A General Scheme for Information Interception in the Ping-Pong Protocol
The existence of undetectable eavesdropping of dense coded information has already been demonstrated by Pavičić for quantum direct communication based on the ping-pong paradigm. However, (a) only the explicit scheme of the circuit is given and no design rules are provided; (b) the existence of losses is implicitly assumed; (c) the attack has been formulated against the qubit based protocol only and it is not clear whether it can be adapted to higher dimensional systems. These deficiencies are removed in the presented contribution. A new generic eavesdropping scheme built on a firm theoretical background is proposed. In contrast to the previous approach, it does not refer to the properties of the vacuum state, so it is fully consistent with the absence of losses assumption. Moreover, the scheme applies to the communication paradigm based on signal particles of any dimensionality. It is also shown that some well known attacks are special cases of the proposed scheme.
Quantum direct communication (QDC) aims to provide confidentiality without resorting to classic encryption. This is in contrast to the quantum key distribution (QKD) technique, as no shared key is established and quantum resources take over its role. In QDC, similar to QKD, it is assumed that legitimate parties can communicate over an open and authenticated classic channel.
The roots of QDC can be traced back to the QKD protocol of Long and Liu  that, after slight modification proposed as the two-step protocol , can be considered the first protocol of this kind. The ping-pong protocol  is another QDC scheme which is easier to implement at the price of a lower security margin and capacity. These initial works exploited the entanglement of EPR pairs to protect transmission of sensitive information. Ideas of these proposals have been further adapted to higher dimensional systems [4–7] and/or modified to enhance capacity via dense coding [8, 9]. Entanglement is a very fragile quantum resource and its handling is technically challenging. This motivated the work towards exploiting quantum uncertainty, a resource used by most QKD protocols. The first single-photon QDC protocol proposed by Deng and Long  has been recently demonstrated experimentally . The LM05 protocol  is the other proposal of this kind that is worth noting. The history of the development and the review of the early QDC proposals can be found in .
QDC protocols offer different levels of security, which usually result from the tradeoff between practical feasibility and the type of quantum resource available to communicating parties. QDC protocols which process particles in blocks [2, 4] can be parametrized in such a way that the probability of revealing sensitive information is arbitrarily small. However, they assume that legitimate parties have long-term quantum memory. Protocols that process particles individually are quasi-secure [13–15]. Quasi-security means that before eavesdropping detection, which is inevitable for long sequences, part of the sensitive information may be revealed to the eavesdropper. QDC is a more versatile cryptographic primitive than QKD. In fact, QDC protocols can be used as engines for key agreement. Any key agreement protocol executed in a private channel provided by a QDC protocol offering unconditional security has security comparable with QKD. Also quasi-secure QDC protocols can realize unconditionally secure QKD. However, in this case, the QDC phase delivers a shared sequence that is partially known to the eavesdropper. By the appropriate postprocessing, that is, privacy amplification, the eavesdropper’s knowledge on the resulting sequence can be reduced to an arbitrarily small value provided that his information on the initial sequence is less than the mutual information of the legitimate parties. The realization of the QKD via QDC can be potentially more efficient as the basis reconciliation step, which severely plagues efficiency of many QKD protocols, can be avoided [16–18]. Protocols of this type are referred to as deterministic QKD and some of them have been recently experimentally demonstrated [19, 20].
This paper is devoted to the analysis of the (in)security of the ping-pong protocol, an entanglement based QDC scheme . Quasi-security is provided only for perfect quantum channels  and the scheme becomes insecure when losses  and/or communication errors and imperfection of devices are taken into account . The protocol offers a capacity of a single bit per protocol cycle because the authenticity of the shared EPR pair is verified only by a measurement in a single basis. This limits the available encoding to phase flips. Possible capacity enhancement via dense coding leads to undetectable information leakage as demonstrated in  and usage of mutually unbiased bases in control measurements is required to preserve quasi-security of the communication . In our previous work, we have proved that this observation also holds for the qudit based protocol and that detection probability depends on the number of bases used in the control mode [7, 23]. However, no explicit attack transformation has been given in the aforementioned papers. The present contribution is motivated by the appearance of the circuit  (further, it will be referred to as P-circuit) capable of undetectably intercepting information transmitted in the qubit based ping-pong protocol with the following configuration: quantum channel is perfect, legitimate parties use a single basis for control measurements, and information is dense coded. In other words, the instantiation of the attack is forecasted in . Although P-circuit is applicable to perfect channels, it assumes the appearance of the vacuum states in the eavesdropper’s ancilla. In consequence, it does not fit well with the existing analyses. Shortly after its appearance, a control mode that addresses detection of this specific circuit has been proposed .
We propose a generic scheme for construction of attacks that permit undetectable eavesdropping under the same assumptions: quantum channel is perfect, control measurements are executed in a single basis, and sensitive information is dense coded. Thus, our contribution can be considered as the generalization of the result given in . The presented method is applicable to systems of any dimension so it can be used to construct a plethora of new transforms. Using the introduced generalization, we also demonstrate the equivalence of the attack from  and CNOT operation. In consequence, we claim that there is no need for construction of specific control modes as in , because any control mode able to detect CNOT operation is also able to detect the circuit proposed in . We do not propose an attack that is undetectable by control measurements in unbiased bases. In fact, we think that the opposite is true: control measurements in mutually unbiased bases are sufficient to statistically detect coherence break of the shared entangled state and, in that way, reveal the presence of the eavesdropper .
The paper is organized as follows. In Section 2, we provide notation and concepts used in the text. Section 3 presents the main contribution. In particular, we provide a general bit-flip detection scheme, demonstrate its equivalence with the existing approaches, and introduce an attack on the qudit based protocol. In Section 4, we summarize the presented work.
2.1. Ping-Pong Protocol
The communication protocol described below is a ping-pong paradigm variant analysed in . Compared to the seminal version , it differs only in the encoding operation: the sender uses dense coding instead of phase flips. The remaining elements of the communication scenario are left intact.
Bob starts the communication process by creation of EPR pair (the assumed initial state is the same as in [3, 24] to maintain compatibility of mathematical expressions; for the qudit version of the protocol, considered in Section 3.1, it is assumed that Bob starts from the generalization of ): Then, he sends one of the qubits, further referred to as the signal/travel qubit, to Alice. Alice can in principle encode two classic bits and applying unitary transformation , where and are bit-flip and phase-flip operations, respectively. The signal particle is sent back to Bob, who detects applied transformation by a collective measurement of both qubits (Figure 1).
Passive eavesdropping is impossible. Eve has access only to the travel qubit which before and after encoding looks like a maximally mixed state. Unfortunately, the described communication scenario is vulnerable to the intercept-resend attack and Alice has to check whether the received qubit is genuine. As a countermeasure, Alice measures the received qubit in the computational basis (, ) in randomly selected protocol cycles and asks Bob over the authenticated classic channel to do the same with his qubit (Figure 2). Her measurement causes the collapse of the shared state (1). The perfect (anti)correlation of the outcomes is preserved only if the qubit measured by Alice is the same one that was sent by Bob. If Eve inserts a fake qubit, then the measured qubits are no longer correlated and some discrepancies, which are the sign of the eavesdropping, do occur. In that way, Alice and Bob can convince themselves with confidence approaching certainty that the quantum channel is not spoofed, provided that they have executed a sufficient number of control cycles.
However, the intercept-resend attack is not the only possible way of active sensitive information interception. The signal particle that travels back and forth between legitimate parties can be the subject of any quantum action introduced by Eve (Figure 3). Introduced coupling causes the encoding operation to also modify Eve’s ancilla state and Eve hopes to detect and decipher Alice’s actions by its inspection. Actions of Eve, not necessarily unitary in the affected qubit’s space, can be described as unitary operation acting in the space extended with two additional qubits, as follows from Stinespring’s dilation theorem. The control state shared by legitimate parties then takes the form where is some initial state of Eve’s ancilla. Eve’s presence is detected with probability where projection depends on initial state and the considered case is defined as
2.2. Pavičić Attack
Pavičić’s attack demonstrates the violation of ping-pong protocol security when dense coding is used. The attack does not introduce errors or losses in control and message mode and it permits eavesdropping on information encoded as bit-flip operations.
The P-circuit presented by Pavičić (Figure 4) is a result of a cut-and-try procedure [24, section IV] applied to Wójcik’s circuit . It is composed of two Hadamard gates followed by the controlled polarization beam splitter (), which is a generalization of the polarization beam splitter () concept. The is a two-port gate that swaps horizontally polarized photons () entering its input to the other port () on output while vertically polarized ones () remain in their port (); that is, where denotes the vacuum state. The behaves as normal if control qubit is set to . The roles of horizontal and vertical polarization are exchanged for control qubit set to : Initially, Eve’s ancilla is initialized to the state . The action of the P-circuit from Figure 4 is then described by the following formulas: For the purpose of future analysis, let us also identify actions of the circuit under consideration onto the state : The control state (2) after entangling with Eve’s ancilla reads This state is further used by Alice and Bob for eavesdropping check. It is clear from (3) that the attack does not introduce errors or losses in control mode and the expected correlation of outcomes is preserved in the computational basis.
Phase Flip. The phase-flip encoding applied to the coupled state leads to
Bit Flip. The bit-flip operation transforms Alice’s state to
The system state after disentangling can be deduced from (8a) and (8b): In both cases, that is, phase-flip and bit-flip encoding, the signalling subsystem behaves as if there was no coupling with the ancilla. However, Alice’s bit-flip encoding modifies Eve’s register (). The states and are orthogonal and perfectly distinguishable. In consequence, Eve can eavesdrop on bit-flip operations without introducing errors and losses in message mode as well.
This section is devoted to the analysis of the general form of the incoherent attack shown diagrammatically in Figure 3. Each cycle of the protocol is considered to be independent of the other ones. Consequently, the effectiveness of the attack is expressed in a fraction of bits eavesdropped on per communication cycle. Throughout the analysis, it is also assumed that legitimate parties rely on control mode used in the seminal version of the protocol. They locally measure possessed particles in the computational basis and verify expected correlation via the public discussion over authenticated classic channel.
3.1. Generic Bit-Flip Detection Scheme for Qubit Based Protocol
As the control mode explores outcomes of local measurements in computational basis for intrusion detection, the map has to be of trivial form to not induce errors and/or losses in control cycles. It follows that, under attack, Alice operates on the state Let the entangling transformation additionally satisfy for some state . The process of information encoding and disentangling from the ancilla is then described by the expressions As a result, the registers used for signalling are left untouched and decoupled but Eve’s register is flipped from to when Alice applies bit-flip operation. In consequence, Eve can successfully decode half of the message content provided that the detection states and are perfectly distinguishable. It follows that any unitary coupling transformation that satisfies (14) and (16) can be used for bit-flip detection.
3.2. Equivalence of P-Circuit and CNOT Circuit
The properties of the above generic scheme and the P-circuit  perfectly coincide. As follows from (7a), (7b), (8a), and (8b), the states and play the role of detection states and , respectively. It is also clear that transformation has properties claimed in (14) and (16). Thus, the P-circuit can be considered as an instance of the generic scheme described in Section 3.1.
However, the operator satisfying (14) and (16) can be realized in many ways. It seems that CNOT operation acting on a single qubit of Eve’s ancilla, , , , , and , is the simplest realization of the logic behind the attack. Such a version is also practically feasible as the attacks involving probes entangled via the CNOT operation have already been proposed in the QKD context [26, 27]. As a result, both the CNOT circuit and P-circuit are equivalent in terms of provided information gain, detectability, and practical feasibility. Consequently, there is no need for the design of control modes that address P-circuit in a special manner .
3.3. An Attack on Qudit Based Protocol
The P-circuit has no straightforward generalization to qudit based version of the protocol. In contrast, the presented approach can be adapted with ease. Let Bob start communication process with creation of EPR pair: where is the qudit dimension. The travel qudit is then sent to Alice for encoding or control measurement. In control mode, the home and travel qubits are measured in the computational basis so the projection used in control equation (3) takes the form Let, by an analogy to the qubit case, and be the sets of orthonormal states of the ancilla system. These states will be further referred to as detection and probe states, respectively. The map used by Eve must be of the form to not introduce errors in control measurements. Let us additionally postulate that satisfies that is, advances index positions in a set of Eve’s probe states. Similarly, decrements the index positions: Let us recall that for qudits Alice uses to encode classic , “cdits” in the following way: Under attack, Alice applies encoding (24) to the state coupled according to rule (20): The travel qubit is affected by in its way back to Bob: The expression in curly braces is exactly the state that Bob expects to receive when there is no Eve (see (24)), so eavesdropping also does not affect the message. At the same time, the initial state of the ancilla is moved by positions within the set of detection states. As a result, Eve can unambiguously identify the value of cdit as long as the detection states are mutually orthogonal.
The (controlled ) gate seems to be the simplest instance of the attack paradigm. Let the detection and probe sets of states be the elements of the computational basis (, ) and the ancilla is composed of the single qudit register. The attack operation can be then implemented as In an obvious way, requirements (21) regarding properties of are then fulfilled.
The existence of attacks able to undetectably eavesdrop on half of the dense coded information has been already forecasted in relation to qubit , qutrit , and qudit  based protocol. However, no explicit form of the attack transformation has been given. The presented result fills in this gap and provides some general guidelines on how to construct coupling transformation with desired properties.
3.4. Control Mode Able to Detect Bit-Flip Eavesdropping
The insecurity of the considered protocol results from inability to detect coupling with the control measurements in a single basis. Let us consider a qubit based protocol from Section 2.1 with control mode enhanced to measurements in two bases, namely, computational basis and its dual basis, that is, eigenvectors of gate. In the new control mode, Alice randomly selects measurement basis, performs measurement, and asks Bob to make local measurement in the same basis. The control state (9) in the absence of coupling takes the form where are eigenvectors of . It follows that legitimate parties expect anticorrelation (correlation) of outcomes in the computational (dual) basis. Under attack undetectable in the computational basis (14), the control equation (15) takes the following form in the dual basis: Alice measurement causes the collapse to one of the states in the curly braces. It follows that Bob can obtain outcome with equal probability, which in turn renders Eve detectability. If control bases are selected with equal probability, then bit-flip attack is detected with . The above qualitative discussion addresses bit-flip attack. The more advanced discussion on the properties of control modes based on mutually unbiased bases and in relation to attacks of any form can be found in .
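The following state-vector simulation is an added example, not code from the paper: it runs the CNOT realization of Section 3.2 through message mode and through the single-basis and two-basis control modes discussed above. It assumes the shared pair (|01⟩ + |10⟩)/√2, chosen to match the stated anticorrelation (correlation) in the computational (dual) basis; all function names are this example's own.

```python
from itertools import product
from math import sqrt

# Pure state of (home, travel, ancilla) qubits as {(h, t, e): real amplitude}.
def bob_pair():
    # Assumed pair (|01> + |10>)/sqrt(2) with Eve's ancilla in |0>.
    a = 1 / sqrt(2)
    return {(0, 1, 0): a, (1, 0, 0): a}

def cnot_coupling(state):
    # Eve's coupling: travel qubit controls a NOT on the ancilla (self-inverse).
    return {(h, t, e ^ t): amp for (h, t, e), amp in state.items()}

def encode(state, mu, nu):
    # Alice's dense coding X^mu Z^nu on the travel qubit (phase first, then flip).
    return {(h, t ^ mu, e): amp * (-1) ** (nu * t) for (h, t, e), amp in state.items()}

def hadamard(state, qubit):
    out = {}
    for basis, amp in state.items():
        for b in (0, 1):
            key = basis[:qubit] + (b,) + basis[qubit + 1:]
            sign = -1 if basis[qubit] and b else 1
            out[key] = out.get(key, 0.0) + sign * amp / sqrt(2)
    return out

def control_error_rate(state, dual):
    # Chance that one control cycle shows the wrong correlation: outcomes should
    # differ in the computational basis and agree in the dual basis.
    if dual:
        state = hadamard(hadamard(state, 0), 1)
    return sum(amp ** 2 for (h, t, _), amp in state.items() if (h == t) != dual)

def message_cycle(mu, nu, attack):
    state = bob_pair()
    if attack:
        state = cnot_coupling(state)      # Bob -> Alice
    state = encode(state, mu, nu)
    if attack:
        state = cnot_coupling(state)      # Alice -> Bob
    return state

def eve_readout(mu, nu):
    # Returns (ancilla distribution, fidelity of Bob's pair with the unattacked one).
    clean, attacked = message_cycle(mu, nu, False), message_cycle(mu, nu, True)
    p_anc, overlap = [0.0, 0.0], [0.0, 0.0]
    for (h, t, e), amp in attacked.items():
        p_anc[e] += amp ** 2
        overlap[e] += clean.get((h, t, 0), 0.0) * amp
    return p_anc, sum(o ** 2 for o in overlap)

def detection_probability(p_dual):
    # Per-control-cycle detection when the dual basis is chosen with probability p_dual.
    coupled = cnot_coupling(bob_pair())
    return ((1 - p_dual) * control_error_rate(coupled, False)
            + p_dual * control_error_rate(coupled, True))

if __name__ == "__main__":
    for mu, nu in product((0, 1), repeat=2):
        print((mu, nu), eve_readout(mu, nu))
    print("detection:", detection_probability(0.0), detection_probability(0.5))
```

In every message cycle the ancilla ends in the state indexed by the bit-flip bit while Bob's pair is unchanged, and only the dual-basis control cycles produce a nonzero error rate.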
A generic scheme that provides undetectable eavesdropping of bit-flip operations in the seminal version of the ping-pong protocol is introduced. It can be considered as a generalization of the P-circuit , but, in contrast, it is deduced from the very basic properties of the coupling transformation. Moreover, the proposed scheme can be realized without referring to the vacuum states so it is fully consistent with the absence of losses assumption. The CNOT gate and P-circuit are special cases of the introduced scheme so both approaches are equivalent. It follows that any control mode able to detect CNOT coupling is also able to detect the presence of the P-circuit. The control mode based on local measurements in randomly selected unbiased bases is an example of such procedure. Consequently, there is no need for special addressing of P-circuit in the security analyses. Also, the introduced scheme can be adapted to higher dimensional systems. It can be considered as the constructive proof of the existence of attacks forecasted in [2, 6, 23].
The authors declare that there are no competing interests regarding the publication of this paper.
Piotr Zawadzki acknowledges the support from the statutory sources and Jarosław Adam Miszczak was supported by the Polish National Science Center (NCN) under Grant 2011/03/D/ST6/00413.
K. Boström and T. Felbinger, “Deterministic secure direct communication using entanglement,” Physical Review Letters, vol. 89, no. 18, pp. 187902/1–187902/4, 2002.
J. Hu, B. Yu, M. Jing et al., Experimental quantum secure direct communication with single photons. LSA, 2016.