266 97 9MB
English Pages 254 Year 2012
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved. Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved. Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
CRYPTOGRAPHY, STEGANOGRAPHY AND DATA SECURITY
CRYPTOGRAPHY
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
PROTOCOLS, DESIGN AND APPLICATIONS
No part of this digital document may be reproduced, stored in a retrieval system or transmitted in any form or by any means. The publisher has taken reasonable care in the preparation of this digital document, but makes no expressed or implied warranty of any kind and assumes no responsibility for any errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of information contained herein. This digital document is sold with the 2012. clear ProQuest understanding that the publisher is not engaged in Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, Ebook Central,
CRYPTOGRAPHY, STEGANOGRAPHY AND DATA SECURITY Additional books in this series can be found on Nova’s website under the Series tab.
Additional E-books in this series can be found on Nova’s website under the E-book tab.
PRIVACY AND IDENTITY PROTECTION Additional books in this series can be found on Nova’s website under the Series tab.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Additional E-books in this series can be found on Nova’s website under the E-book tab.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
CRYPTOGRAPHY, STEGANOGRAPHY AND DATA SECURITY
CRYPTOGRAPHY PROTOCOLS, DESIGN AND APPLICATIONS
KAMOL LEK Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
AND
NARUEMOL RAJAPAKSE EDITORS
New York Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012 by Nova Science Publishers, Inc. All rights reserved. No part of this book may be reproduced, stored in a retrieval system or transmitted in any form or by any means: electronic, electrostatic, magnetic, tape, mechanical photocopying, recording or otherwise without the written permission of the Publisher. For permission to use material from this book please contact us: Telephone 631-231-7269; Fax 631-231-8175 Web Site: http://www.novapublishers.com NOTICE TO THE READER The Publisher has taken reasonable care in the preparation of this book, but makes no expressed or implied warranty of any kind and assumes no responsibility for any errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of information contained in this book. The Publisher shall not be liable for any special, consequential, or exemplary damages resulting, in whole or in part, from the readers’ use of, or reliance upon, this material. Any parts of this book based on government reports are so indicated and copyright is claimed for those parts to the extent applicable to compilations of such works.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Independent verification should be sought for any data, advice or recommendations contained in this book. In addition, no responsibility is assumed by the publisher for any injury and/or damage to persons or property arising from any methods, products, instructions, ideas or otherwise contained in this publication. This publication is designed to provide accurate and authoritative information with regard to the subject matter covered herein. It is sold with the clear understanding that the Publisher is not engaged in rendering legal or any other professional services. If legal or any other expert assistance is required, the services of a competent person should be sought. FROM A DECLARATION OF PARTICIPANTS JOINTLY ADOPTED BY A COMMITTEE OF THE AMERICAN BAR ASSOCIATION AND A COMMITTEE OF PUBLISHERS. Additional color graphics may be available in the e-book version of this book. LIBRARY OF CONGRESS CATALOGING-IN-PUBLICATION DATA Cryptography : protocols, design, and applications / editors, Kamol Lek and Naruemol Rajapakse. p. cm. Includes index. ISBN: (eBook) 1. Data encryption (Computer science) 2. Cryptography. I. Lek, Kamol. II. Rajapakse, Naruemol. QA76.9.A25C846 2011 005.8'2--dc23 2011038358
Published by Nova Science Publishers, Inc. † New York Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
CONTENTS
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Preface
vii
Chapter 1
Quantum Cryptographic Protocols and Quantum Security Laszlo Gyongyosi and Sandor Imre
Chapter 2
Low-Cost Mutual Authentication Protocols Mu’awya Naser, Pedro Peris-Lopez, Mohammad Rafie and Rahmat Budiarto
Chapter 3
A Highly Efficient Visual Cryptography for Halftone Images Kai-Hui Lee, Pei-Ling Chiu and Yie-Tarng Chen
113
Chapter 4
Multi Layer QKD Protocol Using Correlated Photon of Dark Soliton Array in a Wavelength Router P. Youplao, S. Mitatha and P.P. Yupapin
133
Chapter 5
Chaos-Based Cryptosystem in Different Modes of Block Encryption Rhouma Rhouma and Safya Belghith
145
Chapter 6
The Mathematical Cryptography of the RSA Cryptosystem Abderrahmane Nitaj
159
Chapter 7
Quantum Secure Communication A. El Allati
187
Chapter 8
Security Risk Measuring and Forecasting Stefan Rass
213
Index
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
1 91
237
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved. Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
PREFACE Cryptography is the practice and study of hiding information. Modern cryptography intersects the disciplines of mathematics, computer science, and electrical engineering. Applications of cryptography include ATM cards, computer passwords, and electrical commerce. In this book, the authors present current research in the study of the protocols, design and application of cryptography. Topics discussed include quantum cryptography protocols and quantum security; visual cryptography for halftone images; mathematical cryptography of the RSA cryptosystem; multi-layer QKD protocol using correlated photon of dark soliton array in a wavelength router and low-cost mutual authentication protocols. (Imprint: Nova) The Quantum Key Distribution (QKD) primitives are already well known schemes and represent a mature field of research. On the other hand, there are so many new Quantum Cryptographic (QC) primitives in the quantum world which have been developed within the last few years, that their popularity cannot be compared to the popularity of the well known QKD protocols. The tools of quantum information processing allow us to realize ―quantumversions‖ of classical cryptographic primitives, and it also extends the possibilities. The elements of quantum information processing allow us to define many new — classically unimaginable — protocols. Currently, the authors have no quantum computers, but they will become practical in the near future. When this comes true, it will then be a very important problem to construct quantum security protocols and methods which can resist the unimaginable power of quantum computers. Chapter 1 gives a summary of the currently known and the most recent developments in secret and private quantum communications. The authors focus on the newest developments, and the Quantum Cryptographic primitives, which are designed to change the classical crypto-protocols to quantum-based protocols. Security protocols can be classified under several categories. The first category classifies protocols into full-fledged, simple, lightweight, and ultralightweight. The second category includes high-cost and low-cost protocols. These categories are based on cryptographic primitives used in relation to the cost of applying these primitives in any designed protocol. The first category can be considered a subcategory of the second category: full-fledged and simple protocols can be both high-cost and low-cost security protocols, whereas lightweight and ultralightweight protocols are low-cost security protocols. The third category classifies security protocols based on conventional and unconventional categories, where unconventional categories refer to primitives that are not yet considered standards in the cryptography domain. With these categories in mind, the rest of Chapter 2 focuses only on
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
viii
Kamol Lek and Naruemol Rajapakse
low-cost lightweight and ultralightweight security protocols belonging to unconventional primitives. These security protocols are used to achieve mutual authentication between the tag and the reader. The visual secret sharing (VSS) technique applies the concept of a secret sharing scheme to encrypt a secret image into multiple shares; when the participants stack each of their shared transparencies on each other, the secret image becomes apparent. The visual secret sharing for multiple secrets technique (VSSM) allows for the encryption of a greater number of secret images in a given image area. Previous research on VSSM schemes has a pixel expansion problem that limits the capability to increase the capacity of secret image encryption. Moreover, in most VSSM schemes, the display quality of the recovered images decreases as the amount of secret image encryption increases. These drawbacks limit the applicability of existing VSSM schemes. Although the pixel expansion problem recently has been solved, this research is applicable only for binary secret images, and the problem of the display quality degradation remains. In Chapter 3, the authors propose a highly efficient encryption algorithm to address this problem. The proposed algorithm adopts a novel encryption approach that includes visual cryptography (VC)–based encryption and an error correction technique. The authors’ approach eliminates the pixel expansion problem and is applicable to binary and halftone secret images simultaneously. The experimental results demonstrate that the proposed approach not only can increase the capacity efficiency of VSSM schemes, but also can maintain an excellent level of display quality in the recovered secret images. Chapter 4 proposes a new protocol of the multi layers quantum router generated by using the multiplexed dark soliton pulses within a microring resonator system. Initially, the multi dark solitons are input into a microring system, where the dynamic dark solitons are controlled and the required quantum states generated. The multivariable quantum key distribution can be formed by using the correlated photon pair of each dark soliton center wavelengths, where the quantum keys (codes) are generated and recovered via the quantum processor in the wavelength router. In application, the secure information with high capacity can be performed incorporating the quantum keys via the quantum processor in the multivariable quantum router. In Chapter 5 the authors propose to use a spatiotemporal chaotic map in the design of a new cryptosystem in different modes of block encryption. Performance and security analysis show the effectiveness and the robustness of the proposed cryptosystem. The proposed cryptosystem is compared to the encryption standard AES and has been found faster. Invented in 1977 by Rivest, Shamir and Adleman, the RSA cryptosystem has played a very important role in the development of modern cryptography. Its various applications in industry, Internet, banking, online shopping, cell phones, smart cards, secure information transfers and electronic signatures have made RSA a standard at the heart of modern technologies. Chapter 6 explores the mathematics behind the RSA cryptosystem including the encryption, decryption and signature schemes of RSA. The authors give a survey of the main methods used in attacks against the RSA cryptosystem. This includes the main properties of the continued fraction theory, lattices, the LLL algorithm of Lenstra, Lenstra and Lovász and the lattice reduction based technique of Coppersmith for solving modular polynomial equations. Chapter 7 presents the quantum cryptography as new means for securing communication remotely using quantum physics. Different to traditional classical cryptography which employs various mathematical techniques to encrypt secret messages. These lead us to pass
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Preface
ix
the review on the description of protocols from classical to quantum. Also the laws of quantum physics offer many interesting resources for processing and communicating of information that cannot be decrypted by any amount of computational effort. In the end, the quantum cryptography has been recently extended from discrete-variable systems to continuous-variable systems for reaching high secret key rates, despite the presence of losses in the quantum communication channel. Predicting security incidents and forecasting risk are two essential duties when designing an enterprise security system. Despite a huge amount of cryptographic primitives being available, their assembly needs care to avoid introducing vulnerabilities through the interplay of components. Studying the security of compound systems composed from different cryptographic primitives is a highly nontrivial task and subject of recent research. Unfortunately, the related research is mostly focused on low-level crypto-primitives, and a unified framework for security and risk assessment on a higher level seems yet missing. The authors present a decision-theoretic risk-management framework that permits a quantitative assessment of the security that a given enterprise information infrastructure enjoys. Based on an attacker-defender model, the authors can quantify security of a given system in probabilistic terms. This analysis is independent of the particular type of cryptosystem, and equally well applies to information-theoretically secure primitives, as well as to intractabilitybased (i.e. public-key) systems or symmetric cryptography. The latter two see ongoing progress in terms of security and attacks, and the success and acceptance of either approach depends on trust to a considerable extent. This confidence is supported by regularly appearing research results indicating the security or vulnerability of different primitives. A decisiontheoretic framework naturally permits incorporating this information into probabilistic assertions about the overall security of the system, conditional on all the information that is available. As this process is automatable, the authors can devise a Bayesian learning strategy to continuously update the quality of protection and forecast the risk that we bear when relying on a given set of cryptographic primitives. The required evidence for Bayesian inference about the security of particular system components can be obtained from various sources, including security patches, software updates, scientific or industrial research result notifications retrieved through RSS feeds. Using appropriate stochastic distribution models, the authors obtain closed-form expressions for the times when to expect the next security incident and when a re-consideration of a security system or component becomes advisable. The authors illustrate their results in Chapter 8, using examples.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved. Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
In: Cryptography: Protocols, Design and Applications ISBN: 978-1-62100-779-1 Editors: K. Lek and N. Rajapakse, pp. 1-89 © 2012 Nova Science Publishers, Inc.
Chapter 1
QUANTUM CRYPTOGRAPHIC PROTOCOLS AND QUANTUM SECURITY Laszlo Gyongyosi* and Sandor Imre Department of Telecommunications, Budapest University of Technology and Economics, Magyar tudosok krt, Hungary
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Abstract The Quantum Key Distribution (QKD) primitives are already well known schemes and represent a mature field of research. On the other hand, there are so many new Quantum Cryptographic (QC) primitives in the quantum world which have been developed within the last few years, that their popularity can not be compared to the popularity of the well known QKD protocols. The tools of quantum information processing allow us to realize “quantumversions” of classical cryptographic primitives, and it also extends the possibilities. The elements of quantum information processing allow us to define many new — classically unimaginable — protocols. Currently, we have no quantum computers, but they will become practical in the near future. When this comes true, it will then be a very important problem to construct quantum security protocols and methods which can resist the unimaginable power of quantum computers. This chapter gives a summary of the currently known and the most recent developments in secret and private quantum communications. We focus on the newest developments, and the Quantum Cryptographic primitives, which are designed to change the classical crypto-protocols to quantum-based protocols.
1. Introduction Quantum information can be used in key distribution protocols, authentication protocols, public key methods, private secret sharing such as in quantum data hiding primitives, realizing a classically unreachable level of security. With the help of secret and private quantum communication protocols, absolutely secure communication can be realized in future communication networks. Every classical and currently used cryptographic primitive
*
E-mail address: [email protected]
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
2
Laszlo Gyongyosi and Sandor Imre
and protocols can be replaced in the future with a quantum protocol. As we will see in this chapter, in most cases this can be done with a significantly higher level of security. Our goal is to show the world what lies beyond the world of Quantum Cryptography. The QKD primitives are already well known schemes (such as the well known BB84, B92, Sixstate QKD, Differential Phase Shift QKD, etc.) and represent a mature field of research. On the other hand, there are so many new Quantum Cryptographic primitives in the quantum world which have been developed within the last few years, that their popularity can not be compared to the popularity of the well known BB84, B92 or other quantum cryptographic protocols. This chapter also discusses some cryptographic problems which are currently not solved in the quantum approaches. This chapter is organized as follows. In the first part of this chapter, we overview the current state of private quantum communications. We discuss the properties of private quantum channel, and the most recent results on the private capacity of the quantum channel, using an easily accessible interpretation and language. We give an overview of the most important security protocols such as quantum bit commitment, quantum secret sharing, quantum digital signatures, quantum public key protocol and of interesting aspects of secure quantum communications. After we have introduced the basic properties of the secure transmission of the quantum states, in the second part we start to describe the not so wellknown cryptographic primitives of the quantum world. We also draw a conclusion about the difference between the classical and the quantum protocols. Finally, as we overviewed the protocols of private quantum communication, we also show some interesting approaches such as quantum money and uncloneable quantum bill. The complete historical background with the description of the most important works can be found in the Further Reading section.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
1.1. Historical Background 1994 was a very important year in the history of quantum information and computation. In this year, the importance of quantum security protocols was first revealed: Shor published the quantum prime factoring algorithm [Shor94]. Currently we have no quantum computers, however quantum computing can be used to break all classical encryption schemes, since their security relies on a hard computational problem (such as factoring primes): but this problem ceases being so hard for quantum computers! This result was the most important milestone since the main results of Quantum Information Theory were laid down in the 1970s, and eliminated much of the scepticism which had met the topic of quantum computing. Quantum Computing has demonstrated its usefulness in the last decade with many new scientific discoveries. The quantum algorithms were under intensive research during the end of the twentieth century. But after Shor published the prime factorization method, and Grover introduced the quantum search method, results in the field of quantum algorithms tapered off somewhat. In the middle of the 90s, there was a silence in the field of quantum algorithms and this did not change until the beginning of the present century. This silence has been broken by the solution of some old number theoretic problems, which makes it possible to break some very strong cryptosystems. Notably, these hard mathematical problems can now be solved by polynomial-time quantum algorithms. Later, these results have been extended to
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Quantum Cryptographic Protocols and Quantum Security
3
other number theoretic problems, and the revival of quantum computing is more intensive than ever. On the other hand, these very important quantum algorithms cannot be used if there is no a stable framework of physical implementations which stands behind these theoretical results. There are many new results which have been published in the last decade on the development of such physical implementations, and many new paradigms have been provided. These physical implementations make it possible to use the theoretical results of quantum computation, such as quantum algorithms, and these developments give the theoretical background to the processing of quantum information. At the end of the twentieth century many new practical developments were realized, and many novel results introduced into the field of quantum computation and quantum information processing. Anther important research field regarding the properties of the physical implementations of quantum information is related to the decoherence and the preciseness of the measurement outcomes. Many researchers started to analyze the question, whether entanglement can help to increase the precision of quantum computation and the probabilities of the right measurement outcomes. The limitations of these quantum algorithms are a different question. This problem has brought about the need for the evolution of a new field in quantum computation: quantum complexity theory. The main task of this field is to clarify the computational limitations of quantum computation, and to analyze the relationship between classical problem classes and quantum problem classes. As the quantum computer becomes a reality, the classical problem classes have to be regrouped, and new subclasses have to be defined. The most important question is the description of the effects of quantum computational power on NP-complete problems. According to our current knowledge, quantum computers cannot solve NP-complete problems, hence if a problem is NP-complete in the terms of classical complexity theory, then it will remain NP-complete in terms of quantum complexity theory. On the other hand, as has been shown by Mosca and Stebila [Mosca06], there are still many open questions, and it is conceivable that new results will be born in the near future regarding this problem field. The last decade has introduced some new physical approaches to realize quantum circuits in practice. The design of quantum circuits involves the physical manipulation techniques of quantum states, the development of quantum states and the various techniques of measurement of the output. In the beginning of the evolution of this field in quantum computation, quantum states were identified with spins or other special degrees of freedom, with the ability to realize a two-level quantum system. In the last decade this concept has been changed, and it has been shown that quantum systems can be realized by collective system manipulation. Many new techniques have been developed in the last decade to implement a quantum computer in practice, using linear optics, adiabatic systems and entangled physical particles. Quantum security is not based on computational complexity, but on the no-cloning theorem, which was established by Wooters and Zurek in 1982 [Wootters82]. How the nocloning theorem got its name is told in the work of Peres from 2002 [Peres02]. The impossibility of copying an unknown quantum state provides a very strong theoretical background for the further quantum protocols, and it also makes a very strong distinction between the classical and quantum world.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
4
Laszlo Gyongyosi and Sandor Imre
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
1.2. Quantum Information Theory The theoretical background of communication over quantum channels is based on the fundamental results of quantum information theory. The actual state of quantum information theory reflects our current knowledge of the quantum world, and it also determines the success of quantum communication protocols and techniques. The primary employment of quantum information theory is to describe quantum channel capacities, to measure entanglement, and to analyze the information-theoretic security of quantum cryptographic primitives. One of the most important questions in quantum information theory is the description of the capacities of noisy quantum channels. In the case of quantum information theory, we have to distinguish between classical and quantum information, either of which could be sent through the channel. If we would like to handle the errors of a quantum channel, and would like to construct efficient error-correcting schemes, or would like to describe the benefits of entanglement, then we have to know the fundamental theoretical background which allows us to realize these advanced results in practice. Quantum information theory is the corner-stone of quantum communication and quantum information processing. The current state of quantum information theory draws a picture from the currently available limits and possibilities in quantum information processing, such as from the applications of these results in practice. The security of quantum cryptographic protocols and other private quantum communication schemes are also limited by the actual state of quantum information theory. The phenomena of the quantum world cannot be described by the fundamental results of classical information theory. Quantum information theory is the natural extension of the results of classical information theory. But quantum information theory brings something new into the global picture and helps to complete the missing, classically indescribable and even unimaginable parts. Quantum information theory lays down the theoretical background of quantum information processing and synthesizes it with other aspects of quantum mechanics, such as quantum communication, secure and private quantum channels, or quantum error correction. With the help of quantum information theory the information transmission through the quantum channel can be discussed for both classical and quantum information. The transmission of classical information through a quantum channel can be defined by a formula very similar to the classical Shannon channel coding theorem. On the other hand, the transmission of quantum information through a quantum channel has opened new dimensions in the transmission of information. As follows from the connection defined between classical and quantum information theory, every classical and quantum protocol can be described by using the elements of quantum information theory.
1.3. Emerging Quantum Influences It is unquestionable that Quantum Cryptography is the most popular cryptographic primitive among the set of private and secure quantum communication protocols. Quantum Cryptography was the first cryptographic protocol that illustrated the power of quantum information in secret quantum communications. The theoretical background of quantum cryptography was proposed by Wiesner in the early ’70s of the twentieth century with his
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
5
quantum money, however, these results were published only later in the ‘80s. Although, his idea was not implemented in practice, Bennett and Brassard in 1984 constructed the first quantum cryptographic protocol, called BB84 [Bennett84]. Later, many variants of the basic quantum cryptographic protocol have been developed, and quantum security has been extended to quantum analogues of the digital signature and public key protocols [Bennett85], [Bennett91], [Bennett92], [Bennett92a-92c], [Brandao10]. The most important result in the field of quantum cryptographic protocols was proved by Ekert, who showed that the phenomenon of quantum entanglement can be exploited in quantum cryptography [Ekert91]. In the evolution of the various secure and private quantum protocols the first main result was the development of quantum cryptography. Later, it was followed by quantum bitcommitment, quantum oblivious transfer, and quantum secret sharing. Later, authentication of quantum messages, quantum digital signatures, quantum fingerprinting, quantum money, and quantum copy-protection have been investigated. In a compressed view, the evolution of the secure and private quantum protocols can be depicted as shown in Fig. 1.
QKD
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Quantum Private Channel
Quantum Public Key
Quantum Money
Quantum Fingerprinting
Quantum Copy-Protection
Quantum Digital Signature
Quantum Uncloneable Encryption
Figure 1. The evolution of quantum security protocols. Many new directions have been developed from the original quantum cryptography protocol.
In the first decade of the twentieth-first century, a very intensive progress can be observed, however there are still many open questions and technical problems. From the viewpoint of the success of quantum cryptography, it is a very important task to make it maximally compatible with currently used optical networks. Quantum cryptographic schemes
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
6
Laszlo Gyongyosi and Sandor Imre
have been implemented in practice both in free-space and optical-fiber based implementations, however the distances and the speed of the key agreement are currently very limited, and depend on the properties of the environment. The protocols of quantum security and authentication can be implemented in the current network environment, however the efficiencies of the currently available schemes differ from each other. Besides the currently still unsolved questions, quantum security and privacy schemes will guarantee the security of future communication systems. As the quantum computers become reality, every classical scheme and currently used scheme will be broken.
2. Private Communication on the Quantum Channel A quantum channel can be used for the transmission of different types of information. One of the most important applications of quantum channels is the transmission of secret and private information.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
2.1. The Private Quantum Channel Quantum channels provide a way to realize unconditionally secure communication with the help of quantum states. Private quantum communication techniques are based on the fundamental properties of quantum mechanics [Bouda04], [Bouda04a]. These methods use the fact that quantum states cannot be cloned, and any eavesdropping activity can be detected by the disturbance of the quantum system. On the other hand, as in the case of classical cryptographic primitives, the quantum states also can be used to maximally randomize the original input, hence the quantum channel will transmit a totally random quantum state. For example, in the case of quantum cryptography, the quantum states are unknown, random states, and classical information will help to use this random quantum information. In the case of the basic version of quantum cryptography, the distributed key is used as a one-time-pad (OTP) [Schneier96], however other private quantum protocols exist, which use different encoding schemes. In every private and secure quantum protocol, the main purpose is to ensure that the eavesdropper will not be able to get any information by various tricky eavesdropping strategies. The private and secret quantum communication protocols use different methods to achieve this primary goal. To achieve the privacy of the quantum states, Alice has to encrypt the quantum states using random unitary transformations. In the most general model of private quantum communication, Alice would like to send to Bob an arbitrary message through the quantum channel, using an encrypted quantum state. Alice has the original message, and she generates an encoder key that describes the unitary operator which was applied in the encryption process. I.e., the encoder key specifies which of the unitary operators was applied by Alice. In the process of the encryption, every unitary transformation had some a given probability of being realized. If these probabilities are uniformly distributed, then an eavesdropper has no chance to identify which transformation was realized by the sender. The generated encoder key of Alice’s determines which unitary transformation sequence was applied to the input quantum states, and these encoded quantum states will be sent through the quantum communication channel. However, this is not the full picture, because
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
7
Alice has an ancillary quantum state, too, and the unitary encryption operators will be applied to these two systems: the original input quantum system and the ancillary system. It follows that the Hilbert space of the encoding unitary operations will be larger than was the Hilbert space of the original message. Alice will apply U , the unitary encoding operation, on the tensor product of the input quantum system and the ancillary quantum system. This ancillary system is required to simulate the environment, and in the decoding process it simply can be removed by the partial trace operation.
Classical Key
ρA 0
U
ρA
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Figure 2. Alice’s unitary encryption transformation realizes a private quantum communication channel.
Now, let us describe the private quantum channel, based on our previous statements. The general model of the transmission of private information through a quantum channel is shown in Fig. 2. Alice’s input quantum system is denoted by ρ A . This system is encoded by a classical key, the output of the transformation is an encrypted quantum system ρ A . But, what of interest has to have happened in this step? After Alice has encrypted her original message into a sequence of quantum bits, in which sequence the quantum states are rotated randomly by the randomly chosen unitary transformations, she puts these quantum states into the quantum channel and sends them to Bob. Alice would like to know for sure that Eve cannot decrypt these quantum states. In the encrypting process, Alice has generated an encoder key, which key determines the type of the unitary transformation which was applied to the given quantum state. Eve does not know Alice’s encoder key, hence she has no information about which unitary transformation was applied to the actual quantum state. It also follows, that it is possible to send private information through a quantum channel, since, without the knowledge of the encryption unitary operator, Eve will see the same system state for every input messages, independently from what the original message was. It follows that after the encryption operation, Eve will not be able to distinguish between the messages which were originally sent by Alice. This type of quantum communication channel is called a private quantum channel. If we have a private quantum channel, then it is possible to send quantum states through the quantum channel in a physically indistinguishable form — in the
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
8
Laszlo Gyongyosi and Sandor Imre
form of private information. If the parties use a private quantum channel, then an eavesdropper Eve, in every case, will see only a maximally mixed environment, which gives only zero bits of information about what the original message was. The model of private quantum channel is depicted in Fig. 3. Alice’s side is modeled by random variable X = { pi = P ( xi )} , i = 1,… N . Bob’s side can be modeled by another random variable Y. The Shannon entropy for the discrete random variable X is denoted by H ( X ) , N
which can be defined as H ( X ) = −∑ pi log ( pi ) , for conditional random variables, the i =1
probability of the random variable X given Y is denoted by p ( X Y ) . Alice sends a random variable to Bob, who produce an output signal with a given probability. Eve’s cloner in the quantum channel increases the uncertainty in X, given Bob’s output Y.
H (X )
H (X Y)
H (X )−H (X Y)
Alice’s pure qubit
Eve’s quantum cloner
Bob’s mixed input state
ρA
L
L ( ρA ) = σ B
Quantum Cloner
Random state
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Cloned state
Figure 3. The attacker model and the entropies.
The informational theoretical noise of Eve’s quantum cloner increases conditional
Shannon entropy H ( X Y ) , where
NX NY
H ( X Y ) = ∑∑ p ( xi , y j ) log p ( xi y j ) ,
(1)
i =1 j =1
Alice’s pure state is denoted by ρ A , Eve’s cloner modeled by an affine map L , and Bob’s mixed input state is denoted by L ( ρ A ) = σ B . We can use the fact, that for random variables X and Y, H ( X , Y ) = H ( X ) + H (Y X ) , where H(X), H ( X , Y ) and H (Y X ) are defined by probability distributions. The encoding scheme applied by Alice ensures that the quantum state, which was sent into the quantum channel, contains only zero bits of information about the original message, hence the mutual information between them is equal to zero. Since the mutual information is symmetric, it also holds in reverse, hence the original message gives only zero bits of
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Quantum Cryptographic Protocols and Quantum Security
9
information about the encrypted state and the applied unitary operator. In the general approach of private quantum communication channels, this zero mutual information has to hold in every case, however we can define a simpler and less strict condition for private quantum communication. If we would like to construct a private quantum channel from an engineering viewpoint, and we would like to make it more easily applicable in practice, then we have to introduce the concept of the nearly perfectly secure private quantum communication channel. As its name suggests, the result of Alice’s encoding transformation is not a maximally mixed state. Instead of a maximally mixed quantum state, Alice transforms the pure input states into a quantum informational ball centered at the origin of the Bloch sphere with radius r . This type of nearly perfectly secure encryption is called the 2r -secure encryption scheme [Bouda04]. For a perfectly secure protocol, this radius is equal to zero, hence r = 0 and Alice’s encoding transmission will encode the pure input states into a maximally mixed state, centered at the origin of the Bloch sphere. It has been proven that in many practical applications it is enough to use the 2r -secure encryption scheme to achieve maximal security. We note, the inventor of the 2r -secure encryption scheme used the trace distance instead of the quantum relative entropy function. Here, we give a more representative, mathematically equivalent model using the geometrical interpretation of the quantum channel. Now, let’s see what are the main differences between the perfectly secure and the 2r -secure encryption scheme. While the 2r -secure encryption scheme approximates perfect security, it also allows very small differences between the outputs of Alice’s encoder limited within the sphere of radius r , centered at the origin of the Bloch sphere, while for the perfect encoder every output state is equal to the center of the Bloch-sphere. The differences between the maps of the perfectly secure encryption and the nearly perfectly secure 2r -secure encryption scheme in the Bloch sphere representation are illustrated in Fig. 4.
Figure 4. The comparison of the maximally secure and the 2r-secure encoding schemes.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
10
Laszlo Gyongyosi and Sandor Imre
To give a short summary of the results of this section, a quantum communication channel is private [Bouda04] if and only if for all possible input messages ψ ψ and with an initial environment ρ Env. , there exists a set of unitary transformations U i with probabilities pi for which
∑ pU ( ψ i
i
ψ ⊗ ρEnv. )Ui† = I . 1 2
i
(2)
In either scheme, Alice’s encoder gets an input message, and she generates an encrypted output, whose quantum state will be closer to the center of the Bloch sphere than the original density matrix of the original input message was. This statement is an important and necessary property of private quantum communication. In a simplistic picture, it means that if Alice has an input density matrix ρ = ∑ λi ρi , where the ρi represents the i-th state of the i
input message, and the λi are the eigenvalues with
∑λ
i
= 1 , then the output of her encoding
i
transformation will be a nearly maximally mixed system state σ = ∑ λiσ i , where σ i is the i
output for the given ρi input state. As we have stated, if we would like to construct a maximally secure quantum channel, then each output of Alice should be a maximally mixed 1 quantum state: denote this system state by σ 0 = I . 2 In the other scheme, the overall output system state will be a nearly maximally mixed quantum state σ = ∑ λiσ i , and it will be in a ball centered at the origin of the Bloch sphere
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
i
with r-length radius. For this encoding scheme, the following statement holds between the input system and the output system states. The quantum informational distance—using relative entropy function as a distance measure—between the output density matrix σ = ∑ λiσ i and a maximally mixed state will be less than or equal to the quantum i
informational distance between the input density matrix ρ = ∑ λi ρi and a maximally mixed i
state. This statement is geometrically represented in Fig. 5. This result confirms our previous statement, thus the encrypted quantum system will be closer to the maximally mixed quantum state than the original input message was. This distance can be expressed in terms of the quantum relative entropy function which has a geometrical interpretation, in the form of the quantum informational ball. The smaller informational distance between the encrypted output and the maximally mixed state is a natural consequence of the security of the quantum channel, since such a smaller informational distance means that the output state cannot become more distinguishable from a maximally mixed quantum state, than the original input was, moreover, theoretically it has to be as close to as possible to the “ideal” maximally mixed state.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
11
Figure 5. The quantum informational distances between the input and the maximally mixed output state (a) and between the 2r-encoder’s output and the maximally mixed state (b).
Now assume that Alice has four input density matrices {ρ1 , ρ2 , ρ3 , ρ4 } which represent
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
the input message. These states are pure states, hence they are geometrically on the surface of the Bloch ball. These pure states are linearly independent, and they cover the whole Bloch ball. The average of these states is a maximally mixed state, centered in the origin of the Bloch sphere.
Figure 6. The output of an unconditionally secure encoding scheme is a maximally mixed state, independent of the input of the channel.
If Alice would like to construct a maximally secure encoding scheme, then she has to generate a maximally mixed state for every input state, hence
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
12
Laszlo Gyongyosi and Sandor Imre
1 2
σ1 = σ 2 = σ 3 = σ 4 = I .
(3)
In this phase, Alice uses unitary operators which will map the input state to a maximally mixed state - or into a nearly maximally mixed state - depending on the input conditions. As a summary of this subsection, if Alice generates an output system σ = ∑ λiσ i from i
the input messages ρ = ∑ λi ρi , then the output states have to be within a small ball inside i
the original Bloch sphere, centered at the origin of the Bloch sphere. Using the quantum relative entropy function as distance measure between density matrices, we can express the informational distance of the input states and the output states from the center of the Bloch sphere as follows:
⎛ ⎛ 1 ⎞ 1 ⎞ D⎜ ρ = ∑λi ρi I ⎟ ≥ D ⎜σ = ∑λσ I⎟, i i 2 ⎠ 2 ⎠ i i ⎝ ⎝
(4)
which also implies that the radius of the smallest ball of the output states is less than or equal ⎛ 1 ⎞ to the radius defined by the distance D ⎜ ρ = ∑ λi ρi I ⎟ . 2 ⎠ i ⎝
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
2.2. The Private Capacity of a Quantum Channel One of the most adequate measures of the security of a quantum channel is its private capacity. This measures the capacity of the quantum channel for secret quantum communication, and it’s capability for quantum cryptography, and private quantum communication. Private capacity gives us the maximal rate of private classical communication. The private capacity P ( N ) of a quantum channel N describes the maximum rate at which the channel is able to send classical information through the channel correctly, but in secure mode. Security here means that an eavesdropper will not be able to access the encoded information without revealing her/himself. The single-use (using one time the quantum channel) private capacity can be expressed as P ( ) ( N ) = max I ( A : B ) − I ( A : E ) , 1
all pi , ρi
(5)
where I ( A : B ) and I ( A : E ) are the quantum mutual information between Alice and Bob, and Alice and the eavesdropper, Eve. The true private capacity can be determined by the asymptotic private capacity P ( N ) , i.e. it can be computed from the multiple use of the quantum channel. We also use the maximization of mutual information and we optimize over all possible source distributions and encoding schemes of Alice as
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
13
⊗n 1 P( N ) = lim max ( I ( A: B) − I ( A: E) ) . n→∞ n all pi , ρi
(6)
H ( A)
H ( A B)
H ( A E)
Encoding
Quantum Channel
Eavesdropper
ρ1
N1
L1
N1 ( ρ1 ) = σ 1
ρ2
N2
L2
N 2 ( ρ2 ) = σ 2
ρn
Nn
Ln
N n ( ρn ) = σ n
H ( B) Decoding
P(N )
Figure 7. The asymptotic private capacity of a quantum channel. The private capacity measures the maximum achievable private information by Bob in the presence of an eavesdropper.
According to (6) the private capacity describes the maximal secure information that can be obtained by Bob on an eavesdropped quantum communication channel. The eavesdropper, Eve, attacks the quantum channel, and she steals I ( A : E ) from the information sent by
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Alice. The general sketch of the asymptotic P ( N ) private capacity is illustrated in Fig. 7. The eavesdropper is denoted by L . An important corollary from (6), while the quantum mutual information itself is additive, the difference of two quantum mutual information functions is not (i.e. we need the asymptotic version to compute the true private classical capacity of a quantum channel.) For private capacity the following relation holds between the asymptotic private capacity (n channel uses) and the single-use (one channel use) private capacity:
P ( N ) ≥ max ( I ( A : B) − I ( A : E) ) ,
(7)
all pi , ρi
As follows from (7), the single-use formula of the private capacity is not equal to the asymptotic formula, hence the asymptotic private capacity is greater than or equal to the single-use private capacity. These discoveries imply that the private capacity of quantum channels is not additive. On the other hand, as has been shown later, there exist quantum channels for which the asymptotic private capacity P ( N ) and the single-use private capacity P( ) ( N ) are equal: 1
these channels are called degradable channels. As in the case of the measure of classical capacity and the quantum capacity of the quantum channels, in the case of private capacity we would like to send information through a Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
14
Laszlo Gyongyosi and Sandor Imre
Asymptotic private capacity
Single use private capacity
=
Degradable Quantum Channel
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Figure 8. For a degradable quantum channel, the asymptotic private capacity is equal to the single-use private capacity. For other quantum channel models, this condition does not hold.
noisy quantum channel. The noise arises from the environment, or it can represent an eavesdropper on the quantum channel. While in the case of classical capacity we transmit classical information, in the case of private capacity we would like to send classical information through the channel in a form inaccessible to the environment or to an eavesdropper. The amount of maximal transmissible private information is less than or equal to the maximal classical capacity, and in general, the quantum capacity is less than or equal to the classical private capacity. The maximum transmittable classical information through a quantum channel is bounded above by the maximal amount of transmittable classical information, and bounded below by the quantum capacity of the quantum channel. We note that counterexamples can be found, in which the quantum capacity can exceed the private capacity. This relation also shows that the quantum information sent through the quantum channel is private information, on the other hand not every private information is quantum information. Classical Capacity
Private Classical Capacity
Quantum Capacity
Figure 9. The generalized relation between the classical capacity, private classical capacity, and quantum capacity of a quantum channel. We note, that in each case, counterexamples can be found in which the quantum capacity is greater than the private capacity or the classical capacity. Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
15
The fact that classical private information cannot exceed the “ordinary” non-private classical information is trivial. These capacities cannot be exceeded by the single-use capacity, except in some very special cases. In Fig. 9 we illustrate the relation between the classical capacity, private capacity and quantum capacity of a quantum channel. The private capacity of a quantum channel measures the information in the classical manner. The private capacity describes the classical information which can be sent through the quantum channel in secure form from Alice to Bob, without any information leaked about the original message to an eavesdropper. The private capacity measures this information, in a classical form, and the generalized model of the private capacity of the quantum channel is illustrated in Fig. 10. The first output of the channel is denoted by
σ B = N ( ρA )
,
(8)
.
(9)
the second “receiver” is the environment, with state
σ E = E ( ρA )
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
The single-use classical private capacity from these quantities can be expressed as the maximum of the difference between two mutual information quantities. The first mutual information measures the classical information transmitted between Alice and Bob, the second quantity measures the information leaked to the environment. The maximum of the difference between these two quantities gives us the maximum transmittable classical private information.
ρA 0
N
σ B = N ( ρA )
σ BE
σ E = E ( ρA )
Figure 10. The private capacity of a quantum channel.
The asymptotic private capacity can be expressed by the classical maximum mutual. Here, we give an equivalent definition for private capacity and show, that the private capacity also can be rewritten using the Holevo quantity [Schumacher2000], as follows:
1 ⊗n P( N ) = lim max ( XAB − XAE ) , n→∞ n all pi , ρi where
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
(10)
16
Laszlo Gyongyosi and Sandor Imre
XAB =S( NAB ( ρAB ) ) − ∑ piS( NAB ( ρi ) )
(11)
XAE =S( NAE ( ρ AE ) ) − ∑ piS( N AE ( ρi ) )
(12)
i
and
i
measure the Holevo quantities between Alice and Bob, and Alice and the eavesdropper Eve, respectively, and
ρAB = ∑ pi ρi and ρAE = ∑ pi ρi . i
(13)
i
The additivity of private capacity is currently an active area of research in quantum information theory. The very strong non-additivity of private capacity has been shown by Smith [Smith09b], and by Li and Winter et al [Li09]. Many of these discoveries were made in 2008 and 2009 [Smith08a-d], [Smith09a] and the latest results were discovered just in 2010 [Cubitt10] and 2011[Smith11].
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
2.3. The Non-additivity of Private Information We still have many open questions regarding the additivity of private capacity. Generally, it is known that additivity fails, however special cases can be found in which the one shot single capacity is equal to the asymptotic capacity. This fact will have an important consequence: for those quantum channels the asymptotic private capacity will violate the additivity property. This result also can be extended to the asymptotic classical capacity and the asymptotic quantum capacity. In 2008 Smith and Smolin showed that the non-additivity of the private capacity can be extended in a different way [Smith08a], since this property can be used in the superactivation of zero-capacity quantum channels. (The superactivation makes possible to use low (zero) capacity quantum channels for information transmission, i.e. the channels can activate each other.) As has been shown by their work, there exist quantum channel combinations for which the individual private capacities are equal to zero, however the joint combination of the two channels possesses a non-zero capacity. As can be concluded from these results, the classical private capacity of the quantum channel is closely related to the quantum capacity of the quantum channel. Later, Li and Winter et al. constructed a channel combination for which the entanglement-assisted quantum capacity is greater than the classical capacity. This construction uses a second channel, called the erasure channel, to activate the entanglement assisted capacity of the first channel. They found that if the first channel is combined with this second channel, then it is possible to transmit more classical information through the quantum channel, than the classical capacity of the first channel. An important conclusion is that, the private capacity of the joint channel construction is greater than the sum of the individual private capacities of the quantum channels. As can be concluded from this channel construction, the additivity of the private capacity depends on the types of the channels used in the construction. On the other hand, in general, the achievable joint private capacity will
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
17
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
not be greater than was initially the private capacity: the exception to this general rule is only if a good combination can be found. We note that in this combination, the first quantum channel has private capacity greater than zero, while only the second channel has zero private capacity. What follows from this construction? The maximum transmittable information through the quantum channel depends not just on the quantum channel itself, but also on the second channel which is used together with the original channel. With the help of this construction, a counterexample to the additivity of the private capacity has also been shown. The results presented by Li and Winter et al. [Li09], demonstrated that the private capacity is also non-additive. This fact makes it harder to compute the private capacity of the quantum channel, since it cannot be given by the single-use formula. The correct form of the private capacity is the asymptotic formula, which also implies that the computation of the asymptotic capacity is a harder computational problem. In their construction, the violation of the additivity of private capacity has arisen from the special channel construction in which they combined the first channel—which has very small private capacity—and an erasure quantum channel, which is a channel completely useless for information transmission. As has been shown by Smith and Smolin [Smith08a], it is possible to find channel combinations, for which the classical joint channel capacity of this construction is small, while the quantum capacity is large. They have found a combination for which the joint HSW channel capacity is less than or equal to two, while the quantum capacity of the same combination is greater than or equal to 1 log ( d ) , (14) 2 where d is the dimension of the input. In their combination, the dimension of the input is considered to be infinite. However, to activate this channel-construction, they had to give two maximally entangled states to the inputs of the two channels. The first channel has some private capacity, while the second one is a completely useless quantum channel. After these maximally entangled states have been fed to the two channels, the system becomes “quantum probabilistic,” and various possible outcomes will appear, with different probability amplitudes. The success of the whole construction is based on the working mechanism of the second channel, which is a completely useless channel—from an information-theoretic viewpoint. This second channel does the following: it erases the input with probability 50%, and leaves it untouched with 50% probability, which working mechanism is theoretically equal to a zerocapacity channel, since it is able to transmit the input correctly only with 50% probability. Based on the two possible outputs of the second channel, we can distinguish between the two cases. In the first case we will get capacity log ( d ) , while in the second case, we have a transmission with zero quantum coherent information. The probabilities of the working1 modes are equally . 2 The achievable quantum capacity for this channel construction is equal to the average of 1 the capacities of the possible outcomes, which is equal to the previously stated log ( d ) , 2
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
18
Laszlo Gyongyosi and Sandor Imre
while the initial classical capacity was limited to less than or equal to two. It can be also concluded from these results that the “hidden space” of this construction can be exploited only if the dimension of the input d is sufficiently large. The results shown in the previous section have illustrated the non-additivity of private capacity. Both Li et al. [Li09], and Smith and Smolin [Smith08a], have confirmed that the private capacity of a quantum channel is very strongly non-additive, similarly to the quantum capacity. The violation of the additivity of private capacity also underlines the fundamental difference between classical information theory and quantum information theory. We note, that such special cases can be found in which additivity is not violated, and the single-use private capacity of the channel will be equal to the asymptotic channel capacity. In both channel constructions, the increasing of the initially available private capacity was possible by using entangled quantum states and a second, completely useless 50% eraser quantum channel. The non-additivity property of the private capacity could have some very important consequences in the secret communications of the future, and these results provide a fundamental theoretical background for the construction of the practical implementations of the future.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
3. Quantum Bit Commitment In this section we give an overview of those results of secure quantum communication which lie outside the world of quantum cryptography. However, the main problem is the same, since the two legitimate parties would like to communicate securely even in the presence of an eavesdropper. Nowadays, the security of most QKD protocols have been proven, and the field of “postQKD” is currently a very active field of research. On the other hand, there are several other quantum protocols which purpose to ensure private communication through a quantum channel. These protocols would like to do something other than the classical quantum key distribution protocols, and the main task of these protocols is not secret key distribution. Some of these protocols describe a basic, mainly theoretical problem, however they can be a very useful basis for the more complex security schemes. The problem of bit commitment is principally a theoretical problem. In classical systems it is possible to construct cryptographic primitives based on the bit commitment scheme, and the question naturally arises, whether is it possible to do the same in the case of a quantum system? It is an important question, because if the possibility or the impossibility of the bit commitment in a quantum system is not proved, than we cannot be sure of the reliability of those protocols which are based on this problem or other variants of the same basic problem. So, why is it important to know whether it is possible to implement the bit commitment protocol in quantum systems? The bit commitment protocol can be the principle behind other, more complex cryptographic protocols, such as secure multi-party protocols, other cryptographic primitives, and private quantum communication methods.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
19
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
3.1. History of Quantum Bit Commitment The earliest version of the quantum bit commitment protocol was published by Bennett and Brassard, in the same year as the BB84 QKD [Bennett84]. Later, this scheme was modified by Brassard and Crépeau [Brassard91] and Brassard in 1998 has shown an method of defeating the classical version with quantum computers [Brassard98]. The security problems of these schemes were shown by an entanglement-based attack and the photonsplitting attack. The modified protocol is very similar to the originally defined quantum bit commitment scheme, however the impossibility of the scheme was proved shortly after its publication. The next quantum bit commitment protocol was the BCJL (Brassard, Crépeau, Jozsa and Langlois) quantum bit commitment scheme [Brassard93], which was considered to unconditionally secure. The protocol solves some critical problems of the previous quantum bit commitment schemes, but, contrary to the new ideas, the impossibility of the scheme also has been proven. The EPR-based attack against the BCJL protocol was introduced by Mayers [Mayers96]. The protocol was vulnerable against these types of attack, and any belief of the unconditionally security of the protocol has vanished. Later, this attack was extended to all other possible quantum bit commitment schemes. These results have confirmed the conjectures on the impossibility of unconditionally secure quantum bit commitment scheme. The EPR-based attacks on the ideal quantum bit commitment protocol were published in 1996, and later Lo and Chau showed a modified version of the attack on the non-ideal version of the protocol [Lo96]. We note, that there is no significant difference in the steps of the various attacks, since the main difference is only that in the case of the non-ideal scheme, some information is leaked to the environment. The proof of Mayers [Mayers96] (and later in [Mayers97]) and Lo and Chau [Lo96] has deep relevance in the security analysis of the various types of quantum bit commitment protocol. The EPR-attack works for all possible quantum bit commitment protocols, in which Alice sends a single bit, which bit can be in two possible states. The proof of the attack consists of a modified version of the basic quantum cryptography protocol, which modified protocol version was presented by Yao [Yao95]. The Mayers-Lo-Chau attack [Mayers96], [Lo96] uses the fact that the quantum channel can be used in an “equivalent to classical” mode, in which the quantum channel transmits classical information with the help of the quantum states, but without the possible advantages of quantum entanglement. If the quantum states transmit classical information, then there is no quantum correlation in the communication, hence any correlations between the sender’s and the receiver’s side can be at most classical. As has been shown in the proof of the attack, there is no difference between the classical and the quantum correlation—at least, from the viewpoint of the success of the attack. As we will see in this section, the quantum bit commitment protocol can be “hacked” and attacked successfully with the help of entanglement. Before this fact had become know, many tried to prove that an absolutely secure bit commitment was achievable in quantum systems, but these attempts all failed. These failed attempts did not take into account the fundamental differences between classical and quantum information. As we will see here, bit commitment in quantum systems is theoretically impossible, and this fact cannot be changed by the addition of other “layers” to these basically wrong proofs.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
20
Laszlo Gyongyosi and Sandor Imre
Before we start to discuss the question of the possibility or the impossibility of bit commitment in quantum systems, let’s examine the problem of bit commitment itself. In the problem of bit commitment, the sender, Alice would like to send a bit to Bob in such a way that Bob has no chance to know the value of the bit, before Alice has decided to reveal it. I.e., Alice controls the whole process, Bob just receives the bit, but he has no chance to use it until Alice has given permission to him. We can use a simplified picture, in which Alice puts his bit into a box, she closes it and sends to Bob. Bob receives the box, but he can not look inside the box until Alice has given permission.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
3.2. Description of Quantum Bit Commitment In the problem of bit commitment, the sender, Alice would like to send a bit to Bob in such a way that Bob has no chance to know the value of the bit, before Alice has decided to reveal it. Furthermore, Bob can be sure that Alice has not modified her bit after she has committed it. The protocol can be divided into two main phases, called the commit phase and the reveal phase: both phases are controlled by Alice. Bob receives the bit, but he has no chance to use it until Alice has given access to him. We can use a simplified picture of classical bit commitment, in which Alice puts a copy of her bit (e.g., her yes or no vote encoded into logical 0 and 1) into a box, she locks it with a key and sends the box to Bob. Bob receives the box, but he can not look inside the box until Alice has given permission e.g., in a voting system it is highly preferred that parties do not reveal any information about others’ votes before each participant has been sent his/her decision. Later, when Alice wants Bob to be familiar with her vote, sends the key and her vote to Bob. Bob opens the box using the key and checks whether the sent vote and the content of the box are equal. If not then Alice cheating comes to light. Interestingly, the primary role of the box is not carrying Alice’s vote, but allowing Bob to check Alice’s correctness. Now, we emphasize two important properties of the bit commitment protocol. The first one is called the binding property. It states that Alice is not able to change her vote after she has committed it (stored into the box). The second, the hiding (concealing) property states that Bob cannot open the box without Alice’s permission. The quantum bit commitment itself can be regarded rather more a theoretical than experimental problem; however, it provides the theoretical background for many other very important cryptographic problems. From an engineering point of view, it is important to see clearly how the secure quantum bit-commitment works and whether the secure bit commitment is possible or not at all. Why do we want to answer this question? Well, while the bit commitment problem in itself can be regarded as a very simple cryptographic primitive, several, more complex and important cryptographic primitives can be built based on its theoretical proof. The bit commitment protocol plays an important role in the multi-party security protocols, such as the quantum voting problem, in the coin flipping problem or in the security proofs of some NP-Complete security problems. These results are already proven in classical systems, and the same connection can be drawn between the quantum cryptographic protocols and quantum bit commitment. That is the main reason, why we are so interested in the theoretical background and correctness of the problem of quantum
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
21
bit commitment. We note, the quantum bit commitment protocol is already demonstrated in practice with fiber optics quantum communication systems. While in the classical bit commitment problem we have classical bits, in the quantum version we use quantum states. First, we show the steps of the protocol if we have unentangled tensor product states, then we discuss the entanglement-assisted version, where Alice will use an EPR state in the protocol. In both cases our goal is to preserve the logical information (e.g., Yes/No during voting) encoded into quantum states. The general model of the bit commitment problem is illustrated in Fig. 11. Phase 1. Alice puts her bit into a box, closes it and sends to Bob
1 bit
Alice
Bob
Phase 2. Alice sends the key of the box to Bob
key
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Alice
Bob
Figure 11. The problem of bit commitment. Alice cannot change her bit after she puts into the box, but on the other hand, Bob cannot “open the box” until Alice reveals it.
3.2.1. Quantum Bit Commitment without Entanglement – The Hiding Property In the commitment phase – if entanglement is not accessible by Alice – she encodes vote 0 in the
{ 0 , 1 } rectilinear basis
ψ0 = 0 while vote 1 is encoded in the
or
ψ0 = 1
,
(15)
{ + , − } diagonal basis as
ψ1 = + =
1 2
(0
+1
)
or ψ 1 = − =
1 2
(0
− 1 ),
(16)
selecting among the two basis vectors according to uniform probability distribution in each case. To implement this encoding scheme Alice applies on her vote either transformation I to do nothing or X to invert or H to rotate by π4 and XH to rotate by − π4 . Next, Alice sends the qubit to Bob. Bob receives the quantum state and stores it for later measurement. It is very important to emphasize, that by encoding the voting value into a
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
22
Laszlo Gyongyosi and Sandor Imre
quantum state using non-orthogonal bases Alice ensures, that even if Bob opens the box (measures the quantum bit) then he will have any information neither about the quantum state nor about her vote carried by the qubit! In this way the hiding property is guarantied by quantum mechanics (no-cloning theorem). In the reveal phase Alice sends a classical message m ∈ {00,01,10,11} , where the first bit (i.e., the Least Significant Bit) identifies her vote and in this way it assigns the decoding (measurement) basis for Bob while the second bit refers to which basis state was chosen within the basis. After Alice has transmitted her two-bit classical message to Bob, he measures the qubit sent by Alice in the basis according to the first bit of Alice’s classical message m either in the
{0 ,1}
or in the
{+ , −}
bases. If the measurement result of Bob differs from the
second bit sent by Alice, then Bob concluded that Alice cheated in the protocol i.e., she has violated the binding property. We note, that measuring in the diagonal basis can be replaced by performing a Hadamard transform and a measurement in the linear basis. Here transform H plays the role of the inverse of the encoding Hadamard transform. Based on the received message m Bob performs a measurement in compliance with the LSB bit. Alice’s classical message m sent through a classical channel to Bob can identify the following quantum decoding table 00 ⇒ ψ 0 = 0 , 10 ⇒ ψ 0 = 1 , 01 ⇒ ψ 1 = + ,
(17)
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
11 ⇒ ψ 1 = − .
As we will show, the quantum bit commitment protocol is not absolutely secure, and, despite many attempts, an absolutely secure bit commitment in quantum systems is theoretically impossible [Mayers96], [Lo96]. (We note, that it is true for the classical bit commitment scheme, too, since there is no classical bit commitment scheme exists for which the perfectly binding and perfectly hiding hold at the same time. On the other hand it makes possible to construct “imperfectly secure” classical bit commitment schemes for practical purposes.) Before we would allow using entanglement, we give a short analysis on the security of the protocol. We assume that the quantum channel is noiseless, and only unitary transformations can be used by the parties. In the commit phase, Alice generates state ψ 0 or
ψ 1 uniformly according to (15) and (16). Bob has no chance to know the value of the original bit, because his knowledge about the two possible states is equal to a maximally mixed state 1⎛1 1 1 ⎞ 1⎛1 ⎞ 1 σ = ⎜ 0 0 + 1 1 ⎟+ ⎜ + + + − − ⎟= I . (18) 2⎝ 2 2 2 ⎠ 2⎝2 ⎠ 2 In the reveal phase, Alice reveals the value of her bit – i.e., she gives the key to Bob to open the box. This means that hiding has been fulfilled and thus Bob can not cheat. What about binding? Can Alice hurt this property?
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
23
3.2.2. Entanglement-Assisted Quantum Bit Commitment – The Binding Property Now, Alice exploits entanglement in order to cheat. Obviously Alice wants Bob nothing to reveal, therefore she operates for Bob eyes like in the previous protocol but only like and not exactly. In the corrupted protocol—corrupted from Bob’s viewpoint —Alice has no vote at all at the beginning! First of all she prepares a Bell state
β 00 =
1 2
( 00
+ 11 ) .
(19)
Next one half of this EPR state is kept by Alice while the second qubit is sent to Bob. Tracing out any of the qubits from β 00 will result in a maximally mixed state with density
I , i.e., Bob can not access any information, hiding is still guaranteed. 2 Now, Alice decides to send her vote to Bob and to manipulate the content of the box (i.e., the previously sent half EPR pair) so that Bob can not reveal her trick. If she wants to announce a 0 vote then she measures her qubit in the { 0 , 1 } basis. This collapses the EPR matrix
state either into 0 0 or into 1 1 . Obviously the LSB bit of m shall be set to 0 according to her vote and the second bit to her measurement result. In the first case she sends m = 00 to Bob, suggesting Bob to make a measurement on his qubit containing 0 in the linear basis, resulting in 0 , too. Therefore, Bob will see no difference between the measurement result
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
bit and the second bit of m. Assuming Alice wants to communicate vote 1 then she measures her qubit in the
{ + , − } basis or equivalently, she performs first a Hadamard transform ( H ⊗ I ) β 00
(( H 0 ) 0 + ( H 1 ) 1 ) = 2
=
1
=
1
=
2 1 2
(+
0 + − 1 )=
(0
+ + 1 − ),
and makes a measurement in the
{0 ,1}
0 −1 ⎞ 1 ⎛ 0 +1 0 + 1⎟ ⎜ 2⎝ 2 2 ⎠
1 (0 0 +1 0 + 0 1 −1 1 2
)
(20)
basis. The message m consist of vote 1 and the
measurement result 0 or 1. In possession of m, Bob measures in the diagonal basis 0 if the second bit is 0 and 1 if the second bit equals 1. Equivalently he can use transform H −1 = H which turns (20) to I ⊗H 1 (21) ( 0 + + 1 − )⇒ 1 ( 0 0 + 1 1 ) 2 2 and the linear basis to measure.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
24
Laszlo Gyongyosi and Sandor Imre
The appearance of quantum entanglement in the protocol makes it impossible to construct an absolutely secure bit commitment protocol. Alice’s cheating strategy is completely unimaginable in classical systems, since it is based on the advanced properties of quantum mechanics.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
3.3. Security of the Bit Commitment Protocol It is now accepted as a fact, that quantum bit commitment is not possible. The discovery of the impossibility of quantum bit commitment was a very important result from the viewpoint of the evolution of the quantum security and privacy protocols, and hence of the security of future quantum communications. Although the attempts to prove the security all failed, some of them contain interesting results. The correctness or the possible implementation of a quantum bit commitment protocol was not clear until the end of the 90s. Many authors tried to proof the security of the quantum bit commitment protocol, however these proofs were all wrong. After the theoretical impossibility of the scheme became widely known, some other attempts have again appeared. In these attempts, the authors have tried to manipulate the proofs with intricate encodings and measurement settings. Later, the impossibility of the quantum bit commitment scheme was extended from the condition of absolutely secure to the ε -secure scheme. These papers just confirmed that an unconditionally secure quantum bit commitment is not possible, however these attempts have also revealed the possibility of a not unconditionally secure quantum bit commitment. A quantum bit commitment scheme with lower security assumptions can be constructed, based on quantum one-way functions. Although these lower-security protocols do not implement the standard quantum bit commitment protocol, their background is very similar. These schemes use a four-party bit commitment scheme, in which the presence of the four parties—instead of the originally defined two parties—makes it possible to apply a lower-security version of the originally constructed model. And there is another very important difference between these “lower-security” schemes and the originally defined quantum bit commitment scheme the latter does not implement any quantum mechanical effects such as entanglement. The problem of quantum bit commitment is very closely related to the problem of quantum coin tossing, however the input requirements of the quantum coin tossing protocol is much weaker than the input conditions of the quantum bit commitment protocol. In the coin tossing problem, Alice and Bob communicate with each other, and if both parties are honest, then each possible outcome of the protocol has equal probability. In the basic version of the quantum coin tossing scheme, the possible outcomes are the “zero,” “one,” and “reject” messages. If both parties are honest, then the outcome probabilities of the “zero” and “one” are equally 50%, if one of the parties is not honest, then the outcome of the protocol will be a “reject” message. The quantum coin tossing scheme would be implementable with the help of the quantum bit commitment scheme, however, just as in the case of quantum bit commitment, a perfect realization of this protocol is not possible. The attacks against the protocol are the same as in the case of the quantum bit commitment scheme. The Mayers–Lo–Chau attack [Mayers96], [Lo96] has shown the vulnerabilities of the protocols, and has shown that the quantum coin tossing, and its various versions, cannot be implemented in practice with unconditionally
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
25
security. On the other hand, with weaker conditions, a “sufficiently secure” version of the quantum coin tossing protocol can be defined, and the previously shown versions of the quantum bit commitment scheme can be used for this purpose.
