Quantum Secure Direct Communication Based on Chaos with Authentication

Dazu HUANG1;2�, Zhigang CHEN1, Ying GUO1;3, and Moon Ho LEE3

1School of Information Science and Engineering, Central South University, Changsha 410083, China2Department of Information Management, Hunan College of Finance and Economics, Changsha 410205, China

3Department of Information and Communication Engineering, Chonbuk National University, Chonju 561-756, Korea

(Received May 30, 2007; accepted September 13, 2007; published November 26, 2007)

A quantum secure direct communication protocol based on chaos is proposed with authentication. Ithas an advantage over distributing the secret message directly and verifying the communicators’identities with the assistance of a trusted center. To ensure the security of the secret message and theprocess of verification, the initial order of the travel particles is disturbed according to a chaotic sequencegenerated secretly via the general Arnold map. Security analysis demonstrates that the present scheme issecure against several attack strategies, such as the man-in-the-middle attack and Trojan horse attack.

KEYWORDS: quantum secure direct communication, authentication, chaos, quantum cryptography, securityanalysis

DOI: 10.1143/JPSJ.76.124001

1. Introduction

In 1984, Bennett and Brassard proposed the BB84 proto-col,1) which is proved to be a secure protocol. After that,many quantum key distribution (QKD) schemes have beenproposed.2–6) However, the nondeterministic property in thestandard QKD schemes leads to the loss of numerous qubitssince many qubits have to be discarded. In recent years, aquantum secure direct communication (QSDC) has beenproposed, which is able to transmit secret messages directlywithout establishing a shared private key to encrypt. SinceBeige et al.7) proposed a QSDC protocol in 2002, manyQSDC schemes have been presented.8–17) Most of the QSDCprotocols are based on the secret transmission order ofparticles. Moreover, they almost follow the same mode: afterconfirming that the receiver receives all particles, the senderannounces the secret order of the particles through a publicchannel. In fact, it is very difficult to perform in an actualcommunication, and it is also insecure against some attacks,such as the Trojan horse attack. How can the operation beperformed efficiently and securely? So far to our knowledge,no one has presented any related scheme and technology.

Furthermore, the previous QKD or QSDC protocols arebased on the legitimate communicators. In the real world,the legitimate communicators may be impersonated by anattacker; thus these protocols are insecure against the man-in-the-middle attack. When Alice communicates with BobEve can impersonate Alice to deceive Bob; on the otherhand, she can also impersonate Bob to deceive Alice.Finally, Eve will obtain two keys KAE and KBE, where KAE

is the key between Alice and Eve, and KBE is the keybetween Bob and Eve. Therefore, Eve can easily decrypt theciphertext between Alice and Bob without being detected. Inorder to solve this problem, several protocols on quantumidentity verification have been proposed.18–26) In refs. 18–21,some pure qubit authentication schemes are presented; inrefs. 22–24, identity authentication protocols in QKD areproposed; in ref. 25, QSDC with authentication is presentedfor the first time in 2006; and in ref. 26, a comment andimprovement on ref. 25 is given.

In view of the above problem, we proposed a quantum

secure direct communication protocol based on chaotic mapwith authentication. Mutual identity verification and directcommunication are completed simultaneously in a one-way channel. Identity verification can be implemented bycorrectly sharing the Einstein–Podolsky–Rosen (EPR) pairsusing Bell’s theorem.27) Quantum direct communication isbased on the secret order of the particles, and the secret orderrelies on a chaotic map with the essence of cryptographicsecurity, and the key of the chaotic map comes from sharingEPR pairs between communicators after authentication. Ourscheme improves the security and applicability of quantumcommunication compared with the previous QSDC scheme.

This paper is organized as follows. In §2, the basictheorem of the general Arnold map is presented in a simplemanner. In §3, the quantum direct communication protocolis described in detail. We discuss the security in §4. Finally,the conclusion is given.

2. Basic Theorem of General Arnold Map

A chaotic system has a good cryptographic featurebecause of its pseudo randoness and extreme sensitivity tothe initial conditions; thus, chaotic maps have been appliedextensively in cryptography.

