Professional Documents
Culture Documents
belongs to whomever it is supposed to—like in public key the correct ones. In this process, a few of the initial states are
cryptography. User authentication based on quantum cryp- consumed and thus the authentication secret is diminished. In
tography using any kind of public channel has previously an improved version of the protocol, the states initially
been studied. Most protocols use unjammable channels and shared by Alice and Bob are catalysis states 关19兴. Using
are so-called self-enforcing; i.e., no parties other than Alice these catalysis states as the shared secret only Alice and Bob
and Bob are involved. However, a realistic QKD environ- will be able to make the correct local transformations 关20,19兴
ment instead suggests that a jammable public channel be- of another pair of states. The correctness of this transforma-
tween Alice and Bob should be considered. Moreover, con- tion is verified between Alice and Bob and used as an au-
trary to self-enforcing protocols, we believe it is desirable thentication. What is interesting about this procedure is that
that Alice and Bob need not share an initial secret. Due to the shared secret information, the catalysis states, is kept
this, and to prevent ‘‘man-in-the-middle’’ attacks, the intro- intact.
duction of a trusted authority, Trent, becomes inevitable also These protocols described above involve only Alice and
for QKD. The authentication between Alice and Bob will Bob. Recently, Zeng and Zhang 关21兴 studied the same basic
instead pass via Trent, who can verify 共necessarily over un- idea as in 关13兴 and 关14兴; however, their work was more in the
jammable channels兲 to each user the identity of the other. context of user authenticated secret key distribution. Trent is
This is partly addressed in Ref. 关21兴. introduced to generate the initial secret. In the protocol, Al-
Unjammable channels like those between Alice-Trent and ice and Bob each have a two-particle entangled state
Bob-Trent can be guaranteed by ‘‘personal’’ authentication 关Einstein-Podolsky-Rosen 共EPR兲 pairs兴 from which one par-
of such a kind that you make when you visit your bank to get ticle each is sent to and measured by Trent. He uses the
your personal identification number code, together with clas-
method of entanglement swapping 关22兴 to generate a joint
sical authentication techniques, e.g., authentication codes 关2兴.
key to be used by Alice and Bob. Following this, the joint
In principle, if necessary, arbitrarily long authentication
key should be used for user authentication in an EPR-type
seeds can be exchanged for this purpose.
As a first indication that quantum authentication could be quantum cryptography 关6兴 protocol with the basis choice
possible we consider the method of Crépeau and Salvail made from the joint session key, similar to 关13兴 and 关14兴.
关13兴. It provides a simple solution without Trent: if there is a The main purpose of the present work is to address the
shared secret string between the true Alice and Bob, then use issue of user authentication and data integrity by quantum
the secret string for the selection of the polarization basis in methods. This also goes under the name of quantum authen-
the Bennett-Brassard 1984 共BB84兲 four-state quantum cryp- tication. As pointed out, in a realistic scenario we cannot
toprotocol 关5兴 and send a known code word over the channel. justify self-enforcing protocols, and so therefore we feel the
Having no a priori information regarding the basis choice, arbitrator unavoidable. With Trent’s help, and with a jam-
the eavesdropper will inevitably make errors in his or her mable channel at Alice and Bob’s disposal, we will provide
detection. Independently, Huttner, Imoto, and Barnett pro- means for Alice and Bob to agree upon a secret key using
posed a very similar idea in Ref. 关14兴, again using the basis QKD. If we have a channel, or a combination of channels,
encoding to test the correspondence between two strings. that can provide us with data integrity, we can then use this
The problem, however, as stressed in 关13兴, is that in the to perform user authentication. Furthermore, we will show
authentication process a dishonest party or an eavesdropper that the same objectives as in 关21兴, using an arbitrator, can be
should not be able to extract any information about the initial achieved in a less complex fashion using either nonentangle-
secret, even through repeated attempts. In 关13兴, no solution ment or entanglement-based protocols.
