Skip to main content

ORIGINAL RESEARCH article

Front. Phys., 13 July 2022
Sec. Quantum Engineering and Technology
This article is part of the Research Topic Multiparty Secure Quantum and Semiquantum Computations View all 19 articles

Authenticated Multiparty Quantum Key Agreement for Optical-Ring Quantum Communication Networks

Li-Zhen GaoLi-Zhen Gao1Xin Zhang
Xin Zhang2*Song Lin
Song Lin3*Ning WangNing Wang2Gong-De Guo
Gong-De Guo2*
  • 1College of Computer Science and Information Engineering, Xiamen Institute of Technology, Xiamen, China
  • 2College of Computer and Cyber Security, Fujian Normal University, Fuzhou, China
  • 3Digital Fujian Internet-of-Things Laboratory of Environmental Monitoring, Fujian Normal University, Fuzhou, China

Quantum communication networks are connected by various devices to achieve communication or distributed computing for users in remote locations. In order to solve the problem of generating temporary session key for secure communication in optical-ring quantum networks, a quantum key agreement protocol is proposed. In the key agreement protocols, an attacker can impersonate a legal user to participate in the negotiation process and eavesdrop the agreement key easily. This is often overlooked in most quantum key agreement protocols, which makes them insecure in practical implementation. Considering this problem, the function of authenticating the user’s identity is added in the proposed protocol. Combining classical hash function with identity information, we design the authentication operation conforming to the characteristics of quantum search algorithm. In the security analysis of the proposed protocol, quantum state discrimination is utilized to show that the protocol is secure against common attacks and impersonation attack. In addition, only single photons need to be prepared and measured, which makes our protocol feasible with existing technology.

1 Introduction

Communication is the exchange and transmission of information between people in a certain way. With the development of communication technology, people pay more attention to the privacy and security of data. In the present communication networks, RSA public key scheme is widely used for secure communication since it depends on the mathematical problem of large integer decomposition. However, the famous quantum factorization algorithm proposed by Shor [1] shows that this scheme is no longer safe. To ensure the security of communication, the research of quantum cryptography attracts people’s attention. In contrast to the security of classical cryptography that are based on the assumption of computational complexity, the security of quantum cryptography relies on quantum-mechanics principles, which makes it unconditionally secure in theory. Since the first quantum key distribution protocol (BB84 protocol) was proposed [2], people try to solve some secure communication tasks with quantum cryptography, including quantum key distribution(QKD) [24], and quantum secure direct communication (QSDC) [57].

In addition to key distribution, key agreement (KA) is another major method of key establishment and plays a key role in the field of cryptography. In a key agreement protocol, two or more users in communication networks can agree on temporary session keys to achieve secure communication. As a significant cryptographic primitive, key agreement is flexibly used in multiparty secure computing, access control, electronic auctions, and so on. However, as the concept of quantum computer was put forward, classical key agreement was found to be as vulnerable to quantum computation as classical key distribution. Therefore, quantum key agreement (QKA) has been naturally proposed and has recently become a new research hotspot.

In 2004, [8] proposed the first two-party QKA protocol, which was designed based on the correlation of measurement results of EPR pairs. Unfortunately, this protocol is insecure, as shown in Ref. [9]. That same year, [10] proposed a fair and secure two-party QKA protocol based on BB84. Afterwards, researchers expands the number of negotiators from two to multiple parties to fit the actual scenarios. [11] proposed the first multi-party QKA (MQKA) protocol with Bell states and entanglement exchange in 2013. But in the same year, [12] pointed out that the protocol was unfair, then proposed a new MQKA protocol with single photons. Later [13] introduced two unitary operations and proposed the circle-type MQKA to improve the execution efficiency. Since then, many scholars have used various properties of quantum mechanics to design a few subtle MQKA protocols [14,15].

Actually, these protocols are only theoretically secure. Once they are used in practice, they will inevitably encounter the same problem as classical key agreement, namely, the impersonation attack. That is, an attacker may impersonate a legal user to participant in the protocol. Moreover, in classical key agreement protocols [1619], the authentication of users is usually considered to protect against this particular attack. However, this is often overlooked in QKA. Although in some MQKA protocols, authentication of classical channels has been required to prevent classical messages from being tampered, message authentication is different from identity authentication. Therefore, in designing a secure QKA protocol, the authentication of users should be considered as in other authenticated quantum cryptographic protocols [2024].

In this paper, an authenticated MQKA protocol for optical-ring quantum networks is proposed. The result shows that when all users perform the protocol honestly, they can get the correct negotiation key simultaneously. According to our analysis, the protocol in the network is secure against both common attacks and impersonation attacks.

2 Preliminaries

2.1 Review of Communication Network

Let us start with a brief review of quantum communication networks. A communication network is a data link in which isolated individuals share resources and communicate through physical connections of various devices. The classical communication networks mainly consists of three parts: transmission, switching and terminal. According to the topological structure, it can be divided into bus, star, tree, ring and mesh types. Evidently, different types of networks are flexibly applied to different scenarios. This also provides the foundation for the study of quantum communication networks.

Similar to classical communication networks, quantum communication networks can be classified into four types in terms of topology, which are: a passive-star network, an optical-ring network, a wavelength-routed network, and a wavelength-addressed bus network [2527]. Among them, since the optical-ring topology is lower cost in the construction of the network, it is more conducive to promotion and studied by more people. In 2002, [28] have proposed an efficient multiuser quantum communication network, which can realize the QKD between arbitrary two users in the cascaded loop local networks. Inspired by them, we propose a multiparty quantum key agreement protocol in an optical-ring network.

Unlike the scheme of [28], the communication network in this paper only considers one loop, not a cascade. As shown in Figure 1, the network consist of three parts. 1) A third party. The third party is to facilitate communication between users on the network. 2) Users. Linked via coupled fibers and distributed in the communication network. 3) Switch. At each node, there is a “space optical switch”, which is usually closed. Whenever a session key is required to be established, the photons are transmitted through the optical fiber among all users.

