Quantum Identity Authentication in the Counterfactual Quantum Key Distribution Protocol.

In this paper, a quantum identity authentication protocol is presented based on the counterfactual quantum key distribution system. Utilizing the proposed protocol, two participants can verify each other's identity through the counterfactual quantum communication system. The security of the protocol is proved against individual attacks. Furthermore, according to the characteristics of the counterfactual quantum key distribution system, we propose an authenticated counterfactual quantum key distribution protocol based on a novel strategy of mixing the two types of quantum cryptographic protocols randomly. The authenticated quantum key distribution can also be used to update the extent of the authentication keys.

1. Introduction

Quantum mechanics has produced immense influence in information security. The widely used public key cryptography algorithms such as the RSA public key algorithm are facing serious threat of quantum computation [1]. Meanwhile, quantum computation also promotes new kinds of cryptographic protocols that can combat the powerful computation capability of quantum computer. Interestingly, quantum mechanics could be a sharp spear to break cryptographic systems and also a strong shield to protect our privacy. Research shows that quantum key distribution (QKD) can provide information theoretic security between two distant and authenticated parties [2,3,4,5]. Various QKD protocols have been proposed utilizing different quantum coding technologies, as well as the other types of quantum cryptographic protocol, such as quantum secure direct communication [6,7,8,9,10,11], quantum secret sharing [12,13,14,15,16,17], quantum private querying [18,19,20,21,22,23] and so on [24,25,26].

Counterfactual QKD protocols employ a very interesting coding method where the valid key bits are generated when no photons have been transmitted in the public channel. Since no photons to be intercepted and captured for the signals of the valid key bits, it is very difficult for the adversaries to carry on an effective attack. Because of the above characteristics, the counterfactual QKD has attracted a lot of attention since its first appearance. In 2009, Noh proposed a QKD protocol [27] inspired by the counterfactual phenomena in quantum world [28] and the counterfactual computation [29]. The next year, Sun et al. proposed a high efficiency version of counterfactual QKD utilizing more beam splitters [30]. The same year, Yin et al. proved the security of Noh’s protocol strictly [31]. During the next few years, many experiments on counterfactual QKD protocol have been performed [32,33,34,35]. In the theoretic study of counterfactual quantum communication technology, some scholars analyzed the security of counterfactual QKD on real environment [36,37,38,39,40,41], while others proposed other types of quantum cryptographic protocols with counterfactual quantum communication technology, such as direct quantum communication [42,43,44], quantum private query [45], and so on [46,47,48,49,50,51,52,53].

As described above, the counterfactual QKD protocol has been proven secure in theory [31], however, the security is based on several necessary conditions, such as the perfect quantum detectors, the perfect single-photon source, true random number generator and so on. Secure and reliable identity authentication is one of the key requirements of the security of the counterfactual QKD. Realizing identity authentication with quantum technology has many potential advantages such as higher security, higher efficiency and immunity to certain kinds of replay attacks. Therefore, we propose a quantum identity authentication (QIA) protocol that can be used in the counterfactual QKD protocol to identify the communication parties. Furthermore, due to the characteristics of the counterfactual quantum communication technology, the combined processes of the counterfactual QKD protocol and the proposed QIA protocol can be used to extend the length of authentication keys with almost arbitrary expanded proportion. This paper is organized as follows. In Section 2, we briefly review the processes of the counterfactual QKD and an alternative version, which our QIA protocol is based on. The specific process of the counterfactual QIA protocol is proposed in Section 3. With the QIA protocol in Section 3, we propose an authenticated counterfactual QKD protocol in Section 4. A brief conclusion is given in Section 5.

2. Review of the Counterfactual Quantum Key Distribution Protocol

The main purpose of this paper is to verify the participants’ identities in the counterfactual QKD system. As a foundation protocol, the counterfactual QKD protocol [27] is briefly introduced in this section. Utilizing the interference system in Figure 1, the counterfactual QKD can help Alice and Bob generate a secure key based on the signals where no photons have traveled through the public channel. Note that, in Figure 1, C is the optical circulator; OD is the optical delay to make the two paths a and b be the same; OL is the optical loop and SW is the optical switch, which help Bob choose the pulse in specific polarization to the detector D2; FM is the faraday mirror, which reflects the pulse while turns the state of the pulse to the orthogonal polarization; and D1 can discriminate the polarizations of the pulse. The processes can be described as follows.

