Improving security of the ping-pong protocol

A security layer for the asymptotically secure ping-pong protocol is proposed and analyzed in the paper. The operation of the improvement exploits inevitable errors introduced by the eavesdropping in the control and message modes. Its role is similar to the privacy amplification algorithms known from the quantum key distribution schemes. Messages are processed in blocks, which guarantees that an eavesdropper is faced with a computationally infeasible problem as long as the system parameters are within reasonable limits. The introduced additional information preprocessing does not require quantum memory registers, and confidential communication is possible without prior key agreement or a shared secret.


Introduction
A paradigm of quantum secure direct communication (QSDC) has been studied for the last decade [1]. QSDC protocols are designed for transmission of classic information over quantum channels but, contrary to quantum key distribution (QKD) schemes, they do not require prior key agreement for confidentiality provision. The so-called ping-pong protocol [2] has attracted a lot of attention, as it is provably asymptotically secure in lossless channels [3]. It has also been shown that protocol variants based on higher dimensional systems and exploiting superdense information coding share this feature [4,11,12,15]. The problem with the ping-pong protocol security lies in the fact that the offered eavesdropping detection probability per signal particle is too low [11,15]. In effect, an eavesdropper is detected with a reasonable probability only for sufficiently long sequences. In practice, such protocols cannot be used because an eavesdropper can intercept some part of the message before he is detected. To cope with this problem, two-step and/or batch processing of qubits has been proposed [5,9,12,13]. As an alternative, some additional quantum processing analogous to privacy amplification in QKD protocols has been proposed [7]. However, those solutions are not implementable with the current technology because of the requirement of large photonic quantum memory registers [6].
P. Zawadzki, Institute of Electronics, Silesian University of Technology, Akademicka 16, 44-100 Gliwice, Poland, e-mail: Piotr.Zawadzki@polsl.pl
The estimated security of the ping-pong protocols is even worse in noisy environments, when legitimate users tolerate some level of transmission errors and/or losses. If that level is too high compared to the quality of the channel, then an eavesdropper can peek at some fraction of signal particles, hiding himself behind the accepted quantum bit error rate (QBER) threshold [14,16]. The possibility of intercepting some part of the message without being detected renders the protocol insecure. However, the ping-pong protocol is still an interesting object of further investigation, despite its problems with the offered security level, as it remains one of the few QSDC protocols that have laboratory implementations [10].
The method to overcome the difficulties summarized above is presented in the paper. Supplementing the ping-pong protocol with properly designed message pre- and post-processing steps can assure security on the level required by a given application. Although in the considered improvement the message is processed in blocks, the main advantage of the proposed approach is the elimination of quantum registers. Thus the improved protocol can, in principle, be realized in practice. Moreover, in the resulting protocol, contrary to many other QSDC protocols, the noise in the quantum channel works to the advantage of the legitimate users, improving the security of communication. It is shown that Eve is faced with a computationally infeasible problem as long as the quality of the quantum communication falls within a prescribed margin. As a result, Eve intercepts no useful information and the improved protocol is secure.

The ping-pong protocol in short
Let us consider the seminal version of the ping-pong protocol [2], in which the message and control modes are executed only in the computational basis. The communication process is started by Bob, the recipient of information, who prepares two maximally entangled qubits. Without loss of generality it may be assumed that they are in the state One of the qubits, denoted as "home", is kept confidential, while the second one, named the "travel", is sent to Alice via a publicly accessible quantum channel. Alice randomly selects message mode or control mode. In message mode she applies to the travel qubit a transformation $Z^{\mu}$ where k = 0, 1 and μ denotes the value of the encoded classic bit. Because the qubits are entangled, Alice's local operations have nonlocal effects. The system composed of the home and travel qubits is left unchanged or transformed into another maximally entangled state Next, the travel qubit is sent back to Bob, who performs a collective measurement on both qubits. Malicious Eve may try to intercept some information encoded by Alice. Her actions are perceived by legitimate users as noise and/or losses, so a special control mode is used for eavesdropping detection. Alice switches to the control mode in some randomly selected protocol cycles. In this mode she measures the received travel qubit, and the fact of switching is announced via a public classic channel. It is assumed that although public information is accessible to Eve, she cannot control its content. It follows that Alice and Bob have to be able to check the authenticity of the classic data, which in turn implies that the legitimate parties share some key or that the classic channel is authenticated by some other means. Bob subsequently measures the home qubit and asks Alice to reveal the value of her measurement. Because of the fragile entanglement of the two-qubit system, the result of Bob's measurement is fully determined by the value obtained by Alice.
Any deviation from that correlation indicates the presence of Eve. It has been shown [2,3] that Eve, by measuring the travel qubit and the ancilla, can intercept at most where d denotes eavesdropping detection probability. Thus, to intercept non-zero information she has to risk detection in the control mode. As a result the protocol is asymptotically secure: Eve's activity is detected with probability approaching one when the number of eavesdropping operations goes to infinity. Similar relations can be derived for variants employing superdense coding and higher dimensional signal particles [11,15].
Instead of mounting an incoherent attack that introduces noise, Eve can steal some particles, as has been proposed in [14,16]. Those attacks preserve correlations required by the control mode at the price of introducing 25% losses. As long as legitimate users tolerate non-ideal transmission efficiency, and the number of lost particles is sufficiently low, attacks of this type are undetectable in the seminal protocol. However, they also introduce errors in the message mode at a rate of 25%, and that feature can be exploited to considerably limit their usefulness.

Security improvement
The information to be encoded is divided into blocks $[m]_n$ of length $L$ each. Let M = m μ be the message padded [8] to length $NL$. Alice and Bob use an error correcting code ECC(·), which is able to recover from errors below the QBER threshold, and a cryptographic function Hash(·) that returns an L-bit hash of its input.
where n denotes the number of the block. The blocks $[s]_n$ form an encoded sequence S. (c) Alice calculates a protected key (d) and its hash where x is some random number.

Communication
(a) Alice quantumly sends $\mathrm{ECC}(K_P)$, $\mathrm{ECC}(H_P)$ and classically x.
(b) Bob finds where E(·) denotes modifications introduced by an attack operation and/or channel imperfections, and checks equality

Postprocessing
(a) The preprocessing key is recovered as (b) When the preprocessing key is known the n-th message block is decoded as If the error level in the quantum channel exceeds the correction capabilities of the ECC, then s n = [s] n and based on (9) K = K . The properties of the hash function guarantee that m n is completely different from m n . Such an event can be easily detected by the integrity check implemented in the higher layer, which is usually the case in communication systems.

Analysis
The hash function properties guarantee that correct decoding (10) of a single message bit requires the knowledge of the correct value of the corresponding bit from the encoded sequence S and the whole preprocessing key K, which in turn, based on (9), depends on the protected key $K_P$ and the whole encoded sequence S. It follows that it is sufficient to protect only the transmission of $K_P$ to provide message confidentiality on a reasonable level. In further analysis it will be assumed that protocol cycles in control mode are executed only during $K_P$ transmission. If the quantum channel is perfect and the communicating parties do not employ any error correction, then the attack on the protected key block is detected with probability $1 - (1 - d)^C$, where C is the number of control modes. But for d < 1/2 Eve has incomplete information I(d) about the message encoded by Alice, thus she has to guess a part of the key and she is faced with a problem of complexity $2^{(1 - I(d))L}$. If she mounts an attack giving her complete information, then she will be detected with probability close to one before any message-related data is sent. On the other hand, her information gain is small for weakly detected attacks ($\lim_{d \to 0} I(d) = 0$) and she is faced with a computationally infeasible problem as long as L is selected sufficiently large. Moreover, incoherent attacks also introduce some bit error ratio b in the message mode. Thus, additionally, any attack in a lossless channel will be detected by the key integrity check with probability where n denotes the number of intercepted particles. If the quantum channel is still perfect but legitimate users tolerate errors and/or losses on levels QBER and QLOSS, respectively, then Eve is in a better position. This is the limiting case of the situation when Eve replaces the original imperfect quantum channel with a better one, or Alice and Bob underestimate the quality of the channel they have already been using.
The non-zero accepted QBER changes the detectability of the incoherent attack. The interception of the entire protected key is then detected with probability where C is the number of conclusive control modes. At the same time $(QBER/b)L$ particles can be intercepted in message mode without exceeding the correction capabilities of the protection code. Thus an attack on the entire protected key is detected with probability given by and valid for $0 \le QBER/b \le 1$. Which of those expressions is more decisive depends on the mutual relation between C, L and b. As the connection between the induced bit error rate b in the message mode and the properties of incoherent attacks is not well investigated, the first of those expressions should serve as a tool for selecting the parameter C that provides the desired security level. Moreover, Eve is still faced with the problem of key guessing of complexity $2^{(1 - I(d))L}$. Contrary to the lossless case, she may stay invisible as long as she intercepts less than the QBER portion of particles. But in this case she has to solve a problem of complexity $2^{(L - QBER)}\, 2^{(1 - I(d))QBER}$. Another kind of attack can be mounted with techniques summarized in [14,16]. Those attacks are by design undetectable in the control mode as long as the number of lost particles is within the tolerance accepted by legitimate parties. In the improved version [16] induced losses are on the 25% level and may be detected by monitoring transmission quality. Unfortunately such tests are not reliable and cannot be used in a quantum channel with losses exceeding that limit. However, at the same time the bit error rate in message mode is also equal to b = 0.25 and expression (12) can be used. The non-detection probability $1 - p_{mic} \approx (3/4)^{L(1 - 4\,QBER)}$ is very close to zero for L = 256 and QBER of the order of a few percent, a value easily satisfied by contemporary quantum channels. At the same time Eve's knowledge about the protected key is limited by the mutual information $I_{AE} = \frac{3}{4}\log_2\frac{4}{3}$ per intercepted particle [14,16]. Thus Eve is still faced with a problem of computational complexity equal to $2^{(1 - I_{AE})L}$.
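The sizing expressions of the Analysis section, worked numerically as an added example (not code from the paper). Function names are hypothetical; d = 0.25 and the 2^-40 miss target are constructed sample values, and the general-b form (1 - b)^(L(1 - QBER/b)) is an assumption inferred from the b = 0.25 case given above.

```python
import math

# I_AE = (3/4) log2(4/3): Eve's information per intercepted particle for the
# particle-stealing attacks, as stated in the Analysis section.
I_AE = 0.75 * math.log2(4 / 3)

def min_control_cycles(d, miss_bits):
    """Smallest C with (1 - d)^C <= 2^-miss_bits, i.e. detection probability
    1 - (1 - d)^C of at least 1 - 2^-miss_bits (perfect channel, no ECC)."""
    if not 0 < d <= 1:
        raise ValueError("d must be in (0, 1]")
    if d == 1:
        return 1  # a single control cycle always detects
    return math.ceil(miss_bits / -math.log2(1 - d))

def log2_key_check_miss(L, qber, b=0.25):
    """log2 of the probability that the key integrity check misses an attack
    on the whole protected key: (1 - b)^(L (1 - QBER/b)).
    Assumed generalisation of the text's b = 0.25 case (3/4)^(L(1 - 4 QBER))."""
    if not 0 < b < 1:
        raise ValueError("b must be in (0, 1)")
    ratio = qber / b
    if not 0 <= ratio <= 1:
        raise ValueError("expression valid only for 0 <= QBER/b <= 1")
    return L * (1 - ratio) * math.log2(1 - b)

def eve_work_bits(L, info_per_particle):
    """Exponent of the key-guessing complexity 2^((1 - I) L)."""
    return (1 - info_per_particle) * L

def sizing_report(L, qbers, d, miss_bits):
    """Return (C, rows); one row per tolerated QBER:
    (QBER, log2 of key-check miss probability, Eve's search exponent)."""
    rows = [(q, log2_key_check_miss(L, q), eve_work_bits(L, I_AE))
            for q in qbers]
    return min_control_cycles(d, miss_bits), rows

if __name__ == "__main__":
    # Constructed sample parameters: L = 256 as in the text; d and the 2^-40
    # miss target are illustrative values, not taken from the paper.
    C, rows = sizing_report(256, [0.0, 0.01, 0.03, 0.05], d=0.25, miss_bits=40)
    print(f"control cycles needed: C >= {C}")
    for q, miss, work in rows:
        print(f"QBER={q:.2f}  miss ~ 2^{miss:.1f}  Eve's search ~ 2^{work:.1f}")
```

At QBER = b the miss exponent reaches zero: once the tolerated error rate equals the rate the attack induces, the key integrity check gives no protection at all.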
The application of the proposed security layer also has consequences for the efficiency of the protocol. The protected key hash (6) and protected message sequence (4) carry data which is insensitive to eavesdropping, thus there is no point in executing control modes during their transfer. This greatly improves protocol efficiency, and the saved control modes can be executed during the protected key transfer, thereby improving the protocol properties.

Conclusion
The proposed security layer exploits inevitable errors induced by the eavesdropping in the control and message modes, a property not used so far. It is shown that properly combined primitives, which are well known in classic cryptography, provide a layer which gives reasonable security for quantum deterministic communication. The function of that layer is similar to the privacy amplification known from quantum key distribution schemes, except that the proposed improvement does not introduce randomization of the information content and the deterministic character of communication is preserved. The processing of the message in blocks guarantees that an eavesdropper mounting incoherent attacks is faced with a computationally infeasible problem as long as system parameters, such as the block length and the accepted error rate, are within reasonable limits. It is also worth noting that although primitives known from classic cryptography have been used to build an additional layer, no key agreement or shared secrets are required for confidential communication.
The main conceptual advantage of QSDC communication over QKD protocols resides in its versatility. QSDC can be used for deterministic transmission of small portions of sensitive data without key agreement as well as for regular QKD. The proposed protocol may be an attractive alternative also in this second application, as the main sources of quantum resource wastage, that is, key sifting and privacy amplification, simply do not appear.
Open Access This article is distributed under the terms of the Creative Commons Attribution License which permits any use, distribution, and reproduction in any medium, provided the original author(s) and the source are credited.