FIGURE 1
www.frontiersin.org

FIGURE 1. An optical-ring quantum communication network. The third party and users of the network are linked with their loop by the coupled fibers. By the “space optical switch”, the photons can be received by the right users.

2.2 Review of Quantum Search Algorithm

Let us introduce Grover’s search algorithm [29], which is used in the protocol. Suppose that we want to search a target |φmn⟩ = |mn⟩, m, n ∈ {0, 1}, in the database of a set of two-qubit states, i.e.,

|φ̃xy=12|0+1y|1|0+1x|1,(1)

where x, y ∈ {0, 1}. In order to search the target, two specific unitary operations need to be performed on |φ̃xy. Namely, the phase reversal operation Umn = I − 2|φmn⟩⟨φmn| and the amplitude amplification operation Vxy=2|φ̃xyφ̃xy|I. After executing these two unitary operations, we get

VxyUmn|φ̃xy=|φmn.(2)

In this paper, since the global phase has no effect on results, it can be ignored.

In addition, the unitary operation Umn has two good properties, which have been used to design some quantum cryptographic protocols [30,31]. We suppose that a total of r operations of Umn are performed on a two-qubit state. On the one hand, when the number of r is odd, there is

UmrnrUm2n2Um1n1=Umn,(3)

where m = m1m2 ⊕⋯ ⊕ mr and n = n1n2 ⊕⋯ ⊕ nr, the symble ⊕ indicates bitwise Exclusive OR. In combination with Eq. 2, we know that the deterministic measurements can be obtained by single-particle measurement with basis MBZ = {|0⟩, |1⟩} at last. When the number of executions is even, there is

UmrnrUm2n2Um1n1|φ̃xy=|φ̃mn,(4)

where m = xm1m2 ⊕⋯ ⊕ mr and n = yn1n2 ⊕⋯ ⊕ nr. Then, the measurements can be obtained by single-particle measurement with basis MBX = {| + ⟩, | − ⟩}.

In our protocol, the user encodes his private input by unitary operation Umn. In addition, to assure that the protocol satisfies the characteristics of Grover’s algorithm after identity encoding, we design the identity encoding operations as U00 and U01U10 respectively. In the protocol, the user always encodes his identity information after private input encoding, that is, the encoded quantum state is U00Umn|φ̃xy or U01U10Umn|φ̃xy. Furthermore, there exists Um1n1Um2n2=Xm1m2,n1n2. So when the identity encode is U00, the private input stays the same. Otherwise, on the basis of Eq. 3, U01U10Umn=Um̄n̄, where m̄=m1,n̄=n1, which means the private input is flipped once.

3 Quantum Key Agreement Protocol With Identity Authentication

Now, let us describe the proposed quantum key agreement protocol for optical-ring quantum communication networks, which can realize the key negotiation between arbitrary N users in the networks. In this network, a third party P0 is semi-trusted, who can perform the operation Umn. Suppose there are M users in the network and any N of them perform the quantum key agreement. That is, the switches for N users are turned on at the proper time, while the switches for the remaining MN users are constantly off.

Without loss of generality, assume that the first N users participant in the negotiation, denoted as P1, P2, …, PN. They can not only perform the operations Umn and Vxy, but also have the ability to prepare and measure single particles. They want to negotiate a session key K with the help of P0, where K = S1S2 ⊕⋯ ⊕ SN, and Si is Pi’s private input with length of 2n. Furthermore, each user has an identity information IDi of length l. In order to ensure the legitimacy of these users’ identity, it is necessary for Pi(i = 1, 2, …, N) to complete the identity authentication with P0, who shares master key k̄i with Pi. It should be noted that the switches for PN, …, PM are always closed, i.e., photons can be transmitted directly from PN to P0. The general process of this protocol is shown in Figure 2.

FIGURE 2
www.frontiersin.org

FIGURE 2. (Color online) The detailed performance of the proposed protocol, in which different colored circles represent the particles prepared by different users.

In this quantum communication network, multi parties are connected by a quantum channel and a classical public channel. The quantum channel consists usually of an optical fiber. The classical channel, however, can be any communication link. Users and the third party can send classical messages via the classical channel, and these messages cannot be tampered with by anyone. That is, this transmitted classical message is required to be authenticated. Typically, the public classical channel can be achieved by broadcasting. However, it is worth noting that message authentication is different from identity authentication. So, we still need to verify the identity of each user. In the following, a description of the procedure for the protocol is given.

Step 1: P0 and Pi(i = 1, 2, …, N) generate a random sequence r0 and ri respectively and declare them through the classical channel. Then P0 selects a hash function f: 2 → 2n and declares it. P0 and each user calculate their authenticated message hi=fk̄i(IDirir0), where ∥ denotes string concatenation.

Step 2: Each user Pi(i = 1, 2, …, N) generates a random bit sequence Li = (li,1, li,2, …, li,2n) and Bi = (bi,1, bi,2, …, bi,2n) with length of 2n. In the process with Pi as an initiator, an ordered sequence Ti of n two-qubit states is prepared by Pi according to Li:

Ti=|φ̃li,1,li,2,|φ̃li,3,li,4,,|φ̃li,2n1,li,2n,(5)

where, the tth quantum state is |φ̃li,2t1,li,2t{|φ̃00,|φ̃01,|φ̃10,|φ̃11}.

Step 3: Pi performs the identity encoding operation on the tth quantum state of the sequence Ti according to the values of hi,t and bi,2t−1. Concretely, when hi,tbi,2t−1 = 0, Pi performs U00; otherwise, he performs U01U10. Then the encoded sequence is denoted as T̃i,i1, which is sent to the next user Pi⊞1 over the quantum channel, where ⊞ (⊟) represents addition (subtraction) module N + 1.