to this strict requirement was found, although it was pro- The paper is outlined as follows: In this introduction we
posed that a protocol could be built on quantum-oblivious gave a brief review of the recent work on quantum authen-
transfer. Later, however, it was shown that quantum-bit com- tication. In Sec. II we will introduce and define the condi-
mitment and quantum-oblivious transfer are not uncondition- tions for the third-party trusted authority, Trent. His role is to
ally secure 关15,16兴. provide Alice and Bob with the seeding information that will
Similar ideas along these lines, without Trent, have also increase security. In Sec. III, we present protocols for quan-
been presented by Dusek et al. in 关17兴. They propose one tum key distribution based on conventional single-photon
classical and one QKD-based solution for user authentica- quantum cryptography, providing user authentication and
tion. To address the problem in 关13兴 regarding repeated at- data integrity. In Sec. IV, we present two simple
tempts by an eavesdropper, the bits used for authentication entanglement-based quantum key distribution protocols, also
are thrown away after each interleaved comparison of their with user authentication and data integrity. Finally, in Sec.
secretly shared string. New secret bits are then refueled using V, our results are discussed and concluded.
QKD.
Another recent paper 关18兴 discusses self-enforced authen-
tication based on entanglement catalysis. In a first simple II. THIRD-PARTY TRUSTED ARBITRATOR
protocol, Alice and Bob share an ensemble of two-particle FOR QKD-BASED USER AUTHENTICATION
entangled quantum states. The initial secret in this case is
Alice and Bob’s unique knowledge of the particle states. To Obviously, it would be nice if quantum methods could
authenticate, Alice 共Bob兲 sends over a number of states from provide self-enforcing protocols. However, even if this
her 共his兲 ensemble and Bob 共Alice兲 verifies that the states are would call for some kind of ‘‘asymmetric quantum key’’
022305-2
AUTHORITY-BASED USER AUTHENTICATION IN . . . PHYSICAL REVIEW A 62 022305
022305-3
LJUNGGREN, BOURENNANE, AND KARLSSON PHYSICAL REVIEW A 62 022305
022305-4
AUTHORITY-BASED USER AUTHENTICATION IN . . . PHYSICAL REVIEW A 62 022305
1
兩 ⫾典 ⫽ 共 兩 z⫹ 典 兩 z⫺ 典 ⫾ 兩 z⫺ 典 兩 z⫹ 典 ). 共3兲
&
FIG. 4. Channel diagram for protocols 共iv兲 and 共v兲. The line
types are defined as in the previous figures, with the addition of the Shifting between these states 共actually among all four Bell
entangled-state quantum channel illustrated with a wavy dashed states兲 has been demonstrated experimentally in Bell-state
line. See text for details. analysis 关24兴. 共In the entanglement-based quantum cryptog-
raphy scheme 关6兴, however, one considers a passive version
based on sending only one of the Bell states to Alice and
suppose that the choice of states by Trent is secret informa-
Bob.兲
tion that the true Alice and Bob are given. This information
Furthermore, let us define a new linear combination of
is denoted X in Fig. 3. Bell states as
共6兲 The above is done by first keeping only bits where the
settings of the polarizers are correct. 1 1
If the data between Alice and Bob and the settings given 兩 ⌿ ⫹典 ⬅ 共 兩 ⫺ 典 ⫹ 兩 ⫹ 典 )⫽ 共 兩 z⫹ 典 兩 x⫹ 典 ⫹ 兩 z⫺ 典 兩 x⫺ 典 )
from Trent agree, Bob and Alice have again authenticated & &
each other via Trent. Let us stress the essential ingredient for
1
authentication, namely, that Alice and Bob declare their ⫽ 共 兩 x⫹ 典 兩 z⫹ 典 ⫹ 兩 x⫺ 典 兩 z⫺ 典 ), 共4兲
bases and outcome for the test bits before Trent tells how the &
outcomes should be correlated. Note once again, that if Trent
does not actively proceed with any eavesdropping on Alice 1 1
兩 ⌽ ⫺典 ⬅ 共 兩 ⫺ 典 ⫺ 兩 ⫹ 典 )⫽ 共 兩 z⫹ 典 兩 x⫺ 典 ⫺ 兩 z⫺ 典 兩 x⫹ 典 )
and Bob’s channel he will not know the authentication & &
string, nor the key, K.
