Quantum no-key protocols for secret transmission of quantum and classical message

# Quantum no-key protocols for secret transmission of quantum and classical message

## Abstract

A theoretical framework of quantum no-key (QNK) protocol has been presented. As its applications, we develop three kinds of QNK protocols: the practical QNK protocols, the QNK protocol based on quantum perfect encryption, and the QNK protocols based on Boolean function computing. The security of these protocols is based on the laws of quantum mechanics, other than computational hypothesis.

###### keywords:
quantum cryptography, quantum no-key protocol, quantum message oriented, man-in-the-middle attack, unconditional security

## 1 Introduction

The earliest group of quantum message oriented protocols is suggested in Boykin00 (); Ambainis00 (); Nayak07 (), which can be regarded as a quantum version of one-time pad, the sender and the receiver must preshare secretly a classical key. Later, a public-key encryption scheme of quantum message is proposed Yang03 (). Recently, this kind of public-key cryptosystems has been developed Yang10 ().

Here we consider another technique to securely transmit quantum message, so called quantum no-key (QNK) protocol. No-key protocol was first proposed by Shamir Menezes97 (). It is a wonderful idea to transmit classical messages secretly in public channel, independent of the idea of public-key cryptosystem and that of secret-key cryptosystem. However, the protocol presented is computationally secure, cannot resists a man-in-the-middle(MIM) attack. Yangli02a (); Yangli02 () develop a quantum from of no-key protocol based on single-photon rotations, which can be used to transmit classical and quantum messages secretly. It can be seen that the security of the QNK protocol is based on the laws of quantum mechanics, so it is beyond computational hypothesis. Yangli03 () proposed a protocol based on quantum computing of Boolean functions. This protocols is constructed with inherent identifications in order to prevent MIM attack. Similar to the idea of QNK protocol, Kanamori et al.Kanamori05 () proposed a protocol for secure data communication, Kye et al.Kye05 () proposed a quantum key distribution scheme, and Kak Subhash07 () proposed a three-stage quantum cryptographic protocol for key agreement.Wu09 () presents a practical QNK protocol, and studied a new kind of attack named unbalance-of-information-source (UIS) attack. This kind of attack may also be effective to quantum secure direct communication protocols, such as those in Beige01 (); Bostrom02 (); Deng2003 (); Deng2004 ().

In this paper, we establish a theoretical framework of QNK protocol in Section 2. Then we discuss some practical QNK protocols in Section 3. Based on quantum perfect encryption, we proposed a more general QNK protocol in Section 4. Finally, some protocols based on Boolean function computing are discussed in Section 5.

## 2 Essentials of quantum no-key protocol

### 2.1 Classical no-key protocol

Shamir’s no-key protocol Menezes97 () is an encryption scheme to transmit messages without preshared keys. Assume encryption functions and are commutative, . His idea is as follows:

1. Alice encrypts the message with and sends Bob the message .

2. Bob encrypts with and sends Alice the message .

3. Alice decrypts through and sends Bob

 C3=DA(EB(EA(M)))=DA(EA(EB(M)))=EB(M).
4. Bob decrypts with to get .

The key point of this idea is that the two encryption functions and must be commutative,

 EB(EA(∗))=EA(EB(∗)). (1)

### 2.2 Some basic results relative to QNK protocol

Lemma 1: Operators and are unitary similar. If there exists unitary transformations and such that , then

 [NP−1⊗(PM)T−I]→B=0,P−1BP=A;

or

 [N⊗MT−P−1⊗PT]→A=0,P−1AP=B;

where is unitary, are realignments of A, B, respectively.

Proof: Operators and are unitary similar, so there exists unitary transformation satisfying . From , it can be inferred that . Then we can conclude . That is .

Operators and are unitary similar, so there exists unitary transformation satisfying . From , it can be inferred that . Then we can conclude . That is , where and is unitary.

Theorem 1: Given four groups of operators , each group is a complete orthogonal basis of unitary operator space. If , then

 [e−iφ(k,l)N⊗MT−A†k⊗ATk]−→B†l=0,∀k,l,

where is a unitary transformation only depending on , and is a unitary transformation only depending on .

Proof: Because is a complete orthogonal basis of unitary operator space, there exists satisfying .