Figure 1

The schematic of the counterfactual QKD [27]. Here, C is the optical circulator; OD is the optical delay to make the two paths a and b be the same; OL is the optical loop and SW is the optical switch, which help Bob choose the pulse in specific polarization to the detector D2; FM is the faraday mirror, which reflects the pulse while turns the state of the pulse to the orthogonal polarization; and D1 can discriminate the polarizations of the pulse.

(1) At the beginning, Alice triggers the single-photon source S to emit a short optical pulse containing a single photon at a certain point in time. The photon is prepared in either horizontal polarization , which represents the classical bit 0, or vertical polarization , which represents 1. Afterwards, the pulse will be divided into two paths, a and b, when it passes the beam splitter (BS). The whole system can be described as one of the two orthogonal states where R and T are the reflectivity and transmissivity of BS, and R+T = 1. The state represents the vacuum state in the path k, where .

(2) Bob randomly chooses a bit 0 or 1 and, utilizing the polarizing beam splitter (PBS) and the optical loop (OL), switches different polarized pulse to the detector according to the above bit. Precisely, if Bob chooses 0 (1), he switches the pulse in the state () to the detector . In fact, when the pulse in path b reaches the PBS at Bob’s side, it would directly go to the optical switch (SW) if the pulse were horizontally polarized, and if the pulse were vertically polarized, it would be reflected by the PBS, pass through the OL, be reflected by PBS again, and then go to SW. Thus, if the pulse were in state , it would arrive at SW a certain period of time (, where L is the length of OL and c is the speed of time) later than the situation of . Therefore, Bob can choose to switch different polarized states to the detector by the control of the switch time.

(3) At last, Alice and Bob announce which detector clicks. If only detects a photon with the correct polarization, they establish a key bit, otherwise, the result will be used to detect eavesdropping. In fact, if Alice’s and Bob’s bits are identical, the pulse in path b will be absorbed by , and the pulse in path a will be divided into two parts towards and , respectively. In this situation, the three detectors , and will click with the probabilities , and T, respectively. If Alice’s and Bob’s bits are different, the pulse in path b will be reflected back to BS. The faraday mirror (FM) alters the state of the pulse to the orthogonal state while reflects it, therefore, the pulse will determinately pass the OL once and be reflected by the PBS twice, before or after the reflection of FM. The two paths a and b are set with the same length, so the two pulses will complete the interference at BS, with the same polarization state and a phase difference of . In this situation, always clicks but never. Therefore, Alice and Bob would share an identical bit when only clicks. In ideal cases, the shared bit is secure since no photons have passed through the public channel if clicks alone.

Generally, to achieve the highest key rate, R and T are set to be and . Considering the situation of 50:50 BS, there is an alternative version (see Figure 2) of the above protocol.

Figure 2

The schematic of the alternative version of the counterfactual QKD [33]. The alternative version uses two half wave plates HWP and HWP, instead of the OL and SW, to implement the random choices of the participants. Another difference is that the alternative version uses mirrors (M) instead of faraday mirrors in the original one.

In this alternative version proposed by Brida et al. [33], Bob uses a half wave plate (HWP) and a PBS to accomplish the same task with that in the original protocol. The effect of the half wave plate can be described as follows, where is the angle between the incident and the fast axis. The two faraday mirrors are replaced by two mirrors. In Step (1), by adjusting the angle of HWP, Alice randomly rotates the state of the single-photon pulse to or . In Step (2), Bob randomly performs or to the coming pulse by adjusting the angle of HWP to be 0 or , where

For convenience of reading, we list another two operations, which will be used later,

When the pulse passes BS the first time, the state becomes one of the following states, which are exactly the same with Equations (1) and (2), ignoring the global phase or introduced by HWP. Here, we assume that S always emits a pulse in state . When Alice’s and Bob’s choices are 0 and , respectively, the pulse in path b has been reflected back to BS at Alice’s side, the state of the photon after the pulse passes BS the second time will become or similarly when Alice’s and Bob’s choices are and 0, the state would be where the subscripts represent the path leading to the corresponding detectors. Thus, the same as the original protocol, always clicks in this situation. Correspondingly, the key should be generated when clicks.