1
IV. ENTANGLEMENT-BASED QKD WITH USER
⫽ 共 兩 x⫹ 典 兩 z⫺ 典 ⫺ 兩 x⫺ 典 兩 z⫹ 典 ). 共5兲
&
AUTHENTICATION
Now the set of states 兩 典 苸 兵 兩 ⫹ 典 , 兩 ⫺ 典 , 兩 ⌿ ⫹ 典 , 兩 ⌽ ⫺ 典 其 has
Let us now show two protocols for authenticated key dis-
the feature that 具 ⫹ 兩 ⫺ 典 ⫽ 具 ⌿ ⫹ 兩 ⌽ ⫺ 典 ⫽0.
tribution based on entangled states. Whereas in 关21兴, for each
Furthermore, all states are not orthogonal, as
shared bit two entangled states are used, one for Alice and 兩 具 ⫹ 兩 ⌿ ⫹ 典 兩 2 ⫽ 兩 具 ⫹ 兩 ⌽ ⫺ 典 兩 2 ⫽1/2 and 兩 具 ⫺兩 ⌿ ⫹典 兩 2
one for Bob, followed by an entanglement swapping mea- ⫹ ⫺ 2
⫽ 兩 具 兩 ⌽ 典 兩 ⫽1/2. We will use this feature in the protocols
surement 关22兴, in our protocol only one initial two-particle below. The main idea is for Trent to pick states from a set of
entangled state per shared bit is needed, which would make a nonorthogonal base states and send them to Alice and Bob.
substantial simplification in practice. In the present scheme, Since the states are nonorthogonal, Mallory cannot intercept
as illustrated in Fig. 4, Trent has a pool of entangled states. them and reliably measure their properties. A second feature
For each bit he wants to establish, he sends the first particle we will use in the protocol is that Alice and Bob will first
from the entangled state to Alice, and the other to Bob. Note declare their information for authentication based on their
that the present protocol uses some ideas from quantum se- respective measurements. After this, Trent will release which
cret sharing 关27,28兴. As in 关21兴, using entanglement, Trent quantum state was sent, allowing Alice and Bob to cross
will only be required to broadcast extra information regard- check independently to see if the information released was
ing which entangled states he sent in each case. correct. An impersonator like Mallory will not be able to
Before going into the protocols, let us reiterate some basic release the correct information, and Alice and Bob will know
properties of entangled photon states. A two-photon en- that the public and/or quantum channel has been tampered
tangled state, such as that generated from a type-II paramet- with.
ric down-conversion crystal 关23兴, can be written as
A. Four-state entanglement-based QKD with user
authentication „iv…
1
兩典⫽ 共 兩 z⫹ 典 兩 z⫺ 典 ⫹e i ␣ 兩 z⫺ 典 兩 z⫹ 典 ), 共1兲 Using two-particle quantum entanglement with Trent pro-
& viding the states, we keep assumption 共A⬘兲 on Trent. Let us
022305-5
LJUNGGREN, BOURENNANE, AND KARLSSON PHYSICAL REVIEW A 62 022305
TABLE I. Correlation of measurement outcomes given that If the data between Alice and Bob and the settings given
Trent has sent a certain two-particle entangled state. from Trent agree, Bob and Alice have again authenticated
each other via Trent. Let us stress the two essential ingredi-
Bob ents for authentication: first, the control of the sign of the
Alice z⫹ z⫺ x⫹ x⫺
correlation between the bits done by Trent, and second the
⫺ ⫹ ⫹
z⫹ ⌿ ⌽⫺ fact that Alice and Bob declare their bases and outcome for
z⫺ ⫹ ⫺ ⌽⫺ ⌿⫹ the the test bits before Trent tells how the outcomes should
x⫹ ⌿⫹ ⌽⫺ ⫹ ⫺ be correlated. Note that, since we do the eavesdropping test
x⫺ ⌽⫺ ⌿⫹ ⫺ ⫹ using data from Trent, it is not necessary to use the encoding
procedure in 关6兴, where a test of the violation of a Bell in-
equality 关26兴 is used to detect the eavesdropper. Consider the
as starting states pick 兩 ⫺ 典 and 兩 ⫹ 典 as one base, and 兩 ⌽ ⫺ 典 eavesdropper using a Bell analyzer to perform eavesdrop-
and 兩 ⌿ ⫹ 典 as the other. The user authentication and key dis- ping. If so, in half the cases he will make the right choice; in
tribution scheme illustrated with Fig. 4 is as follows: the other half he will not. On average, the eavesdropper will
impair a 25% BER, as well as induce the same BER in the