4. Quantum Oblivious Transfer Quantum oblivious transfer is another important cryptographic problem. The problem of oblivious transfer can be summarized as follows. Alice and Bob are two parties whose do not trust each other. Bob would like to receive the message without Alice’s learning whether he received the message or not, and Bob would like to know for sure that he received the correct message, otherwise he simply drops the message. The probability that Bob receives the message is equal to 50%. Later, a modified version of the protocol has been introduced, in which Alice sends two bits to Bob, who chooses which bit he would like to receive, and he could even choose to receive both bits. The aim of the protocol is to guarantee that Alice will have no information about which bits were received by Bob. The general view of the oblivious transfer problem is shown in Fig. 12. There are many different versions of oblivious transfer, however the basic problem in all cases is the same.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Alice
N =I
Bob
Figure 12. The general view of the quantum oblivious transfer. The quantum channel is an ideal channel, and the parties are perfectly separated from each other.
4.1. History of Quantum Oblivious Transfer The version of Crépeau [Crépeau94] is secure if Bob measures the quantum state sent by Alice immediately after he receives it. Hence, the security lies in the fact that the receiver has no capability to perform post measurements on the quantum states. The security of Crépeau’s scheme relies on the fact that the receiver chooses a random basis for the measurement of the quantum state, hence Bob has no a priori information about the basis he should use before the measurement of the quantum state. It follows that in half the time, Bob will choose the correct basis, while the probability, that he measures most of the input bits correctly is very small. It has been shown that in that case, if Alice sends n quantum states to Bob, then the probability that Bob measures correctly more than the 75% of the qubits, or less than 25% of the qubits, are both negligible in practice.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
26
Laszlo Gyongyosi and Sandor Imre
On the other hand, it has been shown that with the help of the quantum bit commitment protocol, the security of the oblivious transfer problem can be guaranteed even with a receiver who is capable of performing post measurements. But in this case, the security of the oblivious transfer scheme is upper bounded by the security of the bit commitment protocol, which is the weakest link of the construction. As in the cases of quantum bit commitment and quantum coin tossing, quantum oblivious transfer is also theoretically impossible. The impossibility of the quantum oblivious transfer protocol also can be extended to the non-ideal version of the protocol. In the non-ideal version of the quantum oblivious transfer protocol, Alice could extract some information about Bob’s measurement basis, moreover the quantum states are not orthogonal—according to the noise of the quantum channel—hence Bob cannot be sure that his measurement result is 100% correct.
5. Quantum Fingerprinting
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Quantum fingerprinting is similar to classical hash techniques. Quantum fingerprinting uses quantum states to generate the quantum fingerprint, and allows the parties to share secret information through the quantum channel in a more efficient way than is possible in the case of classical systems. If Alice and Bob would like to know in a very efficient way whether or not they have the same quantum data base, without any communication allowed between them, they can use quantum fingerprints. The fingerprints then are sent to a third party, who makes the comparison, and give an answer. The most important task of quantum fingerprinting is to generate a smaller set of quantum states from a very large quantum system. The quantum fingerprinting scheme has relevance in private and secure quantum communications, since the fingerprints are generated by a one-way function, and it is not possible to recover the original system state from the quantum fingerprint.
5.1. History of Quantum Fingerprinting The quantum fingerprinting scheme has been studied by Buhrman et al. [Buhrman01], [Barnum02]. The quantum fingerprinting protocol is based on the simultaneous message passing protocol, which first was introduced by Yao [Yao95]. In this protocol, Alice and Bob receive an input and they generate a simpler output message. Moreover, they cannot communicate with each other, thus they have to use a third party, called the referee, to compare the messages. The referee, according to the inputs received from Alice and Bob, generates an output, and sends it back to Alice and Bob. A quantum fingerprint also can be used in a very noisy environment to send some information about the current system state—for example, in the case of a large database—or it can be used very efficiently in other cryptographic primitives, where the “hash states” of the original systems are required, since the size of a fingerprint is very small. The idea behind this scheme is that the fingerprint does not contain enough information to recover the original message, however it can be used to distinguish the state of the original, larger quantum system from another state of the original system. The most important advantage of quantum fingerprints is that very large quantum systems can be compared very efficiently by their fingerprints. These fingerprints are very small in comparison to the original system state. The
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
27
quantum fingerprints of the original quantum systems contain enough information to distinguish between two systems, hence a third party, called Carol or the referee, is able to distinguish between the Alice’s and Bob’s very large quantum systems. Alice and Bob generate their own quantum fingerprints from their very large quantum database, and they send it to Carol.
5.2. Description of Quantum Fingerprinting
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
In the quantum fingerprinting method, Carol has to check whether the fingerprints sent by Alice and Bob are equal or different. This comparison gives enough information about the similarities of the original systems of Alice’s and Bob’s. The size of the quantum fingerprints are logarithmic in the size of the original system state, however they are able to distinguish the original system states. If Alice and Bob have two very different quantum systems, then the generated fingerprints will be also very different, hence it is possible to Carol to make a clear comparison—however, we still have a quantum system with probability amplitudes, which makes the picture more difficult. Alice’s fingerprint
Bob’s fingerprint
ψA
ψB
Carol
Carol’s quantum circuit Figure 13. Carol compares the two quantum fingerprints received from Alice and Bob.
Now, let’s see what these problems are. Assume that we have a quantum system with n orthogonal quantum states. The size of the quantum fingerprint will be logarithmic in the size of the original n , hence it will be log ( n ) . On the other hand, to generate this fingerprint, we cannot use orthogonal quantum states, since in this case we did not compress the size of the original system. Hence we have to use non-orthogonal states in the fingerprint, which states also make it possible to characterize the original system with the help of the much smaller quantum fingerprint. On the other hand, the distance between the quantum states of the quantum fingerprint cannot be so small that the states would be indistinguishable. Similarly,
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
28
Laszlo Gyongyosi and Sandor Imre
this distance cannot be so large that the fingerprint size would be the same as that of the original system state, which would mean that we did not compress the state of the original system. So, what would be the optimal decision in this case? Let’s recall our primary goal: we would like to construct a “hash quantum state,” whose size is logarithmic in the size of the original input system. We have to choose between the maximum precision, which is available only with orthogonal states, and smaller size, which is possible only with non-orthogonal states: however, the smaller the size, the lower the probability of success of the identification. We choose the second option, hence we will use non-orthogonal states, since our first aim is the efficiency of the fingerprint scheme. On the other hand, the distance between the non-orthogonal states of the fingerprint cannot be so small, since in this case, Carol would not be able to distinguish between the states, and the original system state would not be well characterized. As an optimal solution, the fingerprint techniques use the so called “almost orthogonal” quantum states in the fingerprint. Using these states, the fingerprints generated by Alice and Bob can be distinguished with high probability. The inner product of the fingerprints will be very small, if the two fingerprints are different, while it will be nearly equal to one for very similar fingerprints. So, if Alice generates a fingerprint ψ A and Bob generates a fingerprint ψ B and they send it to Carol, then Carol’s decision will be based on the value of ψ A ψ B . These fingerprints are the hash of the original input states, hence if ψ A ψ B ≈ 0 , then the two systems differ, while if
ψ A ψ B ≈ 1 , then the two states are probably the same. However, Carol has some uncertainty in her decision, since the states are non-orthogonal states. But it is possible to construct a quantum code that allows of using only O ( log n ) quantum states in the fingerprint instead of the original system state O
( n ) . This also implies that Alice and Bob have only to send
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
O ( log n ) quantum states through the quantum channel, which makes it possible to identify the similarities and the differences between the original systems in a very efficient way.
0
H
H
M
ψA ψB
SWAP Figure 14. The verifier circuit.
At this point, we have reached the main problem of the quantum fingerprinting scheme: how could Carol compute the inner product between the quantum states and how could she decide whether ψ A ψ B is nearly equal to zero, or nearly equal to one? She cannot answer Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
29
this problem in a deterministic way. She can construct a quantum circuit, which can solve this problem, but only in a probabilistic way. The quantum circuit which can help in this problem is a very simple circuit, it contains only a Hadamard-gate and a SWAP-gate. In Fig. 14 we see Carol’s quantum circuit constructed to distinguish between the fingerprints of Alice and Bob. The input fingerprints are denoted by ψ A and ψ B . As can be seen, the outcome of this quantum circuit is probabilistic for non-orthogonal quantum states. The input fingerprint states denoted by ψ A and ψ B could contain any number of qubits, according to the size of the original input systems. This quantum circuit makes it possible for Carol to determine, at least probabilistically, whether the two fingerprints are equal or not, and hence she can conclude whether the original system states are equal or not. Carol will measure 0, if the two fingerprints are equal, hence their inner product is ψ A ψ B ≈ 1 , and she will measure 1, if the two fingerprints are different (nearly orthogonal to each other), thus ψ A ψ B ≈ 0 . Now, let’s see what the probabilities of these outcomes are. The probability of 0 is
1 ψ ψ ≈1 P ( 0) = + A B ≈1, 2 2
(22)
1 ψA ψB ≈ 0 1 − ≈ . 2 2 2
(23)
while 1 has probability P (1) =
As can be seen, when ψ A ψ B ≈ 1 , Carol can always generate the correct answer, but in
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
case ψ A ψ B ≈ 0 , she can incorrectly conclude that the original systems of Alice’s and Bob’s are equal when this is not, in fact, the case. How can the probabilities of success be increased in the latter case? If Alice and Bob send to Carol some copies from their fingerprints, and Carol repeats the test multiple times, then she can increase the probability of success. However, this step decreases the efficiency of the quantum circuit, but the error probability of the network also can be decreased. As we have seen, if the output of the quantum circuit is zero, then we can be sure of the correctness of the algorithm, while if the output results in a logical one, then the correctness of the answer is not guaranteed. As we have seen, quantum fingerprints cannot be distinguished in a deterministic way, and in some cases, the correctness of the output is not guaranteed. Now, let’s see the working mechanism of Carol’s quantum circuit. If Alice’s and Bob’s fingerprints are denoted by ψ A and ψ B , then Carol’s zero output can be generated by the following steps of the quantum circuit:
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
30
Laszlo Gyongyosi and Sandor Imre
( 0,ψ
1
0,ψ A ,ψ B
2 = =
1 2 1 2
( 0,ψ ( 0,ψ
= 0 ⊗
,ψ B + 1,ψ A ,ψ B
)
,ψ B + 1,ψ B ,ψ A
)
A
A
A
,ψ B + 1,ψ A ,ψ B + 0,ψ B ,ψ A − 1,ψ B ,ψ A
1 ( ψ A ,ψ B + ψ B ,ψ A 2
)+ 1 ⊗ 2(ψ 1
A
)
(24)
,ψ B − ψ B ,ψ A ) .
From this result, the output probability of the 0 outcome can be expressed as follows: 1 ( ψ A ,ψ B + ψ B ,ψ A )( ψ A ,ψ B + ψ B ,ψ A 4 1 = ( 2 + ψ B ,ψ A ψ A ,ψ B + ψ A ,ψ B ψ B ,ψ A ) 4 2 1 1 = + ψB ψA . 2 2
P ( 0) =
) (25)
The outcome probabilities can be used to derive the error probabilities for the case of ψ A = ψ B and ψ A ≠ ψ B . In the first case, the quantum circuit of Carol gives a correct output with error probability ψ = ψB
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
A perror
⎡ 1 (1− δ ) ⎤ 1 (1− δ ) =1− ⎢ + =0, ⎥= − 2 2 2 2 ⎣ ⎦
(26)
where δ is zero, if the two fingerprints are equal. On the other hand, in the second case, the error probability will be higher, thus the worst-case error probability for the ψ A ≠ ψ B input is ψ ≠ ψB
A perror
⎡ 1 (1 − δ ) ⎤ 1 (1 − δ ) worst −case = 1− ⎢ − = perror . ⎥= + 2 2 2 2 ⎣ ⎦
(27)
But, Carol can ameliorate this error probability to an arbitrary ε > 0 error. To reach this arbitrary ε > 0 error in the case of ψ A ≠ ψ B , Carol has to repeat k-times the test with the constructed quantum circuit, where
k ∈O ( log 2 (1 / ε ) ) .
(28)
After k-iterations, the worst-case error probability reduces to ⎛ ⎡ 1 (1 − δ ) ⎤ ⎞ ⎛ 1 (1 − δ ) ⎞ = ⎜1 − ⎢ − ⎟ , ⎥⎟ = ⎜ + ⎜ 2 ⎦ ⎠⎟ ⎝ 2 2 ⎠ ⎝ ⎣2 k
ψA ≠ψB
perror
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
k
(29)
Quantum Cryptographic Protocols and Quantum Security
31
where (1 − δ ) → 0 , hence ψ x ψ y ≤ 1 − δ , which results in a probability of making an error in the case of logical zero of worst −case perror =
1 . 2k
(30)
On the other hand, this step will increase the complexity of the protocol from O ( log n ) to O ( log ( n ) log (1 / ε ) ) . We note that this arbitrary ε > 0 error cannot exclude with unit probability the error in the answers. The “zero error” (i.e., the case of making an error when there was a logical zero) probability can be guaranteed only if the quantum fingerprints of Alice and Bob were the same. To summarize, in this section we have seen that it is possible to solve a classically O
( n ) complexity communication problem with O ( log n ) complexity in a quantum system
[Buhrman01]. In the quantum fingerprinting protocol, Alice and Bob cannot communicate with each other, a third party, called Carol, compares the fingerprints and makes a decision. The quantum fingerprints are generated by Alice and Bob individually: each fingerprints consist of O ( log n ) quantum states. The fingerprints consist of non-orthogonal quantum
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
states, called “near-orthogonal” quantum states, and Carol’s decision is, in general, probabilistic. For equal inputs the output is correct, while for different inputs the correctness in not guaranteed. We have also proved that the worst-case error probability of the output can be decreased to an arbitrarily low level: however this is possible only with some increase in the complexity.
6. Quantum Digital Signatures Quantum digital signatures are an application of the quantum fingerprinting scheme. Quantum signatures are based on non-orthogonal quantum states and have the same goal as classical digital signatures. The quantum digital signature is a string of qubits placed after the original message, a signature which is generated from the original message. In the classical system, the digital signatures can be viewed as an inverse operation of the encrypting scheme of the public key methods. In the classical manner, the digital signature is generated with Alice’s private key, while the decrypting of the message is realized by the public pair of Alice’s private key, which public key is publicly known by Bob. Alice transforms her message with her private key, which was originally defined for decoding in the classical public key crypto schemes, and sends the signed message to Bob. Since Bob knows the public key of Alice, he can verify the identity of the sender. Bob, with the help of Alice’s public key, decodes the signature, and if the message was sent by Alice, then the result of his decoding will be equal to the original message. After Bob has decoded the signature, and the result is a valid signature, then Bob can be sure that the original message was sent by Alice, and was not altered during the transmission.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
32
Laszlo Gyongyosi and Sandor Imre
6.1. History of Quantum Digital Signatures The signed quantum string can be used to identify the sender, such as can be done in a classical system. The first quantum digital signature protocol was designed by Gottesman et al. [Gottesman01], who showed that quantum states cannot, without encryption, be signed securely. This means that if a sender can read the quantum message, then he can change it, and he can generate an invalid signature for the changed message. It follows that an unknown quantum state cannot be signed without the encryption of the state—however a known one can be signed without encryption. Classical digital signature methods are built on the fundamental results of asymmetric cryptography, and they can be integrated into the classical cryptographic primitives very easily. But, how do we integrate digital signature schemes into the quantum world? In Fig. 15 we illustrate cheating with an unknown and unencrypted quantum state. The signed unknown quantum state is denoted by sign ( ψ
the signature sign ( ψ
)
) . In the cheating process, the unauthorized user reads
by the unitary transformation U . If the unknown quantum state ψ
is not an encrypted state, then anyone who can read it can change it to ϕ . Hence, anyone can generate a valid signature for the modified state, and thus a quantum signature scheme requires the encryption of the quantum states. invalid quantum state
sign ( ψ
)
U Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
sign ( ϕ
ψ →ϕ Rk
U
)
−1
does not depend on the input state
Figure 15. If Eve can read the signed quantum state, she can modify it.
The goals of the quantum digital signature scheme are the same as in the case of the classical version: the sender can be identified from the signature strings, and the original message can be recovered from the signed message. Moreover, if the message was sent by Alice, and Bob verifies that the message was sent by Alice, then the decoded message will be equal the originally sent message. As we will show, the verification of the quantum states cannot be made in a deterministic way: the output of Bob’s verification process will be probabilistic. On the other hand, the quantum version of the digital signature scheme provides us with the advantages of quantum mechanics. In the case of the classical digital signature schemes, the security of the whole system relied on the computational complexity of the oneway hash functions. In the case of the quantum version, the security is based on the properties of quantum mechanics and the properties of the quantum states. Contrary to the classical schemes [Asmuth83], [Rivest78], [Schneier96], [Shamir79], the quantum scheme cannot be broken even with unlimited computational power, and it could be a very useful alternative to
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
33
the currently widely used digital signature schemes in the advanced communication systems of the future. But what happens if two senders Alice and Carol, send a signed message with different private keys, but they generate the same signature to a given message. In a well designed scheme it is not possible, since the senders have to use a one-to-one function, which function generates different signatures for a message with different keys. As has been shown, there exist quantum versions of this type of hash functions, which can be used to construct quantum digital signature schemes. This also guarantees that an eavesdropper cannot find an inverse transformation, which can help her to know Alice’s private key, since this would be possible only if the one-way signature function would generate the same signature for a message for different private keys. According to the currently published results, the efficiency of the one-time signatures is very low if the quantum state to be signed is an unknown quantum state. The efficiency of the quantum signature scheme can be increased if the signer has to sign a known quantum state.
6.2. Description of Quantum Digital Signatures
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Quantum one-way functions will play at least as significant a role in the case of quantum digital signatures as the classical one-way functions did in the case of classical systems. The quantum digital signature scheme has to rely on a function which allows the sender to construct a quantum signature very easily and efficiently, however it also has to guarantee that its inverse cannot be computed, not even with unlimited computational power. Classical digital signature schemes are based on Lamport’s method [Lamport81]. He has shown a very useful and efficient, one-way function-based method for the verification of classical bits. The method originally was designed for the verification of classical bits, but it can be extended to quantum systems. In the Lamport protocol, Alice sends a one-bit length message, hence her message m could be m0 = 0 or m1 = 1 . Alice uses two random numbers as signatures, s0 for the zero message, and s1 for the logical one bit. The public keys e0 and e1 are generated by a one-way function f . Alice publishes this one-way function f , thus this function also can be used by Bob to verify the signature, however he has no ability to do this in the reverse direction. The e0 and e1 public keys of the s0 and s1 signatures are generated as follows:
e0 = f ( s0 )
and
e1 = f ( s1 )
.
(31)
After Alice has computed the public keys for the messages m0 = 0 and m1 = 1 , in the initial step of the protocol she sends the following I0 and I1 messages to Bob:
I 0 = ( m0 , e0 ) = ( 0, f ( s0 ) )
and
I1 = ( m1 , e1 ) = (1, f ( s1 ) )
.
(32)
Bob will use these I0 or I1 messages to verify Alice’s identity as follows. If Alice sends a message to Bob, then she will send m0 = 0 or m1 = 1 , and the signature s0 for the zero or
s1 for the logical one. The message of Alice is
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
34
Laszlo Gyongyosi and Sandor Imre
M 0 = ( m0 , s0 ) where
or
M 1 = ( m0 , s1 )
,
(33)
s0 = sig ( m0 ) and s1 = sig ( m1 ) .
(34)
The signatures of the messages m0 = 0 and m1 = 1 are generated by the sig ( ⋅) messagesignature function. Alice can choose a signature function for which the output of the signed message will be equal to the previously chosen signatures, s0 and s1 . Bob will receive the message M 0 or M 1 , and in the next step he computes the public keys e0 = f ( s0 ) and e1 = f ( s1 ) . If the public keys ei are the same as included in the initial
messages I0 and I1 , then Bob has verified Alice, otherwise he will drop the message. This scheme can be implemented by symmetric keys, however in the classical protocol every bit requires a new key for maximal security. In the classical scheme an eavesdropper can extract information from the previous messages, hence every message requires a new key. In the case of the quantum version of this protocol, the one-way function will result in a quantum state, and the keys of the one-way functions will also be realized by quantum states. While in the case of classical systems, the comparison of the secret-keys can be made easily, in the case of quantum keys, the comparison can be done only in a probabilistic way. In the quantum digital signature scheme the use of a given key will be determined by the similarities between the given quantum key and the previously used quantum key by taking the inner product between them. The comparison of the quantum keys can be achieved by the quantum circuit of the quantum fingerprinting scheme. In the case of the quantum digital signature scheme, Alice’s quantum public key is a quantum message denoted by Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
U f ( si ) ,
(35)
where si is the signature, U f is a unitary one-way function, and the state U f ( si ) consists of n qubits. The problem is the same as in the classical case, however here, the random number is represented by a quantum state si and the function is realized by a unitary operator denoted by U f . For a message mi and given si , Alice generates a signature using the following transformation:
U f si 0 where 0
⊗n
⊗n
= si U f ( si ) ,
(36)
is an n-qubit length quantum register for storing the result of the unitary
transformation. Alice will publish the initial message standard messages, she will send ( mi , si
(m , U i
f
( si )
)
to Bob, and in her
).
After Bob has received Alice’s initial message with the classical message mi and the key state U f ( si ) , he can compute the valid si by the inverse unitary transformation U −f1 for a
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security * given message, and later, he can compare it with the si
35
included in the standard, not
initially sent messages. Bob’s inverse transformation U −f1 applied to U f ( si ) yields U
−1
f
(U
f
si
)0
⊗n
= 0
⊗n
si .
(37)
* If Bob receives si , he can compare it with Alice’s publicly announced public quantum
key, using the U −f1 inverse transformation: the SWAP-circuit, as in Fig. 16.
0
H
H
M
Received signature state
si U f si
SWAP
si
Valid signature state
Alice’s announced public key
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Figure 16. Bob compares the received signature quantum state with the valid signature quantum state. The valid signature is derived from Alice’s publicly announced quantum key.
As follows from this unitary transformation, if the output of Bob’s quantum circuit is
0
⊗n
* * , then the states U f si and U f si are equal, hence si is a valid state.
After Bob has applied the inverse unitary transformation, he will get the si which was included in Alice’s initial message as U f ( si ) . To compare the state si
derived from
U f ( si ) , and the state si* sent by Alice, Bob will use the SWAP-test, as before. In conclusion, if Bob receives a modified Si
state, which state was corrupted by Eve,
then Bob can distinguish the fake state only in a probabilistic way. Since the two states are not orthogonal, the output of the circuit will not give a deterministic answer. If the distance between the valid quantum public key state U f ( si ) and the fake quantum public key state
U f ( Si ) is U f ( Si ) U f ( si ) = τ , then the probability that Bob can distinguish between the valid and the fake states is
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
(38)
36
Laszlo Gyongyosi and Sandor Imre p = 1 − U f ( Si ) U f ( si )
2
=1− τ . 2
(39)
It follows, if Eve were able to perfectly clone the sent state, then Bob’s verifying circuit would not be able to distinguish the fake state from the valid state. The working mechanism of the quantum digital signature protocol differs in some points from the classical protocol. The quantum keys cannot be copied and distributed arbitrarily many times according to the no-cloning theorem, which also means that Alice has to generate the state U f ( si )
for every party. In the distribution process and the comparison of the
quantum key U f ( si ) , the parties can use the swap test among themselves. As we have seen in the case of the quantum fingerprinting scheme, the output of the swap-test is probabilistic, hence if the parties would like to distribute the quantum keys among themselves, they have to define a sophisticated acceptance method. The acceptance method is based on the output of the swap circuit, which compares the input quantum states. According to the difference between the valid and the currently received key, the result of the verification process can be an “accepted and transferrable to others,” “accepted but cannot be transferred to others,” or a “key rejected” message. If the parties have the swap-test quantum circuit, then the parties can distribute and verify among themselves the signature states si . In the sending process, Alice prepares the classical message m0 = 0 or m1 = 1 , and 1 2 N generates the signatures s0 , s0 ,… s0
1 2 N for the message m0 = 0 , and s1 , s1 ,… s1
for
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
the message m1 = 1 , where N is the security parameter. Alice distributes the original message and the N signature states to the parties, using an insecure channel. Alice’s sending process is shown is Fig. 17. Alice generates a classical message, and N quantum signature states.
0
m0 = 0
s10 , s02 ,… s0N Bob
Alice
1
m1 = 1
s11 , s12 ,… s1N
Figure 17. Alice generates a classical message, and N quantum signature states. 1 2 N After the i-th party has received the s0 , s0 ,… s0
1 2 N or s1 , s1 ,… s1 signature states
with the message, they prepare the quantum state
U f s0i or U f s1i for all 1 ≤ i ≤ N ,
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
(40)
Quantum Cryptographic Protocols and Quantum Security
37
i i and using the swap-test, checks whether U f s0 or U f s1 is valid or not. Each receiver will
perform the same verification process. If the receiver finds that the difference between the
U f s0i
i or U f s1
and the valid state is huge, then that state will be called an incorrect
quantum public key state.
0 Quantum public key state received from the i-th user
H
H
M
U f s0i or U f s1i U f s0 or U f s1
SWAP
Alice’s announced public key
Figure 18. The parties verify the received keys with the help of the quantum-swap circuit. If the difference between the valid quantum public key state and the received state is huge, the user rejects the state.
After the parties have counted the incorrect quantum public key states, they distribute this information among themselves. If the i-th receiver has counted inci incorrect quantum states, and there are constants for which 0 ≤ c1 < c2 ≤ 1 , then an “accepted and can be transferred to Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
others” message will be sent if and only if
inci ≤ c1 N .
(41)
This message will be an “accepted but cannot be transferred to others” message if and only if c1 N < inci < c2 N . (42) And finally, a “rejected” message will be sent to the other parties if and only if
inci ≥ c2 N .
(43)
The reliability of the quantum signature protocol can be verified using mathematical tools. If the system which realizes the quantum signature scheme has P recipients, with N security parameters and a distance of τ between the quantum states, and n is the number of the quantum bits in the key, and s is the length of the signature in classical bits, and if for this system the inequality
(
c2 N < (1 −τ 2 ) N − 2 (
− s −Pn)
( 2N ) )
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
(44)
38
Laszlo Gyongyosi and Sandor Imre
0 Quantum public key state received from the i-th user
U f s0i or U f s1i
inci ≤ c1 N
Verifier
c1 N < inci < c2 N
Circuit inci ≥ c2 N
U f s0 or U f s1
Accepted and can be transferred to others Accepted, but cannot be transferred to others
Rejected
Alice’s announced public key
Figure 19. The possible outputs of a receiver. The output is determined by the result of the quantum verifier circuit, which is based on the swap-transformation circuit.
holds, then all of the parties will receive the correct quantum key, or they will all reject it with very high probability. It has been proven that if Alice would like to cheat with the quantum states, then she has to increase the difference between the constants parameters c2 and c1 . On the other hand, she cannot increase the difference between the constants c2 − c1 , if the value of the c1 does not allow it. If the given inequality holds for the system, then an eavesdropper has no chance to sign the messages, since Eve will have − s−Pn)
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
N −2 (
2N
(45)
number of wrong keys. If Eve tries to use a false key, then the parties will discover it with probability 1 − τ 2 , hence the number of incorrect keys in the system will become
(
1 −τ 2 N − 2 (
− s−Pn)
)
2N .
(46)
This makes it very difficult for an eavesdropper to use a false key, since the parties will identify it with very high probability.
7. Quantum Authentication The quantum authentication scheme authenticates a message with quantum states and a classical key [Gottesman03]. The output of the quantum authentication scheme is an authenticated message, which is a quantum string. The quantum string will be the input of the verifier process, which produces the original message as output and results in a quantum state, which determines whether the message is acceptable or not. Bob uses quantum states to determine the validity of the message with the help of a quantum system. The two orthogonal states of the quantum system represent the possible decisions to be taken.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
39
7.1. Description of Quantum Authentication
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
The quantum digital signature method uses quantum states to identify the sender: if the receiving parties accept a message from a sender, it also implies that they have successfully identified the sender. While, in the case of the quantum digital signature protocol (see Section 6), the identity of the sender is revealed, in the case of the quantum authentication scheme, the revelation of the identity of the sender is not required. From an engineering point of view, the input conditions of the quantum authentication scheme are simpler, since they require only the validation of the message itself, without any information about the identity of the sender. Another important difference is that in the case of the quantum digital signature scheme, Alice sends a classical message and a quantum signature, hence the classical message is secured by a quantum string. In the case of quantum authentication, Alice sends a quantum message only, without any classical information. In this scheme, Alice encodes the quantum state with a classical key, and Bob decodes the quantum string with a classical key. Hence, in this case, the quantum information is encoded and decoded with the help of a classical key. We note that it is possible to use quantum keys, too, but for practical reasons, the currently developed protocols are based on classical keys. Classical keys can be handled and distributed more easily than quantum keys, and in this case, the parties do not have to use quantum keys for the encoding and the decoding of the quantum string. The security of the quantum authentication scheme is based on the fact that the message is encoded into a quantum string, and the quantum string itself provides the unconditional security of the scheme. The main differences between the functions of the quantum digital signature protocol and the quantum authentication protocol are illustrated in Fig. 20.
Quantum Protocol
Main Purpose
Quantum Digital Signature
Identification of the sender
Quantum Authentication
Validity of the message
Figure 20. The main goals of the quantum digital signature and of the quantum authentication scheme are different.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
40
Laszlo Gyongyosi and Sandor Imre
Classical Encoder Key
Classical Decoder Key
Alice’s unitary encoding transformation
Bob’s unitary decoding transformation
0 or 1
0
Bob’s quantum string
Alice’s quantum string
{ ρ1 , ρ 2 ,… ρ n }
U
U
−1
{ ρ1 , ρ 2 ,… ρ n }
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Figure 21. Alice encrypts the quantum message with a classical key, Bob verifies it with a classical key. The output of Bob’s verification is a single qubit and the decoded quantum message.
The quantum authentication scheme is based on classical encoding and decoding keys, however the result of the encoding and the decoding transformations are realized in the form of quantum states. If Alice would like to send a valid quantum message, she has to do the following. Alice, using her classical key, transforms the quantum states of her initial quantum register. She sends the quantum states to Bob, who also has a classical key, which key is the same as Alice’s if they use the symmetric encryption scheme. After Bob has applied the decoding transformation to his received quantum string, he has a transformed quantum string, and a single qubit as output. The single qubit is devoted to indicate the acceptance or the rejection of the transformed message. Alice’s unitary encoding transformation and Bob’s unitary decoding transformation with the single qubit output is shown in Fig. 21. The single qubit determines whether the received message was valid or not. The quantum authentication protocol is designed as a message validation scheme, and its purpose is to determine the validity of the received the quantum state. As has been shown by developers of the quantum authentication protocol, the protocol works perfectly if there is no eavesdropper in the quantum channel, and in this case, the output of the protocol will always be correct, with the acceptance of the decoded quantum message. And it follows that Bob’s verifier quantum state will be in the state acc . They have given a mathematical proof for this statement, and they have called this property the completeness of the protocol. The completeness of the quantum authentication scheme can be formalized as follows. Assume that Alice sends a quantum message ψ to Bob, and Alice uses a key, k ∈ K , in the encoding process. Bob knows the key, and he will use the same classical key as Alice. The one-qubit length output state of Bob can be in an acc or rej basis state, according to the result of his decoding transformation. The completeness property of the protocol requires that Bob has to identify the protocol correctly, even if the originally sent quantum state later was
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
41
modified. In this case, the protocol has to assure that Bob can decide correctly, however, in this case the state itself is not acceptable. To formalize this property of the quantum authentication scheme, the authors of the protocol have defined an operator. This operator results in a zero if Bob has made any mistake in the decision, while it returns with a one, if his decision was perfect. The projector P can be represented by a set of two projectors { P0 , P1} . The first part of the projector describes the state of Bob’s output message, while the “second part” of the projector describes Bob’s result on the verification. In notation, the first and the second parts are distinguished by the ⊗ tensor product, and the projectors of the correct and the incorrect decisions can be defined as:
Pmistake = ( I − ψ ψ ) ⊗ ( acc acc ) = 0 ,
(47)
Pcorrect = ψ ψ ⊗ I + I ⊗ rej rej − ψ ψ ⊗ rej rej = 1 ,
(48)
and
where I is the identity matrix. The Pmistake projector correspond to the wrong decision of Bob. In this case, he accepts the message as valid, thus his “verifier part” will be equal to acc acc , however his “message part” will differ from the original message ψ ψ . This is denoted by ( I − ψ ψ
) , which represents that Bob’s message is not the valid state.
The Pcorrect projector describes the correct decision of Bob’s verification. In that case,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Bob either accepts the massage—in this case the output of the “message part” is the original density matrix ψ ψ and his “verification part” is I . If this condition does not hold, then Bob rejects the message. One of the most important aims of the protocol is to fulfill the correct decision mechanism of Bob, hence the probability of the correct decision has to be maximal. Using these operators, they have shown that the probability that the total number of correct decisions of Bob’s, for a given set of keys k ∈ K , can be expressed as
pcorrect =
1 ⎛ ⎞ Tr ⎜ Pcorrect ∑ ψ k′ ψ k′ ⎟ , K ⎝ k∈K ⎠
(49)
where ψ k′ is the decoded state of Bob’s, and for a correct decoded state the projector Pcorrect will result in Pcorrect ψ k′ = 1 . It can be concluded that this probability will reach its maximum if Pcorrect ψ k′ = 1 for all k ∈ K . We would like to maximize the pcorrect probability, hence the optimal value for it would be pcorrect = 1 . But, in practice we have to count on some error ε in the decision, so the main goal of the protocol is to guarantee a lower bound for this probability: pcorrect ≥ 1 − ε . (50)
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
42
Laszlo Gyongyosi and Sandor Imre
This requirement on the quantum authentication protocol is formalized by the soundness property of the protocol. The soundness property can be used to extend this error probability for an eavesdropped quantum communication channel. If Eve attacks the channel, and she does an E transformation on the sent quantum message, then the quantum authentication protocol guarantees that the probability of the correct decision will be at least pcorrect ≥ 1 − ε . This soundness property can be formalized as follows:
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
⎛ ⎛ 1 Tr ⎜ Pcorrect ⎜⎜ ⎜ ⎝ K ⎝
∑ B ( E ( A( ψ
k ∈K
ψ
⎞⎞
) ) ) ⎟⎟ ⎟⎟ ≥ 1 − ε , ⎠⎠
(51)
where A, E and B denote Alice’s, Eve’s and Bob’s transformations. The inventers of the quantum authentication protocol have used the completeness and the soundness properties to define the security of the protocol. As they have stated, the proposed quantum authentication protocol is secure, if the protocol satisfies the completeness and the soundness properties. According to the error ε introduced in the soundness property, the protocol is ε -secure, if this error holds for all quantum states. In the practical implementation of the quantum authentication scheme, the parties use quantum error correcting codes. With the help of the quantum error correcting codes, the errors of the transmission can be detected and fixed. As we have stated here, the security of the quantum authentication scheme relies on the correctness and the soundness property. The correctness property defines the security of the protocol without the presence of an eavesdropper, hence this property assumes the fact, that the quantum channel is absolutely noiseless and error-free without an eavesdropper. The soundness property defines the security of the scheme for an eavesdropped quantum channel. The correctness property implies only that, without an eavesdropper, Bob’s input will be equal to Alice’s output state, hence the state will be accepted. The soundness property, or the ε -secure property, states that with an eavesdropper on the quantum channel, a modified quantum state will be accepted only with probability smaller than ε . We note that the purpose of the quantum authentication scheme differs from the purpose of the classical authentications schemes. In the classical authentication scheme, it is allowed for an eavesdropper to read the message, since in the classical authentication schemes it does not matter, whether the original message is readable by Eve, or not. In a classical system the encryption and the authentication are two different tasks, and they are independent from each other. In the case of a quantum system, Alice has to start with the encryption of the unknown quantum state, otherwise it cannot be authenticated. On the other hand, in the case of the quantum authentication scheme, the data cannot be readable by Eve. In the case of the quantum authentication scheme, our most important goal is to guarantee that an eavesdropper cannot read the message, since if she can read it, she can modify it. Moreover, she can modify it in such a way that the receiver will accept the different message as an authenticated message. In that case, Bob decodes the message, and after the decoding he will find, that the modified message is valid, however it differs from the original message. As a very important conclusion—contrary to the classical case—the quantum authentication scheme implies the encryption of the quantum states, thus the quantum message cannot be readable by Eve.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
43
Classical System
Encryption
Alice
or Authentication
Quantum System
Alice
and Encryption
Authentication
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Figure 22. In the case of a classical system, the encryption and the authentication of the messages are two different tasks. In the case of quantum system, the authentication of an unknown quantum states requires its encryption.
The main difference between the method of the authentication of a classical message and a quantum message is illustrated in Fig. 22. As follows from the previous statement, there is a fundamental theoretical difference between the authentication scheme used in a classical system and the quantum authentication scheme. In the case of the quantum version, we would like to authenticate a quantum message with a classical or quantum key, but this authentication is not possible without the encryption of the quantum states. While, in the case of a classical authentication scheme, the classical message can be signed without the encryption of the original message, such a procedure is not possible when we have a quantum message. It also follows that the quantum states cannot be signed in terms of the classical signature schemes. The main problem is that Eve can modify the original quantum message and she can modify it in such a way that Bob will conclude that the message was originally sent by Alice. In the case of a classical authentication scheme, the message cannot be changed in that, and hence it does not matter whether it is readable by Eve or not. In the case of the quantum authentication scheme, the conditions are stricter, since it is not allowed for an eavesdropper to read the quantum message, otherwise she can modify it, and Bob would even accept it in the modified form. The security of Alice’s encryption scheme can be approached as follows. Assume that Alice has two potential input messages ψ A and ψ B . Alice’s encryption scheme has error
ε , if her encoder encrypts the quantum information with the following property: Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
44
Laszlo Gyongyosi and Sandor Imre
1 Tr ( ρ A − ρ B ) ≤ ε , 2
(52)
where ρ A and ρ B are the encrypted quantum states, and ε is the error of the scheme. So, what does this requirement means? It means that Alice has no perfect encoder, hence she encrypts the plain quantum states with some error. Here, the error means, that the density matrices of the encrypted, different input quantum states are not exactly the same. Hence, there should be a difference between the output states, and they will not always be equal to the ideal maximally mixed quantum state. In practice, this ε -security allows a more usable and practical approach to achieve security with a quantum authentication scheme. For an ε secure protocol, the encrypted quantum states should be different, but the difference between the density matrices is limited by ε . We illustrate this with an example. If the quantum authentication protocol is ε -secure, than Alice’s encoder encrypts the quantum states with error 1 6
perror = 4ε ,
(53)
and to achieve this, her encoder requires at least
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
2m (1 − O ( ε ) )
(54)
classical key bits. In summary, in a quantum system, the authentication of quantum messages is not possible without the encryption of the quantum states. Hence, in a quantum system, the protocols for encryption and authentication are not separate, as in the case of classical systems: the quantum authentication protocol is an integrated encryption and authentication scheme. The security of the quantum authentication protocol has been proven mathematically, and as we have shown in this section, provided that there is no eavesdropper, Bob’s received quantum will be the same as Alice’s initial state. If an eavesdropper, Eve, tries to know the quantum state, Bob will reject the message. The security of the quantum authentication scheme holds for both pure and mixed initial input quantum states. The correctness and the soundness of the protocol have defined the security of the quantum channel, however these properties say nothing about the noise of the quantum channel. What happens, if there is no eavesdropping on the quantum channel, but the channel is noisy? The problem of noise can be handled by advanced quantum error-correcting schemes [Calderbank96], [Bacsardi09a], [Bacsardi10a], [Bacsardi10b] without any risk or any effect on the security of the protocol. The purity testing codes are a special subset of quantum errorcorrecting codes, and it has been shown that these codes can be applied in quantum message authentication schemes. The purity testing scheme checks the correctness of the entangled quantum states, and the theoretical background of these schemes is very similar to the “classical” quantum-error correction schemes. The correctness and the soundness properties can also be defined in terms of the properties of the purity testing schemes. The error of the purity testing scheme can originate from the error of the constructed error correction code, hence the security of the quantum authentication scheme is in correspondence with the puritycode construction.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
45
But what happens in the case of mixed quantum states? Well, we still have not analyzed the security of the protocol for mixed input quantum states. The mixed quantum states can be expressed as a reduced density matrix of a larger quantum system. However, the protocol also guarantees that if Alice sends a mixed quantum state through the quantum channel to Bob, then the sent quantum state cannot be replaced by any quantum state, which has the same density matrix as the original one had. As the protocol preserves the mixed quantum states, it also preserves entanglement, hence it also can be applied to realize secure transmission of entanglement through the quantum channel. The security of the mixed states and entangled states can be measured by the fidelity of the transmitted quantum states. In the case of mixed states, the fidelity is concentrated not just on the output states, but on the environment, too. If Alice sends pure states through the quantum channel, then only the fidelity of the output state has to be regarded. It has been also proven that if the protocol accepts an output state with high probability, then the fidelity of the output state has to be close to maximal, hence there is a correspondence between the success probability of the protocol and the fidelity of the transmission.
8. Uncloneable Quantum Encryption and Quantum Authentication
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
The uncloneable quantum encryption scheme is basically a generalized version of the quantum key distribution protocols, and it allows us to encrypt classical messages into quantum states. Here we discuss the uncloneable quantum encryption scheme and show, that there is a connection between the uncloneable quantum encryption scheme and the quantum authentication protocol.
8.1. Description of Uncloneable Quantum Encryption Quantum Cryptography has revealed the possibility of encoding classical information in quantum states with unconditional security. With the help of quantum information, absolutely secure communication systems can be realized in practice, and can be extended to many fields in which the classical versions cannot used to realize absolute security. The quantum schemes cannot be broken even with unlimited computational power, not even with a quantum computer. This is not true for classical schemes, which cannot provide absolutely secure communication. But with the help of quantum information schemes, and the combination of classical messages with quantum information, the classical messages can be protected from attacks even by quantum computers. With the help of uncloneable quantum encryption, the uncloneable property of the quantum states can be extended to classical messages, with similar properties as in the case of quantum cryptographic schemes: in some points the requirements are even simpler. The main purpose of the uncloneable quantum encryption scheme is to make it impossible for an eavesdropper to read or to copy the original quantum message. The uncloneable quantum encryption scheme protects classical information with the help of the properties of the quantum states.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
46
Laszlo Gyongyosi and Sandor Imre
The uncloneable quantum encryption scheme defines a method, which uses the quantum channel to send information securely through a quantum channel. The information is encoded in quantum states, and the eavesdropping mechanism of the scheme is just as the same as in the case of quantum cryptography. In the uncloneable quantum encryption scheme, Alice encodes the classical message into a quantum string, and she uses a classical key for the encoding. Classical Key
Classical PlainText message
U
{ ρ1, ρ2 ,… ρn } Encrypted Quantum Message
Figure 23. In the uncloneable encryption scheme Alice encodes a classical message with a classical key into a quantum string.
The general view of the uncloneable encryption is shown in Fig. 23.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Uncloneable Encryption
Quantum Authentication
Encryption of Quantum Messages
Figure 24. The authentication of the quantum states requires its encryption. The input conditions of the quantum authentication can be viewed as a subset of the input conditions of the uncloneable encryption scheme.
As in the case of a quantum cryptography protocol, the security of the scheme is based on the non-cloning theorem. In uncloneable quantum encryption, the quantum message cannot Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
47
be copied perfectly by an eavesdropper, any attempts to clone the message will be detected, and an intercepted quantum message cannot be used to extract some information about the original plaintext message. Based on these requirements, the uncloneable quantum encryption scheme integrates the quantum authentication scheme with secret encryption of the quantum messages. We note, this classification is a more generalized picture, and it does not depends on whether the given protocol uses classical information or not. Since the uncloneable encryption scheme can be built on the quantum authentication scheme, the uncloneable protocol can be defined in terms of the quantum authentication scheme. As has been shown, a quantum authentication scheme with error ε also realizes an uncloneable encryption scheme with error
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
15 16 ε , 2
(55)
if ε is small. The practical implementations of the uncloneable encryption scheme integrate classical linear codes for the encrypting, different codes for the distinct parts of the encrypting method. The encryption and the working mechanism of the uncloneable encryption scheme are both very similar to the basic QKD scheme. The fundamental properties of quantum mechanics, such as the no-cloning theorem, made it possible to realize secure information transmission through the quantum channel. Uncloneable quantum encryption has some connections with the quantum cryptographic schemes, since the no-cloning theorem states that the quantum message cannot be cloned by an eavesdropper, and an attacked message cannot be acceptable by Bob. On the other hand, uncloneable quantum encryption can also provide absolute security with a pseudo-random classical key, while in the case of quantum cryptographic schemes, the key has to be a truly random key. From the close connection between the quantum cryptographic schemes and the uncloneable quantum encryption scheme it follows that, in some cases, the uncloneable quantum encryption scheme can be used instead of the quantum key distribution scheme. We have seen that the difference between the uncloneable quantum encryption and the quantum key distribution scheme is relatively very small: both schemes are built on the no-cloning theorem. On the other hand, the fact that the uncloneable quantum encryption scheme remains secure in the case of pseudo-random, hence not truly random, keys allows us to extend the setting of the uncloneable quantum encryption protocol. I.e., the uncloneable quantum encryption scheme can be used in cases where the quantum key distribution scheme cannot be implemented for practical reasons. For example, if Alice and Bob have a quantum channel, but they have no ability to use truly random keys, they can instead use merely pseudo-random keys. In that case, the uncloneable quantum encryption scheme can be applied, since it provides the same security as the quantum key distribution scheme. It also follows that the uncloneable quantum encryption scheme can be extended to realize quantum key distribution. The differences between the two schemes are relatively small, no really fundamental improvements and modifications are required. The extension of the uncloneable quantum encryption scheme for quantum key distribution can be made as follows. Since the uncloneable quantum encryption protocol allows us to use a pseudo-random key, Alice can use a non-truly random number (i.e., a pseudo-random number) as a key. She chooses another
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
48
Laszlo Gyongyosi and Sandor Imre
pseudo-random number, and encrypts the second pseudo-random number with the first one, into a quantum message, and sends it to Bob through the quantum channel. The encrypted random classical messages are sent through the quantum channel, in the form of a quantum message. After Bob has received the quantum state, Alice sends to Bob the first random number in a public channel. This message is classical, hence it can be read by Eve. In that phase, Alice and Bob can be sure, that Eve has no information about the second random number, since she cannot have copied the quantum message perfectly, thus Alice and Bob will use the second random number as their new secret key. The implementation of the uncloneable quantum encryption scheme based on two pseudo-random numbers is illustrated in Fig. 25. The conclusion is, the uncloneable quantum encryption scheme can be extended to realize a quantum key distribution scheme. Public Channel First pseudorandom number
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Second pseudorandom number
⊕
U
Encrypted Quantum Message
{ ρ1,ρ2,…ρn}
−1
U
Encrypted message
⊕
Second pseudorandom number
Figure 25. Alice encodes a pseudo-random number with a second pseudo-random number into a quantum message and sends it through the quantum channel to Bob. In the next phase, she sends Bob the first pseudo-random number through a classical channel.
8.2. Security of the Uncloneable Quantum Encryption Scheme We discuss the security of the uncloneable quantum encryption scheme in two parts. First, we analyze the key distribution phase of the protocol, then in the second part we will describe the post-key distribution phase of the scheme, which mainly focuses on the capabilities of the eavesdropper.
8.2.1. The Key Distribution Phase As we have stated previously, the uncloneable quantum encryption scheme is very similar to the quantum key distribution scheme. If we would like to compare the two schemes, then we could say that the uncloneable quantum encryption scheme is a more general scheme than the quantum key distribution protocols, hence the latter can be viewed a subset of the uncloneable quantum encryption scheme. This statement can be easily understood if we consider the fact that the uncloneable quantum encryption can be used with pseudo-random keys, while the QKD requires truly random keys.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
49
This comparison also allows of analyzing the security of the uncloneable quantum encryption scheme from the viewpoint of the key distribution process. The key distribution phase of the uncloneable quantum encryption scheme is just the same as in the case of quantum key distribution, except that here the random key can be a classical pseudo-random message. Since, in the previous section we have seen that the uncloneable quantum encryption scheme is a generalization of the quantum key distribution schemes, it also follows that the security of the uncloneable quantum encryption scheme implies the security of the quantum key distribution methods. As we will see in the post-key distribution phase of the scheme, an eavesdropper can get the distributed key, and yet still has no chance to distinguish between the eavesdropped messages. This also can be extended to the distribution of the key, since in that case if she knows the first classical message, she cannot read the second message, which will be used as the key. The possibilities of an eavesdropper in the quantum encryption scheme are illustrated in Fig. 26. Eve’s results will be garbage data. The fact that the quantum key distribution scheme is a subset of the uncloneable quantum encryption schemes allows us to draw a conclusion about the security of the scheme. The uncloneable quantum encryption scheme allows of stronger security than the quantum key distribution scheme, however the overall security of the uncloneable quantum encryption scheme requires more additional classical information than does the quantum authentication scheme. We now, proceed to the next part of the security analysis of the uncloneable quantum encryption scheme. This second part covers the security of the authentication phase, which derives some important statements on an eavesdropper’s capability. Public Channel
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
First pseudorandom number
Eve’s decrypting
Imperfectly Cloned Quantum Message
{ ρ1, ρ2 ,… ρn }
U
−1
Encrypted message
⊕
Garbage data
Figure 26. The uncloneable quantum encryption scheme.
8.2.2. The Post Key Distribution Phase Assume that Alice, with the help of the uncloneable quantum encryption scheme, would like to send a message, with a previously distributed key, as we discussed in the section on the uncloneable quantum encryption scheme. Thus, Alice encrypts a message with a key into a quantum message, and sends it to Bob through the quantum channel. If the distributed key k is k , and her message is m , then she will send a quantum state ψ m to Bob. According to
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
50
Laszlo Gyongyosi and Sandor Imre
k the previous section, this ψ m
message can be used to share the classical message m
between Alice and Bob, with absolute security. At this point, we still have not yet formalized the security of the scheme, we have used just informal states. If we would like to describe formally the security of the scheme, then the following property has to be satisfied. Valid quantum state
Classical message
m
Modified message
ψ
ψ′
m′
Classical message
ε
Trace distance
Security check
Figure 27. The security check of the protocol is based on the trace distance between the valid and the modified state.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
k k The density matrix ρ = ψ m ψ m of the quantum state transmitted by Alice through the
quantum channel, averaged over the possible values of the distributed key, cannot have any correlation with the original message m . It is a natural requirement on the security of the whole scheme, but to describe it formally, we have to use the trace-distance between the possible messages as follows. The density matrix ψ ψ sent by Alice, averaged over the possible values of the key, can be expressed as
ψ ψ =
∑ψ
k m
k
K
ψ mk ,
(56)
where K is the number of the possible keys. The average density matrix ψ ′ ψ ′ for message m ≠ m′ can be taken to unconditionally secure, if for the trace distance between the averaged density matrix ψ ψ of the message m , and for the averaged density matrix
ψ ′ ψ ′ of the message m′ , 1 Tr ( ψ ψ − ψ ′ ψ ′ ) ≤ ε , 2
(57)
where ε is the error of the uncloneable quantum encryption scheme. This property makes the uncloneable quantum encryption scheme unconditionally secure, since without a knowledge of the distributed key k , the original message cannot be read. This property defines only the
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
51
security of the quantum message sent through the quantum channel, on the other hand, a phase is still missing from the uncloneable quantum encryption scheme. Assume that Eve attacks the quantum channel, and she would like to read the message m k k encoded in the quantum message ρ = ψ m ψ m . The result of her attack will be a modified
density matrix σ Bob , and this density matrix will be sent to Bob. The uncloneable quantum encryption scheme has to ensure that Bob can make the correct decision, and depending on the distance between the good and the modified density matrix, he can accept or reject it correctly. The probability that Bob will accept the modified density matrix as original, depends on the properties of the eavesdropper’s transformation. On the other hand, if Eve tries to copy the originally sent quantum state, she will have a density matrix σ Eve , which density matrix encodes her own result after the attack. The security of the uncloneable quantum encryption scheme can be formalized in terms of the eavesdropper’s density matrices, as follows. If the probability that Bob accepts message m is p ( m ) , then for any two messages m ≠ m′ , the trace distance between Eve’s density matrices σ Eve ( m ) and
σ Eve ( m′ ) has to be
1 Tr ( p ( m) σ Eve ( m) − p ( m′) σ Eve ( m′) ) ≤ ε , 2
(58)
for a proportion of the possible values of the key greater than 1 − ε . Hence, if the error ε of the uncloneable quantum encryption scheme is known, then an upper bound on the eavesdropper’s capability can be given. In this equation, the probabilities p ( m ) , p ( m′ ) of
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
the density matrices σ Eve ( m ) and σ Eve ( m′ ) can be used to derive other properties of the uncloneable quantum encryption scheme. If the difference between these probabilities is small, then the trace distance will be also small. Hence, if p ( m ) allows it, then the value of
1 Tr (σEve ( m) − σ Eve ( m′) ) 2
(59)
will be also small. And what does this result means? It means that Eve cannot tell whether Alice has sent message m or m′ , even after she knows the key k, which was used to encode and decode the given messages, and the probability that Eve will be detected is very high in both cases, independent of the message actually sent. The formulation of the security of the uncloneable encryption scheme states that the eavesdropper will not be able to distinguish between any two messages, or the states will be very hardly distinguishable. This latter statement on the security of the scheme holds also if the eavesdropper knows the key to decrypt the intercepted messages, since it does not help Eve to distinguish the messages. On the other hand, since there is some error in the system, Bob could accept some cloned messages, however this probability is negligible in the practice. A practical implementation of the scheme based on the classical four-state QKD protocol has been constructed. The implemented uncloneable quantum encryption scheme was designed with one-time pad cryptography and error-correction codes. The encoding was
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
52
Laszlo Gyongyosi and Sandor Imre
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
realized by error-correcting codes and parity checking, by different encrypting keys. In the next step, the encoded quantum states were encoded again in different bases, and this step was realized with a third encoder key. In the previously shown security analysis, the uncloneable quantum encryption scheme was initialized with the possibility that the key can be a pseudo-random key, hence the protocol can allow maximum security with a pseudo-random key. From an engineering point of view, this is a very important point, since the protocol would be much more easily implementable in practice, if the parties could achieve maximum security with pseudorandom keys. Fortunately, the previously shown security bounds still hold for pseudo-random keys, hence the same conclusions can be drawn about the security of the uncloneable quantum encryption scheme if the protocol uses pseudo-random keys. As we have seen, in both cases—truly random and pseudo-random keys—an eavesdropper can extract at least minimal information from the original message. However, the situation will change as soon as Eve can use a quantum computer, since a pseudo-random encoding cannot resist the computational power of quantum computers. As an important consequence, if we would like to use the uncloneable quantum encryption scheme in the future, when the eavesdropper can attack with a quantum computer, then we have to use truly random keys. On the other hand, as long as the classical architectures are still in use, and an eavesdropper cannot use a quantum computer, pseudo-random keys can be used with high reliability. Looking now more deeply, what can Eve achieve if she has a quantum computer? As has been shown by the authors of the uncloneable quantum encryption scheme, if an eavesdropper has a quantum computer, then she can break the pseudo-random sequence. But, that’s the most that she can do. The unconditional security of the truly random scheme still holds, and she cannot break it using quantum computers. If Eve has a classical computer, then she cannot distinguish between the truly random and the pseudo-random keys.
9. Quantum Secret Sharing The task of secret sharing is a well-known cryptographic problem in classical cryptography. As we will see here, this cryptographic problem also has a quantum analog, similar to the discussed cryptographic primitives of the chapter. The secret sharing problem has many variations, however the original problem remains the same. In the problem of secret sharing, Alice would like to share a secret bit among n participants. The participants are called shareholders. The number k specifies the shareholders needed to reconstruct the secret of Alice. Alice’s secret bit can be an arbitrary piece of information, the gist of the protocol lies in the sharing of this information, hence it relevance is secondary.
9.1. Description of Quantum Secret Sharing But the problem is not so simple, because she would like to do it in such a way, that any group of k or more users can compute the value of secret bit, but any group of k-1 users or less has no chance of knowing the value of the secret bit. If this condition holds, then the secret sharing protocol is called a ( k , n ) -threshold scheme, where k ≤ n . In the standard
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
53
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
version of the secret sharing problem, the number of “not allowed” parties is less than k. They would like to reconstruct Alice’s secret without any permission. The general model of the problem of secret sharing is illustrated in Fig. 28. In one variant of the classical version of the protocol, if the group k is equal to n, then the protocol is called secret splitting. In the model of secret sharing, only the shareholders can reconstruct the original message, however it is possible to define other groups of shareholders, which groups cannot reconstruct the message. In the definition of the secret sharing problem, the properties and the relevance of the shareholders is the same, hence there is no difference in their capabilities. However, in a practical application this condition easily could fail, since some parties could be more important. The importance of the users can be controlled by the definition of various access structures. These access structures determine which sets of users are allowed to reconstruct the secret, and with what kind of attributes they can do that. The access structures also determine the sets of user which are not allowed to reconstruct the original secret. It is allowed to give new users to a group, however it is not possible to convert a group from allowed to not allowed status, since the parties of the originally defined valid group can reconstruct Alice’s secret, despite the fact that a non-valid user has been added to group. On the other hand, by removing a non-valid user from an unauthorized set, the set will remain unauthorized. While the managing of the groups of the valid and invalid users is a rather easy task in classical systems, the problem is more complicated in a quantum system. The main difference between the classical version and the quantum versions of the protocol lies in the no-cloning theorem.
Alice’s secret quantum state
ψ1
ψ2
ψ3
ψ4
…
ψi
ψ1
ψ2
ψ3
ψ4
…
ψi
≥ k parties
ψf
< k parties
Figure 28. In the problem of quantum secret sharing only k or more users can compute the value of the secret bit.
The quantum version of the secret sharing protocol can be defined in two different approaches. It can be defined for secret sharing of classical information, and for the secret sharing of quantum information. The classical-type of the quantum protocol was defined by
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
54
Laszlo Gyongyosi and Sandor Imre
Hillery et al. [Hillery99], and their scheme was the first quantum secret sharing protocol. Later, the protocol was extended for sharing of quantum information by Cleve et al. [Cleve99] and Crépeau et al. [Crépeau02], Gottesman [Gottesman2000a]. The main difference between sharing classical information and quantum information is the no-cloning theorem.
9.2. Quantum Protocol for Sharing Classical Information
Ch an ne l
Alice
ic bl Pu
Pu bl ic
l ne an Ch
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
In that case, if the parties would like to share classical information with the help of a quantum protocol, then Alice has a classical bit with classical logical value zero or one, and she would like to share it between Bob and Charlie, with controlled authorities. In the general implementation of the protocol, Alice, Bob and Charlie share a GHZ (Greenberger–Horne– 1 Zeilinger) state ( 000 ABC + 111 ABC ) , and they will use this entangled state for secret 2 sharing of classical information. The parties measure their own state with a random basis, independently from each other. In the next step, the parties announce their bases, hence they can detect the correlations between the measurements. If the parties then find that the results are correlated, then Alice shares her secret with Bob and Charlie. In this phase, Bob and Charlie individually have no information about the secret bit, hence they have to cooperate. Alice can decide whether she sends the message to Bob, or Charlie, or both, using the key, which was generated by the GHZ state, since the correlated measurement generated a secret key between the parties. We note, that the probability that the results of the participants are correlated is only 50%. Bob and Charlie can generate a secret key among them, with the help of the GHZ state and this key can be used among themselves.
