CHIN. PHYS. LETT. Vol. 29, No. 11 (2012) 110305
Cryptanalysis and Improvement of a Quantum Network System of QSS-QDC
Using 𝜒-Type Entangled States *
GAO Gan(高干)1** , FANG Ming(方鸣)2 , CHENG Mu-Tian(程木田)3
1
Department of Electrical Engineering, Tongling University, Tongling 244000
2
Jiang Huai College of Anhui University, Hefei 230031
3
School of Electrical Engineering and Information, Anhui University of Technology, Maanshan 243002
(Received 31 May 2012)
In the paper [Chin. Phys. Lett. 29 (2012) 050303] of Hong et al., two quantum secret sharing protocols were proposed. We study the security of the second protocol and find that it is insecure. Acting as the communication
center, Trent may eavesdrop Alice’s secret messages without introducing any error. Finally, a feasible improvement of the second protocol is given.
PACS: 03.67.Dd, 03.67.Hk, 03.67.−a
DOI: 10.1088/0256-307X/29/11/110305
Quantum key distribution (QKD) allows two separate parties, the sender Alice and the receiver Bob,
to share a secret key over a long distance. Different
from classical key distribution, it can offer unconditionally secure communication. In 1984, Bennett and
Brassard proposed the first QKD protocol[1] by using
four quantum states. Since then, QKD has attracted
much attention and all kinds of QKD protocols[2−10]
have been proposed. Of course, not only QKD
has progressed quickly, but also other cryptographic
tasks have been given, such as quantum teleportation (QT),[11] quantum secure direct communication
(QSDC),[12−14] and quantum secret sharing (QSS).
The first QSS protocol,[15] which uses three- and fourparticle Greenberger–Horne–Zeilinger (GHZ) states,
was proposed by Hillery, Buzk and Berthiaume in
1999. This protocol has elegantly shown the essence
of QSS, in which a secret message is split into several
pieces by a boss, and each agent holds a piece, and no
subset of agents is sufficient to extract the boss’s secret message, but the entire set is. Up to now, plenty
of theoretical and experimental QSS protocols[16−33]
have been designed. Not only has the QSS protocol
design attracted a great deal of attention, but also its
security analysis[34] . In general, the security analysis
of a QSS protocol is more complicated than those of
QKD and QSDC protocols. In a QSS protocol, not all
of the participants are credible, and a dishonest participant has more power to attack the protocol than
an outside eavesdropper. Thus, we should pay more
attention to the attack of a participant when designing
a QSS protocol.
Recently, Hong et al.[33] used 𝜒-type entangled
states[35] to propose two novel QSS protocols. For
the sake of simplicity, hereafter we will call them the
HHLY1 protocol and HHLY2 protocol, respectively.
In HHLY1 protocol, we see that there are three par-
ticipants, Trent, Bob and Charlie, and Trent shares
his secret with Bob and Charlie. In the HHLY2 protocol, there are four, Trent, Alice, Bob and Charlie,
and Trent acts as a communication center and creates quantum channels among legitimate users, and
lets Alice share her secret with Bob and Charlie. Obviously, the HHLY2 protocol is more interesting than
the HHLY1 protocol. Hong et al. claimed that the
HHLY2 protocol is secure after its security under several kinds of attacks was proved. However, this is
not a fact. In this Letter, we give a special attack
strategy on the HHLY2 protocol. Before giving it, we
provide a brief review of the HHLY2 protocol[33] as follows: (1) Trent produces 𝑁 𝜒-type entangled states,
and divides them into four sequences: AT-sequence,
B-sequence, T-sequence, C-sequence. He sends ATsequence to Alice with decoy qubits 𝑎𝑡, and sends Bsequence to Bob with decoy qubits 𝑏, and sends Csequence to Charlie with decoy qubits 𝑐, and keeps
T-sequence with him. After confirming that the three
sequences have been received, they start to check the
security of the sequence transmissions. Trent publicly announces the positions and states of qubits 𝑎𝑡,
𝑏 and 𝑐. Alice, Bob and Charlie measure their decoy
qubits using the same basis as Trent used to determine the error rate of the quantum channels. If this
exceeds the threshold, the communication is aborted.
