1 Introduction

In this paper, we study the application of quantum cryptography in access control in cloud computing. Models of access control in cloud computing are developed in Wang et al. (2009) and Hota et al. (2011). The model from Hota et al. (2011) is visualized in Fig. 1. The data owner stores encrypted data on the cloud which the user wants to access. The data owner distributes the decryption key and a digital certificate to the user if the access control policy permits the user to access. The user shows the certificate to the cloud and receives the encrypted data as shown in Fig. 1.

Hota et al. (2011) use classic cryptography to grant access. It is well known that once a large-scale quantum computer is built, the existing popular encryption schemes may be efficiently broken (Shor 1994). Quantum cryptography is theoretically unbreakable and will be heavily needed in the coming quantum era.

Fig. 1
figure 1

Data access in cloud computing

Full size image

In this paper, we further develop the model of access control in cloud computing proposed by Hota et al. (2011), by using quantum cryptography to grant access to agents. No entanglement is used in our protocols, which makes them implementable by current technologies. We present our quantum protocols in the framework of categorical quantum mechanics (Abramsky and Coecke 2004; Coecke and Duncan 2008; Selinger 2011; Coecke et al. 2011; Backens et al. 2016), which is the study of quantum foundations and quantum information using category theory. We choose categorical quantum mechanics because it provides us an elegant graphics language, the ZX-calculus (Coecke and Duncan 2008), to help us design and verify quantum protocols.

The structure of the rest of this paper is as follows: After a brief review of the background knowledge on quantum computation and categorical quantum mechanics in Sect. 2, we present three quantum protocols for key distribution, authentication and certification, respectively, and show that they are unconditionally secure in Sect. 3. We discuss related works in Sect. 4 and conclude this paper in Sect. 5.

2 Quantum theory

This section serves as an oversimplified introduction to quantum computation and categorical quantum mechanics. We only focus on those knowledge which is needed to understand the protocols we will present in Sect. 3.

2.1 Qubits

The building block of quantum information is quantum bit, or qubit for short. Qubits are the fundamental units of information in quantum information processing in the same way that bits are the fundamental units of information for classical information processing.

Definition 1

(qubit) A qubit \(\left[ \begin{matrix} a \\ b \end{matrix} \right] \) is a column vector in which a and b are complex numbers such that \(|a|^2 + |b|^2 =1\).

We will use the Dirac notation to denote qubits: A qubit \(\overrightarrow{\mathbf{x }} = \left[ \begin{matrix} a \\ b \end{matrix} \right] \) is denoted in Dirac notation as \(|\mathbf x \rangle \). There are four special qubits which frequently appear in the literature:

$$\begin{aligned} |0\rangle = \left[ \begin{matrix} 1 \\ 0 \end{matrix} \right] , |1\rangle =\left[ \begin{matrix} 0 \\ 1 \end{matrix} \right] , |+\rangle = \frac{1}{\sqrt{2}} \left[ \begin{matrix} 1 \\ 1 \end{matrix} \right] , |-\rangle = \frac{1}{\sqrt{2}} \left[ \begin{matrix} 1 \\ -1 \end{matrix} \right] . \end{aligned}$$

For two qubits \(|\mathbf x \rangle \) and \( |\mathbf y \rangle \), if \(|\mathbf x \rangle =c |\mathbf y \rangle \) for some complex number c, then such c is called a global phase. A global phase has no physical meaning, which means \(|\mathbf x \rangle \) and \(|\mathbf y \rangle \) represents the same physical state. For a qubit \(|\mathbf x \rangle = \left[ \begin{matrix} a \\ b \end{matrix} \right] \), the adjoin of \(|\mathbf x \rangle \) is a row vector \(\langle \mathbf x | = [ \overline{a}, \overline{b}] \), where \(\overline{a}\) and \(\overline{b}\) are the conjugate of a and b, respectively.

Table 1 Quantum gates on qubits
Full size table

2.2 Quantum gates

The operation on qubits is called quantum gates, which are mathematically represented as matrices.