3. QIA in the Counterfactual QKD System

In this section, we propose a QIA protocol, where two participants, utilizing a pre-shared classical authentication key, can verify each other’s identity through the counterfactual QKD system. The communication system we adopt here is the alternative version, which is more convenient to introduce a conjugate basis to complete the task of identity authentication. Here, we make a minor modification that the half wave plate on Alice’s side, i.e., HPB is set at the right side of BS (see Figure 3).

Figure 3

The schematic of the proposed QIA protocol and the authenticated QKD protocol. HWP is set at right side of BS in our protocol instead of left in the alternative version. Since the polarizations of the pulses detected by D0 is also used to detect the adversary in our protocol, we add a PBS and an additional detector in the D0.

Thus, the states of the photons back to Alice’s side should always be the same with their original states, and the key bits should be generated from the signals where clicks alone.

3.1. The QIA Protocol Based on the Counterfactual QKD

For the sake of description of the proposed QIA protocol, we first expound some basic concepts about the protocol and the devices in Figure 3. Before the protocol, two participants are required to pre-share a sequence of authentication keys . Each of the above keys has m+n bits, where the first m bits would be used for Alice to verify Bob’s identity, and the last n bits are for Bob to verify Alice’s identity. Alice and Bob also record the statuses of their keys, originally “valid”.

The single-photon source S in Figure 3 is supposed to always emit a pulse in state , and Alice can choose to keep its state or flip it to utilizing HWP. Ignoring the global phases, if Alice adjusts , the angle of HWP, to 0, the state of the pulse remains , and if Alice adjusts to , the state changes to . Bob also randomly chooses to flip the state of the coming pulse or not, utilizing HWP. The above processes are just the alternative version of the counterfactual QKD protocol.

To complete the task of identity authentication, the participants use the authentication key as the control bits in the manner that, if the ith bit of the authentication key is 1, Alice and Bob both rotate an additional angle of to their half wave plates, otherwise, they do nothing additionally. Thus, only the legal participants who have the authentication key can perform complete the QIA protocol legally. The concrete processes of the proposed QIA protocol are as follows.

1. Key status exchange. Alice and Bob exchange the status of their pre-shared authentication keys and choose the one with the smallest subscript among those keys which are “valid” on both Alice’s and Bob’s sides. We denote the bits of this key K as

2. Authentication of Bob’s identity. The first m pulses are used to authenticate Bob’s identity in the manner that Alice chooses her bit randomly and Bob always chooses bit 0, and both of the above choices are under control of the first m bits of K.

Alice generates a random string with m bits

For the ith pulse Alice emits into the system, she sets the angle of HWP as

For the ith coming pulse, Bob sets the angle of HWP as

Alice checks the results of and . If clicks with the probability of 100% for the pulses where = 1, and for those = 0, and click with the probability about 25% and 25%, respectively, Alice believes Bob’s identity and they go on to Step 3, otherwise, Alice skips to the last step.

3. Authentication of Alice’s identity. In this step, Bob checks Alice’s identity with the help of the last n bits of K.

Bob generates a random string with m bits

For the th pulse, Alice sets the angle of HWP as

For the th coming pulse, Bob sets the angle of HWP as

Bob checks results of . If never clicks when = 0 and clicks with the probability of 50% for both the two cases that = 1, = and = 1, = , Bob believes Alice’s identity.

4. Key status update. Alice and Bob update the statuses of K as “invalid”.

3.2. Correctness of the Proposed QIA Protocol

For the legal Alice and Bob, they can verify each other’s identity following the above processes. The unitary operations of the HWPs in different cases are shown in Equations (4)–(7). In the processes of Step 2, there are four cases about Alice’s and Bob’s choices of : , , , and . For the situation of , the state of the whole pulse when it first passes BS and HWP is

The final state, i.e., the state of the polarization and the position of the photon after (part of) it passes BS the second time, is

Here, we use to denote the state of the pulse when it first passes BS and HWP in the situation that =, to denote the state when the pulse first passes PBS in the situation that = and =, and to denote the state when the pulse passes BS the second time. For the situation of , where and

Thus, the final state of this case would be

For both above cases of Equations (21) and (25), , and would click with the probabilities of 25%, 25% and 50%, respectively. Similarly, we can calculate that

always clicks in these two cases. The calculations on the four cases coincide with the judgements at the end of Step 2.