Ψ GHZ Charlie
Bob Public Channel
Figure 29. Alice, Bob and Charlie share a GHZ state. The measurement results are announced through the public channel.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Quantum Cryptographic Protocols and Quantum Security
55
If Bob and Charlie have used the same bases for the measurements, then they have a secret key. Since the working mechanism of the protocol is based on the measurement of a GHZ state, the behavior of the system is rather probabilistic, and the success probability in this phase for a successful key generation is only 50%. The success of the key agreement depends on the measurement bases of Alice, Bob and Charlie. If the three parties, Alice, Bob and Charlie share a GHZ state, then they have four valid choices of the measurement bases, according to whether they use the rectilinear or the diagonal bases. But what happens if the quantum state has been intercepted by Eve between Alice and Bob, or between Alice and Charlie. The state can be modified by Eve, but it would have been done by the other party, Bob or Charlie, too. On the other hand, this damage can be controlled, if Bob and Charlie perform some measurements in a random basis, and they send the information on their basis choice to Alice, however this authentication requires a classical and authenticated channel between Alice and the parties. The eavesdropping activity can be detected and the noise of the quantum channel can be handled with some additional steps, which are called information reconciliation, similar to quantum cryptography. On the other hand, the security of the protocol implicitly requires that Alice shared the particles of the GHZ state between the parties in secret, otherwise the complete definition of the security of the scheme is a more complicated task. The eavesdropping activity between Alice and Bob, or between Alice and Charlie has to be detected in order to realize a secure quantum secret sharing. This question can be solved by the revelation and public announcement of the parties’ measurement bases, however there is also another solution for this problem. Alice can send different secret quantum bits to Bob and Charlie since she can use a quantum encoding scheme. This encoding scheme protects the value of the quantum state, and resists noise and attacks of an eavesdropper. Alice has to choose the correct encrypting scheme, similar to the quantum key distribution schemes. The generalized version of Hillery’s quantum secret sharing protocol is based on GHZ states, and uses the correlation between the particles of the GHZ states to share secret classical information with the help of the quantum states. The protocol does the same as the two party quantum cryptography protocols, however in this case, we have to establish distinct QKD protocol runs between Alice and all other authenticated parties of the protocol. We note that an authenticated classical channel is required to complete the security steps of the protocol. Hillery’s basic protocol was later augmented with the four-state QKD protocol. The steps of Hillery’s basic protocol can be summarized as follows [Hillery99]. 1. Alice would like to share her secret classical bit between Bob and Charlie. 2. Alice has a quantum channel, and an authenticated public channel with Bob, and Charlie. 3. Alice uses the four state QKD and authenticated public channel to generate a secret bit with Bob and Charlie. The two bits could be different. 4. Alice uses the distributed bit as the key to send her secret bit to Bob and Charlie. In the encryption phase, Alice encrypts her information with all of the keys, hence she applies a double encryption. She sends this double encrypted bit to Bob and Charlie. 5. Bob can decrypt only his part, and the same for Charlie. To decode the state, the parties have to collaborate to each other, since the Bob has no information about Charlie’s key, and vice versa.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
56
Laszlo Gyongyosi and Sandor Imre 6. Later, other versions of the quantum secret key sharing protocol were introduced, using entanglement-based QKD instead of the basic four state QKD, or entanglement swapping techniques.
9.3. Quantum Protocol for Sharing Quantum Information
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
In the previous part, we have analyzed the quantum secret sharing protocol, with classical information sharing. The quantum secret sharing protocol can be used to share quantum information, however, according to the no-cloning theorem, the protocol does not allow of defining various data structures for handling the behavior of the protocol and the parties. While the possible structures are more limited than in the case of sharing classical information, on the other hand, in exchange for the limited possibilities, the security arises from the properties of quantum mechanics. The secret sharing of quantum information was introduced by Cleve et al. [Cleve99] and Gottesman [Gottesman2000a], with a qutrit-based scheme. The parties can apply unitary transformations on the particles, and both the encoding and the decoding processes are realized by unitary transformations. Alice shares the entangled qutrits with the parties, and after she shared the particles, they “see nothing,” since all the particles are maximally mixed quantum states. This means that each particle leaks out information from the original secret of Alice, hence the parties have no chance to get any information about the state. From an engineering point of view, it also means that the correlation between the secret and the distributed particles is zero, thus there is no mutual information between the secret and the states of the receiving parties of the protocol. Now, one can ask, how could they use their maximally mixed quantum state, since it contains only zero bit information. The parties can reconstruct the secret, if the parties collaborate with each other [Bouda01]. Assume that Alice has an entangled qutrit in state
α 0 + β 1 +γ 2 =
1 3
(α ⎡⎣ 000
+ 111 + 222 ⎤⎦ +
β ⎡⎣ 012 + 120 + 201 ⎤⎦ +
(60)
γ ⎣⎡ 021 + 102 + 210 ⎤⎦ ) ,
and she shares one combination from the possible combinations. In the encoding phase, Alice applies a unitary transformation only on her own quantum state, hence the transformation
U (α 0 + β 1 + γ 2
)0
0 will result in one from the three possible outcomes, as shown
above. If Alice shares one particle with Bob, and the other one with Charlie, then Bob and Charlie individually have no chance to regenerate the original message, however they can do it if they collaborate with each other. As has been shown by the authors of the protocol [Bouda01], if Bob and Charlie add the value of the first share to the second share, and then the second share to the first share, then the result will be the following state:
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security 1 3
(α
0 + β 1 +γ 2
)( 00
+ 12 + 21 ) =
1 3
57
α 000 + β 112 + γ 221 .
(61)
But, how could Bob and Charlie achieve these results? They have to use special unitary transformations on their own particles. This unitary transformation can be defined as follows:
U1,2 =
∑
xy x x + y mod3 ,
hence this unitary transformation maps an input
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
(62)
x, y=0,1,2
( x, x + y )
to
( x, y ) ,
using modulo
arithmetic. In this phase, we can conclude that Alice, Bob and Charlie use a single quantum error correcting scheme, using qutrits instead of qubits. And that is the most important difference between the secret sharing of quantum information and simple error correcting schemes. This error correcting scheme and this code structure can correct the damage of one qutrit, hence Bob’s or Charlie’s qutrit can be corrected with this scheme. It follows that every quantum secret sharing scheme is a quantum error correcting scheme, however not every error correcting scheme can be used for the secret sharing of quantum information. On the other hand, since the quantum secret sharing protocol is based on quantum error correction, it also can be used to correct a qutrit of an unauthorized party, hence some information can be leaked to an unauthorized party from the secret. However, this is possible only if the secret is not a non-orthogonal state. For a non-orthogonal quantum state, the nocloning theorem makes it impossible to know the state exactly. An interesting property of the quantum secret sharing protocol is that Alice can decide whether she would like to use pure or mixed quantum system for the sharing of quantum information. However, it also reduces the number of possible participants in the protocol, since she has to destroy one particle after she created it. For example, if she uses only two qutrits, hence she reduces the pure state
α 0 + β 1 +γ 2 =
1 3
(α ⎡⎣ 000
+ 111 + 222 ⎤⎦ +
β ⎣⎡ 012 + 120 + 201 ⎤⎦ +
(63)
γ ⎡⎣ 021 + 102 + 210 ⎤⎦ ) ,
into the mixed system 1 3
(α ⎡⎣ 00 =
+ 11 + 222 ⎤⎦ + β ⎡⎣ 01 + 12 + 20 ⎤⎦ + γ ⎡⎣ 02 + 10 + 21 ⎤⎦ 1 3
(α ⎡⎣ 00
00 + 11 11 + 22 22 ⎤⎦ +
β ⎡⎣ 01 01 + 12 12 + 20 20 ⎤⎦ + γ ⎡⎣ 02 02 + 10 10 + 21 21 ⎤⎦ ) .
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
) (64)
58
Laszlo Gyongyosi and Sandor Imre
This mixed system state consists of only two qutrits, the third qutrit was destroyed by Alice. Now, the question arises: does the mixed-state version have any advantages over the pure-state protocol in the sharing of quantum information? There is no significant difference in the mixed state and the pure state versions of the protocol, hence the same security holds for the mixed state version, as for the pure state version. It follows that the security of the mixed state version of the protocol can be described by the security of the pure state version, the main difference is only that one qubit is discarded from the system. This is an important conclusion, since a new model is not needed to describe the security of the mixed state based protocol. In the general model, the parties can communicate with each other in order to regenerate the secret, but this condition can be defined in a stricter manner, too. A harder extension of the quantum secret sharing protocol is called the data hiding scheme, in which it is not allowed for the parties to communicate with each other through the quantum channel. In this case, after the particles have been shared between the parties, the possible operations are restricted to local operations, and only the classical communication channel can be used between the parties.
Alice
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Alice destroys the third qutrit
(
1 α ⎡⎣ 00 00 + 11 11 + 22 22 ⎤⎦ + 3
β ⎡⎣ 01 01 + 12 12 + 20 20 ⎤⎦ +
Bob
γ ⎡⎣ 02 02 + 10 10 + 21 21 ⎤⎦ )
Charlie
Mixed environment
Figuer 30. After Alice has destroyed the third qutrit, the result will be a mixed environment.
The general model of data hiding as an extension of the quantum secret sharing scheme is illustrated in Fig. 31. As we have seen in this section, the method of quantum secret sharing for quantum information is based on the properties of quantum error correction. The protocol also implies quantum secret key distribution, and the encryption of classical and quantum information. In all the different versions of the secret sharing protocol, the parties have to collaborate with each other to reconstruct the secret information, using either the quantum channel or the classical communication channel.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
59
Alice
b Pu
Ch an ne l
Local operations lic el
Pu bl ic
n an Ch
Charlie
Bob Local operations
Public Channel
Local operations
Figure 31. The quantum data hiding scheme as a stricter extension of the quantum secret sharing protocol. Only local unitary operations and public communication are allowed between the parties.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
10. The Quantum Public Key Scheme Public key cryptographic systems have many advantages, since these methods can be applied with high efficiency. Public key systems introduced many new algorithms, such as digital signatures and asymmetric key cryptography. A public key is a publicly announced key, and it has an inverse, called the private key. If Alice would like to send a message to Bob, then she encodes her information with Bob’s public key, and sends it to him through an insecure channel. The message can be decoded only with Bob’s private key, hence an eavesdropper has to generate Bob’s private key from his public key, which at present is a very hard problem. In the future, however, after quantum computers become operational, this statement will not hold good any longer.
10.1. History of Quantum Public Key Scheme The idea of a quantum public key scheme was published by Bennett and Brassard [Brassard94], later Gottesman and Chuang introduced a method [Gottesman01] which used quantum states as public keys. The efficiency of these early solutions was quite low. Later, Pan [Pan10], Yang [Yang03], and Kawachi et al. [Kawachi05], developed a more efficient method, and they introduced the definition of computational indistinguishability of quantum states. The efficiency of their solution was higher than that of Gottesman and Chuang [Gottesman01] since the key quantum states were generated by efficient quantum one-way functions.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
60
Laszlo Gyongyosi and Sandor Imre
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
10.2. Description of Quantum Public Key Scheme So, why do we need to discuss the quantum public key methods? The currently used classical public key methods will no longer be able to guarantee security as soon as Shor’s prime factorization algorithm, or other quantum algorithms based on quantum searching, break the currently used classical cryptographic schemes. So, the classical public key methods remain secure only in the classical setting. In analogue with the classical public key methods, the quantum public key schemes could provide security against attacks by quantum computers, which is provided by the classical public key schemes against attacks by classical computers. In this section, we discuss the properties of the quantum versions of classical public key systems. The quantum protocol also defines a public key and a private key. Alice’s private key defines a unitary transformation, and combines the results of quantum teleporting and quantum encryption. On the other hand, the currently published quantum public key methods have several limitations, since every encrypted message requires a new copy of the public quantum key. The quantum public key protocol is very similar to the quantum digital signature, see Section 6. The parties use the same key distribution method, and they apply the swap test to check the validity of the keys. As we have seen, the quantum signature scheme requires the encryption of the unknown quantum state, otherwise an unauthorized party can read and change the message, hence an invalid signature can be constructed. Currently, the efficiency of the quantum public key systems is significantly lower than the efficiency of the classical public key schemes, however there are very many open questions. As we have seen in the case of quantum digital signatures, the problem of the signature of quantum states can be increased dramatically, if instead of an unknown quantum state, the parties have to sign a known quantum state. This result also can be used in public key cryptography. In 2010, Pan and Yang introduced an efficient solution for the problem of quantum public key cryptography [Pan10]. The simplified picture of their protocol consists of Alice, Bob and a Public Register. At first, Bob sends his public quantum key to the public register. Alice will get Bob’s public key from the Public Register. After Alice knows Bob’s public quantum key, she encrypts her message—assume, for simplicity, that it is only one bit long— into a quantum state, and sends the encrypted message to Bob. The general model of their quantum public key method is based on a quantum one-way function f , which, given a value of an input, generates a quantum state as output. This one-way quantum function is used to generate the public quantum key: f ( x, ρ ) = ρ if x = 0 , (65) and
f ( x, ρ ) = σ if x = 1 .
(66)
In the quantum public key protocol, the parties will use this function to generate encoded messages and to decode them. Bob generates a public quantum key f ( x, ρ ) and sends it to the public register entity, where x is a classical message and ρ is a quantum state. If Alice would like to send a quantum message encoded with Bob’s public quantum key, then she has
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
61
to ask for Bob’s public quantum key from the public register. After Alice has received Bob’s public key from the public register, she use the relation f ( x, ρ ) = ρ if x = 0 , and
f ( x, ρ ) = σ if x = 1 . After Alice has generated her message, she sends it to Bob. The process of encoding based on the quantum public key protocol is illustrated in Fig. 32. Phase 1. Bob’s Quantum Public Key From Bob to Public Register Classical channel
Bob
N
Public Register
Quantum channel
Phase 2. Bob’s Quantum Public Key from Public Register to Alice
Public Register
N
Alice
Phase 3. Alice’s encoded message to Bob
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Alice
N
Bob
Figure 32. The quantum public key protocol.
In the key generation process, Bob randomly chooses a quantum one-way function, which, given an n-length input, produces an n-length output. This function
F : {0,1} → {0,1} is used by Bob as the private key. In the next step, Bob selects a message n
n
x , and using this message, he generates his public key with the help of his one-way quantum function F . He give as input message x to his quantum one-way function F , which produces y = F ( x) . (67)
He will use this information in the form of a quantum message, as ρ y = F ( x ) . In the next step, Bob sends his classical message x and his public quantum key ρ y = F ( x ) to the public register. If Alice would like to send a message to Bob, she has to get the key from the public register. After she receives it, she can send a message to Bob, using the following encoding scheme. She encodes a logical 0 into the quantum state ρ y = F ( x ) , while she encodes logical 1
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
62
Laszlo Gyongyosi and Sandor Imre
into a σ y = F ( x ) quantum state. After she has generated the encoded message using Bob’s public keys, she sends the message
( x, ρ
y= F ( x)
) or ( x,σ
y = F ( x)
)
(68)
to Bob. Bob will use his private key—which is the quantum one-way function F —to decode the encoded message. To decode the message, Bob has to compute
y = F ( x) ,
(69)
where F is the secret quantum one-way function—or private key—and x is the classical message of Alice. To finish the decoding, Bob has to decrypt Alice’s quantum state with his calculated private key. In this phase, Bob decodes the message with his private key y = F ( x ) , which will result in:
((
)) → 0 ,
(70)
((
)) → 1 .
(71)
y = F ( x ) : x, ρ y = F ( x )
or
y = F ( x ) : x, σ y = F ( x )
The proposed scheme can be implemented as a working quantum public key method,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
however Bob’s public key pair
{( x, ρ
y= F ( x)
) , ( x, σ
y = F ( x)
)}
can be used to encrypt just one
classical bit, hence to make it applicable in practice, Bob has to generate very many public keys. Another important question is Bob’s private key. He uses the quantum one-way function F ( ⋅) as a private key, however this function cannot be used for an arbitrarily long time, since every message leaks one bit information from the function. Bob can solve this problem provided he changes his key regularly.
10.3. Security of the Quantum Public Key Protocol The security of the quantum public key protocol is based on the quantum one-way function and the indistinguishability of the quantum messages generated by the quantum oneway function. As has been shown by the inventors of the quantum public key protocol, the protocol is able to provide information theoretic security against a chosen plaintext attack. The chosen plaintext attack is the only way to realize an attack against the quantum public key protocol. In this attack, Eve tries to choose plaintext messages in such a way that the encoded message would be equal to the plaintext. If she is able to find an input–output pair in which the output message is equal to the input, then she can extract some information about the key.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
63
It follows that it is an important point in the quantum protocol, that the output messages have to be indistinguishable for an eavesdropper, since this makes it impossible for an eavesdropper to extract any information about the secret. If Eve cannot compare the encrypted messages, then she has lost her capability of decrypting the message. As the authors have shown, in their protocol, the probability that Eve can distinguish two 1 density matrices is less than , where p ( n ) is a positive polynomial. Here, the distance p ( n) between the density matrices is measured by the trace-distance, hence this property can be rephrased in terms of probability distributions and POVM measurements. The trace distance between two quantum messages ρ and σ can be defined as
1 D ( ρ , σ ) = Tr ( ρ − σ ) . 2
(72)
The security of the quantum public key protocol lies in the fact that the maximum of the trace distance between the encrypted quantum states ρ and σ is less than or equal to
max
(
)
1 ∑ Tr Em ( E ( ρ ) − E (σ ) ) = max D( pm , qm ) , 2m
(73)
where Em is the set of POVM measurements, E is Eve’s operation on the two quantum messages ρ and σ , and pm , qm are the two probability distributions. These probability
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
distributions can be expressed as pm = Tr ( E ( ρ ) Em ) and qm = Tr ( E (σ ) Em ) , where m is the
outcome of the quantum measurement. The protocol uses GHZ states to generate maximally indistinguishable quantum states: the most important thing is to reach the maximal indistinguishability of the generated quantum states. To measure the indistinguishability of the quantum states, we use the trace distance. In the case of the quantum public key scheme, the trace distance between the messages is ⎛1⎞ D ( ρ ,σ ) = ⎜ ⎟ ⎝2⎠
n −1
=
1 , 2n −1
(74)
hence the probability that an eavesdropper can distinguish between two messages generated by the quantum public key scheme is negligible. Now, let’s see how these security assumptions can be implemented in practice. If there is an eavesdropper between Alice and Bob, she can apply two kinds of methods for attacking. In the first kind of attack, Eve would like to know the value of y = F ( x ) from the publicly announced x . Since Eve does not have Bob’s private one-way quantum function F, she has to measure the quantum state ρ y = F ( x ) or σ y = F ( x ) . If she measures one of the quantum states, then the probability that she can decrypt the message is equal to the one-time pad case. It follows
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
64
Laszlo Gyongyosi and Sandor Imre
that Eve has no chance to get any information from y = F ( x ) , hence she has to use a different strategy. Her second chance is to try to distinguish between the quantum states, however as we have seen previously, this strategy can be achieved successfully only with a very small probability. In this case, the eavesdropper’s security is less than or equal to
1 , 2n−1
(75)
hence for any polynomial there exists an n for which the distinguishably of the quantum states cannot be realized in practice.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
10.4. Eve’s Attack on the Quantum Public Key Method The quantum public key method depends very strongly on the communication between Bob and the public register, and on the communication between Alice and Bob. The question naturally arises, what will happen if there is an eavesdropper between Alice and Bob? Eve can realize a man-in-the-middle type of attack against the protocol, and can attack the quantum channel between Alice and Bob. The eavesdropper uses a superposed quantum state to replace the messages. Eve has a 1 state ( 0 + 1 ) , and she will use this state to replace one state from the n states of the 2 public key. Alice will then get a fake key from Eve, and she will use this state for encoding. Since the eavesdropper’s state is correlated, the encoder of Alice will also change the state of Eve. Eve can then get the message by measuring her own quantum state. For example, if Alice encrypts a logical zero, then she will apply a Pauli transformation, Z, and the initial 1 state of the eavesdropper will change to ( 0 − 1 ) . Now, if Eve measures her qubit, then 2 she will get a logical one as output, and hence she will know Alice’s original message. This type of attack works against the quantum public key protocol, but it is possible defend. To defend, the quantum public key method has to guarantee that Alice can reach Bob’s authenticated public keys, otherwise anybody can call themselves “Bob.” In the case of the quantum public key method, this condition can be satisfied if and only if the quantum public registers are secure, hence the public registers cannot be compromised. If these conditions hold, then it is possible to construct a secure quantum public key method, which can be extended to arbitrarily long messages.
10.5. Behind the Security of the Quantum Public Key Protocol As we have seen, the indistinguishability property of the quantum states has great importance in the security of the quantum public key method. This property can also be extended to the case of many bits. Assume that the parties would like to use a two-qubit length quantum string. The trace distance between the four possible two-qubit length quantum messages is
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
D=
1 . 2n
65
(76)
To illustrate the indistinguishability property for many bits, the authors have defined four different, two-qubit length quantum states { ρ00 , ρ01 , σ 10 , σ 11} , and they computed the trace distance between them:
D ( ρ00 , ρ01 ) =
1 1 1 , D ( ρ00 ,σ 10 ) = n − 2 , D ( ρ00 ,σ 11 ) = n − 2 . 2n − 2 2 2
(77)
If these distances between the quantum states hold, then it is possible to construct a quantum public key method, for which each of the trace distances between any two states of 1 these four states is equal to D = n . As we have depicted, the trace distances between ρ00 2 1 and the other three possible quantum states ρ01 , σ 10 and σ 11 are equal to n− 2 , thus the 2 trace distance between any two quantum states of three possible ρ01 , σ 10 and σ 11 , is less
1 . 2 The working mechanism of the protocol for multiple bits can be described just as in the one-qubit case. For example, in the case of a two-qubit length scheme, Bob generates his key in the same way: he chooses a message x, and with his private one-way function he generates two bits F ( x ) = ( y1 , y2 ) , and an n-length qubit string ρ F ( x ) =( y1 , y2 ) and sends it with the than
n−3
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
classical message x, to the public register. As in the previous case, Bob’s public key will be
( x, ρ ( ) ( ) ) . F x = y1 , y2
If Alice would like to send a message to Bob, she encrypts the message 00 into a quantum state ρ00 , the 01 into ρ01 , the 10 into σ 10 , and the 11 into σ 11 . Alice can prepare these quantum states easily, using the basic I and Z Pauli transformations. Now, we can ask the question, whether the security level will be the same for all density matrices, or not. The answer is simple, since the security of the public quantum key scheme for arbitrary message lengths is guaranteed by the fact that the trace distance between every 1 pairs of the possible quantum states is at least D = n . Thus, the extended version of the 2 quantum public key scheme is also able to guarantee the information theoretic security.
11. Quantum Money Quantum money is a very interesting practical application of the revolutionary possibilities of quantum information processing in the security systems of the future. The theoretical background behind quantum money is based on the fundamental results of quantum mechanics, such as the no-cloning theorem, and the laws of quantum physics.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
66
Laszlo Gyongyosi and Sandor Imre
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
11.1. History of Quantum Money The first idea of quantum money was introduced by Wiesner in the early 1970s, however it was never realized in practice. Quantum money uses quantum states to identity the “quantum money,” and according to this fundamental difference between the classical and the quantum approaches, quantum money cannot be cloned perfectly. Wiesner’s early proposal was seemed to be completely impracticable, hence what is followed in the next few decades is a very big silence. After Wiesner’s idea, the possibility of quantum money has been revealed again just in the late ‘90s. After Wiesner’s original idea, the ideal of quantum money has returned in a new form, using an “updated” scheme [Aaronson09], [Ambainis04], [Mosca06], [Mosca07]. The new construction is a more-effective quantum money scheme then the earlier version was, with higher efficiently, uncopyable property, and anonymity for the users of quantum money scheme. However, the basic idea of quantum money technically did not changed, - thus quantum money is realized by quantum states as in the case of the first proposes - however, the operations and the computing mechanisms were improved significantly since the first approaches were introduced. Later, the idea of quantum money has lead to the definition of the quantum bill, which is an extended version of the newer quantum money approaches defined in the late ‘90s [Stebila09]. After Wiesner’s famous quantum money, the idea of quantum money has been disappeared from the publicity, and the revelation has arrived only in the late ‘90s. As quantum money was one of the first and the earliest “theoretical implementation” of the quantum information processing in the “practice,” these schemes are also seemed to be completely impractical and “useless.” After Wiesner’s idea, Bennett and Brassard studied the possibility of quantum money, however their results were not demonstrated in practice. They defined a bank that handles and authenticates quantum money, and every quantum money can be identified with a classical serial number.
11.2. Description of Quantum Money Quantum money consists of random quantum bits, using two non-orthogonal bases. According to the no-cloning theorem, these quantum states cannot be copied perfectly, since the bases of the quantum states are unknown. The working scheme and the theoretical background of quantum money is very similar to the quantum cryptography, and the quantum states of quantum money can be verified only by the authenticating bank, who knows the bases of the quantum bits. In the verification process, the bank identifies the quantum money with the help of the order of the bases, and the classical string, which encodes the measurement results of each quantum bit. If Alice would like to authenticate her quantum money with the bank, then Alice has to send her quantum states through a quantum channel to the bank, which necessity makes the protocol very inefficient in practice. The working mechanism of the very first approach of the quantum money protocol is illustrated in Fig. 33. The method uses online verification.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
67
Later, the requirement of an online quantum channel between Alice and the bank was modified. Such new approaches were presented by Tokunaga, Okamoto and Imoto [Tokunaga03], who introduced a method in which Alice gets a new quantum state for the verification of her money. This quantum state is a random state: the bank generates it according to the stored parameters of Alice. After the bank has sent this verification state to Alice, she applies a unitary transformation to the received quantum state. This unitary transformation ensures Alice’s anonymity, and if Alice would like to buy something from the quantum shop, she will apply this unitary transformation to the quantum state received from the bank, and sends this—simpler and smaller—quantum string to the shop. The shop transmits this quantum string for verification, thus Alice does not have to arrange for a quantum channel with the bank, and after the bank has verified Alice’s identity, the bank will respond.
Online verification of Alice’s quantum money
Alice’s quantum money
ρi
{ ρ1 , ρ 2 ,… ρ n }
N
ρi
Online verification
Bank
Database
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Figure 33. Online verification of Alice’s quantum money.
The process is summarized in Fig. 34. The protocol is secure if Eve can get only a very small part of the transmitted quantum states, however if a larger part of the sent states can be captured by the eavesdropper, then the scheme could be vulnerable and its security is not guaranteed. Later, in the late 1990s and early 2000s, new, the computationally secure, approaches were introduced. Unlike the previously introduced schemes, which were based on the physical meaning of the no-cloning theorem, these new methods are based on a complexitytheoretic interpretation of the no-cloning theorem. That is, the security of the scheme rather depends on the complexity theoretic assumptions of the eavesdropper’s capabilities, than the physical uncopiability of quantum money. This new viewpoint made it possible to define new computationally secure algorithms, and to alloy it with the properties of algorithm theory, mathematics and quantum physics. The quantum bill, which can be viewed as a new generation of the previous quantum money schemes. In their scheme, the quantum money is generated by an authorized bank, which produces the quantum states in an indistinguishable form. They have summarized the most important conditions for future quantum money schemes as follows: 1. it has to be uncloneable,
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
68
Laszlo Gyongyosi and Sandor Imre 2. it has to be verifiable off-line, 3. it has to be easily transferable and serviceable, 4. finally, it has to preserve the user’s anonymity.
The quantum states issued by the bank have to be verifiable locally, with unitary quantum transformations, and easily implementable quantum circuits. The verification of quantum money can be realized in two different ways, called the black box method and the blind method. Phase 1. The bank sends a random quantum state to Alice
Alice
ρi
N
ρi
Bank
Database Phase 2. Alice’s applies a unitary transformation and sends it to the shop
U ( ρi )
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Alice
U ( ρi )
Quantum Shop
N
Phase 3. The quantum shop sends Alice’s state to the bank
U ( ρi ) Quantum Shop
U ( ρi ) Bank
N
Database
Figure 34. Alice sends her verification state to the quantum shop, which passes it on to the bank.
However, as has been shown by the authors of these schemes, the results on the verification process are still very theoretical, and many of these are still not implemented in practice, and it is still unknown, how these methods could be implemented in practice. If these open problems can be solved in the future, then these novel ideas could result in some very important practical protocols, —and the problem of the quantum money of the future can be solved.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
69
11.3. New Models of Quantum Money Besides the fact that quantum states cannot be cloned perfectly, a secure and practically implementable protocol has to pass several different security tests and theoretical conditions. Currently, one of the most important challenges in quantum money is the possibility of the development of a scalable off-line verification scheme. The efficiency and the practicality of quantum money depend heavily on the off-line verification mechanism. The verification of the quantum states requires quantum circuits, and precise computations, and it has to be implemented very efficiently in practice, since a quantum money user will not wait long for the verification of her uncloneable quantum money. These schemes have to be at least as efficient as the current, classical schemes, with that additional layer which can be provided only by the properties of quantum mechanics. The authors of the quantum bill scheme have summarized the most important conditions for its practical implementation as follows. Quantum money has to be uncloneable, anonymous, off-line verifiable, and easily transmittable. Quantum money schemes have to use the currently available networks, optical channels, and other noisy quantum communication channels, hence its effectiveness is one of the most important questions form an engineering point of view. Later, the various models of quantum money have been distinguished by whether the quantum money for a given denomination are all identical or not. If they are all identical, then we call one a “quantum coin,” otherwise we call it a “quantum bill.” As can be seen, the quantum bill is an advanced version of the quantum coin scheme, but we briefly treat both of these approaches.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
11.3.1. The Quantum Coin In the case of the quantum coin scheme, the quantum states are issued by an authenticating bank, and they are all generated from the same quantum state for every denomination. The quantum coin scheme is just the same as the model of the use of classical coins in classical systems. The authors of the quantum coin scheme defined the protocol by the specification process of a valid quantum state and the quantum circuit required for the verification process. Quantum money, or, as it is called in this scheme, quantum coin, is an nqubit length quantum string. The quantum string issued by the authenticating bank consists of pure quantum states. The verification circuit consists of an n-qubit length input register, and another ancillary quantum register (called “the ancilla”) with some qubits. The working mechanism of the quantum coin scheme can be summarized as follows. The valid quantum states are generated by the bank. The bank is also able to store these valid quantum states, and these valid quantum money states are sent to the user through a secure quantum channel. After Alice has received her valid quantum coins from the bank, she could use them for shopping. She has to send these quantum coins to the quantum shop, using a quantum channel between Alice and the shop. On the other hand, the shop has no a priori information about the validity of Alice’s quantum coins, hence the shop has to validate them. The most important part of the protocol is the verification method. The quantum shop must use an off-line verification process, since an on-line one could not be very effectively implemented in practice. (The question, whether the quantum shop has to communicate with
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
70
Laszlo Gyongyosi and Sandor Imre
the bank or not, depends on the actual circumstances and the environment, and thus can hardly be guaranteed for all shops.) The quantum shop also can store Alice’s quantum states. In Fig. 35 we illustrate the quantum coin scheme, as it has been formulated theoretically. The verification of Alice’s quantum coins is a very important question from the viewpoint of the security of the protocol. To verify the quantum coins, the quantum shop can apply a quantum SWAP-test circuit very similar to those in quantum fingerprinting and quantum digital signature. The quantum shop uses the verified quantum coins received from the bank, so we can assume that the shop is in possession of the valid quantum money states. The authors of the quantum coin scheme have defined three input quantum registers, the first one consist of one-qubit, the second consists of an n-length quantum coin string, while the third consists of the ancillary quantum states. In the verification process, the quantum shop applies a unitary transformation to these quantum registers, and finally, the shop decides on the validity of the n-length input quantum coin by the measurement of the first, one-qubit length quantum register. Phase 1. The bank sends the valid quantum coin to Alice
{ ρ1 , ρ 2 ,… ρ n } Alice
Bank
N
Quantum Coin
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Phase 2. Alice sends her quantum coin to the shop
{ ρ1 , ρ 2 ,… ρ n } Alice
N
Quantum Shop
Phase 3. The quantum shop uses an offline verification method
{ ρ1 , ρ 2 ,… ρ n } Quantum Shop
Bank
N
Database Figure 35. The quantum coin scheme with off-line verification method.
Now, let’s see the possible outcomes of the circuit. If the output is 0, then the input quantum coin is valid, and the quantum coin can be recovered from the second quantum register. Otherwise, the output of the measurement of the first register will be 1, which means that the input quantum coin was not valid. The validator quantum circuit is a secure quantum
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
71
circuit, and the quantum shop has to keep it safe from the public. If an unauthorized person were able to build the same quantum verifier circuit, then it would be possible to construct fake quantum money. The verification circuit for Alice’s quantum coin is illustrated in Fig. 36. The communication between the quantum shop and the bank was accomplished previously.
0
M
Quantum coin
{ ρ1 , ρ2 ,… ρn } 0
⊗m
U
Quantum coin
{ ρ1 , ρ2 ,… ρn }
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Figure 36. The verification quantum circuit for the quantum coin scheme.
The verification process can be implemented securely with the help of the black-box verification process, or, alternatively, with the help of the blind quantum verification process. This scheme allows only zero bit information to the public about the components and the unitary transformations of the quantum circuit. However, there is a difference between the security provided by the two schemes, since while the black-box scheme allows only computational security, the blind scheme allows “real” information-theoretic security.
Figure 37. Eve’s probability of “passing” depends on the overlap between the valid quantum money states and her money states. Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
72
Laszlo Gyongyosi and Sandor Imre
If we analyze the uncloneable property of the quantum coin scheme, then we have to analyze the worst-case situation, in which the eavesdropper knows the verifier’s circuit. Eve would like to construct a forged quantum coin, for which the verification test will not fail. The output of the verification quantum circuit is probabilistic, and her goal is to reach a high probability for passing the verification test. If the correct output state of the verification quantum circuit is ψ , then Eve has to try to ⊗ l +1 generate an l-length quantum coin ψ ′ , which maximally overlaps with the original ψ .
The fidelity of the cloned quantum money can be appreciated using the value of the inner product. The uncloneability of the quantum coin can be rephrased as follows. If Eve has l copies from the quantum state ψ , then it is not possible for her to produce an output state such that the overlap is minimal. Hence, if Eve tries to cheat, the verifier circuit will detect it, since the overlap between the original and the fake state will be too small. Security against these types of attack can be attained if the bank issues a small number of the same quantum coin. Perfect security would be attained if there were no overlapping, i.e., if ⊗ l +1 ⊗ l +1 (78) ψ ′ ρψ ′ =0 for any ρ , but this cannot be perfectly realized in practice, at least in the case of an off-line system. I.e., an off-line verification scheme cannot be perfectly secure in the information theoretic meaning of the word, but it could be applicable and efficient in practice with enough practical security provided it is used within a well-designed environment.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
11.3.2. The Quantum Bill The main difference between quantum coin and quantum bills lies in the differences between the denomination scheme. I.e., while all quantum coins of the same denomination are identical states, the quantum bill scheme allows different quantum states of the same denomination. The quantum bill scheme also allows some classical information with the quantum states, hence the bank can issue a set of quantum states with a classical string to identity the quantum bills. The quantum bill scheme is defined by a classical and quantum pair, where the quantum states are pure quantum states, and the classical string identifies the label of the quantum string. The role of the classical string depends on the given scheme, since in the case of Wiesner’s [Wiesner83], and Bennett’s scheme [Bennett82], the classical string was used by the issuer to retrieve the details of the verification. In some other protocols, this classical string represents only the denomination of the quantum string. In Fig. 38 we show a quantum bill scheme, in which the given denomination can be realized by various quantum states. In the case of the quantum coin scheme, the quantum states cannot be chosen arbitrarily for the same denomination. As we illustrated, the quantum states ψ , ϕ and φ realize the same denomination, although they differ from each other.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
73
Quantum Money
ψ
Different quantum states
Denomination Quantum Money
Quantum Money
φ
ϕ
Figure 38. The same denomination can be realized by different quantum states.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
The verification process of quantum bills is very similar to the verification of quantum coins. The input of the verification quantum circuit is an n-length quantum register, and it contains an “ancilla” quantum register. The main difference is that the verifier has to give the denomination of quantum money by using a distinct quantum string for it. In this case, various quantum states can represent the same denomination, hence the bank has to fix the value used with the quantum shop.
0
M
Denomination
Quantum coin
{ ρ1, ρ2 ,… ρ n } 0
⊗m
U
Quantum coin
{ ρ1, ρ2 ,… ρ n }
Figure 39. The verification quantum circuit of the quantum bill scheme.
The output of the circuit is a classical bit and a quantum output register, as illustrated in Fig. 39. Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
74
Laszlo Gyongyosi and Sandor Imre
The verification of the quantum coins can be made by either the black box scheme or by the blind authentication scheme. In theory, the black box scheme provides the verification of the quantum states without any online communication, hence it can be realized without the help of the bank. The verification of the quantum states is one of the most important part of the various quantum money schemes, here we give a short summary of both of these verification methods. Assume that the parties would like to verify an input quantum state ψ . The quantum state is verified by a quantum oracle which is defined as
Uψ = I − 2 ψ ψ . The Uψ oracle recognizes the state ψ
(79)
by flipping the sign of the phase of the state ψ
, thus for a valid input state ψ , the output of the verification is
Uψ ψ = − ψ ,
(80)
and
Uψ ϕ = ϕ
(81)
for an invalid quantum state ϕ , where ϕ is orthogonal to ψ . These methods can be summarized as
Uψ = I − 2 ψ ψ .
(82)
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
A verification circuit with oracle Uψ can be constructed in a very simple way, using elementary quantum circuits. The quantum circuit requires only two Hadamard transformations and a measurement circuit, plus the Uψ unitary oracle transformation itself. The black box verification model constructed for the verification of the input quantum state is illustrated in Fig. 40. The output of the quantum circuit will be 1 if the input state is a valid state ψ , and it will be 0 if the input is a quantum state ϕ
orthogonal to the valid state ψ , i.e, when
ϕ ψ = 0 . If the input state is a valid state, then the original quantum state can be recovered, since the unitary transformation of the circuit leaves it unchanged. This is a very important property of the verifier quantum circuit, since it allows of integration into bank transfers or other transactions. It also makes quantum money reusable in practice, and increases the robustness of quantum money scheme. On the other hand, the decoherence of the quantum states make it impossible to reuse the quantum states arbitrarily many times, however if a “noisy” piece of quantum money passes the measurement test, then the verifier quantum circuit projects it back to the original, hence the quantum circuit can be used to “correct” a noisy but valid input. The quantum verifier circuit can identify the valid quantum states, however the scheme is also reliable for invalid inputs. The security of the scheme relies on the fact that if an
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
0
M
H
H
75
Quantum coin
Quantum coin
{ ρ1, ρ 2 ,… ρ n }
{ ρ1, ρ 2 ,… ρ n }
Uψ
Figure 40. The quantum circuit of the black box authentication scheme with a quantum oracle.
0
H
H
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Noisy, valid quantum money
N
M Noiseless, valid quantum money
{ ρ1 , ρ 2 ,… ρ n }
Uψ
{ ρ1 , ρ 2 ,… ρ n }
Figure 41. If a “noisy” but valid input passes the measurement test, then the verifier quantum circuit projects it back to the original piece of quantum money.
unauthorized user has k copies from a quantum state ψ , then it is not possible by the use of the quantum oracle Uψ = I − 2 ψ ψ which its difference from the valid ψ
to produce an invalid quantum money state ρ for ⊗k
state is negligible.
11.3.3. Advanced attack model In the previous section, we have assumed that the unauthorized Eve would like to use just an invalid quantum state. But this is just one part of the story, since the eavesdropper can use a quantum oracle for the attack. The ingredients of the complete attack are the invalid multiple quantum states, and the Uψ quantum oracle. Eve uses this quantum oracle to decide
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
76
Laszlo Gyongyosi and Sandor Imre
whether her cloning was successful or not. Eve uses her k-copies of invalid quantum states, hence we have to modify the security conditions for a secure quantum money scheme as follows. For the same verification quantum circuit as we have presented before, if Eve would like to construct an invalid quantum state ρ with ψ
⊗ k +1
ρψ
⊗ k +1
≥ p , then she has to send at
least ⎛ 2n p ⎞ Ω⎜ −k⎟ ⎜ k log k ⎟ ⎝ ⎠
(83)
queries to the quantum oracle Uψ . It follows from this result, as has been proven by the authors, that the quantum oracle is unforgeable if the number of the issued coins is large enough. The mathematical background and the proofs are given by the authors in their paper, with the conclusion that the quantum coin scheme is resistant even to the advanced type of attack.
11.3.4 .Verification with Blind Quantum Computation
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
In the previous section we have seen that the quantum states can be verified with the black box construction. On the other hand, the security of quantum money scheme can be also achieved by blind quantum computation. The blind quantum computation method defines the security between Alice and Bob, and it allows Alice to perform any computations on her own quantum state, and Bob will know only zero bits of information about Alice’s input state, Alice’s operation, and Alice’s output. The logical scheme of blind quantum computation is illustrated in Fig. 42. Alice’s blind transformations
Allowed information for Bob
0
N=
Quantum money
{ ρ1 , ρ 2 ,… ρ n }
1 I 2
U
Figure 42. This scheme allows zero information to Bob. The information received can be viewed as a maximally randomized state with zero bit information.
In the earliest versions of the protocols, Alice and Bob had to perform a huge amount of quantum communications, hence the protocol was inefficient. As has been shown by Childs Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
77
[Childs05], this quantum communication can be achieved by quantum teleportation, however it requires sharing the entanglement, which could be also a problematic question. In his scheme, the bank is “Alice,” the quantum shop is “Bob,” who implements the verification quantum circuit blindly for the quantum bank. Bob receives quantum money from the bank, and verifies the quantum coin with the help of his quantum verifier circuit. In the verification process, Bob communicates with the bank through the quantum channel, who will get a result which determines the validity of the input quantum state. Child’s scheme is illustrated in Fig. 43. Entanglement
Ψ
{ ρ1 , ρ 2 ,… ρ n } Quantum Shop
N
Bank
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Verification Quantum Circuit
Figure 43. In Child’s scheme, the quantum shop receives quantum money from the bank, and verifies the quantum coin with the help of a quantum verifier circuit.
There were some attempts at other approaches, however it has been concluded that the black-box verification scheme is an easier way to implement the verification in practice. The blind quantum communication scheme requires teleportation, or else huge quantum communications. The method of Childs is not so effective, however this scheme is still more efficient than of that approach in which Bob has to teleport the quantum money to Alice, and she then has to send it back with the result of the verification to Bob. In Child’s method the verification is realized by Bob, using “non quantum teleportation-based” communications. The main goal of some other approaches was to increase the efficiency of the scheme by a reduction of the quantum communications. They reduced the quantum part to the distribution of the quantum states, and the other ingredients of the protocol were realized by classical communication. These schemes do not require online quantum communications, or entanglement sharing, and the bank has to store only the classical parts of the verification steps. The security of these schemes is still an open question, and as they have stated, the constructed scheme does not guarantee security against coherent attacks.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
78
Laszlo Gyongyosi and Sandor Imre
12. Conclusions The quantum security and privacy protocols are designed for the same purposes as the classical ones: they have to ensure the confidentiality of the information, the integrity of the messages, and the availability of the information to authorized users. As in the case of classical cryptosystems, the quantum cryptosystems have also evolved. The first important result was the birth of quantum cryptography. The various private and authentication quantum protocols were developed mainly in the late 1990s. The development of quantum cryptographic protocols has revealed that other quantum-based cryptographic protocols can be designed and applied in many new fields of secret communications. The combination of quantum physics and information theory makes it possible to realize unconditionally secure communication in practice. The fusion of the theoretical results of quantum information theory and the practical results of quantum optics and optical communications allows the users of future communication networks to use unbreakable quantum communication in practice with high efficiency, able to resist all possible attacks by classical and quantum computer architectures. Until practical quantum communications systems become available, unconditionally secure communication may seem just an interesting result of information theory. But as these quantum communication schemes become reality, the connections between the theoretical and practical results will fundamentally change.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
13. Further Reading In this chapter we did not discussed the QKD protocols in detail. About the background of quantum cryptography and about how the no-cloning theorem got its name, see the work of Peres from 2002 [Peres02] or the work of Paterson et al. from 2004 [Paterson04]. We also suggest the book of Imre and Balázs from 2005 [Imre05], or the work of Brassard on the brief history of quantum cryptography [Brassard06]. Wiesner’s idea on quantum conjugate coding can be found in details in Wiesner’s work from 1983 [Wiesner83], however it is not the first version of his paper, since his paper was accepted just a few years after he submitted a modified version of the original one (in which he originally introduced the idea of quantum money in the 1970s). Wiesner’s idea was the main motivation factor behind the first quantum cryptography protocol, the BB84. Further detail about the protocol developed by Bennett and Brassard can be found in [Bennett82] and [Bennett84]. Further information about the B92 protocol can be found in [Bennett92]. An important step was made by Artur Ekert in 1991 [Ekert91], who showed that it is possible to perform quantum key distribution with entangled states,—however in 1990 he was unaware of the results of Bennett and Brassard’s from 1984 (see [Bennett84]). We note that a few years before Ekert’s paper, an article was published about the possibility of communication by EPR states in 1982, by Dieks [Dieks82]. As proven by Bennett, Brassard and Mermin [Bennett92a], the scheme of Ekert [Ekert91] and the scheme of Bennett and Brassard [Bennett84] provide the same level of information theoretic security. The relevance of optical fiber links for quantum communication was strongly emphasized by Agrawal et al. [Agrawal97]. A fast implementation of the standard BB84 QKD was shown by Niederberger et al. [Niederberger05]. The information-theoretic bounds on secret key fractions were studied by Renner [Renner05] and Van Assche et al.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Quantum Cryptographic Protocols and Quantum Security
79
[Assche04]. Asymmetric cloning machines have been discussed for eavesdropping on quantum cryptography in [Cerf2000]. The DPS QKD protocol was studied by Inoue et al. in 2003, see [Inoue03]. About quantum cryptography on multiuser optical fiber networks see [Townsend97]. For further information about classical versions of these quantum protocols see [Blakley79], [Blum82], [Bohm89], [Carter79], [Carter81], [Chaum88], [Chaum88a], [ElGamal85], [Feldman87], [Rivest78], [Schneier96], [Shamir79], [Trappe02], [Yao86]. The concept of private classical capacity was introduced by Devetak in [Devetak03], and one year later by Cai et al. in 2004 [Cai04]. Private capacity measures classical information, and it is always at least as large as the single use quantum capacity (or the quantum coherent information) of any quantum channel. As shown in [Devetak05a], for a degradable quantum channel, the private capacity is equal to the coherent information of the channel, moreover for this channel the private capacity is additive [Devetak05a],—however for a general quantum channel these statements do not hold. The properties of private information via the Unruh effect was studied by Bradler et al. in 2009, for details see [Bradler09]. The additivity of private information would also imply the fact that shared entanglement cannot help to enhance the private capacity for degradable quantum channels. The complete proof of the private capacity of the quantum channel was made by Devetak [Devetak03], who also cleared up the connection between classical private capacity and the quantum capacity. As was shown by Smith et al. in 2008 [Smith08d], the classical private capacity of a quantum channel is additive for degradable quantum channels, and closely related to the quantum capacity of a quantum channel (moreover, Smith has shown that it is equal to the quantum coherent information for degradable channels), since in both cases we have to “protect” the quantum states: in the case of private capacity the enemy is called Eve (the eavesdropper), while in the latter case the name of the enemy is “environment.” As was shown in [Devetak03], the eavesdropper in private coding acts as the environment in quantum coding of the quantum state, and vice-versa. This “gateway” or “dictionary” between the classical capacity and the quantum capacity of the quantum channel was published by Devetak in 2003 [Devetak03], in 2005 by Devetak and Shor [Devetak05a], and later, in 2008 by Smith and Smolin [Smith08d], using a different interpretation. Further information about the private capacity of a quantum channel can be found in [Devetak03] [Devetak05b] [Bradler09] [Li09] [Smith08d] [Smith09a] [Smith09b]. The noisy processing and the distillation of private quantum states was studied by Renes and Smith in 2007, for details see [Renes07]. For further details about the properties of private quantum communications we suggest the works of Ambainis [Ambainis2000], [Ambainis02], [Ambainis04], Biham [Biham97], [Biham97a], Bouda [Bouda01], [Bouda03], [Bouda03a-03c], [Bouda04], Brassard [Brassard86], [Brassard91], [Brassard93], [Brassard94], [Brassard97], [Brassard98], Buhrman [Buhrman01], Chau [Chau97], Cheung [Cheung99], Chor , Cleve [Cleve99], Devetak [Devetak08], Eisert [Eisert05], Mayers [Mayers96], [Mayers98], [Mayers99], Nayak [Nayak02], Oppenheim [Oppenheim03], and Peres [Peres95]. The possibility that quantum messages can be authenticated was demonstrated by Barnum [Barnum99], [Barnum02], Crépeau [Crépeau88], [Crépeau01], [Crépeau02], and Oppenheim and Horodecki [Oppenheim03]. The anonymous quantum communication was studied by Brassard et al. in 2007, for details see [Brassard07]. The sharing of quantum secrets has been studied by Cleve [Cleve99], Gottesman [Gottesman2000], [Gottesman2000a], [Gottesman01], [Gottesman03], [Gottesman04], its practical realization
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
80
Laszlo Gyongyosi and Sandor Imre
by Hillery and Buzek [Hillery99]. The quantum version of the classical oblivious transfer protocol [Rabin81] was introduced by Crépeau [Crépeau88], [Crépeau90], [Crépeau90a], [Crépeau94] and by Bennett et al. [Bennett91]. The quantum data hiding protocol was originally developed by DiVincenzo, Leung, and Terhal in 2001 [DiVincenzo01] and DiVincenzo, Hayden, and Terhal in 2002 [DiVincenzo02]. Security issues of quantum security and privacy protocols were studied by Gisin et al. [Gisin01], Fujiwara et al. [Fujiwara99], Gottesman [Gottesman01], [Gottesman03], [Gottesman04], Grassl [Grassl97], Hardy [Hardy98], [Hardy04], Hayden [Hayden03], Shor [Shor2000], [Shor97], Preskill [Preskill97], [Preskill98], Smolin [Smolin92], and Terhal [Terhal01]. Methods of uncloneable encryption and quantum digital signatures have been published by Gottesman et al. [Gottesman03], and quantum fingerprinting was invented by Buhrman et al. in 2001 [Buhrman01]. Further information about multiple-access quantum communication can be found in [Yen05] and [Yard06]. In 2001, Winter [Winter01], in 2005 Yard [Yard05a], [Yard05b] and Yen et al. [Yen05], in 2008, Czekaj and Horodecki [Czekaj08], and Hsieh et al. [Hsieh08], Yard, Devetak and Hayden [Yard05b], published the details of its theoretical and physical properties, and its achievable capacities. About the connection between quantum privacy and quantum coherence, see the work of Schumacher and Westmoreland from 1998 [Schumacher98a]. Further information about remote state preparation can be found in Abeyesinghe’s work from 2003 [Abeyesinghe03]. Some information about identication via quantum channels can be found in [Ahlswede02]. The distillation of a secret key and entanglement from quantum states was published by Devetak and Winter in 2005 [Devetak05b]. An article about the mathematical background of the copy-protection of quantum states was published by Aaronson in 2006 [Aaronson09]. Later in 2011, Gyongyosi and Imre showed a method of probabilistic quantum copy-protection, and they also gave the mathematical background of their approach, for details see [Gyongyosi11e]. About the verification methods of quantum money schemes, see the work of Broadbent et al. [Broadbent08] and Stebila from 2009 [Stebila09]. Mosca and Stebila [Mosca06], [Mosca07] and Aaronson [Aaronson09] have shown some very interesting results on the verification of quantum money, and they have designed a complete framework, which could play a fundamental role in the quantum money of the future. Moreover, Stebila has introduced an improved concept, called the quantum bill, for details see [Mosca07]. The quantum authentication scheme was defined by Barnum [Barnum02], Gottesman et al. [Gottesman2000a], [Gottesman03], and Oppenheim [Oppenheim03]. Contrary to the new ideas, the impossibility of quantum bit-commitment scheme also has been proven, for details see [Cheung99], [Crépeau01], [Dumais2000], [Hardy04], [Yuen2000], [Yuen2000a]. About the application of superadditvity and superactivation, see the works of Gyongyosi and Imre [Gyongyosi10], [Gyongyosi10a], [Gyongyosi10b], [Gyongyosi10c], [Gyongyosi10d], [Gyongyosi11a], [Gyongyosi11b] and [Gyongyosi11c]. About the relation between quantum complexity classes and the classical complexity classes, see the work of Aaronson from 2008 [Aaronson08] . In this work, the author also gives a great conclusion on the limits of future quantum computers. About other aspects of quantum communication complexity see the work of Buhrman et al. from 2010 [Buhrman10]. An article with a similar idea to that of his previous paper from 2006, for details see
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
81
[Aaronson06], on the relation of quantum copy-protection and quantum money was published in 2009, for details see [Aaronson09].
Author Biographies Laszlo Gyongyosi received the M.Sc. degree in Computer Science with Honors from the Budapest University of Technology and Economics (BUTE) in 2008. He obtains Ph.D. degree in 2011 at the Department of Telecommunications, BUTE. His research interests are in Quantum Computation and Communication, Quantum Channel Capacity, Quantum Cryptography and Quantum Information Theory. He is currently completing a book on advanced quantum communications, and he teaches courses in Quantum Computation. In 2009, he received Future Computing Best Paper Award on quantum information, in 2010, he was awarded the Best Paper Prize of University of Harvard, USA. In 2010, he obtained a Ph.D. Researcher Grant from University of Arizona, USA., and in 2011 from Stanford University, USA.. Sandor Imre was born in Budapest in 1969. He received the M.Sc. degree in Electronic Engineering from the Budapest University of Technology (BUTE) in 1993. Next he started his Ph.D. studies at BUTE and obtained dr. univ. degree in 1996, Ph.D. degree in 1999 and DSc degree in 2007. Currently he is carrying his teaching activities as Head of the Dept. of Telecommunications of BUTE. He was invited to join the Mobile Innovation Centre of BUTE as R&D director in 2005. His research interest includes mobile and wireless systems, quantum computing and communications. Especially he has contributions on different wireless access technologies, mobility protocols and reconfigurable systems.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
References [Aaronson08] S. Aaronson, "The Limits of Quantum Computers". Scientific American. (2008). [Aaronson09] S. Aaronson. Quantum copy-protection and quantum money. In preparation, (2009). [Abeyesinghe03] A. Abeyesinghe and P. Hayden. Generalized remote state preparation: Trading cbits, qubits, and ebits in quantum communication. Physical Review A, 68(6):062319, December (2003). [Agrawal97] G. Agrawal, Fiber-Optic Communication Systems “Wiley, New York". (1997). [Ahlswede02] R. Ahlswede and A. J. Winter. Strong converse for identication via quantum channels. IEEE Transactions in Information Theory, 48(3):569-579, arXiv:quant-ph/0012127, (2002). [Ambainis02] A. Ambainis. Lower bound for a class of weak quantum coin flipping protocols. quant-ph/0204063, (2002). [Ambainis04] A. Ambainis, H. Buhrman, Y. Dodis and H. Rohrig. Multi party quantum coin flipping. In 19th IEEE Annual Conference on Computational Complexity (CCC'04). (2004). [Ambainis2000] A. Ambainis, M. Mosca, A. Tapp, and R. de Wolf. Private quantum channels. In FOCS2000, pages 547-553, quant-ph/0003101. (2000).
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
82
Laszlo Gyongyosi and Sandor Imre
[Asmuth83] C. Asmuth and J. Bloom. A modular approach to key safeguarding. IEEE Transactions on Information Theory, IT-29(2):208-210, (1983). [Assche04] G. Van Assche, J. Cardinal, and N. J. Cerf, IEEE Trans. Inf. Theory 50, 394. (2004). [Bacsardi09a] L. Bacsardi, L. Gyongyosi, S. Imre: Solutions For Redundancy-free Error Correction In Quantum Channel, International Conference on Quantum Communication and Quantum Networking, October 26 – 30, 2009, Vico Equense, Sorrento peninsula, Naples, Italy, (2009). [Bacsardi10a] L. Bacsardi, L. Gyongyosi, S. Imre: Using Redundancy-free Quantum Channels for Improving the Satellite Communication, PSATS 2010, 2nd International ICST Conference on Personal Satellite Services, Section on Satellite Quantum Communications, 4-6 February 2010, Rome, Italy, accepted. Lecture Notes of The Institute for Computer Sciences Social-Informatics and Telecommunications Engineering (ISSN: 1867-8211) (2010). [Bacsardi10b] L. Bacsardi, L. Gyongyosi, M. Berces, S. Imre: Quantum Solutions for Future Space Communication, in "Quantum Computers", Nova Science Publishers, (2010). [Barnum99] H. Barnum. Quantum secure identification using entanglement and catalysis. quantphj9910072, (1999). [Barnum02] H. Barnum, C. Crépeau, D. Gottesman, A. Smith, and A. Tapp, Authentication of quantum messages. In FOCS2002, 2002.quant-ph/0205128. (2002). [Bennett82] C. H. Bennett, G. Brassard, S. Breidbard, and S. Wiesner. Quantum cryptography, or unforgeable subway tokens. In D. Chaum, R. Rivest, and A. T. Sherman, eds., Advances in Cryptology – Proc. CRYPTO ’82 . Plenum Press, (1982). [Bennett84] C. Bennett and G. Brassard, Quantum cryptography: public key distribution and coin tossing, Int. conf. Computers, Systems Signal Processing, Bangalore, India, December 10-12,175-179. (1984). [Bennett85] C. Bennett and G. Brassard, Quantum public key distribution system IBM Technical Disclosure Bulletin, 28, 3153-3163. (1985). [Bennett91] C. Bennett, G. Brassard, C. Crépeau and M.-H. Skubiszewska. Practical quantum oblivious transfer. In Proceedings of the 11th Annual International Cryptology Conference on Advances in Cryptology, pages 351-366, (1991). [Bennett92] C. Bennett, G. Brassard and A. Ekert, Quantum Cryptography, Sc. Am. 267 , 2633. (1992). [Bennett92a] C. Bennett, G. Brassard and N. Mermin, Quantum Cryptography without Bells theorem, Phys. Rev. Left. 68 , 557-559. (1992). [Bennett92b] C. Bennett, Quantum cryptography using any two non orthogonal states, Phys. Rev. Lett. 68, 3121-3124. (1992). [Bennett92c] C. Bennett and S. Wiesner. Communication via one- and two-particle operators on Einstein-Podolsky-Rosen states.Phys.Rev.Lett.,69:2881-2884, (1992). [Biham97] E. Biham and T. Mor, Bounds on Information and the Security of Quantum Cryptography, Phys.Rev.Lett. 79 , 4034-4037. (1997). [Biham97a] E. Biham and T. Mor, Security of Quantum Cryptography against collective attacks, Phys. Rev. Lett. 78 , 2256-1159. (1997). [Blakley79] G. Blakley. Safe guarding cryptographic keys. In Proceedings of the National Computer Conference, volume 48, pages 242-268, (1979).
