Fault-tolerant controlled deterministic secure quantum communication using EPR states against collective noise

Abstract

This paper proposes two new fault-tolerant controlled deterministic secure quantum communication (CDSQC) protocols based only on Einstein–Podolsky–Rosen (EPR) entangled states. The proposed protocols are designed to be robust against the collective-dephasing noise and the collective-rotation noise, respectively. Compared to the existing fault-tolerant controlled quantum communication protocols, the proposed protocols not only can do without a quantum channel between the receiver and the controller as the state-of-the-art protocols do, but also have the advantage that the number of quantum particles required in the CDSQC protocols is reduced owing to the use of the simplest entangled states.

Appendix: formal security model

This appendix uses the adversarial model to analyze the public discussion between the controller and Alice in Step 2. Note that the security of the public discussion between Alice and Bob in Step 4 is the same as the one between the controller and Alice, and hence we omit that in the following description.

1.1 Formal security model

The security model of the interactions between an adversary and the protocol participants occurs only via oracle queries which model the adversary’s capabilities in a real attack. Let A denote Alice, C denote the controller, and P is the public discussion they participate. The participants of P can launch more than one instance. Here, we allow a probabilistic polynomial time (PPT) adversary \(\mathscr {A}\) to potentially control all the communication in the network via accessing to a set of oracles as defined below. Let \(A^{i}\) denotes the instance i of A. \(C^{\text {j}}\) is the instance j of C.

• Execute(\(A^{i}\),\(C^{j}\)) The query models the passive attack. An adversary can obtain all messages exchanged between \(A^{i}\) and \(C^{\text {j}}\).

• Reveal(\(A^{i}\)) In this query model, if the oracle has accepted, it returns the secret quantum state between \(A^{i}\) and \(C^{\text {j}}\) to the adversary; otherwise, it returns the null value to the adversary.

• Send(\(A^{i}/C^{j},m\)) This query models an active attack. It returns the information corresponded to an input m that \(A^{i}\) or \(C^{\text {j}}\) would send to each other.

• Corrupt(\(A^{i}\),a) This query models corruption capability of the adversary. If \(a=0\), it returns a null value; otherwise, it returns the secret quantum states between \(A^{i}\) and \(C^{\text {j}}\).

• Test(\(C^{j}\)) This query measures whether the public discussion is secure or not. By throwing an unbiased coin, b, if \(b=1\), it returns a random bit sequence with the same length as \(A^{i}\)’s measurement result. The query can only be called once.

In this model, we consider two kinds of adversaries. A passive adversary is allowed to issue the Execute and Test queries, and an active adversary is additionally allowed for sending the Send query.

1.2 Definitions of security

To demonstrate the security of the first public discussion, we will give the security definition as follows.

Definition 1

(Partnering) \(A^{i}\) and \(C^{\text {j}}\) are partnered, if they mutually authenticate each other.

Definition 2

(Freshness) An entity \(A^{i}\) with the partner \(C^{\text {j}}\) is freshness if the following two conditions hold:

1. (1)

   If it has accepted an measurement result \(MR\ne null\) and both the entity and its partner have not been sent a Reveal query.

2. (2)

   There is no Corrupt query has been asked before the query Send has been asked.

The advantage of the adversary \(\mathscr {A}\) is measured by the ability of distinguish a legal measurement result from a random value. We define Succ to be an event that \(\mathscr {A}\) correctly guesses the bit b , which is chosen in the Test query. Hence, the advantage of \(\mathscr {A}\) in the attacked scheme P is defined as: \(Adv_{P}\left( \mathscr {A}\right) =\left| 2\times Pr\left[ Succ\right] -1\right| \). We argue that the public discussion P1 is secure, as \(Adv_{P1}\left( \mathscr {A}\right) \) is negligible. Precisely, the adversary \(\mathscr {A}\) does not have any advantage to obtain the correct measurement result between the participants.

1.3 Security analysis

In the following description, we show that the public discussion, P, holds several security properties, which are required for a secure quantum cryptographic public discussion. Let the maximum advantage of the adversary with running time Tm be for a certain task denoted as \(Adv_{Task}\left( Tm\right) \). The following advantages will be used in the analyses.

\(Adv_{Qubit}^{Clone}\left( Tm\right) \): The advantage for cloning a qubit.

\(Adv_{A}^{Forge}\left( Tm\right) \): The advantage for impersonate himself/herself as Alice (A).

Lemma 1

The advantage for cloning a qubit, \(Adv_{Qubit}^{Clone}\left( Tm\right) \), is negligible.

Proof

The quantum no-cloning theory has already been well proven in several researches [47]. Here, we show the decoherence-free states also satisfy this theory. Assume that for every pair of input qubits \(q_{i}q_{j}\) with an arbitrary state, there exists a clone operation U. The clone operation can be defined as follows:

$$\begin{aligned} \begin{array}{lll} U\left| 01\right\rangle _{ij}\left| ee\right\rangle _{kl} &{} = &{} \left| 01\right\rangle _{i}\left| 01\right\rangle _{kl}\\ U\left| 10\right\rangle _{ij}\left| ee\right\rangle _{kl} &{} = &{} \left| 10\right\rangle _{i}\left| 10\right\rangle _{kl}\\ U\left| \Psi ^{+}\right\rangle _{ij}\left| ee\right\rangle _{kl} &{} = &{} \left| \Psi ^{+}\right\rangle _{ij}\left| \Psi ^{+}\right\rangle _{kl}, \end{array} \end{aligned}$$

