Categorical quantum cryptography for access control in cloud computing

Access control is a mechanism that is used to decide which agent has access to which resource with some specific operations. This paper is devoted to the investigation of quantum cryptography in access control. We develop three quantum protocols and use them for key distribution, identity authentication and digital certification, respectively. We analyze our protocols by the graphical language of categorical quantum mechanics. These protocols are unconditionally secure and implementable by the current technology.


Introduction
In this paper, we study the application of quantum cryptography in access control in cloud computing.Models of access control in cloud computing are developed in Wang et al. (2009) and Hota et al. (2011).The model from Hota et al. (2011) is visualized in Fig. 1.The data owner stores encrypted data on the cloud which the user wants to access.The data owner distributes the decryption key and a digital certificate to the user if the access control policy permits the user to access.The user shows the certificate to the cloud and receives the encrypted data as shown in Fig. 1.Hota et al. (2011) use classic cryptography to grant access.It is well known that once a large-scale quantum computer is built, the existing popular encryption schemes may be efficiently broken (Shor 1994).Quantum cryptography is theoretically unbreakable and will be heavily needed in the coming quantum era.
In this paper, we further develop the model of access control in cloud computing proposed by Hota et al. (2011), by using quantum cryptography to grant access to agents.No entanglement is used in our protocols, which makes them implementable by current technologies.We present our quantum protocols in the framework of categorical quantum mechanics (Abramsky and Coecke 2004;Coecke and Duncan 2008;Selinger 2011;Coecke et al. 2011;Backens et al. 2016), which is the study of quantum foundations and quantum information using category theory.We choose categorical quantum mechanics because it provides us an elegant graphics language, the ZX-calculus (Coecke and Duncan 2008), to help us design and verify quantum protocols.
The structure of the rest of this paper is as follows: After a brief review of the background knowledge on quantum computation and categorical quantum mechanics in Sect.2, we present three quantum protocols for key distribution, authen-

Quantum theory
This section serves as an oversimplified introduction to quantum computation and categorical quantum mechanics.We only focus on those knowledge which is needed to understand the protocols we will present in Sect.3.

Qubits
The building block of quantum information is quantum bit, or qubit for short.Qubits are the fundamental units of information in quantum information processing in the same way that bits are the fundamental units of information for classical information processing.
Definition 1 (qubit) A qubit a b is a column vector in which a and b are complex numbers such that |a| 2 + |b| 2 = 1.
We will use the Dirac notation to denote qubits: A qubit is denoted in Dirac notation as |x .There are four special qubits which frequently appear in the literature: For two qubits |x and |y , if |x = c|y for some complex number c, then such c is called a global phase where a and b are the conjugate of a and b, respectively.

Quantum gates
The operation on qubits is called quantum gates, which are mathematically represented as matrices.
Definition 2 (quantum gate) A quantum gate U = a b c d is an 2×2 matrix over complex numbers such that UU † = I , where I is the identity matrix of rank 2 and U † = a c b d is the transpose conjugate of U .
The following are three famous quantum gates which are widely used in the literature: Here I is the identity gate.H is the Hadamard gate, and X is the Pauli-X gate.The application of I, X and H gates to qubits |0 , |1 , |+ and |− is shown in Table 1 (with globe phase omitted).For example,

Measurement
To acquire information about a qubit, a measurement must be performed on it.In quantum computation, measurements are usually used to read out a computational result.A quantum measurement on a qubit is described by a collection where M k is called measurement operators, and the index k is used to label the measurement outcomes.Note that k is simply labels and has no special meanings.If we are to measure a qubit |x , then the probability that result k occurs is which is calculated by matrix multiplication.
Example 1 The measurement on a qubit in the computational basis {|0 , |1 } is M c = {M 0 , M 1 }, where If we measure the qubit |+ by M c , then the probability of the occurrence of result-0 is A similar calculation will show that the probability of getting result-1 is also 1 2 .
Example 2 The measurement on a qubit in the symbolic basis where If we measure the qubit |0 by M s , then the probability of the occurrence of result-+ is A similar calculation will show that the probability of getting result-− is also 1 2 .

Graphical calculus for quantum computation
The ZX-calculus introduced by Coecke and Duncan ( 2008) is a graphical calculus for quantum computation.Due to the built-in rewrite rules for diagrams, quantum computation can be performed graphically in ZX-calculus.Diagrams of the ZX-calculus consist of nodes and wires between them.A quantum gate is represented by a diagram in which there are exactly two wires connected to any node.There are three types of nodes in ZX-calculus: where the phases φ, θ ∈ [0, 2π).A green node with phase φ is called a Z (φ) node while a red node with phase θ is called a X (θ ) node.The yellow node has no phase, and it is called Hadamard node.Diagrams are read from bottom to top, that is, the wire at the bottom is considered as the input while the one on the top is the output.For example, the I and X gates can be represented by Z (0) and X (π ) nodes, respectively.Indeed, Connecting the output of one node to the input of another corresponds to the composition of operators.Therefore, The ZX-calculus contains rewriting rules that allow the derivation of equalities between diagrams.The rules related to this article are the following, where n is an integer: In the next section, we will use the following X-gates for encryption and decryption: - The qubit 1 2 1 − i 1 + i is (up to a globe phase) denoted as Example 3 If we measure the qubit | + i by M c , then the probability of the occurrence of result-0 is A similar calculation will show that the probability of getting result-1 is also 1 2 .Moreover, if we measure the qubit |−i by M c , then the probability of the occurrence of result-0 and result-1 is also 1 2 .
3 Quantum cryptography for access control ).Then, we assign key i to an agent iff the agent is permitted to access data i .Therefore, key distribution plays a central role in granting access .

