Cryptanalysis of the Hillery-Bužek-Berthiaume quantum secret-sharing protocol
Su-Juan Qin1,2, Fei Gao1, Qiao-Yan Wen1, and Fu-Chen Zhu3
(1. State Key Laboratory of Networking and Switching Technology, Beijing
University of Posts and Telecommunications, Beijing, 100876, China)
(2. School of Science, Beijing University of Posts and Telecommunications, Beijing, 100876, China)
(3. National Laboratory for Modern Communications, P.O.Box 810, Chengdu, 610041, China)
(Dated: February 2, 2008)
The participant attack is the most serious threat for quantum secret-sharing protocols. We present a method to analyze the security of quantum secret-sharing protocols against this kind of attack taking the scheme of Hillery, Bužek, and Berthiaume (HBB) [Phys. Rev. A 59, 1829 (1999)] as an example. By distinguishing between two mixed states, we derive the necessary and sufficient conditions under which a dishonest participant can attain all the information without introducing any error, which shows that the HBB protocol is insecure against dishonest participants. It is easy to verify that the attack scheme of Karlsson, Koashi, and Imoto [Phys. Rev. A 59, 162 (1999)] is a special example of our results. To demonstrate our results further, we construct an explicit attack scheme according to the necessary and sufficient conditions. Our work completes the security analysis of the HBB protocol, and the method presented may be useful for the analysis of other similar protocols.

PACS numbers: 03.67.Dd, 03.67.Hk

I. INTRODUCTION

Quantum cryptography is a technique which permits parties to communicate over an open channel in a secure way. Quantum secret sharing (QSS) is an important branch of quantum cryptography, which allows a secret to be shared among many participants in such a way that only the authorized groups can reconstruct it. In fact, there are two types in quantum secret sharing, that is, the sharing of classical secret and that of quantum information. The former was first proposed by Hillery, Bužek and Berthiaume [1] (called HBB hereafter), and the latter was first presented by Cleve, Gottesman and Lo [2]. Since the above pioneering works appeared, QSS has attracted a great deal of attention (please see [3, 4] for the sharing of classical secret and [5] for that of quantum information).

As we know, designing schemes and analyzing their security are two inherent directions of cryptography, which are opposite to but stimulate each other. Each of them is necessary to the development of cryptography. This is also the case in quantum cryptography [6, 7, 8, 9, 10, 11]. However, because the theory of quantum information remains still far from satisfactorily known, the development of quantum cryptanalysis is relatively slow, especially in QSS. In fact, it is complex to analyze the security of QSS protocols because multiple participants are involved and not all are honest, and therefore few results [12, 13, 14] have been obtained.

In this paper, we present a method to analyze the security of QSS protocols taking the HBB scheme [1] as an example. The security of HBB has been discussed from several aspects. Ref. [1] analyzed an intercept-resend attack by a dishonest participant and an entangle-measure attack by an external attacker. References [12, 13, 14] investigated the relation between security and the violation of some Bell's inequalities by analyzing several eavesdropping scenarios. However, their analyses are incomplete because not all the individual attacks are covered. Reference [3] showed that the HBB scheme was insecure to a skillful attack, and gave a remedy; but this analysis is not systematic. Here, we consider the original HBB protocol and give a complete and systematic analysis of security against a participant attack. From our analysis we also get the same result as Ref. [3], and, moreover, we derive the necessary and sufficient (NAS) conditions for a successful attack, which is more important. From the NAS conditions, we can find many attack schemes easily (including the eavesdropping strategy in Ref. [3]), which will deal with the difficulty that breaking a protocol is unsystematic. Although the result is partly not new [3], the method (which is indeed our main aim) is. This method might be useful for the analysis of other protocols.

The paper is structured as follows. In Sec. II, we review the HBB protocol briefly. In Sec. III, we analyze general participant attack strategies, and derive the NAS conditions under which a dishonest participant attains the whole secret without introducing any error. In Sec. IV, we give a simple scheme to achieve the attack successfully. Finally, we give a conclusion and discussion in Sec. V. Cumbersome computations and formulas are summarized in the Appendix.

II. THE HBB PROTOCOL

Let us introduce the principle of the HBB scheme [1] first. The dealer Alice wants to divide her secret message between her two agents, Bob, and Charlie. At the beginning, Alice prepares a sequence of GHZ triplets in the state $(1/\sqrt{2})(|000\rangle + |111\rangle)_{ABC}$, where the subscripts A, B and C denote the three particles for Alice, Bob and Charlie, respectively. For each triplet, Alice keeps particle A and sends particle B to Bob and C to Charlie. As in the Bennett-Brassard 1984 scheme [15], all the three parties choose randomly the measuring basis (MB) x or y to measure their particles and then they publish their MBs. The announcement should be done in the following way: Bob and Charlie both send their MBs to Alice, who then sends all three MBs to Bob and Charlie [16]. Note that no one can learn other's bases before having to reveal his, otherwise as pointed out in Ref. [1], he could cheat more successfully. When the number of the parties who choose x is odd, the outcomes are useful. Thanks to the features of the GHZ state, Charlie and Bob can deduce the outcomes of Alice when they cooperate (see Table I [1]). To check for eavesdropping, Alice chooses randomly a large subset of the outcomes to analyze the error rate. That is, Alice requires Bob and Charlie to announce their outcomes of the samples in public. If the error rate is lower than a threshold value, they keep the remaining outcomes as secret key.

TABLE I: Correlations between Alice's, Bob's measurement results and Charlie's results. Alice's (Bob's) measurement results are listed in the first column (line).

Alice/Bob   x+   x−   y+   y−
x+          x+   x−   y−   y+
x−          x−   x+   y+   y−
y+          y−   y+   x−   x+
y−          y+   y−   x+   x−

III. THE ATTACK ON THE HBB PROTOCOL

Now let us give a complete discussion of the security of the HBB scheme. As pointed out in Refs. [17, 18, 19], a participant generally has more advantages in an attack than an outside eavesdropper in the secret-sharing protocols. If a QSS protocol is secure for a dishonest participant, it is secure for any eavesdropper. Therefore, to analyze the security, we should concentrate our attention on participant attack. Without loss of generality, we assume the attacker is Charlie, denoted Charlie*. He seeks to learn Alice's secret himself without introducing any error during the eavesdropping check. In order to take advantage of Alice's and Bob's delayed information about their MBs, a wise attack strategy for Charlie* is as follows. When the qubits B and C are sent out by Alice, he lets an ancilla, initially in some state $|\chi\rangle$, interact unitarily with them (the dimensionality of the ancilla is a free variable which causes no loss in generality). After the interaction, Charlie* sends qubit B to Bob, stores qubit C and his ancilla until Alice announces the MBs used by the three parties. Finally, Charlie* measures the qubits at his site to achieve the secret according to Alice's announcements.

We now describe the procedure in detail. After Alice sends out the two qubits, B and C, Charlie* intercepts them and they interact with his ancilla. After that, the state of the whole system may be written as

$$|\Psi\rangle_{ABCE} = \sum_{i,j=0}^{1} a_{ij}\,|ij\rangle_{AB}\,|\varepsilon_{ij}\rangle_{CE}, \tag{1}$$

where $|\varepsilon_{ij}\rangle$ refers to the state of Charlie* after the interaction and is normalized, and $a_{ij}$ is a complex number that satisfies

$$\sum_{i,j=0}^{1} |a_{ij}|^2 = 1. \tag{2}$$

A. The conditions to escape detection

As mentioned above, to use the information about Alice's and Bob's MBs, Charlie* does not measure his qubits until Alice reveals them, and then he can choose different methods accordingly. Note that when Alice requires Charlie* to declare his MBs, Charlie* generates a random sequence of x and y to forge his MBs; actually he does not measure any qubit. If the MBs chosen by all the three parties satisfy the condition that the number of x is odd, the results are kept, otherwise they are discarded. Therefore Charlie* knows Alice's and Bob's MBs for every useful triplet, which can be utilized in the subsequent steps. When some triplets are chosen by Alice to detect eavesdropping, Charlie* then measures his corresponding qubits and announces outcomes according to Alice's and Bob's MBs. Now we explore the conditions that must be satisfied if Charlie* wants to escape from being detected.

Let us first consider the case where both Alice and Bob measure their qubits in x direction, and of course, Charlie* declares x. The state of the whole system $|\Psi\rangle_{ABCE}$ can be rewritten as
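
$$
\begin{aligned}
|\Psi\rangle_{ABCE} = \frac{1}{2}\big[\,& |x^+\rangle_A|x^+\rangle_B\,(a_{00}|\varepsilon_{00}\rangle + a_{01}|\varepsilon_{01}\rangle + a_{10}|\varepsilon_{10}\rangle + a_{11}|\varepsilon_{11}\rangle)_{CE} \\
+\,& |x^+\rangle_A|x^-\rangle_B\,(a_{00}|\varepsilon_{00}\rangle - a_{01}|\varepsilon_{01}\rangle + a_{10}|\varepsilon_{10}\rangle - a_{11}|\varepsilon_{11}\rangle)_{CE} \\
+\,& |x^-\rangle_A|x^+\rangle_B\,(a_{00}|\varepsilon_{00}\rangle + a_{01}|\varepsilon_{01}\rangle - a_{10}|\varepsilon_{10}\rangle - a_{11}|\varepsilon_{11}\rangle)_{CE} \\
+\,& |x^-\rangle_A|x^-\rangle_B\,(a_{00}|\varepsilon_{00}\rangle - a_{01}|\varepsilon_{01}\rangle - a_{10}|\varepsilon_{10}\rangle + a_{11}|\varepsilon_{11}\rangle)_{CE}\,\big].
\end{aligned} \tag{3}
$$
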
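We can see from Table I that without eavesdropping, if Alice's and Bob's results are x+x+ or x−x−, Charlie*'s announcement should be x+, otherwise, his announcement should be x−. In a convenient depiction, we denote Charlie*'s state as $|\varphi_{j^m k^n}\rangle$ which is normalized, when Alice's and Bob's results are $j^m$ and $k^n$, where $j,k \in \{x,y\}$ and $m,n \in \{+,-\}$. To avoid being found out, Charlie* should have the ability to discriminate completely between the two sets $\{|\varphi_{x^+x^+}\rangle, |\varphi_{x^-x^-}\rangle\}$, $\{|\varphi_{x^+x^-}\rangle, |\varphi_{x^-x^+}\rangle\}$. As shown in Ref. [20], two sets S1, S2 can be perfectly discriminated if and only if the subspaces they span are orthogonal. So the scalar products of Charlie*'s states have to satisfy four constraints:

$$
\begin{aligned}
\langle\varphi_{x^+x^+}|\varphi_{x^+x^-}\rangle &= 0,\\
\langle\varphi_{x^+x^+}|\varphi_{x^-x^+}\rangle &= 0,\\
\langle\varphi_{x^-x^-}|\varphi_{x^+x^-}\rangle &= 0,\\
\langle\varphi_{x^-x^-}|\varphi_{x^-x^+}\rangle &= 0.
\end{aligned} \tag{4}
$$

From Eqs. (3) and (4), we obtain

$$
\begin{aligned}
a_{00}^* a_{01}\langle\varepsilon_{00}|\varepsilon_{01}\rangle - a_{11}^* a_{10}\langle\varepsilon_{11}|\varepsilon_{10}\rangle &= 0,\\
a_{00}^* a_{10}\langle\varepsilon_{00}|\varepsilon_{10}\rangle - a_{11}^* a_{01}\langle\varepsilon_{11}|\varepsilon_{01}\rangle &= 0,\\
|a_{01}|^2 - a_{01}^* a_{10}\langle\varepsilon_{01}|\varepsilon_{10}\rangle + a_{10}^* a_{01}\langle\varepsilon_{10}|\varepsilon_{01}\rangle - |a_{10}|^2 &= 0,\\
|a_{00}|^2 - a_{00}^* a_{11}\langle\varepsilon_{00}|\varepsilon_{11}\rangle + a_{11}^* a_{00}\langle\varepsilon_{11}|\varepsilon_{00}\rangle - |a_{11}|^2 &= 0.
\end{aligned} \tag{5}
$$

Similarly, the constraints are then found in the Appendix for other cases. Finally, we obtain results from Eqs. (5), (A3), (A6) and (A9):

$$
\begin{aligned}
a_{00}^* a_{01}\langle\varepsilon_{00}|\varepsilon_{01}\rangle = a_{00}^* a_{10}\langle\varepsilon_{00}|\varepsilon_{10}\rangle &= 0,\\
a_{01}^* a_{11}\langle\varepsilon_{01}|\varepsilon_{11}\rangle = a_{10}^* a_{11}\langle\varepsilon_{10}|\varepsilon_{11}\rangle &= 0,\\
a_{00}^* a_{11}\langle\varepsilon_{00}|\varepsilon_{11}\rangle = a_{01}^* a_{10}\langle\varepsilon_{01}|\varepsilon_{10}\rangle &= 0,\\
|a_{00}| &= |a_{11}|,\\
|a_{01}| &= |a_{10}|.
\end{aligned} \tag{6}
$$

Obviously, Charlie* can succeed in escaping detection by Alice and Bob when his operations satisfy Eq. (6).

B. The maximum information the attacker can attain

After escaping from detection, Charlie* measures the remaining qubits to deduce Alice's secret. Now let us compute the maximum information that Charlie* can gain. From Eqs. (3) and (6), we can see if Alice's result is x+, Charlie*'s state collapses to $|\varphi_{x^+x^+}\rangle$ or $|\varphi_{x^+x^-}\rangle$ with equal probability, otherwise collapses to $|\varphi_{x^-x^+}\rangle$ or $|\varphi_{x^-x^-}\rangle$ with equal probability. So to get information of Alice's result, x+ or x−, Charlie* should distinguish between two mixed states $\rho_{x^+} = \frac{1}{2}|\varphi_{x^+x^+}\rangle\langle\varphi_{x^+x^+}| + \frac{1}{2}|\varphi_{x^+x^-}\rangle\langle\varphi_{x^+x^-}|$ and $\rho_{x^-} = \frac{1}{2}|\varphi_{x^-x^+}\rangle\langle\varphi_{x^-x^+}| + \frac{1}{2}|\varphi_{x^-x^-}\rangle\langle\varphi_{x^-x^-}|$ occurring with equal a priori probability. Generally, there are two ways to discriminate between two states, minimum error discrimination and unambiguous discrimination. In Ref. [21], the authors showed the minimum failure probability $Q_F$ attainable in unambiguous discrimination is always at least twice as large as the minimum-error probability $P_E$ in ambiguous discrimination for two arbitrary mixed quantum states. So we should take the ambiguous discrimination to get the maximum information. Utilizing the well-known result [22] that to discriminate between two mixed states $\rho_1$ and $\rho_2$ occurring with a priori probabilities $p_1$ and $p_2$, respectively, where $p_1 + p_2 = 1$, the minimum-error probability attainable is $P_E = \frac{1}{2} - \frac{1}{2}\|p_2\rho_2 - p_1\rho_1\|$, where $\|\Lambda\| = \mathrm{Tr}\sqrt{\Lambda^\dagger\Lambda}$, we get the minimum-error probability to discriminate between $\rho_{x^+}$ and $\rho_{x^-}$ under the constraints of Eq. (6)

$$P_E = \frac{1}{2}\left(1 - 4|a_{00}|\cdot|a_{10}|\right). \tag{7}$$

Considering the other three cases (see the Appendix A) with similar strategy, we get the same results as Eq. (7).

The mutual information between Alice and Charlie* in terms of Shannon entropy is given by

$$I^{AC} = 1 + P_E\log P_E + (1 - P_E)\log(1 - P_E). \tag{8}$$

Now the task is maximizing $I^{AC}$ with the constraints of Eqs. (2) and (6). Using the Lagrange multiplier method, we attain the maximum $I^{AC}_{\max} = 1$ under conditions

$$
\begin{aligned}
\langle\varepsilon_{00}|\varepsilon_{01}\rangle = \langle\varepsilon_{00}|\varepsilon_{10}\rangle = \langle\varepsilon_{00}|\varepsilon_{11}\rangle &= 0,\\
\langle\varepsilon_{01}|\varepsilon_{10}\rangle = \langle\varepsilon_{01}|\varepsilon_{11}\rangle = \langle\varepsilon_{10}|\varepsilon_{11}\rangle &= 0,\\
|a_{00}| = |a_{01}| = |a_{10}| = |a_{11}| &= \frac{1}{2}.
\end{aligned} \tag{9}
$$

Now, we have the NAS conditions for a dishonest participant to attack HBB successfully. Therefore the HBB protocol is insecure (in its original form). Obviously, $|\varepsilon_{00}\rangle$, $|\varepsilon_{01}\rangle$, $|\varepsilon_{10}\rangle$, and $|\varepsilon_{11}\rangle$ are orthogonal to each other, which indicates that a dishonest participant need prepare one additive qubit at least. It is easy to verify that the eavesdropping strategy in Ref. [3] is a special example of our results, where two additive qubits are used and $a_{00}|\varepsilon_{00}\rangle = \frac{1}{2}|000\rangle$, $a_{01}|\varepsilon_{01}\rangle = -\frac{1}{2}|001\rangle$, $a_{10}|\varepsilon_{10}\rangle = \frac{1}{2}|110\rangle$, and $a_{11}|\varepsilon_{11}\rangle = -\frac{1}{2}|111\rangle$.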
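
As an added illustration (not part of the original paper), the following Python check takes a probe in the form of Eq. (1), i.e. the four vectors $a_{ij}|\varepsilon_{ij}\rangle$, tests the orthogonality constraints (4), (A2), (A5) and (A8) in all four useful basis combinations, and, when they hold, evaluates Eqs. (7) and (8). The function names and the `FAKE_B` probe are constructed for this example; the Ref. [3] probe is the one quoted above.

```python
import math
from itertools import product

S = 1 / math.sqrt(2)
# BRA[basis][sign][k] = <basis^sign|k>, x± = (|0> ± |1>)/√2, y± = (|0> ± i|1>)/√2
BRA = {"x": {+1: (S, S), -1: (S, -S)},
       "y": {+1: (S, -1j * S), -1: (S, 1j * S)}}
# Alice's and Bob's bases in the four useful cases; Charlie* declares
# whichever basis makes the number of x's odd.
USEFUL_CASES = [("x", "x"), ("x", "y"), ("y", "x"), ("y", "y")]


def ket(bits, amp):
    """Return amp * |bits> as a list of amplitudes, e.g. ket('110', 0.5)."""
    vec = [0j] * (2 ** len(bits))
    vec[int(bits, 2)] = complex(amp)
    return vec


def inner(u, v):
    """Scalar product <u|v>."""
    return sum(a.conjugate() * b for a, b in zip(u, v))


def conditional_states(probe, basis_a, basis_b):
    """Unnormalized state left with Charlie* for each (Alice sign, Bob sign).

    probe[(i, j)] is the vector a_ij|eps_ij> of Eq. (1).
    """
    dim = len(probe[0, 0])
    states = {}
    for m, n in product((+1, -1), repeat=2):
        phi = [0j] * dim
        for (i, j), vec in probe.items():
            c = BRA[basis_a][m][i] * BRA[basis_b][n][j]
            phi = [p + c * x for p, x in zip(phi, vec)]
        states[m, n] = phi
    return states


def analyze_probe(probe, tol=1e-12):
    """Test Eqs. (4), (A2), (A5), (A8); if they hold, evaluate Eqs. (7), (8)."""
    worst = 0.0
    for basis_a, basis_b in USEFUL_CASES:
        phi = conditional_states(probe, basis_a, basis_b)
        # Table I: the result Charlie* must announce depends only on whether
        # Alice's and Bob's signs agree, so the "equal" and "unequal" sets
        # have to span orthogonal subspaces.
        equal, unequal = (phi[1, 1], phi[-1, -1]), (phi[1, -1], phi[-1, 1])
        for u, v in product(equal, unequal):
            worst = max(worst, abs(inner(u, v)))
    report = {"undetected": worst < tol, "max_overlap": worst}
    if report["undetected"]:
        a00 = math.sqrt(inner(probe[0, 0], probe[0, 0]).real)
        a10 = math.sqrt(inner(probe[1, 0], probe[1, 0]).real)
        p_e = min(0.5, max(0.0, 0.5 * (1 - 4 * a00 * a10)))      # Eq. (7)
        entropy = -sum(p * math.log2(p) for p in (p_e, 1 - p_e) if p > 0)
        report["p_error"] = p_e
        report["info_bits"] = 1 - entropy                         # Eq. (8)
    return report


# Probe of Ref. [3] as quoted in the text (C plus two additional qubits).
REF3 = {(0, 0): ket("000", 0.5), (0, 1): ket("001", -0.5),
        (1, 0): ket("110", 0.5), (1, 1): ket("111", -0.5)}
# Honest Charlie: the untouched GHZ state written in the form of Eq. (1).
HONEST = {(0, 0): ket("0", S), (0, 1): [0j, 0j],
          (1, 0): [0j, 0j], (1, 1): ket("1", S)}
# Constructed counter-example: Charlie* keeps qubit B and sends Bob a fresh |0>.
FAKE_B = {(0, 0): ket("00", S), (0, 1): [0j] * 4,
          (1, 0): ket("11", S), (1, 1): [0j] * 4}

if __name__ == "__main__":
    for name, probe in (("Ref. [3]", REF3), ("honest", HONEST), ("fake B", FAKE_B)):
        print(name, analyze_probe(probe))
```

The honest state passes the orthogonality test but gives Charlie alone zero bits, which is the secret-sharing property itself; a probe is a problem for the protocol only when it passes the test and also reaches a nonzero value in Eq. (8).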
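
IV. AN EXAMPLE OF SUCCESSFUL ATTACK

According to Eq. (9), we can construct some attack schemes easily. Here we give an even simpler scheme than Ref. [3] with only one additive qubit. Generally, the ancilla is the standard state $|0\rangle$. We choose $a_{00}|\varepsilon_{00}\rangle = \frac{1}{2}|00\rangle$, $a_{01}|\varepsilon_{01}\rangle = \frac{1}{2}|01\rangle$, $a_{10}|\varepsilon_{10}\rangle = \frac{1}{2}|10\rangle$, and $a_{11}|\varepsilon_{11}\rangle = -\frac{1}{2}|11\rangle$, which satisfy Eq. (9). Comparing the initial state with the state after interaction (see Eq. (1)), we can derive the operations performed by Charlie*.

Now we describe the attack orderly. Charlie* prepares the ancilla E in state $|0\rangle$. After Alice sends out two qubits B and C, Charlie* intercepts them, performs $H = (|0\rangle\langle 0| + |1\rangle\langle 0| + |0\rangle\langle 1| - |1\rangle\langle 1|)/\sqrt{2}$ on the qubit B and CNOT operation on B, E (see Fig. 1). The entangled state of Alice, Bob and Charlie* is converted from $|\Psi_0\rangle = \frac{1}{\sqrt{2}}(|000\rangle + |111\rangle)_{ABC} \otimes |0\rangle_E$ to

$$|\Psi_1\rangle = \frac{1}{2}\left(|00\rangle_{AB}|00\rangle_{CE} + |01\rangle_{AB}|01\rangle_{CE} + |10\rangle_{AB}|10\rangle_{CE} - |11\rangle_{AB}|11\rangle_{CE}\right). \tag{10}$$

FIG. 1: Quantum circuit representing the interaction of Charlie*'s ancilla E, with qubits B, C.

FIG. 2: Quantum circuit on the detection qubits. Here U, V, W ∈ {H, SH}, and $S = |0\rangle\langle 0| + i|1\rangle\langle 1|$. The 'meter' symbol denotes a projective measurement in the computational basis z. H (SH) can transform z basis into x (y) basis. Charlie* performs his operations according to the MBs of Alice and Bob to avoid being detected.

After Alice and Bob measure their qubits, the whole system is changed into $|\Psi_2\rangle$ (see Fig. 2 and Fig. 3) which varies according to their MBs. Let us describe all the cases in detail.

(i) If both Alice's and Bob's MBs are x, Charlie*'s state collapses to one of the four results

$$
\begin{aligned}
|\varphi_{x^+x^+}\rangle &= \tfrac{1}{2}(|00\rangle + |01\rangle + |10\rangle - |11\rangle)_{CE},\\
|\varphi_{x^+x^-}\rangle &= \tfrac{1}{2}(|00\rangle - |01\rangle + |10\rangle + |11\rangle)_{CE},\\
|\varphi_{x^-x^+}\rangle &= \tfrac{1}{2}(|00\rangle + |01\rangle - |10\rangle + |11\rangle)_{CE},\\
|\varphi_{x^-x^-}\rangle &= \tfrac{1}{2}(|00\rangle - |01\rangle - |10\rangle - |11\rangle)_{CE}.
\end{aligned} \tag{11}
$$

(ii) When Alice and Bob measure their qubits in x, y basis, respectively, Charlie*'s state may be one of the four states

$$
\begin{aligned}
|\varphi_{x^+y^+}\rangle &= \tfrac{1}{2}(|00\rangle - i|01\rangle + |10\rangle + i|11\rangle)_{CE},\\
|\varphi_{x^+y^-}\rangle &= \tfrac{1}{2}(|00\rangle + i|01\rangle + |10\rangle - i|11\rangle)_{CE},\\
|\varphi_{x^-y^+}\rangle &= \tfrac{1}{2}(|00\rangle - i|01\rangle - |10\rangle - i|11\rangle)_{CE},\\
|\varphi_{x^-y^-}\rangle &= \tfrac{1}{2}(|00\rangle + i|01\rangle - |10\rangle + i|11\rangle)_{CE}.
\end{aligned} \tag{12}
$$

(iii) When Alice and Bob measure their qubits in y, x basis, respectively, Charlie*'s state may be one of the four states

$$
\begin{aligned}
|\varphi_{y^+x^+}\rangle &= \tfrac{1}{2}(|00\rangle + |01\rangle - i|10\rangle + i|11\rangle)_{CE},\\
|\varphi_{y^+x^-}\rangle &= \tfrac{1}{2}(|00\rangle - |01\rangle - i|10\rangle - i|11\rangle)_{CE},\\
|\varphi_{y^-x^+}\rangle &= \tfrac{1}{2}(|00\rangle + |01\rangle + i|10\rangle - i|11\rangle)_{CE},\\
|\varphi_{y^-x^-}\rangle &= \tfrac{1}{2}(|00\rangle - |01\rangle + i|10\rangle + i|11\rangle)_{CE}.
\end{aligned} \tag{13}
$$

(iv) When Alice's and Bob's MBs are y, Charlie*'s state collapses to one of the four results

$$
\begin{aligned}
|\varphi_{y^+y^+}\rangle &= \tfrac{1}{2}(|00\rangle - i|01\rangle - i|10\rangle + |11\rangle)_{CE},\\
|\varphi_{y^+y^-}\rangle &= \tfrac{1}{2}(|00\rangle + i|01\rangle - i|10\rangle - |11\rangle)_{CE},\\
|\varphi_{y^-y^+}\rangle &= \tfrac{1}{2}(|00\rangle - i|01\rangle + i|10\rangle - |11\rangle)_{CE},\\
|\varphi_{y^-y^-}\rangle &= \tfrac{1}{2}(|00\rangle + i|01\rangle + i|10\rangle + |11\rangle)_{CE}.
\end{aligned} \tag{14}
$$

It is easy to validate that the four states are orthogonal to each other in every case, which implies that they can be distinguished perfectly. Consequently, Charlie* can not only get the secret of Alice but also escape from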
detection. In fact, we only need distinguish between two different results because the qubits are used to either detect eavesdropping or distill information. Therefore there are some simple ways to fulfill Charlie*'s objective.

We take case (i) as an example to describe Charlie*'s operations. Let us first explain how Charlie* can escape from being detected when the qubits are chosen to check eavesdropping. Charlie* wants to deduce his proper declaration x+ or x−; therefore, he needs discriminate between $\{|\varphi_{x^+x^+}\rangle, |\varphi_{x^-x^-}\rangle\}$ and $\{|\varphi_{x^+x^-}\rangle, |\varphi_{x^-x^+}\rangle\}$. A particularly simple circuit to achieve this task is illustrated in Fig. 2 (Here U = V = W = H). Concretely, after the operations of CNOT and W, the four states in Eq. (11) are converted into

$$
\begin{aligned}
|\varphi_{x^+x^+}\rangle &= \tfrac{1}{\sqrt{2}}(|01\rangle + |10\rangle)_{CE},\\
|\varphi_{x^+x^-}\rangle &= \tfrac{1}{\sqrt{2}}(|00\rangle - |11\rangle)_{CE},\\
|\varphi_{x^-x^+}\rangle &= \tfrac{1}{\sqrt{2}}(|00\rangle + |11\rangle)_{CE},\\
|\varphi_{x^-x^-}\rangle &= \tfrac{1}{\sqrt{2}}(-|01\rangle + |10\rangle)_{CE}.
\end{aligned} \tag{15}
$$

Then Charlie* measures each qubit in computational basis. If the measurement results of C, E are 00 or 11, Charlie*'s announcement is 1 (corresponding to $|1\rangle$, $|x^-\rangle$ or $|y^-\rangle$ hereafter), otherwise his announcement is 0 (corresponding to $|0\rangle$, $|x^+\rangle$ or $|y^+\rangle$ hereafter). According to Table I, we can see no error occurs, and therefore Charlie* can escape from being detected.

We now discuss how Charlie* can obtain the secret information from his qubits. He only needs distinguish between $\{|\varphi_{x^+x^+}\rangle, |\varphi_{x^+x^-}\rangle\}$ and $\{|\varphi_{x^-x^+}\rangle, |\varphi_{x^-x^-}\rangle\}$ to get Alice's secret x+ or x−. The circuit to achieve this task is illustrated in Fig. 3. After the U operation, the states in Eq. (11) are changed into

$$
\begin{aligned}
|\varphi_{x^+x^+}\rangle &= \tfrac{1}{\sqrt{2}}(|00\rangle + |11\rangle)_{CE},\\
|\varphi_{x^+x^-}\rangle &= \tfrac{1}{\sqrt{2}}(|00\rangle - |11\rangle)_{CE},\\
|\varphi_{x^-x^+}\rangle &= \tfrac{1}{\sqrt{2}}(|01\rangle + |10\rangle)_{CE},\\
|\varphi_{x^-x^-}\rangle &= \tfrac{1}{\sqrt{2}}(-|01\rangle + |10\rangle)_{CE}.
\end{aligned} \tag{16}
$$

From Eq. (16), we can see clearly that the measurement results, 01 or 10, imply that Alice's secret is x−, and 00 or 11 indicate x+.

FIG. 3: Quantum circuit on the information qubits. After Alice and Bob measure their qubits, Charlie* measures qubit C in the same basis as Alice, and qubit E in computational basis. He can deduce Alice's results from his measurement outcomes.

For other cases (ii), (iii) and (iv), Charlie* can also distinguish between the corresponding states by choosing different U and W according to Table II, avoid being detected by announcing his results according to Table III and then deduce Alice's secret according to Table IV.

TABLE II: The unitary operators for U, V, W in different cases.

     i    ii   iii  iv
U    H    H    SH   SH
V    H    SH   H    SH
W    H    SH   SH   H

TABLE III: Relations between Charlie*'s measurement results and his announcements (the first column) for the detection qubits.

     i        ii       iii      iv
0    10, 01   10, 11   10, 01   10, 11
1    00, 11   00, 01   00, 11   00, 01

TABLE IV: Relations between Charlie*'s measurement results and Alice's secret (the first column) for the information qubits.

     i        ii       iii      iv
0    00, 11   00, 11   10, 01   10, 01
1    10, 01   10, 01   00, 11   00, 11

V. CONCLUSION AND DISCUSSION

The object of QSS protocols is to transmit a secret in such a way that only the authorized groups can access it, and no other combination of parties can get any information about it. The worst case for QSS protocols is that some participants are dishonest, and try to find the secret by themselves. Therefore, participant attack is the most serious threat for the security of QSS protocols, and that is exactly what we study. The purpose of this
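paper is to give a method to analyze a participant attack in QSS. We introduce this method taking the HBB scheme [1] as an example. A dishonest participant intercepts all the qubits, they interact with his ancilla, and he then resends them out. He then measures his qubits after other participants reveal their useful information. By discriminating between two mixed states, we obtain the NAS conditions under which the dishonest participant can attain all the information without introducing any error. This result shows that the HBB protocol is insecure (in its original form). Finally, we give an example achieving the proposed attack to demonstrate our results further.

Although the result that the HBB scheme is insecure (in its original form) is not new, the method of analyzing the participant attack is, to our knowledge. The treatment we have presented appears to cover all individual participant attacks allowed by physical laws. This method can be applied to other similar QSS protocols with some modifications. We believe that this method would be useful in designing related schemes and analyzing their security. On the one hand, we can construct attack strategies easily according to the NAS conditions when a protocol has security loopholes. On the other hand, we can show that protocol is secure if the attack conditions cannot be reached. For example, applying this method to the enhanced protocol [3], we can show it is secure (Such analysis is beyond the scope of this paper).

Acknowledgments

We thank the anonymous reviewer for helpful comments. This work is supported by the National High Technology Research and Development Program of China, Grant No. 2006AA01Z419; the National Natural Science Foundation of China, Grant Nos. 90604023, 60373059; the National Research Foundation for the Doctoral Program of Higher Education of China, Grant No. 20040013007; the National Laboratory for Modern Communications Science Foundation of China, Grant No. 9140C1101010601; the Natural Science Foundation of Beijing, Grant No. 4072020; and the ISN Open Foundation.

APPENDIX A: CONSTRAINTS ON CHARLIE*'S PROBES

In this appendix, we find the conditions which Charlie*'s operations need satisfy when no errors are to occur in the procedure of detection in other three cases.

(1) When Alice, Bob and Charlie* choose the MBs x, y, y respectively, the whole system $|\Psi\rangle_{ABCE}$ can be rewritten as

$$
\begin{aligned}
|\Psi\rangle_{ABCE} = \frac{1}{2}\big[\,& |x^+y^+\rangle\,(a_{00}|\varepsilon_{00}\rangle - i a_{01}|\varepsilon_{01}\rangle + a_{10}|\varepsilon_{10}\rangle - i a_{11}|\varepsilon_{11}\rangle) \\
+\,& |x^+y^-\rangle\,(a_{00}|\varepsilon_{00}\rangle + i a_{01}|\varepsilon_{01}\rangle + a_{10}|\varepsilon_{10}\rangle + i a_{11}|\varepsilon_{11}\rangle) \\
+\,& |x^-y^+\rangle\,(a_{00}|\varepsilon_{00}\rangle - i a_{01}|\varepsilon_{01}\rangle - a_{10}|\varepsilon_{10}\rangle + i a_{11}|\varepsilon_{11}\rangle) \\
+\,& |x^-y^-\rangle\,(a_{00}|\varepsilon_{00}\rangle + i a_{01}|\varepsilon_{01}\rangle - a_{10}|\varepsilon_{10}\rangle - i a_{11}|\varepsilon_{11}\rangle)\,\big].
\end{aligned} \tag{A1}
$$

According to Table I, when Alice's and Bob's results are x+y+ or x−y−, Charlie*'s announcement should be y−, otherwise, his announcement should be y+. Therefore, Charlie* should be capable of distinguishing between the two sets, $\{|\varphi_{x^+y^+}\rangle, |\varphi_{x^-y^-}\rangle\}$ and $\{|\varphi_{x^+y^-}\rangle, |\varphi_{x^-y^+}\rangle\}$, to avoid being detected. That is

$$
\begin{aligned}
\langle\varphi_{x^+y^+}|\varphi_{x^+y^-}\rangle &= 0,\\
\langle\varphi_{x^+y^+}|\varphi_{x^-y^+}\rangle &= 0,\\
\langle\varphi_{x^-y^-}|\varphi_{x^+y^-}\rangle &= 0,\\
\langle\varphi_{x^-y^-}|\varphi_{x^-y^+}\rangle &= 0.
\end{aligned} \tag{A2}
$$

Then we get

$$
\begin{aligned}
a_{00}^* a_{01}\langle\varepsilon_{00}|\varepsilon_{01}\rangle + a_{11}^* a_{10}\langle\varepsilon_{11}|\varepsilon_{10}\rangle &= 0,\\
a_{00}^* a_{10}\langle\varepsilon_{00}|\varepsilon_{10}\rangle - a_{11}^* a_{01}\langle\varepsilon_{11}|\varepsilon_{01}\rangle &= 0,\\
|a_{01}|^2 - i a_{01}^* a_{10}\langle\varepsilon_{01}|\varepsilon_{10}\rangle - i a_{10}^* a_{01}\langle\varepsilon_{10}|\varepsilon_{01}\rangle - |a_{10}|^2 &= 0,\\
|a_{00}|^2 + i a_{00}^* a_{11}\langle\varepsilon_{00}|\varepsilon_{11}\rangle + i a_{11}^* a_{00}\langle\varepsilon_{11}|\varepsilon_{00}\rangle - |a_{11}|^2 &= 0.
\end{aligned} \tag{A3}
$$

(2) When Alice, Bob and Charlie* choose the MBs y, x, y, respectively, $|\Psi\rangle_{ABCE}$ can be rewritten as

$$
\begin{aligned}
|\Psi\rangle_{ABCE} = \frac{1}{2}\big[\,& |y^+x^+\rangle\,(a_{00}|\varepsilon_{00}\rangle + a_{01}|\varepsilon_{01}\rangle - i a_{10}|\varepsilon_{10}\rangle - i a_{11}|\varepsilon_{11}\rangle) \\
+\,& |y^+x^-\rangle\,(a_{00}|\varepsilon_{00}\rangle - a_{01}|\varepsilon_{01}\rangle - i a_{10}|\varepsilon_{10}\rangle + i a_{11}|\varepsilon_{11}\rangle) \\
+\,& |y^-x^+\rangle\,(a_{00}|\varepsilon_{00}\rangle + a_{01}|\varepsilon_{01}\rangle + i a_{10}|\varepsilon_{10}\rangle + i a_{11}|\varepsilon_{11}\rangle) \\
+\,& |y^-x^-\rangle\,(a_{00}|\varepsilon_{00}\rangle - a_{01}|\varepsilon_{01}\rangle + i a_{10}|\varepsilon_{10}\rangle - i a_{11}|\varepsilon_{11}\rangle)\,\big].
\end{aligned} \tag{A4}
$$

According to Table I, the results, y+x+ or y−x−, imply Charlie*'s announcement should be y−, and others imply y+. For the same reason, we let

$$
\begin{aligned}
\langle\varphi_{y^+x^+}|\varphi_{y^+x^-}\rangle &= 0,\\
\langle\varphi_{y^+x^+}|\varphi_{y^-x^+}\rangle &= 0,\\
\langle\varphi_{y^-x^-}|\varphi_{y^+x^-}\rangle &= 0,\\
\langle\varphi_{y^-x^-}|\varphi_{y^-x^+}\rangle &= 0.
\end{aligned} \tag{A5}
$$

We then have

$$
\begin{aligned}
a_{00}^* a_{01}\langle\varepsilon_{00}|\varepsilon_{01}\rangle - a_{11}^* a_{10}\langle\varepsilon_{11}|\varepsilon_{10}\rangle &= 0,\\
a_{00}^* a_{10}\langle\varepsilon_{00}|\varepsilon_{10}\rangle + a_{11}^* a_{01}\langle\varepsilon_{11}|\varepsilon_{01}\rangle &= 0,\\
|a_{01}|^2 + i a_{01}^* a_{10}\langle\varepsilon_{01}|\varepsilon_{10}\rangle + i a_{10}^* a_{01}\langle\varepsilon_{10}|\varepsilon_{01}\rangle - |a_{10}|^2 &= 0,\\
|a_{00}|^2 + i a_{00}^* a_{11}\langle\varepsilon_{00}|\varepsilon_{11}\rangle + i a_{11}^* a_{00}\langle\varepsilon_{11}|\varepsilon_{00}\rangle - |a_{11}|^2 &= 0.
\end{aligned} \tag{A6}
$$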
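
(3) When Alice, Bob and Charlie* choose the MBs y, y, x, respectively, $|\Psi\rangle_{ABCE}$ can be rewritten as

$$
\begin{aligned}
|\Psi\rangle_{ABCE} = \frac{1}{2}\big[\,& |y^+y^+\rangle\,(a_{00}|\varepsilon_{00}\rangle - i a_{01}|\varepsilon_{01}\rangle - i a_{10}|\varepsilon_{10}\rangle - a_{11}|\varepsilon_{11}\rangle) \\
+\,& |y^+y^-\rangle\,(a_{00}|\varepsilon_{00}\rangle + i a_{01}|\varepsilon_{01}\rangle - i a_{10}|\varepsilon_{10}\rangle + a_{11}|\varepsilon_{11}\rangle) \\
+\,& |y^-y^+\rangle\,(a_{00}|\varepsilon_{00}\rangle - i a_{01}|\varepsilon_{01}\rangle + i a_{10}|\varepsilon_{10}\rangle + a_{11}|\varepsilon_{11}\rangle) \\
+\,& |y^-y^-\rangle\,(a_{00}|\varepsilon_{00}\rangle + i a_{01}|\varepsilon_{01}\rangle + i a_{10}|\varepsilon_{10}\rangle - a_{11}|\varepsilon_{11}\rangle)\,\big].
\end{aligned} \tag{A7}
$$

The results, y+y+ or y−y−, imply Charlie*'s announcement should be x−, and others imply x+. For the same reason, we let

$$
\begin{aligned}
\langle\varphi_{y^+y^+}|\varphi_{y^+y^-}\rangle &= 0,\\
\langle\varphi_{y^+y^+}|\varphi_{y^-y^+}\rangle &= 0,\\
\langle\varphi_{y^-y^-}|\varphi_{y^+y^-}\rangle &= 0,\\
\langle\varphi_{y^-y^-}|\varphi_{y^-y^+}\rangle &= 0.
\end{aligned} \tag{A8}
$$

We then have

$$
\begin{aligned}
a_{00}^* a_{01}\langle\varepsilon_{00}|\varepsilon_{01}\rangle + a_{11}^* a_{10}\langle\varepsilon_{11}|\varepsilon_{10}\rangle &= 0,\\
a_{00}^* a_{10}\langle\varepsilon_{00}|\varepsilon_{10}\rangle + a_{11}^* a_{01}\langle\varepsilon_{11}|\varepsilon_{01}\rangle &= 0,\\
|a_{01}|^2 - a_{01}^* a_{10}\langle\varepsilon_{01}|\varepsilon_{10}\rangle + a_{10}^* a_{01}\langle\varepsilon_{10}|\varepsilon_{01}\rangle - |a_{10}|^2 &= 0,\\
|a_{00}|^2 + a_{00}^* a_{11}\langle\varepsilon_{00}|\varepsilon_{11}\rangle - a_{11}^* a_{00}\langle\varepsilon_{11}|\varepsilon_{00}\rangle - |a_{11}|^2 &= 0.
\end{aligned} \tag{A9}
$$
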
[1] M. Hillery, V. Bužek, and A. Berthiaume, Phys. Rev. A 59, 1829 (1999).
[2] R. Cleve, D. Gottesman, and H.-K. Lo, Phys. Rev. Lett. 83, 648 (1999).
[3] A. Karlsson, M. Koashi, and N. Imoto, Phys. Rev. A 59, 162 (1999).
[4] D. Gottesman, Phys. Rev. A 61, 042311 (2000).
    W. Tittel, H. Zbinden, and N. Gisin, Phys. Rev. A 63, 042301 (2001).
    G. P. Guo and G. C. Guo, Phys. Lett. A 310, 247 (2003).
    L. Xiao, G. L. Long, F. G. Deng and J. W. Pan, Phys. Rev. A 69, 052307 (2004).
    L. Y. Hsu, C. M. Li, Phys. Rev. A 71, 022321 (2005).
[5] S. Bandyopadhyay, Phys. Rev. A 62, 012308 (2000).
    L. Y. Hsu, Phys. Rev. A 68, 022306 (2003).
    Y. M. Li, K. S. Zhang and K. C. Peng, Phys. Lett. A 324, 420 (2004).
    A. M. Lance, T. Symul, W. P. Bowen, B. C. Sanders, and P. K. Lam, Phys. Rev. Lett. 92, 177903 (2004).
    F. G. Deng, X. H. Li, C. Y. Li, P. Zhou, and H. Y. Zhou, Phys. Rev. A 72, 044301 (2005).
    G. Gordon and G. Rigolin, Phys. Rev. A 73, 062316 (2006).
[6] N. Lütkenhaus, Phys. Rev. A 54, 97 (1996).
[7] C. A. Fuchs, N. Gisin, R. B. Griffiths, C.-S. Niu, and A. Peres, Phys. Rev. A 56, 1163 (1997).
[8] D. Bruß, Phys. Rev. Lett. 81, 3018 (1998).
[9] D. Bruß and C. Macchiavello, Phys. Rev. Lett. 88, 127901 (2002).
[10] P. W. Shor and J. Preskill, Phys. Rev. Lett. 85, 441 (2000).
[11] D. Gottesman and H. K. Lo, IEEE Transactions on Information Theory 49, 457 (2003).
[12] V. Scarani and N. Gisin, Phys. Rev. A 65, 012311 (2001).
[13] V. Scarani and N. Gisin, Phys. Rev. Lett. 87, 117901 (2001).
[14] A. Sen(De), U. Sen, and M. Zukowski, Phys. Rev. A 68, 032309 (2003).
[15] C. H. Bennett and G. Brassard, in Proceedings of the International Conference on Computers, Systems and Signal Processing, Bangalore, India (IEEE, New York, 1984), pp. 175-179.
[16] Alice need not publicize her MBs; it suffices if she tells which instances should be used to generate a common key. However, this is equivalent for the participant attack because a dishonest participant can also deduce the others' MBs in the following way: He first wiretaps the other agent's MBs when they are transmitted to Alice and he knows that the useful instances satisfy the relation that the number of x measurements is odd, so he can deduce Alice's MBs for the useful instances according to his and the other agent's MBs.
[17] S. J. Qin, F. Gao, Q. Y. Wen, and F. C. Zhu, Phys. Lett. A 357, 101 (2006).
[18] F. G. Deng, X. H. Li, H. Y. Zhou, and Z. J. Zhang, Phys. Rev. A 72, 044302 (2005).
[19] F. Gao, S. J. Qin, Q. Y. Wen, and F. C. Zhu, Quantum Information and Computation 7, 329 (2007).
[20] S. Y. Zhang and M. S. Ying, Phys. Rev. A 65, 062322 (2002).
[21] U. Herzog and J. A. Bergou, Phys. Rev. A 70, 022302 (2004).
[22] C. W. Helstrom, Quantum detection and estimation theory (Academic, New York, 1976).