-
密码学是在第三方(敌手)的存在下,保障安全通信的技术和实践。量子密码学是量子力学和传统密码学结合的产物,依靠微观粒子的量子属性实现对信息的保护。量子密码学研究的主要目标是抵抗量子计算攻击的密码算法和协议,是密码学的一个重要分支。
-
量子安全协议的目的是为了抵抗窃听者的攻击。为了将Eve检测出来,采取的方案是计算信道传输中的错误率。根据协议,在Bob没有放弃该次循环和没有噪声干扰的情况下,假如 ${k_B} = 0$ ,则Bob传送的量子比特为 $\left| + \right\rangle $ ;假如 ${k_B} = 1$ ,那么Bob发送的量子比特为 $\left| 0 \right\rangle $ 。于是可以得到,若Alice的测量结果是 $\left| -\right\rangle $ ,那么Bob令 ${k_B} = 1$ (若Bob将量子比特直接回传,那么Alice一定会测得 $\left| + \right\rangle $ );若Alice的测量结果得到 $\left| 1 \right\rangle $ ,则Bob采取直接回传的方式(即 ${k_B} = 0$ )。
若上述量子比特不满足的情况发生,则用随机事件 $\sigma $ 来记录。设 $\sigma $ 发生的次数为L,则错误率为:
$$ \eta = L/n $$ (1) 式中,n为中协议执行过程传输的光子的总数。那么检测到窃听者Eve的概率为:
$$ {P_{\det }}(n) = {P_{\rm{r}}}\{ \eta \ge T\} $$ (2) 式中,参数T是一个预先设置好的阈值。在无噪声干扰的信道中, $T = \varepsilon $ 。 $\varepsilon $ 是一个无穷小量,其取值范围可以根据不同的安全需求进行更改。而在有噪声干扰的信道中, $T$ 取2%~8.9%[29]。图 7给出了无噪声信道中上述3种攻击方式下检测到Eve的概率。
从图 7的结果可知,传输的光子数较少时,检测到Eve的概率较低,而当传输的光子数达到50时,检测到Eve的概率已经很接近于1;当继续增加传输的量子数时,检测概率持续上升并无限趋近于1。
在实际中,无噪声的信道是不存在的,真实信道中的噪声总是存在的。为了验证在有噪声干扰的情况下协议的安全性,需将PRISM中对信道的描述进行更改,就可以计算在噪声干扰的条件下,检测到窃听者的概率。
假设信道在由状态“0”迁移到状态“1”时噪声产生干扰(如图 3所示)。在无噪声信道中,该操作可以表达为:
$$ {\rm{[aliceput] cs = 0}} \to {\rm{(cs' = 1)\& (cd' = ad)\& (cb' = ab)}} $$ (3) 式中,cs表示信道的状态;cd是信道的数据;cb表示信道的测量基;ad表示Alice的数据;ab表示Alice选择的测量基。当加入噪声后,该描述变为:
$$ {\rm{[aliceput]cd = 0}} \to {\rm{0:7:(cs' = 1)\& (cd' = ad)\& (cb' = ab) + }} $$ $$ {\rm{0}}{\rm{.1:(cs' = 1)\& (cd' = ad)\& (cb' = 1}} - {\rm{ab) + }} $$ $$ {\rm{0}}{\rm{.1:(cs' = 1)\& (cd' = 1}} - {\rm{ad)\& (cb' = ab) + }} $$ $$ {\rm{0}}{\rm{.1:(cs' = 1)\& (cd' = 1}} - {\rm{ad)\& (cb' = 1}} - {\rm{ab)}} $$ (4) 由式(3)、式(4) 可以得到,信道状态迁移到正确状态的概率为0.7,迁移到错误状态的概率为0.3。此处的错误状态有3种,分别为:选择了错误的测量基、得到错误的数据、或者两者都有。图 8为有噪声时的验证结果。
从图 8可以得到,在存在噪声干扰的条件下,且信道中传输的光子数较少时,检测到窃听者的概率依然较低,并且出现了下降(即比无噪声时低)。当传输的光子数增加到50个左右时,检测概率已接近于1;当传输的光子数持续增加时,检测到Eve的概率也持续上升且无限趋近于1。
Security Analysis of Semi-Quantum Cryptography Protocols by Model Checking
-
摘要: 对于密码协议而言,安全性是其最核心的关键问题,对于量子密码协议来说也一样。研究人员可以通过各种手段证明这些协议是安全的,但存在极大的困难,因为这对数学功底有着很高的要求。该文利用全自动化的技术——模型检测,采用了形式化验证方法,即基于概率的模型检测工具PRISM,来对半量子密码协议进行建模并验证其安全性。该方法避免了传统基于数学方法验证的繁杂,提高了验证的速度和效率。验证的结果也表明,当传输足够多的光子时,检测出窃听的概率无限趋近于1,和全量子密码协议一样,半量子密码协议也是安全的。Abstract: For cryptography protocols, security is its most core issue, and is the same for quantum cryptography protocols. Researchers can adopt many methods to prove that these protocols are secure, but there exists much difficulty. By using the method of formal verification and the technique of model checking, a fully automated probabilistic model checking tool-PRISM can be used to model these protocols and verify the security properties. Such a methodology can not only avoid the computational complexity of the traditional verification methods based on mathematics, but also improve efficiency and accelerate the verification process. The verification results show that the detection rate of eavesdropping is approximately close to 1 when sufficient photons are transmitted. The semi-quantum cryptography protocols is as secure as the full quantum protocols.