共1兲 Trent sends one of the entangled states 兩 典 channel. To check the agreement with the data one may sim-
苸 兵 兩 ⫹ 典 , 兩 ⫺ 典 , 兩 ⌿ ⫹ 典 , 兩 ⌽ ⫺ 典 其 , each with a probability of 41 . ply check that the BER is not above a critical value. Let us
One photon from the entangled state is sent to Alice, and the furthermore stress that, as Trent does not know the outcome
other photon is sent to Bob. Alice and Bob measure the of Alice and Bob’s measurements, he knows neither the au-
polarization of the incoming photon by switching randomly thentication string nor the secret key K established by Alice
between the z base and the x base. and Bob.
共2兲 Alice tells Bob a set of bits, their positions in the The data-sorting procedure used in the protocol is similar
transmission, and the corresponding settings of the polariz- to the ‘‘entangled entanglement’’ studied by Krenn and
ers. Zeilinger 关25兴 for three-particle entangled states 共GHZ-states
共3兲 Bob tells Alice a different set of bits, their positions in 关29兴兲, albeit here Trent does classical random selection of the
the transmission, and the corresponding settings of the polar- states. One can also easily construct 共on paper兲 a three-
izers. particle entangled version of the above protocol, in which the
共4兲 Bob and Alice randomly alternate telling the settings selection of the state sent by Trent is made purely random,
of the polarizers for all the states received. contingent upon the outcome of the measurement of his par-
共5兲 Trent broadcasts 共unjammably兲 to Alice and Bob ticle from the three-particle entangled states.
which of the entangled states he sent for all of the bits. Al-
ternatively, we may suppose that the choice of states by
Trent is secret information that the true Alice and Bob are B. Two-state entanglement-based QKD with user
given. This information is denoted by X. authentication „v…
共6兲 Alice and Bob sort their released data into four bins
Finally, let us show a simplified version of the four-state
N 1 to N 4 . In bin N 1 , they place the states pertaining to if
scheme, using only two nonorthogonal states. This scheme is
Trent sent a 兩 ⫹ 典 state. In this case they know that their
in some respects, very similar to the two-state scheme Ben-
results should be anticorrelated in the z base and correlated in
net 1992 共B92兲 关7兴. In this case, Trent will again not know
the x base. In bin N 2 , they place the states pertaining to if
which is the authentication string, nor will he know the se-
Trent sent a 兩 ⫺ 典 state. Their results should then be perfectly
cret key bits.
correlated when both are measured in the z base and anticor-
The user authentication and key distribution scheme, as
related when both are measured in the x base. In bin N 3 they
illustrated with Fig. 4, is as follows:
place the results if Trent sent a 兩 ⌿ ⫹ 典 state. In this case, if
Bob and Alice measure in different bases, the results are 共1兲 Trent sends the entangled states 兩 ⫹ 典 or 兩 ⌿ ⫹ 典 , each
correlated. Finally, in bin N 4 , they place the results if Trent with the probability 21 共remember these states are not or-
sent a 兩 ⌽ ⫺ 典 state. For this state they know that the bits thogonal兲. Alice and Bob do measurements in the polariza-
should be anticorrelated when Alice and Bob measure in tion by randomly switching between the z base and the x
different bases. All other cases they discard. In Table I we base.
have summarized the correlation relations for different set- 共2兲 Alice tells Bob a set of bits, their position in the trans-
tings of Alice and Bob polarizers. This departure from cor- mission, and the settings of the polarizers.
relation to anticorrelation gives Alice and Bob the unique 共3兲 Bob tells Alice a different set of bits, their position in
signature from Trent, which allows them user authentication. the transmission, and the settings of the polarizers.
