On the Security of Quantum Key Distribution Ping-Pong Protocol

Computational based cryptography might not guarantee long term security if computational algorithms, computers, and so on are made remarkable progress. Therefore, quantum cryptography with unconditionally security attracts attention. In this paper, we consider security of a two-way quantum key distribution protocol, so called Ping-Pong protocol. As a result, we introduce not only robustness but also a different information disturbance theorem, which denotes a trade-off relationship between information gained for an eavesdropper and error rate, from the related works for an attack model.


Introduction 1.Back Ground
Cryptosystems used for internet, telecommunication, and so on, guarantee security by assuming computational based problems.For instance, RSA cryptosystem and El-Gamal cryptosystem guarantee security with assuming difficulty of factorization and discrete logarithm problem, respectively.Those cryptosystems might not guarantee long term security if computational algorithms, computers, and so on are made remarkable progress.Indeed, it has been showed that we can decode a cipher text to a plain text on RSA cryptosystem by using Shor's quantum factorization algorithm [1].
Quantum key distribution (QKD) protocols are expected to guarantee unconditionally security which dose not depend on any assumption.In QKD protocols, legitimate users Alice and Bob try to share secret key used for onetime pad cryptosystem guaranteeing unconditionally security.In 1984, Bennett and Brassard proposed BB84 protocol [2] and its security proofs have been showed.Ekert proposed E91 protocol [3] by using an essential property of entanglement.
In 2002, Boström and Felbinger proposed Ping-Pong protocol [4] using the Bell state.One-way quantum channels are used for BB84, E91, and so on.On the other hand, in Ping-Pong protocol, legitimate users Alice and Bob try to share secret key by using a two-way quantum channel: Bob sends a qubit system to Alice and she sends back the qubit system to Bob after encoding a bit into the qubit state deterministically.Then, Bob obtains the bit with Probability 1 if an eavesdropper Eve dose not attack.Therefore, they can share secret key without basis reconciliation (on the other hand, they need the reconciliation in BB84 or E91).We call such a QKD protocol without the reconciliation a deterministic quantum key distribution (DQKD) protocol.In Reference [4], the authors showed a trade-off relationship between information gained for Eve and error rate used for detecting the eavesdropping.After that, several security notions of the protocol are discussed from various points of view [5][6][7][8][9][10][11][12].

Contributions
In this paper, we reconsider security of Ping-Pong protocol from a viewpoint of the relationship between information gained for Eve and a detection function of the protocol, and we focus on whether Eve can gain information of secret key without being detected.In the process, we derive an alternate information disturbance theorem which denotes such a trade-off relationship between Eve's information gain and error rate.By necessary consequence of the theorem, Eve cannot gain information without being detected; moreover, Eve gains large information which induces high error rate.Unconditionally security proofs for BB84 based on the information disturbance theorems were shown.The results gave an intuitive and informational meaning to the security of QKD protocols.Our main contribution is to give a new insight as the first step of unconditionally security proof based on the information disturbance theorems to Ping-Pong protocol.
This paper is organized as follows.In the next section, we give the original procedure of Ping-Pong protocol.In Section 3, we review several related works.In Section 4, we set our problem in the protocol and derive new information disturbance theorem.As a result, we show robustness of the protocol by using the theorem.Finally, in Section 5, we summarize this paper.

Ping-Pong Protocol [4]
Let us consider that the legitimate users Alice and Bob try to share secret key by using Ping-Pong protocol.Suppose that a quantum channel and a public channel are equipped between Alice and Bob.In the protocol, they share secret keys with a message mode and detect Eve with a control mode.The protocol consists of the following steps: Bob prepares a bipartite system in a Bell state . He sends A H to Alice over the quantum channel and keeps B H by himself.
Alice performs the following operation randomly on the system A H : Message_A: Alice generates a random number   0,1 s  and keeps it as a sifted key.She performs a unitary evolution I on the system such like , or performs a unitary evolution . She sends back the post operation system to Bob over the quantum channel.
Control_A: Alice measures the system with a projective measurement relevant to an observable and obtains an index   They repeat the above steps sufficiently many times and calculate rate P  defined as value of the number of events of i i  divided by the number of events of Control _A and B.
They abort the protocol if S , where S is a preset security parameter to detect an eavesdropper.Otherwise, they perform error correction and privacy amplification to generate secret key on the sifted keys over the public channel.

P P   P
It is also suggested that Ping-Pong protocol is applied to direct quantum communications.Alice can send Bob any massage string to choose not random bit but any bit in Message_A.However, Eve might gain the massage string when Alice and Bob abort the protocol in Step V. Therefore, we should need to discuss security notion of the application for the direct quantum communications in a wary manner.

