubit A is the control qubit and qubit 1 is the target qubit.(2) Alice sends all the auxiliary qubits to Bob in sequence.(3) After receiving the qubits from Alice, Bob creates n aux-iliary qubits which is denoted as qubit 2 in the state |0 >2

for each EPR pairs. Then for each EPR pairs he performs aCNOT operation on qubit B and qubit 2 in which the formeris the control qubit and the latter is the target target qubit.(4) Bob performs the Bell state measurement on each two-qubit system composed of the qubit 1 and qubit 2. If Bobgets only |Ψ+ >12 or |Ψ− >12. The authentication processsucceeds. Bob is sure that the one on the other side is Al-ice. If he gets too many measurement outcomes |Φ+ >12

or |Φ− >12. the authentication fails. Bob assures that theone on the other side isn’t Alice.(5)If the authentication succeeds, Bob does the followingoperations to recover the authentication key. To each mea-surement, Bob performs σz operation on qubit B of thecorresponding EPR pair if he gets measurement outcome|Ψ− >12 while Bob performs nothing if he gets measure-ment outcome |Ψ+ >12. So the authentication key turnsback into the origin state. It can be reused for the next au-thentication process in future.

Similarly if Bob wants to prove his identity to Alice, thetwo parties just perform the same steps as above except thatthey exchange their roles in the authentication process.

4 Security of the protocol

In this section we prove that no one who hasn’t the au-thentication key could pass the authentication process. Soour protocol is secure.

Assuming that Eve wants to impersonate Alice when Al-ice isn’t present, she may create fake qubits(named qubit E)and sends them to Bob, with hope of passing the authentica-tion. Without of losing generosity, we assume that the stateof any qubit that Eve created can be expressed as

ρE = p1|0 >< 0|+ p2|1 >< 1| (7)

in which p1+p2 = 1. Obviously qubit E is in a mixed state.It can be looked on as an average of two pure state |0 >E

and |1 >E with probabilities p1 and p2. As known if we

do any operation including measurements on a mixed-statesystem, we will just get an average result of the two resultwhich we do the same operation on the two pure state re-spectively. So what we need to do is to consider as if thestate was |0 >E or |1 >E respectively and average the re-sult with probabilities p1 and p2. When Bob receives qubitE, he will think that it is from Alice. So he does as our pro-tocol asks. First he creates his auxiliary qubit in the state|0 >2 and performs CNOT operation on qubit 2 and qubitB in which the former is the target qubit and the latter isthe control qubit. So the state of the whole three-systemcomposed of qubit A, qubit B and qubit 2 is

|S >AB2=1√2(|0 >A |1 >B |1 >2 +|1 >A |0 >B |0 >2).

(8)Now let’s consider qubit E. For pure state |0 >E , the stateof the whole four-qubit system consisting of qubit A, qubitB, qubit E and qubit 2 is

|S >ABE2= 1√2

(|0 >A |1 >B |0 >E |1 >2

+ |1 >A |0 >B |0 >E |0 >2).(9)

It can be rewritten as

|S >ABE2= 12 (|0 >A |1 >B (|Ψ+ >E2 +|Ψ− >E2)+ |1 >A |0 >B (|Φ+ >E2 +|Φ− >E2)).

(10)It’s easy to find that if Bob performs the Bell state mea-surement on the two-qubit system consisting of qubit E andqubit 2 as our protocol asks, he will get measurement results|Φ+ >, |Φ− >, |Ψ+ > and |Φ− > with equal probability14 . According to our protocol, only the last two results is le-gal. So the probability that Eve escaping from being foundby Bob is only 1

2 . On the other hand, for pure state |1 >E ,the state of the whole four-qubit system is

|S >ABE2= 1√2

(|0 >A |1 >B |1 >E |1 >2

+ |1 >A |0 >B |1 >E |0 >2).(11)

It can be rewritten as

|S >ABE2= 12 (|0 >A |1 >B (|Φ+ >E2 −|Φ− >E2)+ |1 >A |0 >B (|Ψ+ >E2 −|Ψ− >E2)).

(12)If Bob performs the Bell state measurement on the two-qubit system consisting of qubit E and qubit 2, he will getmeasurement results |Φ+ >, |Φ− >, |Ψ+ > and |Φ− >with equal probability 1

4 , too. Doing the same reason-ing, we can conclude that probability that Eve escapingfrom being found by Bob is also 1

2 . So for the mixed stateρE = p1|0 >< 0| + p2|1 >< 1| which is just the state ofqubit E, the probability that Eve escaping from being foundby Bob is

P =12p1 +

12p2 =

12

(13)

130130

in which p1 + p2 = 1. As our authentication protocol asks,Eve needs to send n qubit to Bob. So the probability thatshe cheats Bob successfully is

Perror = (12)n. (14)

If n=1000,

Perror = (12)1000 ≈ 10−300. (15)

It’s a number too small to imagine. So we can conclude thatit’s impossible for Eve to pass the authentication.