-
Key words:
- eavesdropping /
- model checking /
- PRISM /
- semi-quantum cryptography
-
[1] BENNETT C H, BRASSARD G. Quantum cryptography:Public key distribution and coin tossing[C]//In Proc of IEEE International Conference on Computers, Systems, and Signal Processing. Bangalore, India:IEEE, 1984:175-179. [2] BENNETT C H, BESSETTE F, BRASSARD G, et al. Experimental quantum cryptography[J]. Journal of Cryptology, 1992, 5(1):3-28. doi: 10.1007/3-540-46877-3_23 [3] HILLERY M, BUZEK V, BERTHIAUME A. Quantum secret sharing[J]. Physical Review A, 1999, 59(3):1829-1834. doi: 10.1103/PhysRevA.59.1829 [4] SHI R H, HUANG L S, YANG W, et al. Multiparty quantum secret sharing with Bell states and Bell measurements[J]. Optics Communications, 2010, 283(11):2476-2480. doi: 10.1016/j.optcom.2010.02.015 [5] RAHAMAN R, PARKER M G. Quantum scheme for secret sharing based on local distinguishability[J]. Physical Review A, 2015, 91(2):91. 022330. http://adsabs.harvard.edu/abs/2015PhRvA..91b2330R [6] CHUANG I, GOTTESMAN D. Quantum digital signatures:US, US 7246240 B2[P]. 2007. [7] ZENG G H, CHRISTOPH K. An arbitrated quantum signature scheme[J]. Physev A, 2002, 65:042312. http://www.jourlib.org/paper/3665732 [8] BOYER M, KENIGSBERG D, MOR T. Quantum key distribution with classical bob[C]//First International Conference on Quantum, Nano, and Micro Technologies, 2007, ICQNM'07.[S.l.]:IEEE, 2007, 99(14):10-10. [9] KRAWEC W. Mediated semiquantum key distribution[J]. Physical Review A, 2015, 91(3):032323. doi: 10.1103/PhysRevA.91.032323 [10] BOYER M, GELLES R, KENIGSBERG D, et al. Semiquantum key distribution[J]. Phys Rev A, 2009, 79:032341. doi: 10.1103/PhysRevA.79.032341 [11] YU K F, YANG C W, LIAO C H, et al. Authenticated semi-quantum key distribution protocol using Bell states[J]. Quantum Information Processing, 2014, 13(6):1-9. doi: 10.1007/s11128-016-1468-8 [12] KRAWEC W. Mediated semiquantum key distribution[J]. Physical Review A, 2015, 91(3):032323. doi: 10.1103/PhysRevA.91.032323 [13] KRAWEC W. Security proof of a semi-quantum key distribution protocol to appear[C]//IEEE ISIT 2015.[S.l.]:IEEE, 2015. [14] KRAWEC W. Semi-quantum key distribution[D].