Otherwise, the process is continued. (2) Alice encrypts her messages by performing four unitary operations (𝑈00 = |0⟩⟨0| + |1⟩⟨1|, 𝑈01 = |0⟩⟨1| + |1⟩⟨0|,
𝑈10 = |0⟩⟨1| − |1⟩⟨0|, 𝑈11 = |0⟩⟨0| − |1⟩⟨1|) on ATsequence. Then she sends AT-sequence back to Trent
with decoy qubits 𝑎𝑡′ . (3) After confirming that Trent
has received AT-sequence, Alice announces the positions and initial state of decoy qubits 𝑎𝑡′ . Trent measures the corresponding qubits using a proper basis
and determines the error rate of the quantum chan-
* Supported
by the National Natural Science Foundation of China under Grant Nos 11205115 and 11004001.
author. Email: gaogan0556@163.com
© 2012 Chinese Physical Society and IOP Publishing Ltd
** Corresponding
110305-1
CHIN. PHYS. LETT. Vol. 29, No. 11 (2012) 110305
nels. If the error rate exceeds the threshold of the
channel, the communication is aborted. Otherwise,
the process continues. (4) Trent performs a Bell state
measurement on qubits 𝐴𝑇 and 𝑇 , and announces his
measurement outcomes. (5) Bob and Charlie measure qubits in B-sequence and C-sequence with the
{|0⟩, |1⟩} basis, respectively. If Bob and Charlie collaborate, they can get Alice’s secret message.
In the HHLY2 protocol, Trent acts as a communication center, similar to a telephone company,
a server, etc. Whether he can eavesdrop Alice’s
secret messages is not discussed in Ref. [33]. In
fact, this should be discussed. Reviewing previous
papers,[36−40] we see whether the communication center (the telephone company, the server, etc.) in them
can eavesdrop secret messages and are all discussed.
Moreover, it is known that if the communication center can obtain secret messages without being detected,
the designed protocol is insecure in essence. Next,
we show that the HHLY2 protocol is not secure since
Trent can eavesdrop Alice’s secret messages without
introducing any error. His attack strategy is described
in detail as follows: in step (1), Trent produces not
only 𝑁 𝜒-type entangled states,
√ but also 𝑁 Bell states
−
𝜓12
= (|0⟩1 |1⟩2 − |1⟩1 |0⟩2 )/ 2. He takes out qubit 1
from each Bell state to form 1-sequence, and the remaining qubits 2 form 2-sequence. Trent inserts decoy
qubits 𝑎𝑡 not into AT-sequence, but 2-sequence. Then,
he sends 2-sequence, instead of AT-sequence, to Alice.
Alice does not know that the sequence she receives is
a fake one at all. After Trent announces the positions
and states of decoy qubits 𝑎𝑡, she uses a corresponding basis to measure each decoy qubit. As a matter
of fact, she and Trent are checking the security of 2sequence transmission, which is known by only Trent.
After checking the security, Alice encrypts her secret
messages by performing four unitary operations on 2sequence. Afterward, she inserts decoy qubits 𝑎𝑡′ to
2-sequence and sends it back to Trent. After Trent
receives it, he and Alice start to analyze whether the
traveling of 2-sequence from Alice to him is attacked.
In order to do this, Alice needs to announce the positions and the states of decoy qubits 𝑎𝑡′ . Since knowing
the positions, Trent gets rid of decoy qubits 𝑎𝑡′ from
2-sequence and makes a Bell state measurement on
qubits 1 and 2. Thus he easily gets Alice’s unitary operation. Then Trent performs the eavesdropped unitary operation on qubit 𝐴𝑇 , and performs a Bell state
measurement on qubits 𝐴𝑇 and 𝑇 , and announces his
measurement outcome.
Through the above analysis, we conclude that the
HHLY2 protocol is insecure. The reason that its security leak exists is that the process of judging whether
Trent is credible does not appear, in other words, Alice has no ability to prevent Trent from eavesdropping. If she adds this aspect of ability, the protocol
will become secure. In what follows, we give a modified HHLY2 protocol that can withstand the above
attack.
(1) Trent produces 𝑁 𝜒-type entangled states
|𝜒00 ⟩𝑎𝑐𝑏𝑑 , where each is is equivalent to |𝜒00 ⟩𝑎𝑏𝑐𝑑
shown in Ref. [7]. He takes particle 𝑏 from |𝜒00 ⟩𝑎𝑐𝑏𝑑
to form B-sequence [𝑃1𝑏 , 𝑃2𝑏 , 𝑃3𝑏 , . . . , 𝑃𝑁𝑏 ], and particle
𝑑 to form D-sequence [𝑃1𝑑 , 𝑃2𝑑 , 𝑃3𝑑 , . . . , 𝑃𝑁𝑑 ], and the
remaining partner particles 𝑎, 𝑐 form AC-sequence
[𝑃1𝑎 , 𝑃1𝑐 , 𝑃2𝑎 , 𝑃2𝑐 , . . . , 𝑃𝑁𝑎 , 𝑃𝑁𝑐 ]. In addition, Trent produces three batches of decoy particles (𝑏′ , 𝑑′ and 𝑎𝑐′ ),
where each decoy particle is randomly in one of |0⟩,
|1⟩, |+⟩, and |−⟩. Then he inserts 𝑏′ , 𝑑′ and 𝑎𝑐′ batches
into B-sequence, D-sequence and AC-sequence, respectively, and sends B-sequence, D-sequence and ACsequence to Bob, Charlie and Alice, respectively. By
the way, here the block transmission[12] is employed.