Step 4: At this point, Pi⊞1 opens his switch to receive the photons emitted by Pi. When Pi⊞1 receives the sequence T̃i,i1, he will perform corresponding operation to encode his own private input si⊞1,2t−1, si⊞1,2t. Namely, Pi⊞1 performs the unitary operation Usi1,2t1,si1,2t on the tth quantum state. After that, Pi⊞1 performs his identity encoding similar to Step 3, and sends the encoded particle string T̃i,i2 to the user Pi⊞2.

Step (g + 3) (g = 2, 3, , N): Similar to Steps 4 and 3, Pig encodes his private input and identity information. After that, he sends the encoded sequence T̃i,i(g+1) to Pi⊞(g+1). Notice that P0 knows the hash values of all users. When the sequence of particles is transmitted to P0, he calculate h0,t=i=1Nhi,t. Based on the result, P0 performs his identity encoding on the sequence. That is, if h0,t is 0, he performs U00; Otherwise, he performs U01U10.

Step (N + 4): When all users Pi(i = 1, 2, …, N) receive the sequence T̃i,i from Pi⊟1, they publish the random bit string Bi in random order. Then, Pi calculates B2t1=i=1Nbi,2t1(t=1,2,,n) and performs different operations as shown in follows.

1) When B2t−1 is 0, Pi measures the single photon with basis MBX directly to get the measurement result |φ̃wi,2t1,wi,2t, then he can extract the session key:

ki,2t1ki,2t=si,2t1si,2twi,2t1wi,2tli,2t1li,2t.(6)

2) When B2t−1 is 1, according to the classical bit sequence Li, the unitary operation Vli,2t1,li,2t is performed on the tth two-qubit state in the quantum sequence, then the particles are measured with basis MBZ to obtained the result |φwi,2t1,wi,2t. The agreement key is extracted as

ki,2t1ki,2t=si,2t1si,2twi,2t1wi,2t11.(7)

Obviously, each user Pi can obtain the agreement keys Ki = (ki,1, ki,2, ki,3, ki,4, …, ki,2N−1, ki,2N).

Step (N + 5): The eavesdropping detection process is executed. Namely, all users choose δn samples to detect whether malicious or forged users exist. Specifically, each user Pi randomly selects δnN samples from Ki, and declares these samples’ positions. Then, he requires the other users Pj(ji) to announce the corresponding part of Kj. Since only legitimate users know the correct hash values and make the hash values satisfy h0(i=1Nhi,t)=0, the users can get a consistent negotiation key by step (N + 4). Afterwards, Pi calculates the error rate according to his ki,m and the other users’ kj,m. That is, the number of inconsistencies in the sample as a proportion of the total sample size. If the error rate exceeds a certain threshold, the protocol is abandoned. Otherwise, the other users Pj(ji) perform similar actions. It should be noted that there are no common elements in the samples selected by all users. Finally, the remaining particles form their session key.

To illustrate the negotiation process more clearly, we give an example with (N = 3, M = 5). Similarly, we assume that P1, P2 and P3 are involved in key negotiation and the switches for P4 and P5 are always off. In this case, P1, P2 and P3 respectively hold secret inputs with length of 8 (i.e. n = 4), S1 = 01,101,011, S2 = 01,000,100, and S3 = 10,110,001 and identity information with length of 6, ID1 = 010,110, ID2 = 001,101, ID3 = 100,011. By the following steps, they can agree on a session key, K = S1S2S3.

In Step 1, each user Pi(i = 1, 2, 3) gets the random string ri. In addition, P0 generates r0. Then, they can obtain the hash values hi according to the selected hash function. In the next step, P1(P2, P3) generates two random 8-bit strings L1 and B1 (L2 and B2, L3 and B3). From L1(L2, L3), P1(P2, P3) prepares the single photons to obtain the two-particle sequence T1(T2, T3). The concrete values of these classical bit sequences are listed in Table 1.

TABLE 1
www.frontiersin.org

TABLE 1. The classical sequences of the example.

After that, they proceed to the encoding phase of the protocol. The process with P1 as the initiator is described in detail, where the sequence T1 is back to P1 after being encoded by all users. Concretely, in Step 3, P1 performs the unitary operations U00U00U01U10U01U10 to encode his identity information. Afterwards, P1 transmits the encoded sequence T̃1,2 to P2. When P2 receives the sequence from P1, he encodes his private input and identity information by performing unitary operations in Step 4, and sends to P3. Similarly, P3 also performs encoding operations. It is worth noting that the sequence T̃1,0 sent from P3 to P0 passes through P4 and P5. When P0 receives the sequence, he calculates h0 = 1,000, which means his operations are U01U10U00U00U00. After that, P0 sends the encoded sequence to P1. Obviously, the transmission process of particle sequences, which are prepared by P2 and P3, is similar to the above process. The variations of quantum states in three sequences are shown in Table 2. In Step 7, when all users receive the travelling particles T̃1,1,T̃2,2,T̃3,3, they make the random strings Bi public in random order. P1 (P2, P3) calculates B2t−1 = 0,010. Therefore, P1 (P2, P3) performs IIV11I (IIV01IIIV11I). After that, they measure with appropriate measurement basis. By corresponding calculation, they get K1, K2, K3 respectively. Apparently, if there is no eavesdropping, K1 = K2 = K3 = 10,011,110.

TABLE 2
www.frontiersin.org

TABLE 2. Change of the particle sequences during the encoding phase of the three-user protocol.

4 Analysis of the Protocol

For a quantum key agreement protocol, it is generally required to satisfy correctness and security, regardless of the structure of the communication network. That is, all users can get the correct session key by executing the protocol. Security, on the other hand, implies that no attacker can obtain any information about the session key without being detected. Analysis shows that it can resist not only common external and internal attacks, but also impersonation attack.