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Quantum Cryptographic Protocols and Quantum Security
83
[Blum82] M. Blum. Coin flipping by telephone: A protocol for solving impossible problems. In Proceedings of the 24th IEEE Computer Conference (CompCon), pages 133-137, (1982). [Bohm89] D. Bohm. Quantum Theory. Courier Dover Publications, (1989). [Bouda01] J. Bouda and V. Buzzek. Entanglement swapping between multi-qudit systems. Journal of Physis A, 34(20):4301-4311, (2001). [Bouda03] J. Bouda and M. Mariniszyn. Encryption of classical information: using quantum channel to detect eavesdropping. Poster at the Third Conference of the ESF programme Quantum Information Theory and Quantum Computing, Erie, (2003). [Bouda03a] J. Bouda and V. Buzzek. Security of the private quantum channel. Journal of Modern Optics, 50:1071-1077, (2003). [Bouda03b] J. Bouda and V. Buzzek. Encryption of quantum information. Int. J. Found. Comput. Si., 14(5):741-756, (2003). [Bouda03c] J. Bouda and V. Buzzek. Purification and correlated measurements of bipartite mixed states. Phys.Rev.A,65(3):4304-4307, (2002). [Bouda04] J. Bouda, Encryption of Quantum Information and Quantum Cryptographic Protocols, PhD Thesis, (2004). [Bouda04a] J. Bouda and M. Ziman. Limits and restrictions of PQC. (2004). [Brandao10] F. Brandao and J. Oppenheim, “Public Quantum Communication and Superactivation,” arXiv:1005.1975. (2010). [Bradler09] K. Bradler, P. Hayden, and P. Panangaden. Private information via the Unruh effect, Journal of High Energy Physics 08, 074 (2009). [Brassard86] G. Brassard, C. Crépeau and J. Robert. Information theoretic reductions among disclosure problems. In Proceedings of the 27th IEEE Symposium on Foundations of Computer Science, pages 168-173, (1986). [Brassard91] G. Brassard and C. Crépeau. Quantum bit commitment and coin tossing protocols. In Advances in Cryptology: CRYPTO'90 Proceedings, pages 49-61, (1991). [Brassard93] G. Brassard, C. Crépeau, R. Jozsa, and D. Langlois. A quantum bit commitment scheme provably unbreakable by both parties. In Proceedings of the 1993 IEEE Symposium on Foundations of Computer Science, pages 362-371, (1993). [Brassard94] G. Brassard and L. Salvail. Secret-key reconciliation by public discussion. In Advances in Cryptology: EUROCRYPT'93 Proceedings, pages 410-423, (1994). [Brassard97] G. Brassard, C. Crépeau, D. Mayers, and L. Salvail. A brief review on the impossibility of quantum bit commitment. quant-ph/9712023, (1997). [Brassard98] G. Brassard, C. Crépeau, and D. Mayers. Defeating classical bit commitment with a quantum computer. quant-ph/9806031, (1998). [Brassard06] G. Brassard. Brief history of quantum cryptography: A personal perspective, eprint arXiv:quant-ph/0604072. (2006). [Brassard07] G. Brassard, A. Broadbent, J. Fitzsimons, Sébastien Gambs, and Alain Tapp. Anonymous quantum communication. In Kurosawa, pp. 460–473. doi:10.1007/978-3540-76900-2_28. eprint arXiv:0706.2356. (2007) [Broadbent08] A. Broadbent, J. Fitzsimons, and E. Kashefi. Universal blind quantum computation, eprint arXiv:0807.4154, (2008). [Buhrman01] H. Buhrman, R. Cleve, J. Watrous and R. de Wolf. Quantum fingerprinting. Physical Review Letters, 87(16): 167902, 2001.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
84
Laszlo Gyongyosi and Sandor Imre
[Cai04] N. Cai, A. Winter, and R. Yeung, “Quantum privacy and quantum wiretap channels,” Problems of Information Transmission, vol. 40, no. 4, pp. 318–336, (2004). [Calderbank96] R. Calderbank and P. Shor. Good quantum error-correcting codes exist .Phys. Rev.A,54:1098, (1996). [Carter79] J. Carter and M.N. Wegman. Universal hash functions. Journal of Computer and System Sciences, 18:143-144, (1979). [Carter81] J. Carter and M. Wegman. New hash functions and their use in authentication and set equality. Journal of Computer and System Sciences, 22: 265-279, (1981). [Cerf2000] N. Cerf, Asymmetric quantum cloning machines in any dimension, J.Mod.Opt. 47 187, http://arxiv.org/abs/quant-ph/9805024, (2000). [Chau97] H. Chau and, H.-K.Lo. Making an empty promise with a quantum computer. Fortshritte der Physics, 46:507-520, quant-ph/9709053. (1998). [Chaum88] D. Chaum, A. Fiat, and M. Naor. Untraceable electronic cash (extended abstract). In S. Goldwasser, ed., Advances in Cryptology – Proc. CRYPTO ’88 , volume 403 of LNCS, pp. 319–327. Springer, (1988). [Chaum88a] D. Chaum. Privacy protected payments: Unconditional payer and/or payee untracability. In Smartcard 2000 . North Holland, (1988). [Cheung99] C. Cheung. On the possibility of unconditionally secure quantum bit commitment. quant-ph/9909048, (1999). [Childs05] A. Childs. Secure assisted quantum computation. Quantum Information and Computation, 5(6):456–466, eprint arXiv:quantph/0111046, (2005). [Cleve99] R. Cleve, D. Gottesman, and H. Lo. How to share a quantum secret. Phys. Rev.Lett.,85:648-651, quant-ph/9901025. (1999). [Crépeau88] C. Crépeau. Equivalence between two favours of oblivious transfer. In Advances in Cryptology: CRYPTO'87 Proceedings, pages 350-354, (1988). [Crépeau90] C. Crépeau and J. Kilian. Weakening security assumptions and oblivious transfer. In Advances in Cryptology: CRYPTO'88 Proceedings, pages2-7, (1990). [Crépeau90a] C. Crépeau. Correct and private reductions among oblivious transfers. PhD thesis, MIT, (1990). [Crépeau94] C. Crépeau. Quantum oblivious transfer. J.Mod.Opt.,41(12):2445-2454, (1994). [Crépeau01] C. Crépeau, F. Leegaree, and L. Salvail. How to convert the favor of a quantum bit commitment. In Advances in Cryptology: EUROCRYPT 2001 Proceedings, pages 6077, (2001). [Crépeau02] C. Crépeau, D. Gottesman, and A. Smith. Secure multiparty quantum computation. InSTOC2002, pages 643-652, quant-ph/0206138. (2002). [Cubitt10] T. Cubitt, D. Leung, W. Matthews and A. Winter, Improving Zero-Error Classical Communication with Entanglement, Phys. Rev. Lett. 104, 230503 (2010), arXiv:0911.5300[quant-ph] [Czekaj08] L. Czekaj and P. Horodecki. Nonadditivity effects in classical capacities of quantum multiple-access channels. arXiv:0807.3977, (2008). [Devetak03] I. Devetak, “The private classical capacity and quantum capacity of a quantum channel,” IEEE Trans. Inf. Theory, vol. 51, pp. 44–55, arXiv:quant-ph/0304127, (2005). [Devetak05a] I. Devetak and P. Shor. The capacity of a quantum channel for simultaneous transmission of classical and quantum information. Communications in Mathematical Physics, 256:287-303, (2005).
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Quantum Cryptographic Protocols and Quantum Security
85
[Devetak05b] I. Devetak and A. Winter. Distillation of secret key and entanglement from quantum states. Proceedings of the Royal Society A, 461:207-235, (2005). [Devetak08] I. Devetak, A. W. Harrow, and A. Winter. A resource framework for quantum Shannon theory. IEEE Transactions on Information Theory, 54(10):4587- 4618, (2008). [Dieks82] D. Dieks. Communication by EPR devices. Physics Letters A, 92:271, (1982). [DiVincenzo01] D. DiVincenzo, D. Leung, and B. Terhal. Quantum data hiding. Quantph/0103098, (2001). [DiVincenzo02] D. DiVincenzo, P. Hayden, and B. Terhal. Hiding quantum data. Found. Phys.,33(11):1629-1647, quant-ph/0207147. (2003). [Dumais2000] P. Dumais, D. Mayers, and L. Salvail. Perfectly concealing quantum bit commitment from any quantum one-way permutation. In Advances in Cryptology: EUROCRYPT 2000 Proceedings, pages 300-315, (2000). [Eisert05] J. Eisert and M. M. Wolf, “Gaussian quantum channels,”, arXiv:quantph/0505151. (2005). [Ekert91] A. Ekert. Quantum cryptography based on Bell’s theorem. Phys. Rev. Lett., 67:661, (1991). [ElGamal85] T. ElGamal, ”A public key Cryptosystem and a Signature Scheme Based on Discrete Logarithms.” IEEE Transactions on Information Theory 31(4) (1985). [Feldman87] P. Feldman. A practical scheme for non interactive verifiable secret sharing. In Proceedings of the 28th Annual Symposium on the Foundations of Computer Science, pages 427-437, (1987). [Fujiwara99] A. Fujiwara and P. Algoet. One-to-one parameterization of quantum channels. Phys.Rev.A,59(5):3290-3294, (1999). [Gisin01] N. Gisin, G. Ribordy, W. Tittel,and H. Zbinden. Quantum cryptography. Quantph/0101098, (2001). [Gottesman2000a] D. Gottesman. On the theory of quantum secret sharing. Phys.Rev. A,61:042311, quant-ph/9910067. (2000). [Gottesman01] D. Gottesman and I. L. Chuang. Quantum digital signatures. quantph/0105032, (2001). [Gottesman03] D. Gottesman. Uncloneable encryption. Quantum Information and Computation, 3:581-602, quant-ph/0210062. (2003). [Gottesman04] D. Gottesman, H. Lo, N. Land J. Preskill, Lutkenhaus, Security of quantum key distribution with imperfect devices. Quantum Information and Computation, 4(5):325-360, quant-ph/0212066. (2004). [Grassl97] M. Grassl, T. Beth, and T. Pellizzari. Codes for the quantum erasure channel. Phys.Rev.A,56:33-38, quant-ph/9610042. (1997). [Gyongyosi10] L. Gyongyosi, S. Imre, “Novel Geometrical Solution to Additivity Problem of Classical Quantum Channel Capacity”, The 33rd IEEE Sarnoff Symposium - Princeton University, Apr. 2010, Princeton, New Jersey, USA. (2010). [Gyongyosi10a] L. Gyongyosi, S. Imre, Information Geometrical Analysis of Additivity of Optical Quantum Channels, IEEE/OSA Journal of Optical Communications and Networking (JOCN), IEEE Photonics Society & Optical Society of America, ISSN: 1943-0620; (2010). [Gyongyosi10b] L. Gyongyosi, S. Imre: Algorithmical Analysis of Information-Theoretic Aspects of Secure Communication over Optical-Fiber Quantum Channels, Journal of
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
86
Laszlo Gyongyosi and Sandor Imre
Optical and Fiber Communications Research, Springer New York, ISSN 1867-3007 (Print) 1619-8638 (Online); (2010). [Gyongyosi10c] L. Gyongyosi, S. Imre: Information Geometric Security Analysis of Differential Phase Shift QKD Protocol, Security and Communication Networks, John Wiley & Sons, Ltd. ISSN: 1939-0114; (2010) (In Press). [Gyongyosi10d] L. Gyongyosi, S. Imre: Algorithmic Solution to Superactivation of ZeroCapacity Optical Quantum Channels, Photonics Global Conference (PGC) 2010, Nanyang Technological University, IEEE Photonics Society, Nature Photonics, Suntec City, Singapore, (2010). [Gyongyosi11a] L. Gyongyosi, S. Imre: Information Geometric Superactivation of Classical Zero-Error Capacity of Quantum Channels, Progress in Informatics, Quantum Information Technology, Quantum Information Science Theory Group, National Institute of Informatics, Tokyo, Japan, Print ISSN : 1349-8614, Online ISSN : 13498606; (2011.) [Gyongyosi11b] L. Gyongyosi, S. Imre: Informational Geometric Analysis of Superactivation of Asymptotic Quantum Capacity of Zero-Capacity Optical Quantum Channels, Proceedings of SPIE Photonics West OPTO 2011, ISBN: 9780819484857, Vol: 7948, (2011). [Gyongyosi11c] L. Gyongyosi, S. Imre: Efficient Quantum Repeaters without Entanglement Purification, International Conference on Quantum Information (ICQI) 2011, (The Optical Society of America (OSA), University of Rochester), University of Ottawa, Ottawa, Canada. (2011). [Gyongyosi11e] L. Gyongyosi, S. Imre: Novel Quantum Information Solution to CopyProtection and Secured Authentication, International Journal of Internet Technology and Secured Transactions (IJITST), ISSN (Online): 1748-5703, ISSN (Print): 1748569X; (2011). [Hardy98] L. Hardy. Spooky action at a distance in quantum mechanics. Contemporary physics, 39: 419, (1998). [Hardy04] L. Hardy and A. Kent. Cheat sensitive quantum bit commitment. Phys. Rev. Lett.,92:157901, quant-ph/9911043. (2004). [Hayden03] P. Hayden, D. Leung, P. Shor, and A. Winter. Randomizing quantum states: Constructions and applications. quant-ph/0307104, (2003). [Hillery99] M. Hillery, V. Bužek, and A. Berthiaume. Quantum secret sharing. Phys. Rev. A,59:1829, (1999). [Hsieh08] M.Hsieh, I. Devetak, and A. Winter. Entanglement-assisted capacity of quantum multiple-access channels. IEEE Transactions on Information Theory, 54(7):3078-3090, (2008). [Imre05] S. Imre, F. Balázs: Quantum Computing and Communications – An Engineering Approach, Published by John Wiley and Sons Ltd, (2005). [Inoue03] K. Inoue, E. Waks, and Y. Yamamoto, Differential-phase-shift quantum key distribution using coherent light, Phys. Rev. A 68, 022317 (2003). [Kawachi05] A. Kawachi, T. Koshiba, H. Nishimura, and T. Yamakami, ”Computational indistinguishability between quantum states and its cryptographic application.” Advances in Cryptology-EUROCRYPT 2005: 268-284. (2005). [Lamport81] L. Lamport, „Password Authentication with Insecure Communication,” Communications of the ACM, 24 (11), (1981).
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Quantum Cryptographic Protocols and Quantum Security
87
[Li09] K. Li, A. Winter, X. Zou, and G. Guo, “Private Capacity of Quantum Channels is Not Additive,” Physical Review Letters, vol. 103, no. 12, p. 120501, arXiv:0903.4308, (2009). [Lo96] H. Lo and H. Chau. Is quantum bit commitment really possible? Phys. Rev. Lett.,78:3410, quant-ph/9603004, (1997). [Mayers96] D. Mayers. The trouble with quantum bit commitment. quant-ph/9603015, (1996). [Mayers97] D. Mayers. Unconditionally secure quantum bit commitment is impossible. Phys. Rev. Lett.,78:3414, quant-ph/9605044. (1997). [Mayers98] D. Mayers. Unconditional security in quantum cryptography. quant-ph/9802025, (1998). [Mayers99] D. Mayers, L. Salvail, and Y. Chiba-Kohno. Unconditionally secure quantum coin tossing. quant-ph/9904078, (1999). [Mosca06] M. Mosca and D. Stebila. Uncloneable quantum money. In Canadian Quantum Information Students’ Conference (CQISC) 2006, Calgary, Alberta, August 2006. url http://www.iqis.org/events/cqisc06/papers/Mon-1130-Stebila.pdf. (2006). [Mosca07] M. Mosca and D. Stebila. A framework for quantum money. In Quantum Information Processing (QIP) 2007, Brisbane, Australia, (2007). [Nayak02] A. Nayak and P. Shor. On bit-commitment based quantum coin flipping. quantph/0206123, (2002). [Niederberger05] A. Niederberger, V. Scarani and N. Gisin, Phys. Rev. A 71, 042316 (2005). [Oppenheim03] J. Oppenheim and M. Horodeki. How to reuse a one-time pad and other notes on authentication and protection of quantum information. quant-ph/0306161, (2003). [Pan10] J. Pan and L. Yang, ”Quantum Public-Key Encryption with Information Theoretic Security.” e-print arXiv:1006.0354. (2010). [Paterson04] K. Paterson, F. Piper, and R. Schack. Why quantum cryptography?, eprint arXiv:quant-ph/0406147, (2004). [Peres95] A. Peres. Quantum theory: Concepts and methods, volume57 of The fundamental theories of physics. Kluwera academic publishers, (1995). [Peres02] A. Peres. How the no-cloning theorem got its name. arXiv:quantph/0205076, (2002). [Preskill97] J. Preskill, Quantum Computing: Pro and Con arXiv:quant-ph/9705032. (1997). [Preskill98] J. Preskill. Lecture notes on quantum information processing. http://www.theory.alteh.edu/people/preskill/ph229/#leture. (1998). [Rabin81] M. Rabin. How to exchange secrets by oblivious transfer. Technical report TR81,Aiken Computation Laboratory, Harvard University, (1981). [Renes07] J. Renes, G. Smith. Noisy processing and the distillation of private quantum states. Phys. Rev. Lett. 98, 020502 (2007). [Renner05] R. Renner, N. Gisin, and B. Kraus, Phys. Rev. A 72, 012332, (2005). [Rivest78] R. Rivest, A. Shamir, and L. Adleman, ”A method for obtaining digital signatures and public-key cryptosystems.” Communications of the ACM 21(2): 120-126 (1978). [Schneier96] B. Schneier. Applied Cryptography. John Wiley & Sons, (1996). [Schumacher98a] B. Schumacher and M. Westmoreland, "Quantum privacy and quantum coherence", Physical Review Letters 80, 5695-5697 (1998). [Schumacher2000] B. Schumacher and M. Westmoreland, "Relative Entropy in Quantum Information Theory" 2000, LANL ArXiV e-print quant-ph/0004045, (2000).
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
88
Laszlo Gyongyosi and Sandor Imre
[Shamir79] A. Shamir. How to share a secret. Communications of the ACM, 24(11):612-613, (1979). [Shor94] P. Shor. Algorithms for quantum computation: discrete logarithms and factoring. In Proc. 35th Ann. IEEE Symp. Foundations of Comp. Sci., pp. 124–134. IEEE Press, doi:10.1109/SFCS.1994.365700. eprint arXiv:quant-ph/9508027, (1994). [Shor97] P. Shor. Polynomial time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAMJ. Comp.,26(5):1484-1509, (1997). [Shor2000] P. Shor and J. Preskill. Simple proof of security of the BB84 quantum key distribution protocol. Phys. Lett. Lett.,85:441, quant-ph/0003004. (2000). [Smith08a] G. Smith, J. Smolin. Additive extensions of a quantum channel. IEEE Information Theory Workshop Proceedings (2008). [Smith08b] G. Smith, J. Renes, J. Smolin. Structured codes improve the Bennett-Brassard-84 quantum key rate. Phys. Rev. Lett. 100, 170502 (2008). [Smith08c] G. Smith, J. Smolin, A. Winter. The quantum capacity with symmetric side channels. IEEE Trans. Info. Theory 54, 9, 4208-4217 (2008). [Smith08d] G. Smith. The private classical capacity with a symmetric side channel and its application to quantum cryptography. Phys. Rev. A 78, 022306 (2008). [Smith09a] G. Smith, John Smolin. Can non-private channels transmit quantum information? Phys. Rev. Lett. 102, 010501 (2009). [Smith09b] G. Smith and J. A. Smolin, “Extensive Nonadditivity of Privacy,” Physical Review Letters, vol. 103, no. 12, p. 120503, Sep. arXiv:0904.4050. (2009). [Smith11] G. Smith, J. A. Smolin and J. Yard, Gaussian bosonic synergy: quantum communication via realistic channels of zero quantum capacity, arXiv:1102.4580v1, (2011). [Smolin92] J. Smolin, Experimental Quantum Cryptography, J. Cryptology 5, 3-28. (1992). [Stebila09] D Stebila Classical Authenticated Key Exchange and Quantum Cryptography, PhD Thesis, 2009. [Terhal01] B. Terhal, D. DiVinenzo, and D. Leung. Hiding bits in Bell states. Phys. Rev. A, 86:85807-85810, quant-ph/0011042. (2001). [Tokunaga03] Y. Tokunaga, T. Okamoto, and N. Imoto. Anonymous quantum cash. In ERATO Conference on Quantum Information Science (EQIS) 2003, (2003). [Townsend97] P. Townsend, „Quantum cryptography on multiuser optical fiber networks,” Nature 385, 47 (1997). [Trappe02] W. Trappe and L. Washington. Introduction to cryptography with coding theory. Prentice Hall, (2002). [Wiesner83] S. Wiesner. Conjugate coding. SigatNews,15-19:78, (1983). [Winter01] A. Winter. The capacity of the quantum multiple access channel. IEEE Transactions on Information Theory, 47:3059-3065, (2001). [Wootters82] W. Wootters and W. H. Zurek. A single quantum cannot be cloned. Nature, 299:802–803, doi:10.1038/299802a0. (1982). [Yang03] L. Yang, ”A public-key cryptosystem for quantum message transmission.” Proceedings of the SPIE - The International Society for Optical Engineering 5631(1): 233 236.(e-print arXiv:quant-ph/0310076). (2005). [Yao86] A. Yao. How to generate and exchange secrets. In Proceedings of the 27th FOCS, pages 162-167, (1986).
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Cryptographic Protocols and Quantum Security
89
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
[Yao95] A. Yao. Security of quantum protocols against coherent measurements. In Proceedings of the 1995 ACM Symposium on Theory of Computing, pages 67-75, (1995). [Yard05a] J. Yard. Simultaneous classical-quantum capacities of quantum multiple access PhD thesis, Stanford University, Stanford, CA,arXiv:quantchannels. ph/0506050.(2005). [Yard05b] J. Yard, I. Devetak, and P. Hayden. Capacity theorems for quantum multiple access channels. In Proceedings of the International Symposium on Information Theory, pages 884-888, Adelaide, Australia, (2005). [Yard06] J. Yard, P. Hayden, and I. Devetak. Quantum broadcast channels, arXiv:quantph/0603098., (2006). [Yen05] B. Yen and J. Shapiro. Multiple-access bosonic communications. Physical Review A, 72(6):062312, (2005). [Yuen2000] H. Yuen. Unconditionally secure quantum bit commitment is possible.quantph/0006109, (2000). [Yuen2000a] H. Yuen. Anonymous key quantum cryptography and unconditionally secure quantum bit commitment.quant-ph/0009113, (2000).
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved. Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
In: Cryptography: Protocols, Design and Applications ISBN: 978-1-62100-779-1 Editors: K. Lek and N. Rajapakse, pp. 91-111 © 2012 Nova Science Publishers, Inc.
Chapter 2
LOW-COST MUTUAL AUTHENTICATION PROTOCOLS Mu’awya Naser1,*, Pedro Peris-Lopez2,†, Mohammad Rafie1,‡ and Rahmat Budiarto3,§ 1
School of Computer sciences, Main Campus, Unvirisity Sains Malaysia, Pinang Malaysia 2 Information Security and Privacy Lab, Technic-al University of Delft 3 InterNetWorks Research Group School of Computing UUM CAS Universiti Utara Malaysia Sintok, Kedah, Malaysia
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Introduction Security protocols can be classified under several categories. The first category classifies protocols into full-fledged, simple, lightweight, and ultralightweight. The second category includes high-cost and low-cost protocols. These categories are based on cryptographic primitives used in relation to the cost of applying these primitives in any designed protocol. The first category can be considered a subcategory of the second category: full-fledged and simple protocols can be both high-cost and low-cost security protocols, whereas lightweight and ultralightweight protocols are low-cost security protocols. The third category classifies security protocols based on conventional and unconventional categories, where unconventional categories refer to primitives that are not yet considered standards in the cryptography domain. With these categories in mind, the rest of the present research focuses only on low-cost lightweight and ultralightweight security protocols belonging to unconventional primitives. These security protocols are used to achieve mutual authentication between the tag and the reader. Low-cost mutual authentication protocols use simple and inexpensive computational operations, including Pseudo-Random Number Generator (PRNG), Cyclic Redundancy Code *
E-mail address: [email protected] E-mail address: [email protected] ‡ E-mail address: [email protected] § E-mail address: [email protected] †
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
92
Mu’awya Naser, Pedro Peris-Lopez, Mohammad Rafie et al.
(CRC) checksum, rotation functions, as well as Mixbit functions and simple bitwise operations such as XOR, AND, and OR. The rest of this chapter describes the lightweight and ultralightweight security protocols. The main protocols proposed for each group are analyzed to show the weaknesses in each protocol.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Lightweight Mutual Authentication Protocols (Vajda and Buttyán, 2003) proposed the first low-cost, lightweight mutual authentication protocol based on challenge-and-response authentication. Their proposal was a simple protocol that provides a basic security level and that can be strengthened, for example, by adding a non-linearity function and mixed operation as well as by using different keys and compressions as suggested by (López, Castro, and Garnacho, 2008). Subsequently, (Karthikeyan and Nesterenko, 2005), (Ari Juels, 2005), and (Duc, Park, Lee, and Kim, 2006) proposed new security schemes that conform to Gen-2 tags and use PRNG and CRC instead of hash functions or other expensive conventional cryptography schemes. The characteristics of lightweight protocols are defined as their capability to provide secure protocols that support PRNG and simple functions, such as CRC, but not cryptographic hash functions (H. Chien, 2007). (Ari Juels, 2005) designed a protocol that discovers cloned tags by storing an initial personal identification number (Chih-Yung, Chien-Ping, and Fang-Yuan) at the tag memory and at the back-end database for identification. Before starting the session with the tag, the back-end database generates a PIN-set of size qJ, which includes the PIN for the tag to be communicated, and then transmits the PIN-set to the reader. In turn, the reader sends the PINset to the tag, where only the legitimate tag can identify its PIN within the set. The probability of an attacker guessing the PIN correctly is 1/qJ. This protocol by Juels was a lightweight, but it enhanced the security level only to O(qJ). Eventually, the protocol was broken by several researchers, but it provided the basis for designing lightweight protocols. The next section describes the major lightweight protocols considered in the present research.
The Karthikeyan and Nesterenko Protocol (Karthikeyan and Nesterenko, 2005) developed a secure tag identification algorithm based on matrix multiplication and simple bitwise XOR operations. Figure 1 illustrates this algorithm. Each tag and reader stores a key (K) and two matrices. The key represents a vector of size q; q=rp, where r is an integer, and is changed for every identification session. The tag stores two matrices (M1 and M2-1) of size p×p while the reader stores the inverse of these matrices (M1-1, M2). The key and matrices are chosen randomly for each tag. In matrix multiplication, the M1 in the tag is multiplied by the key for that session to produce a new matrix (X) that uniquely identifies the tag. X will be sent to the reader in a message and forwarded to the back-end database to look for a match and authenticate the tag if a match is found. If a match is found, the database calculates the values Y using Y= (K1 ⊕ K2 ⊕ Kr,)M2, generates a new X value (Xnew), calculates Z using Z= (XnewM1-1)M2, and then sends Y and Z in a message to
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Low-Cost Mutual Authentication Protocols
93
the tag via the reader for verification. When Z is verified, the reader is authenticated by the tag using the equation YM2-1=?(K1 ⊕ K2 ⊕ Kr,). Figure 1 depicts the protocol design.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Figure 1. Secure tag identification algorithm.
Karthikeyan and Nesterenko (2005) claimed that their algorithm is secure against the anticipated threats of radio frequency identification (RFID) systems. Eventually, (H.-Y. Chien and Chen, 2007) proved otherwise by introducing three attacks against this algorithm, namely, denial of service (Dos), replay, and individual tracing attacks. (H.-Y. Chien and Chen, 2007) claimed that the secure tag identification algorithm is vulnerable because the tag does not authenticate the received value Z when it is updating the key. Thus, if an attacker manages to replace the Z value with a fake Z value, then the tag will still update the key using the fake Z value. Consequently, a Dos attack will be successful because the legitimate reader and the tag will not be able to authenticate each other. Furthermore, the attacker can replay the value Y of the previous legitimate session in the next session, thereby cheating the tag in wrongly accepting the request and access the tag accordingly. They also claimed that the data transmitted over several sessions could be recorded and that launching the abovementioned attack several times would allow the attacker to trace the tag. Hence, the anonymity property of the scheme is violated.
The Duc et al. Protocol (Duc, et al., 2006) developed an RFID protocol based on a session key-synchronization that uses the combined CRC and PRNG techniques. Initially, each tag and the back-end server store three corresponding values that match each other: the Electronic Product Code (EPC) and the access code (PIN password) of the tag as well as the initial key (K0). The key is derived from a random seed number (seed) using the PRNG and stored as K1=f(seed) in both the tag and the database. Figure 2 illustrates this protocol. As shown in Figure 2, to start a session, the reader first sends a request query to the tag. The tag then computes the values for the first message using M1=CRC (EPC||r) ⊕ Ki and C=CRC(M1 ⊕ r), where r is a random nonce and k is the secret key for the ith session. Subsequently, the tag sends the values of M, C, and r to the reader, which in its turn sends this message to the back-end server, after the back-end server and the reader have authenticated each other. Note that in this scheme, the reader and the back-end database are treated as two separate entities. Next, the back-end server verifies the values by re-computing them using
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
94
Mu’awya Naser, Pedro Peris-Lopez, Mohammad Rafie et al.
the same functions with the values stored on its side and the received nonce, and then matches the computed values to those received from the tag. If the equation holds, the tag is successfully authenticated; otherwise, the tag is rejected and the process stops.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Figure 2. The Duc et al. protocol.
Subsequently, the back-end server calculates its message for the tag using M2=CRC (EPC||PIN||r) ⊕ Ki and forwards the value to the tag via the reader. Similarly, when the tag receives the message, it also computes M2 using local values (i.e., PIN, r, EPC, and Ki) and then verifies whether the received M2 value matches with the locally computed M2. If the equation holds, the database is successfully authenticated, and the mutual authentication is completed; otherwise, the tag rejects the request and the process stops. Finally, both the backend server and the tag update their shared keys as Ki+1=f(Ki) upon receiving the “end session” command from the reader. Duc et al. (2006) claimed that their protocol can achieve privacy protection and mutual authentication. Eventually, (H.-Y. Chien and Chen, 2007) revealed three weaknesses in their protocol. (H.-Y. Chien and Chen, 2007) claimed that the scheme could not defend the tags and readers against Dos attacks, detect the disguise of tags, and provide forward secrecy. Chien and Chen (2007) argued that the Dos attacks would succeed if the “end session” command sent to the tag was intercepted during the execution of this command, at which point the shared key between the tag and the back-end server would be out of synchronization. Moreover, if the “end session” command to the back-end server is intercepted, the backend server will hold the old key; hence, a counterfeit tag can replay the old data (i.e., M1, C, and r) to disguise itself as a legitimate tag. Finally, they claimed that the scheme could not provide forward secrecy based on the assumption that if a tag is compromised, the attacker will obtain the values stored by the tag (i.e., EPC, Pin, and Ki). Accordingly, the attacker can verify whether a communication is performed by the same tag by using the M1, M2, and r data transmitted in the previous sessions by computing M1 ⊕ M2 to derive the value CRC(EPC ⊕ r) ⊕ (EPC||PIN||r) and by using the compromised values (i.e., EPC, PIN, and Ki) as well as the eavesdropped r. The attacker can execute a similar computation to verify whether it came from the same tag and, as a result, trace the tag To address the weaknesses of the protocols by Karthikeyan and Nesterenko (2005) and Duc et al.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Low-Cost Mutual Authentication Protocols
95
(2006), they also proposed a new scheme that conforms to the Gen-2 standards and improves the security performance for this category in general. Their protocol is described in the next section.
The Chien and Chen Protocol
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
The protocol of (H.-Y. Chien and Chen, 2007) consists of two phases: the initialization phase and the authentication phase. In the initialization phase, two random values, K0 and P0, are stored in the tag (K is the initialization key; P is the access key) and matched with two session values in the database, where Kold=Knew=K0, and Pold=Pnew=P0. Each tag (x) also stores another value for the EPC for the tag (EPCx), whereas the reader stores EPCx and another field (Data) for the related tag information. Figure 3 illustrates this protocol.
Figure 3. The Chien and Chen protocol.
In the authentication phase, the reader sends a random nonce (N1) as a challenge to the tag. The tag generates another random nonce (N2), computes M1 using M1=CRC(EPC||NR||NT) ⊕ Ki, and then sends these values to the database through the reader together with N2. Subsequently, the database iteratively picks up an entry consisting of Kold, Knew, Pold, Pnew, EPC, and Data stored in its database, computes the values Iold=M1 ⊕ Kold and Inew=M1 ⊕ Knew, and then checks which of Iold and Inew matches with the CRC(EPCx||N1||N2) computed by the database itself. The process is repeated for each entry in the database until a match is found. If a match is not found, it sends a “failure” message to the reader to stop the process. Otherwise, the tag is successfully authenticated, and the database identifies which keys are used (“old” or “new”). Consequently, the database computes for M2=CRC(EPCx||N2) ⊕ Pt, where t is equal to the “old” or “new” key, depending on which value (Kold or Knew, respectively) satisfies the previous match. Next, the database updates the Kold=Knew, Pold=Pnew, Knew=PRNG(Knew), and Pnew =PRNG(Pnew) values and then sends the values of M2 and Data to the reader, which in turn sends them to the tag. Finally, the tag verifies whether the equation M2 ⊕
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
96
Mu’awya Naser, Pedro Peris-Lopez, Mohammad Rafie et al.
Pt=CRC(EPC||N2) holds. If so, the tag updates the keys as Kt_i+1=PRNG(K t_i+1) and P t_i+1=PRNG(Pi+1) for the next access and ends the session. Chien and Chen (2007) claimed that their design of updating keys simultaneously could defend against Dos and replay attacks. However, in the same year, (Lo and Yeh, 2007) revealed that the protocol suffers from several weaknesses in terms of performance efficiency, such as the heavy computation load on the protocol when finding the matching data-entry at the back-end server side during the authentication phase. Moreover, they also claimed that the protocol does not provide anonymity and forward security. Details about these attacks can be found in their research. The authors also proposed a new scheme that is resilient against Dos and replay attacks aside from providing excellent privacy protection such as anonymity and forward secrecy. They also found that the protocol is vulnerable to Dos and replay attacks. In addition, (T. Yeh, Wang, Kuo, and Wang, 2010) confirmed the findings of the analysis by (Lo and Yeh, 2007) on the performance efficiency of the protocol. Yeh et al. (2010) described how the protocol of Chien and Chen (2007) scheme suffers from database overloading and lack of privacy in terms of anonymity and forward security.
The Li et al. Protocol
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
In 2007, (Y.-Z. Li, Cho, Um, and Lee, 2007) proposed a protocol simply based on a shared pseudonym and an XOR function. Given that the tag and the database share only a secure ID (Sid) in the initialization phase, two random numbers (n1 and n2) generated by the tag are used to mark the segments of Sid to produce two partial IDs (Pid) using PID1L= f (SID, n1) and PID2R= f (SID, n2). Figure 4 illustrates the protocol of Li et al.
Figure 4. The Li et al. protocol.
The protocol starts when the reader sends inquiry information to the tag along with a generated random number (R). The tag computes R’ using R’=R ⊕ PID1L ⊕ PID2R, and then sends R’, n1, and n2 values in one message to the reader. The reader sends these values to the Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Low-Cost Mutual Authentication Protocols
97
tag with the initial R. The server iteratively searches the database for all Sids and verifies the tag by checking whether PID’=? R’ ⊕ R=(PID1L, n1) ⊕ (PID2R, n2). If PID’ does not match, then the process stops; otherwise, the database computes for PID”=f (SIDi, n1, n2) and sends it to the tag through the reader. The tag verifies the value using its local values. If PID”does not match, the tag sends “NO” to the reader, which in turn terminates the protocol; otherwise, the tag sends “OK” to the reader and forwards it to the database. Finally, if the database receives an “OK” message, the server replies to the reader with the collected Sid information of the reader. Note that in this scheme, the reader and the back-end database are treated as two separate entities because the reader represents a smart reader (Y.-Z. Li, et al., 2007). Li et al. (2007) conducted security and efficiency analyses and claimed that the protocol is more efficient than the previously proposed schemes. They found that their protocol is more secure against replay, eavesdropping, and spoofing attacks as well as against location privacy exposure. Eventually, (H.-Y. Chien and C.-W. Huang, 2007) discredited the protocol by proving that it is vulnerable to disclosing the secret value Sid. Given that an attacker can eavesdrop on the communication and record the data R’, R, n1, n2, and PID”, the attacker can compute for R’ ⊕ R to obtain PID1L ⊕ PID2R. Using all these partial Sid information, the attacker can run the process repeatedly to disclose fully all the bits of Sid. In addition, they also revealed that the protocol is vulnerable to replay attacks and proposed an improvement by introducing a rotation function to the protocol of Li et al.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
The Chien and Huang Protocol In 2007, (H.-Y. Chien and C.-W. Huang, 2007) reported that the protocol of (Y.-Z. Li, et al., 2007) is vulnerable to replay attacks. Accordingly, they proposed an improvement by adding a rotation function to the protocol. Figure 5 illustrates the protocol of Chien and Huang.
Figure 5. The Chien and Huang protocol.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
98
Mu’awya Naser, Pedro Peris-Lopez, Mohammad Rafie et al.
In the initialization phase, each tag and the database share an l-bit secret key (x). The function g( ) represents a random number generator. First, the reader generates a random number R1 and sends it to the tag. Subsequently, the tag generates a random number R2, computes for the value ğ=g(R1 ⊕ R2 ⊕ x), rotates Sid to obtain SID’ using SID’= rotate(SID, ğ), calculates R’ using R’=Left(SID’ ⊕ ğ), and then replies to the reader with a message containing R2 and R’. The reader sends the received value together with R1 to the database. Upon receiving R’, R, and R2, the database server iteratively picks up one candidate Sid from the database, computes for ğ=g(R1 ⊕ R2 ⊕ x) and SID’= rotate(SID, ğ), and then checks whether Left(SID’ ⊕ ğ)=?R’. If a match is not found, the database responds with “failure”; otherwise, the matched Sid is taken as the tag identification. Next, the database computes for R”=Right(SID’ ⊕ ğ) and then sends R” via the reader to the tag, which in turn checks whether Right(SID’ ⊕ ğ)=?R” to authenticate the reader. After the reader is authenticated successfully, the tag sends an “OK” message to the reader, which in turn forwards the information to the database; otherwise, it responds with a “no find” message. Upon receiving the “OK” message, the server transmits the Sid to the reader; otherwise, the reader stops the protocol. (H.-Y. Chien and C.-W. Huang, 2007) claimed that the protocol is resilient against traceability, Dos, and replay attacks. Nevertheless, (Lei, Yong, Cai, and Na-na, 2009) and (Yong, Lei, Na-na, and Tao, 2010) proved that the protocol of Chien and Huang does not offer forward secrecy because the key (x) is not updated during the authentication process; that is, an attacker can deduce the previous secrecy from the secret information currently exposed. (Deursen and Radomirovi, 2009) also illustrated an algebraic replay attack against the protocol of Chien and Huang. Recently, a new lightweight authentication protocol for low-cost RFID has been proposed by (H.-Y. Chien and Huang, 2010). The authors claimed that this new protocol has improved the security and computational performance and that it has better forward secrecy and resistance to Dos attacks. They stated that this protocol is an improvement of the protocol of Li et al. They also indicated that their proposed protocol reduces the computational cost in identifying a tag from O(n) to O(1). More details on this protocol can be found in (H.-Y. Chien and Huang, 2010).
The Chen and Deng Protocol Similar to their predecessors, (C.-L. Chen and Deng, 2009) also proposed a Gen-2 compliant mutual authentication protocol. In their protocol, both the tag and the back-end database server share a key (K), a random nonce value (N), and an EPC identifier, which is stored in a non-volatile memory (EPCT). The protocol is composed of two phases: the registration phase and the communication phase. In the registration phase, the tag and the reader must register in the database separately before they can communicate with each other. Each tag is assigned to two unique vales (Ni and Ki) to identify the ID of each tag (EPCTi, where i denotes the ith tag, 1≤ i ≥ n, and n is the total number of tags). Both the tag and the database store these values. Each reader is identified by its ID (IDR) and stores the set of values identifying the tags {(N1,K1),(N2,K2),…,(Ni,Ki)}. The purpose of the registration phase is to allow only registered readers to communicate with the registered tags to ensure
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Low-Cost Mutual Authentication Protocols
99
legitimacy. The complete details on the registration phase can be found in (C.-L. Chen and Deng, 2009). The next section describes the communication phase. Figure 6 illustrates the protocol of Chen and Deng during the communication phase. In this phase, after successful registrations, when a reader wants to access the ith tag, the reader computes for the value CRC(Ni ⊕ RND) and then sends the tag a message containing a query message (Mreq), the computed value CRC(Ni ⊕ RND), and the random number (Rnd) used to compute for the value. Subsequently, the tag computes for CRC(Ni’ ⊕ RND) using the Ni stored in it and then matches this value with the one received from the reader. If the two values match, the tag authenticates the reader, generates a new random number (RNDnew), and then computes for two new values (X and Y) using X=Ki ⊕ EPCTi ⊕ RNDnew and Y=CRC(RNDnew ⊕ Ni’ ⊕ X. Afterwards, the tag sends the RNDnew, X, and Y to the reader. Similarly, the tag re-computes for Y and matches it with the value received from the tag. If the two values match, the reader authenticates the tag and completes the mutual authentication.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Figure 6. The Chen and Deng protocol.
Based on the analysis conducted, the authors claimed that their protocol is resilient against counterfeit tags and readers, man-in-the-middle attacks, and Dos attacks as well as provides privacy protection and location privacy. However, (Burmester, de Medeiros, Munilla, and Peinado, 2009)) demonstrated how this scheme is vulnerable to replay attacks. Only one interrogation is required to obtain the X and Y values. The tag is impersonated by computing a valid random number as well as the X and Y values.
The Qingling et al. Protocol Another example of a Gen-2-compliant mutual authentication protocol is that proposed by (Qingling, Yiju, and Yonghua, 2008), which is based on a challenge-response authentication scheme. Initially, the tag and the database store two shared private 32-bit values that correspond to the Tag IDentifier (TID). Figure 7 illustrates the protocol of Qingling et al. Initially, each tag (x) stores its ID (TIDx) and its access password (aPWx), whereas the database stores the records of all tags containing these sets of values [(TID1, aPW1), (TID2, aPW2),…, (TIDi, aPWi)]. For each session, the reader first generates a 16-bit random number Rr and then sends a message containing Query and Rr to the tag. Upon receiving this message,
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
100
Mu’awya Naser, Pedro Peris-Lopez, Mohammad Rafie et al.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
the tag generates a 16-bit random number Rt, and computes for Mxl, Mxh, and ciphertext Mx using the equations Mxl=CRC (TIDxl*Rt*Rr), Mxh=CRC (TIDxh*Rt*Rr), and Mx= (Mxl Π Mxh)*aPWx, respectively. Subsequently, the tag encrypts Mxl Π Mxh with aPWx to generate a ciphertext and then sends a message containing Mx and Rt to the reader, which in turn adds Rr to the message and forwards it to the back-end database server. For each local TIDi and aPWi values, the server verifies whether the equation Mx*aPWi=CRC(TIDil*Rt*Rr) П CRC(TIDil*Rt*Rr) holds. If there is no match, the process stops with failure; otherwise, the tag is successfully identified and authenticated. Likewise, the server, after successful tag authentication, computes for Mil, Mih, and ciphertext Mi using the formulas shown in Figure 7 and then sends Mi to the tag. Finally, the tag checks whether Mi is correct. If it is correct, the reader is successfully identified and authenticated; otherwise, the process fails and stops. According to Qingling et al., their protocol is resilient against spoofing, replay, and Dos attacks as well as against traffic analysis and tracking attacks. However, (Burmester, et al., 2009) claimed that there are possibilities for replay attacks against their protocol due to the linearity aspect of the CRC. The full details of these possibilities are described in their original paper (Burmester, et al., 2009). Burmester et al. also reviewed another Gen-2compliant mutual authentication protocol proposed by (H. Sun and Ting, 2008). The protocol of Sun and Ting is described in the next section.
Figure 7. The Qingling et al. protocol.
The Sun and Ting Protocol In 2008, (H. Sun and Ting, 2008) proposed a lightweight authentication protocol based on Gen-2 called Gen2+, which uses PRNG and CRC only. In this scheme, each tag and the back-end server share a random l-word-string called keypool (K), which is stored together with its EPC. Figure 8 illustrates the protocol by Sun and Ting. The protocol starts when the reader sends a query to the tag. The tag then draws a 16-bit pseudorandom number (RN16) as two 8-bit addresses. These two numbers mark a segment of the keypool stored in this tag. Let [a: b] denote the segment (substring) from the ath word to
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Low-Cost Mutual Authentication Protocols
101
the bth word of keypool k. At the same time, the tag calculates the CRC residue of k[a, b] and keeps the residue centralkey (ck). If a ≥ b, the segment k[a : b] contains the words from a to b; otherwise, k[a : b] = k[a : l − 1]|| k[0 : b]. After completing the calculation, the tag sends the value RN16 to the database.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Figure 8. The Sun and Ting Gen2+ protocol.
The database computes the central key ck’ by computing a check message for every k in the database and removes the keypools k with different ck, creating a reduced database. Subsequently, the database compute the CRC(k[a, b]) of all remaining keypools in the reduced database. Next, the database forwards the ck’ value to the tag. Upon receiving ck’, the tag computes ck=CRC(k[a, b]) for the locally stored keypool and then compares it with ck’. If their Hamming distance is greater than a threshold t (typically t=1), the tag does not respond; otherwise, the tag authenticates the reader and sends the locally stored EPC to the reader. After the reader has proven itself to the tag, the reader can check the validity of the tag by reading the whole keypool and comparing it with the record in the database. If the attacker tries to recover the whole keypool from the previous captured sessions, the reader can update the keypool of the tag by memory write. The full details describing the process of creating ck’ and validating ck by the database server can be found in the original paper (H. Sun and Ting, 2008). Moreover, according to Sun and Ting (2008), their protocol is secure against tracing and skimming attacks as well as tag spoofing and tag cloning attacks. However, (Burmester, et al., 2009) revealed how this protocol can be clearly subjected to replay attacks because only the tag contributes to the randomness of protocol flows. An attacker only needs to eavesdrop on one interrogation for a tag to obtain the required protocol flows. Furthermore, they also claimed that the protocol of Sun and Ting is also vulnerable to a complex statistical attack, where an attacker eavesdrops on a number of tag interrogations and then replays the tag flows to the reader, thereby changing adaptively the last challenge. This makes it possible for the attacker to build up gradually sufficient information about the CRC of the words in a tag keypool to clone the tag. The full attack details can be found in (Burmester, et al., 2009).
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
102
Mu’awya Naser, Pedro Peris-Lopez, Mohammad Rafie et al.
Ultralightweight Mutual Authentication Protocols Chien (2007) classified the Ultralightweight Mutual Authentication Protocols , which is one of the authentication protocol classes aside from full-fledged, simple, and lightweight. UMAP uses only simple bitwise operations, such as XOR, AND, and OR, as well as rotation functions and Mixbit functions. UMAP is suitable for applications with limited memory and processing capabilities, such as low-cost RFID tags. In 2006, the first ultralightweight protocols were proposed by Peris-Lopez et al. when they introduced in several publications a family of UMAP inspired by the Minimalist Cryptography proposed by (A Juels, 2005). The UMAP family consists of EMAP (Pedro Peris-Lopez, Julio Hernandez-Castro, Juan EstevezTapiador, and Arturo Ribagorda, 2006), LMAP (P Peris-Lopez, JC Hernandez-Castro, JM Estevez-Tapiador, and A Ribagorda, 2006b), and M2AP (P Peris-Lopez, J Hernandez-Castro, J Estevez-Tapiador, and A Ribagorda, 2006c). The next section describes the UMAP family and two other major ultralightweight protocols related to the present research as well as the attacks proposed against each protocol.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
The M2AP, EMAP, and LMAP Protocols In 2006, three separate protocols were introduced that became known as the UMAP family due to their shared characteristics. These protocols were M2AP (a minimalist mutualauthentication protocol for low-cost RFID tags) (P Peris-Lopez, J Hernandez-Castro, et al., 2006b), EMAP (an efficient mutual-authentication protocol for low-cost RFID tags), and LMAP (a real lightweight mutual-authentication protocol for low-cost RFID tags).(P PerisLopez, JC Hernandez-Castro, JM Estevez-Tapiador, and A Ribagorda, 2006a) M2AP, EMAP, and LMAP are protocols based on the index-pseudonym (IDS), which is 96 bits in length. An IDS is an index of a table row that stores all the information about a tag. Each tag is associated with a key, which is divided into four parts of 96 bits in length each (K = K1 || K2 || K3 || K4). The tag needs 480 bits of rewritable memory for each update after a successful authentication. A total of 96 bits of static memory are required for the identification value (ID). These protocols use simple bitwise operations, such as modular addition, AND, Not, OR, and XOR. All costly operations, such as random number generator and multiplication, are executed on the side of the reader. These protocols also assume that both the backward and forward channels can be listened to by an attacker. Nevertheless, the communication between the reader and the database is considered secure. Thus, the reader and the back-end database server are treated as one entity. Each protocol consists of four stages: tag identification, mutual authentication, indexpseudonym updating, and key updating. (T. Li, Wang, and Deng, 2008) summarized these three protocols for better analysis. A summary of mutual authentication procedures is shown in Figure 9. The stages of the protocols are described as follows: Tag Identification: The reader sends a “hello” message to the tag, to which the tag replies with its current IDS. Using this IDS, only an authorized reader can access the secret key of the tag (K = K1 || K2 || K3 || K4), which is required for the next phase. Mutual Authentication: The reader generates sub-messages A, B, and C using two pregenerated random numbers (n1 and n2) and then sends them to the tag. The tag authenticates the reader and obtains n1 from the sub-messages A and B, and n2 from C. Next, the tag
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Low-Cost Mutual Authentication Protocols
103
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Figure 9. The M2AP, EMAP, and LMAP protocols (T. Li, et al., 2008).
generates D (LMAP) and E (M2AP and EMAP) before passing them to the reader. The authentication process is completed if the reader obtains the tag’s ID by processing the submessages D or E. Index-pseudonym and key updating: After the tag and the reader are mutually authenticated, they update the index-pseudonym and the key using the equations shown in Figure 10. The EMAP protocol uses a parity function, where the 96 bit number X is divided into 24 4-bit blocks. Each block has a total of 24 parity bits. More details are explained in EMAP (P Peris-Lopez, J Hernandez-Castro, J Estevez-Tapiador, and A Ribagorda, 2006a). All three protocols share almost the same basic characteristics in terms of operations, number of authentication steps, and the required memory size. The only difference between these protocols is the number of basic operations: EMAP has the highest number of basic operations given that it has an additional parity function in the protocol, which is considered a basic operation. In the original publications, the proponents of the UMAP family conducted a security analysis for each protocol and claimed that their protocols are secure against some well-known attacks, such as man-in-the-middle, replay, and forgery. Eventually, many attacks have been proposed against M2AP, EMAP, and LMAP since their publication. These attacks are categorized into two: active attacks and passive attacks. Some examples of active attacks are man-in-the-middle, desynchronization, and replay attacks, whereas passive attacks include eavesdropping. In general, these protocols have a major drawback because all the operations they use are triangular functions (Klimov and Shamir, 2005). The output bits of these functions depend on the leftmost input bits only rather
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
104
Mu’awya Naser, Pedro Peris-Lopez, Mohammad Rafie et al.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Figure 10. Index-pseudonym and key updating in M2AP, EMAP, and LMAP (T. Li, et al., 2008).
than on all the input bits. Furthermore, the composition of triangular operations always results in a triangular function, consequently making the work of a cryptanalyst easier. Other studies have also proved that the UMAP family is vulnerable against different attacks. Several reports have claimed that M2AP is vulnerable to passive attacks (Bárász, Boros, Ligeti, Lója, and Nagy, 2007b) (T. Li and Wang, 2007). Subsequently, (H. Chien and C. Huang, 2007) introduced a new full-disclosure attack more efficient than the previous attack schemes. Barasz described the details of a desynchronization attack in his research (Bárász, Boros, Ligeti, Lója, and Nagy, 2007a). Similarly, (T. Li and Deng, 2007) and (Bárász, Boros, Ligeti, Lója, and Nagy, 2008) also reported that EMAP has the same weaknesses as M2AP. In 2008, Li conducted another security analysis of all three members of the UMAP family and revealed the weaknesses of these protocols. In general, these protocols are vulnerable against desynchronization and full-disclosure attacks. Li also discussed several countermeasures that could be used to improve the security of the UMAP family protocols.
The Strong Authentication and Strong Integrity (SASI) Protocol In 2007, (H. Chien, 2007) suggested a new protocol called SASI to overcome the vulnerability of the previous protocols. The protocol considers the tag, reader, and back-end server as three separate entities. The protocol assumes that the communication channel between the reader and the database is secure. Nonetheless, the communication channel between the tag and the reader is unsecure. According to Chien (2007), each tag has a static identification (ID) and pre-shares an index pseudonym (IDS) and two keys (K1 and K2) with the back-end database. The length of each variable is 96 bits. SASI uses basic operations similar to the previous protocols (UMAP family), such as simple bitwise operations (i.e., XOR, AND, OR, and Addition mod 2n) and
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Low-Cost Mutual Authentication Protocols
105
Hamming weight rotation function. The tag stores two entries of the variables (IDS, K1, or K2). The first entry is the old values; the other entry is stored for the potential next values. The purpose of storing two entries of these variables is to defend against potential desynchronization attacks. The stages of the protocol are shown in Figure 11.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Figure 11. The SASI protocol (H. Chien, 2007).
The protocol consists of three phases: tag identification, mutual authentication, and pseudonym and key updating. The old IDS variable is sent to the reader by the tag if and only if the reader fails to identify the tag on the first probe. Tag Identification: The reader sends a “hello” message to the tag, which in turn replies with its potential next IDS. If the reader finds a matched entry in the database, it proceeds to the next phase; otherwise, the reader probes the tag again and the tag replies with its old IDS. Mutual Authentication Phase: Upon finding the match for the received value in the database, the reader generates two random numbers (n1 and n2), and subsequently uses these numbers to generate messages A, B, and C based on the equation shown in Figure 11. Next, the reader sends these values to the tag. The tag extracts n1 and n2 from A and B, respectively, and then computes for K1 and K 2 , as well as the response value D. Upon receiving D, the reader uses its local value to verify D. Pseudonym and Key Updating: After the reader and the tag are mutually authenticated, they update their local index pseudonym and keys, as shown in Figure 11. The main difference between SASI and the members of the UMAP family is the addition of the rotation function, which is a non-triangular function. The rotation function is supported by the tag and is therefore an acceptable modification because it can be performed efficiently (Hernandez-Castro, Tapiador, Peris-Lopez, and Quisquater, 2008). Thus, SASI was considered resilient against all possible attacks, such as desynchronization, traceability, and disclosure attacks. However, several attacks on SASI were proposed shortly after its publication that discredited the claim despite its improvements. According to (H.-M. Sun, Ting, and Wang, 2009), SASI is vulnerable against desynchronization attacks. Moreover, D’Arco (D’Arco and De Santis, 2008) proposed
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
106
Mu’awya Naser, Pedro Peris-Lopez, Mohammad Rafie et al.
another desynchronization, identity disclosure, and full disclosure attacks against SASI. Hernandez-Castro (Hernandez-Castro, et al., 2008) presented the first passive attack against SASI, presuming that SASI uses a circular shift rotation. Nevertheless, this attack is not considered a vulnerability because SASI uses the Hamming weight rotation, which can protect against this kind of attack. (Cao, Bertino, and Lei, 2008) also proposed a Dos and traceability attack. Finally, (Phan, 2009) proved that SASI is not resistant against tracking and proposed a traceability attack on tags utilizing SASI.
The Gossamer Protocol
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Gossamer is an alternative protocol inspired by the aforementioned SASI protocol. Gossamer was proposed by (Peris-Lopez, Hernandez-Castro, Tapiador, and Ribagorda, 2009) in 2009. The difference between SASI and Gossamer is that Gossamer uses the MixBits function aside from the other operations used previously in the UMAP family and SASI. Moreover, by including the MixBits function to Gossamer aside from the circular shift rotation function, the triangular function of the previous protocols is nearly eliminated. Thus, Gossamer is more resilient against attacks than the previously proposed ultralightweight protocols.
Figure 12. The Gossamer protocol (Peris-Lopez, et al., 2009).
Similar to SASI, each tag and the back-end database in this protocol initially store a static identifier (ID), an index-pseudonym (IDS), and two keys (K1 and K2) in its memory. Aside from these values, two tuples of the old and the potential next values (IDS, K1, and K2) are Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Low-Cost Mutual Authentication Protocols
107
also stored to avoid desynchronization attacks. The communication between the reader and the back-end database is assumed to be secure; hence, both of them are considered as one entity only, as denoted by Reader. In general, the Gossamer protocol consists of three stages: tag identification, mutual authentication, and updating phase. Figure 12 illustrates the Gossamer protocol. As depicted in the figure above, in the tag identification phase, the reader first sends a “hello” message to the tag, to which the tag replies with its IDSnext. Upon receiving the value, the reader searches the database for the shared keys of the tag in the database. If no match is found, the reader requests for the old IDS to identify the tag; otherwise, the protocol moves to the next step. In the mutual authentication phase, the reader generates two random nonce values (n1 and n2) and then generates n3 using the MixBits function over the two values. The reader also computes for the values A, B, and C using the equations shown in Figure 12 and then sends a message containing these values to the tag. When the tag receives the message, the tag extracts n1 from A and n2 from B, and then computes for C’ using its local values. The tag verifies that C’ is equal to the received value to confirm and authenticate the reader. Once verified, the tag then computes for the value of D and sends it to the reader. The reader already has all the required values for the value of D. Hence, when the reader receives the last message from the tag, it computes for D’ and then compares it with the received value. If the values are equal to each other, the tag is authenticated and the local values for the tag stored in the database are updated. Otherwise, the protocol ends the session unsuccessfully (without updating any values). Despite the improvements in Gossamer compared with the previous protocols, especially SASI, Bilal et al. (2009) reported that Gossamer is vulnerable to two kinds of Dos attacks: memory and computation exhaustive attacks as well as replay attacks. These attacks consequently cause desynchronization, collision of the updated IDS with the existing entry, and reduction in overall complexity. Moreover, (Ahmed, Shaaban, and Hashem, 2010) proposed two passive attacks against the Gossamer protocol that disclose its secret ID and IDSnext values, whereas (K. Yeh and Lo, 2010) introduced a desynchronization attack. More details of these attacks and the proposed solutions for each can be found in the original papers of (Bilal, Masood, and Kausar, 2009), (Ahmed, et al., 2010), and (K. Yeh and Lo, 2010).
Associated Protocols Many protocols initially inspired by the SASI protocol have been proposed as alternatives to Gossamer ((Y. Chen, Wang, and Hwang, 2006) (David and Prasad, 2009) (Lee, Hsieh, You, and Chen, 2009) (T.-C. Yeh and Wu, 2009)). An example for anti-counterfeiting and privacy protection is the protocol proposed by (Y. Chen, et al., 2006), which uses only bitwise XOR operations with a random-number shift approach, making it very efficient and requiring smaller storage space. Nonetheless, Cao and Shen (2009) proved that the protocol of (Y. Chen, et al., 2006) is vulnerable to full-disclosure attacks. Recently, Lee et al. (2009) proposed a new ultralightweight RFID protocol in which the length of each ID, IDT, and key K is 128 bit. These values are also shared by both the tag and back-end database. The tag uses simple bitwise operations only, such as XOR, AND, OR, and
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
108
Mu’awya Naser, Pedro Peris-Lopez, Mohammad Rafie et al.
left rotate Rot(A, B). Nevertheless, Peris-Lopez et al. (2009b) demonstrated that this protocol is vulnerable against desynchronization, cloning, full disclosure, and traceability attacks. Alternatively, (David and Prasad, 2009) proposed a new UMAP for low-cost RFID tags. This protocol uses bitwise AND, XOR, and Not operations. Their objectives are to achieve a strong authentication mechanism and reduce computational load on the tag without compromising its security at the same time. (Hernandez-Castro, Peris-Lopez, Raphael, and Tapiador, 2010) introduced traceability and passive tango attacks, as well as leakage of stored secrets, against the protocol of David and Prasad. For further details, the readers are referred to the full report of these aforementioned protocols.
Summary
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
This thesis is concerned about solving problems related to securing low-cost RFID protocols. A wide variety of cryptography primitive combinations were used to create different protocols conforming to low-cost tags. The present study analyzed a set of these protocols and the primitives used in each in terms of related weaknesses and vulnerabilities. Given that better protocols are developed gradually by benefiting from previous mistakes, the current study analyzed the most significant protocols under the lightweight and ultralightweight categories in terms of security concerns to establish a basis for designing more secure protocols. The main objective of the present research in investigating the conventional and unconventional cryptography primitives used in the previous protocols is to determine the most suitable set of primitives to create a more secure protocol while avoiding the mistakes committed by the previous protocols and investing in primitives that have established their resiliency.