Subsequently, the method that checks the securities of
the three channels by measuring decoy particles is the
same as that in Ref. [33].
(2) Alice secretly picks out some particles 𝑎, 𝑐 from
AC-sequence and randomly uses BMB1 basis, BMB2
basis (the two sets of bases were defined in Ref. [7]), 𝜎𝑧
basis or 𝜎𝑥 basis to measure particles 𝑎, 𝑐. Then she
publishes the positions of the picked particles 𝑎, 𝑐 in
AC-sequence and requires Bob and Charlie to send the
corresponding particle 𝑏 and particle 𝑑 to her. Based
on the measuring outcome on particles 𝑎, 𝑐, Alice selects the correct measuring basis (this basis is PMB1
or PMB2 that was defined in Ref. [7], 𝜎𝑧 or 𝜎𝑥 basis) to measure particles 𝑏 and 𝑑. The result being
that she can judge whether particles 𝑎, 𝑏, 𝑐 and 𝑑 are
in |𝜒00 ⟩𝑎𝑐𝑏𝑑 . Next, Alice encrypts her messages by
performing unitary operations on particles 𝑎 in ACsequence. Afterwards, she inserts the prepared 𝑎𝑐′′
batch of decoys particles to AC-sequence, and sends
AC-sequence back to Trent. By virtue of the 𝑎𝑐′′ decoy particles, the security that AC-sequence travels
from Alice to Trent can be judged.
±
±
±
(3) Trent uses {|Ψ ±
1 ⟩, |Φ1 ⟩} basis or {|Ψ2 ⟩, |Φ2 ⟩}
basis to measure particles 𝑎 and 𝑐, and publishes his
measurement outcome. According to the measurement outcome, Bob and Charlie select the appropriate
basis to measure their respective particles. If only Bob
and Charlie collaborate, they can deduce Alice’s secret
messages.
So far, we have successfully proposed a modified
HHLY2 protocol, in which there exists a process that
Alice checks whether the shared particles 𝑎, 𝑏, 𝑐 and 𝑑
are in a |𝜒00 ⟩𝑎𝑐𝑏𝑑 . This process is very important and
can force Trent to really provide |𝜒00 ⟩𝑎𝑐𝑏𝑑 for Alice,
Bob and Charlie. Implementing this process, Alice
uses some clever methods as follows: employing four
sets of measuring basis, secretly reserving measuring
outcomes, only publishing the positions, and measuring the corresponding particles received. By the way,
110305-2
CHIN. PHYS. LETT. Vol. 29, No. 11 (2012) 110305
for proof that this process is effective refer to Ref. [7].
As long as it is confirmed that particles 𝑎, 𝑏, 𝑐 and
𝑑 are in a |𝜒00 ⟩𝑎𝑐𝑏𝑑 , Trent can not perform the above
attack and has no choice but to trustily act as a communication center. In addition, we see that several
batches of decoy particle are used in our modified protocol, which can ensure that B-sequence, D-sequence
and AC-sequence are transmitted safely. Also the
method using decoy particles to check eavesdropping
is employed in the HHLY2 protocol, in fact, it is equivalent to the security checking in Ref. [1]. Therefore, we
conclude that, by virtue of decoy particles, both the
HHLY2 protocol and our modified protocol are secure
against the eavesdropping of the outside eavesdropper.
However, the most powerful eavesdropping is from an
inside dishonest participant. In the HHLY2 protocol
and our modified protocol, the communication center Trent is one of the participants, and whether he
is honest or not should be checked. We see that this
checking is not detected in the HHLY2 protocol. In
our modified protocol, it has been clearly set up. This
is the biggest difference between the two protocols.