4.1 Correctness

Obviously, with the example of three users in previous section, we can easily know that the session keys obtained by all users are equal. In this section, we will give a more rigorous proof to give a more convincing conclusion.

Without loss of generality, the session key derived from the tth quantum state is taken as an example. That is, we discuss whether or not the following equation holds:

k1,2t1k1,2t=k2,2t1k2,2t==kN,2t1kN,2t.(8)

In the protocol, in order to obtain k1,2t−1k1,2t, P1 prepares the initial quantum state |φ̃l1,2t1,l1,2t in Step 2. After that, P1 and the other users perform their encoding operations on that quantum state in turn. For the sake of simplicity, let the identity of Pi be Oi,t, where, Oi,t = hi,tbi,2t−1 when i ≠ 0; O0,t=h0,t=j=1Nhj,t when i = 0. Thus, in step (N + 4), the quantum state received by P1 is in:

UO0,tUON,tUsN,2t1,sN,2tUO3,tUs3,2t1,s3,2tUO2,tUs2,2t1,s2,2tUO1,t|φ̃l1,2t1,l1,2t.(9)

In the protocol, when Oi,t = 0, UO0,t=U00; when UOi,t=1, UOi,t=U01U10. Then, the parity times of the unitary operations Uxy performed by the users are

C=O1,tO2,tON,tO0,t.(10)

By calculation, we get

C=i=1Nbi,2t1.(11)

Obviously, C = B2t−1. So, in the protocol, the users can get the number of operations performed on the quantum state by calculating B2t−1. Where, when C = 0, the unitary operation is executed an even number of times; otherwise, it is executed an odd number of times.

Due to the good reciprocity of the unitary operation Uxy, Eq. 9 can be rewritten as:

UO0,tUON,tUO3,tUO2,tUO1,tUsN,2t1,sN,2tUs3,2t1,s3,2tUs2,2t1,s2,2t|φ̃l1,2t1,l1,2t.(12)

In addition, since UxyUxy = I, the identity encoding operation UO0,tUON,tUO3,tUO2,tUO1,t has the following conclusion. When C = 0, there are

UO0,tUON,tUO3,tUO2,tUO1,t=I.(13)

When C = 1, we get:

UO0,tUON,tUO3,tUO2,tUO1,t=U11orU01U10.(14)

So, Eq. 12 is equivalent to

UsN,2t1,sN,2tUs2,2t1,s2,2t|φ̃l1,2t1,l1,2t,(15)

and

U11UsN,2t1,sN,2tUs2,2t1,s2,2t|φ̃l1,2t1,l1,2t,(16)

or

U01U10UsN,2t1,sN,2tUs2,2t1,s2,2t|φ̃l1,2t1,l1,2t.(17)

Therefore, the user P1 can perform different operations to extract the session key depending on the number of unitary operations.

As mentioned in Step (N + 4) of the protocol, when the number of unitary operations is even, according to Eq. 4, P1 directly measures the quantum state as in Eq. 15 with MBX to obtain |φ̃w1,2t1,w1,2t. From Eq. 6, we can obtain

k1,2t1k1,2t=s1,2t1s1,2tw1,2t1w1,2tl1,2t1l1,2t=s1,2t1s1,2ts2,2t1s2,2tsN,2t1sN,2t.(18)

When the number of unitary operations is odd, according to Eqs. 2 and 3, P1 needs to perform the unitary operation Vl1,2t1,l1,2t on the quantum state of Eq. 16 or Eq. 17, and then use MBZ to obtain the result |φw1,2t1,w1,2t. In terms of Eq. 7, the agreement key is extracted as follows.

k1,2t1k1,2t=s1,2t1s1,2tw1,2t1w1,2t11=s1,2t1s1,2ts2,2t1s2,2tsN,2t1sN,2t.(19)

Apparently, the agreement key is the sum of the private inputs of all users regardless of whether the number of operations is odd or even. Similarly, the quantum state |φ̃li,2t1,li,2t prepared by user Pi is obtained after being encoded by other users as

UOi1,tUsi1,2t1,si1,2tUO0,tUON,tUsN,2t1,sN,2tUOi1,tUsi1,2t1,si1,2tUOi,t|φ̃li,2t1,li,2t.(20)

In the same way, the user Pi can obtain

ki,2t1ki,2t=si,2t1si,2twi,2t1wi,2tli,2t1li,2t=s1,2t1s1,2ts2,2t1s2,2tsN,2t1sN,2t.(21)

or

ki,2t1ki,2t=si,2t1si,2twi,2t1wi,2t11=s1,2t1s1,2ts2,2t1s2,2tsN,2t1sN,2t.(22)

From Eqs. 18 and 21 or Eqs. 19 and 22, it is shown that all users receive the same agreement key, i.e., Eq. 8 holds. Therefore, the proposed protocol is correct.

4.2 Security

In this section, we analyze the security of the proposed protocol in the optical-ring quantum communication network. It not only proves that the protocol is secure against common external attacks and internal attacks, but also proves that impersonation attacks are also ineffective for this protocol.

4.2.1 External Attacks

Assuming Eve is an external attacker, who may try her best to eavesdrop on the private input Si, the session key K or the master key k̄i without being detected. Next, we will discuss these three cases.

Case 1: Eavesdropping user’s private input.

In the proposed protocol, each user has a private input. Since the private input constitutes the final session key, it is evident that it should be kept secret from others. Subsequently, we discuss that how Eve eavesdrops on the secret input of users.

During the process of the protocol, each user performs three operations: particle preparation, encoding private input and identity information, and single-particle measurement. Obviously, the disclosure of users’ private inputs only occurs after the encoding operations. So, Eve’s attacks mainly take place in the transmission of the particle sequence. In the following, we will consider two common attacks: intercept-resend attack and entangle-measure attack.