References Ahmed, E. G., Shaaban, E., and Hashem, M. (2010). Lightweight Mutual Authentication Protocol for Low Cost RFID Tags. International Journal of Network Security and Its Applications (IJNSA), Volume 2, Number 2, April 2010. Bárász, M., Boros, B., Ligeti, P., Lója, K., and Nagy, D. (2007a). Breaking LMAP. Proc. of RFIDSec, 7. Bárász, M., Boros, B., Ligeti, P., Lója, K., and Nagy, D. (2007b). Passive attack against the M2AP mutual authentication protocol for RFID tags. In Proc. of First International EURASIP Workshop on RFID Technology (2007) Bárász, M., Boros, B., Ligeti, P., Lója, K., and Nagy, D. (2008). Breaking EMAP. Paper presented at the Third International Conference on Security and Privacy in Communications Networks and the Workshops, 2007. SecureComm 2007., Bilal, Z., Masood, A., and Kausar, F. (2009). Security Analysis of Ultra-lightweight Cryptographic Protocol for Low-cost RFID Tags: Gossamer Protocol. Paper presented at the Network-Based Information Systems, 2009. NBIS '09. International Conference on.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Low-Cost Mutual Authentication Protocols
109
Burmester, M., de Medeiros, B., Munilla, J., and Peinado, A. (2009). Secure EPC Gen2 Compliant Radio Frequency Identification. In P. Ruiz and J. Garcia-Luna-Aceves (Eds.), Ad-Hoc, Mobile and Wireless Networks (Vol. 5793, pp. 227-240): Springer Berlin / Heidelberg. Cao, T., Bertino, E., and Lei, H. (2008). Security analysis of the SASI protocol. IEEE Transactions on Dependable and Secure Computing, 73-77. Chen, C.-L., and Deng, Y.-Y. (2009). Conformation of EPC Class 1 Generation 2 standards RFID system with mutual authentication and privacy protection. Engineering Applications of Artificial Intelligence, 22(8), 1284-1291. Chen, Y., Wang, W., and Hwang, M. (2006). Low-Cost RFID Authentication Protocol for Anti-Counterfeiting and Privacy Protection. Asian Journal of Health and Information Sciences, 1(2), 189-203. Chien, H.-Y., and Chen, C.-H. (2007). Mutual authentication protocol for RFID conforming to EPC Class 1 Generation 2 standards. Computer Standards and Interfaces, 29(2), 254259. Chien, H.-Y., and Huang, C.-W. (2007). A Lightweight RFID Protocol Using Substring. In T.-W. Kuo, E. Sha, M. Guo, L. Yang and Z. Shao (Eds.), Embedded and Ubiquitous Computing (Vol. 4808, pp. 422-431): Springer Berlin / Heidelberg. Chien, H.-Y., and Huang, C.-W. (2010). A Lightweight Authentication Protocol for LowCost RFID. Journal of Signal Processing Systems, 59(1), 95-102. Chien, H. (2007). SASI: A new ultralightweight RFID authentication protocol providing strong authentication and strong integrity. IEEE Transactions on Dependable and Secure Computing, 4(4), 337-340. Chien, H., and Huang, C. (2007). Security of ultra-lightweight RFID authentication protocols and its improvements. ACM SIGOPS Operating Systems Review, 41(4), 83-86. Chih-Yung, C., Chien-Ping, K., and Fang-Yuan, C. (2009). An exploration of RFID information security and privacy. Paper presented at the Pervasive Computing (JCPC), 2009 Joint Conferences on. D’Arco, P., and De Santis, A. (2008). From Weaknesses to Secret Disclosure in a Recent Ultra-Lightweight RFID Authentication Protocol. Cryptology ePrint Archive. http://eprint. iacr. org/2008/470, 2008. David, M., and Prasad, N. R. (2009). Providing Strong Security and High Privacy in LowCost RFID Networks. In A. U. Schmidt and S. Lian (Eds.), Security and Privacy in Mobile Information and Communication Systems (Vol. 17, pp. 172-179): Springer Berlin Heidelberg. Deursen, T., and Radomirovi, S. (2009). Algebraic Attacks on RFID Protocols. Paper presented at the Proceedings of the 3rd IFIP WG 11.2 International Workshop on Information Security Theory and Practice. Smart Devices, Pervasive Systems, and Ubiquitous Networks. Deursen, T., and Radomirovic, S. (2008). Attacks on RFID protocols. IACR eprint archive 2008, 310. Duc, D., Park, J., Lee, H., and Kim, K. (2006). Enhancing security of EPCglobal Gen-2 RFID tag against traceability and cloning. Paper presented at the The Symposium on Cryptography and Information Security, 2006. Hernandez-Castro, J., Peris-Lopez, P., Raphael, C., and Tapiador, J. (2010). Cryptanalysis of the David-Prasad RFID Ultralightweight Authentication Protocol. RFIDSec 2010.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
110
Mu’awya Naser, Pedro Peris-Lopez, Mohammad Rafie et al.
Hernandez-Castro, J., Tapiador, J., Peris-Lopez, P., and Quisquater, J. (2008). Cryptanalysis of the SASI Ultralightweight RFID Authentication Protocol with Modular Rotations. The Computing Research Repository (CoRR) Arxiv preprint arXiv:0811.4257. Juels, A. (2005). Minimalist Cryptography for Low-Cost RFID Tags (Extended Abstract). Security in Communication Networks, 149-164. Juels, A. (2005). Strengthening EPC tags against cloning. Paper presented at the Proceedings of the 4th ACM workshop on Wireless security. Karthikeyan, S., and Nesterenko, M. (2005). RFID security without extensive cryptography. Paper presented at the Proceedings of the 3rd ACM workshop on Security of ad hoc and sensor networks. Klimov, A., and Shamir, A. (2005). New applications of T-functions in block ciphers and hash functions. International Association for Cryptologic Research 2005, 18-31. Lee, Y. C., Hsieh, Y. C., You, P. S., and Chen, T. C. (2009). A New Ultralightweight RFID Protocol with Mutual Authentication. Paper presented at the Information Engineering, 2009. ICIE '09. WASE International Conference on. Lei, H., Yong, G., Cai, Z.-y., and Na-na, L. (2009, 24-26 Sept. 2009). An Improved Lightweight RFID Protocol Using Substring. Paper presented at the Wireless Communications, Networking and Mobile Computing, 2009. WiCom '09. 5th International Conference on. Li, T., and Deng, R. (2007). Vulnerability analysis of EMAP-an efficient RFID mutual authentication protocol. Second International Conference on Availability, Reliability and Security (ARES'07). Li, T., and Wang, G. (2007). Security analysis of two ultra-lightweight RFID authentication protocols. New Approaches for Security, Privacy and Trust in Complex Environments, 109-120. Li, T., Wang, G., and Deng, R. (2008). Security Analysis on a Family of Ultra-lightweight RFID Authentication Protocols. Journal of Software, 3(3), 1. Li, Y.-Z., Cho, Y.-B., Um, N.-K., and Lee, S.-H. (2007). Security and Privacy on Authentication Protocol for Low-Cost RFID. In Y. Wang, Y.-m. Cheung and H. Liu (Eds.), Computational Intelligence and Security (Vol. 4456, pp. 788-794): Springer Berlin / Heidelberg. Lo, N., and Yeh, K.-H. (2007). An Efficient Mutual Authentication Scheme for EPCglobal Class-1 Generation-2 RFID System. In M. Denko, C.-s. Shih, K.-C. Li, S.-L. Tsao, Q.A. Zeng, S. Park, Y.-B. Ko, S.-H. Hung and J. Park (Eds.), Emerging Directions in Embedded and Ubiquitous Computing (Vol. 4809, pp. 43-56): Springer Berlin / Heidelberg. López, P., Castro, D., and Garnacho, D. (2008). Lightweight cryptography in radio frequency identification (RFID) systems. Computer Science Department, Carlos III University of Madrid. Peris-Lopez, P., Hernandez-Castro, J., Estevez-Tapiador, J., and Ribagorda, A. (2006). EMAP: An Efficient Mutual-Authentication Protocol for Low-Cost RFID Tags. In R. Meersman, Z. Tari and P. Herrero (Eds.), On the Move to Meaningful Internet Systems 2006: OTM 2006 Workshops (Vol. 4277, pp. 352-361): Springer Berlin / Heidelberg. Peris-Lopez, P., Hernandez-Castro, J., Estevez-Tapiador, J., and Ribagorda, A. (2006a). EMAP: An efficient mutual-authentication protocol for low-cost RFID tags. Paper
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Low-Cost Mutual Authentication Protocols
111
presented at the On the Move to Meaningful Internet Systems 2006: OTM 2006 Workshops. Peris-Lopez, P., Hernandez-Castro, J., Estevez-Tapiador, J., and Ribagorda, A. (2006a). LMAP: A real lightweight mutual authentication protocol for low-cost RFID tags. Paper presented at the Proceedings of the 2nd Workshop on RFID Security. Peris-Lopez, P., Hernandez-Castro, J., Estevez-Tapiador, J., and Ribagorda, A. (2006b). LMAP: A real lightweight mutual authentication protocol for low-cost RFID tags. Paper presented at the RFIDSec’06. Peris-Lopez, P., Hernandez-Castro, J., Estevez-Tapiador, J., and Ribagorda, A. (2006c). M 2 AP: A minimalist mutual-authentication protocol for low-cost RFID tags. Ubiquitous Intelligence and Computing, 912-923. Peris-Lopez, P., Hernandez-Castro, J., Tapiador, J., and Ribagorda, A. (2009). Advances in ultralightweight cryptography for low-cost RFID tags: Gossamer protocol. Information Security Applications, 56-68. Phan, R. (2009). Cryptanalysis of a new ultralightweight RFID authentication protocol— SASI. Dependable and Secure Computing, IEEE Transactions on, 6(4), 316-320. Qingling, C., Yiju, Z., and Yonghua, W. (2008). A Minimalist Mutual Authentication Protocol for RFID System and BAN Logic Analysis. Paper presented at the Computing, Communication, Control, and Management, 2008. CCCM '08. ISECS International Colloquium on. Sun, H.-M., Ting, W.-C., and Wang, K.-H. (2009). On the Security of Chien's UltraLightweight RFID Authentication Protocol. IEEE Transactions on Dependable and Secure Computing, 99. Sun, H., and Ting, W. (2008). A Gen2-based RFID authentication protocol for security and privacy. IEEE Transactions on Mobile Computing, 1052-1062. Vajda, I., and Buttyán, L. (2003). Lightweight authentication protocols for low-cost RFID tags. Paper presented at the In Proc. of UBICOMP’03. Van Deursen, T., and Radomirovic, S. (2008). Attacks on RFID protocols. IACR eprint archive 2008, 310. Yeh, K., and Lo, N. (2010). Improvement of Two Lightweight RFID Authentication Protocols. Information Assurance and Security Letters, 1, 6-11. Yeh, T.-C., and Wu, C.-S. (2009, 3-5 Dec. 2009). An enhanced ultralightweight RFID authentication protocol. Paper presented at the Pervasive Computing (JCPC), 2009 Joint Conferences on. Yeh, T., Wang, Y., Kuo, T., and Wang, S. (2010). Securing RFID systems conforming to EPC Class 1 Generation 2 standard. Expert Systems with Applications. Yong, G., Lei, H., Na-na, L., and Tao, Z. (2010). An improved forward secure RFID privacy protection scheme. Paper presented at the Proceedings of the 2nd international Asia conference on Informatics in control, automation and robotics - Volume 2.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved. Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
In: Cryptography: Protocols, Design and Applications ISBN: 978-1-62100-779-1 Editors: K. Lek and N. Rajapakse, pp. 113-132 © 2012 Nova Science Publishers, Inc.
Chapter 3
A HIGHLY EFFICIENT VISUAL CRYPTOGRAPHY FOR HALFTONE IMAGES Kai-Hui Lee1,*, Pei-Ling Chiu2,† and Yie-Tarng Chen3,‡ 1
Department of Computer Science and Information Engineering Ming Chuan University, Taipei, Taiwan, R.O.C. 2 Department of Risk Management and Insurance Ming Chuan University, Taipei, Taiwan, R.O.C. 3 Department of Electronic Engineering, National Taiwan University of Science and Technology, Taipei, Taiwan, R.O.C.
Abstract Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
The visual secret sharing (VSS) technique applies the concept of a secret sharing scheme to encrypt a secret image into multiple shares; when the participants stack each of their shared transparencies on each other, the secret image becomes apparent. The visual secret sharing for multiple secrets technique (VSSM) allows for the encryption of a greater number of secret images in a given image area. Previous research on VSSM schemes has a pixel expansion problem that limits the capability to increase the capacity of secret image encryption. Moreover, in most VSSM schemes, the display quality of the recovered images decreases as the amount of secret image encryption increases. These drawbacks limit the applicability of existing VSSM schemes. Although the pixel expansion problem recently has been solved, this research is applicable only for binary secret images, and the problem of the display quality degradation remains. In this study, we propose a highly efficient encryption algorithm to address this problem. The proposed algorithm adopts a novel encryption approach that includes visual cryptography (VC)–based encryption and an error correction technique. Our approach eliminates the pixel expansion problem and is applicable to binary and halftone secret images simultaneously. The experimental results demonstrate that the proposed approach not only can increase the capacity efficiency of VSSM schemes, but also can maintain an excellent level of display quality in the recovered secret images.
*
E-mail address: [email protected] E-mail address: [email protected] ‡ E-mail address: [email protected] †
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
114
Kai-Hui Lee, Pei-Ling Chiu and Yie-Tarng Chen
Keywords: visual secret sharing scheme, pixel expansion, visual secret sharing scheme for multiple secrets
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
1. Introduction In 1994, Naor and Shamir applied the concept of a secret sharing scheme to images using a technique referred to as visual cryptography (VC) [1]. Applying the concept of a secret sharing scheme, a secret image is encrypted into multiple component (share) images. A number of participants are each provided with one of the shares. When the participants stack their shares on each other, the secret image becomes apparent. This approach also is termed the visual secret sharing (VSS) scheme. Because the decryption process does not rely on any mathematical computations, this cryptographic approach performs well without the use of computational devices. Naor, Shamir, and many other researchers work with binary (i.e., black and white) secret images; however, recently a large volume of work has addressed gray-level and color images to extend the research area and the practicability of VC schemes [2-9]. Hou proposed VC schemes for gray-level and color images [5]. Hou’s methods decomposed a color image into three gray-level images and then transformed each gray-level image into a halftone image suitable for generating VC. Hou’s methods can be applied to the threshold VC schemes directly. Shyu’s proposed algorithms used the color decomposition and halftoning technique to share gray-level and color images [8]. Shyu’s methods, which are based on the randomgrid approach [10], can eliminate the drawbacks of pixel expansion and avoid complicated basis matrices design. Zhou et al. and Wang et al. developed a halftone VC scheme to share a secret image in halftone shares [7, 9]. Their approach provides a better quality of halftone shares and can be applied to gray-level images. Conventional VSS schemes have performance issues with respect to pixel expansion and display quality degradation. When the VC scheme is used, each secret pixel within a secret image is encrypted as a block consisting of sub-pixels in each constituent share. Thus, the area of a share is times that of the original secret image. The pixel expansion problem not only impacts the feasibility of storage requirements for a given share, but also decreases the message capacity if the available area is limited or fixed. In addition, for reasons of security, shares must contain large amounts of noise pixels to conceal traces of the encrypted secret images. These noise pixels lead to degradation of the display quality in the reconstructed images. In conventional VC schemes for binary images, the degradation is measured by the well-known metric—contrast. For example, according to Naor and Shamir’s 2, 2 -VSS scheme, each secret white pixel is encoded as four sub-pixels—two black pixels and two white pixels—thus, the contrast of the recovered image is 50%. A recovered image with lower contrast will result in the hidden content being faded and unclear. The hidden content becomes less discernable to the human eye, particularly when the cipher-text is displayed in a small font or a high-quality picture. As such, the pixel expansion factor and the display quality are the two most important metrics in evaluating a VSS scheme’s efficiency. The VSSM scheme, discussed herein, is a natural extension of conventional VSS schemes for the purpose of increasing the message capacity of VSS schemes [11-25]. The advantage of a VSSM scheme lies not only in its ability to incorporate multiple secret images simultaneously, but also to reduce the carriage and management costs for participants.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
A Highly Efficient Visual Cryptography for Halftone Images
115
The construction methodology for a VSSM scheme is more complicated than that of conventional VSS schemes, and, as a result, most previous work has focused on the 2, 2 VSSM scheme. The approaches discussed in these previous works generally can be categorized as either deterministic or probabilistic. A deterministic VSSM scheme reconstructs all black secret pixels in the recovered secret images. Such an approach typically uses a pixel-expanded codebook when encrypting secret images, resulting in the same critical defects faced with conventional VSS schemes: pixel expansion and contrast loss. On the other hand, probabilistic VSSM schemes reconstruct only the black secret pixels with a certain probability. Although this resolves the pixel expansion problem, this approach suffers from the same issues of display quality that arise with the use of a probabilistic VSS scheme [21]. Although the pixel expansion problem recently has been solved [16, 20-21, 24], the research is applicable only for binary secret images; the problem of display quality degradation remains. Therefore, a great challenge remains with respect to improving the display quality in the recovered images and extending the VSSM scheme to secret images in digital form; for example, the gray level and color images. In this chapter, we propose a novel encryption approach to the 2, 2 -2-VSSM scheme that is capable of encrypting two halftone secret images into two shares, simultaneously. The proposed approach adopts the VC-based encryption approach. First, we design a codebook, which is free of pixel expansion and contains error correction information, to encrypt secret pixels and produce two shares. Then, noises on the recovered images are totally eliminated by the proposed error correction process. This approach is applicable to both halftone and binary images in digital form, fully addressing both the problem of message capacity and the issue of display quality degradation. Moreover, the recovered images are loss-less when the proposed error correction is applied. The remainder of this chapter is organized as follows. Section 2 presents a review of related work. Section 3 presents the proposed VSSM scheme. In Section 4, we show the results of an experiment to evaluate the performance of the proposed method. Last, we summarize and conclude our work in Section 5.
2. Related Works
Figure 1. Research framework of VSSM schemes for binary secret images.
The framework underlying the VSSM schemes is depicted in Figure 1. Most of the existing research pertaining to VSSM schemes focuses solely on the 2, 2 -VSSM and the , -VSSM schemes. As such, there is a paucity of research addressing construction
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
116
Kai-Hui Lee, Pei-Ling Chiu and Yie-Tarng Chen
methodologies for general access structures (GAS). To date, research on VSSM schemes is for sharing binary secret images; we review these research results in this section.
2.1. (2, 2) VSSM Schemes Approaches to the implementation of VSSM schemes for binary secret images can be categorized as either deterministic or probabilistic. We provide a brief overview of each category below.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
2.1.1. Deterministic VSSM Schemes Depending on the number of encrypted secret images, the proposed 2, 2 -VSSM scheme can be categorized as either a 2, 2 -2-VSSM or a 2, 2 - -VSSM scheme. The former is capable of encrypting two secret images; the latter is capable of encrypting more than two secret images. Wu developed a 2, 2 -2-VSSM scheme that is capable of hiding two square secret images [11]. According to Wu’s scheme, directly stacking two shares on one another reveals the first secret image. Subsequently rotating the first share clockwise reveals the second secret image. Afterward, some researchers proposed another 2, 2 -2-VSSM scheme for binary secret images [12-13]. Although these approaches apply to different image shapes, the pixel expansion factor and the contrast ratio of the recovered images are constant, exhibiting values of 4 and 25%, respectively. Lin et al. proposed a three-phase encryption algorithm for a 2, 2 -2-VSSM scheme. In the first phase (also called the dividing and separating process), black secret pixels in each secret image were uniformly divided and separated into two disjoint sets in a totally random manner [20]. The second phase involved placing one set of the separated black pixels on two blank shares. In the third phase (also called the camouflage process), additional black pixels were randomly scattered to cover phantoms in the shares. To eliminate the phantom effect, Lin used statistical information to determine the density of these additional black pixels in the camouflage process. Although Lin’s work is the first paper to solve the pixel expansion problem for the deterministic VSSM scheme, the contrast of the recovered images ranges between 16.7% and 32.4%, which correlates highly with the content of the secret images due to the random separation process. Lin et al. also proposed a modified approach to improve the contrast of the recovered images, but their new approach does not resolve the problem [21]. Lee and Chiu developed a two-phase algorithm for encrypting two binary secret images [24]. In the first phase, they designed an unexpanded codebook for separating black secret pixels on two shares. In the second phase, they used the above-mentioned camouflage process to conceal the separated black secret pixels on the shares. The contrast of the recovered images is higher than 40% and there is less correlation to the content of the secret images. Feng et al. [17] and Shyu et al. [15, 25] developed VC-based approaches to encrypting secret images on cylindrical, circular, and square shares, respectively. The schemes proposed by Feng and Shyu are capable of incorporating more than two secret images simultaneously, but they remain subject to the pixel expansion problem; for the approach proposed by Shyu, the pixel expansion factor is 2 and for the approach of Feng, the factor is 3 . Moreover,
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
A Highly Efficient Visual Cryptography for Halftone Images the contrast ratio is the reciprocal of the pixel expansion factor; that is, 1/2 scheme and 1/3 for Feng’s scheme. .
117 for Shyu’s
2.1.2. Probabilistic VSSM Schemes
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Chen [16] developed the first probabilistic 2, 2 -VSSM scheme based on the random grid approach. Chen added a new operation, referred to as the rotating operation, to encrypt two secret images. The decryption process of Chen’s probabilistic VSSM scheme is the same as for Wu’s operations [11]. The contrast values of the recovered images are approximately 1 ⁄3 . Lin et al. (denoted as L&C) proposed another 2, 2 -2-VSSM scheme called the flip visual cryptography (FVC) scheme [19]. Based on predefined basis matrices, the proposed FVC scheme encodes two secret images into two shares. Stacking the two shares can reveal one secret image. Flipping one of the two shares and then stacking with the other share can reveal the second secret image. To eliminate the pixel expansion problem, L&C use a probability model to encode the shares. The cost is that it may cause non-harmonic disarray of the stacking result. Hence, L&C developed another expanded encryption method in that all columns of the basis matrix are used to encode the secret pixels. However, L&C’s method can achieve only 1⁄6 contrast for recovered images. Moreover, the recovered images will be expanded 6 times at least using L&C’s expanded encryption methods. Although Chen’s and L&C’s methods address the pixel expansion problem for the 2, 2 2-VSSM scheme, they maintain other defects inherent in the probabilistic method. For example, using this method, it is not possible to recover every black pixel of the original secret images. As a result, the recovered images tend to be unclear or unrecognizable when the cipher-text that is written on them is in a small font, leading to a decrease in the ciphertext capacity of the image.
2.2. (k, n)-m-VSSM Schemes Recently, Yang proposed a general , - -VSSM scheme (called , , -MVCS in Yang’s paper) [22], which can be applied on any and . The proposed approach is probabilistic and can be easily implemented on the basis of a conventional , -VCS. According to Yang’s approach, the shares are rolled into a cylinder in a manner similar to the method proposed by Hsu et al. [12]. Yang proposed the first , - -VSSM scheme, but his approach does avoid the pixel expansion problem; the pixel expansion factor is 2 when = =2. Moreover, the contrast ratio is inversely proportional to the amount of the secret image—1/2 . Based on our review of previous work, the existing approaches to VSSM schemes are for sharing binary secret images. These approaches cannot be adopted for sharing secret images in digital shares, such as gray or color secret images, and thus their practical application is limited. As such, we seek to develop an unexpanded encryption approach for halftone secret images.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
118
Kai-Hui Lee, Pei-Ling Chiu and Yie-Tarng Chen
3. Encryption Algorithm In this section, we first illustrate our methodology for sharing the halftone secret images in the 2, 2 -2-VSSM scheme. We assume the halftone images are stored in electronic form, and hence use the logical XOR operation as the stacking operation. Then we develop an error correction technique to refine the display quality of the recovered images. Finally, we propose a systematic method to extend the 2, 2 -2-VSSM scheme to the 2, 2 - -VSSM scheme.
3.1. (2, 2)-2-VSSM Schemes Using the proposed 2, 2 -2-VSSM scheme, two secret images can be simultaneously encrypted and embedded within two shares. Superimposing the two images directly atop one another reveals the first secret image. Rotating one of the shares 180° and then superimposing it on the other reveals the second secret image. Thus, two different secret images can be encrypted within the same area, which increases the image capacity of a VC scheme. To achieve this, we design a codebook that is free of pixel expansion. Assume pixels and are located at coordinates , and , within share , which has an area of 1 and 1 , then pixels. If specific coordinates satisfy the equations and are referred to as a pair of symmetric pixels. The symmetric pixels and and (resp. and ) denote a exchange positions when is rotated 180°. Let pixels (resp. ). Directly superimposing and allows for pair of symmetric pixels in share the recovery of a secret pixel pair and from the first recovered image , where and , as shown in Figure 2(a). When is rotated 180° and
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
superimposed on and
, another pair of secret pixel and , as shown in Figure 2(b).
are revealed, where
Figure 2. Stacking operations on shares (“ ” denotes logical “XOR” operation).
To recover a pair of secret pixels and correctly, it is necessary to consider where , , , and existed in images and . Table 1 lists all possible a set of pixels ways of encoding two shares, where 0 (resp. 1) represents a black (resp. white) pixel. The third and the last columns of Table 1 indicate the corresponding recovered pixels in the and . reconstructed images
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
A Highly Efficient Visual Cryptography for Halftone Images
119
Table 1. All possibilities of encoding for two shares and their corresponding recovered pixels Encoding ,
′
(0,0)
(0,1) 1
: Recovered pixels: (
Recovered Pixels1 (0,0),(0,0) (0,1),(1,0) (1,0),(0,1) (1,1),(1,1) (0,1),(0,1) (0,0),(1,1) (1,1),(0,0) (1,0),(1,0)
′
, (0,0) (0,1) (1,0) (1,1) (0,0) (0,1) (1,0) (1,1) ,
,
,
Encoding ,
′
(1,0)
(1,1)
, ′ (0,0) (0,1) (1,0) (1,1) (0,0) (0,1) (1,0) (1,1)
Recovered Pixels1 (1,0),(1,0) (1,1),(0,0) (0,0),(1,1) (0,1),(0,1) (1,1),(1,1) (1,0),(0,1) (0,1),(1,0) (0,0),(0,0)
).
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Definition 1. = {(pSE , pSE ), ( pSE , pSE )} denotes a construction-requirement set for the recovered images of a 2, 2 -2-VSSM scheme, where pSE pSE pSE pSE represents the required pattern. Pairs (pSE , pSE ) and (pSE , pSE ) are symmetric pixels within the secret images SE and SE , respectively. Pixel values pSE , pSE , pSE , and pSE lie within 0,1 . □ depicts two sets of symmetric pixels ( , ) = 1, 0 and ( , For example, ) = 0, 1 within and , respectively. This means that a white pixel and a black and within , respectively. Similarly, a black pixel and pixel must be revealed at a white pixel must be revealed at and within . Referring to Table 1, we find a set of encodings ( , ) = 1, 1 and ( , ) = 0, 1 , that satisfies the requirement. Obviously, it is not possible to satisfy all potential requirements of the 2, 2 -2-VSSM scheme via the encodings provided in Table 1. For example, no encoding result is present that corresponds to . Alternative encodings, such as those for , , , and , are suitable for recovering . Of these alternatives, the recovered images have the . That means using these alternatives will smallest Hamming distance (i.e., 1) from introduce only one noise in two symmetric pairs and thus yield recovered images with the greatest display quality for recovered images. Hence, it is reasonable to adopt these encodings . for use with On the basis of the above discussion, our goal with the codebook design is to identify a set of encodings for all possible construction requirements, subject to the following conditions: 1. Security constraint: no secret images are exposed to view in the final shares. 2. Correctness constraint: reconstructed images should reveal the secret images correctly. 3. Pixel expansion constraint: shares and reconstructed images should have the same dimension as the secret images. 4. Display quality requirement: a high-quality codebook design must keep noise as low as possible in the recovery of images.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
120
Kai-Hui Lee, Pei-Ling Chiu and Yie-Tarng Chen
To meet the security constraint, there are three conditions that must be satisfied. First, a secure encoding set must contain at least two possibilities. Because a construction requirement was encrypted by the same pattern, the shares will display some regular textures. Such shares are easily cracked by a human visual system or by a dictionary attack. In general, more encoding possibilities for a construction requirement increase the computational security of the codebook. Second, each codeword in an encoding set must contain at least two different characters. If a codeword of a specific encoding set contains only one character, it will expose a portion of the secret images in a VC construction. In an unexpanded VC construction, the alphabet set for a codeword is 0, 1 . Hence, each codeword must contain these two characters. Third, to construct random-like shares, the same character in a codeword must have an equal appearance frequency. ) and ( , ) are two pairs of symmetric pixels within shares and Assume ( , , respectively. Encoding sets C ={( , ), ( , ): , , , and 0,1 } can , if encoding set C satisfies the security tests listed below. If the be used to address recovered pixels were constructed via C , Tests 1–3 can be defined as follows: − − −
Test 1: C , |C | Test 2: C Test 3: ∑ C
2. 1,1 , 1,1 and C ∑ ∑ and C ,
,
C
0, 0 , 0, 0 . ∑ , C
,
.
The operators “ ” and “ ” represent logical “OR” and “AND” operations, respectively. Symbols in C . , , , , and , , , denote the codeword
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
|
Example 1: Assume C {{ 0, 1 , 1,1 }, { 0,0 , 0,0 }}. Using Test 1, we have | 2. Then, Test 2 can be performed as (
, 0, 1 0, 0 0, 1
)
(
,
)
(
1, 1 0, 0 1, 1
, 0, 1 0, 0 0, 0
)
(
,
)
1, 1 0, 0 0, 0
The above results indicate that a portion of the secret image will be exposed by pixel will always be encoded as “0” rather than in random patterns. Thus, in share , because is not secure. In contrast, because the second set was altered to { 1,0 , 0, 0 }, the C can satisfy Test 2. The modified set also can pass Test 3 modified encoding set for C because of the same appearance frequency for character “1” in and . The same and . situation also applies to the symmetric pair The correctness constraint, defined above, is used to verify whether or not the recovered images maintain a level of discernable contrast between black and white areas. The appearance frequency of white pixels (i.e., character “1”) can be counted as F
∑
C
,
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
A Highly Efficient Visual Cryptography for Halftone Images
121
where denotes recovered pixel encrypted by in C . Hence, for a white secret pixel, the value of F must be larger than |C |⁄2. The correctness test is as follows. |C |⁄2, − Test 4: If 0, F , , , and |C |⁄2. , , , . Otherwise, F {{ 0, 1 , 1,1 }, { 1,0 , 0,0 }, { 1,0 , 0,0 }}. The three Example 2: Suppose C possible recovered pixels , , , are { 1, 0 , 1, 0 }, { 1,0 , 1,0 }, { 0, 0 , 1, 1 }. Hence, we have F 1 1 0 2, F 0, F 3, and F
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
0
0
1
1. Obviously, pixels
will fail to reconstruct as “0” because F
cannot
pass Test 4. In other words, encoding set C cannot meet the correctness constraint. □ In Example 2, pixel has 1⁄3 probability to recover as a white pixel (i.e., character will introduce 1⁄6 noise pixels (white pixels in the “0”). That means encoding set C . These noises will decrease the display quality of the reconstructed images; example) to hence, a high-quality codebook must suppress these noises. According to the above-mentioned design principles, a 2,2 -2-VSSM scheme codebook free from pixel expansion was established, as illustrated in Table 2. It is easy to verify that the proposed codebook satisfies Test 1 through Test 4; hence, it is a correct and secure codebook for constructing 2,2 -2-VSSM schemes for halftone secret images. Construction 1. Let Codebook be used to construct a 2, 2 -2-VSSM scheme. According to the construction requirement of each symmetric pair ( , ) and ( , ) on secret images and , the dealer randomly selects an encoding , , , from C that is associated with construction requirement , . Then, share the values of selected encoding with each symmetric pair on shares. The probability of selection is equal for each encoding in an encoding set; that is, 1⁄|C |. , he For example, if a dealer would like to share the secret based on requirement , where the probability of selection for each can randomly select one encoding from C | 1⁄2. Encoding set C is capable of satisfying , with each item item is 1⁄|C ⁄ ⁄ | 1 8. having a probability of being selected equal to 1 |C Property 1. Construction 1, which uses codebook to construct the 2,2 -2-VSSM scheme, can eliminate the pixel expansion problem. Proof: In Table 2, all symmetric pixels , and , within the recovered secret images can be constructed using symmetric pixels ( , ) and ( , ), within the shares that were encoded on . Based on this, all of the images have the same dimensions. The proposed construction for the 2,2 -2-VSSM scheme does not require the use of pixel expansion. ,C ,C ,C ,C ,C ,C , and C can In Table 2, encoding sets C totally recover construction requirements for secret images. Another encoding set will introduce noise to the recovered images. For example, applying encoding set C , its recovered pixel, and , will contain 2 noise pixels (i.e., white pixels) for each; hence, ⁄|C | 1⁄4. The occurrence probabilities the occurrence probability of the noise is F of noise in , , and are also 1⁄4. Except for the above-mentioned 8 encoding sets, the remaining encoding sets will introduce 1⁄4 noise to the recovered images.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
122
Kai-Hui Lee, Pei-Ling Chiu and Yie-Tarng Chen ,
Table 2. Proposed codebook for the
Encoding1 (0,0),(0,0) (1,1),(1,1) (0,0),(0,0) (0,0),(1,0) (0,1),(0,0) (0,1),(0,1) (1,0),(1,0) (1,0),(1,1) (1,1),(0,1) (1,1),(1,1) (0,0),(0,0) (0,0),(0,1) (0,1),(0,1) (0,1),(1,1) (1,0),(0,0) (1,0),(1,0) (1,1),(1,0) (1,1),(1,1) (1,0),(1,0) (0,1),(0,1) (0,0),(0,0) (0,0),(0,1) (0,1),(0,0) (0,1),(1,0) (1,0),(0,1) (1,0),(1,1) (1,1),(1,0) (1,1),(1,1) (0,1),(0,0) (1,0),(1,1) (0,0),(0,1) (1,1),(1,0) (0,0),(0,1) (0,0),(1,1) (0,1),(0,0) (0,1),(0,1) (1,0),(1,0) (1,0),(1,1) (1,1),(0,0) (1,1),(1,0)
C
C
C
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
C
C
C C
C
1
: Encoding (
,
),(
,
- -VSSM scheme
Codebook ( ) Recovered Encoding1 Pixels2 (0,0),(0,0) (0,0),(0,0) (0,0),(0,0) (0,0),(1,0) (0,0),(0,0) (0,1),(1,0) (1,0),(0,1) (0,1),(1,1) C (0,1),(0,1) (1,0),(0,0) (0,0),(1,1) (1,0),(0,1) (0,0),(1,1) (1,1),(0,1) (0,1),(0,1) (1,1),(1,1) (1,0),(0,1) (0,0),(1,0) C (0,0),(0,0) (1,1),(0,1) (0,0),(0,0) (0,1),(1,1) C (0,1),(1,0) (1,0),(0,0) (0,0),(1,1) (0,0),(1,0) (1,0),(1,0) (0,0),(1,1) (1,0),(1,0) (0,1),(0,1) (0,0),(1,1) (0,1),(1,1) C (0,1),(1,0) (1,0),(0,0) (0,0),(0,0) (1,0),(1,0) (0,0),(1,1) (1,1),(0,0) (0,0),(1,1) (1,1),(0,1) (0,0),(0,0) (0,1),(1,0) C (0,1),(1,0) (1,0),(0,1) (0,1),(0,1) (0,0),(1,0) (1,1),(0,0) (0,0),(1,1) (1,1),(0,0) (0,1),(0,0) (0,1),(0,1) (0,1),(1,0) C (0,1),(1,0) (1,0),(0,1) (0,0),(0,0) (1,0),(1,1) (0,1),(0,1) (1,1),(0,0) (0,1),(0,1) (1,1),(0,1) (0,1),(1,0) (0,0),(0,1) (0,1),(1,0) (0,0),(1,1) (0,1),(1,0) (0,1),(1,0) (1,1),(1,1) (0,1),(1,1) C (0,1),(0,1) (1,0),(0,0) (0,0),(1,1) (1,0),(0,1) (0,0),(1,1) (1,1),(0,0) (0,1),(0,1) (1,1),(1,0) (1,1),(1,1) (0,0),(1,1) C (0,1),(1,0) (1,1),(0,0)
). 2: Recovered pixels (
,
,
,
).
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Recovered Pixels2 (0,0),(0,0) (1,0),(0,1) (1,1),(0,0) (1,0),(1,0) (1,0),(1,0) (1,1),(0,0) (1,0),(0,1) (0,0),(0,0) (1,0),(0,1) (1,0),(0,1) (1,0),(1,0) (1,0),(1,0) (1,0),(0,1) (1,1),(1,1) (0,0),(1,1) (1,0),(1,0) (1,0),(1,0) (0,0),(1,1) (1,1),(1,1) (1,0),(0,1) (1,1),(0,0) (1,1),(0,0) (1,0),(0,1) (1,1),(1,1) (0,1),(0,1) (1,1),(0,0) (1,1),(0,0) (0,1),(0,1) (1,1),(1,1) (1,0),(0,1) (0,1),(1,0) (1,1),(1,1) (1,1),(0,0) (1,0),(1,0) (1,0),(1,0) (1,1),(0,0) (1,1),(1,1) (0,1),(1,0) (1,1),(1,1) (1,1),(1,1)
A Highly Efficient Visual Cryptography for Halftone Images
123
3.2. Refine the Recovered Images The proposed VSSM scheme successfully increases image capacity and removes pixel expansion for shares; however, the introduced noise will lead to degradation of the display quality of the recovered images. In this section, an error correction method is developed to refine the recovered images. In Table 2, half of the encoding sets get 1⁄4 noise for recovered images; however, these encoding sets still have 3⁄4 possibilities to correctly decrypt the secret pixels. This property can be used to correct the recovered images. To achieve this goal, we make the following assumptions: 1. Both secret and shares are stored in 8-bit/pixel digital form. 2. Secret images are halftone and each bit of a secret pixel has the same value. That is, all bits of a pixel are either 1 or 0. 3. Each bit of a secret pixel is encrypted individually. 4. Recovered images are 8-bit/pixel images. 5. Corrected images are 1-bit/pixel images.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Figure 3 shows the proposed decryption procedure. Recovered images are obtained by stacking two shares directly. Then, the error correction process corrects each image pixel by pixel. Each 8-bit pixel value is mapped to a 1-bit pixel value during the error correction process. In this way, noise on the resultant images (called corrected images) can be reduced while the recovered images are correctable. The corrected images are, therefore, 1-bit/pixel halftone images.
Figure 3. The proposed decryption procedure with the error correction process.
Lemma 1. Assume a 1-bit binary secret is shared with participants and that each participant holds -bits of shared information. When a set of qualified participants decrypt the secret using the information they hold, the secret bit can be recovered correctly if and only if major bits in the -bits recovered information have the same value as the secret bit. In other words, if the amount of error bits is less than ⁄2, the secret bit can be corrected. Lemma 2. A recovered image is said to be correctable if the value of pixels on the image is correctable.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
124
Kai-Hui Lee, Pei-Ling Chiu and Yie-Tarng Chen
Example 3: Assume 8-bit shared information is used in encoding set C in Table 2 . An instance of pixel values for , , , based on construction requirement are 01000010, 00100100, 00011000, and 01111110, respectively. Because the error and , according to probability to reconstruct the secret pixel is only 1⁄4 for encoding set C Lemma 1, values of , , , and can be correctly restored to 0, 0 ,0, and 1, respectively. In other words, requirement is met perfectly. □ Lemma 1 indicates that the introduced noise on the recovered images may be removed if the images are correctable. Hence, we modify the proposed Construction 1 and codebook to produce such images for the proposed 2, 2 -2-VSSM scheme. The modified 2, 2 -2-VSSM construction is as follows. Table 3. A part of modified codebook for the
,
- -VSSM scheme
Codebook ( ) Recovered Encoding Encoding1 Pixels2 (0,0),(0,0) (0,0),(0,0) (0,0),(1,0) (0,0),(0,0) (0,0),(0,0) (0,0),(1,0) (0,1),(0,1) (0,0),(1,1) (0,1),(0,0) (0,1),(1,0) (1,1),(0,0) (0,1),(1,1) C C (1,0),(1,1) (1,1),(0,0) (1,0),(0,0) (1,0),(0,0) (0,0),(1,1) (1,0),(1,1) (1,1),(1,1) (0,0),(0,0) (1,1),(0,1) (1,1),(1,1) (0,0),(0,0) (1,1),(0,1) (0,0),(0,0) (0,0),(0,0) (0,0),(0,1) (0,0),(1,1) (1,1),(1,1) (0,0),(1,0) (0,1),(0,1) (0,0),(1,1) (0,1),(0,1) (0,1),(0,1) (0,0),(1,1) (0,1),(1,1) C C (1,0),(1,0) (0,0),(1,1) (1,0),(0,0) (1,0),(1,0) (0,0),(1,1) (1,0),(0,0) (1,1),(0,0) (1,1),(1,1) (1,1),(0,1) (1,1),(1,1) (0,0),(0,0) (1,1),(1,0) (0,0),(0,1) (0,1),(1,0) (0,0),(0,0) (0,0),(1,0) (1,0),(0,1) (0,0),(1,1) (0,1),(0,0) (0,1),(0,1) (0,1),(1,0) (0,1),(0,0) (0,1),(0,1) (0,1),(1,0) C C (1,0),(1,1) (0,1),(0,1) (1,0),(0,1) (1,0),(1,1) (0,1),(0,1) (1,0),(0,1) (1,1),(0,1) (1,0),(0,1) (1,1),(0,0) (1,1),(1,0) (0,1),(1,0) (1,1),(1,1) (0,0),(0,1) (0,1),(1,0) (0,0),(1,1) (0,0),(0,1) (0,1),(1,0) (0,0),(1,1) (0,1),(0,0) (0,1),(0,1) (0,1),(0,1) (0,1),(1,1) (1,0),(1,0) (0,1),(1,0) C C (1,0),(0,0) (1,0),(1,0) (1,0),(0,1) (1,0),(1,1) (0,1),(0,1) (1,0),(1,0) (1,1),(1,0) (0,1),(1,0) (1,1),(0,0) (1,1),(1,0) (0,1),(1,0) (1,1),(0,0) 1 : Encoding ( , ),( , ). 2: Recovered pixels ( , , , ).
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
1
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Recovered Pixels2 (1,0),(0,1) (1,0),(0,1) (0,1),(0,1) (1,0),(1,0) (1,0),(1,0) (0,1),(0,1) (1,0),(0,1) (1,0),(0,1) (0,1),(1,0) (1,0),(0,1) (1,0),(1,0) (1,0),(1,0) (1,0),(1,0) (1,0),(1,0) (1,0),(0,0) (0,1),(1,0) (0,0),(0,0) (1,1),(1,1) (1,1),(0,0) (1,1),(0,0) (1,1),(0,0) (1,1),(0,0) (1,1),(1,1) (0,0),(0,0) (1,1),(1,1) (1,1),(1,1) (0,0),(1,1) (1,1),(0,0) (1,1),(0,0) (0,0),(1,1) (1,1),(1,1) (1,1),(1,1)
A Highly Efficient Visual Cryptography for Halftone Images
125
Construction 2. Let Codebook be used to construct a 2, 2 -2-VSSM scheme. According to construction requirement of each symmetric pair on secret images, the dealer randomly permutes encodings by row in C and then distributes encoding , C , to the -th bit of shared pixels in shares. □ Error correction rule. Assume denotes the value of a correctable recovered pixel in the proposed 2, 2 -2-VSSM scheme and C is the encoding set for the pixel. If the Hamming weight of is larger than |C |⁄2, the secret bit can be restored as 1, otherwise, 0. □ Based on our assumption, halftone images are stored in 8-bit/pixel format. A natural selection for the amount of encoding in an encoding set is 8. In Table 2, encoding sets C , ,C ,C ,C ,C ,C , and C contain only 2 encodings for each set. C Hence, we add 6 encodings for each set to meet the requirement. The augmented encoding sets are listed in Table 3. In the rest of this chapter, we use the term “modified codebook” to represent the collection of all encoding sets in Table 3 and encoding sets C ,C ,C , ,C ,C ,C , and C in Table 2. C Table 4. An example of Construction 2
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Original Shuffled Encodings Encodings (0,0),(0,1) (0,1),(0,0) (0,0),(1,0) (1,1),(1,0) (0,1),(0,0) (0,1),(0,0) (0,1),(0,0) (0,0),(0,1) (1,0),(1,1) (1,1),(0,1) (1,0),(1,1) (0,0),(1,0) (1,1),(0,1) (1,0),(1,1) (1,1),(1,0) (1,0),(1,1) Corrected pixels:
Recovered Pixels (0,1),(0,1) (0,1),(1,0) (0,1),(0,1) (0,1),(1,0) (1,0),(0,1) (1,0),(0,1) (0,1),(0,1) (0,1),(0,1) (0,1),(0,1)
Bit Position 0 1 2 3 4 5 6 7
Example 4: Assume that the dealer uses the modified codebook and Construction 2 to share two pairs of secret pixels (0, 1) and (0, 1). The 8-bit shared information is used as in Table 3 based on construction requirement . The original encoding set C encoding sets ( , ),( , ) are listed in the leftmost column in Table 4. According to the , , and on shares are D2 , shuffled encoding set, the 8-bit pixel values of 17 , E2 , and D4 . The 8-bit pixel values of recovered pixels , , , and are (MSB)001100002, 110011112, 000010102, and 111101012, respectively. Based on the proposed error correction rule, the 1-bit corrected value of , , , and can be correctly restored to 0, 1 ,0, and 1, respectively. □ The proposed modified codebook and Construction 2 have the following properties. Property 2. The secret images can be reconstructed well by stacking shares directly. Proof: If the modified codebook is used to construct the proposed 2, 2 -2-VSSM scheme, then the secret pixels have 3⁄4 probability to be reconstructed correctly. Hence, the recovered secret images will be revealed and be recognized by the human visual system. Property 3. The modified codebook is secure while it cooperates with Construction 2. Proof: Each encoding set in the modified codebook contains 8 encodings. Each encoding set has 4 different patterns for a symmetric pair on a share regardless of the construction requirement: 0, 0 , 0, 1 , 1, 0 , and 1, 1 . Using a 1-bit/pixel share, the dealer randomly
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
126
Kai-Hui Lee, Pei-Ling Chiu and Yie-Tarng Chen
selects an encoding from a set based on its construction requirement. These patterns have an equal probability of being chosen. In the case of cooperating with Construction 2, each pattern will appear in 8-bit pixel values of a symmetric pair twice. Hence, none can crack the secrets by analyzing these patterns from a share. Property 4. The modified codebook is correctable, if the capacity of a shared pixel is equal to 8 bits/pixel. Proof: As listed in Table 2 and Table 3, all encoding sets in the modified codebook will have 3⁄4 probability of correctly recovering the secret pixels. The codebook is used to construct the proposed 2, 2 -2-VSSM scheme by Construction 2. When a shared pixel has an 8-bit/pixel capacity, the correct bit value will be major in the shared pixel. Based on Lemma 1, all recovered pixels can be corrected. Lemma 3. A recovered image can be reconstructed without loss if all pixels on the image are correctable. These properties show that the proposed approach not only can construct the 2, 2 -2VSSM scheme without pixel expansion, but also can improve the display quality of the recovered images. Moreover, Lemma 3 indicates that using the proposed modified codebook and Construction 2 can produce loss-less recovered images for halftone images.
4. Implementation Results and Security Analysis In this section, we first conduct a series of experiments to evaluate the performance of the proposed approach. Then, we evaluate the security of the proposed algorithm using the dictionary-attack method. Finally, we compare the proposed approach with other methods.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
4.1. Performance Evaluations First, we use two sets of benchmark secret images, as shown in Figure 4, to assess the performance of the proposed VSSM scheme in terms of display quality and PSNR (peak signal-to-noise ratio) values in the recovered images following encryption and recovery. The secret images of SET-A are cipher-texts that were written by simple lines; the secret images of SET-B are high-quality pictures. The dimensions of the halftone secret images are 512 512 pixels.
(a)
(b)
(c)
(d)
Figure 4. Two sets of halftone secret images: (a) Secret image 1 (SET-A), (b) Secret image 2 (SET-A). (c) Secret image 1 (SET-B), (d) Secret image 2 (SET-B).
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
A Highly Efficient Visual Cryptography for Halftone Images
127
Experiment I The first experiment tests the performance of the proposed Construction 1, which adopts the codebook in Table 2 for constructing the 2, 2 -2-VSSM scheme. In this assessment, the pixel capacity for share and recovered images is 1 bit/pixel. Figure 5 and Figure 6 show the implementation results for SET-A and SET-B, respectively. The PSNR value of our proposed approach is approximately 14dB, which imputes the noise introduced by some encoding sets as discussed in the last section. However, the implementation results indicate that our approach is suitable for use with halftone secret images incorporating both simple and high-quality content, delivering not only clear recovered images but also images free of pixel expansion.
(a)
(b)
(c)
(d)
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Figure 5. Implement results for SET-A: (a) Recovered image 1 (PSNR=13.94 dB), (b) Recovered image 2 (PSNR=13.77 dB), (c) Share 1, (d) Share 2.
(a)
(b)
(c)
(d)
Figure 6. Implement results for SET-B: (a) Recovered image 1 (PSNR=13.83 dB), (b) Recovered image 2 (PSNR=13.80 dB). (c) Share 1, (d) Share 2.
Experiment II The second experiment evaluates the performance of the proposed 2, 2 -2-VSSM scheme using the error correction technique. In this assessment, the pixel capacity for share and recovered images is 8 bits/pixel. The secret images are distributed to shares by Construction 2, which adopts the modified codebook in Table 2 and Table 3. Figure 7(c) and Figure 7(d) show that the use of 8-bit/pixel images for the proposed approach can achieve finer display effects and higher PSNR values for recovered images than the results in Experiment I. Figure 7(e) and Figure 7(f) present the corrected images of Figure 7(e) and Figure 7(f), respectively. Figure 7(e) and Figure 7(f) prove the proposed approach can reconstruct halftone secret images for 2, 2 -2-VSSM scheme without distortion.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
128
Kai-Hui Lee, Pei-Ling Chiu and Yie-Tarng Chen
(c)
(a)
(b)
(d)
(e)
(f)
Figure 7. Implement results for SET-B: (a) Share 1, (b) Share 2, (c) Recovered image 1 (PSNR=16.21 dB), (d) Recovered image 2 (PSNR=16.25 dB), (e) Corrected image of recovered image 1 (lossless), (f) Corrected image of recovered image 2 (lossless).
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
4.2. Security Analysis We evaluate the security property of the proposed approach using the dictionary-attack method. In this experiment, we use various dictionaries to attack shares. Our attack method is to replace all symmetric pairs in a share with a corresponding codeword in a predefined dictionary. For example, by using the first set of the codeword in Table 6, all original symmetric pairs in a share that is encoded as (1, 1), (1, 0), (0, 1), and (0, 0) will be substituted for pairs (0, 0), (1, 0), (1, 0), and (1, 1), respectively. In this experiment, we attack shares that encrypt two secrets by all possible combinations of symmetric pairs. In other words, an original pair is substituted for pairs (0, 0), (0, 1), (1, 0), or (1, 1) in an attack. Thus, we will issue 256 different attacks by using 256 different codeword sets in a dictionary for 4 possible original pairs in shares. In each attack, we use a codeword set to replace all original symmetric pairs in a specific bit plane (e.g., the most significant bit) and then analyze the security of this bit plane. Hence, all shares are generated using Construction 1 and the modified codebook. After completion of the encryption process, shares incorporate phantoms of all the secret images. In other words, each share was embedded with a portion of the information from all secret images, as shown in Figure 8. Hence, to evaluate the security level of shares more precisely, we determine the correlation between an attacked share and its corresponding phantom, rather than its association with a specific secret image. The correlation is defined as follows: ∑ ∑
and Variables respectively. Symbol
∑
,
∑
,
∑
.
represent the pixel value within the attacked share and phantom, represents the dimensions of the secret image (i.e., pixels). To
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
A Highly Efficient Visual Cryptography for Halftone Images
129
ensure the security of hidden content, the observed correlation values should be relatively low.
(a)
(b)
Figure 8. Phantoms of secret images in Figure 5: (a) Phantom on share 1, (b) Phantom on share 2.
Table 5. Attack results in the most serious attack Correlations (%) SET-A SET-B 1.90% 0.88% 0.45% 2.20%
Codeword set (in hexadecimal) SET-A SET-B 2B 53 47 4D
Table 6. The codeword sets used in the most serious attack
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Original pairs (0, 0) (0, 1) (1, 0) (1, 1)
(a)
2B (1, 1) (1, 0) (1, 0) (0, 0)
(b)
Codeword Set (in hexadecimal) 47 4D (1, 1) (0, 1) (0, 1) (1, 1) (0, 0) (0, 0) (0, 1) (0, 1)
(c)
53 (1, 1) (0, 0) (0, 1) (0, 1)
(d)
Figure 9. The attacked shares in the most serious attack: (a) Attacked share 1 (SET-A), (b) Attacked share 2 (SET-A), (c) Attacked share 1 (SET-B), (d) Attacked share 2 (SET-B).
Table 5 lists the correlation values of shares under the most serious attacks. The most serious attack means the attack produces the greatest correlation between an attacked share ( ) denotes the correlation and the corresponding phantom among all attacks. Notation between attacked share 1 (2) and its phantom. The right-half of Table 5 lists the codeword set that was used in the most serious attack. The cracked pairs of the codeword set are listed in Table 6. For example, the correlation value of attacked share 1 of SET-A is 1.90% under the most serious attack, which adopts codeword set 2B. Table 5 indicates that all attacked images have low correlation values even under the most serious attack. Figure 9 shows the attacked shares in the most serious attack. Obviously, these attacked images cannot leak anything
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
130
Kai-Hui Lee, Pei-Ling Chiu and Yie-Tarng Chen
related to the secret images or its phantoms. That proves the proposed approach can resist the dictionary attack.
4.3. Comparison with Previous Approach
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Next, we evaluate the availability of the proposed approach for binary secret images. Our previous approach for the 2, 2 -2-VSSM scheme is capable of encrypting two binary secret images without incurring any pixel expansion and can maintain high display quality for recovered images, as is the case with our proposed scheme [24]. Hence, we compare the previous approach with our scheme. Figure 10(c) and Figure 10(d) show the best recovered images in 1,000 executions, using the previous algorithm for sharing binary secret images in Figure 10(a) and Figure 10(b). Figure 10(e) and Figure 10(f) present the results of the proposed approach in this study. For fairness, the recovered images in Figure 10(e) and Figure 10(f) are not corrected. By visually comparing the results in Figure 10, it is easy to verify that the results of this study are superior to those of our previous work in terms of visual quality. Figure 10 confirms that the proposed approach also is applicable for encrypting binary secret images.
(a)
(c)
(e)
(b)
(d)
(f)
Figure 10. Comparison results of encrypting binary secret images: (a) Secret image 1, (b) Secret image 2, (c) and (d) The results of previous study [24], (e) and (f) The results of this study.
5. Conclusion In this chapter, we have developed an encryption algorithm for the 2, 2 -2-VSSM scheme for sharing halftone images. The proposed scheme resolves the main challenges presented in previous VSSM-related literature, including low effective image capacity and low quality of recovered images. The main advantage of our approach lies in the loss-less display quality of the recovered images, which can be achieved by cooperating a correctable codebook and the proposed error correction technique. The experimental results agree that the
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
A Highly Efficient Visual Cryptography for Halftone Images
131
proposed algorithm is not only capable of producing an excellent display quality and an efficient image capacity of recovered images but also effectively preserves the security of shares. These results demonstrate that our method also can be used to share binary images. This chapter makes three major contributions to the existing body of knowledge. First, we present the first encryption mechanism for sharing halftone images without pixel expansion and distortion of recovered images. Second, we propose principles for developing a codebook for visual cryptography for halftone images. Moreover, we develop an effective codebook, which not only eliminates the need for pixel expansion, but also contains correctable information for recovered images. Third, we introduce a new concept of the error correction for visual cryptography to improve the visual quality of digital recovered images. We believe that this concept can be of interest for further research in this area. These outcomes encourage us to further improve the image capacity of the proposed VSSM scheme for halftone and color images.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
References [1] M. Naor and A. Shamir, “Visual Cryptography,” Advances in Cryptology: Eurprocrypt'94, vol. 950, pp. 1-12, 1995. [2] C. Blundo, A. De Santis, and M. Naor, “Visual Cryptography for Grey Level Images,” Information Processing Letters, vol. 75, pp. 255-259, 2000. [3] C. N. Yang and C. S. Laih, “New Colored Visual Secret Sharing Schemes,” Designs, Codes and Cryptography, vol. 20, pp. 325-336, Jul 2000. [4] H. Koga, M. Iwamoto, and H. Yamamoto, “An Analytic Construction of the Visual Secret Sharing Scheme for Color Images,” IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences, vol. E84A, pp. 262-272, Jan 2001. [5] Y. C. Hou, “Visual Cryptography for Color Images,” Pattern Recognition, vol. 36, pp. 1619-1629, 2003. [6] S. J. Shyu, “Efficient Visual Secret Sharing Scheme for Color Images,” Pattern Recognition, vol. 39, pp. 866-880, May 2006. [7] Z. Zhou, G. R. Arce, and G. D. Crescenzo, “Halftone Visual Cryptography,” IEEE Transactions on Image Processing, vol. 15, pp. 2441-2453, 2006. [8] S. J. Shyu, “Image Encryption by Random Grids,” Pattern Recognition, vol. 40, pp. 1014-1031, 2007. [9] Z. Wang, G. R. Arce, and G. D. Crescenzo, “Halftone Visual Cryptography Via Error Diffusion,” IEEE Transactions on Information Forensics and Security, vol. 4, pp. 383396, 2009. [10] O. Kafri and E. Keren, “Encryption of Pictures and Shapes by Random Grids,” Optics Letters, vol. 12, pp. 377-379, 1987. [11] C. C. Wu and L. H. Chen, “A Study on Visual Cryptography,” Master Thesis, Institute of Computer and Information Science, National Chaio Tung University, Taiwan, R.O.C, 1998. [12] H. C. Hsu, T. S. Chen, and Y. H. Lin, “The Ring Shadow Image Technology of Visual Cryptography by Applying Diverse Rotating Angles to Hide the Secret Sharing,” IEEE International Conference on Networking, Sensing and Control, pp. 996-1001, 2004.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
132
Kai-Hui Lee, Pei-Ling Chiu and Yie-Tarng Chen
[13] H. C. Wu and C. C. Chang, “Sharing Visual Multi-secrets using Circle Shares,” Computer Standards and Interfaces, vol. 28, pp. 123-135, 2005. [14] M. Iwamoto, L. Wang, K. Yoneyama, N. Kunihiro, and K. Ohta, “Visual Secret Sharing Schemes for Multiple Secret Images Allowing the Rotation of Shares,” IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences, vol. E89A, pp. 1382-1395, May 2006. [15] S. J. Shyu, S. Y. Huang, Y. K. Lee, R. Z. Wang, and K. Chen, “Sharing Multiple Secrets in Visual Cryptography,” Pattern Recognition, vol. 40, pp. 3633-3651, 2007. [16] T. H. Chen, K. H. Tsao, and K. C. Wei, “Multiple-Image Encryption by Rotating Random Grids,” The 8th International Conference on Intelligent System Design and Applications, vol. 3, pp. 252-256, 2008. [17] J. B. Feng, H. C. Wu, C. S. Tsai, Y. F. Chang, and Y. P. Chu, “Visual Secret Sharing for Multiple Secrets,” Pattern Recognition, vol. 41, pp. 3572-3581, Dec 2008. [18] Z. Hou and H. Gao, “Multi-secret Images Sharing Based on Matrix Multiplication,” International Conference on Networks Security, Wireless Communications and Trusted Computing (NSWCTC '09), 2009, pp. 184-187. [19] S. J. Lin, S. K. Chen, and J. C. Lin, “Flip Visual Cryptography (FVC) with Perfect Security, Conditionally-optimal Contrast, and no Expansion,” Journal of Visual Communication and Image Representation, vol. 21, pp. 900-916, 2010. [20] T. L. Lin, S. J. Horng, K. H. Lee, P. L. Chiu, T. W. Kao, Y. H. Chen, R. S. Run, J. L. Lai, and R. J. Chen, “A Novel Visual Secret Sharing Scheme for Multiple Secrets without Pixel Expansion,” Expert Systems with Applications, vol. 37, pp. 7858-7869, 2010. [21] T. L. Lin, S. J. Horng, K. H. Lee, P. L. Chiu, T. W. Kao, R. S. Run, J. L. Lai, and R. J. Chen, “A Visual Sharing Scheme for Multiple Secrets by Camouflaging Process,” International Journal of Innovative Computing, Information and Control, vol. 6, pp. 7749-5769, 2010. [22] C. N. Yang and T. H. Chung, ”A General Multi-Secret Visual Cryptography Scheme,” Optics Communications, vol. 283, pp. 4949-4962, 2010. [23] T. H. Chen and C. S. Wu, "Efficient Multi-secret Image Sharing based on Boolean Operations,” Signal Processing, vol. 91, pp. 90-97, 2011. [24] K. H. Lee and P. L. Chiu, “A High Contrast and Capacity Efficient Visual Cryptography Scheme for the Encryption of Multiple Secret Images,” Optics Communications, vol. 284, pp. 2730-2741, 2011. [25] S. J. Shyu and K. Chen, “Visual Multiple Secret Sharing based upon Turning and Flipping,” Information Sciences, vol. 181, pp. 3246-3266, 2011.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
In: Cryptography: Protocols, Design and Applications ISBN: 978-1-62100-779-1 Editors: K. Lek and N. Rajapakse, pp. 133-144 © 2012 Nova Science Publishers, Inc.