Definition 2

(quantum gate) A quantum gate \(U= \left[ \begin{matrix} a &{} \quad b \\ c &{}\quad d \end{matrix} \right] \) is an \(2\times 2\) matrix over complex numbers such that \(U U^{\dagger } =I\), where I is the identity matrix of rank 2 and \(U^{\dagger }= \left[ \begin{array}{ll} {\overline{a}} &{}\quad {\overline{c}} \\ {\overline{b}} &{} \quad {\overline{d}} \end{array} \right] \) is the transpose conjugate of U.

The following are three famous quantum gates which are widely used in the literature:

$$\begin{aligned} I= \left[ \begin{matrix} 1 &{} \quad 0 \\ 0 &{}\quad 1 \end{matrix} \right] , H=\frac{1}{\sqrt{2}} \left[ \begin{matrix} 1 &{}\quad 1 \\ 1 &{}\quad -1 \end{matrix} \right] ,X=\left[ \begin{matrix} 0 &{}\quad 1 \\ 1 &{}\quad 0 \end{matrix} \right] . \end{aligned}$$

Here I is the identity gate. H is the Hadamard gate, and X is the Pauli-X gate. The application of IX and H gates to qubits \(|0\rangle \), \(|1\rangle \), \(|+\rangle \) and \(|-\rangle \) is shown in Table 1 (with globe phase omitted). For example,

$$\begin{aligned} H |0\rangle = \frac{1}{\sqrt{2}} \left[ \begin{matrix} 1 &{}\quad 1 \\ 1 &{} \quad -1 \end{matrix} \right] \left[ \begin{matrix} 1 \\ 0 \end{matrix} \right] = \frac{1}{\sqrt{2}} \left[ \begin{matrix} 1 \\ 1 \end{matrix} \right] =|+\rangle . \end{aligned}$$

2.3 Measurement

To acquire information about a qubit, a measurement must be performed on it. In quantum computation, measurements are usually used to read out a computational result. A quantum measurement on a qubit is described by a collection \(\{M_k\}\) of \(2\times 2\) matrix satisfying

$$\begin{aligned} \sum _{k} M_k^{\dagger } M_k =I \end{aligned}$$

where \(M_k\) is called measurement operators, and the index k is used to label the measurement outcomes. Note that k is simply labels and has no special meanings. If we are to measure a qubit \(|\mathbf x \rangle \), then the probability that result k occurs is

$$\begin{aligned} p(k)= \langle \mathbf x | M_k^{\dagger } M_k | \mathbf x \rangle , \end{aligned}$$

which is calculated by matrix multiplication.

Example 1

The measurement on a qubit in the computational basis \(\{| 0 \rangle ,| 1 \rangle \}\) is \(M^c=\{M_0,M_1\}\), where

$$\begin{aligned} M_0= | 0 \rangle \langle 0 | =\left[ \begin{matrix} 1 &{}\quad 0 \\ 0 &{} \quad 0 \end{matrix} \right] , M_1= | 1 \rangle \langle 1 | = \left[ \begin{matrix} 0 &{} \quad 0 \\ 0 &{}\quad 1 \end{matrix} \right] . \end{aligned}$$

If we measure the qubit \(|+ \rangle \) by \(M^c\), then the probability of the occurrence of result-0 is

$$\begin{aligned} p(0)= & {} \langle + | M_0^{\dagger } M_0 | + \rangle \\= & {} \left[ \frac{1}{\sqrt{2}} ,\frac{1}{\sqrt{2}} \right] \left[ \begin{array}{ll} 1 &{}\quad 0 \\ 0 &{}\quad 0 \end{array} \right] \left[ \begin{array}{ll} 1 &{} \quad 0 \\ 0 &{}\quad 0 \end{array} \right] \left[ \begin{array}{l} \frac{1}{\sqrt{2}} \\ \frac{1}{\sqrt{2}} \end{array} \right] \\= & {} \left[ \frac{1}{\sqrt{2}} ,\frac{1}{\sqrt{2}} \right] \left[ \begin{array}{l} \frac{1}{\sqrt{2}} \\ 0 \end{array} \right] = \frac{1}{2} . \end{aligned}$$

A similar calculation will show that the probability of getting result-1 is also \(\frac{1}{2}\).