Intercept-resend attack. Eve firstly intercepts the particle sequence sent from Pj, and measures it. Based on the measurements, Eve re-prepares the sequence to send to Pj⊞1. In this way, Eve hopes to obtain the private input without being detected. However, this is impossible. In the protocol, the carrier particles after different encoding operation numbers belong to two sets of non-orthogonal states, which are in

|++,|+,|+,|,(23)

or

12|00|01|10|11,12|00|01+|10+|11,12|00+|01|10+|11,12|00+|01+|10|11,(24)

where, the second set can be converted into {|00⟩, |01⟩, |10⟩, |11⟩} after the unitary operation Vxy. The identity encoding of user is determined by both hash values hj and random numbers Bj. Until step (N + 4) of the protocol, Eve does not know the value of Bj. Therefore, she can only perform random operations to obtain the information. That is, she randomly chooses the measurement base. Evidently, the probability that Eve selects a right measurement basis is approximately 50%. Then, a fake particle string is prepared and sent to Pj⊞1 based on the measurement results. In this case, Eve introduces an error with a probability of (1234)=38. Hence, this attack can be easily detected in step (N + 5). In a word, Eve cannot get user’s private input without being detected in this way.

Entangle-measure attack. Assuming that Eve wants to perform the entangle-measure attack, she can intercept the travelling sequence prepared by Pj⊟1, and apply entangling operation UE between her own ancillary particles and the intercepted particles. At last, she transmits the particles to Pj. Pj just encodes his private input and identity information directly in the particles. Afterwards, the encoding sequence is transmitted to Pj⊞1, at which point Eve intercepts again. Then, she measures the ancillary particles to infer the private input Sj.

Without loss of generality, the effect of Eve’s unitary operation UE can be shown as

UE|α|E=|00|e00+|01|e01+|10|e10+|11|e11,(25)

where, |e00⟩, |e01⟩, |e10⟩, |e11⟩ are pure states determined by UE. The quantum state in the sequence intercepted by Eve again is shown in Table 3.

TABLE 3
www.frontiersin.org

TABLE 3. Quantum states after different encoding operations on the entangling state.

By simply calculating, we get the correlation between these eight states

|α7=|α0+|α4|α3=|α1+|α5|α3=|α2+|α6|α3.(26)

Obviously, there is a linear correlation between the quantum states after different coding operations. As Chefles and Barnett [32] said, the necessary and sufficient condition for distinguishing the quantum states is linear independence. Therefore, these linearly correlated quantum states cannot be unambiguous discriminated, which means Eve cannot obtain the private input Sj through the entangle-measure attack.

Case 2: Eavesdropping the session key.

Here, we discuss whether Eve is able to eavesdrop on the session key K. Since K = S1S2 ⊕⋯ ⊕ SN, Eve can generally use two methods to obtain the value of K. One is that Eve tries to eavesdrop each value of Si to infer the agreement key. However, from the analysis of Case 1, we know that Eve cannot succeed. The other method involves directly eavesdropping on the value of K. According to the analysis above, we know that Eve is unable to distinguish between two linearly correlated sets of quantum states. So, Eve will always be detected if the number of encoding operations is unknown. Then, what if she was directly involved in the protocol? Namely, she might execute the impersonation attack.

In this protocol, a semi-trusted third party, P0, is introduced to help these parties accomplish this task. So, Eve may impersonates P0 (called P̂0) to attack the protocol. In Section 4.2.2, we prove that a genuine P0 cannot attain the session key. So, we could deduce directly that P̂0 is also unable to eavesdrop successfully. Hence, in this section, we focus on the second case. Namely, Eve wants to disguise herself as one user to execute the protocol with others. Suppose Eve impersonates Pj (called P̂j). P̂j prepares the quantum carriers, and hopes attain the KPj, that is, the negotiation key of other users except Pj. In fact, this action can be detected by the authentication in step (N + 5). As k̄j is only known to the valid user Pj and P0, P̂j cannot calculate correct hash value hj. Because of the special relationship between hash values, h0=i=1Nhi, as long as any one hj is error, this relationship is broken. Consequently, the quantum states will be changed, and the measurement using the measurement basis determined by B2t−1 will result in random results. In other words, her impersonation was discovered. Therefore, the proposed protocol is secure against such attack.

Case 3: Eavesdropping the master key.

We discuss whether it is possible for Eve to eavesdrop on the master key k̄i. k̄i is shared only by users Pi and P0 and is related to the hash value hi. In the proposed protocol, the public information is identity IDi, random string ri, and hash function f. Evidently, Eve cannot infer k̄i from these public information. So, she wants to infer k̄i from hi. However, Pi does not disclose hi. In the protocol, users decide the identity operation with hi and Bi. Even if the user announces the random string in step (N + 4), Eve does not have access to any information about k̄i for B2t1=i=1N1bi,2t1, independent of hi.

4.2.2 Internal Attacks

Compared with external attackers, internal parties have greater capacity since they are involved in the execution of the protocol. In the following, we will discuss some attacks of users.

Case 1: Dishonest users’ collusion attacks.

In the case of a single dishonest user, even if he participates in the protocol, he cannot obtain the hash values of other parties from the information he knows. Therefore, he can be detected in step (N + 5) just like an external attacker. It is important to note that there is more than one dishonest user in a protocol, and the most serious case is only one honest user. Obviously, in this case, all dishonest users want to conspire to eavesdrop the private input of the only honest party and determine the final key K. If the protocol is secure in the extreme case, it is secure in others. Next, we will discuss this situation.

Since P0 is semi-trusted in the protocol, he cannot conspire with others. When Pj is the only honest one, other dishonest users will attack P0 and Pj. For simplicity, let us take the example of three users (N = 3, M = 3). The users P1 and P3 in particular position are assumed to be dishonest, denoted as P1 and P3. The running process of the example is shown in Figure 3. The attack will be performed in the following ways.