Related Works
In this section, we review several related works focusing on security of Ping-Pong protocol against several attacks.
In Reference [4], Boström and Felbinger not only proposed Ping-Pong protocol but also analyzed security of the protocol against an attack that an eavesdropper Eve performs any quantum operation on the quantum channel from Bob to Alice.Eve tries to obtain information of a secret key with distinguishing two kinds of qubits encoded by Alice.They show a relationship between information gain for Eve and error rate of bits on the control mode by using Holevo's bound as the limit of obtaining information for Eve.On the other hand, in this paper, we show an alternate relationship against the same attack model by using trace distance applied to security proof with the information disturbance theorems easily.
In Reference [6], Wójcik proposed an attack focusing imperfect quantum channel and analyzed the relationship between mutual information for Alice and Eve and mutual information Alice and Bob.Eve prepares two quantum systems in an ancillary system and an empty mode, respectively, and she performs a Hadamard gate and a SWAP gate on the systems and a qubit sent by Bob.As a result, it was shown that Eve can gain information without being detected if the quantum channel is imperfect.In Reference [7], Zhang, Man, and Li improved the attack indicated by Wójcik.Those attacks are effective in obtaining information on the original protocol with imperfect channels.However, in Reference [10], Boström and Felbinger claimed that Ping-Pong protocol becomes secure if a simple modification is applied to the protocol.
In Reference [11], we dealt with the protocol with perfect quantum channel and derived a trade-off inequality between indistinguishability for Eve and error rate of the bits on the control mode.We applied fidelity to indistinguishability of the qubits encoded by Alice.Fidelity is also suited to be a method for deriving the information disturbance theorems.We also introduced a variant of the protocol and showed the relevant trade-off inequality on the variant protocol.
Recently, in Reference [12], Miszczak and Zawadzki generalized Wójcik's approach.They dealt with general imperfect (noisy) quantum channel described as Kraus representation and considered security of the protocol in the setting based on quantum bit error rare (QBER).Error caused by Eve's attack is hidden behind QBER caused by environment systems.They showed an estimation method for QBER on the protocol and showed an example of estimation of QBER on a depolarizing channel.
A series of DQKD protocols based on Ping-Pong protocol was proposed.In Reference [13], DQKD protocol so called LM05 was proposed.This protocol is a kind of DQKD protocols without entanglement.A similar protocol without entanglement so called four-state protocol was proposed [14].In Reference [15,16], Lu et al., and Beaudry et al. analyzed security of four-state protocol and LM05 on the perfect quantum channels, respectively.In Reference [17], Fung et al. showed a relationship between delayed privacy amplification and security of DQKD protocols without entanglement.

Analysis
We consider security analysis of Ping-Pong protocol against the following attack model: On the perfect quantum channel from Bob to Alice, an eavesdropper Eve performs a quantum operation on each system A H .She obtains the system A H operated by Alice on the perfect quantum channel from Alice to Bob and gains information of secret key by distinguishing quantum states.
The purpose of the analysis is to obtain a first step for theoretical proofs of unconditional security based on the information disturbance theorems.
Eve prepares s quantum system E H in a state  and performs a unitary evolution on the bipartite system We call e error rate for 1 bit.Note that e plays a role of efficiency of detecting function directly if we preset S P 0 P P  .In this case, we detect Eve by using Control_A and B if and only if holds.In Mes-sage_A, the post operation state is given by 0 Let A and be random variables expressing values of in Message_A and results of guessing a key s for Eve, respectively.We try to estimate Shannon's mutual information  ;  I A E , which is regarded as information gain for Eve, by using trace distance.Trace distance for two quantum states  and  is defined as, Trace distance takes a value from 0 to 1 and Therefore, trace distance is regarded as distinguishability of two quantum states.
We obtain the following inequality: We substitute e into the above inequality, then, we obtain the following theorem.

P
Theorem 1.In Ping-Pong protocol, the following tradeoff relationship between information gain for Eve and error rate on the control mode holds.

 
; 2 e I A E P  .
The trade-off inequality has two meanings: The inequality means a trade-off relationship between information gain for Eve and error rate, i.e., if the attack yields Eve large information gain, it induces large error rate.

Conclusion
We derived the alternate information disturbance theorem on Ping-Pong protocol against the attack model.The theorem showed that Eve cannot gain information without being detected; moreover, the larger Eve gain information, the larger error rate becomes.However, full proof of unconditionally security of the protocol based on the information disturbance theorem is not known.Therefore, we mention full proof on perfect and imperfect situation as future works.Moreover, it should be needed to discuss security notion, definition, and so on by using a unified method such as on theory of modern cryptography.
Alice chooses Control_A, Bob measures the system B H with the measurement relevant to z  and obtains an outcome  0 holds.Moreover, Eve cannot gain information without being detected if Alice and Copyright © 2013 SciRes.JQIS