Example 2

The measurement on a qubit in the symbolic basis \(\{| + \rangle ,| - \rangle \}\) is \(M^s=\{M_+,M_-\}\), where

$$\begin{aligned} M_+= | + \rangle \langle + | = \frac{1}{2} \left[ \begin{matrix} 1 &{}\quad 1 \\ 1 &{}\quad 1 \end{matrix} \right] , M_-= | - \rangle \langle - | = \frac{1}{2} \left[ \begin{matrix} 1 &{}\quad -1 \\ -1 &{}\quad 1 \end{matrix} \right] . \end{aligned}$$

If we measure the qubit \(|0 \rangle \) by \(M^s\), then the probability of the occurrence of result-+ is

$$\begin{aligned} p(+)= & {} \langle 0 | M_+^{\dagger } M_+ | 0 \rangle = \left[ 1 ,0 \right] \left[ \begin{array}{ll} \frac{1}{2} &{} \quad \frac{1}{2} \\ \frac{1}{2} &{}\quad \frac{1}{2} \end{array} \right] \left[ \begin{array}{ll} \frac{1}{2} &{}\quad \frac{1}{2} \\ \frac{1}{2} &{}\quad \frac{1}{2} \end{array} \right] \left[ \begin{array}{l} 1 \\ 0 \end{array} \right] \\= & {} \left[ \frac{1}{{2}} ,\frac{1}{{2}} \right] \left[ \begin{array}{l} \frac{1}{{2}} \\ \frac{1}{{2}} \end{array} \right] = \frac{1}{2} . \end{aligned}$$

A similar calculation will show that the probability of getting result-− is also \(\frac{1}{2}\).

2.4 Graphical calculus for quantum computation

The ZX-calculus introduced by Coecke and Duncan (2008) is a graphical calculus for quantum computation. Due to the built-in rewrite rules for diagrams, quantum computation can be performed graphically in ZX-calculus.

Diagrams of the ZX-calculus consist of nodes and wires between them. A quantum gate is represented by a diagram in which there are exactly two wires connected to any node. There are three types of nodes in ZX-calculus:

figure a
figure b

where the phases \(\phi , \theta \in [0,2\pi )\). A green node with phase \(\phi \) is called a \(Z(\phi )\) node while a red node with phase \(\theta \) is called a \(X(\theta )\) node. The yellow node has no phase, and it is called Hadamard node. Diagrams are read from bottom to top, that is, the wire at the bottom is considered as the input while the one on the top is the output. For example, the I and X gates can be represented by Z(0) and \(X(\pi )\) nodes, respectively. Indeed,

$$\begin{aligned} Z(0)= & {} |0\rangle \langle 0|+e^{i0} |1\rangle \langle 1| = |0\rangle \langle 0|+ |1\rangle \langle 1| \\= & {} \left[ \begin{array}{l} 1 \\ 0 \end{array} \right] \left[ 1 ,0 \right] + \left[ \begin{array}{l} 0 \\ 1 \end{array} \right] \left[ 0 ,1 \right] \\= & {} \left[ \begin{array}{ll} 1 &{}\quad 0 \\ 0 &{} \quad 0 \end{array} \right] + \left[ \begin{array}{ll} 0 &{}\quad 0 \\ 0 &{}\quad 1 \end{array} \right] = \left[ \begin{array}{ll} 1 &{}\quad 0 \\ 0 &{}\quad 1 \end{array} \right] .\\ X(\pi )= & {} |+\rangle \langle +|+e^{i\pi } |-\rangle \langle -| = |+\rangle \langle +|- |-\rangle \langle -|\\= & {} \left[ \begin{array}{l} \frac{1}{\sqrt{2}} \\ \frac{1}{\sqrt{2}} \end{array} \right] \left[ \frac{1}{\sqrt{2}} ,\frac{1}{\sqrt{2}} \right] - \left[ \begin{array}{l} \frac{1}{\sqrt{2}} \\ -\frac{1}{\sqrt{2}} \end{array} \right] \left[ \frac{1}{\sqrt{2}} ,-\frac{1}{\sqrt{2}} \right] \\= & {} \left[ \begin{array}{ll} \frac{1}{2} &{}\quad \frac{1}{2} \\ \frac{1}{2} &{} \quad \frac{1}{2} \end{array} \right] - \left[ \begin{array}{ll} \frac{1}{2} &{} \quad -\frac{1}{2} \\ -\frac{1}{2} &{}\quad \frac{1}{2} \end{array} \right] = \left[ \begin{array}{ll} 0 &{}\quad 1 \\ 1 &{}\quad 0 \end{array} \right] . \end{aligned}$$