Now let’s consider another strategy of attack that Evemay take. When Alice sends qubit 1 to Bob, Eve may catchthem and try to get some information to help her possiblecheating in future. We can prove it’s impossible for Eve tosucceed. It’s useless for Eve to measure qubit 1 becausenow the state of the whole three-qubit system consisting ofqubit A, qubit B, qubit 1 is

SAB1 =1√2(|0 >A |1 >B |0 >1 +|1 >A |0 >B |1 >1).

(16)If Eve measures qubit 1, she will just get result |0 >1 and|1 >1 with equal probability 1

2 . It contains no informa-tion. So doing such things does no good to Eve. Moreover,it will cause the state of the authentication key collapse toa product states, or in other words, Eve destroyed the au-thentication key! So the authentication protocol no longerworks. Alice and Bob will abandon it and try to build a newauthentication key. So Eve has still no chances to pass theauthentication.

So far we have showed that this quantum authenticationprotocol is secure.

5 Discussion and Conclusion

In our authentication protocol, there is no classical in-formation exchange needed. So we doesn’t need auxiliaryclassical channel to finish authentication. All that we needis an insecure quantum channel. We can fulfill authentica-tion process on this insecure quantum channel. It’s rather anadvantage of this protocol because many previous protocol,such as [19],22,23,25,26], need not only a quantum channelbut also an auxiliary classical channel. On the other hand,in our protocol to each EPR pais the two sides need sendonly one auxiliary qubit for one times while in [22] theyneed send an auxiliary qubit twice and in [24] they have tosend not an auxiliary qubit but an auxiliary EPR pair.

It must be pointed that the authentication key can bereused only when there are no errors or eavesdroppers exist-ing in transmission. First it is easy to find that if there are er-rors in transmission the authentication key may be changed

and can no longer be reused. Second if an eavesdropper in-tercept, she destroys the authentication key although she issure to be found and can’t pass the authentication. We maysolve this problem by error-checking technology in futurework.

We provide a quantum authentication protocol usingEPR pairs as the authentication key. The two parties createauxiliary qubits and make them interact with the authenti-cation key. At last one part can affirm the other’s identityby performing the Bell state measurement on the auxiliaryqubits. The protocol is proved to be secure. No one withoutthe authentication key can pass the authentication. No clas-sical channel and classical information exchange is needed.If there are no errors or eavesdroppers in transmission, theauthentication key can be turned into the origin state afterthe authentication is completed. So it can be reused.

Acknowledgements: This work is supported by Natu-ral Science Foundation of China (Grants 60603002);theHenan Natural Science Foundation of China (Grants0611052800);the National Natural Science Foundationof China 60496324( NSFC Major Research Program60496324 );the National Natural Science Foundation ofChina (Grants 60402016);the National Natural ScienceFoundation of China (Grants 60503047).We would thank Ruqian Lu for directing us into this re-search.

References

[1] C. H. Bennet and G. Brassard. ”Quantum cryptogra-phy: Public-key distribution and tossing”. In: Pro-ceedings of IEEE International conference on Com-puters, Systems and Signal Processing, Bangalore, In-dia, , IEEE Press, pp. 175, 1984.

[2] A. K. Ekert, ”Quantum cryptography based on Bell’stheorem”, Physical Review Letters, vol 67, pp. 661-663, 1991.

[3] C. H. Bennett, G. Brassard and N. D. Mermin, ”Quan-tum cryptography without Bell’s theorem”, PhysicalReview Letters, Vol 68, pp. 557-559, 1992.

[4] H. K. Lo and H. F. Chau, ”Unconditional Security ofQuantum Key Distribution over arbitrarily long dis-tances”, Science, Vol 283, pp. 2050-2056, 1999.

[5] A. Cabello, ”Quantum Key Distribution in the HolevoLimit”. Physical Review Letters, Vol 85, pp. 5635-5638, 2000.

[6] P. Xue, C. F. Li and G. C. Guo, ”Efficient quantum-key-distribution scheme with nonmXimally entangledstates”, Physical Review A, Vol 64, 032305, 2001.

[7] R. Cleve, D. Gottesman, and H.-K. Lo, ”How to Sharea Quantum Secret”, Physical Review Letters, Vol 83,pp. 648-651, 1999.