共7兲 Alice and Bob then check their bits according to the 共4兲 Bob and Alice randomly alternate telling the settings
bins N 1 to N 4 . of the polarizers for all the states received.
共8兲 The final step is to distribute the cryptokey K, which is 共5兲 Trent broadcasts which of the entangled states he sent
done using the remaining secret bits from the bins N 1 to N 4 for all of the bits.
as before. This is done by first keeping only bits where the 共6兲 Alice and Bob sort their released data into two bins N 1
settings of the polarizers were the same. This exchanged in- and N 2 . In bin N 1 , they place the states if Trent sent a 兩 ⫹ 典
formation Y is shown in Fig. 4. state. In this case they know that their results should be an-
022305-6
AUTHORITY-BASED USER AUTHENTICATION IN . . . PHYSICAL REVIEW A 62 022305
ticorrelated in the z base and correlated in the x base. In bin and they do increase the overall security by giving ‘‘an extra
N 2 they place the states if Trent sent 兩 ⌿ ⫹ 典 state. In this case, handle’’ in the correlations. We believe that the three main
if Bob and Alice measure in incompatible bases, the results results–to send authentication information interleaved with
are correlated. the quantum key, to manipulate the Bell states used for the
共7兲 Alice and Bob then check their bits according to the key generation, and to use a nonorthogonal state base similar
bins N 1 and N 2 . to what is done in single-photon quantum cryptography—are
共8兲 The final step is the distribution of the cryptokey it- all of interest for applications of user authentication in quan-
self, which is done using the remaining secret bits from the tum cryptography. Entangled-state manipulation also has use
bins N 1 and N 2 as before. This is done by first keeping only in quantum secret sharing protocols 关27,28兴. An interesting
bits where the settings of the polarizers were the same. question, that we just commented on briefly, is to what ex-
tent three-particle entangled states can be used for authenti-
cation, similar to the case of secret sharing 关27兴. As for the
If the data between Alice and Bob and the settings given experimental feasibility of the above protocols, they would
from Trent agree, Bob and Alice have again authenticated all be possible using present-day technology; optical Bell-
each other via Trent. If an eavesdropper listens in or is not in state generation has been done by several groups, Bell-state
possession of any of the entangled states, he cannot repro- manipulation has been demonstrated, and on the receiver
duce the statistical correlations between the three persons. side only single-photon detection will be required. Of course,
Furthermore, an eavesdropper cannot successfully 共using a the feasibility does not imply that the added technical com-
Bell-state measurement兲 distinguish the two states without plexity compared to attenuated coherent-state quantum cryp-
ambiguity. If there are losses in the system, he may, how- tography using unjammable public channels will necessarily
ever, succeed in eavesdropping as is the case for two-state be justified.
quantum cryptography 关7兴.
ACKNOWLEDGMENTS
V. DISCUSSION
A. Karlsson would like to acknowledge Nobuyuki Imoto
As for the general applicability of these schemes, they and Masato Koashi of NTT Basic Research Laboratories and
still assume the existence of an unjammable public channel Soken University for Graduate Studies, and Artur Ekert of
at some instance 共one way in some protocols, two ways in Oxford University for useful discussions during the initial
other兲. Alternatively, the protocols assume that some initial part of the work. This work was supported by the European
piece of secret information is available. Also with Trent this IST FET QuComm project, the Swedish Natural Science Re-
is inevitable. However, they do allow quantum key distribu- search Council 共NFR兲, and the Swedish Technical Science
tion on a jammable public channel between Alice and Bob, Research Council 共TFR兲.