Connecting the output of one node to the input of another corresponds to the composition of operators. Therefore,

figure c

corresponds to

$$\begin{aligned} X(\pi ) Z(\pi )= & {} (|+\rangle \langle +|+e^{i\pi } |-\rangle \langle -|)(|0\rangle \langle 0|+e^{i\pi } |1\rangle \langle 1|) \\= & {} \left[ \begin{matrix} 0 &{}\quad 1 \\ 1 &{}\quad 0 \end{matrix} \right] \left[ \begin{matrix} 1 &{} \quad 0 \\ 0 &{}\quad -1 \end{matrix} \right] = \left[ \begin{matrix} 0 &{}\quad -1 \\ 1 &{}\quad 0 \end{matrix} \right] . \end{aligned}$$

The ZX-calculus contains rewriting rules that allow the derivation of equalities between diagrams. The rules related to this article are the following, where n is an integer:

figure d

In the next section, we will use the following X-gates for encryption and decryption:

  • \(X(0)= I\)

  • \(X(\frac{\pi }{2}) =|+\rangle \langle +|+e^{\frac{\pi }{2}i} |-\rangle \langle -| = |+\rangle \langle +|- i|-\rangle \langle -| \)

    $$\begin{aligned}= & {} \left[ \begin{array}{l} \frac{1}{\sqrt{2}} \\ \frac{1}{\sqrt{2}} \end{array} \right] \left[ \frac{1}{\sqrt{2}} ,\frac{1}{\sqrt{2}} \right] - i \left[ \begin{array}{l} \frac{1}{\sqrt{2}} \\ -\frac{1}{\sqrt{2}} \end{array} \right] \left[ \frac{1}{\sqrt{2}} ,-\frac{1}{\sqrt{2}} \right] \\= & {} \left[ \begin{array}{ll} \frac{1}{2} &{}\quad \frac{1}{2} \\ \frac{1}{2} &{}\quad \frac{1}{2} \end{array} \right] - i\left[ \begin{array}{ll} \frac{1}{2} &{} \quad -\frac{1}{2} \\ -\frac{1}{2} &{}\quad \frac{1}{2} \end{array} \right] = \frac{1}{2} \left[ \begin{array}{ll} 1-i &{}\quad 1+i \\ 1+i &{}\quad 1-i \end{array} \right] . \end{aligned}$$

  • \(X(\pi )= X\)

  • \(X(\frac{3\pi }{2}) =|+\rangle \langle +|+e^{\frac{3\pi }{2}i} |-\rangle \langle -| = |+\rangle \langle +|+ i|-\rangle \langle -| \)

    $$\begin{aligned}= & {} \left[ \begin{array}{l} \frac{1}{\sqrt{2}} \\ \frac{1}{\sqrt{2}} \end{array} \right] \left[ \frac{1}{\sqrt{2}} ,\frac{1}{\sqrt{2}} \right] + i \left[ \begin{array}{l} \frac{1}{\sqrt{2}} \\ -\frac{1}{\sqrt{2}} \end{array} \right] \left[ \frac{1}{\sqrt{2}} ,-\frac{1}{\sqrt{2}} \right] \\= & {} \left[ \begin{array}{ll} \frac{1}{2} &{} \quad \frac{1}{2} \\ \frac{1}{2} &{}\quad \frac{1}{2} \end{array} \right] + i\left[ \begin{array}{ll} \frac{1}{2} &{} \quad -\frac{1}{2} \\ -\frac{1}{2} &{}\quad \frac{1}{2} \end{array} \right] \\= & {} \frac{1}{2} \left[ \begin{array}{ll} 1+i &{} \quad 1-i \\ 1-i &{} \quad 1+i \end{array} \right] . \end{aligned}$$

Applying \(X(\frac{\pi }{2})\) to \(|0\rangle \), we get

$$\begin{aligned} \frac{1}{2} \left[ \begin{matrix} 1-i &{}\quad 1+i \\ 1+i &{}\quad 1-i \end{matrix} \right] \left[ \begin{matrix} 1 \\ 0 \end{matrix} \right] = \frac{1}{2} \left[ \begin{matrix} 1- i \\ 1+i \end{matrix} \right] . \end{aligned}$$

The qubit \(\frac{1}{2} \left[ \begin{matrix} 1- i \\ 1+i \end{matrix} \right] \) is (up to a globe phase) denoted as \(|-i\rangle \) in the literature.

