
Page 1: Cryptanalysis of multiparty controlled quantum secure direct communication using Greenberger–Horne–Zeilinger state

Optics Communications 283 (2010) 192–195


Fei Gao a,*, Su-Juan Qin a, Qiao-Yan Wen a, Fu-Chen Zhu b

a State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China
b National Laboratory for Modern Communications, P.O. Box 810, Chengdu 610041, China

Article info

Article history: Received 11 May 2009; Accepted 17 September 2009

PACS: 03.67.Dd; 03.67.Hk

Keywords: Quantum secure direct communication; Quantum cryptography; Cryptanalysis; Greenberger–Horne–Zeilinger state

Abstract

We analyze the security of multiparty controlled quantum secure direct communication using Greenberger–Horne–Zeilinger (GHZ) state. It is shown that the receiver, using a special property of GHZ state, can illegally obtain 33.3% of the sender’s secret without any controller’s permission. The attack strategy is demonstrated in detail and an improvement of this protocol is discussed. The idea of this attack might be instructive for the cryptanalysis of quantum cryptographic protocols.

© 2009 Elsevier B.V. All rights reserved.

0030-4018/$ - see front matter © 2009 Elsevier B.V. All rights reserved. doi:10.1016/j.optcom.2009.09.047

* Corresponding author. Address: State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, P.O. Box 305, Beijing 100876, China. Tel.: +86 10 62283240; fax: +86 10 62283192.

E-mail addresses: [email protected], gaofei_bupt@hotmail.com (F. Gao).

Cryptography is the approach to assure the secrecy of the data which is stored or communicated in public environment. In classical cryptography, the security of most cryptosystems is based on the assumption of computational complexity. Differently, quantum cryptography [1] can obtain theoretically unconditional security by introducing quantum mechanics principles into cryptography. An important application of quantum cryptography is to distribute random key between users, which is called quantum key distribution (QKD) [2–4]. Recently, quantum secure direct communication (QSDC) [5–8], another branch of quantum cryptography, appeared and attracted a great deal of attention. It allows the sender to transmit the secret (instead of a random key) directly to the receiver in a deterministic and secure manner. Moreover, a carefully designed QSDC protocol can also attain unconditional security in theory [9].

As we know, design and analysis have always been important branches of cryptography. Both of them drive the development of this field. The same should be true in quantum cryptography. As pointed out by Lo and Ko, breaking cryptographic systems was as important as building them [10]. In fact, cryptanalysis is an interesting work in quantum cryptography. Some protocols were attacked successfully by subtle strategies which were not considered when these protocols were originally designed [11–18]. Understanding those attacks will be helpful for us to design new schemes with high security.

Compared with that in QKD, the demands for security in QSDC are more rigorous because the information transmitted in channel is just the secret instead of a random key. More concretely, the information carried by photons cannot be leaked out whether the eavesdropper would be discovered or not. Based on this fact, some attacks on QSDC were proposed [19,20]. Furthermore, it was pointed out that the information of the secret would be partially leaked out in quite a few bidirectional QSDC protocols [21,22]. Therefore, cryptanalysis of QSDC is a problem deserving of study.

Not long ago, a new kind of QSDC, i.e. controlled QSDC (CQSDC), was presented and it is attracting a lot of attention [23–27]. In this circumstance, except for the sender and the receiver, there is still at least one controller. Only with the permission of controller can the receiver read the secret from the sender. As a result, the cryptanalysis of CQSDC boils down to two questions: (1) Can an external eavesdropper extract information about the transmitted secret? (2) Can the receiver obtain secret information without the permission of the controller? In a secure CQSDC protocol the answers of both questions should be no.

In a recent paper [28], Wang et al. gave a vivid description about the application of CQSDC and its security requirements. They also proposed a novel CQSDC protocol based on Greenberger–Horne–Zeilinger (GHZ) state. It achieves a high source capacity because GHZ state forms a large Hilbert space. Furthermore, some careful measures were taken to ensure its security. Here we study the cryptanalysis of this protocol and we will show that, by a clever strategy, the receiver can obtain 33.3% of the secret information even if it is not allowed by the controller. That is, it is necessary to find some possible improvements for this protocol so that it can withstand this kind of attack. For simplicity we will call this protocol WZT protocol in the following text.

Let us give a brief description of WZT protocol (three-party version) first. Suppose Alice is the sender, Bob is the controller and Charlie is the receiver. The CQSDC process consists of the following steps (see Fig. 1).

(1) Bob generates a certain amount of three-particle GHZ states $|\Psi\rangle = \frac{1}{\sqrt{2}}(|000\rangle + |111\rangle)_{ABC}$. All the particles denoted by $A$ $(B, C)$ compose an ordered sequence $A$ $(B, C)$. Bob randomly performs one of four Pauli operations $\{I, \sigma_z, \sigma_x, i\sigma_y\}$ on every particle in $B$ sequence, and then sends $A$ and $B$ sequences to Alice.

(2) After Alice received these two sequences, she and Bob randomly select some GHZ states as check qubits and detect eavesdropping by conjugate-basis measurements, i.e. $B_Z = \{|0\rangle, |1\rangle\}$ or $B_X = \left\{|+\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle),\ |-\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)\right\}$, on them.

(3) If there is no eavesdropping, Bob randomly performs one of $\{I, \sigma_z, \sigma_x, i\sigma_y\}$ on every particle in $C$ sequence, and then sends this sequence to Charlie.

(4) After Charlie received these particles, three users detect eavesdropping by the way similar to that in step (2).

(5) If there is no eavesdropping, Alice prepares two sets of random check bits and encodes them into some random GHZ states first. After that Alice encodes her secret message into the remaining GHZ states. Here the encoding operations are eight Pauli-pairs $\{U_1 = \sigma_z \otimes \sigma_z,\ U_2 = I \otimes \sigma_z,\ U_3 = i\sigma_y \otimes \sigma_z,\ U_4 = \sigma_x \otimes \sigma_z,\ U_5 = I \otimes \sigma_x,\ U_6 = \sigma_z \otimes \sigma_x,\ U_7 = \sigma_x \otimes \sigma_x,\ U_8 = i\sigma_y \otimes \sigma_x\}$, which will be performed on particles $A$ and $B$ in a same GHZ state. Then Alice sends $B$ sequence to Charlie, which is followed by an eavesdropping-detection process, similar to that in step (2), using the GHZ states encoded with one set of check bits. If no eavesdropping is discovered, Alice sends $A$ sequence to Charlie and then similar eavesdropping detection, using the GHZ states carrying the other set of check bits, is executed.

(6) Thus Charlie owns $A, B, C$ sequences. If Bob publishes his operations on the photons in $B, C$ sequences, Charlie can acquire Alice’s secret message by performing GHZ measurement on each GHZ state. But Charlie cannot obtain the secret message without Bob’s permission.

Fig. 1. The process of WZT protocol. The black dots labelled as $A$, $B$, and $C$ represent three qubit sequences. $R^B_P$ $(R^C_P)$ is the random Pauli operation on particles in $B$ $(C)$ sequence, and $C_A$ and $C_B$ are coding operations performed on qubits in $A$ and $B$ respectively. $M$ denotes the GHZ measurement. The vertical line labelled as $D_i$ $(i = 1, 2, 3, 4)$ means an eavesdropping-detection step via conjugate-basis measurements. The dotted line $E_1$ and $E_2$ represent the positions where Charlie executes his eavesdropping in our attack. Furthermore, Alice, Bob, and Charlie’s respective regions are separated by dashed lines.

Now we consider the security of WZT protocol according to the two cryptanalysis criteria of CQSDC mentioned above. On the one hand, four detection processes via conjugate-basis measurements, which have been proved an efficient manner of detection in quantum cryptography [3,29], are used in this protocol. This ensures that an external eavesdropper cannot obtain the secret message without being detected. On the other hand, can Charlie extract secret information without the permission of Bob? The author of Ref. [28] believed that Bob’s random operation on particle $B$ (i.e. $R^B_P$ in Fig. 1) could prevent Charlie from attaining partial information without Bob’s help. However, this conclusion will be broken if Charlie utilizes a special property of GHZ state, which we call “correlation extractability” [32,33], to attack. In the following we will describe this property and Charlie’s eavesdropping in detail.

Without loss of generality, consider any three-particle GHZ state, which can be represented in the form

$$|\Psi_0\rangle_{ABC} = \frac{1}{\sqrt{2}}\left(|n_1, n_2, n_3\rangle + |\bar{n}_1, \bar{n}_2, \bar{n}_3\rangle\right)_{ABC}, \tag{1}$$

where $A$, $B$, and $C$ denote different particles, $n_i = 0$ or $1$, and $\bar{n}_i = 1 - n_i$ $(i = 1, 2, 3)$. If one prepares a single qubit in state $|0\rangle_D$, the state of the whole system is

$$|\Psi_1\rangle = |\Psi_0\rangle_{ABC}|0\rangle_D = \frac{1}{\sqrt{2}}\left(|n_1, n_2, n_3, 0\rangle + |\bar{n}_1, \bar{n}_2, \bar{n}_3, 0\rangle\right)_{ABCD}. \tag{2}$$

Then a CNOT operation $C_{AD}$ (the first subscript $A$ is the controller and the second $D$ is the target) is performed on particles $A$ and $D$, by which $D$ will be entangled into GHZ state and the state will become

$$|\Psi_2\rangle = C_{AD}|\Psi_1\rangle = \frac{1}{\sqrt{2}}\left(|n_1, n_2, n_3, n_1\rangle + |\bar{n}_1, \bar{n}_2, \bar{n}_3, \bar{n}_1\rangle\right)_{ABCD}. \tag{3}$$

Now if another CNOT operation $C_{BD}$ is performed, the state will be changed into

$$\begin{aligned}
|\Psi_3\rangle = C_{BD}|\Psi_2\rangle &= \frac{1}{\sqrt{2}}\left(|n_1, n_2, n_3, n_1 \oplus n_2\rangle + |\bar{n}_1, \bar{n}_2, \bar{n}_3, \bar{n}_1 \oplus \bar{n}_2\rangle\right)_{ABCD} \\
&= \frac{1}{\sqrt{2}}\left(|n_1, n_2, n_3\rangle + |\bar{n}_1, \bar{n}_2, \bar{n}_3\rangle\right)_{ABC}|n_1 \oplus n_2\rangle_D \\
&= |\Psi_0\rangle_{ABC}|n_1 \oplus n_2\rangle_D,
\end{aligned} \tag{4}$$

where $\oplus$ is the addition modulo 2 and the equation $n_1 \oplus n_2 = \bar{n}_1 \oplus \bar{n}_2$ was used. Obviously, particle $D$ is definitely disentangled from GHZ state, and the measurement result of this particle in basis $\{|0\rangle, |1\rangle\}$ will be $r = n_1 \oplus n_2$. This value implies the correlation between $n_1$ and $n_2$ (i.e. between particles $A$ and $B$). That is, $r = 0$ means $n_1 = n_2$, otherwise $n_1 = \bar{n}_2 = 1 - n_2$. And most importantly, the original GHZ state $|\Psi_0\rangle_{ABC}$ is completely unchanged. The whole process is demonstrated in Fig. 2. Above we took three-particle GHZ states as our example. In fact similar property also exists for multiparticle ones.

As shown above, by double-CNOT operation one can obtain the correlation between any two qubits in a GHZ state as long as they are accessible to him/her. At the same time, the GHZ state holds unchanged. This is a special property of GHZ state (i.e. the so-called “correlation extractability”). It is interesting but, unfortunately, it always gives eavesdropper the chance to attack in quantum cryptographic protocols, including QKD [30], quantum secret sharing (QSS) [31], quantum exam [32] and QSDC [33].

Fig. 2. Correlation extractability of GHZ states. The horizontal lines labelled as $A$, $B$, $C$, and $D$ represent different particles. The dashed vertical lines labelled $|\Psi_i\rangle$ $(i = 0, 1, 2, 3)$ imply the states at different steps.

Now let us go back to WZT protocol. From Fig. 1 we can see that Alice’s secret is just represented by $C_A$ and $C_B$, i.e. one of eight Pauli-pairs $\{U_1 = \sigma_z \otimes \sigma_z,\ U_2 = I \otimes \sigma_z,\ U_3 = i\sigma_y \otimes \sigma_z,\ U_4 = \sigma_x \otimes \sigma_z,\ U_5 = I \otimes \sigma_x,\ U_6 = \sigma_z \otimes \sigma_x,\ U_7 = \sigma_x \otimes \sigma_x,\ U_8 = i\sigma_y \otimes \sigma_x\}$. If an eavesdropper can obtain the correlations between particles $A$ and $B$ before and after Alice’s coding operations, he can consequently get partial information about this secret. For simplicity, let $R^{AB}_0$ and $R^{AB}_1$ denote the correlation before and after the coding operation respectively. If $R^{AB}_0 = R^{AB}_1$, the eavesdropper knows that Alice’s coding operation is one of $\{U_1, U_2, U_7, U_8\}$. Otherwise he knows the operation belongs to $\{U_3, U_4, U_5, U_6\}$.

Then consider the question that whether an eavesdropper is able to extract both correlations $R^{AB}_0$ and $R^{AB}_1$ under the detection strategies in WZT protocol. Denote the transmission of $A$ $(B)$ sequence from Alice to Bob as $T^{AB}_A$ $(T^{AB}_B)$, and similarly the transmission from Bob to Charlie as $T^{BC}_A$ $(T^{BC}_B)$. From Fig. 1 we can see that there are no detections between $T^{AB}_A$ and $T^{AB}_B$. So any one has access to particles $A$ and $B$, and can obtain their correlation $R^{AB}_0$ by double-CNOT operation. On the contrary, there is a detection $D_3$ between $T^{BC}_B$ and $T^{BC}_A$, which makes it impossible for an external eavesdropper to extract the correlation $R^{AB}_1$ (because such eavesdropping will be discovered by legal users). But for Charlie it is a different thing. He can utilize the advantage of a legal user to perform double-CNOT operation after detections $D_3$ and $D_4$.

Above analysis implies that Charlie can extract both correlations $R^{AB}_0$ and $R^{AB}_1$, and then obtain partial information about Alice’s secret without the permission of Bob. His eavesdropping consists of two double-CNOT operations denoted by $E_1$ and $E_2$ in Fig. 1.

Now we demonstrate Charlie’s eavesdropping by an example. Without loss of generality, consider one GHZ state initially in

$$|\Psi^0_e\rangle_{ABC} = \frac{1}{\sqrt{2}}\left(|0, 0, 0\rangle + |1, 1, 1\rangle\right)_{ABC}. \tag{5}$$

Suppose Bob’s operation on particle $B$ is $R^B_P = \sigma_x$, then the state after it becomes

$$|\Psi^1_e\rangle_{ABC} = I \otimes \sigma_x \otimes I\,|\Psi^0_e\rangle_{ABC} = \frac{1}{\sqrt{2}}\left(|0, 1, 0\rangle + |1, 0, 1\rangle\right)_{ABC}. \tag{6}$$

After that particles $A$ and $B$ will be sent out to Alice. At that time Charlie intercepts them and performs double-CNOT operation, obtaining the correlation $R^{AB}_0 = 0 + 1 = 1$. And then resends them to Alice. At the same time, the state $|\Psi^1_e\rangle_{ABC}$ will not be disturbed.

After Alice received these two particles, detection $D_1$ will be executed. Then Bob performs $R^C_P$ on particle $C$, and Alice encodes her secret (3 bits) into $A$ and $B$. Suppose $R^C_P = i\sigma_y$, and Alice’s coding operation is $C_A \otimes C_B = I \otimes \sigma_z = U_2$, the state will be changed into

$$|\Psi^2_e\rangle_{ABC} = I \otimes \sigma_z \otimes i\sigma_y\,|\Psi^1_e\rangle_{ABC} = \frac{1}{\sqrt{2}}\left(|0, 1, 1\rangle + |1, 0, 0\rangle\right)_{ABC}. \tag{7}$$

Then all the three particles are sent to Charlie step by step. Each transmission is followed by a detection (i.e. $D_2$, $D_3$, and $D_4$). When all these detections have been done, Charlie performs double-CNOT operation on $A$ and $B$, by which he can obtain the correlation $R^{AB}_1 = 0 + 1 = 1$. Because $R^{AB}_0 = R^{AB}_1$, Charlie knows that Alice’s coding operation is one of $\{U_1, U_2, U_7, U_8\}$, which means only 2 bits of unknown information. As a result, through two double-CNOT operations Charlie can obtain 1 bit of information about the three carried by particles $A$ and $B$. When $R^B_P$, $R^C_P$, $C_A$, and $C_B$ are other Pauli operations different from above example, we can also draw similar conclusion. By eavesdropping all of the GHZ states, Charlie can, even without Bob’s permission, obtain 33.3% of Alice’s secret finally.
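The correlation-extraction property of Eqs. (1)–(4) and the worked example of Eqs. (5)–(7) can be checked numerically for every choice of Bob's Pauli operations and Alice's coding pair. The following Python simulation is an added example, not code from the paper; the dictionary representation of states and all function names are assumptions made here, and $i\sigma_y$ is taken to act as $|0\rangle \to -|1\rangle$, $|1\rangle \to |0\rangle$.

```python
from itertools import product
from math import isclose, log2, sqrt

# Action of each Pauli on a computational-basis bit: bit -> (new_bit, phase).
PAULI = {
    "I":   lambda b: (b, 1),
    "sz":  lambda b: (b, -1 if b else 1),
    "sx":  lambda b: (1 - b, 1),
    "isy": lambda b: (1 - b, 1 if b else -1),  # i*sigma_y|0> = -|1>, i*sigma_y|1> = |0>
}
# Alice's eight coding pairs (C_A, C_B), numbered U1..U8 as in step (5).
U = {1: ("sz", "sz"), 2: ("I", "sz"), 3: ("isy", "sz"), 4: ("sx", "sz"),
     5: ("I", "sx"), 6: ("sz", "sx"), 7: ("sx", "sx"), 8: ("isy", "sx")}

def ghz():
    """(|000> + |111>)/sqrt(2), stored as {(A, B, C) bits: amplitude}."""
    return {(0, 0, 0): 1 / sqrt(2), (1, 1, 1): 1 / sqrt(2)}

def apply(state, op, q):
    """Apply the Pauli named `op` to qubit index q (0 = A, 1 = B, 2 = C)."""
    out = {}
    for bits, amp in state.items():
        new_bit, phase = PAULI[op](bits[q])
        out[bits[:q] + (new_bit,) + bits[q + 1:]] = phase * amp
    return out

def cnot(state, control, target):
    return {bits[:target] + (bits[target] ^ bits[control],) + bits[target + 1:]: amp
            for bits, amp in state.items()}

def same(s, t):
    return s.keys() == t.keys() and all(isclose(s[k], t[k]) for k in s)

def double_cnot(state):
    """Eqs. (2)-(4): add ancilla D = |0>, apply C_AD then C_BD, read D in the Z basis.
    Returns (r, state of A, B, C afterwards)."""
    ext = {bits + (0,): amp for bits, amp in state.items()}
    ext = cnot(cnot(ext, 0, 3), 1, 3)
    results = {bits[3] for bits in ext}
    if len(results) != 1:
        raise ValueError("ancilla still entangled: input is not GHZ-type")
    return results.pop(), {bits[:3]: amp for bits, amp in ext.items()}

def run(rb, rc, k):
    """One GHZ state through the protocol with both extractions (E1, E2 in Fig. 1).
    Returns (R0, R1, final state, True if neither extraction changed the state)."""
    s = apply(ghz(), rb, 1)                         # Bob's random Pauli on B
    r0, after_e1 = double_cnot(s)                   # E1, before Alice's coding
    s2 = apply(after_e1, rc, 2)                     # Bob's random Pauli on C
    s2 = apply(apply(s2, U[k][0], 0), U[k][1], 1)   # Alice's coding on A and B
    r1, after_e2 = double_cnot(s2)                  # E2, after detections D3 and D4
    return r0, r1, after_e2, same(s, after_e1) and same(s2, after_e2)

def partition():
    """Split U1..U8 by whether R0 == R1, over all of Bob's Pauli choices."""
    keep, flip = set(), set()
    for rb, rc, k in product(PAULI, PAULI, U):
        r0, r1, _, undisturbed = run(rb, rc, k)
        assert undisturbed
        (keep if r0 == r1 else flip).add(k)
    return keep, flip

def leaked_fraction():
    """Bits learned from knowing which half U_k lies in, over the bits encoded."""
    keep, _ = partition()
    return (log2(len(U)) - log2(len(keep))) / log2(len(U))

if __name__ == "__main__":
    print(run("sx", "isy", 2)[:2])          # worked example of Eqs. (5)-(7)
    print(partition(), leaked_fraction())
```

Because the two halves are the same for every choice of Bob's operations, Bob's random Paulis do not mask the comparison of the two correlations; only denying access to both $A$ and $B$ before the coding step, as the proposed additional detection does, removes $R^{AB}_0$.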

This attack can be generalized into the multiparty version of WZT protocol [28], and the generalization is straightforward. In this condition the receiver Zach can also obtain 33.3% of the secret without any controller’s permission.

To find a way to improve WZT protocol, it is necessary to revisit the essential reason why Charlie can successfully attack. In fact, anyone who wants to achieve above attack has to try to obtain both $R^{AB}_0$ (the correlation between $A$ and $B$ before Alice’s coding operation) and $R^{AB}_1$ (the one after Alice’s coding operation). That is, one cannot successfully attack WZT protocol if he knows only one of these two correlations. For example, because of the existence of $D_3$, an external eavesdropper cannot get $R^{AB}_1$, and then cannot extract partial information of the secret. Therefore, if we introduce an additional detection $D_a$ between the transmissions $T^{AB}_A$ and $T^{AB}_B$ (just like the careful transmissions $T^{BC}_A$ and $T^{BC}_B$), Charlie’s eavesdropping for $R^{AB}_0$ would be discovered by Alice and Bob. With this modification, WZT protocol will be secure against the above attack from Charlie.

In conclusion, we present an effective attack on WZT CQSDC protocol [28], by which the receiver can illegally obtain 33.3% of the sender’s secret without any controller’s permission. A special property of GHZ state, i.e. correlation extractability, is demonstrated in detail, which plays a key role in our attack. Because GHZ state will be completely unchanged after the correlation was extracted, this property is inclined to be utilized by an eavesdropper in quantum cryptographic protocols, especially GHZ-state-based ones [30–33]. Therefore, more attention must be paid to this property in the design and analysis of such protocols.

Acknowledgements

This work is supported by NSFC (Grant Nos. 60873191, 60903152, 60821001), SRFDP (Grant No. 200800131016), Beijing Nova Program (Grant No. 2008B51), Key Project of Chinese Ministry of Education (Grant No. 109014), Beijing Natural Science Foundation (Grant No. 4072020), National Laboratory for Modern Communications Science Foundation of China (Grant No. 9140C1101010601), and China Postdoctoral Science Foundation (Grant No. 20090450018).

References

[1] N. Gisin, G. Ribordy, W. Tittel, et al., Rev. Mod. Phys. 74 (2002) 145.
[2] C.H. Bennett, G. Brassard, in: Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, IEEE, Bangalore, India, New York, 1984, p. 175.
[3] A.K. Ekert, Phys. Rev. Lett. 67 (1991) 661.
[4] C.H. Bennett, Phys. Rev. Lett. 68 (1992) 3121.
[5] K. Boström, T. Felbinger, Phys. Rev. Lett. 89 (2002) 187902.
[6] F. Deng, G. Long, X. Liu, Phys. Rev. A 68 (2003) 042317.
[7] F. Deng, G. Long, Phys. Rev. A 69 (2004) 052319.
[8] M. Lucamarini, S. Mancini, Phys. Rev. Lett. 94 (2005) 140501.
[9] F. Deng, X. Li, C. Li, et al., Phys. Lett. A 359 (2006) 359.
[10] H.K. Lo, T.M. Ko, Quantum Inf. Comput. 5 (2005) 40.
[11] Y. Zhang, C. Li, G. Guo, Phys. Rev. A 63 (2001) 036301.
[12] A. Wójcik, Phys. Rev. Lett. 90 (2003) 157901.
[13] A. Wójcik, Phys. Rev. A 71 (2005) 016301.
[14] F. Deng, X. Li, H. Zhou, et al., Phys. Rev. A 72 (2005) 044302.
[15] S. Qin, F. Gao, Q. Wen, et al., Phys. Lett. A 357 (2006) 101.
[16] Y.Q. Zhang, S. Zhang, Opt. Commun. 270 (2007) 100.
[17] F. Gao, S. Qin, Q. Wen, et al., Quantum Inf. Comput. 7 (2007) 329.
[18] S. Lin, Q.Y. Wen, F. Gao, et al., Opt. Commun. 281 (2008) 4553.
[19] F. Gao, Q. Wen, F. Zhu, Chin. Phys. B 17 (2008) 3189.
[20] F. Gao, F. Guo, Q. Wen, et al., Chin. Phys. Lett. 25 (2008) 2766.
[21] F. Gao, F. Guo, Q. Wen, et al., Sci. China Ser. G-Phys. Mech. Astron. 51 (2008) 559.
[22] Y. Tan, Q. Cai, Int. J. Quantum Inf. 6 (2008) 325.
[23] T. Gao, F.L. Yan, Z.X. Wang, Chin. Phys. 14 (2005) 893.
[24] Z.X. Man, Y.J. Xia, Chin. Phys. Lett. 23 (2006) 1680.
[25] Y. Xia, H.S. Song, Phys. Lett. A 364 (2007) 117.
[26] X.B. Chen, Q.Y. Wen, F.Z. Guo, et al., Int. J. Quantum Inf. 6 (2008) 899.
[27] X.B. Chen, T.Y. Wang, J.Z. Du, et al., Int. J. Quantum Inf. 6 (2008) 543.
[28] J. Wang, Q. Zhang, C.J. Tang, Opt. Commun. 266 (2006) 732.
[29] C.H. Bennett, G. Brassard, N.D. Mermin, Phys. Rev. Lett. 68 (1992) 557.
[30] F. Gao, F. Guo, Q. Wen, et al., Phys. Rev. A 72 (2005) 066301.
[31] F. Gao, F. Guo, Q. Wen, et al., Phys. Rev. A 72 (2005) 036302.
[32] F. Gao, Q. Wen, F. Zhu, Phys. Lett. A 360 (2007) 748.
[33] F. Gao, S. Lin, Q. Wen, et al., Chin. Phys. Lett. 25 (2008) 1561.