Because , and is unitary, it can be inferred that . Then

 CkAk=Ck(∑lαlBl)Ak=∑lαleiφ(k,l)D†l,∀k.

Let , then . Thus is a unitary transformation only depending on .

In the same way, we can acquire

 DlBl=∑kβkeiφ(k,l)A†k,∀l.

Let , then . Thus is a unitary transformation only depending on .

From and , it can be concluded that ,. Because , one can obtain , so . Because and are unitary similar, one can conclude from the Lemma 1 that

 [e−iφ(k,l)N⊗MT−A†k⊗ATk]−→B†l=0,∀k,l.

Theorem 2: Suppose satisfy the conditions in Theorem 1, and , , . Then is sufficient and necessary for .

Proof: (sufficient) From , we can know . Because , , then .

(necessary) From and , , we know that and . Because , . Then

### 2.3 Quantum commutative transformation and QNK protocol

Usually, we call two quantum transformation and are commutative if . Sometimes in this paper we prefer an entended definition: . Similar to commutative algorithm in Shamir’s classical no-key protocol, quantum commutative transformations are used to construct QNK protocol.

Let and are two sets of unitary operations, we suppose each pair of and are commutative. The QNK protocol is as follows:

1. Alice randomly selects a number , and encrypts quantum state with , and sends Bob .

2. Bob randomly selects a number , and encrypts with and sends Alice .

3. Alice decrypts with and sends Bob .

4. Bob decrypts with , and gets .

Proposition 1: Suppose both and are unitary transformations. Then the three conditions , and are equivalent.

Proof: It can be seen that, if and satisfies any one of the following conditions:

 UAUB=UBUA, (2) U†BU†A=U†AU†B, (3) UBU†A=U†AUB, (4)

then holds. Because and are unitary transformations, and . From the identity , we can deduce all of the above three identities (2),(3),(4). Thus is equivalent with any one of the three identities. This means the three conditions are equivalent.

Remark 1: Three instances of quantum commutative transformation are as follows:

1. Making a transformation directly on the bases:

 UA(∑mαm|m⟩)=∑mαm|m⊕sA⟩,
 UB(∑mαm|m⟩)=∑mαm|m⊕sB⟩,
2. Making use of an auxiliary register:

 UA(∑mαm|m⟩|s⟩)=∑mαm|m⟩|s⊕FA(m)⟩,
 UB(∑mαm|m⟩|s⟩)=∑mαm|m⟩|s⊕FB(m)⟩,
3. Making use of two auxiliary registers:

 UA(∑mαm|m⟩|0⟩|0⟩)=∑mαm|m⟩|FA(m)⟩|0⟩,
 UB(∑mαm|m⟩|0⟩|0⟩)=∑mαm|m⟩|0⟩|FB(m)⟩,

Remark 2: The protocol in this section does not have inherent identification and cannot resistant man-in-the-middle attack. For example, if Eve intercepts , she does nothing before sends it back to Alice, Alice decrypts with and sends , thus Eve can obtain the message . Therefore, we have to construct QNK protocol with personal identification.

### 2.4 Theoretical framework of quantum no-key protocol

Quantum message space is denoted as . Two sets of pair operators and are two public sets of unitary operators which performs on , where . Alice uses the set , while Bob uses the set . Suppose Alice wants to send quantum message . The framework of quantum no-key protocol is as follows:

1. Alice randomly selects a number , then performs on the quantum message , and gets . Then she sends to Bob.

2. Bob receives the message , then randomly selects . He performs on , and gets . Then he sends to Alice.

3. Alice receives , then performs on and gets . Then she sends to Bob.

4. Bob receives , then performs on and gets .

Note that the number and are selected from two independent uniform distributions.

Proposition 2: The protocol holds if and only if , .

Proof: It is obvious that the protocol holds if and only if

 ρ=V′lU′kVlUkρU†kV†lU′†kV′†l,∀ρ∈HM,∀k,l∈{0,1,⋯,d}

. That means, the protocol holds if and only if ,

According to Theorem 1, we conclude from that

 [e−iφ(k,l)N⊗MT−U†k⊗UTk]−→V†l=0,∀k,l∈{0,1,⋯,d}, (5)

where is a unitary transformation only depending on , and is a unitary transformation only depending on . Thus, the following proposition holds.

Proposition 3: Eq.(5) is a necessary condition for the protocol holding.