FIGURE 3
www.frontiersin.org

FIGURE 3. Running process of the example, Qi represents the process in which the initiator is Pi.

For one thing, we discuss the attack on P0, where the dishonest users wish to obtain the hash value h0. Through the above protocol, we know h0 = h1h2h3, which means it is determined by hash values of other users. In this case, since P1 and P3 conspired, they could know both h1 and h3. In spite of this, they could only know h1h3 = h0h2, but unable to determine the specific h0 and h2. Eventually, they have to obtain the information through the negotiation process. However, even P1 and P3 conspired, no matter what kind of attack they use, the deterministic information about h0 could not be obtained. Because the encoded quantum states are nonorthogonal, they cannot be perfectly distinguished.

For another, we discuss the attack on P2, in which the dishonest users wish to obtain the identity information h2, the private input S2, or determine the final key. Since P1 and P3 failed to attack P0, it is impossible to determine whether the specific h2 is 0 or 1. Next, we discuss attacks during the protocol process. Evidently, there is no information about S2 is disclosed during Q2 in Figure 3. In the encoding process Q3, P2 encodes his own information in the last stage of transmission. Since these three transmission processes are actually synchronized, it is obvious that P1 and P3 cannot encode the pre-negotiated message in Q3 to determine the final key. So the most likely attack to obtain S2 and determine the final key occurs in Q1. In the transmission process of Q1, P1 prepares and encodes n two-qubit particles, represented as T̃1,2. Then, he sends them to P2 and shares all his information with P3. Since P3 does not know whether h2b2 is 0 or 1, he does not know whether the particles should be measured with basis MBX directly or basis MBZ after the operation V. Therefore, he can only get random results like an external attacker. To sum up, the proposed protocol is immune to this attack.

Case 2: A semi-trusted third party’s attack.

Here, P0 is semi-trusted. That is, he cannot conspire with others, but misbehave on his own. For clarity, we represent the dishonest third party as P0. P0 wishes to obtain Pj’s private input Sj or the session key K. Apparently, he has the advantage of knowing hj. However, in this protocol, the user decides what kind of identity operation to perform through the value hjbj. Even if P0* knows each person’s hash value, he would not be able to get the correct operation information before step (N + 4). In addition, due to the non-cloning theorem, it is impossible for P0 to preserve the quantum state without knowing about it. Therefore, this protocol is secure against the attack by a semi-trusted third party.

Case 3: A dishonest user’s impersonation attack.

Users may also carry out impersonation attack in addition to the attacks described above. His purpose is to determine the agreement key by himself, and succeed in cheating others to accept this fake key. Even if Pi is part of the protocol, he cannot perform correct identity encoding operation without knowing Pj’s hash value. Because the master key k̄j is only shared by Pj and P0. Just like the impersonation attack by external attacker, the measurement result is random, which is difficult to pass the detection in step (N + 5). Therefore, a forged user cannot participate in the protocol and determine the session key without being detected.

Based on the above analysis, we prove that the protocol in the context of quantum networks is secure.

4.3 Efficiency

In this section, we will discuss the particle efficiency of the proposed protocol. According to [33], the particle efficiency is defined as

η=cq+b,(27)

where, c is the length of the final shared key string, q is the number of qubits transmitted in the quantum channel, and b is the number of classical bits transmitted for decoding. In our scheme, the length of the final shared key is (2 − δ)n, the number of transmitted qubits is n*N, and the number of transmitted classical bits is 2n*N. Therefore, the particle efficiency of the proposed protocol is

η=2δ3N.(28)

Without considering the detection of particles, the particle efficiency of the example presented in this paper is η=23*3=22.2%.

Compared with [31] and [15], although they both perform multi-user quantum key agreement in an optical-ring communication network, there are differences in the specific negotiation process. Table 4 shows that our protocol is preferable as its readily accessible quantum resource, good security and high efficiency.

TABLE 4
www.frontiersin.org

TABLE 4. Comparison of several multi-party QKA protocols.

5 Conclusion

Before presenting our conclusion, we briefly discuss the hash function used in the protocol. In the protocol, we use the hash value to complete the authentication of the user. Only the legitimate user knows the correct hash value. In the absence of an impersonation attack, the hash values satisfy h0=i=1Nhi. So the selection criteria of the measurement basis is correct. Moreover, the hash values are not public. No one can obtain valid information from known information. Therefore, the introduction of classical hash function does not reduce the security of the protocol. Even if the classical hash function is corrupted by quantum computation, each user’s master key is still secure. Since the master key is only shared by the third party and users through QKD, it can achieve absolute security. In addition, the security analysis shows that no matter what kind of attacks are used, the master key cannot be obtained by attackers. In this way, the shared master key can be reused and the user’s identity can be authenticated, which greatly improves the practicability of the protocol.

In this paper, we study an authenticated quantum key agreement protocol, which is another main key establishment method in addition to quantum key distribution. This scheme enables key negotiation for any N users in optical-ring quantum networks. Each user in the protocol has his own identity information and shares a master key with a semi-trusted third party. With the help of the third party, they can simultaneously obtain the negotiated key. Security analysis shows that the protocol is secure against common attacks and impersonation attack. Furthermore, the implementation of the protocol only requires preparing and measuring single particles, which can be easily implemented with current technology. And, our method can be easily applied to other MQKA protocols with authentication in quantum networks, so that they can resist impersonation attack in practical. Since the implementation of the protocol is inevitably affected by noise, the threshold value for the error rate should be provided before implementing it. As mentioned in [34], the exact value of the threshold is determined by a variety of practical elements, such as the desired level of security, the noise level of channels, etc. Therefore, choosing an appropriate threshold is complex, which is also the case for many multi-party quantum cryptographic protocols. Combined with quantum state discrimination, we will study this issue in the future.