The Arnold map was introduced by Arnold;28) it isexpressed using the following formula

xnþ1

ynþ1

� �¼

1 1

1 2

� �xn

yn

� �mod 1 ð1Þ

In ref. 29 the above formula is extended to the followingform.

xn

yn

� �¼

a b

c d

� �nx0

y0

� �mod N ð2Þ

There is a stable point in the above map; namely, theposition of the point ð0; 0Þ is invariable after n iterations. Inorder to avoid the stable point map, the map function may beextended as

xn

yn

� �¼

1 p

q pqþ 1

� �nx0

y0

� �mod M þ 1; ð3Þ

where the independent parameters p, q, and n work as thekey. Equation (3) expresses the position transformationmethod from the initial position ðx0; y0Þ to the end position�E-mail: hdz0802@tom.com

Journal of the Physical Society of Japan

Vol. 76, No. 12, December, 2007, 124001

#2007 The Physical Society of Japan

124001-1

ðxn; ynÞ; namely, modulo M calculation is executed after n

iterations, then 1 is added to obtain the result ðxn; ynÞ, whichwill be regarded as the new position of the point ðx0; y0Þ.According to the chaotic property after iterating a sufficientnumber of times, arbitrary positions close to each other willbe separated far away. Moreover, in this map, one positioncorresponds to another position strictly, and confliction innew positions of different original positions will not takeplace. Although chaos is similar to random signals, it iscertain, and the disturbance is determined absolutely bythe independent parameters p, q, and n. If these parametersare changed slightly, the disturbance will be completelydifferent; this issue may be depicted through the Lyapunovexponent.30) Thus, the original order is disturbed at random.

In recent years, many image encryption algorithms basedon chaotic theorems have been proposed. The generalArnold map of two dimensions is often used to disturb theimage pixel position. According to ref. 31, the idea ofcombining chaotic cryptography with other cryptographicsystems is a new research subject for improving the securityof cryptographic systems.

3. Quantum Direct Communication Protocol

This protocol is composed of two phases: the initial phaseand the QSDC phase. A trusted authority center, Trent, isintroduced to authenticate the participants and distributeshared EPR pairs in the initial phase. Trent is more powerfulthan other persons and does not cheat anyone. Here, Trentjust works in the first phase.

3.1 Initial phaseThis phase distributes N EPR pairs and sets up the system

between Alice and Bob as in refs. 19 and 22. The technologyof Biham et al.32) is applied to save EPR pairs. Communi-cators and the trusted center are composed of a network. IfAlice wants to send messages to Bob for the first time, theywill perform the following steps.

(1) Alice and Bob send Trent their identification numbersIDA and IDB to register in this secure network. Then Trentsets up a quantum channel between Alice and Trent, andanother between Bob and Trent.

(2) Trent applies well-known BB84 protocol1) or EPRprotocol2) to share keys with Alice and Bob, respectively:

pAT ¼ ðpAT1; pAT2; . . . ; pATNÞ; ð4ÞpBT ¼ ðpBT1; pBT2; . . . ; pBTNÞ; ð5Þ

where pATi, pBTi 2 f0; 1g ði ¼ 1; 2; . . . ;NÞ. Then Trent pre-pares two sets of N EPR pairs, which can be expressed as

j��iAT ¼1ffiffiffi2p ðj0iAj1iT � j1iAj0iTÞ; ð6Þ

j��iBT ¼1ffiffiffi2p ðj0iBj1iT � j1iBj0iTÞ; ð7Þ

where the subscripts A, B, and T represent Alice’s particle,Bob’s particle, and Trent’s particle, respectively, and j0iand j1i are eigenvectors of the Pauli operator �z. Thus, Aliceand Bob are distributed a set of particles consisting of thefirst particle of each single pair on the basis of the generalArnold map and consultation, and Trent keeps the secondparticle. The secret transmission order is generated by thegeneral Arnold map with the above key, and consultation is

conducted to select randomly the checking set and sharedEPR pairs.