Quantum key distribution
The scenario for the three-pass protocol is the following -Alice lives in a country where the police open all mails.
-Bob wants to send an object to Alice.
-Bob has a strongbox which is big enough for several locks, but Alice does not have any key for any of those locks.
How can Bob securely send the object to Alice?They may use the following three-pass protocol: 1. Bob puts the object into the box, locks it, and sends it to Alice. 2. Alice locks the box with her own lock and sends it back to Bob. 3. Bob unlocks his lock and sends the box to Alice again.
Alice finally unlocks her lock and gets the object.
In classical cryptography, this protocol can be realized by using the classical exclusive-OR operation ⊕.However, such realization is insecure under eavesdropping.On the other hand, the quantum cryptographic protocol we will propose is safe under eavesdropping because the quantum no-cloning theorem prevents the copy of non-trivial quantum states (Yanofsky and Mannucci 2008).
Figure 2 shows our quantum three-pass protocol for a sender (agent 1) to send his key to a receiver (agent 2).At the beginning of the protocol, agent 1 encrypts the string element-wise and sends the resulting string to agent 2. Then agent 2 encrypts the ciphertext and sends the result back to agent 1. Agent 1 then decrypts the string and sends it to agent 2. Now agent 2 decrypts the string and gets the key.
The correctness of our protocol is guaranteed by the rules (S) and (I D) of the ZX-calculus.The (S) rule ensures that the sequential application of X-gates can be summed up, while the (I D) rule says the application of an X (2nπ) gate is the same as the identity operator.
Theorem 1 The quantum three-pass protocol is correct.
Therefore, the operations of the two agents apply in the protocol amounts to an identity operator, which means the qubit is correctly transferred.
The security of most existing protocols of key distribution for access control relies on the computational complexity of problems like prime factorization.Therefore, once a quantum computer is built, these protocols may be compromised in polynomial time (Shor 1994).Conversely, our protocol is secure with respect to quantum computers, since it provides unconditional security.In the plaintext, the probability of the appearance of 0 and 1 is both 0.5.For a qubit |0 , if we encrypt it and then measure the ciphertext with the computational qubit basis {|0 , |1 }, then with probability 0.5 we will get |1 .This is because with probability 1 4 the key is X ( π 2 ) and X ( 3π 2 ), and the measurement of |+i and |−i using standard basis will give us |1 with probability 0.5.With probability 1 4 , the key is I and X , respectively, and the measurement using standard basis will give us |1 with probability 0 and 1, respectively.Therefore, the probability of finding |1 after the encryption of |0 is 1 4 ×0+ 1 4 ×0.5+ 1 4 ×1+ 1 4 ×0.5 = 0.5.Similar analysis of other cases will show that our cryptographic scheme is unconditional secure.Moreover, our

Quantum authentication
The quantum three-pass protocol is still vulnerable to the man-in-the-middle attack.We apply an authentication protocol to react to the man-in-the-middle attack.We assume every user has registered a secret key to the data owner and the owner, which can be used to authenticate the user's identity.
Figure 3 shows our protocol for agent 2 to authenticate the identity of agent 1.In this protocol, the two agents have a private key K 1 , K 2 , respectively, and share a key K s .Every symbol k i is taken from {X (0), X ( π 2 ), X (π ), X ( 3π 2 )}.There are four stages in this protocol.In the first stage, agent 1 generates a binary string, encrypts it by the shared key and sends it to agent 2. In the second stage, agent 2 first decrypts the ciphertext and keeps the result, then it generates a binary string and encrypts it by both the shared key and its private key.Agent 2 then sends the ciphertext to agent 1.In stage 3, agent 1 first decrypts the ciphertext by the shared key, then encrypts it by the string it generated in the first stage, with bit 0 being treated as quantum gate I and bit 1 being treated as quantum gate X .Then, it sends the ciphertext to agent 2. Finally, in stage 4 agent 2 decrypts the ciphertext by using both the string it obtained in the stage 2 and its private key.Then agent 2 tests if the plain text is the same as the text it generated in the second stage.The authentication succeeds if and only if the two plaintexts are identical.
Just like in the quantum three-pass protocol, the encryption scheme in our authentication protocol is unconditional secure when the keys are comprised of quantum gates randomly chosen from {X (0), X ( π 2 ), X (π ), X ( 3π 2 )}.Note that the keys can be comprised of other quantum gates such as {Z (0), Z ( π 2 ), Z (π ), Z ( 3π 2 )}.According to Reference Juan et al. (2011), to avoid the substitute-Bell-state attack, there must be at least one quantum gate which can realize the transformation between two complementary quantum observables.