The four possible final states in the processes of Step 3 are , , , and . Here, and are considered in Equations (21) and (25), and

The calculations on these four final states in Step 3 coincide with the judgements in Step 3, too. Therefore, for the legal participants who have the authentication key K, they can always authenticate each other’s identities correctly.

3.3. The Security Analysis for No-Error Cases

In fact, the security of Bob’s identity is protected by the first part of K, i.e., . The operations Bob’s operations in the first part is if = 0 and if = 1. According to the theorems on operation discrimination, the above two operations cannot be discriminated with no error probability (see Appendix A for details). If the adversary, who is forging Bob’s identity to communicate with Alice, performs an error operation on the received pulse, Alice would get a wrong measurement result. Therefore, the adversary cannot always gives Alice a correct response to pass Alice’s tests. Correspondingly, the security of Alice’s identity is protected by the second part of K, i.e., . Since the second part of the protocol only executed when the communicating peer passes Alice’s tests, the adversary cannot get any information about the string from Alice’s side. Therefore, the adversary has to face Bob’s tests without any information on the authentication key. Considering that Bob chooses his angles from randomly, the measurement results would be random if he is communicating with the adversary who has no information about . That is, the adversary cannot pass Bob’s tests without introducing any error. Above all, we can get a conclusion that the adversary cannot forge either Alice’s identity or Bob’s identity in the no-error cases.

For the more general cases, the security analysis of the proposed protocol are described in Appendix A. Specifically, for each signal, we calculate a relaxed lower bound of the minimum error probability that the adversary has to introduce in Alice’s test while forging Bob, and a relaxed lower bound of the minimum error probability that the adversary has to introduce in Bob’s test while forging Alice,

We believe that the tight bounds would be much larger, since we have made many relaxations during the derivation procedure to simplify the difficulty.

4. Authenticated Counterfactual QKD Protocol

In this section, we propose an authenticated counterfactual QKD protocol utilizing the proposed QIA protocol. The basic idea is mixing the process of the QIA protocol into the QKD protocol according to the random data generated in the QKD protocol, which can be recorded identically for the two participants without any communication. In the following authenticated QKD protocol, the length of original authentication key is independent with the length of the new generated key. Suppose the length of the key that the participants expect to generate is m, and the length of the authentication key which meets the requirement of security is n. Then, the mixing parameter of the authenticated counterfactual QKD protocol is

With the definition of r, the main processes of the authenticated QKD protocol can be briefly described as follows: once Bob’s detector has clicked r times, Alice and Bob insert one round of the QIA process presented in last section. Specifically, utilizing the devices and circuit in Figure 3, the participants can implement the authenticated counterfactual QKD protocol as follows. For convenience of the following description, we use to denote the probability that the ith signal is used for the process of QIA.

. Set-up. For the main processes described above, is convergent when i gets larger, however it is much smaller than the convergence value for small is. For example, = 0 when i ≤ r. If the adversary only attacks these signals with smaller , he is more likely to pass the participant’s test. Therefore, before the formal steps of the protocol, Alice and Bob should equalize for different is. pulses would be used in this stage, where

Alice emits single-photon pulses to the system one by one. For each pulse, Alice (Bob) randomly choose the angle of HWP (HWP) to be one of {0, , , }.

If the photon goes to Bob’s detector, i.e., clicks and and do not, they record a classical bit 1. If the photon goes back to Alice, i.e., or clicks and does not, they record a classical bit 0.

After all the pulses have been detected by the three detectors, Alice and Bob get a bit binary number. Then, they use a hash function to uniformly map the above number into the set , and denote the result as . Note that, for one single binary bit, the uncertainty is

Alice and Bob produce signals here so that the uncertainty of the bits is larger than , to make the value of totally random.

. Signal transmission and identity authentication. Utilizing the random number generated in last step, the participants start to distribute a new key while authenticate each other’s identity.

For the first pulses in this step, Alice and Bob perform the QKD process, i.e., they both randomly alter the angles of HWP and HWP to be 0 or and record the clicking situation of each detector and the state of the photon if the detector has clicked.

The th pulse is the first pulse for identity authentication. As in Steps 2.2 and 2.3 in the above QIA protocol, Alice alters the angle of HWP to be + and Bob alters the angle of HWP to be , where is the first bit of the authentication key and is a random bit.