This completes the registration procedure between Aliceand the center, and between Bob and the center.

(3) Alice prepares N EPR pairs and sends Trent the sharedN particles and her application for communication with Bob,together with N particles composed of the first particle ofeach new EPR pair. Alice transfers the shared key PAT into asequence of unitary operations on the shared N particlesaccording to their agreement. In order to verify Alice’sidentity, Trent makes joint Bell basis measurements. If theerror rate is higher than expected, they stop this protocol andstart from the initial phase. Otherwise, Trent is sure that Aliceis legitimate. Of course, the traveling particle order is alsodisturbed by making use of a chaos map with the shared key.

(4) After Trent verifies Alice’s identity, he will send Bobthe N particles received from Alice. Before Bob accepts allthe particles he also authenticates Trent’s identity as Trentdid. Thus, the N particles consisting of the first particle ofeach single EPR pair from Alice are transferred to Bob. Aliceand Bob share N EPR pairs. Of course, the chaotic map andconsultation techniques are used during this procedure.

j��iABi¼

1ffiffiffi2p ðj0iAi

j1iBi� j1iAi

j0iBiÞ; ð8Þ

where the subscripts Ai and Bi represent Alice’s particle andBob’s particle for the ith EPR pair, respectively. At thispoint, Trent has accomplished his role in securely distrib-uting the shared N EPR pairs and setting up a secure systembetween Alice and Bob.

3.2 Authentication and quantum secure directcommunication phase

The aim of authentication is to thwart the man-in-the-middle attack. First, Alice and Bob agree on the four unitaryoperations

U0 ¼ j0ih0j þ j1ih1j; ð9ÞU1 ¼ �Z ¼ j0ih0j � j1ih1j; ð10ÞU2 ¼ �X ¼ j0ih1j þ j1ih0j; ð11ÞU3 ¼ i�y ¼ j0ih1j � j1ih0j; ð12Þ

where Ui (i ¼ 0; 1; 2; 3) represents two bits of classicalinformation 00, 01, 10, and 11, respectively. In this phase,the main operations are included as follows.

(1) Alice chooses a sufficiently large subset of particlesfrom her particles of the N EPR pairs as a key set (K set:K1;K2; . . . ;Km); she encodes her key KA by performing theabove four unitary operations Uj ( j ¼ 0; 1; 2; 3) on the K set,respectively. With consideration of the fact that there arealways noise and loss in a practical channel, before encodingthe secret key on the qubits, Alice can encode the secret keyKA with a classical error correction code (ECC), such asBose–Chaudhuri–Hochquenhem (BCH) code or a Hammingcode, so that the receiver will be able to correct possibleerrors in the decoded key messages.

(2) Alice selects her remaining set of shared EPR pairs asan authentication and checking message set (A set). Shechooses a random bit string, which has no relation to the keyKA to be sent to Bob. This random bit string is used tocomplete mutual identity verification and check the securityof the channel. She encodes them on the A set by performing

J. Phys. Soc. Jpn., Vol. 76, No. 12 D. HUANG et al.

124001-2

the above four unitary operations Uj ( j ¼ 0; 1; 2; 3).(3) The above operation consumes the shared N EPR

pairs. Alice prepares N EPR pairs again as new shared N

EPR pairs for the next communication.(4) Alice prepares enough EPR pairs to be used to

transmit secret messages. Because each EPR pair cantransmit two bits of classical information, if Alice will sendBob 2M bits of information, she will generate M EPR pairsfor message transmission. Then She encodes the classicalmessages on the first particle of each single pair, respec-tively. In order to improve the transmission accuracy, shecan encode the classical messages with a classical errorcorrection code and privacy amplification before encodingthem on these qubits; this certainly needs more EPR pairs.

(5) Therefore, there are altogether 2N þ 2M particles thatare traveling to Bob, including N particles of shared EPRpairs that encode the key and authentication messages, thefirst particle of each pair of N new EPR pairs to be shared,and M EPR pairs that encode Alice’s messages. Alice ran-domly disturbs the original order of the N þ 2M particles (ex-cept for the former N particles that encode the key and veri-fication messages) On the basis of the Arnold map with thekey. Finally, Alice sends these particles to Bob one by one.