Chapter 4
MULTI LAYER QKD PROTOCOL USING CORRELATED PHOTON OF DARK SOLITON ARRAY IN A WAVELENGTH ROUTER P. Youplao, S. Mitatha and P.P. Yupapin* King Mongkut‟s Institute of Technology Ladkrabang, Bangkok, Thailand
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Abstract We propose a new protocol of the multi layers quantum router generated by using the multiplexed dark soliton pulses within a microring resonator system. Initially, the multi dark solitons are input into a microring system, where the dynamic dark solitons are controlled and the required quantum states generated. The multivariable quantum key distribution can be formed by using the correlated photon pair of each dark soliton center wavelengths, where the quantum keys (codes) are generated and recovered via the quantum processor in the wavelength router. In application, the secure information with high capacity can be performed incorporating the quantum keys via the quantum processor in the multivariable quantum router.
Keywords: Quantum protocol, Quantum network, QKD, Wavelength router, Dark soliton
1. Introduction Quantum cryptography has become the interesting technique for communication because of the perfect security can be provided in the transmission link. Moreover, the high capacity network with perfect security can be employed by using the quantum networks. Many research works have been report the use of quantum key distribution in various applications [1-4], where some of them have suggested that networks of small quantum computers be used to overcome the limitations of individual machines, creating distributed quantum systems [57], which use a quantum channel and an authenticated (but not necessarily secret) classical *
E-mail address: [email protected] (Corresponding Author)
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
134
P. Youplao, S. Mitatha and P.P. Yupapin
channel to create shared, secret, random classical bits that can be used as the cryptographic key. Therefore, we propose the use of the multi dark soliton pulse which could be experimentally generated by using a pumped laser in a fiber optic system [8]. The obtained dark soliton can be amplified and tuned by using the nonlinear ring resonator system analytically [9]. The dynamic behavior of soliton conversion, i.e. tunable optical tweezer within an add/drop filter is analyzed [10]. A concept of dark soliton array to take the multi atoms is also discussed for long distance atom transportation, whereas a soliton pulse has been used to produce the fast switching [11-12]. Dark soliton is one of the soliton properties, whereas the soliton amplitude is vanished or minimized during the propagation in media, therefore, the dark soliton detection is difficult. However, the use of dark soliton has shown the promising applications in many areas of research [13-17]. The investigation of dark soliton behaviors has been reported [18], where one point of them has shown the interesting results, where the dark soliton can be stabilized. In this work, the multiplexed solitons can be transmitted into the link via an optical multiplexer (MUX), where the dark soliton array, i.e. wavelength division multiplexing of dark soliton is formed, which may be used to form the multi wavelength soliton bands. Simulation results obtained have shown that slightly difference of soliton center wavelengths can be generated and used for packet switching applications. Moreover, the use of a quantum processor incorporating in the system can provide the quantum key distribution within the wavelength router, whereas the multivariable quantum key distribution can be employed for high capacity and security communication applications, which is proposed to be the new quantum protocol known as multi layer QKD protocol.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
2. Dark Soliton Array Generation To describe the multiplexed dark soliton pulses, which introduce the dark soliton array generation, a stationary multi dark soliton pulses are introduced into the microring resonator system as shown in Figure 1. Each of input optical fields (Ein) of the dark soliton pulses input is given by [9]
⎡⎛ z ⎡T⎤ E in (t ) = Atanh ⎢ ⎥ exp ⎢⎜⎜ ⎣ T0 ⎦ ⎣⎝ 2L D
⎤ ⎞ ⎟⎟ − iω 0 t ⎥ ⎠ ⎦
(1)
where A and z are the optical field amplitude and propagation distance, respectively. T is a soliton pulse propagation time in a frame moving at the group velocity, T = t – β1*z, where β1 and β2 are the coefficients of the linear and second-order terms of Taylor expansion of the propagation constant. LD = T02/|β2| is the dispersion length of the soliton pulse. T0 in equation is a soliton pulse propagation time at initial input (or soliton pulse width), where t is the soliton phase shift time, and the frequency shift of the soliton is ω0. This solution describes a pulse that keeps its temporal width invariance as it propagates, and thus is called a temporal soliton. When a soliton peak intensity (|β2/ Г×T02|) is given, then T0 is known. For the soliton pulse in the microring device, a balance should be achieved between the dispersion length (LD) and the nonlinear length (LNL = 1/ГφNL), where Г = n2*k0, is the length scale over which dispersive or nonlinear effects makes the beam become wider or narrower. For a soliton pulse, there is a balance between dispersion and nonlinear lengths, hence LD = LNL.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Multi Layer QKD Protocol Using Correlated Photon of Dark Soliton Array…
135
When light propagates within the nonlinear material (medium), the refractive index (n) of light within the medium is given by
n = n0 + n 2I = n0 +
n2 P A eff
(2)
where n0 and n2 are the linear and nonlinear refractive indexes, respectively. I and P are the optical intensity and optical power, respectively. The effective mode core area of the device is given by Aeff. For the series microring resonator (MRRs), the effective mode core areas range from 0.50 to 0.10 µm2 [19]. When a soliton pulse is input and propagated within a MRR, as shown in Figure1, which consists of a series MRRs. The resonant output is formed, thus, the normalized output of the light field is the ratio between the output and input fields [Eout(t) and Ein(t)] in each roundtrip, which is given by [20]
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
⎡ ⎤ 2 ⎢ ⎥ Eout (t) (1 − (1− γ) x 2 )κ = (1− γ)⎢1 − ⎥ φ Ein (t) ⎢ (1− x 1 − γ 1 − κ )2 + 4 x 1 − γ 1 − κsin2 ( ) ⎥ 2 ⎦ ⎣
(3)
The close form of Eq. (3) indicates that a ring resonator in this particular case is very similar to a Fabry–Perot cavity, which has an input and output mirror with a field reflectivity, (1−κ), and a fully reflecting mirror. κ is the coupling coefficient, and x=exp(−αL/2) represents a roundtrip loss coefficient, φ0=kLn0 and φNL=kLn2|Ein|2 are the linear and nonlinear phase shifts, k=2π/λ is the wave propagation number in a vacuum, where L and α are waveguide length and linear absorption coefficient, respectively. In this work, the iterative method is introduced to obtain the results as shown in Eq. (3), and similarly, when the output field is connected and input into the other ring resonators. The input optical field as shown in equation (1), i.e. a dark soliton pulse, is input into a nonlinear series microring resonator. By using the appropriate parameters, we propose to use the add/drop device with the appropriate parameters. This is given in details as followings. The optical outputs of a ring resonator add/drop filter can be given by the equations (4) and (5), respectively [21]. Et E in
2
=
(1 − κ1 ) − 2 1 − κ1 ⋅ 1 − κ 2 e
α − L 2
cos(k n L) + (1 − κ 2 )e −αL
1 + (1 − κ1 )(1 − κ 2 )e −αL − 2 1 − κ1 ⋅ 1 − κ 2 e
α − L 2
cos(k n L)
(4)
and Ed E in
2
=
κ 1κ 2 e
α − L 2
1 + (1 − κ 1 )(1 − κ 2 )e − αL − 2 1 − κ 1 ⋅ 1 − κ 2 e
(5) α − L 2
cos(k n L)
where Et and Ed represent the optical fields of the throughput and drop ports, respectively. β = kneff is the propagation constant, neff is the effective refractive index of the waveguide, and the circumference of the ring is L=2πR, with R as the radius of the ring. In the following, new parameters is used for simplification with φ = βL as the phase constant. The chaotic noise cancellation can be managed by using the specific parameters of the add/drop device, and the
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
136
P. Youplao, S. Mitatha and P.P. Yupapin
required signals can be retrieved by the specific users. κ1 and κ2 are the coupling coefficient of the add/drop filters, kn=2π/λ is the wave propagation number for in a vacuum, and where the waveguide (ring resonator) loss is α = 0.5 dBmm−1. The fractional coupler intensity loss is γ = 0.1. In the case of the add/drop device, the nonlinear refractive index is neglected.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Figure 1. Schematic of generation trapping tool system, where Eins: Soliton inputs, Rs: ring radii, κs: coupling coefficients, MUX: Optical multiplexer, Rd: Add/drop radius, MRR: Microring resonator.
Figure 2. Simulation result of the dark solitons within the series microring resonators when the dark soliton input wavelength is 1.5 µm, where (a) dark soliton input, (b) and (c) dark solitons in Rings R1 and R2, (d), (e) and (f) are drop port signals.
In simulation, the generated dark soliton pulse, for instance, with 50-ns pulse width, and a maximum power of 0.5W is input into each of ring resonator systems with different center wavelengths, as shown in Figure 1. The suitable ring parameters are used, such as ring radii Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Multi Layer QKD Protocol Using Correlated Photon of Dark Soliton Array…
137
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Figure 3. Simulation result of the dark soliton array when the dark soliton input wavelengths are 1.5, 1.52 and 1.54 µm, where (a) dark soliton array, (b) and (c), (d) and (e), (f) and (g) are the drop port signals, respectively.
and ring coupling coefficients, where R1=15.0µm and R2=10.0µm. In order to make the system associate with the practical device [19], n0=3.34 (InGaAsP/InP). The effective core areas are Aeff =0.50 and 0.25 µm2 for microring resonatros(MRRs). The waveguide and coupling loses are α =0.5 dBmm−1 and γ =0.1, respectively, and the coupling coefficients κs of the MRRs are ranged from 0.03 to 0.1. The nonlinear refractive index is n2=2.2×10−13 m2/W. In this case, the waveguide loss used is 0.5 dBmm−1. However, more parameters are used as shown in Figure 1. The input dark soliton pulse is chopped (sliced) into the smaller signals R1, R2, and the filtering signals within add/drop ring Rd are seen. We find that the output signals from R2 is larger than from R1 due to the different core effective areas of the rings in the system, which is represented by the nonlinear terms of the ring resonator. However, the effective areas can be transferred from 0.50 and 0.25µm2 with some losses. The soliton signals in Rd is entered in the add/drop filter, where the dark-bright soliton conversion can be performed by using Eqs. (4) and (5). In application, the different dark soliton wavelength is input into the series microring resonators system, whereas the parameters of system are set the same. For instance, the dark solitons are input into the system at the center wavelengths λ1 = 1.5, λ2 = 1.52 and λ3 = 1.54 µm, respectively. When a dark soliton propagates into the MRRs system, the occurrence of dark soliton collision (modulation) in multiplexer system and the filtering signals within add/drop ring (Rd) is as shown in Figure 1. The dark soliton generated by multi-light sources at the center wavelength λ1 = 1.50 µm, the filtering signals are as shown in Figure 2. Simulation results obtained have shown that the band of bright solitons is seen, whereas there is no signal at λ1 = 1.50 µm. The free spectrum
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
138
P. Youplao, S. Mitatha and P.P. Yupapin
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Figure 4. Simulation result of the dark soliton array when the dark soliton input wavelengths are 1.56, 1.58 and 1.60 µm, where (a) dark soliton array, (b) and (c), (d) and (e), (f) and (g) are the drop port signals, respectively.
range (FSR) and the amplified power of 2.1 nm and 20 W of the dark soliton are obtained, where in this case, the spectral width(Full width at half maximum, FWHM) of 0.1 nm is achieved. In Figure3, the dark soliton array generated by multi-light sources at the center wavelength λ1 = 1.5, λ2 = 1.52 and λ3 = 1.54 µm and filtering signals is shown, respectively. Similarly, the dark soliton array generated by multi-light sources at the center wavelength λ1 = 1.56, λ2 = 1.58 and λ3 = 1.60 µm and filtering signals respectively is as shown in Figure 4, whereas the optical ring radii used are 15, 10 µm and Rd = 50 µm. From the results obtained, the parity bits (qubits) of each packet switching signals can be generated by using the upper and lower signals, where there is no signal at the center wavelength, which is suitable to form the entangle photon pair.
3. Multi Layers Quantum Router From the results obtained as shown in Figs. (2)-(4), the quantum bits can be formed by using the pair of the entangled photons which can be generated by using the correlated photons via a quantum processor (QP) as shown in Figs. 5 and 6, therefore, the synchronous data transmission with high security can be performed by using the proposed designed system. To form the synchronous qubits by using the quantum processor, let us consider that the case when the photon output is input into the quantum processor unit. Generally, there are two pairs of possible polarization entangled photons forming within the ring device, which
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Multi Layer QKD Protocol Using Correlated Photon of Dark Soliton Array…
139
are represented by the four polarization orientation angles as [0º, 90º], [135º and 180º]. These can be formed by using the optical component called the polarization rotatable device and a polarizing beam splitter (PBS). In this concept, we assume that the polarized photon can be performed by using the proposed arrangement. Where each pair of the transmitted qubits can be randomly formed the entangled photon pairs. To begin this concept, we introduce the technique that can be used to create the entangled photon pair (qubits) as shown in Figs. (5) and (6), a polarization coupler that separates the basic vertical and horizontal polarization states corresponds to an optical switch between the short and the long pulses. We assume those horizontally polarized pulses with a temporal separation of Δt. The coherence time of the consecutive pulses is larger than Δt. Then the following state is created by Eq. (6) [22-23].
Φ
p
= 1, H
1, H
s
i
+ 2, H
s
2, H
(6)
i
In the expression k , H , k is the number of time slots (1 or 2), where denotes the state of polarization [horizontal H or vertical V ], and the subscript identifies whether the state is the signal (s) or the idler (i) state. In Eq. (1), for simplicity, we have omitted an amplitude term that is common to all product states. We employ the same simplification in subsequent equations in this paper. This two-photon state with H polarization shown by Eq. (6) is input
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
into the orthogonal polarization-delay circuit shown schematically. The delay circuit consists of a coupler and the difference between the round-trip times of the micro ring resonator, which is equal to Δt. The micro ring is tilted by changing the round trip of the ring is converted into V at the delay circuit output. That is the delay circuits convert k, H to be
where t and r is the amplitude transmittances to cross and bar ports in a coupler. Then Eq. (6) is converted into the polarized state by the delay circuit as Φ = [ 1, H
+ [ 2, H = [ 1, H
s
s
+ exp(iφ s ) 2, V s ] × [ 1, H
s
+ exp(iφ s ) 3, V
1, H
i
s
+ exp(iφ i ) 1, H
+ exp[i (φ s + φ i )] 2, V + exp(iφ s ) 3,V
2, V
s
s
2, H
i
+ exp( iφ i ) 2, V i ]
] × [ 2, H i + exp(iφ i ) 2, V i ] s
2, V i ] + exp(iφ s ) 2, V
+ 2, H
i
i
s
2, H
i
s
+ exp(iφ i ) 2, H
+ exp[i (φ s + φi )] 3, V
s
3, V
i
1, H s
i
3, V
i
(7)
By the coincidence counts in the second time slot, we can extract the fourth and fifth terms. As a result, we can obtain the following polarization entangled state as (8)
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
140
P. Youplao, S. Mitatha and P.P. Yupapin
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
We assume that the response time of the Kerr effect is much less than the cavity roundtrip time. Because of the Kerr nonlinearity of the optical device, the strong pulses acquire an intensity dependent phase shift during propagation. The interference of light pulses at a coupler introduces the output beam, which is entangled. Due to the polarization states of light pulses are changed and converted while circulating in the delay circuit, where the polarization entangled photon pairs can be generated. The entangled photons of the nonlinear ring resonator are separated to be the signal and idler photon probability. The polarization angle adjustment device is applied to investigate the orientation and optical output intensity, this concept is well described by the published work [24]. The transmission part can be used to generate the high capacity packet of quantum codes within the series of micro ring resonators and the cloning unit, which is operated by the add/drop filter (RdN1), used to be Alice as shown in the schematic diagram in Figure 5. The received part (RN) can be used to detect the quantum bits via the optical link, which can be obtained via the end quantum processor and the reference states can be recognized by using the cloning unit [25], which is operated by the add/drop filter (RdN2), used to be Bob as shown in the schematic diagram in Figure 6. The synchronous bits (entangled photon pair) can be formed after a signal input with the specific wavelength (λN) is launched into the system. The remaining part of a system of the multi wavelength router is as shown in the schematic diagram in Figure 7. In operation, the packet of data in each layer (wavelength) can be generated and input into the system via a wavelength router, which is encoded by the quantum secret codes. The required data generated by specific wavelength can be retrieved via the drop port of the add/drop filter in the router, whereas the quantum secret codes can be specified between Alice and Bob. Moreover, the high capacity of data can be applied by using more wavelength carries (multi layers/wavelengths) which can be provided by the correlated photon generation. In general, the use of dark soliton array is required to form the high capacity packet switching, the synchronous data transmission is formed by using the qubits, whereas the additional advantageous is that the data security can be provided.
Figure 5. A system of Signal pulse and entangled photon generation, where RNS : ring radii coupling coefficients, RdNS: an add/drop ring radius, can be used to be the transmission part(TN).
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
κNS:
Multi Layer QKD Protocol Using Correlated Photon of Dark Soliton Array…
141
Figure 6. A system of the entangled photon pair manipulation of the receiver part (RN). The quantum state is propagating to a rotatable polarizer and then is split by a beam splitter (PBS). flying to detector
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
DN3 and DN4.
Figure 7. A schematic multi wavelength router, where Ri, Rj: ring radii and κis, κjs are the coupling coefficients, where λi: dark soliton wavelengths, QP: Quantum Processor.
4. Proposed Protocol Nowadays, there are many QKD protocol has been developing such as B92 protocol, EPR protocol, two-state protocol and others. The most widely used today is BB84 protocol, which is the first QKD protocol, invented by Bennet and Brassard [26]. For this simulation, each of object (Alice, Bob, Eve) play different role. Only the appropriate function is executed on each of workstation, depends on its role. The quantum channel and public channel object are executed on Alice’s, while Eve and Bob object are execute on different workstation respectively. In this work, we propose the use of multi layers QKD protocol which is similar to the ordinary QKD, but in this case there is more capacity which works as follow: (1)
Alice generated a length (k) of random number (0 and 1) then sends it on Quantum channel object to be ‘read’ by Bob and Eve.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
142 (2)
(3) (4)
(5)
(6)
(7)
(8)
(9)
P. Youplao, S. Mitatha and P.P. Yupapin If there is eavesdropping from Eve, Eve is the one who have to ‘read’ the Quantum channel object first. Eve can modify the bits with two kind of attack; intercept/resend or beam splitting. Then, Bob read the updated version from Quantum channel object, assuming that Bob doesn’t know about the tapping from Eve. Bob then measure the bits he ‘read’ from Quantum channel object with his selected own bases. Then, Bob ‘announce’ the bases he made to Alice via public channel, which located at Alice’s. Sifting raw key begin, Alice ‘read’ Bob’s measurement at public channel object and confirm’ to Bob the position Bob has measures in the right bases (m bits) by announce it at public channel. Next, Alice and Bob estimate error to detect eavesdropper. They both calculate and compare their bits error rate (e). If they found that their error rate is higher than maximum bits error rate (e>emax), they will suspend the communication and start all over again. (emax has predetermined value) Now, both Alice and Bob will have a shared key, which is called ‘raw key’. This key is not really shared since Alice and Bob’s version are different. They eliminate the m bits from the raw key. Both Alice and Bob then perform ‘error correction’ on their raw key to find erroneous bits in uncompared parts of keys and ‘privacy amplification’ to minimize the number of bits that an eavesdropper knows in the final key. Finally, they both will get a same string of bits, which is the shared secret key.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
4. Discussion This simulation program measure the key length of the raw key and secret key depends on different kind of attack by Eve: (1)
(2)
(3)
No Attack: When there is no attack, Eve didn’t do anything, Bob receive all bits as send by Alice. Alice will send all her generated bits to Quantum channel to be ‘read’ by Bob. Beam Splitting: When Eve attempts beam splitting, it return either 0 or 1 randomly, we assume that beam in Quantum channel have been split successfully. This will randomly change bits that have been written by Alice in Quantum channel according to how strong mirror strength have been set by Eve to split the beam (bits actually). Intercept/resend: In this attack, Eve has to read all the bits that have been written by Alice, Eve then such sending new string of random bits as long as Alice does. Practically, Alice and Bob can detect 25% of error rate in their sifted key and Eve can get 50% information from Alice.
But, because we use random bits generated by Eve, it will depend on the result when Bob and Alice compare their bits.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Multi Layer QKD Protocol Using Correlated Photon of Dark Soliton Array…
143
4. Conclusion We have proposed a new technique of multi layers quantum key distribution via a wavelength router using the correlated photon and a quantum processor, which is called parity bits synchronization. In this study, the multi wavelength signals are generated to form multivariable quantum key and packet switching data, which they are available for high capacity and security communication applications. In operation, the packet of data can be generated and input into the system via a wavelength router, which is encoded by the quantum secret codes. The advantage is that data identification can be transmitted associating with the information data, whereas the synchronous key(quantum key) can be provided between Alice and Bob by using the dark solution tail(array) to form the quantum bits(qubits) by using the correlated photons via the quantum processor. Initially, the dark soliton array is generated and used to form the multivariable packet switching data, where the sequence of data can be identified by quantum signals, whereas the security of data can be performed by using the secret codes, i.e. the same qubits. Moreover, the secret codes can also be used to form the data identification by using the parity bits (qubits) which is known as signal (data) synchronization. Finally, the required data generated by specific wavelength can be retrieved via the drop port of the add/drop filter in the wavelength router, whereas the quantum secret codes can be specified between Alice and Bob.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
References [1] G. Bonfrate, M. Harlow, C. Ford, G. Maxwell and P.D. Townsend “Asymmetric MachZehnder germanosilicate channel waveguide interferometers for quantum cryptography systems”, IEEE. Electron.. Lett., 37(2001)846-847. [2] L. Moli-S´anchez, A. Rodr´ıguez-Alonso, G. Seco-Granados, “Performance analysis of quantum cryptography protocols in optical earth-satellite and intersatellite links”, IEEE. Communications, 27(2009)1582-1590. [3] T. D. Ladd, W. J. Munro and K. Nemoto, “System design for a long-line quantum repeater”, IEEE/ACM. Networking, 17(2009)1002 -1013. [4] H. C. Shih, K. C. Lee and T. H. Wang, “New efficient three-party quantum key distribution protocols”, IEEE. Quantum Electron., 15(2009)1602-1606. [5] R. Cleve and H. Buhrman, “Substituting quantum entanglement for communication”, Phys. Rev. A., 56(1997)1201-1204. [6] J. I. Cirac, A. Ekert, S. F. Huelga, and C. Macchiavello, “Distributed quantum computation over noisy channels”, Phys. Rev. A., 59(1999)4249. [7] J. Yepez, “Type-II quantum computers”, Int. J. Modern Phys. C., 12(2001)1273-1284. [8] S.F. Hanim, J. Ali and P.P. Yupapin, “Dark soliton generation using dual Brillouin fiber laser in a fiber optic ring resonator”, Microw. and Opt. Technol. Lett., 2010. (Article in press). [9] S. Mitatha, “Dark soliton behaviors within the nonlinear micro and nanoring resonators and applications”, Progress In Electromagnetic Research(PIER), 99(2009)383-404. [10] P.P. Yupapin, T. Saktioto and J. Ali, “Photon trapping model within a fiber Bragg grating for dynamic optical tweezers”, Microw. and Opt. Technol. Lett., 2010. (Article in press)
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
144
P. Youplao, S. Mitatha and P.P. Yupapin
[11] F.G. Gharakhili, M. Shahabadi, and M. Hakkak, “Bright and dark soliton generation in a left-handed nonlinear transmission line with series nonlinear capacitors,” Progress In Electromagnetics Research(PIER), 96(2009)237-249. [12] M. Ballav and A. R. Chowdhury, “On a study of diffraction and dispersion managed soliton in a cylindrical media,” Progress In Electromagnetics Research(PIER), 63(2006)33-50. [13] Y. S. Kivshar and B. Luther-Davies, “Dark Optical Solitons: Physics and applications,” Phys. Rep., 298, 81(1998). [14] W. Zhao and E. Bourkoff, “Propagation properties of dark solitons,” Opt. Lett., 14(1989)703-705. [15] I.V. Barashenkov, “Stability criterion for dark soliton,” Phys. Rev. Lett., 77(1996)11931195. [16] D. N. Christodoulides, T. H. Coskun, M. Mitchell, Z. Chen and M. Segev, “Theory of incoherent dark solitons,” Phys. Rev. Lett., 80(1998)5113-5115. [17] B. A. Malomed, A. Mostofi and P. L. Chu, “Transformation of a Dark Soliton into a Bright Pulse,” J. Opt. Soc. Am. B., 17(2000)507-513. [18] A. D. Kim, W. L. Kath and C. G. Goedde, “Stabilizing dark solitons by periodic phasesensitive amplification,” Opt. Lett., 21(1996)465-467. [19] Y. Kokubun, Y. Hatakeyama, M. Ogata, S. Suzuki and N. Zaizen, “Fabrication technologies for vertically coupled microring resonator with multilevel crossing busline and ultracompact-ring radius”, IEEE J. Sel. Top. Quantum Electron., 11(2005)4-10. [20] P.P. Yupapin and W. Suwancharoen, “Chaotic signal generation and cancellation using a micro ring resonator incorporating an optical add/drop multiplexer,” Opt. Commun., 280/2(2007)343-350. [21] P.P. Yupapin, P. Saeung and C. Li, “Characteristics of complementary ring-resonator add/drop filters modeling by using graphical approach”, Opt. Commun., 272(2007)8186. [22] P.P. Yupapin and S. Mitatha, “Multi-users quantum key distribution via wavelength routers in an optical network,” Recent Patent in Computer Science, 2(1)(2009)14-20. [23] P.P. Yupapin and S. Suchat, “Entangle photon generation using fiber optic MachZehnder interferometer incorporating nonlinear effect in a fiber ring resonator, Nanophotonics (JNP), 1(2007)13504-1. [24] H. Hubel, M. R. Vanner, T. Lederer, B. Blauensteiner, T. Lorunser, A. Poppe1 and A. Zeilinger, “High-fidelity transmission of polarization encoded qubits from an entangled source over 100 km of fiber”, Opt. Exp., 15(2007) 7853-7862. [25] N. Pornsuwancharoen, P.P. Yupapin, “Entangled photon states recovery and cloning via the micro ring resonators and an add/drop multiplexer”, Int. J. Light and Electron Opt., doi:10.1016/j.ijleo.2008.09.034. [26] C.H. Bennet and G.Brassard “Quantum cryptography: public key distribution and coin tossing”, Proceeding of IEEE International Conference on Computer System and Signal Processing, Bangalore India, (1984)175-179.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
In: Cryptography: Protocols, Design and Applications ISBN: 978-1-62100-779-1 c 2012 Nova Science Publishers, Inc. Editors: K. Lek and N. Rajapakse, pp. 145-158
Chapter 5
C HAOS -BASED C RYPTOSYSTEM IN D IFFERENT M ODES OF B LOCK E NCRYPTION Rhouma Rhouma∗ and Safya Belghith Syscom Laboratory. Ecole Nationale d’Ingénieurs de Tunis, Tunisia
Abstract In this work we propose to use a spatiotemporal chaotic map in the design of a new cryptosystem in different modes of block encryption. Performance and security analysis show the effectiveness and the robustness of the proposed cryptosystem. The proposed cryptosystem is compared to the encryption standard AES and has been found faster.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Key Words: chaotic encryption, CBC CFB, OFB
1.
Introduction
Chaos based encryption has became a new alternative for classical cryptographic methods in the last decade. The use of chaos in the design of the secure communication is resulting from the strong connection between chaos properties and cryptography properties [1]. For example, the property of the sensitivity to initial conditions or parameters of a chaotic signal, can be seen as a small deviation in the plaintext which will cause a large change in the ciphertext in a cryptographic viewpoint. The deterministic dynamic which can cause a pseudo-random aspect of the chaotic signal find its homologue in cryptography when a deterministic process in a cryptosystem can cause a pseudo random behavior. Another property is the Ergodicity of a chaotic signal can be seen as the uniform distribution of the ciphertext for any input (plaintext) of a "well designed" cryptosystem. Theses connected properties make the use of chaos in the cryptosystems design logically natural and unav oidable. So far many cryptosystems have been proposed [3, 5, 8, 10, 15, 16, 25, 27, 30, 31] as well as cryptanalysis works [2, 4, 11–13, 17, 19, 20, 22]. Not all the proposed cryptosystems have been cryptanalysed, but the conclusions of some cryptanalysis work can be applied to ∗ E-mail
address: [email protected]
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
146
Rhouma Rhouma and Safya Belghith
many other cryptosystems, which means that there is no need to perform a cryptanalysis in a explicit way for each new published chaotic cryptosystem. The rest of this chapter is organized as follows: Section 2 presents the objective of the chapter. Section 3 describes the proposed cryptosystem in three different versions. Section 4 evaluates the performance and the security of the proposed cryptosystem through a comparison with the encryption standard AES in time speed of encryption/decryption and measures the resistance to brute force and classical attacks. Finally in Section 5 we draw some conclusions.
2.
Objective of the Chapter
The main idea of this chapter is to propose an universal encryption algorithm for any type of data including text, image, executable and geophysical files. The core of the proposed cryptosystem is a spatiotemporal chaotic map named also One-way coupled map lattices (OCML). We have used the OCML as a pseudo-random number generator to produce sequences called "keystream" used to mask in cryptographic way the plaintext (the input). In this chapter, we propose to use three different modes of block encryption (CBC, CFB and OFB), that is mean the introduced cryptosystem is proposed in three versions.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
3.
Proposed Encryption Algorithm
In cryptography, a block cipher operates on blocks of fixed length. Because messages may be of any length, and because encrypting the same plaintext under the same key always produces the same output, several modes of operation have been invented which allow block ciphers to provide confidentiality for messages of arbitrary length. The earliest modes described in the literature are ECB, CBC, OFB and CFB which will be presented in this work for their use in the proposed cryptosystem. All these modes (except ECB) require an initialization vector (IV) which is a start block to begin the process for the first plaintext block, and also to provide some randomization for the process. We refer the reader to refs. [14, 28] to more clear understanding of the different block encryption modes. We will consider the following notations in this section: N: The number of plaintexts/ciphertexts blocks. Pt : Plaintext Block of index t. The plaintext can be represented as P = P1 P2 . . . PN . Ct : Ciphertext Block of index t. The ciphertext can be represented as C = C1C2 . . .CN . Ot : Output-keystream Block of index t. Ek : The block cipher encryption operation using the key k. Dk : The block cipher decryption operation using the key k. Kt : The keystream block of index t. The Keystream can be represented as K = K1 K2 . . . KN . The core of our algorithm is a special chaotic map named the OCML. Spatiotemporal chaotic systems [18, 24, 26], which are usually modeled by one-way coupled-map lattices (OCML), have been investigated in secure communications as an alternative to lowdimensional ones.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Chaos-Based Cryptosystem in Different Modes of Block Encryption
147
The OCML is defined as: i xt+1 = (1 − ε)g(xti ) + εg(xti−1 )
(1)
Where i = 0, 1, 2 is the lattice site number, xti represents the state variable for the ith site at time t, ε = 0.99 is the coupling coefficient and g is the skew tent map [21] given by: i xt /qi , xti ∈ (0, qi ) i (2) g(xt ) = (1 − xti )/(1 − qi ), xti ∈ (qi , 1) 1. The secret key is the set: Key = (q1 , q2 , x00 , x01 , x02 ) composed by two parameters q1 and q2 , and the key sequence of the OCML x00 , x01 and x02 . 2. The keystream generation: a keystream block Kt generated from the OCML for every valid t as follows: (3) Kt = f loor(xt2 × N × 2L )mod 2ν Where The parameter L is set to 52 and ν = 8. 3. The encryption procedure: The keystream Kt is then used to encrypt the plaintext P to obtain the ciphertext C by the rules described in the next subsections according to which mode the cryptosystem is designed. The encryption operation Ek (using a key k) is as follows: Given a block Xt , the ciphered block Yt of the plaintext block Xt is generated by applying the operation Ek given by:
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Ek (Xt ) = (Xt + Kt )mod 2ν = Yt
(4)
4. The initial condition xt0 for any valid t is then generated from Ct to make the keystream dependant on the ciphertext Ct as follows: xt0 =
Ct 2ν
(5)
This initial condition is then used to update the OCML (by iterating it), to produce the next keystream and to generate the next ciphertext block as shown in Fig. 1. 5. In the decryption procedure, The recovered plaintext noted P = P1 P2 . . . PN is obtained from the ciphertext C and the regenerated keystream by the receiver by implementing the rules described in the next subsections according to which mode the proposed cryptosystem is designed. The decryption operation Dk (using a key k) is as follows: Given a block Yi , the recovered block Xi of the ciphered block Yi is generated by applying the operation Dk given by: Dk (Yi ) = (Yi − Ki )mod 2ν = Xi
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
(6)
148
Rhouma Rhouma and Safya Belghith
Figure 1. The generation and the update of the OCML: the ciphertext block is feeded back to continue iterating the OCML.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
3.1.
Design of the Cryptosystem Using the CBC Mode
Following the steps in Section 3, and given a plaintext block Pt and a keystream block Kt , the ciphertext block is generated by encrypting Pt ⊕Ct−1 like the CBC mode operation [7]. An initialization vector (IV = C0 ) is chosen randomly in the interval [1, 2v − 1] to encrypt the first ciphertext block. Hence, Ct is obtained, the OCML is updated according to Eq. 5 and Fig. 1 to generate the next keystream block. These steps are repeated until all the plaintext blocks are ciphered. See Fig. 2 which explains the encryption scenario of the cryptosystem in a CBC mode. The encryption procedure used in the CBC mode is described (See Fig. 2) by: Ct = Ek [Pt ⊕Ct−1 ] C0 = IV = [(Pt ⊕Ct−1 ) + Kt ]mod 2ν
(7)
And the corresponding CBC-decryption procedure (See Fig. 3) is: Pt = Dk [Ct ] ⊕Ct−1 C0 = IV = [Ct − Kt ]mod 2ν ⊕Ct−1
3.2.
(8)
Design of the Cryptosystem Using the CFB Mode
Following the steps in Section 3, a cryptosystem designed in a CFB mode needs an initialisation vector (IV = C0 ) which has been randomly taken from the interval [1, 2v − 1] to generate the first ciphertext block. The first keystream block K1 was generated by iterating Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Chaos-Based Cryptosystem in Different Modes of Block Encryption
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Figure 2. Encryption algorithm in a CBC mode.
Figure 3. Decryption algorithm in a CBC mode. Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
149
150
Rhouma Rhouma and Safya Belghith
the OCML from the key sequence (x00 , x01 and x02 ) until obtaining x12 , this latter will be used by applying Eq. 3. The first ciphertext block is generated by applying Eq. 9. We use this to update the OCML according to Eq. 5, we iterate the OCML and another keystream is then generated from x22 . And so on until ciphering all the plaintext blocks. The Decryption uses the same operation Ek , because in this case the encryption and the decryption are symmetric. The decryption procedure is given by Eq. 10. For the well understanding of this design, see Fig. 4. The encryption procedure used in the CFB mode is described (See Fig. 4) by: Ct = Ek [Ct−1 ] ⊕ Pt C0 = IV = [Ct−1 + Kt ]mod 2ν ⊕ Pt
(9)
And the corresponding CFB-decryption procedure (See Fig. 5) is:
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Pt = Ek [Ct−1 ] ⊕Ct C0 = IV = [Ct−1 + Kt ]mod 2ν ⊕Ct
(10)
Figure 4. Encryption algorithm in a CFB mode.
3.3.
Design of the Cryptosystem Using the OFB Mode
Following the steps in Section 3, we need an initialization vector which in this case is given by (IV = O0 ) with Ot is the output just after the Ek operation as given by Fig. 6. In this case, neither the plaintext block nor the previous ciphertext block are encrypted by the operation Ek , but the "keystream-output" Ot is the one which is encrypted (by applying Eq. 11). After this operation, the encrypted Ot is then XORed with the corresponding plaintext block Pt . The generation of the keystream Kt is in the same way like the other modes
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Chaos-Based Cryptosystem in Different Modes of Block Encryption
151
Figure 5. Decryption algorithm in a CFB mode. described in Subsections 3.1 and 3.2 The decryption procedure (given by Eq. 12) is in the same way using the operation Ek because in this case the encryption and the decryption procedures are symmetric. The encryption procedure used in the OFB mode is described (See Fig. 6) by:
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Ct = Ot ⊕ Pt = Ek [Ot−1 ] ⊕ Pt O0 = IV = [Ot−1 + Kt ]mod 2ν ⊕ Pt
(11)
And the corresponding OFB-decryption procedure (See Fig. 7) is: Pt = Ot ⊕Ct = Ek [Ot−1 ] ⊕Ct O0 = IV = [Ot−1 + Kt ]mod 2ν ⊕Ct
4.
(12)
Security and Performance Evaluation of the Cryptosystem
We note that the set of key values used in the simulations for the rest of this work is: x00 = 0.9325678017859834; x01 = 0.4123679824571098; x02 = 0.6329713279083541; q1 = 0.3456703421895465; q2 = 0.8219489045612356; And the set of parameters: ε = 0.99; L = 52; ν = 8.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
152
Rhouma Rhouma and Safya Belghith
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Figure 6. Encryption algorithm in a OFB mode.
Figure 7. Decryption algorithm in a OFB mode.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Chaos-Based Cryptosystem in Different Modes of Block Encryption
4.1.
153
Encryption and Decryption Speed
For testing proposals the cryptosystem was implemented using Matlab 7.4.0 on a 1.6 GHz Pentium (M) with 752 Mbytes of RAM running Windows XP. The standard files from the Calgary Corpus were used [6]. There are 18 distinct files of different types, including text, executable, geophysical data, and picture. These files were also been used in testing other algorithms like in [9,29]. Four algorithms were implemented to compare their speed in the encryption/decryption process. The results were reported in Tab. 1. Based in these tests, the mean time speed for encryption/decryption for the four algorithms has been evaluated by the following equation: 1 18 SizeF (13) Timespeed = ∑ TimeF 18 F=1 where SizeF is the size in kB of the file of index F, TimeF is the time needed for a given algorithm to encrypt/decrypt the file of index F. Applying Eq. 13 using the data in Tab. 1, the mean time speed for the four algorithms is as follows: 1. Algorithm 1: The proposed algorithm in a CBC mode design: 161.43 kBs for encryption and 164.1874 kBs for decryption. 2. Algorithm 2: The proposed algorithm in a CFB mode design: 164.3810 kBs for encryption and 164.6733 kBs for decryption. 3. Algorithm 3: The proposed algorithm in a OFB mode design: 163.2713 kBs for encryption and 166.0082 kBs for decryption.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
4. Algorithm 4: The AES (Advanced Encryption standard): 56.3263 kBs for the encryption and 39.6523 kBs for decryption. It is clear that our proposed algorithm with its three versions (with CBC, or CFB or OFB design) are faster than the NIST Standard: AES which is used in the SSL encryption.
4.2.
Key Sensitivity
One characteristic of a secure cryptosystem is that two ciphertexts obtained from the same plaintexts but with slightly different keys are totally different [1, Rule 6]. In order to verify this requirement, our cryptosystem is examined using the NCCR (Number of Characters Change Rate) measure which is an analog measure to the NPCR (Number of Pixels Change Rate) in the image processing domain. This is done by searching the smallest difference between two keys such that the two resulting ciphertexts are statistically independent. The Number of Character Change Rate or NCCR is used to measure the number of characters in difference between two text files. Let S(i) and S′ (i) be the (i)th character of two text files S and S′ , respectively. The NCCR can be defined as: NCCR =
∑i D(i) × 100% N
where N is the total number of characters in the text file and D(i) is defined as: 0 i f S(i) = S′ (i) D(i) = 1 i f S(i) 6= S′ (i), Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
(14)
(15)
154
Rhouma Rhouma and Safya Belghith Table 1. Encryption and Decryption Time of Calgary Corpus Files Size (Kb)
Proposed Algorithm
AES
File
paper5 paper4 obj1 paper6 progc paper3 progp paper1 progl paper2 trans geo bib obj2 news pic book2 book1
11.954 13.286 21.504 38.105 39.611 46.526 49.379 53.161 71.646 82.199 93.695 102.400 111.261 246.814 377.109 513.216 610.856 768.771
CBC 0.0801/0.0901 0.0801/0.0801 0.1502/0.1202 0.2403/0.2403 0.2403/0.2303 0.2904/0.2904 0.3004/0.2904 0.3104/0.3305 0.4206/0.4306 0.4907/0.5007 0.5608/0.5708 0.7010/0.6109 0.6710/0.6509 1.6123/1.4521 2.2532/2.2232 3.1445/3.2647 3.6553/3.8255 4.7869/4.6166
CFB 0.0801/0.0801 0.0801/0.0801 0.1302/0.1302 0.2203/0.2403 0.2403/0.2403 0.2804/0.2904 0.2904/0.2904 0.3104/0.3104 0.4206/0.4406 0.4907/4907 0.5408/0.5608 0.7010/0.6009 0.6509/0.6610 1.6023/1.4421 2.2032/2.2332 3.3148/3.2046 3.7854/3.7654 4.6867/4.7869
100
90 CBC CFB OFB
80 70
70 60 NCCR
NCCR
CBC CFB OFB
80
60 50
50
40
40
30
30
20
20
10
10
0 −20 10
−15
−10
10
10
−5
10
0 −20 10
−15
90 CBC CFB OFB
80 70
60
60 NCCR
70
50
70 60
50
50
40
40
40
30
30
30
20
20
20
10
10 −15
−10
10
10
−5
10
Difference in x(0,0)
(c) x00 : Subkey space= 1016
0 −20 10
CBC CFB OFB
80
NCCR
80
100
90
CBC CFB OFB
−5
10
(b) q2 : Subkey space= 1016
100
90
NCCR
10 Difference in q2
(a) q1 : Subkey space= 1016 100
−10
10
Difference in q1
0 −20 10
0.2804/ 0.3205 0.2303/0.4006 0.3906/0.5408 0.6710/ 0.9714 0.7010/0.9814 0.8012/1.1517 0.8713/1.2318 0.9414/1.3519 1.2418/1.7725 1.4421/2.0530 1.6223/2.3434 1.7926/2.5236 1.9428/2.7640 4.2962/6.0787 6.5694/9.2433 8.9429/12.7884 10.6253/15.0416 13.3893/18.8872
100
90
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
OFB 0.0901/0.0901 0.0801/0.0801 0.1402/0.1302 0.2303/0.2303 0.2504/0.2504 0.2804/0.2704 0.3104/0.2904 0.3004/0.3205 0.4206/0.4206 0.4807/4807 0.5408/0.5708 0.6910/0.5908 0.6409/0.6509 1.6023/1.4621 2.1932/2.132 3.1145/3.0744 3.6753/3.6152 4.5766/4.5766
10 −15
−10
10
10
−5
10
Difference in x(0,1)
(d) x01 : Subkey space= 1016
0 −20 10
−15
−10
10
10
(e) x02 : Subkey space= 1014
Figure 8. Measure of the key sensitivity for the three mode of encryptions CBC, CFB and OFB. Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
−5
10
Difference in x(0,2)
Chaos-Based Cryptosystem in Different Modes of Block Encryption
155
In Fig. 8, the results of the examination for the CBC, CFB and OFB modes are offered and they informed that the sensitivity of the ciphertext with respect to the control parameter q1 and q2 ) is around 10−16 (see figure 5(a)-(b)). On the other hand, the sensitivity with respect to the key sequence x00 and x01 was also experimentally measured as 10−16 (see figure 5(c)-(d)). For x02 , the sensitivity is 10−14 (see figure 5(e)).
4.3.
Resistance to Brute Force Attack
The secret key of our cryptosystem is given by the set of values q1 , q2 and the key sequence x00 , x01 and x02 . In order to fulfill the requirements of a complete cryptosystem design, the set of possible values of the secret keys must be carefully detailed [1, Rule 4]. The criterium to specify the key space is based on the concept of key sensitivity [1, Rule 6]. The key sensitivity is the smallest difference between two keys so that the resulting ciphertexts are totally different. As a result, the key space of our cryptosystem is going to be specified through the analysis of the sensitivity with respect to the control parameters (q1 and q2 ) and the key sequence (x00 , x01 and x02 ). From Subsection 4.2, we can derive the key space which is given by κ ≈ (1016 × 1016 ) × (1016 × 1016 × 1014 ) = 1078 , which satisfies the security requirement related to the resistance against brute-force attacks [1, Rule 15].
4.4.
Resistance to Classical Attacks
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
When cryptanalyzing a cryptosystem, the general assumption made is that the opponent knows exactly the design and working of the cryptosystem under study, i.e., he knows everything about the cryptosystem except the secret key. This is an evident requirement in today’s secure communications networks, usually referred to as Kerchoff’s principle [23]. There are four classical types of attacks, we enumerate them ordered from the hardest types of attack to the easiest: 1. Ciphertext only: the opponent possesses a string of ciphertext. 2. Known plaintext: the opponent possesses a string of plaintext and the corresponding ciphertext. 3. Chosen plaintext: the opponent has obtained temporary access to the encryption machinery. Hence he can choose a plaintext string and construct the corresponding ciphertext string. 4. Chosen ciphertext: the opponent has obtained temporary access to the decryption machinery. Hence he can choose a ciphertext string and construct the corresponding plaintext string. In each of these four attacks, the objective is to determine the key k or the keystream Kt that was used. It suffices that one of these attacks is successful to consider an algorithm insecure. We have designed the proposed cryptosystem by applying the next two rules: 1. Use either CBC or CFB or OFB mode in the design of the cryptosystem. Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
156
Rhouma Rhouma and Safya Belghith
2. Make the keystream Kt generation dependent on the cryptosystem key and related to the plaintext. Applying these rules, make the cryptosystem secure against the classical attacks because an eventual attacker cannot obtain useful information by encrypting some special plaintexts since the resultant information is only related to those chosen (or known) plaintexts. When different plaintexts are encrypted, the corresponding keystreams are not the same since the generation of the keystream Kt changes if the plaintext changes by feeding every ciphertext block back as an initial condition of the OCML which will be iterated from that initial condition to generate the next keystream block. The keystream is then never reused when the cryptosystem key is reused, this fact makes the classical attacks meaningless since their core idea is based on guessing the key/keystream Kt having in mind that it never changes if the cryptosystem key doesn’t change.
5.
Conclusion
A cryptosystem was proposed in three different modes of bloc encryption. The use of CBC, CFB or OFB make the cryptosystem sensitive to any change in the plaintext or the keys. Measures have shown the effectiveness of the cryptosystem and its robustness against the most common attacks. A comparison between the cryptosystem and AES make believe that our cryptosystem is a favorite candidate to be used in real time secure communication.
References
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
[1] G. Alvarez and S. Li. Some basic cryptographic requirements for chaos−based cryptosystems. Int. J. Bifurc. Chaos, 16:2129−−2151, 2006. [2] G. Alvarez and Shujun Li. Cryptanalyzing a nonlinear chaotic algorithm (nca) for image encryption. Communications in Nonlinear Science and Numerical Simulation, 14:3743−−3749, 2009. [3] M. Amin, O. S. Faragallah, and A. A. Abd ElLatif. A chaotic block cipher algorithm for image cryptosystems. Communications in Nonlinear Science and Numerical Simulation, 15:3484−−3497, 2010. [4] D. Arroyo, G. Alvarez, J. M. Amigo, and S. Li. Cryptanalysis of a family of self−synchronizing chaotic stream ciphers. Communications in Nonlinear Science and Numerical Simulation, 16:805−−813, 2011. [5] A. Cheddad, J. Condell, K. Curran, and P. Mckevitt. A hash−based image encryption algorithm. Optics Communications, 283:879−−893, 2010. [6] Corpus. Available: ftp://ftp.cpsc.ucalgary.ca/pub/projects/text.compression.corpus. [7] W. F. Ehrsam, C. H. W. Meyer, J. L. Smith, and W. L. Tuchman. Message verification and transmission error detection by block chaining. US Patent, 4074066, 1976. Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Chaos-Based Cryptosystem in Different Modes of Block Encryption
157
[8] V. Guglielmi, P. Pinel, D. Fournier-Prunaret, and A.-K. Taha. Chaos−based cryptosystem on dsp. Chaos Soliton Fract, 42:2135−−2144, 2009. [9] H. Hermassi, R. Rhouma, and S. Belghith. Joint compression and encryption using chaotically mutated huffman trees. Communications in Nonlinear Science and Numerical Simulation, 15(10):2987−−2999, 2010. [10] A.P. Kurian and S. Puthusserypady. Self−synchronizing chaotic stream ciphers. Signal Processing, 88:2442−−2452, 2008. [11] C. Li, S. Li, G. Chen, and W. A. Halang. Cryptanalysis of an image encryption scheme based on a compound chaotic sequence. Image and Vision Computing, 27:1035−−1039, 2009. [12] C. Li, S. Li, and K.-T. Lo. Breaking a modified substitution−diffusion image cipher based on chaotic standard and logistic maps. Communications in Nonlinear Science and Numerical Simulation, 16:837−−843, 2011. [13] C. Li and K.-T. Lo. Optimal quantitative cryptanalysis of permutation−only multimedia ciphers against plaintext attacks. Signal Processing, 91:949−−954, 2011. [14] Nist. Recommendation for block cipher modes of operation. NIST Special Publication, 800−38A, 2001.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
[15] V. Patidar, N. Pareek, and K. Sud. Modified substitution diffusion image cipher using chaotic standard and logistic maps. Communications in Nonlinear Science and Numerical Simulation, 14:2755−−2765, 2010. [16] V. Patidar, N. K. Pareek, and K. K. Sud. A new substitution diffusion based image cipher using chaotic standard and logistic maps. Commun Nonlinear Sci Numer Simulat, 14:3056−−3075, 2009. [17] R. Rhouma and S. Belghith. Cryptanalysis of a chaos−based cryptosystem on dsp. Communications in Nonlinear Science and Numerical Simulation, 16:876−−884, 2011. [18] R. Rhouma, S. Meherzi, and S. Belghith. ocml based colour image encryption. Chaos, Solitons and Fractals, 40(1):309−−318, 2009. [19] R. Rhouma, E. Solak, D. Arroyo, S. Li, G. Alvarez, and S. Belghith. Comment on "modified baptista type chaotic cryptosystem via matrix secret key". Physics Letters A, 373:3398−−3400, 2009. [20] R. Rhouma, E. Solak, and S. Belghith. Cryptanalysis of a new substitution−diffusion based image cipher. Communications in Nonlinear Science and Numerical Simulation, 15:1887−−1892, 2010. [21] G. Chen S. Li and X. Mou. On the dynamical degradation of digital piecewise linear chaotic maps. Int. J. Bifurc. Chaos, 15(10):3119−−3151, 2005. Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
158
Rhouma Rhouma and Safya Belghith
[22] E. Solak and C. Cokal. Algebraic break of image ciphers based on discretized chaotic map lattices. Information Sciences, 181:227−−233, 2011. [23] D.R. Stinson. Cryptography: Theory and Practice. CRC Press, Boca Raton, FL, 1995. [24] G. Tang, S. Wang, H. L?, and G. Hu. Chaos−based cryptograph incorporated with s−box algebraic operation. Phys. Lett. A, 318:388−−398, 2003. [25] M. Usama, M. K. Khan, K. Alghathbar, and C. Lee. Chaos−based secure satellite imagery cryptosystem. Computers and Mathematics with Applications, 60:326−−337, 2010. [26] S. Wang, J. Kuang, J. Li, Y. Luo, H. Lu, and G. Hu. Chaos−based secure communications in a large community. Phys. Rev. Lett. E, 66 (065202):1−−4, 2002. [27] Y. Wang, K.-W. Wong, X. Liao, and G. Chen. A new chaos−based fast image encryption algorithm. Appl. Soft Comput. J., 11:514−−522, 2011. [28] Wikipidea. Block cipher modes of operation. Available at: http://en.wikipedia. org/wiki/Block-cipher-modes-of-operation. [29] K.-W. Wong and C.-H. Yuen. Embedding compression in chaos-based cryptography. IEEE Transactions on circuits and Systems II: Express Briefs, 55(11):1193−−1197, 2008.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
[30] G. Ye. Image scrambling encryption algorithm of pixel bit based on chaos map. Pattern Recognition Letters, 31:347−−354, 2010. [31] J. W. Yoon and H. Kim. An image encryption scheme with a pseudorandom permutation based on chaotic maps. Communications in Nonlinear Science and Numerical Simulation, doi:10.1016/j.cnsns.2010.01.041, 2010.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
In: Cryptography: Protocols, Design and Applications ISBN: 978-1-62100-779-1 c 2012 Nova Science Publishers, Inc. Editors: K. Lek and N. Rajapakse, pp. 159-186
Chapter 6
T HE M ATHEMATICAL C RYPTOGRAPHY RSA C RYPTOSYSTEM
OF THE
Abderrahmane Nitaj∗ Laboratoire de Math´ematiques Nicolas Oresme, Universit´e de Caen, France
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Abstract Invented in 1977 by Rivest, Shamir and Adleman, the RSA cryptosystem has played a very important role in the development of modern cryptography. Its various applications in industry, Internet, banking, online shopping, cell phones, smart cards, secure information transfers and electronic signatures have made RSA a standard at the heart of modern technologies. This chapter explores the mathematics behind the RSA cryptosystem including the encryption, decryption and signature schemes of RSA. We give a survey of the main methods used in attacks against the RSA cryptosystem. This includes the main properties of the continued fraction theory, lattices, the LLL algorithm of Lenstra, Lenstra and Lov´asz and the lattice reduction based technique of Coppersmith for solving modular polynomial equations.
1.
Introduction
The concept of the public-key cryptosystem was proposed by Diffie and Hellman [5] in 1976. Since then, a number of public-key cryptosystems have been proposed to realize the notion of public-key cryptosystems. At the moment some of them are present in industrial standards. In 1977, Ronald Rivest, Adi Shamir and Leonard Adleman [10] proposed a scheme which became the most widely used asymmetric cryptographic scheme, RSA. For instance, the RSA public-key cryptosystem is used for securing web traffic, e-mail, remote login sessions, and electronic credit card payment systems. The underlying one-way function of RSA is the integer factorization problem: Multiplying two large primes is computationally easy, but factoring the resulting product is very hard. It is also well known that the security of RSA is based on the difficulty of solving the so-called RSA problem: Given an RSA public key (e, N ) and a ciphertext c ≡ me (mod N ), compute ∗
E-mail address: [email protected]
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
160
Abderrahmane Nitaj
the plaintext m. The RSA problem is not harder to solve than the integer factorization problem, because factoring the RSA modulus N leads to computing the private exponent d, and to solving the RSA problem. However, it is not clear, if the converse is true. In the RSA cryptosystem, the public modulus N = pq is a product of two primes of the same bit size. The public and private exponent e and d satisfy the congruence
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
ed ≡ 1 (mod φ(N )), where φ(N ) = (p − 1)(q − 1) is the Euler totient function. Encryption, decryption, signature and signature-verification in RSA require the computation of heavy exponentiations. To reduce the encryption time or the signature-verification time, one can use a small public exponent e such as 3 or 216 + 1. On the other hand, to reduce the decryption time or the signature-generation time, one can be tempted to use a small private exponent d. Many attacks show that using a very small private exponent is insecure. Indeed, Wiener [12] showed in 1990 how to break RSA when d < N 0.25 using Diophantine approximations. The bound was improved by Boneh and Durfee [2] in 1999 to d < N 0.292 using Coppersmith’s lattice reduction based method [4]. In this chapter, we survey the state of research on RSA cryptography. We start from reviewing the basic concepts of RSA encryption, decryption, signature and signatureverification schemes, and subsequently review some algebraic attacks on RSA using elementary methods as well as tools from the theory of continued fractions and lattices. This includes the lattice reduction algorithm LLL of Lenstra, Lenstra and Lov´asz [8] and the technique of Coppersmith for solving univariate modular polynomial equations [4]. The rest of the paper is structured as follows. In section 2 we will introduce the basic mathematics behind the RSA cryptosystem including the encryption, decryption and signature schemes as well as some elementary attacks on the RSA cryptosystem. In Section 3, we review the theory of the continued fractions and present two applications in the cryptanalysis of RSA. In Section 4, we focus on lattices and their reduction using the LLL algorithm and review Coppersmith’s method for finding small modular roots of univariate polynomial equations and some applications in the cryptanalysis of RSA. We conclude in section 5.
2.
The Mathematics of the RSA Cryptosystem
2.1.
The Basic Mathematics
The elementary arithmetic of the RSA cryptosystem is based on the rings N, Z and ZN = Z/N Z. Definition 2.1 (Division Algorithm for Integers). Let a, b ∈ Z with b > 1. Then there exist unique q, r ∈ Z such that a = bq + r, 0 ≤ r < b. If r = 0, we say that b divides a and denote this by b|a. Definition 2.2 (Greatest common divisor). Let a, b ∈ Z. A positive integer d is the greatest common divisor of a and b if 1. d|a and d|b,
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
The Mathematical Cryptography of the RSA Cryptosystem
161
2. if c is a positive integer satisfying c|a and c|b, then c|d. The greatest common divisor of a and b is denoted by gcd(a, b). Primality and Coprimality play a central role in the arithmetic of the RSA cryptosystem. Definition 2.3 (Prime Integer). An integer p ≥ 2 is said to be prime if its only positive divisors are 1 and p. Definition 2.4 (Relatively Prime Integers). Two integers a and b are said to be relatively prime or coprime if gcd(a, b) = 1. Definition 2.5 (RSA Modulus). Let p and q be large prime numbers such that p 6= q. The product N = pq is called an RSA modulus. In the most standards of RSA, the modulus is a large integer of the shape N = pq where p and q are large primes of the same bit-size. It is clear that the most direct method of breaking RSA is to factor the RSA modulus N . Consequently, the security of RSA is mainly based on the difficulty of factoring large integers. Theorem 2.1 (The Fundamental Theorem of Arithmetic). Given a positive integer n ≥ 2, the prime factorization of n is written n = pa11 pa22 · · · pakk =
k Y
pai i ,
i=1
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
where p1 , p2 , . . . , pk are the k distinct prime factors of n, each of order ai ≥ 1. Furthermore, the factorization is unique. A very important number theoretical function in the RSA cryptosystem is the Euler totient function. Definition 2.6 (The Euler Totient Function). Given a positive integer n ≥ 2, the Euler totient function φ(n) is defined by φ(n) = #Z∗n = # a, 0 < a < n, gcd(a, n) = 1 . The set Z∗n is called the group of units modulo n.
It is easy to see that φ(p) = p − 1 whenever p is prime. The Euler totient function has many useful properties. Theorem 2.2. Let m and n two positive integers such that gcd(m, n) = 1. Then φ(mn) = φ(m)φ(n). Proof. Suppose that gcd(m, n) = 1. Consider the map π : Zmn [x]mn
−→ 7−→
Zm × Zn , [x]m , [x]n ,
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
162
Abderrahmane Nitaj
where [x]a denotes x modulo a. We want to show that π is bijective. Let x, y ∈ Zmn such that π(x) = π(y). Then [x]m = [y]m ⇐⇒ [x − y]m = 0 ⇐⇒ x − y ≡ 0 (mod m). Similarly, we get x − y ≡ 0 (mod n). Since gcd(m, n) = 1, this implies that x − y ≡ 0 (mod mn). On the other hand, |x − y| < mn. Hence x − y = 0 and x = y. This shows that π is injective. To show that π is surjective, let (a, b) ∈ Zm × Zn . Define M ∈ Zn , N ∈ Zm and x ∈ Zmn by M ≡ m−1
N ≡ n−1
(mod n),
(mod m),
x ≡ aN n + bM m
(mod mn).
Then x ≡ aN n + bM m ≡ aN n ≡ a (mod m), x ≡ aN n + bM m ≡ bM m ≡ b
(mod n).
It follows that the map π is surjective and finally bijective. Moreover, we have gcd(a, mn) = 1 if only if gcd(a, m) = 1 and gcd(a, n) = 1. This implies that π (Z∗mn ) = Z∗mn × Z∗mn . Then φ(mn) = φ(m)φ(n). Theorem 2.3. Let p be a prime number and e ≥ 1. Then φ (pe ) = pe−1 (p − 1).