[S.l.]:Stevens Institute of Technology, 2015. [15] KRAWEC W. Security of a semi-quantum protocol where reflections contribute to the secret key[J]. Quantum Information Processing, 2015, 15(5):1-24. http://arxiv.org/abs/1510.07181 [16] KRAWEC W. Restricted attacks on semi-quantum key distribution protocols[J]. Quantum Information Processing, 2014, 13(11):2417-2436. doi: 10.1007/s11128-014-0802-2 [17] BAIER C, KATOEN J P. Principles of model checking[M]. Cambridge, USA:The MIT Press, 2008. [18] EMERSON E A, CLARKE E M. Characterizing correctness properties of parallel programs using fixpoints[M]//Automata, Languages and Programming. Berlin, Heidelberg:Springer-Verlag, 1980:169-181. [19] CLARKE E M, EMERSON E A. Design and synthesis of synchronization skeletons using branching time temporal logic[J]. Proc Workshop on Logic of Programs, 1982, 131:52-71. doi: 10.1007/BFb0025769 [20] CLARKE E M, EMERSON E A, SISTLA A P. Automatic verification of finite-state concurrent systems using temporal logic specifications[C]//ACM Transactions on Programming Languages and Systems. New York:ACM, 1986:244-263. [21] QUEILLE J P, SIFAKIS J. Specification and verification of concurrent systems in CESAR[C]//In Proc 5th Colloquium on Int Symp Programming. London:Springer, 1982:337-351. [22] BASAGIANNIS S, KATSAROS P, POMBORTSIS A. Synthesis of attack actions using model checking for the verification of security protocols[J]. Secur Comm Networks, 2011, 4(2):147-161. doi: 10.1002/sec.119 [23] BEN-ARI M, PNUELI A, MANNA Z. The temporal logic of branching time[J]. Acta Informatica, 1983, 20(3):207-226. doi: 10.1007/BF01257083 [24] GASTIN P, ODDOUX D. Fast LTL to büchi automata translation[J]. Lecture Notes in Computerence, 2001, 2102:53-65. doi: 10.1007/3-540-44585-4 [25] YANG J, SEGER C H J. Generalized symbolic trajectory evaluation-abstraction in action[M]//Formal Methods in Computer-Aided Design, LNCS. Berlin, Heidelberg:Springer-Verlag, 2002:70-87. [26] YANG F, YANG G W, HAO Y J, et al. Security analysis of multi-party quantum private comparison protocol by model checking[J]. Modern Physics Letters B, 2015, 29(18):717-755. doi: 10.1142/S021798491550089X [27] YANG F, YANG G W, HAO Y J. The modeling library of eavesdropping methods in quantum cryptography protocols by model checking[J]. International Journal of Theoretical Physics, 2016, DOI: 10.1007/s10773-016-2969-z. [28] ELBOUKHARI M, AZIZI M. Analysis of the security of bb84 by model checking[J]. International Journal of Network Security & Its Applications, 2010, 2(2):87-98. http://arxiv.org/abs/1005.4504 [29] CHANG Y J, TSAI C W, HWANG T. Multi-user private comparison protocol using GHz class states[J]. Quantum Information Processing, 2013, 12(2):1077-1088. doi: 10.1007/s11128-012-0454-z