(6) After Bob receives the 2N þ 2M particles, he makesjoint Bell basis measurements on the A set of the formerN particles. Then both Alice and Bob randomly select somebits to tell their counterparts for comparison through a publicchannel. If the error rate is higher than expected, they stopthis protocol and start from the initial phase. Otherwise,they are sure that their counterparts are legitimate and thequantum channel is secure; the authentication procedure isaccomplished, and the following process is executed.

(7) In this step Bob will get the key KB encoded on the Kset by Alice. He jointly performs Bell basis measurements,deduced the probable operations performed by Alice andcorrects possible errors with the error correction code usedby Alice in the decoded message to get the secret keyKB. Then, Alice and Bob compare HðKAÞ with HðKBÞ. IfHðKAÞ ¼ HðKBÞ, namely, K ¼ KA ¼ KB, they will acceptthis information as their shared key for this communication.Otherwise, they will stop this communication and start fromthe initial phase.

(8) On the basis of the general Arnold map, Bob uses thekey K to recover the original order of the N þ 2M particlesand saves the former N particles as the shared EPR pairsfor the next transmission. Then Bob performs Bell basismeasurement on the remaining M EPR pairs, and obtainssecret messages. Finally, Bob processes the messages usingtechniques of error correction and privacy amplification asAlice did.

(9) Alice or Bob may skip the initial phase for the nextcommunication between them.

4. Security Analysis

The security of this protocol mainly depends on the sharedmaximally EPR pairs between users; thus, the initial phase isthe key of the whole protocol, and the insecurity of sharedEPR pairs will result in the insecurity of authentication anddirect communication.

However, in the general Arnold map, a classical chaoticmap plays an important role in the whole protocol, which is

used to disturb the traveling particle’s order on the basis oftwo parties’ shared key.

4.1 Security of classic chaotic mapEquation (3) may be regarded as two chaotic systems of

one dimension ðI; ’Þ, which are processed as follows:

C ¼ ’nðpÞ ¼ ð’ð’ð’ � � �’ðpÞÞÞÞ; ð13Þ

where the initial value p is the plaintext. We obtain theciphertext C after n iterations. This system has a positiveLyapunov exponent; that is to say, there exists a point x 2 I,�X > 0, that satisfies the following:

8" > 0; 9n1; n2; 9Un1;n23 x; 8z1; z2 2 Un1;n2

; ð14Þeð�x�"Þnjz1 � z2j < j’nðz1Þ � ’nðz2Þj < eð�xþ"Þnjz1 � z2j; ð15Þ

where Un1;n2 are two domains close to each other. Equa-tions (14) and (15) demonstrate that the distance jz1 � z2jof two points that are as close as possible will becomeeð�xþ"Þnjz1 � z2j after n iterations. This means that if thelegitimate user’s key is k1 and the eavesdropper’s key is k2,although the two keys are almost equal, namely, jk1 � k2j <" � 0, the result jz1 � z2j will be very large.

The above argument implies that it is impossible for aguess attack to decipher the secret order based on the chaoticmap. Thus, throughout the paper the secret order has theessence of cryptographic security.

4.2 Security of the initial phaseIn the initial phase, at first, users and the trusted center

construct a secure network. When a user applies to registerat the center, the key is distributed by following BB84 orEPR protocols, which are unconditionally secure. Moreover,because the distribution of shared EPR pairs is based on achaotic map with the secure key, they may randomly pickout N particles of N pairs from more particles sent by thesender through their further consultation. Under the pre-sumed conditions, according to the analysis in ref. 19, mutualidentity verifications are secure and completely reliable, anyof the particles, which are intercepted and resent by Eve, canbe detected by the receiver; thus, this is efficient for thwartingthe man-in-the-middle attack. If the sender is not true thereceiver will stop communication; thus, Eve cannot obtainany meaningful particles because the particle order isdisturbed completely. Moreover, the entanglement attackis also impossible. This has been studied in ref. 32.