Data Availability Statement

The original contributions presented in the study are included in the article/supplementary material, further inquiries can be directed to the corresponding authors.

Author Contributions

All authors listed have made a substantial, direct, and intellectual contribution to the work and approved it for publication.

Funding

This work was supported by the National Natural Science Foundation of China (Grants Nos. 61,772,134, 61,976,053 and 62,171,131), Fujian Province Natural Science Foundation (Grant No. 2022J01186), the research innovation team of Embedded Artificial Intelligence Computing and Application at Xiamen Institute of Technology (KYTD202003), and the research innovation team of Intelligent Image Processing and Application at Xiamen Institute of Technology (KYTD202101).

Conflict of Interest

The authors declare that the research was conducted in the absence of any commercial or financial relationships that could be construed as a potential conflict of interest.

Publisher’s Note

All claims expressed in this article are solely those of the authors and do not necessarily represent those of their affiliated organizations, or those of the publisher, the editors and the reviewers. Any product that may be evaluated in this article, or claim that may be made by its manufacturer, is not guaranteed or endorsed by the publisher.

References

1. Shor PW. Polynomial-time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer. SIAM J Comput (1997) 26:1484–509. doi:10.1137/S0097539795293172

CrossRef Full Text | Google Scholar

2. Bennett CH, Brassard G. Quantum Cryptography: Public Key Distribution and coin Tossing. In: Proc IEEE Int Conf Comput, Syst and Signal Process. Manhattan, New York: IEEE (1984). p. 175–9.

Google Scholar

3. Gisin N, Ribordy G, Tittel W, Zbinden H. Quantum Cryptography. Rev Mod Phys (2002) 74:145–95. doi:10.1103/RevModPhys.74.145

CrossRef Full Text | Google Scholar

4. Schwonnek R, Goh KT, Primaatmaja IW, Tan EYZ, Wolf R, Scarani V, et al. Device-independent Quantum Key Distribution with Random Key Basis. Nat Commun (2021) 12:1–8. doi:10.1038/s41467-021-23147-3

PubMed Abstract | CrossRef Full Text | Google Scholar

5. Long GL, Liu XS. Theoretically Efficient High-Capacity Quantum-Key-Distribution Scheme. Phys Rev A (2002) 65:032302. doi:10.1103/PhysRevA.65.032302

CrossRef Full Text | Google Scholar

6. Sun Z, Song L, Huang Q, Yin L, Long G, Lu J, et al. Toward Practical Quantum Secure Direct Communication: A Quantum-memory-free Protocol and Code Design. IEEE Trans Commun (2020) 68:5778–92. doi:10.1109/TCOMM.2020.3006201

CrossRef Full Text | Google Scholar

7. Zhang H, Sun Z, Qi R, Yin L, Long G-L, Lu J. Realization of Quantum Secure Direct Communication over 100 Km Fiber with Time-Bin and Phase Quantum States. Light Sci Appl (2022) 11:1–9. doi:10.1038/s41377-022-00769-w

PubMed Abstract | CrossRef Full Text | Google Scholar

8. Zhou N, Zeng G, Xiong J. Quantum Key Agreement Protocol. Electron Lett (2004) 40:1149–50. doi:10.1049/el:20045183

CrossRef Full Text | Google Scholar

9. Tsai CW, Chong SK, Hwang T. Comment on “quantum Key Agreement Protocol with Maximally Entangled States”. Proc 20th Crypt Info Secur Conf (2010) 2010:47–9.

Google Scholar

10. Chong SK, Hwang T. Quantum Key Agreement Protocol Based on Bb84. Opt Commun (2010) 283:1192–5. doi:10.1016/j.optcom.2009.11.007

CrossRef Full Text | Google Scholar

11. Shi RH, Zhong H. Multi-party Quantum Key Agreement with Bell States and Bell Measurements. Quan Inf Process (2013) 12:921–32. doi:10.1007/s11128-012-0443-2

CrossRef Full Text | Google Scholar

12. Liu B, Gao F, Huang W, Wen QY. Multiparty Quantum Key Agreement with Single Particles. Quan Inf Process (2013) 12:1797–805. doi:10.1007/s11128-012-0492-6

CrossRef Full Text | Google Scholar

13. Sun ZW, Zhang C, Wang BH, Li Q, Long DY. Improvements on “multiparty Quantum Key Agreement with Single Particles”. Quan Inf Process (2013) 12:3411–20. doi:10.1007/s11128-013-0608-7

CrossRef Full Text | Google Scholar

14. Sun Z, Yu J, Wang P. Efficient Multi-Party Quantum Key Agreement by Cluster States. Quan Inf Process (2016) 15:373–84. doi:10.1007/s11128-015-1155-1

CrossRef Full Text | Google Scholar

15. Lin S, Zhang X, Guo GD, Wang LL, Liu XF. Multiparty Quantum Key Agreement. Phys Rev A (2021) 104:042421. doi:10.1103/PhysRevA.104.042421

CrossRef Full Text | Google Scholar

16. Ateniese G, Steiner M, Tsudik G. Authenticated Group Key Agreement and Friends. In: Proceedings of the 5th ACM Conference on Computer and Communications Security (1998). p. 17–26. doi:10.1145/288090.288097

CrossRef Full Text | Google Scholar

17. Teng J, Wu C, Tang C. An Id-Based Authenticated Dynamic Group Key Agreement with Optimal Round. Sci China Inf Sci (2012) 55:2542–54. doi:10.1007/s11432-011-4381-x

CrossRef Full Text | Google Scholar

18. Zhang L, Wu Q, Qin B, Domingo-Ferrer J. Identity-based Authenticated Asymmetric Group Key Agreement Protocol. In: Int Comput Combinatorics Conf. Berlin, Heidelberg: Springer (2010). p. 510–9. doi:10.1007/978-3-642-14031-0_54