(9)

where \(\left| ee\right\rangle _{kl}\) denotes the output state, and \(\left| ee\right\rangle \) is an arbitrary initial state. Because \(\left| \Psi ^{+}\right\rangle _{ij}=\frac{1}{\sqrt{2}}\left( \left| 01\right\rangle +\left| 10\right\rangle \right) _{ij}\), it implies that \(U\left| \Psi ^{+}\right\rangle _{ij}\left| ee\right\rangle _{o}=\) \(\frac{1}{\sqrt{2}}\left( U\left| 01\right\rangle _{ij}\left| ee\right\rangle _{kl}\right. \) \(\left. +U\left| 10\right\rangle _{ij}\left| ee\right\rangle _{kl}\right) =\) \(\frac{1}{\sqrt{2}}\left( \left| 01\right\rangle _{i}\left| 01\right\rangle _{kl}+\left| 10\right\rangle _{i}\left| 10\right\rangle _{kl}\right) \). However, \(U\left| \Psi ^{+}\right\rangle _{ij}\left| ee\right\rangle _{kl}=\) \(\left| \Psi ^{+}\right\rangle _{ij}\left| \Psi ^{+}\right\rangle _{kl}=\) \(\frac{1}{2}\left( \left| 0101\right\rangle +\left| 0110\right\rangle +\left| 1001\right\rangle +\left| 1010\right\rangle \right) _{ijkl}\), which is not equal to \(\frac{1}{\sqrt{2}}\left( \left| 01\right\rangle _{i}\left| 01\right\rangle _{kl}+\left| 10\right\rangle _{i}\left| 10\right\rangle _{kl}\right) \). The contradiction shows that the qubits cannot be cloned. \(Adv_{Qubit}^{Clone}\left( Tm\right) \) is negligible.

Lemma 2

Suppose that there exists an attacker \(\mathscr {A}\), who impersonates as Alice (A) with the running time Tm in the public discussion. Then, the advantage of \(\mathscr {A}\), \(Adv_{A}^{Forge}\left( Tm\right) =Adv_{Qubit}^{Clone}\left( Tm\right) \).

Proof

Suppose that \(\mathscr {A}\) impersonates as Alice. In Step 1 of the proposed scheme, the controller sends a quantum sequence to Alice and discusses the decoy photons with Alice in Step 2. If \(\mathscr {A}\) can successfully impersonate as Alice, then she can send her fake photon to Alice, and the controller cannot detect the problem.

When the controller sends the qubit sequence \(S_{12}\) to Alice, \(\mathscr {A}\) constructs an attack \(\beta \) to clone every qubit in \(S_{12}\). The sequence of the cloning outputs is denoted as \(\hat{S_{12}}\). Then, \(\beta \) sends the original sequence \(S_{12}\) to Alice. Alice will acknowledge the controller that she has received the qubits. Then, the controller will announce the bases and positions of the decoy photons to Alice. Alice will select the corresponding qubits from \(S_{12}\) and measure them in the bases the controller announced. Alice then transmits all the measurement results to the controller, and he/she can compare the measurement results and his/her initial states of decoy photons to detect the existence of the eavesdroppers. Because these public classical communications are transmitted via the authenticated channel shared between Alice and the controller, \(\beta \) cannot forge or modify them. Here, \(\beta \)’s goal is to successfully clone the qubits from \(S_{12}\) to \(\hat{S_{12}}\). \(\beta \) runs a subroutine and simulates its attack environment and gives all the required public parameters to \(\mathscr {A}\). Without losing the generality, assume that \(\mathscr {A}\) does not ask queries on the same message more than once. \(\beta \) maintains a list \(L_{CloneQubit}\) to ensure identical responding and avoid collision of the queries. \(\beta \) simulates the oracle queries of \(\mathscr {A}\) as follows:

• Send query: The send query is classified into the following types:

• Send\(\left( C^{j},S_{12}\right) \): \(\beta \) clones every qubits in the quantum sequence \(S_{12}\), and forms the output qubits as a new sequence \(\hat{S_{12}}\). \(\beta \) returns \(\hat{S_{12}}\) to \(\mathscr {A}\).

• Send\(\left( A^{i},ok\right) \): Alice sends the acknowledgment to the controller for receiving qubits. \(\beta \) direct pass the collected information to \(\mathscr {A}\).

• Send\( \left( TC,pos \& bases\right) \): The controller announces the positions and bases of the decoy photons to Alice. \(\beta \) direct pass the collected information to \(\mathscr {A}\).

• Send\(\left( C^{i},mr\right) \): Alice sends the measurement results to the controller. \(\beta \) stores these results for the test query.

• Execute-query: When \(\mathscr {A}\) asks for an Execute(\(A^{i}\),\(C^{j}\)) query, \(\beta \) returns the transcript \( \left\langle \hat{S_{12}},\text{ Send }\left( A^{i},ok\right) ,\text{ Send }\left( C^{j},pos \& bases\right) \right\rangle \) to \(\mathscr {A}\) by using the simulation of send query.

• Test query: When \(\mathscr {A}\) makes the test query, if the query is not asked in the first session, then \(\beta \) will abort it; otherwise, \(\beta \) randomly chooses a bit b. If \(b=0\), \(\beta \) returns the value of Send\(\left( A^{i},mr\right) \); otherwise, \(\beta \) returns a random string to \(\mathscr {A}\). The adversary has to distinguish the random string from a legal measurement result. In order to do that, if the quantum could be cloned, \(\mathscr {A}\) can measure the qubits from \(\hat{S_{12}}\) by using the positions and bases obtained from the query Send\( \left( C^{j},pos \& bases\right) \). Then, the adversary can successfully get the legal measurement results, and hence the random string and the legal measurement results can be distinguished. Hence, the adversary’s advantage, \(Adv_{Alice}^{Forge}\left( Tm\right) =Adv_{Qubit}^{Clone}\left( Tm\right) \).