However, there is a drawback in that the security is underthe assumption that the center does not cheat anyone in theinitial phase. If Trent is dishonest he can successfullyperform the man-in-the-middle attack and get all transmittedmessages between Alice and Bob without being detected.This risk only exists in this phase because in the second phaseTrent’s participation will introduce errors and be detected.

In other words, it is impossible for both the shared EPRpairs and the key between the user and the center to be stolenand leaked out; thus, the exclusive channel system betweenAlice and Bob, which is set up by sharing EPR pairs, isabsolutely secure.

4.3 Security of authentication and communication phaseThe presented scheme enables us to simultaneously verify

mutual identity and directly transmit deterministic messages

J. Phys. Soc. Jpn., Vol. 76, No. 12 D. HUANG et al.

124001-3

through a one-step communication scheme. Even if Eveintercepts all the particles sent by Alice this phase is alsosecure for the following reasons.

(1) The former N particles are composed of only oneof each shared EPR pair, and another set of particles is inBob’s location at all the time. Each particle’s state may bewritten as24)

� ¼1

2

1 0

0 1

� �;

Eve can never obtain any available message of EPR pairsfrom one particle of the EPR pair. Moreover, the commu-nicators can not only verify mutual identity (to thwart theman-in-the-middle attack) on the basis of the security of theshared EPR pairs but also check the eavesdropping actionthrough the error rate on the A set. Therefore, Eve cannotextract anything; she can only introduce interference whichwill result in a high error rate.

(2) During communication session, new shared EPR pairsfor next session are automatically prepared and distributed inthe initial phase. Therefore, the use of the shared EPR pairsand the key is similar to the one-time pad password scheme.

(3) The particles of N EPR pairs to be shared and M EPRpairs that encode Alice’s messages are disturbed using thegeneral Arnold map. The secret order has an absolutecryptographic security, which depends on the security of thekey. In view of the above reason (2), it is impossible for Eveto get the key to calculate the original order of the particles,and thus she cannot distinguish the partners of each pairand take a valid measurement, let alone decipher the orderof EPR pairs. Of course, the communicators may randomlyselect some message bits to check eavesdropping action, butbecause it is impossible for the key to be leaked even if thecommunication is terminated owing to interference, thesecret message is still secure and can be transmitted againwith a new key.

The trusted center is only used to verify two parties anddistribute the shared EPR pairs, and does not participate infurther communication; namely, in the latter authenticationand communication phase even if the center is controlledby Eve, Eve cannot obtain any useful messages, and hereavesdropping will be detected by legitimate users. More-over, our proposed protocol is secure against the Trojanhorse attack, as described in ref. 16, on the basis of itsidentity verification scheme, one-step communication, one-time pad property, and chaotic disturbance with a key.

In the meantime, there are two obvious weaknesses in ourprotocol. One is the preservation of the shared EPR pair andthe sharing key, and the preservation time being very shortaccording to current technology. However, we believe thata long correction time for the entanglement pair must berealized in the future. The other is that the trusted center mayinitiate the man-in-the-middle attack in the initial phase;thus, this protocol excessively relies on the center’s honest,and this needs further investigation.

5. Conclusion

On the basis of chaotic disturbance, a quantum securedirect communication protocol with authentication is pro-posed. We flexibly combine identity verification with the

general Arnold map in our scheme, and identity authenti-cation and deterministic message transmission are complet-ed simultaneously in a one-way channel. Direct messagetransmission is based on the secret order of transmittingthe particles, and the secret order relies on a chaotic mapwith the essence of cryptographic security. Identity verifi-cation and the key of the general Arnold map depend on thecorrection of the shared EPR pairs using Bell’s theorem. Theshared EPR pairs and the key are used only once, as inthe secure one-time pad protocol. EPR pair effects, otherquantum mechanical effects and the cryptographic propertyof the chaotic map ensure security against some attacks, suchas the man-in-the-middle attack and Trojan horse attack.Furthermore, our scheme also improves the applicability ofquantum direct communication compared with the previousQSDC schemes.