CrossRef Full Text | Google Scholar

19. Chen Q, Wu T, Hu C, Chen A, Zheng Q. An Identity-based Cross-Domain Authenticated Asymmetric Group Key Agreement. Information (2021) 12:112–2489. doi:10.3390/info12030112

CrossRef Full Text | Google Scholar

20. Zeng G, Zhang W. Identity Verification in Quantum Key Distribution. Phys Rev A (2000) 61:022303. doi:10.1103/PhysRevA.61.022303

CrossRef Full Text | Google Scholar

21. Shi BS, Li J, Liu JM, Fan XF, Guo GC. Quantum Key Distribution and Quantum Authentication Based on Entangled State. Phys Lett A (2001) 281:83–7. doi:10.1016/S0375-9601(01)00129-3

CrossRef Full Text | Google Scholar

22. Mihara T. Quantum Identification Schemes with Entanglements. Phys Rev A (2002) 65:052326. doi:10.1103/PhysRevA.65.052326

CrossRef Full Text | Google Scholar

23. Wang Y, Lou X, Fan Z, Wang S, Huang G. Verifiable Multi-Dimensional (T,n) Threshold Quantum Secret Sharing Based on Quantum Walk. Int J Theor Phys (2022) 61:1–17. doi:10.1007/s10773-022-05009-w

CrossRef Full Text | Google Scholar

24. Lou X, Wang S, Ren S, Zan H, Xu X. Quantum Identity Authentication Scheme Based on Quantum Walks on Graphs with Ibm Quantum Cloud Platform. Int J Theor Phys (2022) 61:1–15. doi:10.1007/s10773-022-04986-2

CrossRef Full Text | Google Scholar

25. Kumavor PD, Beal AC, Yelin S, Donkor E, Wang BC. Comparison of Four Multi-User Quantum Key Distribution Schemes over Passive Optical Networks. J Lightwave Technol (2005) 23:268.

Google Scholar

26. Elkouss D, Martinez-Mateo J, Ciurana A, Martin V. Secure Optical Networks Based on Quantum Key Distribution and Weakly Trusted Repeaters. J Opt Commun Netw (2013) 5:316–28. doi:10.1364/JOCN.5.000316

CrossRef Full Text | Google Scholar

27. Fröhlich B, Dynes JF, Lucamarini M, Sharpe AW, Yuan Z, Shields AJ. A Quantum Access Network. Nature (2013) 501:69–72. doi:10.1038/nature12493

PubMed Abstract | CrossRef Full Text | Google Scholar

28. Xue P, Li CF, Guo GC. Conditional Efficient Multiuser Quantum Cryptography Network. Phys Rev A (2002) 65:022317. doi:10.1103/PhysRevA.65.022317

CrossRef Full Text | Google Scholar

29. Grover LK. Quantum Mechanics Helps in Searching for a Needle in a Haystack. Phys Rev Lett (1997) 79:325–8. doi:10.1103/PhysRevLett.79.325

CrossRef Full Text | Google Scholar

30. Hsu LY. Quantum Secret-Sharing Protocol Based on Grover's Algorithm. Phys Rev A (2003) 68:022306. doi:10.1103/PhysRevA.68.022306

CrossRef Full Text | Google Scholar

31. Cao H, Ma W. Multiparty Quantum Key Agreement Based on Quantum Search Algorithm. Sci Rep (2017) 7:45046. doi:10.1038/srep45046

PubMed Abstract | CrossRef Full Text | Google Scholar

32. Chefles A, Barnett SM. Optimum Unambiguous Discrimination between Linearly Independent Symmetric States. Phys Lett A (1998) 250:223–9. doi:10.1016/S0375-9601(98)00827-5

CrossRef Full Text | Google Scholar

33. Cabello A. Quantum Key Distribution in the Holevo Limit. Phys Rev Lett (2000) 85:5635–8. doi:10.1103/PhysRevLett.85.5635

PubMed Abstract | CrossRef Full Text | Google Scholar

34. Scarani V, Bechmann-Pasquinucci H, Cerf NJ, Dušek M, Lütkenhaus N, Peev M. The Security of Practical Quantum Key Distribution. Rev Mod Phys (2009) 81:1301–50. doi:10.1103/RevModPhys.81.1301

CrossRef Full Text | Google Scholar

Keywords: quantum communication, quantum key agreement, identity authentication, quantum search algorithm, unambiguous state discrimination

Citation: Gao L-Z, Zhang X, Lin S, Wang N and Guo G-D (2022) Authenticated Multiparty Quantum Key Agreement for Optical-Ring Quantum Communication Networks. Front. Phys. 10:962781. doi: 10.3389/fphy.2022.962781

Received: 06 June 2022; Accepted: 22 June 2022;
Published: 13 July 2022.

Edited by:

Tianyu Ye, Zhejiang Gongshang University, China

Reviewed by:

Ma Hongyang, Qingdao University of Technology, China
Xiaoping Lou, Hunan Normal University, China

Copyright © 2022 Gao, Zhang, Lin, Wang and Guo. This is an open-access article distributed under the terms of the Creative Commons Attribution License (CC BY). The use, distribution or reproduction in other forums is permitted, provided the original author(s) and the copyright owner(s) are credited and that the original publication in this journal is cited, in accordance with accepted academic practice. No use, distribution or reproduction is permitted which does not comply with these terms.

*Correspondence: Xin Zhang, eGlhb194aW5fMDlAMTYzLmNvbQ==; Song Lin, bGluczk1QGdtYWlsLmNvbQ==; Gong-De Guo, Z2dkQGZqbnUuZWR1LmNu

Disclaimer: All claims expressed in this article are solely those of the authors and do not necessarily represent those of their affiliated organizations, or those of the publisher, the editors and the reviewers. Any product that may be evaluated in this article or claim that may be made by its manufacturer is not guaranteed or endorsed by the publisher.