Quantum certificate and signature
As we introduced in the first section (Fig. 1), in cloud computing the data owner sends the key together with a certificate to the user.A certificate can be created by a quantum signature (Zeng and Keitel 2002;Zou and Qiu 2010;Zou et al. 2013).An ideal signature is supposed to (at least) satisfy two properties: One is that it is unforgeable by an attacker, the other is the non-repudiation of the signer and the receiver.In our specific setting, however, we do not care whether the certificate is deniable by the receiver.This is because as the data user, the receiver needs the certificate to get the data.A rational receiver will not deny his possession of the certificate when he in fact owns it.Figure 4 shows our protocol for Fig. 4 Proposed protocol for certification quantum certification, which is simpler than most existing quantum signature protocols.
There are three agents in this protocol: Alice the signer (data owner), Bob the receiver (data user) and Trend the trust third party (cloud).We assume there is a public channel which is susceptible to eavesdropping but not to the injection or alteration of message.Alice and Trend first create a shared key before the protocol starts by the quantum three-pass protocol.Then Alice randomly generates a message (a 1 , . . ., a n ) and announces it via the public channel.Alice encrypts the message by her shared key with Trend and sends it to Bob as a certificate.Bob then sends the certificate Trend.Trend decrypts the certificate and compares it with the message Alice has announced.The certificate succeeds if and only if they are the same.
The certificate generated by this protocol is unforgeable, because the attacker can only successfully forge the certificate when he knows the shared key of Alice and Trend.But this key is generated by the quantum three-pass protocol, which is unconditional secure.On the other hand, the certificate cannot be repudiated by the signer because only she can produce the correct certificate.

Related work
The first protocol for quantum key distribution is developed by Bennetta and Brassard (1984), known as the BB84 protocol.A quantum three-pass protocol for key distribution is proposed in Kanamori and Yoo (2009).Comparing to the protocol of Kanamori and Yoo, the key space of our protocol is significantly smaller.
Many quantum authentication protocols have been proposed (Dusek et al. 1999;Barnum et al. 2002;Nagy and Akl 2007;Kanamori et al. 2009;Mosca et al. 2013).Some protocols use classical cryptography with quantum key distribution (Dusek et al. 1999).Other protocols (Nagy and Akl 2007) employ entanglement for which the entangled pairs are used as a quantum private key.The protocol proposed in Kanamori et al. (2009) is similar to ours in the sense that they also use quantum gates as elements of the keys.The difference is that while infinite many quantum gates are used in the keys of Kanamori et al. (2009), we use only four gates {X (0), X ( π 2 ), X (π ), X ( 3π 2 )}.An influential quantum signature scheme named arbitrated quantum signature was proposed by Zeng and Keitel (2002).Zou and Qiu (2010) simplifies the protocol of Zeng and Keitel by achieving arbitrated quantum signature without entangled states.Our protocol for quantum certification is even simpler than the protocol of Zou and Qiu, because we ignore the concern of the repudiation of the receiver.

Conclusion
In this paper, we study the application of quantum cryptography in access control in cloud computing.We proposed quantum protocols for key distribution, authentication and certification.We analyze our protocols by the graphical language of categorical quantum mechanics.The protocols we presented is unconditional secure and implementable by the current technology.

Compliance with ethical standards
Conflict of interest All authors declare that they have no conflict of interest.
Human participants This article does not contain any studies with human participants or animals performed by any of the authors.
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecomm ons.org/licenses/by/4.0/),which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Fig. 2 Fig. 3
Fig. 2 A quantum three-pass protocol for key distribution

Acknowledgements
Lirong Qiu has been supported by the National Nature Science Foundation of China (NO.61672553) and Ministry of Education humanities social sciences research projects (No. 16YJCZH-076).Xin Sun has been supported by the National Science Centre of Poland (BEETHOVEN, UMO-2014/15/G/HS1/04514).Juan Xu has been supported by Natural Science Foundation of Jiangsu Province, China (Grant No. BK20140823) and Chinese Postdoctoral Science Foundation (Grant No. 2013M531353).

Table 1
Quantum gates on qubits State Operation Many cryptographic scNagy and Akl 2010;signed to solve the problChoi et al. 2014)cess(Akl and Taylor 1983;Nagy and Akl 2010; José and Hernández 2014;Choi et al. 2014).The general methodology is to first encrypt all objects, then distribute the decryption key to those authorized agents.More precisely, assume we are the owner of {data 1 , . . ., data k }.We first use key 1 , . . ., key n to encrypt those data.So we have Enc key 1 (data 1 ), . . ., Enc key n (data n

Table 2
Quantum X-gates on qubits