关1兴 B. Schneier, Applied Cryptography, Protocols, Algorithms and 关14兴 B. Huttner, N. Imoto, and S. Barnett, J. Nonlinear Opt. Phys.
Source Code in C 共John Wiley and Sons, New York, 1996兲. Mater. 5, 823 共1996兲.
关2兴 D. R. Stinson, Cryptography, Theory and Practice 共CRC, New 关15兴 H. K. Lo and H. F. Chau, Phys. Rev. Lett. 78, 3410 共1997兲.
York, 1995兲. 关16兴 D. Mayers, Phys. Rev. Lett. 78, 3414 共1997兲.
关3兴 M. N. Wegman and J. L. Carter, J. Comput. Syst. Sci. 22, 265 关17兴 M. Dusek, O. Haderka, M. Henrych, and R. Myska, Phys. Rev.
共1981兲. A 60, 149 共1999兲.
关4兴 A. Fiat and A. Shamir, in Advances in Cryptology: Proceed- 关18兴 H. Barnum, Los Alamos e-print quant-ph/9910072.
ings of Crypto 86, edited by A. M. Odlyzko 共Springer-Verlag, 关19兴 D. Jonathan and M. Plenio, Phys. Rev. Lett. 83, 3566 共1999兲.
New York, 1987兲, pp. 186–194. 关20兴 M. Nielsen, Phys. Rev. Lett. 83, 436 共1999兲.
关5兴 C. H. Bennett, G. Brassard, and J. Smolin, J. Cryptology 5, 3 关21兴 G. Zeng and W. Zhang, Phys. Rev. A 61, 022303 共2000兲.
共1992兲. 关22兴 J. W. Pan, D. Bouwmeester, H. Weinfurter, and A. Zeilinger,
关6兴 A. K. Ekert, Phys. Rev. Lett. 67, 661 共1991兲. Phys. Rev. Lett. 80, 3891 共1998兲.
关7兴 C. H. Bennett, Phys. Rev. Lett. 68, 3121 共1992兲. 关23兴 P. G. Kwiat, K. Mattle, H. Weinfurther, and A. Zeilinger,
关8兴 H. Zbinden, H. Bechmann-Pasquinucci, N. Gisin, and G. Ri- Phys. Rev. Lett. 75, 4337 共1995兲.
bordy, Appl. Phys. B: Lasers Opt. 67, 743 共1998兲. 关24兴 M. Michler, K. Mattle, M. Eible, H. Weinfurther, and A.
关9兴 M. Bourennane, D. Ljunggren, A. Karlsson, Per Jonsson, A. Zeilinger, Phys. Rev. A 53, R1209 共1996兲.
Hening, and J. P. Ciscar, J. Mod. Opt. 47, 563 共2000兲. 关25兴 G. Krenn and A. Zeilinger, Phys. Rev. A 54, 1793 共1996兲.
关10兴 N. Lütkenhaus, Phys. Rev. A 54, 97 共1996兲. 关26兴 J. S. Bell, Physics 共Long Island City, N.Y.兲 1, 195 共1964兲.
关11兴 N. Lütkenhaus, Phys. Rev. A 59, 3301 共1999兲. 关27兴 M. Hillary, V. Buzek, and A. Bertaiume, Phys. Rev. A 59,
关12兴 G. Brassard, N. Lütkenhaus, T. Mor, and B. C. Sanders, Los 1829 共1999兲.
Alamos e-print quant-ph/9911054. 关28兴 A. Karlsson, M. Koashi, and N. Imoto, Phys. Rev. A 59, 162
关13兴 C. Crépeau and L. Salvail in Advances in Cryptology: Pro- 共1999兲.
ceedings of Eurocrypt ’95, edited by L. C. Guillon and J. J. 关29兴 D. M. Greenberger, M. A. Horne, A. Shimony, and A.
Quisquater 共Springer-Verlag, New York, 1995兲, p. 133–14. Zeilinger, Am. J. Phys. 58, 1131 共1990兲.
022305-7