In summary, we have analyzed the security of the
HHLY2 protocol and propose an effective attack on
it. Using this attack, the communication center Trent
may freely eavesdrop Alice’s secret messages without
being detected. Also we analyze the deep reason why
the HHLY2 protocol is insecure. Finally, a feasible
improvement to the HHLY2 protocol is given.
References
[1] Bennett C H and Brassard G 1984 Proc. IEEE Int. Conf.
Comput. Syst. Signal Processings (Bangalore India) (New
York: IEEE) P 175
[2] Ekert A K 1991 Phys. Rev. Lett. 67 661
[3] Bennett C H, Brassard G and Mermin N D 1992 Phys. Rev.
Lett. 68 557
[4] Deng F G and Long G L 2003 Phys. Rev. A 68 042315
[5] Li X H, Deng F G and Zhou H Y 2008 Phys. Rev. A 78
022321
[6] Gao G 2008 Opt. Commun. 281 876
[7] Gao G 2010 Phys. Scr. 81 065005
[8] Zhu C H, Pei C X, Quan D X, Gao J L, Chen L and Yi Y
H 2010 Chin. Phys. Lett. 27 090301
[9] Li C Y and Li Y S 2011 Chin. Phys. Lett. 28 120306
[10] Wang J, Zhang S, Zhang Q and Tang C J 2011 Chin. Phys.
Lett. 28 100301
[11] Bennett C H, Brassard G, Crepeau C, Jozsa R, Peres A and
Wootters W K 1993 Phys. Rev. Lett. 70 1895
[12] Long G L and Liu X S 2002 Phys. Rev. A 65 032302
[13] Man Z X and Xia Y J 2007 Chin. Phys. Lett. 24 15
[14] Piotr Z 2012 Chin. Phys. Lett. 29 010301
[15] Hillery M, Buzk V and Berthiaume A 1999 Phys. Rev. A
59 1829
[16] Karimipour V and Bahraminasab A 2002 Phys. Rev. A 65
042320
[17] Guo G P and Guo G C 2003 Phys. Lett. A 310 247
[18] Li Y M, Zhang K S and Peng K C 2004 Phys. Lett. A 324
420
[19] Deng F G, Li X H, Zhou H Y and Zhang Z J 2005 Phys.
Rev. A 72 044302
[20] Yan F L and Gao T 2005 Phys. Rev. A 72 012304
[21] Wang H F, Ji X and Zhang S 2006 Phys. Lett. A 358 11
[22] Deng F G, Li X H, Li C Y, Zhou P and Zhou H Y 2006
Phys. Lett. A 354 190
[23] Li X H, Zhou P, Li C Y, Zhou H Y and Deng F G 2006 J.
Phys. B: At. Mol. Opt. Phys. 39 1975
[24] Liu W T, Liang L M, Li C Z and Yuan J M 2006 Chin.
Phys. Lett. 23 3148
[25] Zhang Z J, Gao G, Wang X, Han L F and Shi S H 2007
Opt. Commun. 269 418
[26] Yan F L, Gao T and Li Y C 2008 Chin. Phys. Lett. 25 1187
[27] Deng F G, Li X H and Zhou H Y 2008 Phys. Lett. A 372
1957
[28] Guo Y, Huang D Z, Wen K, Zeng G H and Lee M H 2008
Chin. Phys. Lett. 25 16
[29] Gao G 2009 Commun. Theor. Phys. 52 421
[30] Zhu Z C and Zhang Y Q 2010 Chin. Phys. Lett. 27 060303
[31] Hao L, Li J L and Long G L 2010 Sci. Chin. Phys. Mech.
Astron. 53 491
[32] Shi R H, Huang L S, Yang W and Zhong H 2011 Chin.
Phys. Lett. 28 050303
[33] Hong C H, Heo J O, Lim J and Yang H 2012 Chin. Phys.
Lett. 29 050303
[34] Du M K, He B and Wang Y 2011 Chin. Phys. Lett. 28
010503
[35] Yeo Y and Chua W K 2006 Phys. Rev. Lett. 96 060502
[36] Li C Y, Zhou H Y, Wang Y and Deng F G 2005 Chin. Phys.
Lett. 22 1049
[37] Wang W Y, Wang C, Wen K and Long G L 2007 Chin.
Phys. Lett. 24 1463
[38] Wen X J, Liu Y and Zhou N R 2007 Opt. Commun. 275
278
[39] Guo Y, Shi R and Zeng G 2010 Phys. Scr. 81 045006
[40] Hong C H, Heo J O, Khym G L, Lim J, Hong S K and Yang
H J 2010 Opt. Commun. 283 2644
110305-3