Applying \(X(\frac{\pi }{2})\) to \(|1\rangle \), we get

$$\begin{aligned} \frac{1}{2} \left[ \begin{matrix} 1-i &{} \quad 1+i \\ 1+i &{} \quad 1-i \end{matrix} \right] \left[ \begin{matrix} 0 \\ 1 \end{matrix} \right] = \frac{1}{2} \left[ \begin{matrix} 1+ i \\ 1-i \end{matrix} \right] . \end{aligned}$$

The qubit \(\frac{1}{2} \left[ \begin{matrix} 1+ i \\ 1-i \end{matrix} \right] \) is (up to a globe phase) denoted as \(|+i\rangle \) in the literature.

Example 3

If we measure the qubit \(|+i \rangle \) by \(M^c\), then the probability of the occurrence of result-0 is

$$\begin{aligned} p(0)= & {} \langle +i | M_0^{\dagger } M_0 | +i \rangle \\= & {} \frac{1}{2} \left[ 1-i ,1+i \right] \left[ \begin{array}{ll} 1 &{}\quad 0 \\ 0 &{}\quad 0 \end{array} \right] \left[ \begin{array}{ll} 1 &{} \quad 0 \\ 0 &{}\quad 0 \end{array} \right] \frac{1}{2} \left[ \begin{array}{ll} 1+i \\ 1-i \end{array} \right] \\= & {} \frac{1}{2} \left[ 1-i ,1+i \right] \frac{1}{2} \left[ \begin{array}{ll} 1+i \\ 0 \end{array} \right] = \frac{1}{4} \times 2= \frac{1}{2} . \end{aligned}$$

A similar calculation will show that the probability of getting result-1 is also \(\frac{1}{2}\). Moreover, if we measure the qubit \(|-i \rangle \) by \(M^c\), then the probability of the occurrence of result-0 and result-1 is also \(\frac{1}{2}\).

3 Quantum cryptography for access control

Many cryptographic schemes have been designed to solve the problem of granting access (Akl and Taylor 1983; Nagy and Akl 2010; José and Hernández 2014; Choi et al. 2014). The general methodology is to first encrypt all objects, then distribute the decryption key to those authorized agents. More precisely, assume we are the owner of \(\{ data_1,\ldots , data_k\}\). We first use \(key_1,\ldots , key_n\) to encrypt those data. So we have \(Enc_{key_1}(data_1), \ldots , \) \(Enc_{key_n}(data_n)\). Then, we assign \(key_i\) to an agent iff the agent is permitted to access \(data_i\). Therefore, key distribution plays a central role in granting access .

3.1 Quantum key distribution

The scenario for the three-pass protocol is the following

  • Alice lives in a country where the police open all mails.

  • Bob wants to send an object to Alice.

  • Bob has a strongbox which is big enough for several locks, but Alice does not have any key for any of those locks.

How can Bob securely send the object to Alice? They may use the following three-pass protocol:

  1. 1.

    Bob puts the object into the box, locks it, and sends it to Alice.

  2. 2.

    Alice locks the box with her own lock and sends it back to Bob.

  3. 3.

    Bob unlocks his lock and sends the box to Alice again. Alice finally unlocks her lock and gets the object.

Fig. 2
figure 2

A quantum three-pass protocol for key distribution

Full size image

In classical cryptography, this protocol can be realized by using the classical exclusive-OR operation \(\oplus \). However, such realization is insecure under eavesdropping. On the other hand, the quantum cryptographic protocol we will propose is safe under eavesdropping because the quantum no-cloning theorem prevents the copy of non-trivial quantum states (Yanofsky and Mannucci 2008).