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Proof. We have φ (pe ) = # a, 0 < a < pe , gcd(a, pe ) = 1 = # a, 0 < a < pe , gcd(a, p) = 1 = pe − # a, 0 < a < pe , gcd(a, p) > 1 .
Notice that # {a, 0 < a < pe , gcd(a, p) > 1} is the number of positive integers not exceeding pe that are not coprime to p. Such integers are p, 2p,. . . , pe−1 p. Hence φ (pe ) = pe − pe−1 = pe−1 (p − 1), which terminates the proof. If the factorization of n is given, then φ(n) can be expressed as in the following theorem. Theorem 2.4. Let n=
k Y
pai i ,
i=1
be the factorization of n ≥ 2. Then φ(n) =
k Y
piai −1 (pi − 1).
i=1
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
The Mathematical Cryptography of the RSA Cryptosystem
163
Proof. Using Theorem 2.2 and Theorem 2.3, we get k Y
φ(n) = φ
pai i
!
=
i=1
k Y
φ (pai i ) =
i=1
k Y
piai −1 (pi − 1).
i=1
As we will see later, the decryption process of RSA is based on the following result. Theorem 2.5 (Euler). Let n be a positive integer. If a is an integer such that gcd(a, n) = 1, then aφ(n) ≡ 1 (mod n). Proof. Recall that φ(n) = #Z∗n where Z∗n = a1 = 1 < a2 < · · · < aφ(n) . Suppose that gcd(a, n) = 1 and consider the set
aa1
(mod n), aa2
(mod n) .
(mod n), . . . , aaφ(n)
If aai ≡ aaj (mod n) for some i, j, then a(ai − aj ) ≡ 0 (mod n). Since gcd(a, n) = 1, then ai − aj ≡ 0 (mod n) and since |ai − aj | < n, then ai = aj . Hence
a1 , a2 , . . . , aφ(N ) = aa1
(mod n), aa2
(mod n), . . . , aaφ(N )
(mod n) .
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Next, consider the product of the integers in both sides. We get φ(n)
φ(n)
Y
Y
ai =
i=1
φ(n)
(aa1
φ(n)
(mod n)) ≡ a
i=1
Y
ai
(mod n).
i=1
Since each ai satisfies gcd(ai , n) = 1, then gcd n,
φ(n) Q i=1
we get
φ(n) Q ai , ai = 1. Simplifying by i=1
aφ(n) ≡ 1 (mod n). Let a, e and n be positive integers. A practical concern in implementing RSA and many cryptographic protocols is the computation of ae (mod n). Suppose that the binary representation of e is k X 2i ei , ei ∈ {0, 1}. e= i=0
Then
ae = · · ·
(aek )2 aek−1
2
aek−2
2
aek−3
!2
2
· · · ae0 .
We summarize the modular exponentiation in Algorithm 1. Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
164
Abderrahmane Nitaj
Algorithm 1 Square-and-multiply algorithm for exponentiation in Zn INPUT: a ∈ Zn and an integer 0 < e < n whose binary representation is e = OUTPUT: b ≡ ae (mod n). 1: Set b = 1. 2: for i from k down to 0 do 3: Compute b ≡ b2 (mod n). 4: if ei = 1 then 5: Compute b ≡ ba (mod n). 6: end if 7: end for 8: Print b and stop.
2.2.
k P
2i ei .
i=0
The Basic RSA Cryptosystem
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
The RSA cryptosystem was created in 1977 by Ronald Rivest, Adi Shamir and Leonard Adleman [10]. It has become fundamental to e-commerce and is widely used to secure communication in the Internet and ensure confidentiality and authenticity of e-mail. The RSA cryptosystem is based on the generation of two random primes, p and q, of equal bit-size and the generation of random exponents, d and e satisfying ed ≡ 1 (mod φ(N )) where φ(N ) = (p − 1)(q − 1) is Euler’s totient function. The RSA modulus N is the product N = pq. The pair n and e are made public and p, q, d are secret. The integer e is sometimes called the public exponent and d the private exponent. The generation process is illustrated in Algorithm 2. The pair (N, e) is often called the public key and (N, d) the private key. Algorithm 2 : Standard RSA key generation INPUT: A number k of bits of the primes. OUTPUT: A public key (N, e) and a private key (N, d). 1: 2: 3: 4: 5: 6: 7:
Pick random primes p and q of bit-size k. Set N = pq and φ(N ) = (p − 1)(q − 1). repeat Pick a random integer e < φ(N ), until gcd(e, φ(N )) = 1. Compute d ≡ e−1 (mod φ(N )). Return (N, e) and (N, d).
Now, we describe the encryption, decryption and the signature schemes of the RSA cryptosystem. • RSA Encryption INPUT: The public key (N, e) and the plaintext message m. OUTPUT: The cyphertext c. 1. Represent the message as an integer m < N such that gcd(m, N ) = 1.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
The Mathematical Cryptography of the RSA Cryptosystem
165
2. Compute c ≡ me (mod N ). 3. Return c. • RSA Decryption INPUT: The private key (N, d) and the cyphertext c. OUTPUT: The plaintext message m. 1. Compute m ≡ ce (mod N ). 2. Return m. • RSA Signature INPUT: The public key (NA , eA ), the private key (NB , dB ), and the plaintext message m. OUTPUT: The cyphertext c and the signature S. 1. Compute c ≡ meA (mod NA ). 2. Compute S ≡ cdB (mod NB ). 3. Return c and S. • RSA Signature Verification INPUT: The private key (NA , dA ), the public key (NB , eB ), cyphertext c and the signature S. OUTPUT: The cyphertext c and the signature S.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
1. Compute S ′ ≡ S eB (mod NB ). 2. Return c and S ′ . The signature is verified if S ′ = c. To show that encryption and decryption are inverse operations, recall that ed ≡ 1 (mod φ(N )). Therefore ed = 1 + kφ(N ), for some positive integer k. Hence k cd ≡ med ≡ m1+kφ(N ) = m × mφ (N ) ≡ m (mod n), where we used Euler’s Theorem 2.5.
2.3.
Elementary Attacks on RSA
It is well known that most successful attacks on RSA, are not based on factoring the modulus N . Rather, they exploit the mathematical weakness of the RSA algorithm or the improper use of the RSA system, such as lower exponents, common modulus, and knowledge of parts of the private exponent. We shall study here two elementary attacks on the RSA system. Let N = pq be an RSA modulus with q < p < 2q. Suppose that an adversary knows the Euler totient function φ(N ) in addition to N . Then he can easily break the RSA system.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
166
Abderrahmane Nitaj
Proposition 2.6. Let N = pq be an RSA modulus. Suppose that φ(N ) is known. Then one can factor N . Proof. Suppose that N = pq and φ(N ) are known. Consider the equations in p, q ( pq = N, p + q = N + 1 − φ(N ). Then, eliminating q, we get p2 − (N + 1 − φ(N ))p + N = 0. This leads to the solutions p (N + 1 − φ(N ))2 − 4N p= , p 2 N + 1 − φ(N ) − (N + 1 − φ(N ))2 − 4N q= . 2 N + 1 − φ(N ) +
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Another well known attack on RSA makes use of the Fermat method for factoring. suppose that p and q are too close, namely |p − q| < cN 0.25 for some small constant c. de Weger [11] showed in 2002 that Fermat’s factoring method could find the primes p and q. Theorem 2.7. Let N = pq be an RSA modulus with |p − q| < cN 1/4 where c is a positive constant. Then one can factor N in time polynomial in c. Proof. Fermat’s method consists in finding two integers x, y such that 4N = x2 − y 2 = (x + y)(x − y). If x − y 6= 2, then the factorization of N is given by p=
x+y , 2
q=
x−y . 2
To find x, y, we consider the sequence of candidates for x defined by h √ i xi = 2 N + i,
q yi = x2i − 4N , i = 0, 1, . . . , k,
where [x] is the integral part of x. We stop the process when x2k − 4N is a perfect square. k k Since p = xk +y and q = xk −y , then xk = p + q. Now, suppose that |p − q| < cN 1/4 . 2 2 Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
The Mathematical Cryptography of the RSA Cryptosystem
167
Then h √ i k = xk − 2 N h √ i =p+q− 2 N √ 0, hence f N 2 ≤ 1 1 f (p) ≤ f 2 2 N 2 and √ 1 3 2 1 2N 2 < p + q < N 2. 2 This terminates the proof.
3.
Diophantine Approximations
In this section we introduce the basics of continued fractions and see how they arise out from attacking the RSA cryptosystem in some cases. For a general background we refer to [6] and [3].
3.1.
Continued Fractions
Let x ∈ R such that ⌊x⌋ 6= x where ⌊x⌋ is the integral part of x. Write x0 = x and x0 = a0 +
1 , x1
where a0 = ⌊x0 ⌋ and x1 > 1. If x1 6= 0, then write x1 = a1 +
1 , x2
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
where a1 = ⌊x1 ⌋ and x2 > 1. Next, if x2 6= 0, then write x2 = a2 +
1 , x3
where a2 = ⌊x2 ⌋ and x3 > 1. Observe that x = a0 +
1 = a0 + x1
1 1 a1 + x2
1
= a0 +
.
1
a1 +
a2 +
1 x3
Alternatively, one may write x = [a0 , a1 , a2 , x3 ]. Definition 3.1 (Continued Fraction Expansion). The continued fraction representation of a real number x will be denoted by x = [a0 , a1 , . . . , am ] where 1
[a0 , a1 , . . . , am ] = a0 + a1 +
,
1 ··· +
1 am
and m may be infinite. All ai , called partial quotients, are positive integers, except for a0 which may be any integer. Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
The Mathematical Cryptography of the RSA Cryptosystem
169
Definition 3.2 (Convergent). Let x ∈ R with x = [a0 , a1 , . . . , am ]. For 0 ≤ n ≤ m, the nth convergent of the continued fraction expansion of x is [a0 , a1 , . . . , an ]. Proposition 3.1. For each n ≥ 0, define integers pn and qn as follows: p−2 = 0, q−2 = 1,
p−1 = 1, pn = an pn−1 + pn−2 , q−1 = 0,
qn = an qn−1 + qn−2 .
Then, for 0 ≤ n ≤ m, the nth convergent of the continued fraction expansion of x is [a0 , a1 , . . . , an ] = pqnn . Proof. We use induction. We have p0 = a0 p−1 + p−2 = a0 and q0 = a0 q−1 + q−2 = 1 so that p0 [a0 ] = . q0 Suppose the proposition is true for n − 1, that is [a1 , a2 , a3 , . . . , an−1 ] =
an−1 pn−2 + pn−3 . an−1 qn−2 + qn−3
Then
1 [a0 , a1 , a2 , . . . , an−1 , an ] = a0 , a1 , a2 , . . . , an−1 + an an−1 + a1n pn−2 + pn−3 = an−1 + a1n qn−2 + qn−3
(an−1 an + 1) pn−2 + an pn−3 (an−1 an + 1) qn−2 + an qn−3 an (an−1 pn−2 + pn−3 ) + pn−2 = an (an−1 qn−1 + qn−3 ) + qn−2 an pn−1 + pn−2 = an qn−1 + qn−2 pn = , qn
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
=
Hence the proposition is true for n. Proposition 3.2. For −2 ≤ n ≤ m − 1, we have pn qn+1 − qn pn+1 = (−1)n+1 . Proof. We use induction. For n = −2, we have p−2 q−1 − q−2 p−1 = −1 = (−1)−2+1 . Assume that pn−1 qn − qn−1 pn = (−1)n . Using Proposition 3.1 for n + 1, we get pn qn+1 − qn pn+1 = pn (an+1 qn + qn−1 ) − qn (an+1 pn + pn−1 ) = pn qn−1 − qn pn−1 = −(−1)n = (−1)n+1 , which terminates the proof.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
170
Abderrahmane Nitaj As a consequence, we easily get the following result.
Proposition 3.3. For 0 ≤ n ≤ m, the fraction 1.
pn qn
is in lowest terms, that is gcd(pn , qn ) =
Proof. By Proposition 3.2, for 0 ≤ n ≤ m − 1, we have pn qn+1 − qn pn+1 = (−1)n+1 , then gcd(pn , qn ) = 1 and gcd(pn+1 , qn+1 ) = 1. The following result is a direct consequence of Proposition 3.1 and Proposition 3.2. Corollary 3.4. For n ≥ 0, let Then
pn qn
be a convergent of the continued fraction expansion of x.
(a) (qn x − pn )(qn+1 x − pn+1 ) < 0. (b) |qn+1 x − pn+1 | < |qn x − pn |. Proof. (a) Write x = [a1 , a2 , a3 , . . . , an , xn+1 ] = [a0 , a1 , a2 , . . . , an+1 , xn+2 ] where xn+1 = [an+1 , . . . ] and xn+2 = [an+2 , . . . ]. For n ≥ 0, we have x−
pn xn+1 pn + pn−1 pn pn−1 qn − pn qn−1 (−1)n = − = = . qn xn+1 qn + qn−1 qn qn (xn+1 qn + qn−1 ) qn (xn+1 qn + qn−1 )
Hence
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
qn x − pn =
(−1)n , xn+1 qn + qn−1
qn+1 x − pn+1 =
(−1)n+1 . xn+2 qn+1 + qn
It follows that (qn x − pn )(qn+1 x − pn+1 ) < 0. (b) To show |qn x − pn | > |qn+1 x − pn+1 |, write xn+1 = an+1 + Then an+1 < xn+1 < an+1 + 1.
1 xn+2
with xn+2 > 1.
Hence xn+1 qn + qn−1 < (an+1 + 1)qn + qn−1 = qn+1 + qn < xn+2 qn+1 + qn , which leads to
1 1 > . xn+1 qn + qn−1 xn+2 qn+1 + qn
We get finally |qn x − pn | > |qn+1 x − pn+1 |, which terminates the proof. Theorem 3.5. For n ≥ 0, let pqnn be a convergent of the continued fraction expansion of x. Let pq be a rational number with gcd(p, q) = 1. (a) If q < qn+1 , then |qn x − pn | ≤ |qx − p|. (b) If q ≤ qn , then x − pqnn ≤ x − pq .
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
The Mathematical Cryptography of the RSA Cryptosystem
171
Proof. (a) Assume 0 < q < qn+1 . To show |qn x − pn | ≤ |qx − p|, write p and q as p = apn + bpn+1 , q = aqn + bqn+1 , where a = (−1)n+1 (pqn+1 − qpn+1 ),
b = (−1)n+1 (qpn − pqn ).
Since q < qn+1 , then the expression of q implies that ab < 0. On the other hand, we have qx − p = (−1)n+1 (aqn + bqn+1 )x − (−1)n+1 (apn + bpn+1 ) = (−1)n+1 a(qn x − pn ) + (−1)n+1 b(qn+1 x − pn+1 ). Observe that, using Corollary 3.4, the product of the terms gives ab(qn x − pn )(qn+1 x − pn+1 ) > 0. Then |qx − p| = |a(qn x − pn )| + b(qn+1 x − pn+1 ) ≥ |qn x − pn |,
and the first assertion follows. To prove (b), assume that q ≤ qn . Then x − pn = |qn x − pn | ≤ |qx − p| = x − qn qn q Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
which proves the second assertion.
p , q
In 1798 Legendre proved the following result. This is the main result from the theory of continued fractions that we use to attack RSA. Theorem 3.6. Let x ∈ R and x = ab with gcd(a, b) = 1. If
then
p q
p q
be a rational fraction such that gcd(p, q) = 1 and q < b if x −
1 p < 2, q 2q
is a convergent of the continued fraction expansion of x. p q
be a rational number with gcd(a, b) = 1. Let pqnn be a convergente of x such that qn ≤ q < qn+1 . Suppose that x − pq < 2q12 . Using Theorem 3.5, we get Proof. Let
Hence
p pn p − = − x + x − pn ≤ p − x + x − pn ≤ 2 x − q qn q qn q qn |pqn − pn q|
q 2 , and q < N . Expanding φ(N ) = (p − 1)(q − 1), we get √ N − φ(N ) = p + q − 1 < 2q + q − 1 < 3q < 3 N . On the other hand, since ed ≡ 1 (mod φ(N )), then ed = kφ(N ) + 1, for some positive integer k and, since e < φ(N ), it satisfies
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
k=
ed ed − 1 < < d. φ(N ) φ(N )
√ Using N − φ(N ) < 3 N , we have e k − = |ed − kN | N d Nd |ed − kφ(N ) − kN + kφ(N )| = Nd |1 − k(N − φ(N ))| = Nd k(N − φ(N )) < √ Nd 3k N < Nd 3k = √ . d N 1
Using k < d < 31 N 4 , we get 1
1 1 3k N4 1 √ < √ = < 2. 1 < 2 3d 2d d N d N dN 4 Hence Ne − kd < 2d12 and therefore, from Theorem 3.6, it follows that kd is one of the convergents in the continued fraction expansion of Ne . Notice that the continued fraction algorithm gives the convergents in polynomial time. Using this convergent, we get ed − 1 , k which, by Proposition 2.6, leads to the factorization of N . φ(N ) =
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
The Mathematical Cryptography of the RSA Cryptosystem
173
The bounds on the private exponent can be increased considerably when there are three instances of RSA, having the same modulus, with small private exponents. As described in [7], an unpublished attack by Guo can be used to factor the modulus when the private 1 exponents are each smaller than N 3 . Theorem 3.8 (Guo). Let N = pq be an RSA modulus. Consider three instances of RSA with a common modulus N and public exponents e1 , e2 , e3 satisfying e1 d1 ≡ 1
(mod φ(N )),
e2 d2 ≡ 1 (mod φ(N )),
e3 d3 ≡ 1 (mod φ(N )).
If all the ki and di are pairwise relatively prime and di < N then factor N can be factored in polynomial time.
1 −ε 3
for i = 1, 2, 3, with ε > 0,
Proof. Transforming the three congruences ei di ≡ 1 (mod φ(N )), i = 1, 2, 3 to equations, we get e1 d1 = 1 + k1 φ(N ),
e2 d2 = 1 + k2 φ(N ),
e3 d3 = 1 + k3 φ(N ),
where k1 , k2 , k3 are positive integers. Removing φ(N ), we get the system e1 d1 k2 − e2 d2 k1 = k2 − k1 , e1 d1 k3 − e3 d3 k1 = k3 − k1 , e2 d2 k3 − e3 d3 k2 = k3 − k2 . Dividing the first equation by d1 k2 e2 , we get e1 d2 k1 |k2 − k1 | − e2 d1 k2 = d1 k2 e2 .
|k2 −k1 | 1 d1 k2 e2 < 2(d1 k2 )2 , Theorem 3.6 implies expansion of ee12 . The last condition leads to
Under the conditions gcd(d2 k1 , d1 k2 ) = 1 and
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
that
d2 k1 d1 k2
is a convergent of the continued d1
mδ − 1. Replacing x by Xx in the rows i = m, m − 1, . . . , 1 of the table (7) and in the sequence (8) and expressing in the basis 1, x, x2 , . . . , xmδ+t−1 , we get a sequence of matrices of the shape
Mm =
Nm
N mX ..
. N m X δ−1
− − − − − − Mm−1 = − − − − − − .. .. .=. − − ··· − − ··· M1 = − − ··· − − ··· − − ··· − − ··· M0 = − − ··· − − ··· Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
,
− N m−1 X δ − − N m−1 X δ+1 − −
− −
..
. − N m−1 X 2δ−1
− −
,
− N X (m−1)δ − − N X (m−1)δ+1 − −
− −
..
. − N X (m−1)δ+δ−1
− −
− X mδ − − X mδ+1 − −
− −
− −
..
. − X mδ+t−1
,
.
Gathering the matrices, we get a triangular matrix of the form Mm Mm−1 .. M = , . M1 M0
(9)
which generates a lattice L. Obviously, we have 1
1
det(L) = N mδ · N (m−1)δ · · · N δ X 1+2+···+n−1 = N 2 m(m+1)δ X 2 n(n−1) , where n = mδ + t. Using the LLL-algorithm, we can find a small element in L that corresponds to a polynomial h(x) satisfying (d) of Theorem 4.5, namely kh(xX)k ≤ 2
n−1 4
1
det(L) n = 2
n−1 4
N
m(m+1)δ 2n
1
X 2 (n−1) .
In order to apply Theorem 4.6 on h(x), it is sufficient that kh(xX)k ≤ satisfied if m(m+1)δ n−1 1 bm 2 4 N 2n X 2 (n−1) < √ . n Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
bm √ n
, holds. This is
182
Abderrahmane Nitaj
Plugging b > N β , we find 2
n−1 4
N
m(m+1)δ 2n
1 N mβ X 2 (n−1) < √ . n
Solving for X, we get 1
−1
X < 2− 2 n n−1 N
2mnβ−m(m+1)δ n(n−1)
.
Consider the exponent of N as a polynomial in m. The exponent is maximal for m=
2nβ − δ , 2δ
which leads to the bound 1
−1
X < 2− 2 n n−1 N
β2 β2 β δ + (n−1)δ + 4n(n−1) − n−1 δ
.
This can be rewritten as 1
X < 2− 2 N
β2 −ε δ
,
where ε=
β β2 δ log n + − − . (n − 1) log N n − 1 (n − 1)δ 4n(n − 1)
Observe that ε depends on n and satisfies lim ε = 0. Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
n→+∞
Theorem 4.7 has various applications in cryptography. We will now present an attack on RSA - also due to Coppersmith - that finds the factorization of N = pq, provided that one knows half of the bits of one of the factors. Theorem 4.8. Let N = pq be an RSA modulus with p > q. If p˜ is an approximation of p with 1
|˜ p − p| < N 4 , then N can be factored in polynomial time in log N . 1
Proof. Suppose we know an approximation p˜ of p with |˜ p − p| < N 4 . Consider the polynomial fp (x) = x + p˜. Then fp (p − p˜) = p ≡ 0 mod p. Hence, x0 = p − p˜ satisfies fp (x0 ) ≡ 0 mod p,
1
|x0 | < N 4 .
1
Since p > N 2 , one can then apply Theorem 4.7 with b = p, fp (x) = x + p˜, δ = 1 and β = 21 . This gives explicitly x0 which leads to p = x0 + p˜. Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
The Mathematical Cryptography of the RSA Cryptosystem
183
In 2004, Bl¨omer and May [1] improved upon Wiener’s result by showing that every public exponent e satisfying an equation ex − kφ(N ) = y with suitable bounds for x and y yields the factorization of N . The Bl¨omer-May attack makes use of Coppersmith’s method, namely Theorem 4.8. Theorem 4.9. Let c ≤ 1 and let (N, e) be an RSA public key tuple with N = pq and 1 p − q ≥ cN 2 . Suppose that e satisfies an equation ex − kφ(N ) = y with 1 1 0 < x ≤ N 4, 3
3
and |y| ≤ cN − 4 ex.
Then N can be factored in polynomial time. Proof. Rewrite the equation ex − kφ(N ) = y as ex − kN = y − k(p + q − 1). Dividing by N x, we get e − k = |y − k(p + q − 1)| . (10) N x Nx 3
Next, suppose |y| ≤ cN − 4 ex and e < φ(N ). Then k=
ex + 14 ex ex − y ex + |y| 5 < < < x. φ(N ) φ(N ) φ(N ) 4
Combining with Proposition 2.9 and using e < N , this implies an upper bound for |y − k(p + q − 1)| as follows
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
|y − k(p + q − 1)| ≤ |y| + k(p + q − 1) ≤ |y| + k(p + q) 1 3 5 ≤ cN − 4 ex + x × 3N 2 4 3 15 1 N2 x = cN − 4 ex + 4 1 15 1 N2 x < cN 4 x + 4 1 < 4N 2 x, for sufficiently large N . Plugging in (10), we get
If x satisfies 0 < x ≤
1 3
1
1 e 2 − k < 4N x = 41 . N x Nx N2
N 4 , then
the continued fraction expansion
4
1
N2 of Ne
> = . φ(N ) φ(N ) φ(N ) 4φ(N )
This implies the following upper bound for
|y| k
3
3 1 4 |y| cN − 4 ex 4 < 3 φ(N ) = cN − 4 φ(N ) < cN 4 , k 3 3 4 ex
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
where we used φ(N ) < N . Hence, using (11), we see that N − ex k +1 is is an approximation 1 |y| 4 of p + q up to an error term k < 3 cN 4 which can be transformed into an approximation p of p − q. Indeed, setting s = N − ex |s2 − 4N |, we have k + 1 and t = (p − q)2 − t2 |p − q − t| = p−q+t (p − q)2 − s2 − 4n = p−q+t (p − q)2 − s2 − 4n ≤ p−q+t (p − q)2 + 4n − s2 = p−q+t (p + q)2 − s2 = p−q+t |p + q − s| (p + q + s) = . p−q+t Observe that |p + q − s|
p − q. Then 1
4cN 4 (p + q) . |p − q − t| < p−q 1
Assuming p − q ≥ cN 2 and using Proposition 2.9, we get 1
|p − q − t|
= |α|2 . Also, the scalar product of two coherent states α and β is 1
2 +|β|2 +αβ∗ )
hβ|αi = e− 2 (|α|
.
(30)
This implies that two coherent states are approximately orthogonal within the limitation |α − β| ≫ 1. Accordingly, all coherent states form a continuum state space. Using the following equation Z 2 m! 1 αm α∗n e−β|α| d 2 α = m+1 δmn , (31) π ∞ β one can obtain
1 π
Z
∞
|αihα|d 2 α =
∞
∑ |nihn| = I.
(32)
n=0
This expression expresses the completeness relationship of the coherent states. Furthermore, while an electromagnetic field is always described using quadrature vari¯ which correspond to variables ables X and P, in quantum mechanics, two operators X¯ and P, of the quadrature position and quadrature momentum, respectively are introduced. So, the coherent state |αi satisfies X¯ = Re(α) and P¯ = Im(α), where Re(α) and Im(α) denote the real part and imaginary part of α. According to the definition of variances, one has
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
h∆X 2 i = hX 2 i − (hXi)2
,
h∆Pi = hP2 i − (hPi)2
(33)
Thus a coherent state is very easy to implement physically in experiment. As an example, the well-known distributed feed back (DFB) laser outputs coherent state directly. Ralph proposed a CV quantum cryptography scheme where the information is encoded onto a single coherent state [57]. He also proposed an entanglement-based scheme by using two squeezed beams which are orthogonal to each other before being entangled via a beam splitter. At the level of attack, Ralph explained that an eavesdropping can do three non-collective attacks in these quantum states. The first and the second attacks are known as man-in-the-middle or intercept-resend; by measuring a fixed quadrature via homodyne detection and by measuring both quadratures via heterodyne detection, respectively, for reproducing the signal based on the measured values in the end. The third attack uses a highly asymmetric beam splitter on the communication channel after which simultaneous detection of both quadratures in order to maximize information retrieval. Ralph has also considered an eavesdropping strategy based on quantum teleportation and shows again that there is a favorable trade-off between the extractable classical information and the disturbance of the signals passed on to the receiver [58]. Grosshans and Grangier implemented experimentally a quantum key distribution scheme using the nonorthogonality of coherent states [59]. They also demonstrated that this protocol is secure for any value of the line transmission rate. Initially, a line transmission below 50%, corresponding to line loss above 3 dB, was thought to render secure key
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Secure Communication
203
distribution impossible. A scheme with line loss ≤3 dB was considered secure, because the no-cloning bound for coherent states prevents Eve from obtaining better signals than Bob (when Eve replaces the lossy channel by a perfect one and employs beam-splitter based cloning of the coherent signals as the supposedly optimal eavesdropping strategy). As for the existence of secure schemes beyond the 3 dB loss limit, one should realize that the entanglement of a cv resource (two-mode squeezed states), though being degraded, never vanishes completely for any degree of the loss [60, 61]. In 1995 Bennett et al. proposed to use privacy amplification, and error correction techniques which are proposed by Brassard and Salvail in 1994 for secure communication. So, the information-theoretic condition is given by the mutual information between the participants as, ∆I = IAB − IAE = IAB − IBE > 0 (34) where IAB (IAE ) is the information rate between Alice and Bob (Eve). BB84 protocol and B92 protocol have been the fundamental protocols in quantum cryptography. Physical implementation of a QKD scheme is related on discrete variables and continuous variables.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
4.3.2. QKD with Coherent States The coherent state is a good candidate to implement the quantum communication between authorized users. This subsection describes the physical implementation of BB84 protocol using coherent state signal. F. Grosshans proposed a first continuous variable QKD protocol where exploiting phase space as efficiently as possible by using coherent states with a Gaussian modulation, called GG02 protocol in 2002. In this protocol, Alice sends coherent states modulated with a Gaussian distribution to Bob who chooses randomly to perform an homodyne detection on either one of the quadratures. Frédéric obtained the theoretical results for the protocols of quantum cryptography with continuous variables [59, 62]. These results demonstrate the possibility of a quantum key distribution via coherent states. This section defines the variables used to encode quantum information, and also the model of Gaussian quantum channel which carries these variables between Alice and Bob. In this model, we will determine the rate of secret information generated by the quantum exchange. We conclude this section with a comparison of protocols using coherent states described here and the protocols using single photons or protocols of the type of BB84. We assume that Alice sends a series of coherent states in the quantum channel, distributed with a Gaussian modulation in two quadratures XA and PA , with variance VA N0 . The description of the coherent beam protocol is as follows: 1. Alice draws two random numbers xA and pA from a Gaussian law with variance VA N0 . 2. She sends to Bob the coherent state |xA + ipA i through a quantum channel. 3. Bob randomly chooses to measure a quadrature either X or P and performs an homodyne detection along this quadrature. Bob informs Alice of his choice of quadratures via a classical public channel for exchanging information about basis. They share N couples of correlation variables.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
204
A. El Allati
4. Later, they randomly choose a subset of m indices, and compare the corresponding data (like in the BB84 protocol). For example, they perform parameter estimation for the transmission η and the excess noise ε of the quantum channel. More precisely, the parameter estimation allows Alice and Bob to upper bound Eve’s information. 5. Alice and Bob share two correlated Gaussian variables. Finally, they have to use a standard protocol for privacy amplification [23] in order to distill the private key. 4.3.3. Security Analysis The discussion of the security is an important test to any QKD protocol. Suppose that a third party (Eve) tries to intercept the information in the quantum channel. The no-cloning theorem [29], renders her trial impossible, i.e. she cannot produce and keep a perfect copy of the intercepted quantum state. The safety of this communication protocol using coherent states is discussed. It consists of studying the amount of secret information. So, the calculation of the mutual information gives an idea about this amount. The expression of the mutual information between Alice and Bob IAb contained in this transmitted modulation Gaussian by a Gaussian channel is obtained by the Shannon theorem [17]: 1 IAB = log2 (1 + SNR). 2
(35)
The Gaussian quantum channel can be modeled by the following relations,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
XB =
√
ηX (X¯A + δXA + NX,B ) ,
PB =
√
ηP (P¯A + δPA + NP,B ),
(36)
with ηX,P being the line transmission for the quadratures X or P. XA and PA the classical values of a modulation chosen by Alice according to a Gaussian centered variance < XA2 >=< PA2 >= VA N0 . During the transmission of coherent state (XA , PA ), the photon noise N0 is taken into account in terms of quantum fluctuations by δXA , δPA , where < δXA2 >=< δPA2 >= N0 . Also, the noise of the channel added in the quadratures are de2 2 >= ε scribed as < NX,B X,B , < NP,B >= εP,B . Suppose the simple cases which are ηX = ηP = η and εX,B = εP,B = εB . Using these conditions, the variance measured by Bob writes as VB N = η(V + εB ),
(37)
where V = VA + 1 which is the total variance of the modulation output of Alice. According to Shannon’s theorem, mutual information between Alice and Bob becomes as: 1 VA IAB = IBA = Log(1 + ). 2 1 + εB
(38)
During the transmission, Eve must interact with the beam of Alice for getting some signals. This interaction is similar to the signals Bob received. There are Heisenberg inequalities for the variances of noise between Bob and Eve as: 2 < NX,B >< NX,E >≥ N02
,
2 < NP,B >< NP,E >≥ N02
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
(39)
Quantum Secure Communication
205
εB εE ≥ 1.
(40)
1 1 ∆I = log2 (1 + ξB ) − log2 (1 + εE ), 2 2
(41)
then ∆I of the private key is written
hence, the useful secret information rate is: 1 V + εB ∆I = log2 . 2 1 +V εB
(42)
If εB < 1, ∆I will increase as a function of the signal modulation V which is a direct protocol security. However, in the case of noise, the transmission of channel is η. The total variance of noise is given as 1−η , (43) ξB = η the safety condition is that transmission was η > 50%, losses below 3dB, as plotted in figure 2. IA−E
IA−B
2.5
2.0
1.5
1.0
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
0.5
0.2
0.4
η
0.6
0.8
1.0
Figure 2. Mutual information of Alice-Bob and Alice-Eve.
The direct reconciliation protocols are relatively robust to excess noise, but they function as well for high transmission values of η. Modulation by Alice as the basis of the secret key, Bob and Eve are trying to guess which one Alice sent, which is known by "direct protocol". For example, if the transmission of quantum channel is less than 1/2, Eve inevitably gets more information than Bob on Alice’s key, thus they abort any secret transmission. However, the reverse protocol can exceed this limit. Its scheme is identical to that used in direct protocol: Alice sends a series of coherent states with a Gaussian modulation in the complex plane, while, Bob measures a random quadrature signal. The difference lies in the data processing: the secret key is constructed from the data measured by Bob. Thus, the theorem of Csiszar and Körner allows us to calculate the secret: ∆I = IAB − IBE (44)
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
206
A. El Allati
For bounding the secret information, Alice and Bob must find an upper bound for IBE . Using the Heisenberg inequality, the conditional variance introduces the uncertainty in Eve about measurement of Bob as, min VB/E ≥ VB/E =
1 N0 η(εB + V1 )
(45)
with V = VA + 1, then VB 1 1 1 max IBE ≤ IBE = log2 ( max ) = log2 (η2 (εB +V )(ε + )) 2 VB/E 2 V
(46)
then
1 1 max ∆I ≥ IAB − IBE = − log2 (η2 (ε + 1)(εB + )) (47) 2 V Figure 3 plots the mutual information in the case of reverse protocol. So, the protocol makes it possible to distribute the secret key with coherent states for any transmission of the quantum channel. IA−B 2.5
2.0
1.5
IA−E
1.0
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
0.5
0.2
0.4
η
0.6
0.8
1.0
Figure 3. Mutual information of Alice-Bob and Alice-Eve.
A "reverse reconciliation" protocol is the method advertised by Grosshans et al. [62]. It allowed in principle to secure the scheme for an arbitrary small line transmission rate. Reverse reconciliation basically means that Alice tries to guess what was received by Bob instead of a direct protocol where Bob guesses what was sent by Alice. In 1996, Mu et al. used a four coherent states and four specific local oscillator settings for the homodyne detection which enables the receiver to conclusively identify a bit value [63]. Another promising method to beat the 3 dB loss limit is based on a post-selection procedure (Silberhorn et al. [64]). The implementation of error correction techniques in this scheme might be less demanding than in the scheme of Grosshans et al. (2003). As for the signals in the postselection based scheme of Silberhorn, like in the scheme of Grosshans, simple coherent states suffice. The first proposals for continuous-variable QKD were based on EPR-like entanglement [65–67] and consequently not very practical. Such protocols have shown the possibility of reaching very high secret key rates, even in the presence of strong losses in the quantum communication channel. Despite this robustness to loss, their security can be affected by more general attacks where extra Gaussian
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Secure Communication
207
noise is introduced by the eavesdropper. S. Pirandola, et al proposed Continuous Variable Quantum Cryptography using Two-Way Quantum Communication for enhancing the security thresholds of the basic coherent-state protocols.
5.
Conclusion
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
To design a secure QKD scheme two important properties, i.e., the nonorthogonality and entanglement correlation, are often employed. These properties provide useful ways for transmission of information and the eavesdropping detection. In this study, we presented several secure quantum communications from discrete variables to continuous variables. The protocols permit to exchange secret information more than in the classical cryptography. In these protocols, both single photon and entangled photon states are used as the information processing carriers for secure communication. Signals are transmitted both in optical fibers and in free space. Single photon detectors are usually required, and in some protocols, Bell-basis measurements are also required. When the secure channel is established, all the eavesdropping behaviors will be discovered before the transmission of information. Besides these protocols, discrete and continuous variables protocols are also discussed. In the future, quantum technology will become more popular and demanding, where the need for and feasibility of other forms of quantum information processing becomes inevitable. As we may see from this review, the technical requirements for QSDC and DSQC are almost the same as those for QKD. We expect that in the future intensive research on quantum continuous variables, especially experimental studies of these subjects, will remain and become an active and fruitful area of research.
References [1] H. Bennett, G. Brassard, C. Crepeau, R. Jozsa, A. Pweres, W.K. Wootters, Phys. Rev. Lett. 70 (1993); J. Lee, M.S. Kim, Phys. Rev. Lett. 84 (2000) 4236. [2] Y. Yeo, Phys. Rev. A 78 (2008) 022334; E. Jung, M. Hwang, Y.H. Ju, M.-S. Kim, S.K. Yoo, H. Kim, D. Park, J.W. Son, S. Tamaryan, S.K. Cha, Phys. Rev. A 78 (2008) 012312. [3] C.H. Bennett, S.J. Wiesner, Phys. Rev. Lett. 69 (1992) 2881. [4] N.D. Mermin, Phys. Rev. A 66 (2002) 132308. [5] X. Wang, S.G. Schirmer, Phys. Rev. A 80 (2009) 042305. [6] Juan Leon, C. Sabin, Quant. Inf. 7 (2009) 187. [7] J. Lee, J. Park, S. Min Lee, Hai-W. Lee, A. Khosa, Rev. A 77 (2008) 032327. [8] A. El Allati, N. Metwally and Y. Hassouni, Transfer Information Remotely via Noise Entangled Coherent Channels, Opt. Commun. 284, 519 (2011).
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
208
A. El Allati
[9] Simon Singh. The Code Book. p. 14-20. [10] Standard FIPS PUB 46 du NIST (1977). [11] Standard ANS X9.52 de l’ANSI (1993). [12] B. Schneier. "The Blowfish Encryption Algorithm". Dr Dobbs Journal 19, 38 (1994). [13] V. R. Joan Daemen. Proposé sous le nom Rijndael (1998), standardisé par le NIST sous le standard FIPS PUB 197 (2001). [14] R. L. Rivest, A. Shamir et L. Adleman. "A method f or obtaining digital signatures and public-key cryptosystems". Commun. ACM 21, 120 (1978). [15] Standard FIPS PUB 186 du NIST (1993). [16] P. W. Shor, Algorithms for quantum computation: discrete logarithms and factoring, Proceedings of the 35th Symposium on Foundations of Computer Science, 124 134 (1994). [17] C. Shannon. "A Mathematical T heory o f Communication / Communication T heory o f Secrecy Systems". Bell System Technical Journal 27: 379-423, 623-656 (1948). [18] G. S. Vernam. "Secret Signaling System". Brevet déposé aux États-Unis sous le numéro 1,310,719 (1919). [19] C. Shannon, "Communication in the Presence o f Noise", Proc. IRE, 37, 10-21 (1949).
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
[20] S. Wiesner, "Con jugate coding". Sigact News, 15, 78-88 (1983). [21] R. P. Feynman. Simulating physics with computers. International Journal of Theoretical Physics, 21 :467-488, 1982. [22] R. P. Feynman. Quantum-mechanical computers. J. Opt. Soc. Am. B, 1 :464, 1984. [23] R. P. Feynman. Quantum-mechanical computers. Found. Phys., 16 :507-531, 1986. [24] Bennett, C.H., Brassard, G.: In: Proceedings IEEE International Conference on Computers, Systems, and Signal Processing, Bangalore, (IEEE, New York), pp. 175 (1984) [25] Bennett, C.H.: Quantum cryptography using any two nonorthogonal states. Phys. Rev. Lett. 68, 3121 (1992) [26] A. Einstein, B. Podolsky, N. Rosen, "Can quantum-mechanical description of physical reality be considered complete ?", Physical Review Letters, vol. 47, pp. 777-780, 1935. [27] P. W. Shor and J. Preskill, "Simple proof of security of the BB84 quantum key distribution protocol", Phy. Rev. Lett. 85, 441-444 (2000). [28] E. Biham and T. Mor, "Security of quantum cryptography against collective attacks", Phy. Rev. Lett. 78, 2256-2259 (1997). Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Secure Communication
209
[29] Wootters, W.K., Zurek, W.H.: Experimental quantum cryptography. Nature 299, 802 (1982). [30] I. Csiszar and J. Körner, "Broadcast channels with confidential messages", IEEE Transactions on Information Theory, vol. IT-24, no. 3, pp. 339-348, May 1978. [31] A. K. Ekert : Quantum Cryptography Based on Bell’s Theorem. Phys. Rev. Lett., 67(6):661, August 1991. [32] Gao, T., Yan, F.L., Wang, Z.X.: Deterministic secure direct communication using GHZ states and swapping quantum entanglement. J. Phys. A 38, 5761 (2005) 15. [33] Xiong, J. et al.: Unsymmetrical quantum key distribution using tripartite entanglement. Commun. Theor. Phys. 47, 441 (2007) 17. [34] Zhang, Z.J., Liu, J., Wang, D., Shi, S.H.: Comment on "Quantum direct communication with authentication". Phys. Rev. A 75, 026301 (2007) 18. [35] Huang, P., et al: Two-step unsymmetrical quantum key distribution protocol using GHZ triplet states purchase the full-text article. Journal Chine. Universities Posts and telecommunication 16, 114 (2009). [36] A. El Allati, M. El Baz and Y. Hassouni, Quantum Key Distribution with Tripartite Coherent States, Quantum Inf. Process. 10, 589 (2011).
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
[37] H. Lee, J. Lim, and H. Yang, "Quantum direct communication with authentication", Phys. Rev. A 73, 042305 (2006). [38] N. Gisin, G. Ribordy, W. Tittel et H. Zbinden, Quantum Cryptography. Rev. Mod. Phys., 74(1):145 , January 2002. [39] K. Boström and T. Felbinger, Phys. Rev. Lett. 89, 187902 (2002). [40] A. Wôjcik, Phys. Rev. Lett. 90, 157901 (2003). [41] Cai Q. Y. and Li B. W. Improving the capacity of the Bostrom-Felbinger protocol Phys. Rev. A 69, 054301 (2004). [42] F. G. Deng, G. L. Long, and X. S. Liu, Phys. Rev. A 68, 042317 (2003). [43] F. G. Deng and G. L. Long, Phys. Rev. A 69, 052319 (2004). [44] F. L.Yan and X. Zhang, Euro. Phys. J. B 41, 75 (2004) [45] C.Wang, F. G. Deng, Y. S. Li, X. S. Liu, and G. L. Long, Phys. Rev. A 71, 044305 (2005). [46] X. S. Liu, G. L. Long, D. M. Tong, and F. Li, Phys. Rev. A 65, 022304 (2002); A. Grudka and A. W´ojcik, Phys. Rev. A 66, 014301 (2002).
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
210
A. El Allati
[47] C. Wang, F. G. Deng and G. L. Long, Multi-step quantum secure direct communication using mult-particle Green-Horne-Zeilinger state. Opt. Commun., 2005, 253: 15-19. [48] Deng F. G., Li X. H., Li C. Y., Zhou P. and Zhou H. Y., Quantum secure direct communication network with Einstein-Podolsky-Rosen pairs, Phys. Lett. A, 2006, 359: 359. [49] Li X. H., Zhou P., Liang Y. J., Li C. Y., Zhou H. Y. and Deng F. G., Quantum secure direct communication network with two-step protocol, Chin. Phys. Lett., 2006, 23: 1080. [50] Li C.Y., Zhou H.Y., Wang Y., and Deng F.G., Secure quantum key distribution network with Bell states and local unitary operaitons, Chin. Phys. Lett., 2005, 22: 1049-1052 [51] A. Beige, B.-G. Englert, Kurtsiefer and H. Weinfurter, "Secure communication with a publicly known key", Acta Phys. Pol. A 101, 357 (2002). [52] Z. J. Zhang, Z. X. Man, and Y. Li, "The improved bostrom felbinger protocol against attacks without eavesdropping", Int. J. Quantum Inform. 2, 521 (2004). [53] Xiu X. M., Dong H. K., Dong L. Gao Y. J. and Chi F., Deterministic secure quantum communication using four-particle genuine entangled state and entanglement swapping, Opt. Comm. 2009, 282: 2457-2459 [54] Li Dong, Xiao-Ming Xiu, ACTA PHYSICA POLONICA B 41, 6 (2010).
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
[55] T. Gao, Controlled and secure direct communication using GHZ state and teleportation, Z. Naturforsch, A, 2004, 59: 597 [56] R. Glauber, Phys. Rev. 130 (1963) 2529; R. Gilmore, Ann. Phys. (NY) 74 (1972) 391. [57] T. C. Ralph, Phys. Rev. A 61, 010303 (2000). [58] T. C. Ralph, 2000b, Phys. Rev. A 62, 062306 (2000). [59] F. Grosshans et P. Grangier, Continuous variable quantum cryptography using coherent states. Phys. Rev. Lett. 88, 057902 (2002). [60] S. L.Braunstein,C. A. Fuchs, H. J. Kimble, and P. van Loock, "Quantum versus classical domains for teleportation with continuous variables", Phys. Rev. A 64, 022321, 2001. [61] L.M. Duan, G. Giedke, J.I. Cirac et P. Zoller, Inseparability criterion for continuous variable systems, Phys. Rev. Lett. 84, 2722 (2000). [62] F. Grosshans, G. Van Assche, J. Wenger, R. Brouni, N. J. Certf, and P. Grangier: Quantum key distribution using Gaussian-modulated coherent states. Nature 421, 238 (2003). [63] Mu, Y., J. Seberry, and Y. Zheng, 1996, Opt. Commun. 123, 344. Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Quantum Secure Communication
211
[64] Ch. Silberhorn, T. C. Ralph, N. Lütkenhaus, and G. Leuchs. Phys. Rev. Lett. 89: 167901, 2002. [65] T.C. Ralph. Continuous variable quantum cryptography. Physical Review A, 61(1):010303, Dec 1999. [66] M. D. Reid. Quantum cryptography with a predetermined key, using continuousvariable Einstein-Podolsky-Rosen correlations. Physical Review A, 62(6):62308, 2000.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
[67] K. Bencheikh, T. Symul, A. Jankovic, and JA Levenson. Quantum key distribution with continuous variables. Journal of Modern Optics, 48(13):1903-1920, 2001.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved. Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
In: Cryptography: Protocols, Design and Applications ISBN: 978-1-62100-779-1 c 2012 Nova Science Publishers, Inc. Editors: K. Lek and N. Rajapakse, pp. 213-236
Chapter 8
S ECURITY R ISK M EASURING AND F ORECASTING Stefan Rass∗ System Security Group, Universität Klagenfurt, Austria
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Abstract Predicting security incidents and forecasting risk are two essential duties when designing an enterprise security system. Despite a huge amount of cryptographic primitives being available, their assembly needs care to avoid introducing vulnerabilities through the interplay of components. Studying the security of compound systems composed from different cryptographic primitives is a highly nontrivial task and subject of recent research. Unfortunately, the related research is mostly focused on low-level cryptoprimitives, and a unified framework for security and risk assessment on a higher level seems yet missing. We present a decision-theoretic risk-management framework that permits a quantitative assessment of the security that a given enterprise information infrastructure enjoys. Based on an attacker-defender model, we can quantify security of a given system in probabilistic terms. This analysis is independent of the particular type of cryptosystem, and equally well applies to information-theoretically secure primitives, as well as to intractability-based (i.e. public-key) systems or symmetric cryptography. The latter two see ongoing progress in terms of security and attacks, and the success and acceptance of either approach depends on trust to a considerable extent. This confidence is supported by regularly appearing research results indicating the security or vulnerability of different primitives. A decision-theoretic framework naturally permits incorporating this information into probabilistic assertions about the overall security of the system, conditional on all the information that is available. As this process is automatable, we can devise a Bayesian learning strategy to continuously update the quality of protection and forecast the risk that we bear when relying on a given set of cryptographic primitives. The required evidence for Bayesian inference about the security of particular system components can be obtained from various sources, including security patches, software updates, scientific or industrial research result notifications retrieved through RSS feeds. Using appropriate stochastic distribution models, we obtain closed-form expressions for the times when to expect the next security incident and when a re-consideration of a security system or component becomes advisable. We illustrate our results using examples. ∗ E-mail
address: [email protected]
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
214
1.
Stefan Rass
Introduction
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
System security is traditionally a battle of wits, in which the defender tries to protect his assets against an attacker exhibiting some unknown, perhaps random, behavior. Security incidents are notoriously difficult to observe and hard to predict, so that in most cases, fixing the problem is a matter of "post-mortem" damage limitation. Part of security risk management is estimating and limiting the potential damage suffered from security incidents, and this process strongly hinges on comprehensive and up-to-date information about the most recent threats and respective countermeasures. Security risk management is an important pillar of enterprise risk management. Since the latter fruitfully employs decision- and game-theory, it appears natural to use the same toolbox for security incident management and prediction. It goes without saying that decision support through incident prediction is only as good as the information it is based on, and will assume various sources of information available when designing a simple incident forecasting system in this chapter. Fortunately, thanks ongoing research in digital forensics and incident management, this assumption is no longer visionary and increasingly supported. Roadmap to this chapter: Risk forecasting requires a mean of numerically valuating risk in order to apply mathematical techniques for prediction. Hence, before we can go into details about risk forecasting, we need a quantitative risk measure. We will use game-theory for that matter, as motivated in Section 2. A brief technical introduction to the required concepts from game-theory is found in Section 2.1. Here, we work our way through different concepts for modeling and analysis of games, culminating in a simple risk-measure sketched in Section 2.2. Section 3 uses a practical example to illustrate the general modeling process for security risk assessment under game-theoretic perspectives. With this preparation, we come to risk forecasting in Section 4, repeatedly stressing examples for illustrative purposes. A critical discussion of open issues, further research and alternative approaches to risk forecasting is given in Section 5.
2.
A Game-Theoretic View on Security
In light of the introductory discussion, why not consider system security as the most prototypical incarnation of a non-cooperative competition? Indeed, we have two players, being the security officer versus the attacker (where we can consider any coalition of attackers as a single – perhaps more powerful – entity, without loss of generality). These two are playing a game against each other, in which the business asset under protection is the revenue that is distributed according to whatever the game’s outcome is. In the most simple form, let us consider this outcome u as binary, e.g. 1, if the attack failed; (1) u= 0, if the attack succeeded. The game-play will be about the security system defending the business asset against the chosen attack. Our goal will be finding the best security provisioning strategy such that the average utility, i.e. success-rate in case of the binary valuation (1) is maximized.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Security Risk Measuring and Forecasting
215
It is important to notice that we will exclusively consider the security officer’s view in all that follows. Usually, we would spend a considerable lot of time with identifying the adversary’s motivation or possible incentives in order to get an idea of what to expect from an attack. However, as eloquently noted in [3], we can spare these efforts when we consider the game as a zero-sum competition. Intuitively, knowing our own incentive, we ascribe the exact opposite intentions to the adversary. Technically, if we gain some utility u from a correctly functioning system, e.g. define u as in (1), then the adversary’s revenue from his attack would be −u. It is easy to justify a zero-sum competition as a worst-case scenario informally. The formal result (Lemma 2.1) is easy to formulate and even simpler to prove, yet we require some basic terminology from game-theory to state it properly.
2.1.
Elements of Game-Theory
Before going into details about game theory, we emphasize that we will solely focus on non-cooperative static games in normal form, thus leaving aside other variants or generalizations. Cooperative games, dynamic or stochastic competitions and similar enjoy a wide field of application in system security, and we refer the reader to [3] for a comprehensive overview. For our forecasting application, however, matrix-games in normal form will fully suffice. A finite non-cooperative game Γ is a triple Γ = (N, S, H) made up of the following ingredients: • a finite set N = {1, 2, . . . , n} of players,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
• where each player i ∈ N has a finite (and hence discrete) set PSi of strategies to choose from, and • gets revenue assigned, depending on his choice si ∈ PSi , and the choices of his opponents. Let us postpone examples for these ingredients until Section 3, where we describe a simple security system for a game-theoretic risk assessment and forecasting. As for now, we need some more preparation. A convenient notation to describe the compound vector of strategy choices for player i’s opponents is writing s−i to denote a vector from the set n
PS−i := PS1 × PS2 × · · · × PSi−1 × PSi+1 × · · · × PSn = ∏ PS j . j=1 j6=i
In this notation, we can define the utility function for the i-th player as a mapping fi : PSi × PS−i → R, so that player i ∈ N receives revenue fi (si , s−i ) under the scenario, i.e. strategy choice profile, (si , s−i ). An example of such an assignment has been sketched as expression (1),
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
216
Stefan Rass
and a convenient way of representing the (discrete) payoff function in a two-player game is via a labeled (payoff) matrix, (2)
(1) s1
s1
a11 .. .. . . A = s(1) ai1 i .. . . .. (1) s|PS1 | a|PS1 |,1
(2)
···
sj
···
··· .. . ··· .. .
a1 j .. . ai j .. .
··· .. . ··· .. .
···
a|PS1 |, j
···
(2)
s|PS2 |
a1,|PS2 | .. . ai,|PS2 | , .. .
a|PS1 |,|PS2 |
(1)
(2)
in which ai j ∈ R is the revenue that the corresponding player receives in scenario (si , s j ). Such games are called matrix-games, and the payoff-structure A is called the game-matrix. Collecting, for all i ∈ N, the strategy sets PSi in the family S, and all utility functionals ui in the family H, completes the game Γ as a triple. A game is called zero-sum, if ∑i∈N fi ≡ 0, i.e. if a constant amount of utility (e.g. money) is (re)distributed among the players according to their actions in the game-play. An equilibrium of a game is a strategy profile (s∗1 , s∗2 , . . . , s∗n ) ∈ ∏ni=1 PSi in which all players choose their actions so to simultaneously maximize their own outcome, i.e. each player chooses s∗i such that
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
fi (s∗i , s∗−i ) ≥ fi (si , s∗−i ) ∀si ∈ PSi
∀i ∈ N.
(2)
In other words, no player could gain more by unilaterally deviating from the equilibrium profile (observe that this does not rule out a gain by coalitions among players, but cooperative games are not needed here, as will soon become evident). It is helpful to instantiate the above condition for two players, as this better illustrates the effect of the equilibrium. To ease notation, let us write x ∈ PS1 for player 1’s, and y ∈ PS2 for player 2’s strategy. For a zero-sum game, we have f1 = − f2 so that the equilibrium condition (2) boils down to f1 (x, y∗ ) ≤ f1 (x∗ , y∗ ) ≤ f1 (x∗ , y),
(3)
also known as the saddle-point condition. It is easy to construct examples in which no such saddle-point exists in PS1 × PS2 . This issue can easily be resolved by considering infinite repetitions of a game instead of a single blow. Think of an infinite sequence in which the strategies in each repetition are drawn randomly from PSi for the i-th player. Let the revenue for player i be X j in the j-th trial, then from the weak law of large numbers, we get the long-run average payoff to satisfy 1 n
n
∑ X j → EX p
as n → ∞,
(4)
j=1
where the convergence is in probability. It is therefore natural to ask for the best randomized behavior such that the expected revenue is maximized. Hence, we make the following replacements in our game’s initial description for the i-th player: Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Security Risk Measuring and Forecasting
217
• the set of strategies PSi is replaced by the set Si of probability distributions supported on PSi . To distinguish the two, we call PSi the set of pure strategies (hence the notation), and refer to Si as the set of mixed strategies, or simply strategies for short. • the revenue function fi is replaced by the expected revenue ui (si , s−i ) = E fi (xi , x−i ),
(5)
where the expectation is w.r.t. the joint distribution of si and s−i . In general, one could invoke the law of large numbers (4) to evaluate expression (5), yet convergence is only in probability and perhaps slow, and there are much better ways to calculate the expectation directly in many of the interesting cases. For a a two-player matrixgame, the expected revenue is explicitly found as u1 (x, y) = −u2 (x, y) = xT Ay, where A is the payoff matrix for player 1 (hence, in that case there is no need employ the law of large numbers for the numerics). The general equilibrium and saddle-point conditions can straightforwardly be stated in terms of mixed strategies and expected revenues. In the case of a two-player matrix-game, the equilibrium condition takes the form xT Ay∗ ≤ (x∗ )T Ay∗ ≤ (x∗ )T Ay ∀(x, y) ∈ PS1 × PS2 ,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
and the middle expression is called the saddle-point value (or simply value) of the game. It is denoted as v(A) and defined to be v(A) = max min xT Ay = min max xT Ay. x∈S1 y∈S2
y∈S2 x∈S1
(6)
The existence of this value and its uniqueness independently of what particular saddlepoint is chosen is non-trivial to assure, and a proof was provided by John von Neumann. Later, John Nash extended von Neumann’s result from matrix games to general games. His proof of existence is essentially different and much simpler than von Neumann’s proof for matrix-games. To honor John Nash, equilibria in the sense of (2) are called Nash-equilibria. Nevertheless, we shall exclusively refer to (the simpler) matrix-games throughout the sequel. It is important to notice that although the value (6) is unique, equilibrium profiles are usually not unique. For our purposes, however, we shall only need the value, and the particular equilibrium profile that yields it is only of minor interest (yet it is important as a pointer towards possible vulnerabilities, but this is beyond the scope of this chapter). 2.1.1. Random Revenues An interesting special case occurs when the outcome as such is uncertain (random). To illustrate the problem, we use the example given in [20]: consider an infrastructure in which we have an intrusion prevention system (IPS, e.g. a firewall) and an intrusion detection system (IDS, e.g. a honey-pot) as auxiliary defense measures. From experience, we are 50% confident that the IPS will block unwanted access attempts, and that a fair amount of
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
218
Stefan Rass intrusion prevented 0.5
no damage
int. detected
data lost
0.3
no loss
0.2
0.8
damage no damage
0.2 damage
successful intrusion
Figure 1. Probability tree [20, 22]. the remaining attacks can at least be detected afterwards. We can compile this scenario into a probability tree as exemplified in Figure 1, which can be used to assign revenues in the game to be set up. However, since the auxiliary security system is not perfectly reliable, the revenue is essentially random, yet with a known distribution F that can be read off the probability tree. The general problem of uncertain payoffs in a game can be resolved easily if the distribution F of the payoffs is known [22]: let the entries in the game-matrix A be random variables Ui j ∼ F with a known distribution F. One simple trick to get rid of the nondeterminism is simply averaging over all possible outcomes w.r.t. the distribution F, i.e. we ask for the "average" expected revenue (under randomness), which is ! T EF x Ay = EF ∑ ∑ pi qiUi j = ∑ ∑ pi qi EF (Ui j ) = xT (EF (A))y. (7) Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
i
j
i
j
Hence, the whole story amounts to replacing A by EF (A) element-wise. Picking up the example from before (originally given in [22] and with simplifications found in [20]), the distribution F is Pr(no damage) = 0.5 + 0.3 · 0.8 = 0.74, Pr(damage) = 1 − Pr(no damage) = 0.26. so that the random utility is Ui j =
1, with likelihood Pr(no damage); 0, with likelihood Pr(damage).
having the expectation 1, if the attack j ∈ PS2 failed under the defense i ∈ PS1 ; EF (Ui j ) = 0.74, otherwise. that makes up the entries in the "de-randomized" game-matrix.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Security Risk Measuring and Forecasting
219
2.1.2. Domination A useful tool to reduce the size of the game-matrix is exploiting dominance relations among its entries. Let an (n × m)-game-matrix, and let two rows ai = (ai1 , ai2 , . . . , aim ) and a j = (a j1 , a j2 , . . . , a jm ) be given. Assume that aik ≤ a jk for each column k = 1, 2, . . . , m. Then player 1 is worse off by choosing strategy i ∈ PS1 than he is when he acts according to row j ∈ PS1 , because the latter choice will always give as least as good results as the alternative. We say that row j (weakly) dominates row i. It can be shown that we can safely delete the dominated row from the matrix without loosing any equilibrium solutions. Analogously, we can delete any column that pays less for player 2 than another. This process can be repeated until no further deletions are possible, and sometimes yields dramatic reductions of the game-matrix. 2.1.3. Solving Games by Linear Programming Computing Nash-equilibria of general multiplayer games is a highly nontrivial problem. The G AMBIT-software (see http://www.gambit-project.org) can do the job for general matrix-games, however, in case of two-person matrix-games, calculating a Nashequilibrium and the saddle-point value is a simple matter of linear optimization. We leave the details to the reader, and refer to the literature about game theory, such as [11] for instance.
