
Intercept–resend attacks on Chen et al.'s quantum private comparison protocol and the improvements


Optics Communications 284 (2011) 2412–2414


Discussion


Jason Lin, Hsin-Yi Tseng, Tzonelih Hwang ⁎

National Cheng Kung University, Department of Computer Science and Information Engineering, No.1, University Road, Tainan City 701, Taiwan, ROC

Article info

Article history: Received 19 November 2010; Accepted 20 December 2010; Available online 12 January 2011

Keywords: Quantum private comparison; GHZ state; Intercept–resend attack

Abstract

Recently, Chen et al. presented a novel quantum private comparison (QPC) protocol using triplet GHZ state to enable two parties to compare the equality of their information without revealing the content. The protocol is rather promising because it only requires single-photon measurement with the help of a semi-honest third party to complete the secret comparison. However, this study will point out that a weakness could occur in the eavesdropping check phase. That is, an intercept–resend attack could be launched by one of the two participants to reveal the information content of the other participant, a result that contradicts the security requirement of a QPC. Fortunately, two solutions are possible to avoid the attack.

⁎ Corresponding author. National Cheng-Kung University, Department of Computer Science and Information Engineering, NO. 1, Ta-Hsueh Rd., Tainan, Taiwan. E-mail address: [email protected] (T. Hwang).

0030-4018/$ – see front matter © 2010 Elsevier B.V. All rights reserved. doi:10.1016/j.optcom.2010.12.070

1. Introduction

The pioneering work on quantum private comparison (QPC) was proposed by Yang et al. in 2009 [1,2]. The main goal of a QPC protocol is to compare the equality of information between two parties without revealing the actual content. Several applications such as quantum voting [4,5] and quantum auction [6–9] are based on this technique. Recently, Chen et al. proposed a novel QPC protocol via triplet Greenberger–Horne–Zeilinger (GHZ) state [3]. Their scheme has the following nice features:

1. The third party (TP) helping the two users to accomplish the comparison does not have to be fully trusted. That is, the TP will faithfully follow the procedure of the protocol, take records of all intermediate computations, and would not be corrupted by the outsider. However, he/she might also try to reveal the private information content of the users from the records.

2. By merely using single-photon measurements, both players can acquire a one-time-pad key for encrypting their information, respectively.

3. Although TP will know which bit of the two players is identical (or different), he/she will not be able to obtain the actual bit value.

4. The protocol compares a portion of information instead of one bit at a time to avoid content leakage.

However, this paper tries to show that in the eavesdropping check process of their QPC, it is possible for an insider to launch the intercept–resend attack to reveal the other user's secret information content, which contradicts a security requirement of a QPC. Fortunately, this problem can be easily solved with a carefully designed eavesdropping check process.

The rest of this paper is organized as follows. Section 2 reviews Chen et al.'s QPC scheme via GHZ state. Section 3 points out the problem and gives two solutions to remedy the loophole. Finally, Section 4 briefly concludes the result.

2. Review of Chen et al.'s QPC scheme

In this section, a brief review of Chen et al.'s QPC protocol is given. Suppose that Alice and Bob are two users who want to compare the equality of their information via the help of a semi-honest third party (TP) to arbitrate the result of the comparison. TP must always follow the procedure of the protocol and will not be corrupted by the outside eavesdropper. TP may also try to derive Alice's and Bob's compared content, but he/she can only infer it from the public information and the records of intermediate computations. Under the above three-party scenario, Chen et al.'s QPC scheme can be described in the following steps (see also Fig. 1):

Step 1. TP prepares N triplet GHZ states all in $|\Psi_1\rangle = \frac{1}{\sqrt{2}}(|000\rangle + |111\rangle) = \frac{1}{2}(|{+}{+}{+}\rangle + |{+}{-}{-}\rangle + |{-}{+}{-}\rangle + |{-}{-}{+}\rangle)$. Here, quantum states $\{|0\rangle, |1\rangle\}$ are measured by R basis, and states $\{|+\rangle, |-\rangle\}$ are measured by D basis, in which $|+\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ and $|-\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$. Later, TP divides these N GHZ states into three sequences $S_A$, $S_B$, and $S_T$, which include the first, the second, and the third particles of all GHZ states, respectively. After the above preparation, TP retains the quantum sequence $S_T$ and sends the sequence $S_A$ to Alice, $S_B$ to Bob.

Fig. 1. The scenario of Chen et al.'s QPC protocol.

Step 2. To ensure the security of the quantum channel, Alice randomly selects a sufficient number of photons from $S_A$ as a set of checking qubits. Then she announces the positions of the checking set in public to the other two parties: Bob and TP. For each qubit in the checking set, Bob decides its measuring bases (i.e., R basis or D basis). He publicly notifies the information of measuring bases to Alice and TP. Subsequently, all parties measure the corresponding checking particles in the checking set with the bases chosen by Bob. If all parties' measuring results are inconsistent with the correlation of $|\Psi_1\rangle$, and the error rate exceeds a rational threshold, then TP will terminate the protocol and restart from Step 1. Otherwise, there is no eavesdropper, and the protocol will continue to the next step.

Step 3. Let the remaining photons in $S_A$, $S_B$, and $S_T$ be denoted as $P_A$, $P_B$, and $P_T$, respectively. Alice uses D basis to measure $P_A$, and Bob uses the same basis to measure his $P_B$. The classical bit of the measuring result is defined as “0” (“1”) if the result is $|+\rangle$ ($|-\rangle$). For instance, if a sequence of measuring result is ($|-\rangle|+\rangle|+\rangle|-\rangle|-\rangle \ldots |+\rangle$), then the corresponding classical bits will be (10011...0). After the measurement above, Alice and Bob will derive a key-bit string $K_A$ and $K_B$, respectively.

Step 4. Alice sequentially picks up a portion of her information that has not yet been compared, which is denoted as bit string $x$. Meanwhile, Bob picks up the corresponding part of his information to form bit string $y$. Both $x$ and $y$ here should have the same length as the keys $K_A$ and $K_B$. Subsequently, Alice performs a bit-wise exclusive-OR operation between $x$ and $K_A$ to obtain $C_A$ (i.e., $C_A = x \oplus K_A$), and Bob performs the same operation between $y$ and $K_B$ to obtain $C_B$ (i.e., $C_B = y \oplus K_B$). Furthermore, in order to reduce the transmission cost, Alice and Bob collaborate to compute the bit-wise exclusive-OR result $C$ of $C_A$ and $C_B$ (i.e., $C = C_A \oplus C_B$) and then send the result to TP via public channel.

Step 5. TP performs a unitary operation $I$ ($= |0\rangle\langle 0| + |1\rangle\langle 1|$) or $\sigma_z$ ($= |0\rangle\langle 0| - |1\rangle\langle 1|$) on each qubit of $P_T$ according to the corresponding bit value of $C$. Applying the $I$ operation will retain the original state of a D basis photon, whereas applying the $\sigma_z$ operation will change the state of a D basis photon from $|+\rangle$ to $|-\rangle$ (or $|-\rangle$ to $|+\rangle$). If $C$'s $i$th bit is “0”, then TP performs operation $I$ on the $i$th particle of $P_T$. Otherwise, TP performs operation $\sigma_z$ on the $i$th particle of $P_T$.

Step 6. For each particle in $P_T$, TP performs the D basis measurement. If any $|-\rangle$ exists in the measuring result, TP halts the protocol and publishes “1” to indicate the “inequality” of their information. Otherwise, TP repeatedly executes Step 1 to Step 6 until all information has been compared completely and then publishes “0” to indicate that the information of Alice and Bob is identical (i.e., all particles are measured as $|+\rangle$). Since Alice and Bob do not know the exact different bit of information, they could not derive each other's content when the result is negative.
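
Why the D basis measurement in Step 6 reveals exactly the inequality of the two inputs can be written out per position. This derivation is an added note, not part of the original paper; the bits $k_A^i$, $k_B^i$, $k_T^i$ are notation introduced here for the D basis results of the $i$th remaining GHZ state (0 for $|+\rangle$, 1 for $|-\rangle$), and $x_i$, $y_i$, $C_i$ are the $i$th bits of $x$, $y$, $C$.

Every term in the D basis expansion of $|\Psi_1\rangle$ in Step 1 contains an even number of $|-\rangle$, so

$$k_A^i \oplus k_B^i \oplus k_T^i = 0 \quad\Longrightarrow\quad k_T^i = k_A^i \oplus k_B^i .$$

Applying $\sigma_z$ flips TP's D basis result exactly when $C_i = 1$, so TP measures

$$k_T^i \oplus C_i = (k_A^i \oplus k_B^i) \oplus (x_i \oplus k_A^i) \oplus (y_i \oplus k_B^i) = x_i \oplus y_i .$$

Hence TP observes $|-\rangle$ at position $i$ if and only if $x_i \neq y_i$, while the key bits cancel and TP learns nothing about $x_i$ or $y_i$ individually. The same identity shows what is at stake in the eavesdropping check: whoever learns $K_B$ recovers $y = C_B \oplus K_B$.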

Chen et al.'s QPC protocol is based on the entanglement correlation of GHZ state $|\Psi_1\rangle$. In their scheme, each GHZ state can secretly compare one classical bit of information. In the eavesdropping check of Step 2, Alice determines the set of checking qubits, whereas Bob decides their measuring bases. The measuring results of these checking photons are used to check the presence of eavesdroppers. However, this checking strategy brings up a loophole for Alice or Bob to maliciously launch an intercept–resend attack. More details of the attack will be discussed in Section 3.

3. Intercept–resend attacks and the improvements

This section presents the intercept–resend attacks performed by each user. Two solutions to remedy the loophole are also given here.

3.1. The intercept–resend attacks

Both Alice and Bob can act as the dishonest insider to derive the other player's information content.

Case 1. Intercept–resend attack for Alice.

Suppose that Alice is the dishonest insider. She first intercepts the photon sequence $S_B$ (from TP to Bob) in Step 1 and then uses D basis to randomly measure a number of photons, $T_B$, in $S_B$, where $T_B$ has the same length as $P_B$ in Step 3 of Chen et al.'s scheme. Subsequently, to prevent TP from discovering this attack in the comparison phase of Step 4, Alice generates a new single-photon sequence $P'_B$ with the same photon states as $T_B$, and replaces $T_B$ with $P'_B$ to form a new sequence $S'_B$. She resends $S'_B$ to Bob and announces the photon positions excluding the particles in $P'_B$ as the positions of the checking particles during the public discussion in Step 2. After the eavesdropping check, Bob will measure $P'_B$ with D basis to obtain a one-time-pad key $K_B$ as described in Step 3. Since Alice knows all the photon states of $P'_B$, she can naturally obtain Bob's key $K_B$ in Step 4 and further retrieve Bob's secret information content from $C_B$ (the exclusive-OR result of $K_B$ and Bob's information content).

Case 2. Intercept–resend attack for Bob.

Bob may also be the dishonest insider. He first intercepts sequence $S_A$ and then performs D basis measurement on all particles in $S_A$ (from TP to Alice in Step 1). Subsequently, Bob creates a new bunch of single-photon sequence $S'_A$ with the same photon states as $S_A$ and resends it to Alice. After Alice receives $S'_A$ in Step 2, she will announce the positions of the checking set. Meanwhile, Bob will choose to use the D basis to measure the checking set. Naturally, Bob will not be detected in the public discussion phase. Since Bob knows all the measuring results of $S'_A$, he can hence obtain Alice's encrypted key $K_A$ and further reveal Alice's secret information content in Step 4.

3.2. Two improvements of Chen et al.'s scheme

Two solutions to avoid the attacks are proposed here. The first one is to let the TP choose the checking set in the eavesdropping check. The second solution uses the technology of decoy photons.

Solution 1. TP decides the checking set.

The first solution is to let TP decide the positions and the measuring bases of the checking set in Step 2. Under this situation, if Alice performs the intercept–resend attack, for each checking photon, she will be detected with a probability of $\frac{1}{4}$. For instance, suppose that $(q_T^i, q_A^i, q_B^i)$ is the $i$th GHZ state in sequences $S_T$, $S_A$, and $S_B$ chosen by TP to execute the eavesdropping check. Alice intercepts $S_B$ and measures $q_B^i$ with D basis. Afterwards, Alice resends a photon with the same photon state as $q_B^i$ (i.e., $|+\rangle$ or $|-\rangle$) to Bob. If unfortunately TP announces to use R basis as the measuring basis, Alice will be caught with a probability of $\frac{1}{2}$ (i.e., $|+\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ and $|-\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$). Since TP has a probability of $\frac{1}{2}$ to choose R basis, the probability of detecting the attack in one checking photon is $\frac{1}{4}$ ($\frac{1}{2} \times \frac{1}{2} = \frac{1}{4}$), i.e., with a probability of $\frac{3}{4}$, the eavesdropper will not be detected. Thus, if there are $n$ checking photons, the probability of detecting the eavesdropper is $1 - \left(\frac{3}{4}\right)^n$, which is close to 1 if $n$ is large enough.

Similarly, if Bob performs the intercept–resend attack, then he will have 25% probability to be detected on each checking photon decided by TP. And thus, he will be caught in the public discussion if the number of checking photons is large enough.
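
The detection rates above can be checked by exact enumeration over a three-qubit state vector. The following Python sketch is an added example, not code from the paper: it compares a checking basis fixed to D (the situation of Case 2, where the insider chooses the basis) with a basis that TP picks at random as in Solution 1. Function names and the parameter `p_r` (probability that the checking basis is R) are introduced here for illustration.

```python
import itertools
import math

H = 1 / math.sqrt(2)
# Measurement bases from Step 1: R = {|0>, |1>}, D = {|+>, |->}.
BASES = {"R": [(1.0, 0.0), (0.0, 1.0)], "D": [(H, H), (H, -H)]}
A, B, T = 0, 1, 2  # particle order within each GHZ triple, as in Step 1

def ghz():
    """|Psi_1> = (|000> + |111>)/sqrt(2) as 8 real amplitudes."""
    psi = [0.0] * 8
    psi[0b000] = psi[0b111] = H
    return psi

def project(psi, qubit, vec):
    """Project one qubit onto `vec`; return (probability, normalised post-state)."""
    shift = 2 - qubit
    out, prob = [0.0] * 8, 0.0
    for rest in range(8):
        if (rest >> shift) & 1:
            continue  # visit each setting of the other two qubits once
        amp = vec[0] * psi[rest] + vec[1] * psi[rest | (1 << shift)]
        prob += amp * amp
        out[rest] = amp * vec[0]
        out[rest | (1 << shift)] = amp * vec[1]
    if prob > 1e-12:
        out = [a / math.sqrt(prob) for a in out]
    return prob, out

def consistent(res, basis):
    """GHZ correlation: R results all equal; D results hold an even number of |->."""
    return len(set(res)) == 1 if basis == "R" else sum(res) % 2 == 0

def detect_prob(check_basis, attacked_qubit=None):
    """Exact chance that one checking triple violates the GHZ correlation."""
    branches = [(1.0, ghz())]
    if attacked_qubit is not None:
        # Intercept-resend: the insider measures the qubit in D basis and
        # forwards a photon in the state that was found.
        branches = [project(ghz(), attacked_qubit, v) for v in BASES["D"]]
    caught = 0.0
    for p_branch, state in branches:
        for res in itertools.product((0, 1), repeat=3):
            p, s = p_branch, state
            for q, r in enumerate(res):
                pq, s = project(s, q, BASES[check_basis][r])
                p *= pq
            if not consistent(res, check_basis):
                caught += p
    return caught

def detection_after(n, p_r, attacked_qubit=B):
    """P(at least one of n checking photons exposes the attack) when the
    checking basis is R with probability p_r and D otherwise."""
    per_photon = (p_r * detect_prob("R", attacked_qubit)
                  + (1 - p_r) * detect_prob("D", attacked_qubit))
    return 1 - (1 - per_photon) ** n

if __name__ == "__main__":
    print("insider fixes D basis :", detection_after(20, 0.0, A))
    print("TP picks R/D at random:", detection_after(20, 0.5, B))
```

With the basis fixed to D the check never fires, however many photons are tested; with TP choosing the basis the per-photon rate is 1/4 and the cumulative rate follows $1 - (3/4)^n$.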

Solution 2. TP uses decoy photons.

TP in Step 1 prepares two bunches of decoy photons ($R_A$ and $R_B$) randomly chosen from states $|0\rangle$, $|1\rangle$, $|+\rangle$, and $|-\rangle$. He/she mixes the sequence $S_A$ with $R_A$ ($S_B$ with $R_B$) to form two new sequences $S'_A$ and $S'_B$. $S'_A$ is sent to Alice and $S'_B$ is sent to Bob. After the two players receive the sequences, TP announces the positions and the measuring bases of $R_A$ and $R_B$. Alice and Bob will measure these decoy photons respectively using the corresponding bases and publicly send the results to TP for eavesdropper detection. Since neither Alice nor Bob can predict the positions of these decoy photons, if one of them tries to perform the intercept–resend attack, he/she will be caught with a probability of 25% (i.e., since the decoy photon state here can be in R basis or D basis, the computation of the detection rate is therefore identical to the instance described in Solution 1).

With this approach, the qubit efficiency ($\eta_E$), here defined as $\eta_E = \frac{q_s}{q_t}$, where $q_t$ is the total number of photons (including the checking set) used in comparison, and $q_s$ is the number of classical bits that can be compared [10–13], can also be improved. $\eta_E$ emphasizes the average number of classical information bits that each photon contributes to comparing the equality of information. Suppose 50% of the transmitted photons are used in eavesdropping check. With Chen et al.'s scheme, since two triplet GHZ states can ensure one bit of secret comparison among two parties, the qubit efficiency therefore leads to approximately 17% ($\frac{1}{3 \times 2} = \frac{1}{6} \approx 17\%$). On the contrary, with Solution 2, since only one triplet GHZ state and two single photons are required for comparison of one classical information bit, the qubit efficiency is 20% ($\frac{1}{3 + 2} = \frac{1}{5} = 20\%$).

4. Conclusions

This paper has pointed out that if the public discussion for eavesdropping check in a QPC is not designed carefully, it could become a loophole that further mounts to an attack and jeopardizes the security of the QPC. The problem in Chen et al.'s scheme is that the positions and the measuring bases of checking set are decided by the two players, respectively. This leads to the insider's intercept–resend attack. Two possible solutions to avoid the attack are given in this paper (i.e., one is to let TP decide the checking set, and the other is to adopt the decoy photon technique). Moreover, the second solution enables an increase of qubit efficiency from 17% to 20%.

Acknowledgment

We would like to thank the National Science Council of the Republic of China, Taiwan, for financially supporting this research under the Contract No. NSC 98-2221-E-006-097-MY3.

References

[1] Y.G. Yang, Q.Y. Wen, Journal of Physics A: Mathematical and Theoretical 42 (5) (2009) 8 (9 pp.).

[2] Y.G. Yang, W.F. Cao, Q.Y. Wen, Physica Scripta 80 (6) (Nov. 2009) 8 (4 pp.).

[3] X.B. Chen, G. Xu, X.X. Niu, Q.Y. Wen, Y.X. Yang, Optics Communications 283 (7) (Apr. 2010) 1561.

[4] M. Hillery, M. Ziman, V. Bužek, M. Bieliková, Physics Letters A 349 (1–4) (Jan. 2006) 75.

[5] J.A. Vaccaro, J. Spring, A. Chefles, Physical Review A 75 (1) (Jan. 2007).

[6] T. Hogg, P. Harsha, K.Y. Chen, International Journal of Quantum Information 5 (5) (Sep. 2007) 751.

[7] M. Naseri, Optics Communications 282 (9) (May 2009) 1939.

[8] Y.G. Yang, M. Naseri, Q.Y. Wen, Optics Communications 282 (20) (Oct. 2009) 4167.

[9] Z. Zhao, M. Naseri, Y. Zheng, Optics Communications 283 (16) (Aug. 2010) 3194.

[10] T. Hwang, K.C. Lee, IET Information Security 1 (1) (Mar. 2007) 43.

[11] J.H. Chen, K.C. Lee, T. Hwang, International Journal of Modern Physics C 20 (10) (October, 2009) 1531.

[12] H.C. Shih, K.C. Lee, T. Hwang, IEEE Journal of Selected Topics in Quantum Electronics 15 (6) (November/December 2009) 1602.

[13] J. Lin, T. Hwang, “An Enhancement on Shi et al.'s Multiparty Quantum Secret Sharing Protocol”, Optics Communications 284 (5) 1468–1471.