We use qubit \(|0\rangle \) and \(|1\rangle \) to encode 0 and 1, respectively. Our key space for encryption and decryption contains 4 X-gates \(\{X(0),X(\frac{\pi }{2}),X(\pi ), X(\frac{3\pi }{2})\}\). The encryption of a qubit \(|i\rangle \) with key k is defined as \(Enc_{k}(i) = k |i\rangle \), and the decryption of a qubit \(|i\rangle \) is \(Dec_{k}(i) = k |i\rangle \), where \(k \in \{X(0),X(\frac{\pi }{2}),X(\pi ), X(\frac{3\pi }{2})\}\). We let \((X(m),X(2\pi -m))\) be a pair of encryption/decryption keys. The encryption and decryption of \(|0\rangle \), \(|1\rangle \), \(|+i\rangle \), and \(|-i\rangle \) are shown in Table 2.

Figure 2 shows our quantum three-pass protocol for a sender (agent 1) to send his key to a receiver (agent 2). At the beginning of the protocol, agent 1 encrypts the string element-wise and sends the resulting string to agent 2. Then agent 2 encrypts the ciphertext and sends the result back to agent 1. Agent 1 then decrypts the string and sends it to agent 2. Now agent 2 decrypts the string and gets the key.

The correctness of our protocol is guaranteed by the rules (S) and (ID) of the ZX-calculus. The (S) rule ensures that the sequential application of X-gates can be summed up, while the (ID) rule says the application of an \(X(2n\pi )\) gate is the same as the identity operator.

Theorem 1

The quantum three-pass protocol is correct.

Table 2 Quantum X-gates on qubits
Full size table

Proof

Suppose agent 1 chooses \((X(m_1),X(2\pi - m_1) )\) as his keys and agent 2 chooses \((X(m_2),X(2\pi - m_2) )\) as his key, then we have the following graphical derivation.

figure e

Therefore, the operations of the two agents apply in the protocol amounts to an identity operator, which means the qubit is correctly transferred. \(\square \)

Fig. 3
figure 3

Proposed protocol for authentication

Full size image

The security of most existing protocols of key distribution for access control relies on the computational complexity of problems like prime factorization. Therefore, once a quantum computer is built, these protocols may be compromised in polynomial time (Shor 1994). Conversely, our protocol is secure with respect to quantum computers, since it provides unconditional security. In the plaintext, the probability of the appearance of 0 and 1 is both 0.5. For a qubit \(|0\rangle \), if we encrypt it and then measure the ciphertext with the computational qubit basis \(\{|0\rangle , |1\rangle \}\), then with probability 0.5 we will get \(|1\rangle \). This is because with probability \(\frac{1}{4}\) the key is \(X(\frac{\pi }{2})\) and \(X(\frac{3\pi }{2})\), and the measurement of \(|+i\rangle \) and \(|-i\rangle \) using standard basis will give us \(|1\rangle \) with probability 0.5. With probability \(\frac{1}{4}\), the key is I and X, respectively, and the measurement using standard basis will give us \(|1\rangle \) with probability 0 and 1, respectively. Therefore, the probability of finding \(|1\rangle \) after the encryption of \(|0\rangle \) is \(\frac{1}{4} \times 0 + \frac{1}{4} \times 0.5 + \frac{1}{4} \times 1 + \frac{1}{4} \times 0.5 =0.5\). Similar analysis of other cases will show that our cryptographic scheme is unconditional secure. Moreover, our protocol uses only simple quantum gates and it is implementable by the current technology.

3.2 Quantum authentication

The quantum three-pass protocol is still vulnerable to the man-in-the-middle attack. We apply an authentication protocol to react to the man-in-the-middle attack. We assume every user has registered a secret key to the data owner and the owner, which can be used to authenticate the user’s identity.

Figure 3 shows our protocol for agent 2 to authenticate the identity of agent 1. In this protocol, the two agents have a private key \(K^1, K^2\), respectively, and share a key \(K^s\). Every symbol \(k_i\) is taken from \(\{X(0),X(\frac{\pi }{2}),X(\pi ), X(\frac{3\pi }{2})\}\). There are four stages in this protocol. In the first stage, agent 1 generates a binary string, encrypts it by the shared key and sends it to agent 2. In the second stage, agent 2 first decrypts the ciphertext and keeps the result, then it generates a binary string and encrypts it by both the shared key and its private key. Agent 2 then sends the ciphertext to agent 1. In stage 3, agent 1 first decrypts the ciphertext by the shared key, then encrypts it by the string it generated in the first stage, with bit 0 being treated as quantum gate I and bit 1 being treated as quantum gate X. Then, it sends the ciphertext to agent 2. Finally, in stage 4 agent 2 decrypts the ciphertext by using both the string it obtained in the stage 2 and its private key. Then agent 2 tests if the plain text is the same as the text it generated in the second stage. The authentication succeeds if and only if the two plaintexts are identical.