Acknowledgement

This work is supported by the National Natural ScienceFoundation of China (Grant number 60573127); and is partlysupported by Hunan Natural Science Foundation of China.

1) C. H. Bennett and G. Brassard: Proc. IEEE Int. Conf. Computer,

Systems and Signal Processings, 1984, p. 175.

2) A. K. Ekert: Phys. Rev. Lett. 67 (1991) 661.

3) G. L. Long and X. S. Liu: Phys. Rev. A 65 (2002) 032302.

4) Y. Guo and G. H. Zeng: Commun. Theor. Phys. 47 (2007) 459.

5) Q. Zhang, X. B. Wang, Y. A. Chen, T. Yang, and J. W. Pan: Phys.

Rev. Lett. 96 (2006) 078901.

6) W. H. Kye and M. S. Kim: Phys. Rev. Lett. 96 (2006) 078902.

7) A. Beige, B. G. Englert, C. H. Kurtsiefer, and H. Weinfurter: Acta

Phys. Pol. A 101 (2002) 357.

8) Q. Y. Cai and B. W. Li: Chin. Phys. Lett. 21 (2004) 601.

9) Y. Guo and G. H. Zeng: Chin. Phys. 16 (2007) 2549.

10) Y. Guo and G. H. Zeng: Int. J. Quantum Inf. 5 (2007) No. 4, 146.

11) Z. J. Zhang and Z. X. Man: Phys. Lett. A 341 (2005) 55.

12) F. G. Deng and G. L. Long: Phys. Rev. A 69 (2004) 052319.

13) Q. Y. Cai and B. W. Li: Phys. Rev. A 69 (2004) 054301.

14) Y. Xia, C. B. Fu, F. Y. Li, S. Zhang, K. H. Yeon, and C. I. Um: J.

Korean Phys. Soc. 47 (2005) 753.

15) A. D. Zhu, Y. Xia, Q. B. Fan, and S. Zhang: Phys. Rev. A 73 (2006)

022338.

16) X. H. Li, F. G. Deng, and H. Y. Zhou: Phys. Rev. A 74 (2006)

054302.

17) J. Song, A. D. Zhu, and S. Zhang: Chin. Phys. 16 (2007) 0621.

18) H. Baenum: quan-ph/9910072.

19) T. Mihara: Phys. Rev. A 65 (2002) 052326.

20) M. Curty, D. J. Santos, and E. Perrez: Phys. Rev. A 66 (2002) 022301.

21) G. H. Zeng: Chin. J. Electron. 32 (2004) 1148.

22) G. H. Zeng and W. P. Zhang: Phys. Rev. A 61 (2000) 022303.

23) D. Ljungren, M. Bourennane, and A. Karlsson: Phys. Rev. A 62 (2000)

022305.

24) Y. G. Yang, Q. Y. Wen, and P. C. Zhu: Acta Phys. Sin. 54 (2005)

3995.

25) H. Lee, J. Lim, and H. J. Yang: Phys. Rev. A 73 (2006) 042305.

26) Z. J. Zhang, J. Liu, D. Wang, and S. H. Shi: Phys. Rev. A 75 (2007)

026301.

27) J. S. Bell: Physics (N.Y.) 1 (1965) 195.

28) E. A. Arnold and A. Avez: Ergodic Problems of Classical Mechanics

(Benjamin, New Jersey, 1968) pp. 156–234.

29) Z. G. Ma and S. S. Qiu: J. Chin. Inst. Commun. 24 (2003) No. 2, 51.

30) R. S. Huang: Chaos and its Application (Wuhan University Press,

Wuhan) pp. 151–163.

31) S. S. Qiu, Y. F. Chen, M. Wu, and Z. G. Ma: J. Circuit Syst. 11 (2006)

No. 1, 98.

32) E. Biham, B. Huttner, and T. Mor: Phys. Rev. A 54 (1996) 2651.

J. Phys. Soc. Jpn., Vol. 76, No. 12 D. HUANG et al.

124001-4