2.2.
Risk Estimates from Zero-Sum Competitions
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Let us return to the zero-sum competition that models the interaction between the defender and the attacker. The optimality of the zero-sum model in terms of lower-bounding the revenue from the game formally manifests itself in form of Lemma 1 , PS2 }, and T 2.1 T([21]). Let Γ = (N, PS, H) with N = {1, 2}, PS = {PS|PS H = x Ay, x By ) be a bi-matrix game with game-matrices A ∈ R 1 |×|PS2 | , B ∈ 1| R|PS2 |×|PS T for Tplayer 1 (honest) and player 2 (adversary), respectively. Let Γ0 = (N, PS, x Ay, x (−A)y ) be the zero-sum game from player 1’s perspective (i.e. player 2 receives the payoff −xT Ay), and let v(Γ0 ) denote its value (i.e. average outcome under a Nash-equilibrium strategy in Γ0 ). Then v(Γ0 ) ≤ (x∗ )T Ay∗ for all Nash-equilibria (x∗ , y∗ ) of the game Γ. This lemma is an immediate consequence of the saddle-point condition (3); we leave the details of its proof to the reader. In fact, the result is most trivial and well-known (cf. [3] for example). The sceptic reader might oppose against this approach for the reason of the zero-sum game not accurately modeling the true behavior of the adversary. This is indeed true, and security cannot in general be considered as a zero-sum game. However, one can prove that the above bound is sharp even in the general bi-matrix case, so that the zero-sum saddle-point value is a tight bound to the real expected revenue. This limit cannot be improved without further hypotheses, and more importantly, it spares the difficult attacker profiling [7, 25] that is tied to many other approaches (e.g. [4] describes a similar formalization that requires some knowledge about the attacker’s intentions. Lemma 2.1 saves us from this need).
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
220
Stefan Rass
As a central tool in the following, we introduce the concept of vulnerability. Let us fix a scale I ⊂ R+ in which we valuate the outcome of the game. In equation (1), we had I = {0, 1}. Nominal scales, e.g. {public, confidential, top secret} (measuring the "value" or "importantness" of the document under transmission) can be mapped to discrete values I = {0, 1, 2}, and even continuous scales such as I = [a, b] with a, b ∈ R (e.g. the monetary value of documents, ranging from not important a = 0 up to significant business value of b = 10, 000, 000 dollar) are equally possible. The only technical requirement that we impose is compactness, simply calling for boundedness and closedness of I. Fortunately, every finite set and every set of the form I = [a, b] with a, b ∈ R+ satisfies this need. With a two-person zero-sum game modeling our infrastructure provisioning approach, let A ∈ In×m be the game-matrix. The vulnerability is defined as ρ(A) := max I − v(A), where max I is the largest benefit that we can get in the game, and v(A) is the game’s saddlepoint value. In a statistical context, this is known as the regret function, as it measures the difference between how much was gained, and how much would have been possible. This quantity enjoys various useful properties, in case that the game is set up over the binary scale I = {0, 1}, where utility 1 indicates success, and utility zero indicates failure: • Under the above convention on I and the utilities, ρ(A) is the maximum probability of a secret message becoming disclosed [19, Theorem 5.3.19].
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
• More generally, the expected loss r(x∗ , y∗ ) := E(x∗ ,y∗ ) [max I − u(x, y)] (where E(x∗ ,y∗ ) denotes the expectation w.r.t. a Nash-equilibrium, i.e. optimized, distribution (x∗ , y∗ )) is the decision-theoretic risk and satisfies r(x∗ , y∗ ) ≤ ρ(A) [19, Theorem 5.3.16]. • If C denotes the transcript of a secret transmission of the plain text M, then the mutual Shannon-information I(M;C) between M and C (see [6] for a comprehensive introduction to the topic), satisfies I(M;C) ≤ ρ(A) · H(M), where H(M) denotes the Shannon-entropy of the plain text’s source [19, Corollary 5.3.20]. This establishes a direct connection to information-theoretic secrecy in cryptography. • When A is referring to success or failure of a transmission, the system is ρ-reliable (meaning that a transmission failure is (un)likely with chance ≤ ρ), and accordingly 2ρ-private (i.e. two cryptograms are statistically indistinguishable up to a difference of no more than 2ρ), if the game is about secrecy [19, Theorem 5.3.21]. This establishes a connection to the notions of ε-privacy and δ-reliability as used in various cryptographic papers on perfectly secure transmission (cf. [33]). • Finally, we have the following vulnerability-based characterization of the possibility of arbitrarily secure communication [19, Theorem 5.3.34]: if ρ(A) < 1, then for any ε > 0 there is a protocol such that Alice and Bob can communicate with an eavesdropping probability of at most ε. If, however, ρ(A) = 1, then the probability of the message becoming extracted by the adversary is 1 (notice that under the above modeling, we trivially have 0 ≤ ρ(A) ≤ 1). For the above reasons, the vulnerability ρ is a valid risk-estimate on decision-theoretic grounds. Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Security Risk Measuring and Forecasting
221
encrypted volume
Host H1 1. download patch
3. get secret key
Admin
4. send signed patch
User
2. verify MD5 checksum Host H2
Host H3
Figure 2. Example scenario.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
3.
Modeling
Let a security infrastructure be given, which we seek to assess with game-theoretic tools. As an example scenario, and to illustrate the ideas to follow, we will borrow the example from [20]: let an administrator be responsible for maintaining a user’s computer by regularly distributing security patches and updates. These patches are retrieved from one of three mirrors, and for security, the hash-value (say the MD5-hash) of the patch is compared to a mirror different from the one where the package is downloaded from. If the checksum turns out valid, then the user receives a signed patch, which he can install on his machine. The entire process is depicted in Figure 2. The game is now played between the administrator and the adversary, seeking to install a malicious patch containing a trojan. For that matter, he must acquire at least two of the three mirrors, in order to forge the update as well as its hash-value. To keep the example feasibly small, let us assume that there are three mirrors available, and that the adversary will not conquer more than two at the same time. Notice that no assumption besides this threshold is imposed on the adversary (i.e. we do not restrict his computational abilities in any sense or constrain him to be passive or static, much unlike in conventional cryptography). The game is therefore a matter of three possible strategies on either side. Starting with the administrator, this one can download the patch following one of three strategies, listed in Table 1a. Similarly, the adversary has three possible ways of behavior, listed in Table 1b and denoted as PS2 . The outcome of the game can be considered binary, such as in expression (1), and is (2)
s1 (1) s1 0 A = s(1) 2 1 (1) s3 1
(2)
s2
1 0 1
(2)
s3 1 1 . 0
(8)
The zero-sum game is a particular case of a diagonal game, and has the saddle-point value v(A) = 32 , giving the risk ρ(A) = 1 − v(A) = 31 . Since the game-matrix is binary, ρ(A) upper-bounds the probability of the adversary being able to substitute the update with a trojan horse.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
222
Stefan Rass Table 1. Example strategies
3.1.
(a) PS1 : Strategies for the admin
(b) PS2 : Strategies for the attacker
(1) s1 (1) s2 (1) s3
s1 (2) s2 (2) s3
query mirrors M1 , M2 query mirrors M1 , M3 query mirrors M2 , M3
(2)
attack mirrors M1 , M2 attack mirrors M1 , M3 attack mirrors M2 , M3
Modeling: The General Case
The technique used in the example can be summarized in four steps to yield the general modeling approach:
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Step 1 (Identification of provisioning strategies): With the security system at hand, the security officer will identify the different ways in which it can be used to serve the daily duties. This comprises all degrees of freedom that are open to the users when requesting a service. Examples besides the above (where the administrator is free to use any of the three mirrors for download) include multiple transmission paths, protocol suits supported in the course of SSL connections, etc. All these options are collected in a set PS1 , with each entry making up another row in the game-matrix to be constructed. Step 2 (Identification of attack scenarios): The set PS2 is made up of all attack strategies that can be identified. This process can be supported by topological vulnerability analysis [14] and respective scanning and decision support tools (e.g. [18, 32] to name just two). Attack trees and attack graphs [27] can as well be used directly for this step. However, it is important to notice that the quality of the resulting risk measure is only as good as the attack strategy listing is comprehensive. Conversely, any unknown attack strategy defeating all the known provisioning strategies will invalidate the risk estimate. Adding a new attack strategy not necessarily calls for a complete re-assessment, and the concept of domination (see Section 2.1.2) can be fruitfully exploited to recover from this (see [23] for details). Step 3 (Setting up the game-matrix): If PS1 , PS2 are fully available, then the matrix is created by systematically assessing each scenario (si , s j ) ∈ PS1 × PS2 in terms of a user-defined taxonomy I. For instance, I = {0, 1} could be used to express success (utility 1) or failure (utility 0) of a secret transmission. Other, perhaps discrete or continuous, scales are equally permissible, as long as there is a meaningful concept of "average utility" available using I. In the binary case, this average is simply a probability, but in case of a, say continuous scale, one could set I to a monetary range, in which case the average amounts to an expected monetary loss (i.e. corporate risk). If the decisive logic for that is easy to implement, then this process is fully automatable, and a meaningful choice of I ensures that results are easy to interpret and to communicate to a customer. In fact, the choice of I can be even left up to the customer himself, to have the outcome in terms of a vocabulary that is familiar to the risk-manager.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Security Risk Measuring and Forecasting
223
Step 4 (Calculating the risk measure): If the matrix A is available, then prior to putting it through a solver, it is advisable to delete dominated strategies for either player to reduce the size of the matrix. We go into details about this below. The so simplified matrix can be put through a standard solver for linear optimization. If new attack strategies are added to the matrix, then the protection can be retained without re-doing all the analysis, if one of the following two conditions is true: 1. the new attack strategy is dominated by a known attack strategy, 2. the new attack strategy does not dominate all known attack strategies.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Condition 1 is immediately clear from the definition of domination. Under this circumstance, there is no need to update the matrix at all, and all results remain unchanged. Condition 2 is less obvious, yet not difficult to prove (see [23] for the details). However, in this case, we can only assure a risk strictly below 1 so that the known results about ρ (see above) apply, yet the precise value has to be determined by re-running the analysis. It is easy to imagine a scenario in which the number of strategies grows too large to remain feasible. Fortunately, only the list of attack strategies PS2 must be comprehensive, whereas the list PS1 may be pruned when it becomes too long. If the calculated risk value comes back unacceptably high, then further entries may be added to PS1 until the risk estimate becomes better. As far as it concerns the size of PS2 , even a (computationally unbounded) threshold adversary conquering up to k out of n nodes will have exactly nk strategies. If k is not too large, then this number remains within feasible bounds. Still, the combinatorics involved with the modeling imposes some practical limitations to the approach that are to be overcome by heuristics. One such heuristic is domination (cf. Section 2.1.2). Example: Consider the network displayed in Figure 3a. Here, Alice (located at node 1) chooses two node-disjoint paths to communicate with Bob (sitting at node 4), in the presence of a passive adversary with threshold 2, i.e. no more than two nodes can be under his control at the same time. For transmitting a message m, Alice chooses a key k (onetime pad) and creates the ciphertext c = m ⊕ k (where ⊕ indicates the bitwise exclusive-or). She transmits k and c over two node-disjoint paths to Bob, who can trivially decipher the cryptogram by XOR-ing with k again. Equally obvious is Eve’s success if and only if she catches both, c = m ⊕ k and k, for otherwise, the one-time pad will perfectly protect m from disclosure (see [28] for a proof). Enumerating all the paths from Alice to Bob, and picking out those who do not intersect, we identify 34 strategies in PS1 and with 21 strategies in PS2 (this is simply the binomial 7 coefficient 2 , counting the number of two-element subsets of the set of intermediate nodes {2, 3, 5, 6, 7, 8, 9} connecting Alice with Bob). Doing the reduction by deleting dominated rows and columns, we set up a 5 × 6-matrix (Figure 3b) along with the list of undominated strategies (Figures 3c and 3d).
3.2.
Refining the Model
Coming back to risk management, let us try making this quantitative measure more accurate and suitable for forecasting. Assume that we know that the download comes from Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
224
Alice
Stefan Rass 2
3
7
9
1 8 6
5
(2)
s1 (1) s1 0 (1) s2 0 4 Bob (1) s3 1 (1) s4 1 (1) 1 s5
(a) Multipath transmission network
(2)
(2)
use path 1—6—5—4 and 1—2—3—4 use path 1—6—8—9—4 and 1—2—3—4 use path 1—7—8—5—4 and 1—2—3—4 use path 1—7—9—4 and 1—2—3—4 use path 1—7—9—4 and 1—6—5—4 (c) PS1 : Strategies for the sender
(2)
s3
s4
s5
1 1 0 0 1
1 1 1 1 0
1 0 1 0 1
0 1 0 1 1
(2)
s6 1 0 0 1 1
(b) reduced game matrix (2)
(1)
s1 (1) s2 (1) s3 (1) s4 (1) s5
(2)
s2
s1 (2) s2 (2) s3 (2) s4 (2) s5 (2) s6
attack nodes 2, 6 attack nodes 2, 7 attack nodes 6, 7 attack nodes 2, 9 attack nodes 2, 5 attack nodes 2, 8
(d) PS2 : Strategies for the attacker
Figure 3. Multipath transmission game.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
some particular web-server, to which we can assign a trust-parameter p. Notice that the concept of "trust" has not been rigorously formalized up to now, so the best we can do here is present a decent ad hoc construction that is suitable for our needs. Our trust parameter will be a probability px = Pr(component x can effectively be compromised),
(9)
where x may refer to any component of interest in the system. The game-theoretic estimate can now be refined in the sense that the outcome is uncertain and determined by a random variable X : Ω → {0, 1}, which refers to the component x either withstanding the attack (X = 0) or failing (X = 1). Connecting this with our simple trust model, we can put EX = px , and the revenue matrix A is now itself random and dependent on X. Since X is a Bernoulli random variable, it is perfectly described in terms of its first moment EX = px , and we can write A(p) (dropping the subscript x to ease notation) to denote the game’s dependence on the trust parameter p. Switching from A(X) to A(p) is justified by equation (7). Let us postpone the more detailed example until later, and let us confine ourselves to a quick illustration here. Assume that our trust parameter refers to node 7’s attack resilience, (2) (2) then the adversary can no longer mount attacks s2 and s3 with a likelihood better than 1 − p. It follows that the payoffs for these two columns will increase (from player 1’s
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Security Risk Measuring and Forecasting
225
perspective), and equation (7) yields the new payoff matrix (2)
s1 (1) s1 0 (1) s2 0 (1) s3 1 (1) s4 1 (1) 1 s5
(2)
(2)
(2)
(2)
s2
s3
s4
s5
1 1 p p 1
1 1 1 1 p
1 0 1 0 1
0 1 0 1 1
(2)
s6 1 0 . 0 1 1
This matrix gives rise to a risk measure that is now dependent on the trust parameter p, and forecasting will be the process of estimating the (future) point in time when the risk exceeds an unacceptable threshold.
4.
Risk Forecasting
The trust parameter introduced in previous paragraphs is useful only if it accurately reflects the true chance of an attack, and if it can be updated efficiently and effectively. As being a probability, the natural way of updating it appears through Bayesian updating. Sources for such updates are incident reporting systems [16], RSS feeds and many others. For simplicity, let us focus on RSS feeds in the following, which will help illustrating the general method. Suppose that a piece of information comes in that refers to a part or a class of components in our system. Then the information can be classified as follows:
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Positive: a bug-fix or security patch that increases the strength of our system. Negative: a security hole or exploit report that is awaiting a fix. Unrelated: if neither of the above applies, then the information cannot be used for automated updating. In that case, it is up to the security officer to save, interpret and use it appropriately.
4.1.
Bayesian Updating
Modeling trust via a probability distribution let us apply Bayes’ theorem in order to incorporate new information. Since our trust parameter introduced in (9) is a mere probability value, we can capture its uncertainty via a probability distribution supported on the unit interval [0, 1]. The Beta-distribution p ∼ Beta(a, b) with (real-valued) hyper-parameters a, b > 0 appears as a suitable prior model. Even more so, since the problem of choosing the hyper-parameters appropriately remains up to the security officer: if neither information nor expertise is sufficient to give a decent guess for a, b, then we can switch to a non-informative prior, which, thanks to the compact support, is the uniform distribution U [0, 1]. This model expresses no preferences among all possible choices of p ∈ [0, 1], and indeed, appears as a special case of the Beta-prior via Beta(1, 1) = U [0, 1]. Hence, regardless of whether or not are able to specify a hyper-prior different from the (non-informative) uniform distribution,
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
226
Stefan Rass
the trust parameter can be derived from the Beta-distribution on decision-theoretic grounds by taking its median (absolute loss) or expected value (quadratic loss); we will explain the details below. With a prior distribution Beta(a, b) available, we proceed by updating it repeatedly in the Bayesian way. Let a sequence of n RSS feeds x1 , . . . , xn be available and assume all of them related to the same component in our system. Assume that k among these are classified as positive updates, and n − k being negative updates (discarding irrelevant information for obvious reasons). The information x1 , . . . , xn can be considered as indicator variables, if we put 1, in case of a positive update; xi := for i = 1, 2, . . . , n. (10) 0, in case of a negative update, We wish to update the prior distribution Beta(a, b) with density π(p) conditional on the information x1 , . . . , xn , i.e. we seek π(p|x1 , . . . , xn ). By Bayes’ theorem, this is π(p|x1 , . . . , xn ) = R
π(x1 , . . . , xn |p)π(p) , [0,1]×{0,1}n dΠ(p, x1 , . . . , xn )
(11)
where the denominator is simply a normalization constant, and we can circumvent the need to evaluate the Lebesgue-Stieltjes integral w.r.t. the distribution function Π of the joint density of (p, x1 , . . . , xn ). By our convention of using indicator variables (expression (10)), the term π(x1 , . . . , xn |p) in (11) is nothing else than a binomial likelihood-function, for which the Beta-prior π(p) is conjugate [24]. Hence, the whole update boils down to updating the parameters of the Beta-prior, as follows:
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
prior distribution: p ∼ Beta(a, b) (conditional) posterior distribution: p|x1 , . . . , xn ∼ Beta(a + n − k, b + k). Following a decision-theoretic approach, we will choose the trust parameter p so that it minimizes the posterior expected loss, i.e. the posterior risk. To quantify the loss from misestimating the value pˆ instead of the correct value p, we use a nonnegative loss function L : [0, 1] × [0, 1] → R+ . Our Bayesian estimator for the trust parameter will then be p := argmin pˆ
Z
[0,1]
L(θ, p)π(θ|x ˆ 1 , . . . , xn )dθ,
(12)
i.e. the value that minimizes the posterior expected loss w.r.t. our chosen penalty function L. Several choices are permissible, and two common ones are the absolute value deviation L1 (p, p) ˆ = |p − p| ˆ or the quadratic loss L2 (p, p) ˆ = (p − p) ˆ 2 . The optimization problem (12) has different solutions, depending on whether L1 or L2 is chosen, namely [24] L1 : p is the median of the posterior distribution π(θ|x1 , . . . , xn ) L2 : p is the first moment of the posterior distribution π(θ|x1 , . . . , xn ). The above results are well-known and in no way surprising when one recalls that the arithmetic mean is the least-squares estimate of a given list of numbers (i.e. minimizes the quadratic loss), and the median has least total absolute deviation from a list of given numbers (minimization in the 1-norm).
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Security Risk Measuring and Forecasting
227
Since we chose our prior conjugate to the binomial likelihood function, the posterior is again a Beta-distribution, and sticking with the quadratic loss function, we obtain the trust parameter (combining all of the above) p = E [Beta(a + n − k, b + k)] =
a+n−k , a+n+b
(13)
where a, b > 0 and 0 ≤ k ≤ n. Observe that we can perform this update without evaluating the denominator in (11) or solving the optimization problem (12). The last expression is therefore not only approved on Bayesian grounds, but also efficiently computable. Finally, its interpretation is straightforward, as it is simply the fraction of negative among the total number of experiences that we have recorded in the past. Hence, our constructed trust parameter is formally and intuitively sound. Nevertheless, the construction is open to criticism, since the choice of the Beta-prior was arbitrary and mostly for technical convenience. Other prior distributions may yield equally interesting results, yet might come at higher computational cost. It should be noticed that updating is less trivial than it the above would make us think. In fact, the importance or impact of an update will vary, as different messages are of different severity. Simply think of bug reports that are classified as low priority, medium, severe, etc. Resolving this issue is an interesting open question for research.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
4.2.
Forecasting: The Univariate Case
Assume that the communication infrastructure usage has been modeled as a matrix A that depends on a single trust parameter p ∼ Beta(a, b), where (a, b) is the hyper-prior parameter. We refer to this as the univariate case, because A is determined by a scalar parameter p. The generalization where A depends on multiple parameters receives attention later. As our risk measure is based on information that comes in on a random base, forecasting basically means asking for the future point in time when we would expect a problem. That problem can either be an incoming negative update, or an unacceptable increase of the risk (quantified by virtue of game-theory as described above). We shall discuss both approaches separately in the following. Forecasting the next incident: Starting with the simpler case of finding the expected time until the next negative update, let us think of the incoming messages as arriving independently. The trust parameter (with hyper-parameters a, b) as constructed above, is then the chance for a negative update to arrive, and the geometric distribution tells us the number k of updates until the first negative one is received. Consequently, we ask for the predictive distribution g(k|a, b), conditional on all our information, represented via the hyper-parameter (a, b). Formally, this is g(k|a, b) =
Z 1 0
fGeo (k|p)π(p|a, b)d p =
B(b + k, a + 1) , B(a, b)
where B(·, ·) is the Beta-function (Euler’s integral of first kind) and fGeo (k|p) = (1 − p)k p, Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
(14)
228
Stefan Rass
is the density of the geometric distribution with parameter p, and π(p|a, b) is the (current) belief model for our trust parameter p (its Bayes-estimator would be the first moment of π(p|a, b)). The expected time until the next negative update is simply the first moment of the predictive density (14), i.e. ∞
N1 =
b
∑ k · g(k|a, b) = a − 1 ,
(15)
k=1
provided that a > 1. The actual "time" to wait is instantly calculated by N1 × "the average RSS update retrieval interval". Forecasting high risk: The function ρ(A(p)) is monotonous in p in the sense that p ≤ p′
implies
ρ(A(p)) ≤ ρ(A(p′ )),
(16)
provided that the element-wise utility ai j (p) obeys the same monotonous relationship. Proving the latter is up to the particular scenario at hand, however, recalling equation (7), we could adopt a rudimentary modeling approach and state that either • the outcome is ai j with probability p, or • the outcome is zero with probability 1 − p (in case of p = 0 we would have no trust at all and would assume every scenario as a failure).
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
In light of equation (7), we conclude the expected utility for scenario (i, j) ∈ PS1 × PS2 to be E(Ui j ) = p · ai j , where ai j is a constant. It follows that the monotony of A(p) in the sense of (16) is justified in this setting. Hence, every negative update will necessarily increase the risk, and we can ask for the expected time to wait until the risk exceeds a chosen threshold. If ρ(A(p)) is monotonous in p, then we can put for any risk threshold ρ0 , r0 := min {i ∈ N : ρ(A(pi )) > ρ0 } ,
(17)
where p1 , p2 , . . . is the sequence of parameters arising from a sequence of exclusively negative updates. By formula (13) with k = 0, n = i, this sequence becomes pi =
a+i , a+b+i
for i ∈ N,
(18)
and approaches 1 as i tends to infinity. In light of (9), this models a situation of no confidence in our system. Having found r0 , we can ask for the time to wait until this particular number of negative updates will be experienced (among a possibly large number of positive updates). We will use the negative binomial distribution that counts the number k of trials until a pre-specified number r of events (negative updates) is observed. Its density function is r+k−1 r fNB (k|r, p) = p (1 − p)k , k and we denote this class as NB(r, k) with parameters r ∈ N, r > 0 and p ∈ [0, 1]. Let us call k the number of updates until the number r0 of negative updates is overshot and, consequently, the acceptable risk threshold ρ0 is exceeded. Similarly as above, we can ask
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Security Risk Measuring and Forecasting
229
for the predictive distribution of k conditional on all the information we have through the hyper-parameter (a, b), which is Z 1 r0 + n − 1 B(a + r0 , b + n) fNB (n|r0 , p)π(p|a, b)d p = , gex (k|a, b) = B(a, b) n 0 where B(·, ·) is the Beta-function. The expected number of updates is obtained from the last expression via ∞ b = r0 · N1 , (19) Nex = ∑ k · g(k|a, b) = r0 · a−1 k=0 where the actual "time", as before, is obtained by taking (Nex − 1) times the average period between two updates. It is important to notice that this number is rather pessimistic, since any positive update in between will again strengten our belief in the trustworthiness of the system. Summarizing the steps for forecasting, we discover a simple procedure: 1. Model the security system as a matrix-game, depending on a trust parameter p that is Beta-distributed. Choose a prior parameter a, b > 0. 2. Fix a risk threshold ρ0 and solve the optimization problem (17) for r0 .
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
3. Determine the expected number of updates, and consequently the expected time to wait until then, using formula (19). Example: Let us revisit the example at the beginning of Section 3 to illustrate the method. Let p be our trust parameter in the sense of (9), where the "component" now refers to a mirror that is possibly compromised. Furthermore, assume that two such mirrors fail independently, so that the chance of one mirror being attacked is p, while two mirrors are under the adversary’s control with chance p2 . In light of formula (7), we ought to replace each entry in the matrix (8) by its expectation w.r.t. the random outcome according to whether or not a mirror can be compromised. Let us consider the possible cases separately, and assume that the administrator queries two distinct mirrors Mi and M j . • if only one of the hosts has been compromised, then the attack will fail, since the checksum will disagree with the downloaded patch. The utility is therefore 1. • if both mirrors have been hacked successfully, then the attack will succeed. However, this happens with chance p2 so that, by equation (7), we end up with the expected utility E(Uii ) = p2 · 0 + (1 − p2 ) · 1, because with chance 1 − p2 , the attack will fail, thus giving revenue 1 to the administrator (player 1). The so de-randomized utility matrix comes to (2)
s1 (1) s1 1 − p2 ′ A (p) = s(1) 1 2 (1) s3 1
(2)
s2
1 1 − p2 1
(2)
s3
1 1 . 1 − p2
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
230
Stefan Rass
Our next step is the specification of a hyper-prior for the trust parameter p. Let us arbitrarily a pick the values a = 10, b = 90, giving E[Beta(a, b)] = a+b = 0.1. This means that we (subjectively) consider a mirror 90% trustworthy. Now, let us assume that 200 RSS feeds have come in, 50 of which report on bugs with the mirror’s operating systems, and 40 report on respective bug-fixes. Updating our trust in the Bayesian way is most trivial by changing the parameters accordingly: we have 50 negative, and 40 positive updates, which gives the posterior distribution p ∼ Beta(a + 50, b + 40) = Beta(60, 130),
with expectation E(p) ≈ 0.3158,
thus substantially worsening our confidence in the system (naturally, as there are still 10 unfixed security vulnerabilities in there). Judging on our so-far observed situation, we can consider p as the probability of a mirror being under attack, so that the time (i.e. number of reports) until the next notification of such an incident is geometrically distributed with parameter p. Invoking formula (15) we find that the number of updates until the next incident is reported comes to 129 = 2, N1 = 60 meaning that we can soon expect another negative incident report. Let us look at the risk that we bear in this situation. Solving the above zero-sum game for its value v(A′ ) with the updated parameter p ≈ 0.3158, we find for the vulnerability
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
ρ(A′ (p)) = 1 − v(A′ (p)) ≈ 1 − 0.9668 = 0.0332. By the known properties of the vulnerability, this means that there is a 3.32% chance of a malicious update at the moment. Though we have little confidence in the system as such, this value appears still low due to our cross-checking of the patch’s hash-value against another mirror’s information in this regard. Dropping the assumption of independent attacks and assigning individual trusts to each of these mirrors would bring us to the multivariate forecasting, sketched in the next section. However, let us continue with this simplifying assumption for now. Consider a sequence of exclusively negative updates, giving the trust parameter se60+n quence pn = 60+130+n by equation (18). Define ρn := ρ(A′ (pn )), then the risk is (necessarily) increasing upon repeated negative updates. Figure 4 displays the evolution of ρn (confirming the monotony of ρ(p) w.r.t. p) with a horizontal line indicating the point at which we exceed the acceptable threshold of ρ0 = 5% risk. This happens after r0 = 22 negative updates (cf. expression (17)). Finally, formula (19) can be used to find the expected number of updates until to observe this many negative updates, which is Nex = r0 · N1 = 22 · 2 = 44, which means that – depending on the frequency of incoming notifications – there might be still some time until action is required due to unacceptably high risk (> ρ0 ).
4.3.
Forecasting: The Multivariate Case
If the game-matrix is dependent on multiple parameters, we can consider each of them separately to be dependent on negative or positive updates. As an example of such a situation, recall Figure 1, in which the probability tree was assigned subjectively chosen likelihoods for its branches. The so-far scalar optimization problem instantly becomes multivariate if we put one or more of these parameters to Bayesian updates as described above.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Security Risk Measuring and Forecasting
231
0.11 0.1 0.09
ρ(A(pi ))
0.08 0.07 0.06 0.05
ρ0
0.04 0.03 0
10
20
30
40 50 60 number of updates
70
80
90
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Figure 4. Risk evolution upon a sequence of negative updates. Let us write ~p(~n) for the vector of these parameters, depending on a set of updates. For instance, if some parameter pi captures the trust in a particular component, then there might be certain updates that concern this component, but others that are totally unrelated. Hence, it appears reasonable to consider each parameter pi in the vector p as dependent on a (sub-)set of counts ~n = (n1 , . . . , nk ). This not only casts our original scalar optimization task (17) into a multivariate nonlinear optimization problem, but as well makes the objective function nontrivial to define. As a simple ad hoc solution, one could ask for the smallest total number of updates until the risk threshold can be exceeded. That is, we ask for the existence of a scenario under which a risk increase above the acceptable limit is possible, keeping in mind that we get the earliest and thus worst-case scenario for this to happen. The nonlinear optimization problem’s objective is in this case simply the 1-norm of the counts, subject to the usual constraint on the risk measure, i.e. minimize k~nk1 ~n∈Nk (20) subject to ρ(A(~p(~n))) > ρ0 . The forecasting procedure for the univariate case can be taken as is and transferred to the multivariate case, except that we solve problem (20) in step 2.
Example: Recycling the example of our administrator a last time, assume that the mirrors run on different operating systems, thus not necessarily sharing the same vulnerabilities.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
232
Stefan Rass
Hence, we can use three trust parameters p1 ∼ Beta(a1 , b1 ), p2 ∼ Beta(a2 , b2 ), and p3 ∼ Beta(a3 , b3 ), with (artificially chosen) hyperparameters (a1 , b1 ) = (50, 40), (a2 , b2 ) = (80, 90) and (a3 , b3 ) = (100, 80). Notice that there is no longer a sequence of negative updates that we can consider, since each of these parameters must be treated separately. Hence, we have the vector-valued parameter ~p(n1 , n2 , n3 ) = (E[Beta(a1 + n1 , b1 )], E[Beta(a2 + n2 , b2 )], E[Beta(a3 + n3 , b3 )]) a1 + n1 a2 + n2 a3 + n3 , , = . a1 + b1 + n1 a2 + b2 + n2 a3 + b3 + n3 Retaining the assumption that the events of a successful hack are independent, the gamematrix now becomes (cf. Table 1a) (2)
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
A′ (p1 , p2 , p3 ) =
s1
(1) s1 1 − p1 p2 (1) s2 1 (1) s3 1
(2)
(2)
s2
1 1 − p1 p3 1
s3
1 . 1 1 − p2 p3
Solving the optimization problem (20) with a risk-constraint of ρ0 = 0.15 gives a minimum at (n1 , n2 , n3 ) = (51, 81, 54). As before, this minimum is a rather pessimistic estimate, and only marks one possible worst-case (and not necesarrily unique) scenario. That is, the earliest point in time where we would expect our risk to exceed the threshold ρ0 = 15% is after 51 + 81 + 54 = 186 negative updates. This number must always be considered in connection with the parameter values (n1 , n2 , n3 ), as for instance even 200 negative updates solely on p1 would still give a vulnerability of ρ(A′ (200, 0, 0)) ≈ 0.1194 < ρ0 , which would be considered as acceptable.
5.
Conclusion
Game-theoretic vulnerability assessment in the way we described it above has been introduced in [19] and is compactly summarized in [22]. Related attempts to formalize vulnerability and risk on game-theoretic grounds are found in [1, 5, 15, 35] and [4], as well as in [26] who uses cooperative games for the same purpose. Despite it being well-founded on decision-theoretic grounds, computational complexity is a considerable issue when implementing the approach as such. Considering communication risk (such as done in [22]) calls for identification of node-disjoint paths and enumeration of subsets of such paths. This task can be at the edge of feasibility for large networks. Heuristic approaches are needed to overcome this, which by now is still an open research problem. The model is in several ways open for improvement. Regarding the update process from RSS feed information, we need to soundly define how much an update "is related" to the system at hand. There will be notifications that are more or less relevant than others, but the procedure as described here would not account for any such differences. Furthermore,
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Security Risk Measuring and Forecasting
233
even classifying the RSS feed update as relevant is a nontrivial problem falling into the field of information retrieval and data mining. We leave this aspect aside here for its being out of the scope of this chapter, however, joint research in the area of computer security and information retrieval might be stipulated by this issue. Going one step further, we can as well ask for the quality of various online and offline resources regarding information about our security system. Taking this into account adds another dimension of complexity to the (Bayesian) updating process. However, even with all these problems in mind, most evidence obtained from however trustworthy resources is up to a subjective valuation before taken into account for an alarming system. A better indication than expertise, experience or ongoing research result reports is surely demanding, yet perhaps difficult to find. The Bayesian approach is common [8, 10, 13, 17, 30], yet alternatives based on plausibilitytheory [9] or Petri-nets [36] exist as well. Putting the statistical model to question, we could replace the Beta-prior by another (perhaps more convenient or appropriate) distribution. Such as for example, if our (trust) parameter is no longer a probability, then other distributions may come handy. On the contrary, one could as well drop the independence assumption among updates, thus invalidating the binomial likelihood. While these choices have been made for technical convenience, they impose not too stringent assumptions and appear adequate. If not, then the Bayesian updating, in particular the evaluation of the denominator in expression (11), is most likely up to numeric integration algorithms, so that closed form expressions no longer exist. Efficiency of the involved numerics in that case can become yet another bottleneck limiting performance of the forecasting system. Another open road is using the large field of timeseries forecasting with the risk estimation method sketched here. Getting into the respective details is much beyond the scope of this chapter, and therefore left to the reader. Finally, the forecasting system itself – as being part of the system – needs protection, and can (perhaps) be put to risk forecasting too. Competing approaches in risk management and risk forecasting as well take human behavior into account [29]. This reference provides a sophisticated discussion about the human intelligence quotient and its possible use in risk forecasting. Projects related to vulnerability assessment and interaction management include the MICIE project (see http://www.micie.eu/). The modeling approach pursued in this project, as well as the related NIST recommendation [31] is perfectly compatible with the vulnerability assessment based on game-theory. Other related or conceptually different approaches, besides the references above, are found in [2,12,27,34] and references therein.
References [1] A. Alazzawe, A. Nawaz, and M. M. Bayraktar. Game theory and intrusion detection systems (whitepaper). Technical report, Stanford University, 2006. [2] O. Alhazmi, Y. Malaiya, and I. Ray. Measuring, analyzing and predicting security vulnerabilities in software systems. Computers & Security, 26(3):219–228, 2007. [3] T. Alpcan and T. Ba¸sar. Network Security: A Decision and Game Theoretic Approach. Cambridge University Press, 2010.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
234
Stefan Rass
[4] T. Aven. A unified framework for risk and vulnerability analysis covering both safety and security. Reliability Engineering & System Safety, 92(6):745–754, 2007. [5] H. Cavusoglu, S. Raghunathan, and W. T. Yue. Decision-theoretic and game-theoretic approaches to it security investment. Journal of Management Information Systems, 25(2):281–304, 2008. [6] T. M. Cover and J. A. Thomas. Elements of information theory. Wiley, New York, 1991. [7] S. Evans and J. Wallner. Risk-based security engineering through the eyes of the adversary. In Proceedings from the Sixth Annual IEEE Systems, Man and Cybernetics (SMC) Information Assurance Workshop, pages 158–165. IEEE, 2005. [8] C. Fan and Y. Yu. BBN-based software project risk management. Journal of Systems and Software, 73(2):193–203, 2004. [9] N. Feng and M. Li. An information systems security risk assessment model under uncertain environment. Applied Soft Computing, 2010. (article in press). [10] F. Foroughi. Information security risk assessment by using bayesian learning technique. In Proceedings of the World Congress on Engineering, volume 1, July 2–4 2008. [11] R. Gibbons. A Primer in Game Theory. Pearson Education Ltd., 1992.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
[12] L. Grunske and D. Joyce. Quantitative risk-based security prediction for componentbased systems with explicitly modeled attack profiles. Journal of Systems and Software, 81(8):1327–1345, 2008. [13] Y. Hu, J. Chen, H. Jiaxing, L. Mei, and X. Kang. Analyzing software system quality risk using bayesian belief network. In Proceedings of the 2007 IEEE International Conference on Granular Computing, pages 93–96, 2007. [14] S. Jajodia, S. Noel, and B. O’Berry. Massive Computing, chapter Topological Analysis of Network Attack Vulnerability, pages 247–266. Springer US, 2005. [15] M. Kodialam and T. Lakshman. Detecting network intrusions via sampling: a game theoretic approach. In IEEE INFOCOM, volume 3, pages 1880–1889, San Francisco, California, USA, 2003. [16] S. Kurowski and S. Frings. Computational documentation of IT incidents as support for forensic operations. In Proceedings of the 6th International Conference on IT Security Incident Management & IT Forensics (IMF), pages 37–47. IEEE Computer Society Press, 2011. [17] E. Lee, Y. Park, and J. Shin. Large engineering project risk management using a bayesian belief network. Expert Systems with Applications, 36(3):5880–5887, 2009. [18] Combinatorial analysis utilizing logical dependencies residing on networks (CAULDRON), 2008. http://ait.gmu.edu/~csis/. Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Security Risk Measuring and Forecasting
235
[19] S. Rass. On Information-Theoretic Security: Contemporary Problems and Solutions. PhD thesis, Klagenfurt University, Institute of Applied Informatics, June 2009. [20] S. Rass. Towards a rapid-alert system for security incidents. In Proceedings of the 6th International Conference on IT Security Incident Management & IT Forensics (IMF), pages 122–136. IEEE Computer Society Press, 2011. [21] S. Rass and P. Schartner. Game-theoretic security analysis of quantum networks. In Proceedings of the Third International Conference on Quantum, Nano and Micro Technologies, pages 20–25. IEEE Computer Society, February 2009. [22] S. Rass and P. Schartner. A unified framework for the analysis of availability, reliability and security, with applications to quantum networks. IEEE Transactions on Systems, Man, and Cybernetics – Part C: Applications and Reviews, 40(5):107–119, 2010. [23] S. Rass and P. Schartner. Information-leakage in hybrid randomized protocols. In J. Lopez and P. Samarati, editors, Proceedings of the International Conference on Security and Cryptography (SECRYPT), pages 134–143. SciTePress – Science and Technology Publications, 2011. [24] C. P. Robert. The Bayesian choice. Springer-Verlag, New York, 2001. [25] S. Schechter. Toward econometric models of the security risk from remote attack. IEEE Security and Privacy, 3(1):40–44, 2005.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
[26] S. E. Schechter. Computer security strength and risk: a quantitative approach. PhD thesis, Harvard University, Cambridge, MA, USA, 2004. [27] B. Schneier. Attack trees. Dr. Dobb’s Journal of Software Tools, 24(12):21–29, 1999. [28] C. Shannon. Communication theory of secrecy systems. Bell System Technical Journal, 28:656–715, 1949. [29] A. H. Shapiro. Searching for security by predicting risk. Journal of Military and Strategic Studies, 7(4):1–11, 2005. [30] T. Sommestad, M. Ekstedt, and P. Johnson. A probabilistic relational model for security risk analysis. Computers & Security, 29(6):659–679, 2010. [31] G. Stoneburner, A. Goguen, and A. Feringa. Risk management guide for information technology systems. Technical Report 800-30, National Institute of Standards and Technology, July 2002. R NESSUS – the vulnerability scanner. www.nessus.org, [32] Tenable Network Security . 2011.
[33] Y. Wang and Y. Desmedt. Perfectly secure message transmission revisited. IEEE Transactions on Information Theory, 54(6):2582–2595, 2008. Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
236
Stefan Rass
[34] G. H. Wold and R. F. Shriver. Risk analysis techniques. Disaster Recovery Journal, 1997. [35] Z. Ying, H. Hanping, and G. Wenxuan. Network security transmission based on bimatrix game theory. Wuhan University Journal of Natural Sciences, 11(3):617–620, 2006.
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
[36] D. Yu and D. Frincke. Improving the quality of alerts and predicting intruder’s next goal with hidden colored petri-net. Comput. Netw., 51(3):632–654, 2007.
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
INDEX A
C
access, 12, 20, 23, 53, 81, 88, 89, 93, 95, 96, 99, 102, 116, 155, 217 adjustment, 140 algorithm, viii, 2, 29, 60, 67, 92, 93, 113, 116, 126, 130, 131, 146, 149, 150, 151, 152, 153, 155, 156, 158, 159, 160, 164, 165, 172, 174, 175, 177, 179, 185, 188, 189, 190, 193 amplitude, 134, 139, 192, 201 annihilation, 201 ANS, 208 arithmetic, 57, 160, 161, 185, 226 Asia, 111 assessment, ix, 127, 213, 232, 233 assets, 214 atoms, 134, 188 attacker, 8, 92, 93, 94, 97, 98, 101, 102, 156, 214, 219, 222, 224 Austria, 213 authentication, vii, viii, 1, 5, 6, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 49, 55, 74, 75, 78, 80, 84, 87, 91, 92, 94, 95, 96, 98, 99, 100, 102, 103, 105, 107, 108, 109, 110, 111, 188, 201, 209 authenticity, 164 authorities, 54 automation, 111
candidates, 166 cash, 84, 88 catalysis, 82 category b, 116 cell phones, viii, 159 challenges, 69, 130, 188 chaos, 145, 158 citizens, 189 City, 86 classes, 3, 80, 102, 194 classical logic, 54 classification, 47 clone, 36, 47, 101 cloning, 3, 57, 76, 79, 84, 101, 108, 109, 110, 140, 144, 194, 203 coding, 4, 78, 79, 88, 187, 191, 192, 199, 208 coherence, 80, 87, 139 color, 114, 115, 117, 131 combinatorics, 223 commerce, vii, 191 commercial, 189, 190 communication, viii, ix, 1, 2, 4, 6, 7, 9, 10, 12, 13, 18, 19, 21, 26, 31, 33, 42, 58, 59, 64, 69, 71, 74, 77, 78, 79, 80, 81, 83, 88, 94, 97, 98, 99, 102, 104, 107, 133, 134, 142, 143, 164, 187, 188, 189, 191, 193, 194, 196, 197, 198, 199, 200, 201, 202, 203, 204, 206, 209, 210, 227, 232 communication systems, 6, 21, 33, 188 community, 158 competition, 214, 215, 219 complexity, 3, 31, 32, 67, 80, 107, 190, 197, 232, 233 compliance, 22 composition, 104 compression, 156, 157, 158 computation, 2, 3, 17, 76, 83, 84, 88, 94, 96, 107, 143, 160, 163, 190, 208 computational performance, 98 computer, vii, 3, 45, 52, 78, 83, 84, 88, 190, 191, 221, 233
B banking, viii, 159 base, 26, 192, 194, 196, 227 Bayesian learning, ix, 213 beams, 202 behaviors, 134, 143, 207 benefits, 4 boils, 216, 226 bounds, 52, 78, 173, 183, 223
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
238
Index
computing, 2, 66, 94, 99, 101, 160, 175, 189 conference, 111 confidentiality, 78, 146, 164, 188, 189, 201 Congress, 234 congruence, 160, 180 construction, 16, 17, 18, 26, 44, 66, 76, 115, 119, 120, 121, 124, 125, 126, 224, 227 convention, 220, 226 convergence, 216, 217 correlation, 19, 50, 55, 56, 116, 128, 129, 196, 197, 198, 203, 207 correlations, 19, 54, 196, 211 cost, vii, 91, 98, 117, 197, 227 covering, 234 criticism, 227 cryptography, vii, viii, ix, 4, 32, 51, 52, 59, 60, 78, 82, 85, 88, 91, 92, 108, 110, 111, 113, 114, 117, 131, 133, 144, 145, 146, 158, 159, 160, 182, 185, 187, 188, 189, 190, 200, 207, 208, 211, 213, 220, 221
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
D data mining, 233 data processing, 205 data structure, 56 database, 26, 27, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 104, 105, 106, 107 decoding, 7, 22, 31, 39, 40, 42, 56, 62, 190, 191 decomposition, 114 defects, 115, 117, 193 deficiencies, 189 degradation, viii, 113, 114, 115, 123, 157 denial, 93 density matrices, 11, 44, 51, 63 desynchronization, 103, 104, 105, 106, 107, 108 detection, 134, 192, 196, 197, 201, 202, 203, 206, 207, 217, 233 determinism, 199, 218 deviation, 145, 226 diffraction, 144 diffusion, 157 direct measure, 194 disclosure, 83, 105, 106, 108, 223 discrete random variable, 8 discrete variable, 188, 192, 203, 207 dispersion, 134, 144 displacement, 201 distillation, 79, 80, 87, 192 distribution, viii, ix, 1, 18, 36, 45, 47, 48, 49, 55, 58, 60, 77, 78, 82, 85, 86, 88, 133, 134, 143, 144, 145, 187, 188, 190, 191, 198, 200, 202, 203, 208, 209, 210, 211, 213, 217, 218, 220, 225, 226, 227, 228, 229, 230, 233 distribution function, 226 dominance, 219
E eavesdropping, 6, 44, 46, 55, 79, 83, 97, 103, 142, 189, 192, 193, 194, 195, 197, 198, 199, 202, 203, 207, 210, 220 e-commerce, 164, 189 editors, 235 electromagnetic, 202 e-mail, 159, 164 employment, 4 encoding, 6, 7, 8, 9, 10, 11, 12, 21, 22, 39, 40, 45, 46, 51, 52, 55, 56, 61, 64, 118, 119, 120, 121, 123, 124, 125, 126, 127, 188, 189, 190, 191, 193, 196, 200, 201 encryption, viii, 2, 6, 7, 9, 32, 40, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 55, 58, 60, 80, 85, 113, 115, 116, 117, 126, 128, 130, 131, 145, 146, 147, 148, 150, 151, 153, 155, 156, 157, 158, 159, 160, 164, 165, 167, 185, 189, 190, 194 engineering, vii, 9, 20, 39, 52, 56, 69, 234 entropy, 8, 9, 10, 12 environment, 6, 7, 8, 10, 14, 15, 19, 26, 45, 58, 70, 72, 79, 234 EPC, 93, 94, 95, 96, 98, 100, 101, 109, 110, 111 EPR, 21, 23, 78, 85, 141, 191, 196, 198, 199, 200 equality, 84 equilibrium, 216, 217, 219 error detection, 156 evidence, ix, 213, 233 evolution, 3, 5, 24, 188, 230, 231 execution, 94 expertise, 225, 233 exposure, 97 extracts, 105, 107
F Fabrication, 144 fairness, 130 fiber, 21, 134, 143, 144, 193 fiber optics, 21 fidelity, 45, 72, 191 filters, 136, 144 fingerprints, 26, 27, 28, 29, 30, 31 force, 146 Ford, 143 forecasting, ix, 213, 214, 215, 223, 225, 227, 229, 230, 231, 233 formula, 4, 13, 17, 228, 229, 230 foundations, 185 France, 159 freedom, 3, 198, 200, 222 fusion, 78
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Index
G game theory, 215, 219, 236 garbage, 49 guessing, 92, 156
H
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Hilbert space, 7 historical overview, 189 history, 2, 78, 83 human, 114, 120, 125, 233 human behavior, 233 Hungary, 1 hybrid, 235
239
J Japan, 86
L lattices, viii, 146, 158, 159, 160, 174 laws, viii, 65, 187, 188, 191, 192 lead, viii, 66, 114, 123, 187 leakage, 108 leaks, 56, 62 learning, ix, 25, 213, 234 light, 20, 86, 135, 140, 214, 228, 229 low-cost protocols., vii, 91 Luo, 158
I
M
ideal, 10, 19, 25, 44, 66, 191, 192, 194 identification, 28, 82, 92, 93, 98, 102, 104, 105, 107, 110, 143, 232 identity, 31, 33, 39, 41, 66, 67, 72, 106 image, viii, 113, 114, 116, 117, 118, 120, 123, 126, 127, 128, 130, 131, 146, 153, 156, 157, 158 imagery, 158 images, vii, viii, 113, 114, 115, 116, 117, 118, 119, 120, 121, 123, 124, 125, 126, 127, 128, 129, 130, 131 IMF, 234, 235 improvements, 47, 105, 107, 109 independence, 233 India, 82, 144 induction, 169, 176 industry, viii, 159 inequality, 37, 38, 179, 196, 206 information processing, vii, 1, 3, 4, 65, 66, 87, 201, 207 information retrieval, 202, 233 information sharing, 56 infrastructure, ix, 188, 213, 217, 220, 221, 227 ingredients, 75, 77, 215 initial state, 44, 200 integration, 74, 233 integrity, 78, 109 intelligence, 233 intelligence quotient, 233 interference, 140 interrogations, 101 intrusions, 234 inventors, 62, 192 investment, 234 issues, 72, 80, 114, 115, 214 Italy, 82
machinery, 155 Malaysia, 91 management, 114, 214, 233, 235 manipulation, 3, 141 mapping, 215 mathematics, vii, viii, 67, 159, 160 matrix, 10, 23, 41, 45, 50, 51, 92, 117, 157, 174, 175, 176, 181, 192, 216, 217, 219, 222, 223, 224, 225, 227, 229, 232 matter, 42, 43, 214, 219, 221 measurement, 3, 21, 22, 23, 24, 25, 26, 54, 55, 63, 66, 70, 74, 75, 142, 194, 196, 197, 198, 199, 200, 206 measurements, 25, 26, 54, 55, 63, 83, 89, 187, 199, 200, 207 media, 134, 144, 191 median, 226 memory, 92, 98, 101, 102, 103, 106, 107 message length, 65 messages, viii, 5, 7, 10, 12, 24, 26, 33, 34, 35, 38, 43, 44, 45, 47, 48, 49, 50, 51, 60, 62, 63, 64, 78, 79, 82, 103, 105, 146, 167, 187, 188, 189, 198, 199, 209, 227 methodology, 115, 118 models, ix, 14, 69, 213, 219, 228, 235 modifications, 47 modulus, 160, 161, 164, 165, 166, 167, 172, 173, 182 momentum, 201, 202 Morocco, 187 motivation, 78, 188, 215 multimedia, 157 multiplication, 92, 102 multivariable quantum key distribution, 133
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
240
Index
N naming, 192 nodes, 223, 224 normalization constant, 226
O operating system, 230, 231 operations, 7, 58, 59, 66, 91, 92, 102, 103, 104, 106, 107, 108, 117, 118, 120, 165, 187, 234 optical fiber, 78, 79, 88, 191, 192, 207 optimization, 219, 223, 226, 227, 229, 230, 231, 232 overlap, 71, 72
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
P parallel, 189, 200 parameter estimation, 204 parity, 52, 103, 138, 143 participants, viii, 52, 54, 57, 113, 114, 123, 203 password, 93, 99 permission, 20, 53 permit, 198, 207 phase shifts, 135 photons, 138, 140, 143, 188, 191, 192, 193, 194, 195, 196, 198, 199, 200, 201, 202, 203 physical laws, 188 physics, viii, ix, 65, 67, 78, 86, 87, 187, 188, 191, 208 pitch, 189 plausibility, 233 playing, 214 polarization, 138, 139, 140, 144, 192, 193, 195, 196, 198, 199, 200 preparation, 80, 81, 188, 214, 215 prevention, 217 principles, 121, 131 private information, 6, 7, 8, 13, 14, 15, 79, 188, 190 private quantum communications, vii, 1, 2, 79 probability, 6, 8, 17, 21, 24, 25, 27, 28, 29, 30, 31, 35, 38, 41, 42, 45, 51, 54, 55, 63, 64, 71, 72, 92, 115, 117, 121, 124, 125, 126, 140, 193, 194, 196, 200, 202, 216, 217, 218, 220, 221, 222, 224, 225, 228, 230, 233 probability distribution, 8, 21, 63, 202, 217, 225 probe, 105 project, 233, 234 propagation, 134, 135, 140 proposition, 169 protection, ix, 87, 94, 96, 99, 107, 109, 111, 201, 213, 214, 223, 233 purity, 44
Q quantum bits, 7, 37, 55, 66, 138, 140, 143 quantum computing, 2, 3, 81 quantum cryptography, vii, viii, ix, 5, 6, 12, 18, 19, 46, 55, 66, 78, 79, 83, 87, 88, 89, 143, 187, 188, 191, 195, 197, 199, 200, 202, 203, 208, 209, 210, 211 quantum entanglement, 5, 19, 24, 143, 199, 209 quantum fluctuations, 204 Quantum Key Distribution (QKD), vii, 1 quantum mechanics, 4, 6, 22, 32, 47, 56, 65, 69, 86, 191, 202 quantum networks, 133, 235 quantum optics, 78 quantum register, 34, 69, 70, 73 quantum state, viii, 2, 3, 6, 7, 8, 9, 10, 18, 19, 21, 22, 25, 26, 27, 28, 29, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 42, 43, 44, 45, 46, 48, 49, 50, 51, 52, 53, 55, 56, 57, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 72, 73, 74, 75, 76, 77, 79, 80, 85, 86, 133, 187, 196, 201, 202, 204 qubits, 23, 25, 29, 31, 34, 57, 69, 81, 138, 139, 140, 143, 144, 191, 192, 193, 194, 195, 196, 197, 200 query, 93, 99, 100, 222
R radio, 93, 110, 193 radius, 9, 10, 12, 135, 136, 140, 144 random numbers, 33, 96, 102, 105, 203 reading, 101, 200 real time, 156 reality, 3, 6, 78, 208 recall, 28, 165, 230 recalling, 228 reception, 188 reconciliation, 55, 83, 193, 194, 205, 206 recovery, 118, 119, 126, 144 reflectivity, 135 refractive index, 135, 136, 137 regenerate, 56, 58 rejection, 40 relational model, 235 relevance, 19, 26, 52, 53, 78 reliability, 18, 37, 52, 235 repetitions, 216 requirements, 24, 45, 47, 114, 119, 121, 155, 156, 207 researchers, 3, 92, 114, 116 resilience, 224 resistance, 98, 146, 155 resonator, viii, 133, 134, 135, 136, 137, 139, 140, 143, 144 resources, ix, 187, 192, 233 response, 105, 140 response time, 140
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
Index restrictions, 83 revenue, 214, 215, 216, 217, 218, 219, 224, 229 rings, 137, 160 risk, ix, 44, 213, 214, 215, 220, 221, 222, 223, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235 risk assessment, ix, 213, 214, 215, 234 risk management, 214, 223, 233, 234 robotics, 111 root, 180 roots, 160, 179, 185 Royal Society, 85 rules, 147, 155, 156
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
S safety, 190, 204, 205, 234 science, vii, 189 scope, 217, 233 second generation, 197 Second World, 189 secure communication, 1, 6, 45, 78, 145, 146, 155, 156, 158, 188, 190, 191, 198, 201, 203, 207, 220 security, vii, viii, ix, 1, 2, 3, 4, 5, 6, 9, 10, 12, 18, 19, 20, 22, 24, 25, 26, 32, 34, 36, 37, 39, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 55, 56, 58, 60, 62, 63, 64, 65, 67, 69, 70, 71, 72, 74, 76, 77, 78, 80, 84, 87, 88, 91, 92, 95, 96, 97, 98, 103, 104, 108, 109, 110, 111, 114, 120, 126, 128, 129, 131, 133, 134, 138, 140, 143, 145, 146, 155, 159, 161, 188, 189, 190, 191, 192, 193, 197, 200, 204, 205, 206, 207, 208, 213, 214, 215, 218, 219, 221, 222, 225, 229, 230, 233, 234, 235, 236 seed, 93 sensitivity, 145, 154, 155 shape, 161, 181 shareholders, 52, 53 showing, 183 signals, 136, 137, 138, 143, 188, 200, 202, 203, 204, 206 signal-to-noise ratio, 126 simulation, 136, 141, 142 simulations, 151 Singapore, 86 single cap, 16 skimming, 101 software, ix, 213, 233, 234 solitons, viii, 133, 134, 136, 137, 144 solution, 2, 28, 55, 59, 60, 134, 143, 179, 190, 231 state, 2, 4, 7, 8, 9, 10, 11, 12, 15, 21, 22, 23, 26, 27, 28, 32, 33, 34, 35, 36, 37, 38, 40, 41, 42, 45, 50, 54, 55, 56, 57, 58, 60, 64, 67, 68, 72, 74, 75, 76, 79, 80, 81, 139, 141, 147, 160, 187, 188, 194, 196, 197, 198, 199, 200, 201, 202, 203, 204, 210, 215, 228 states, 3, 6, 7, 9, 10, 11, 12, 17, 19, 20, 21, 22, 26, 27, 28, 29, 31, 34, 35, 36, 37, 38, 42, 44, 45, 47, 50, 51, 55, 56, 59, 63, 64, 65, 66, 67, 69, 70, 71, 72, 73, 74, 78, 79, 82, 83, 87, 88, 139, 140, 144,
241
187, 188, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210 storage, 107, 114, 190 structure, 57 substitution, 157 Sun, 100, 101, 105, 111 symmetry, 195 synchronization, 94, 143
T Taiwan, 113, 131 taxonomy, 222 techniques, viii, 3, 4, 6, 26, 28, 56, 93, 187, 188, 189, 190, 191, 192, 193, 203, 206, 214, 236 technologies, 144 technology, 188, 207, 235 telephone, 83 testing, 44, 153, 190 Thailand, 133 threats, 93, 214 TID, 99 trade-off, 202 transactions, 74 transformation, 6, 7, 9, 10, 21, 32, 33, 34, 35, 40, 42, 51, 56, 57, 60, 64, 67, 68, 70, 74, 188, 197, 200 transformations, 6, 7, 10, 22, 40, 42, 56, 57, 65, 68, 71, 74, 76 transmission, 2, 4, 6, 7, 9, 16, 17, 31, 42, 45, 47, 84, 88, 133, 138, 140, 144, 156, 188, 190, 192, 193, 196, 197, 198, 199, 200, 201, 202, 204, 205, 206, 207, 220, 222, 224, 235, 236 transportation, 134 trial, 204, 216 trustworthiness, 229
U uniform, 21, 145, 225 updating, 93, 96, 102, 103, 104, 105, 107, 225, 226, 227, 233 USA, 81, 85, 234, 235
V vacuum, 135, 136, 201 validation, 39, 40 valuation, 214, 233 variables, 8, 105, 188, 201, 202, 203, 204, 207, 210, 211, 218, 226 variations, 52 vector, 92, 146, 148, 150, 175, 176, 215, 231 velocity, 134 visual secret sharing (VSS), viii, 113, 114 visual system, 120, 125
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,
242
Index
vocabulary, 222 vote, 20, 21, 22, 23 voting, 20, 21 vulnerability, ix, 104, 106, 213, 220, 222, 230, 232, 233, 234, 235
weakness, 165, 189 web, 159, 190 web sites, 190 wireless systems, 81 wood, 189 workstation, 141
W Y yield, 119, 222, 227
Copyright © 2012. Nova Science Publishers, Incorporated. All rights reserved.
Washington, 88 wave propagation, 135, 136 wavelengths, viii, 133, 134, 136, 137, 138, 140, 141
Cryptography : Protocols, Design, and Applications, Nova Science Publishers, Incorporated, 2012. ProQuest Ebook Central,