Just like in the quantum three-pass protocol, the encryption scheme in our authentication protocol is unconditional secure when the keys are comprised of quantum gates randomly chosen from \(\{X(0),X(\frac{\pi }{2}),X(\pi ), X(\frac{3\pi }{2})\}\). Note that the keys can be comprised of other quantum gates such as \(\{Z(0),Z(\frac{\pi }{2}),Z(\pi ), Z(\frac{3\pi }{2})\}\). According to Reference Juan et al. (2011), to avoid the substitute-Bell-state attack, there must be at least one quantum gate which can realize the transformation between two complementary quantum observables.

Fig. 4
figure 4

Proposed protocol for certification

Full size image

3.3 Quantum certificate and signature

As we introduced in the first section (Fig. 1), in cloud computing the data owner sends the key together with a certificate to the user. A certificate can be created by a quantum signature (Zeng and Keitel 2002; Zou and Qiu 2010; Zou et al. 2013). An ideal signature is supposed to (at least) satisfy two properties: One is that it is unforgeable by an attacker, the other is the non-repudiation of the signer and the receiver. In our specific setting, however, we do not care whether the certificate is deniable by the receiver. This is because as the data user, the receiver needs the certificate to get the data. A rational receiver will not deny his possession of the certificate when he in fact owns it. Figure 4 shows our protocol for quantum certification, which is simpler than most existing quantum signature protocols.

There are three agents in this protocol: Alice the signer (data owner), Bob the receiver (data user) and Trend the trust third party (cloud). We assume there is a public channel which is susceptible to eavesdropping but not to the injection or alteration of message. Alice and Trend first create a shared key before the protocol starts by the quantum three-pass protocol. Then Alice randomly generates a message \((a_1,\ldots , a_n)\) and announces it via the public channel. Alice encrypts the message by her shared key with Trend and sends it to Bob as a certificate. Bob then sends the certificate to Trend. Trend decrypts the certificate and compares it with the message Alice has announced. The certificate succeeds if and only if they are the same.

The certificate generated by this protocol is unforgeable, because the attacker can only successfully forge the certificate when he knows the shared key of Alice and Trend. But this key is generated by the quantum three-pass protocol, which is unconditional secure. On the other hand, the certificate cannot be repudiated by the signer because only she can produce the correct certificate.

4 Related work

The first protocol for quantum key distribution is developed by Bennetta and Brassard (1984), known as the BB84 protocol. A quantum three-pass protocol for key distribution is proposed in Kanamori and Yoo (2009). Comparing to the protocol of Kanamori and Yoo, the key space of our protocol is significantly smaller.

Many quantum authentication protocols have been proposed (Dusek et al. 1999; Barnum et al. 2002; Nagy and Akl 2007; Kanamori et al. 2009; Mosca et al. 2013). Some protocols use classical cryptography with quantum key distribution (Dusek et al. 1999). Other protocols (Nagy and Akl 2007) employ entanglement for which the entangled pairs are used as a quantum private key. The protocol proposed in Kanamori et al. (2009) is similar to ours in the sense that they also use quantum gates as elements of the keys. The difference is that while infinite many quantum gates are used in the keys of Kanamori et al. (2009), we use only four gates \(\{X(0),X(\frac{\pi }{2}),X(\pi ), X(\frac{3\pi }{2})\}\).

An influential quantum signature scheme named arbitrated quantum signature was proposed by Zeng and Keitel (2002). Zou and Qiu (2010) simplifies the protocol of Zeng and Keitel by achieving arbitrated quantum signature without entangled states. Our protocol for quantum certification is even simpler than the protocol of Zou and Qiu, because we ignore the concern of the repudiation of the receiver.

5 Conclusion

In this paper, we study the application of quantum cryptography in access control in cloud computing. We proposed quantum protocols for key distribution, authentication and certification. We analyze our protocols by the graphical language of categorical quantum mechanics. The protocols we presented is unconditional secure and implementable by the current technology.