Let us consider a special case of , . According to Theorem 2 and Proposition 2, we can infer that

Proposition 4: Suppose the conditions , are satisfied, then the protocol holds if and only if ,

Let us consider a more general framework of quantum no-key protocol, in which two ancillary states are used. Suppose Alice will send quantum message . The ancillary states used by Alice and Bob are and , respectively. The framework of QNK protocol is described as (see Figure 1):

1. Alice randomly prepare a quantum state , then performs on the quantum states and gets . Then she sends to Bob the first cipher state ,

 ρ1=trA(UA(ρA⊗ρ)U†A)≜EA(ρ).

She retains the state .

2. Bob randomly prepares a quantum state , then performs on the quantum states and gets . Then he sends to Alice the second cipher state ,

 ρ2=trB(UB(ρ1⊗ρB)U†B)≜EB(ρ1).

He retains the state .

3. Alice performs on , and sends to Bob the third cipher state ,

 ρ3=trA(U′A(ρ′A⊗ρ2)U′†A)≜E′A(ρ2).
4. Bob performs on , and gets the message ,

 ρ′=eiϕρ=trB(U′B(ρ3⊗ρ′B)U′†B)≜E′B(ρ3).

This protocol holds if and only if the four quantum operations satisfy the condition

 E′B∘E′A∘EB∘EA=eiϕI. (6)

As a special case, the unitary transformations , can be chosen as bitwise controlled-unitary transformations where the message qubits act as control qubits, and ,. In this case, , and .

### 2.5 Quantum no-key protocol with personal identification

Denote quantum message space as , identification space as . Alice and Bob preshare an identification key . The protocol is as follows:

1. Alice randomly selects a number , then performs on the quantum message associated with ancillary qubits , and gets . Then she sends to Bob.

2. Bob receives the message , then randomly selects , performs on and measures the ancillary qubits (Here it is required that satisfies ). After measurement, the message collapses to . He admits comes from Alice if the result of measurement is . While passing the identification, he uses to compute , and sends to Alice.

3. Alice receives , then performs on and measures the ancillary qubits. She admits comes from Bob if the result of measurement is . After that, she uses to compute , and sends to Bob.

4. Bob receives , then performs on and measures the ancillary qubits. He admits comes from Alice if the result of measurement is . After measurement, the message collapses to quantum message .

In this protocol, operators are unitary transformations performing on the whole space . The protocol is correct if and only if the following conditions hold: ,

 V′l(sA)Uk(sA)(ρ⊗|0⟩⟨0|)Uk(sA)†V′l(sA)†=ρ′1⊗|0⟩⟨0|, (7) U′k(sB)V′′l(sB)(ρ′1⊗|0⟩⟨0|)V′′l(sB)†U′k(sB)†=ρ′2⊗|0⟩⟨0|, (8) Vl(sA)U′′k(sA)(ρ′2⊗|0⟩⟨0|)U′′k(sA)†Vl(sA)†=ρ⊗|0⟩⟨0|. (9)

Furthermore, these three equations are equivalent to the following conditions:

 V′l(sA)Uk(sA)=UM(k,l,sA)⊗IA,∀k,l,sA, (10) U′k(sB)V′′l(sB)=U′M(k,l,sB)⊗IA,∀k,l,sB, (11) Vl(sA)U′′k(sA)=U′′M(k,l,sA)⊗IA,∀k,l,sA, (12)

where , , are unitary operators performing on and satisfy the relation , .

The preshared key are used for times to identify each other. If we require the quantum state obtained after each measurement be independent with the identification key , that means , and are independent with and , thus , , are also independent with and , the Eq.(10)(11)(12) can be written as follows:

 V′l(sA)Uk(sA)=UM(k,l)⊗IA,∀k,l,sA, (13) U′k(sB)V′′l(sB)=U′M(k,l)⊗IA,∀k,l,sB, (14) Vl(sA)U′′k(sA)=U′′M(k,l)⊗IA,∀k,l,sA, (15)

where , .

## 3 Practical quantum no-key protocol

The protocols in this section are based on rotation of single photon, and may be implemented with current technology.

Generally speaking, two rotation transformations on the Bloch sphere are not commutative, unless the axes are parallel. Thus the key technique of this protocol is that Bob’s encryption rotation and Alice’s decryption rotation must be commutative. It can be proven that in this case the two axes of rotations must be parallel.