131131

[8] D. Gottesman, ”Theory of quantum secret sharing”,Physical Review A, Vol 61, 042311, 2000.

[9] M. Hillery, V. Buzek and A. Berthiasiaume, ”Quantumsecret sharing”, Physical Review A, Vol 59, pp.1829-1834, 1999.

[10] H.-k. Lo, H. F. Chau, ”Why quantum bit commitmentand ideal quantum coin tossing are impossible”, Phys-ica D, Vol 120, pp. 177-187, 1998.

[11] A. Kent, ”Coin Tossing is Strictly Weaker than BitCommitment”, Physical Review Letters, Vol 83, pp.5382-5384, 1999.

[12] B. M. Terhal, D. P. DiVincenzo and D. W. Leung.”Hiding Bits in Bell States”. Physical Review Letters,Vol 86, pp. 5807-5810, 2001.

[13] D. P. DiVicenzo, D. W. Leung, and B. M. Terhal,”Quantum data hiding, IEEE Transactions on Infor-mation Theory” Vol 48 No.3, pp. 580-599, 2002.

[14] T. Eggeling and R. F. Werner, ”Hiding Classical Datain Multipartite Quantum States”, Physical ReviewLetters, Vol 89, 097905, 2002.

[15] B. Schumacher, ”Quantum Privacy and Quantum Co-herence”, Physical Review Letters, Vol 80, pp. 5695-5697, 1998.

[16] C.H.Bennett, F.Bessette, G.Brassard, L.Salvail andJ.Smolin, ”Experimental quantum cryptography”,Journal of Cryptology, Vol 5, No.1, pp.3-28, 1992.

[17] T. Kimura, Y. Nambu, T. Hatanaka, A. Tomita, H.Kosaka and K, Nakamura. ”Single-photon interfer-ence over 150-km transmission using silica-basedintegrated-optic interferometers for quantum cryptog-raphy”, eprints: quant-ph/0403104, 2004.

[18] W. T. Buttler et al., ”Practical Free-Space QuantumKey Distribution over 1 km” , Physical Review Let-ters, Vol 81, pp. 3283-3286, 1998.

[19] G. Zeng and W. Zhang, ”Identity verification in quan-tum key distribution”, Physical Review A, Vol 61,022303, 2000.

[20] H. Barnum, ”Quantum secure identification us-ing entanglement and catalysis”, e-prints: quant-ph/9910072, 1999.

[21] J. G. Jensen and R. Schack, ”Quantum authenticationand key distribution using catalysis”, e-prints: quant-ph/0003104, 2003.

[22] Y. S. Zhang, C. F. Li, and G. C. Guo, ”Quantum au-thentication using entangled state”, e-prints: quant-ph/0008044, 2000.

[23] D. Ljunggren, M. Bourennane and Anders Karlsson,”Authority-based user authentication in quantum keydistribution”, Physical Review A, Vol 62, 022305,2000.

[24] X. Y. Li and H. Branum, ”Quanum authencation usingentangled states”. International Journal of Foundationof Computer Science, Vol 15 No.4, pp. 609-617, 2004.

[25] H. Barnum, C. Crepeau, D. Gottesman, A. Smithand A, Tapp, ”Authentication of Quantum Messages”,Proceedings of the 43rd annual IEEE Symposium onthe Foundations of Computer Science (FOCS’02), pp.449-458, 2002.

[26] D. R. Kuhn, ”A hybrid authentication protocol usingquantum entanglement and symmetric cryprography”,e-prints: quant-ph/0301150, 2003.

[27] X. Y. Li and D. X. Zhang, ”A quantum authenticationprotocol using entangled states as authentication key”,WSEAS Transactions on Computers, Vol 5, No.5, pp.830-835, 2006.

[28] J. Oppenheim and M. Horedocki, ”How to reusea one-time pad and other notes on authentication,encryption and protection of quantum information”,Physical Review A, Vol 72, 042309, 2005.

[29] J. Wang, Q. Zhang and C. J. Tang, ”AuthenticatedMultiuser Quantum Direct Communication using En-tanglement Swapping”, e-prints: quant-ph/0605006,2006.

[30] Y. H. Kim, S. P. Kulik, Y. Shih, ”Quantum Teleporta-tion of a Polarization State with a Complete Bell StateMeasurement”, Physical Review Letters, Vol 86, pp.1370-1373, 2001.

[31] C. Cinelli, M. Barbieri, F. D. Martini, P. Mataloni,”Realization of Hyperentangled Two-Photon States”,International Journal of Laser Physics, Vol 15, No.1,124-128, 2005.

132132