From the th pulse, the participants start to insert the process of QIA into the QKD according to the random data of the clicks of the detectors. Precisely, each time the click times of reaches an integral multiple of r, they insert one round of the QIA process immediately until the authentication process for Bob’s identity has finished.

Alice checks Bob’s identity according to Step 2.4.

If the test for Bob’s identity passes, they continue to transmit the rest QKD signals and authenticate Alice’s identity by repeating the processes from to but perform the operations in Steps 3.2–3.4 instead of these in Steps 2.2–2.4, respectively.

. Eavesdropping detection. Alice and Bob first check the validity of each other’s identity. If the identity authentication passes, they continue to the rest part of the counterfactual QKD protocol to generate a new key and use part of the new key to update the authentication keys.

In the above protocol, the processes of QIA and QKD are mixed randomly; however, they are performed independently. More specifically, the sequence of the signals for QIA and ones for QKD are random for the adversaries. On the other hand, each signal is either used for QIA or for QKD, but never for both. Because of such independence, the correctness of the above protocol is obliviously established considering the correctness of the counterfactual QKD protocol [27,31] and the counterfactual QIA protocol presented in the last section, as is the security of the process of QIA and the process of QKD. The only new factor which may influence the security of the whole protocol is that the adversary may discriminate the two type of signals, i.e., the signals for QKD and the signals for QIA, and then only attack the signals for QKD. Next, we proved that the adversary cannot discriminate the two type of signals.

Firstly, the two types of signals cannot be discriminated precisely. For a QKD signal, Alice randomly sets her angle as 0 or , and the reduced density matrix for the state in path b is

For a QIA signal in the first part, Alice’s operation set is , and the reduced density matrix for the state in path b is which is the same as . For the second part of QIA, Alice’s operation set is , and the reduced density matrix for the state in path b is

The minimum error probability to discriminating and is which is close to 1/2, the probability of random guess. Furthermore, the discrimination operation will inevitably disturb the pulse in path b and introduce errors in the authentication process or the detection mode of QKD.

Secondly, we analyze the probability of being a QIA pulse for each signal. The expectation of the above probability can be deduced by calculating the average interval of two QIA signals, which is

Then, both sides of the above equation are multiplied by ,

By subtracting the two equations, we have

Suppose

Then,

We can get

So that,

Substituting Equation (44) into Equation (40), we have where p = 1/4. This implies that every D+1 signals contain one QIA signal on average. Therefore, the average probability for a pulse to be a QIA signal is

However, it is difficult to propose a strategy where the above probability is totally identical for each signal. As for the proposed protocol, the probability of the lth signal to be a QIA one is

The the graphs of function for different values of r are given in Figure 4.

Figure 4

The graphs of function when r = 10 (the red line), 15 (the green line), and 20 (the blue ine).

We can see that the probability tends to be stable when l is larger than . The adversary cannot effectively reduce the error rate introduced by his attack utilizing the probability distribution of the type of the signals. Therefore, if the adversary wants to attack a proportion of the QKD signals, she will have to disturb a similar proportion of the QIA signals, which will cause a failure result in the QIA part.

5. Conclusions

In this paper, we first propose a quantum identity authentication protocol that can be realized in the counterfactual quantum communication system. Then, we propose an authenticated counterfactual QKD protocol by mixing the processes of the proposed QIA protocol and the counterfactual QKD protocol in [33]. In this authenticated counterfactual QKD protocol, the two independent processes of QKD and QIA mixed randomly for any third party except the two participants, therefore, the adversaries cannot discriminate between a QIA signal and a QKD signal. Any attempts to perform a man-in-the-middle attack to the process of QKD will disturb the signal in the QIA process and cause a failure result in the identity authentication. Since the two processes are independent, the length of the authentication key is only related to the expected confidence degree for the participants’ identities, and is not concerned with length of the newly generated key in QKD. Therefore, the key expansion in our protocol can be extremely high in theory. The problem is that the proposed protocol can only be performed in noiseless channels since any channel loss or dark count would mess up the whole process of the protocol. Once a channel loss or dark count happens, Alice and Bob cannot synchronize the random data to control the signal type. Despite this, we think the idea of identity authentication in this paper is promising in theory and might inspire practical QIA protocols and authenticated QKD protocols designed in similar ways. The theory of high key-expand-ability QIA protocols in noisy channel will also be our future work.