Proposition 5: The rotation transformations on the sphere are commutative if and only if the axes are parallel.

Proof: Denote two axes are and , and the rotation transformations and represents the rotation around the axes and by an angle and an angle , respectively. Because

 (n1⋅\boldmath{σ})(n2⋅% \boldmath{σ})=n1⋅n2+i\boldmath{σ}⋅(n1×n2), (16)

therefore

 [n1⋅\boldmath{σ},n2⋅% \boldmath{σ}]=2i(n1×n2)⋅% \boldmath{σ}. (17)

For the rotation operator

 Un(φ)=exp(12iφn⋅% \boldmath{σ})=cos12φ+in⋅\boldmath{σ}sin12φ, (18)

we have

 [Un1(φ1),Un2(φ2)]=−2isin12φ1sin12φ2(n1×n2)⋅\boldmath{σ}. (19)

Suppose that both rotations are non-zero, then the two rotations are commutative if and only if the two axes are parallel.

### 3.1 Protocol for quantum message transmissionYangli02 ()

Let us consider the secret transmission of a quantum message in product state. Denote as a rotation around axis by an angle . In Bloch sphere representation, the state of a qubit can be denoted as , which can be prepared using a rotation operator , . The protocol is as follows:

1. Alice chooses qubits for transformation:

 |n10,φ1⟩,⋯,|nm0,φm⟩. (20)
2. Alice chooses randomly from a -element set

 {αk=kπK|k=0,1,⋯,2K−1}. (21)
3. Alice chooses randomly (i=1,2,m), and opens them.

4. Alice prepares single-photons, with the -th photon in the state

 |Ψi⟩A1=Uni(φAi)|ni0,φi⟩, (22)

then sends these photons to Bob one by one.

5. Bob chooses randomly from the -element set (21) by means of local random number source, and changes the polarization directions of photons separately as below:

 |Ψi⟩B1=Uni(φBi)Uni(φAi)|ni0,φi⟩, (23)

then sends back these photons to Alice.

6. Alice removes her encryption transformation of the photons and gets

 |Ψi⟩A2=Uni(φBi)|ni0,φi⟩, (24)

then sends them to Bob again.

7. Bob removes his encryption transformation of the photons and gets

 |Ψi⟩B2=|ni0,φi⟩, (25)

then he gets the message (20).

Because , are chosen from set (21) randomly and independently, Eve cannot get any information from simple intercept/resend attack. Unfortunately, These two protocols cannot defend MIM (of quantum channel only) attack, even through there is an authenticated classical channel.

Remark 3: The quantum state in the protocol should be written in the form of density matrix. However, for understanding easily, the quantum states are written in the form of ware function instead of density matrix, whenever making no confusion. We can rewrite the above protocol in the following form:

1. Alice chooses photons in this quantum state

 ρ=|n1,φ1⟩⟨n1,φ1|⊗⋯⊗|nm,φm⟩⟨nm,φm|.
2. Alice performs -qubit rotation

 UA=Un1(φA1)⊗⋯⊗Unm(φAm)

on the qubits, and get the state

 ρ1=ρA1⊗⋯⊗ρAm

where , then sends these photons to Bob one by one.

3. Bob performs -qubit rotation

 UB=Un1(φB1)⊗⋯⊗Unm(φBm)

on the state and get the state

 ρ2=ρB1⊗⋯⊗ρBm

where , then sends back these photons to Alice.

4. Alice receives these qubits and removes her rotations on the qubits by performing rotation

 U†A=Un1(−φA1)⊗⋯⊗Unm(−φAm)

on the qubits, and then gets the state

 ρ3=ρ′A1⊗⋯⊗ρ′Am

where , then sends them to Bob again.

5. Bob receives these qubits and removes her rotations on the qubits by performing rotation

 U†B=Un1(−φB1)⊗⋯⊗Unm(−φBm)

on the qubits. Since and are commutative, Bob can get the message

It can be seen that, according to Proposition 5, and are commutative if and only if the axes of rotations and are parallel for every .

### 3.2 Protocol with personal identificationYangli02 ()

Personal identification is necessary to defend MIM attack. We modified the protocol in Section 3.1 as following:

Alice and Bob share