APS/123-QED Cryptanalysis of the Hillery-Buˇzek-Berthiaume quantum secret-sharing protocol Su-Juan Qin1,2, Fei Gao1, Qiao-Yan Wen1, and Fu-Chen Zhu3 (1. State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, 100876, China) (2. School of Science, Beijing University of Posts and Telecommunications, Beijing, 100876, China) (3. National Laboratory for Modern Communications, P.O.Box 810, Chengdu, 610041, China) Email: [email protected] (Dated: February 2, 2008) Theparticipantattackisthemostseriousthreatforquantumsecret-sharingprotocols. Wepresent a method to analyze the security of quantum secret-sharing protocols against this kind of attack 8 taking the scheme of Hillery, Buˇzek, and Berthiaume (HBB) [Phys. Rev. A 59 1829 (1999)] as 0 an example. By distinguishing between two mixed states, we derive the necessary and sufficient 0 conditions under which a dishonest participant can attain all the information without introducing 2 any error, which shows that theHBB protocol is insecure against dishonest participants. It is easy to verify that the attack scheme of Karlsson, Koashi, and Imoto [Phys. Rev. A 59, 162 (1999)] n is a special example of our results. To demonstrate our results further, we construct an explicit a attackschemeaccordingtothenecessaryandsufficientconditions. Ourworkcompletesthesecurity J analysis of the HBB protocol, and the method presented may be useful for the analysis of other 5 similar protocols. 2 PACSnumbers: 03.67.Dd,03.67.Hk ] h p - I. INTRODUCTION attackbyanexternalattacker. References[12,13,14]in- t n vestigatedtherelationbetweensecurityandtheviolation a ofsomeBellsinequalitiesbyanalyzingseveraleavesdrop- Quantum cryptography is a technique which permits u ping scenarios. However, their analyses are incomplete q parties to communicate over an open channel in a se- because not all the individual attacks are covered. Ref- [ cureway. Quantumsecretsharing(QSS)isanimportant erence [3] showed that the HBB scheme was insecure to branchofquantumcryptography,whichallowsasecretto 2 a skillful attack, and gave a remedy; but this analysis be shared among many participants in such a way that v is not systematic. Here, we consider the original HBB 8 only the authorized groups can reconstruct it. In fact, protocol and give a complete and systematic analysis of 1 there are two types in quantum secret sharing, that is, security against a participant attack. From our analysis 4 the sharingofclassicalsecretandthatofquantuminfor- we also get the same result as Ref. [3], and, moreover, 2 mation. The formerwasfirstproposedbyHillery, Buˇzek we derive the necessary and sufficient (NAS) conditions . 1 and Berthiaume [1] (called HBB hereafter), and the lat- for a successful attack, which is more important. From 0 ter was first presented by Cleve, Gottesman and Lo [2]. the NAS conditions, we can find many attack schemes 8 Since the above pioneering works appeared, QSS has at- easily (including the eavesdropping strategy in Ref. [3]), 0 tracted a greatdeal of attention (please see [3, 4] for the : which will deal with the difficulty that breaking a pro- v sharing of classical secret and [5] for that of quantum tocol is unsystematic. Although the result is partly not i information). X new [3], the method (which is indeed our main aim) is. As we know, the designing schemes and analyzing This method might be useful for the analysis of other r a their security are two inherent directions of cryptogra- protocols. phy, which are opposite to but stimulate each other. The paper is structured as follows. In Sec. II, we Each of them is necessary to the development of cryp- review the HBB protocol briefly. In Sec. III, we ana- tography. This is also the case in quantum cryptogra- lyze generalparticipant attack strategies,and derive the phy [6, 7, 8, 9, 10, 11]. However, because the theory NAS conditions under which a dishonest participant at- ofquantum informationremainsstill far fromsatisfacto- tains the whole secret without introducing any error. In rilyknown,thedevelopmentofquantumcryptanalysisis Sec. IV, we give a simple scheme to achieve the attack relatively slow, especially in QSS. In fact, it is complex successfully. Finally, we give a conclusionanddiscussion to analyze the security of QSS protocols because multi- in Sec. V. Cumbersome computations and formulas are ple participants are involved and not all are honest, and summarized in the Appendix. therefore few results [12, 13, 14] have been obtained. In this paper, we present a method to analyze the se- curityofQSSprotocolstakingthe HBBscheme [1]asan II. THE HBB PROTOCOL example. The security of HBB has been discussed from severalaspects. Ref. [1] analyzedan intercept-resendat- Let us introduce the principle of the HBB scheme [1] tack bya dishonestparticipantandanentangle-measure first. The dealer Alice wants to divide her secret mes- 2 take advantage of Alice’s and Bob’s delayed information TABLE I: Correlations between Alice’s, Bob’s measurement about their MBs, a wise attack strategy for Charlie* is results and Charlie’s results. Alice’s (Bob’s) measurement asfollows. WhenthequbitsB andC aresentoutbyAl- results are listed in the first column (line). ice,he lets anancilla,initially insome state χ , interact Alice/Bob x+ x− y+ y− unitarily with them (the dimensionality of t|heiancilla is x+ x+ x− y− y+ a free variable which causes no loss in generality). After x− x− x+ y+ y− the interaction, Charlie* sends qubit B to Bob, stores y+ y− y+ x− x+ qubit C and his ancilla until Alice announces the MBs y− y+ y− x+ x− usedbythe threeparties. Finally,Charlie*measuresthe qubitsathissitetoachievethesecretaccordingtoAlice’s announcements. sage between her two agents, Bob, and Charlie. At the We now describe the procedure in detail. After Alice beginning, Alice prepares a sequence of GHZ triplets in sends out the two qubits, B and C, Charlie* intercepts thestate(1/√2)(000 + 111 ) ,wherethesubscripts them and they interacts with his ancilla. After that, the ABC | i | i A,B andC denotethethreeparticlesforAlice,Boband state of the whole system may be written as Charlie, respectively. For each triplet, Alice keeps parti- 1 cle A and sends particle B to Bob and C to Charlie. As Ψ = a ij ε , (1) intheBennett-Brassard1984scheme[15]scheme,allthe | iABCE X ij| iAB| ijiCE threepartieschooserandomlythe measuringbasis(MB) i,j=0 x or y to measure their particles and then they publish where ε refers to the state of Charlie* after the in- their MBs. The announcement should be done in the | iji teraction and is normalized, and a is complex number following way: Bob and Charlie both send their MBs to ij that satisfies Alice, who then sends all three MBs to Bob and Char- lie [16]. Note that no one can learn other’s bases before 1 havingto revealhis, otherwise aspointed out in Ref. [1], a 2 =1. (2) X | ij| he could cheat more successfully. When the number of i,j=0 the parties who choose x is odd, the outcomes are use- ful. Thanks to the features of the GHZ state, Charlie and Bob can deduce the outcomes of Alice when they A. The conditions to escape detection cooperate (see Table I [1]). To check for eavesdropping, Alice chooses randomly a large subset of the outcomes As mentioned above, to use the information about to analyze the error rate. That is, Alice requires Bob Alice’s and Bob’s MBs, Charlie* does not measure his and Charlie to announce their outcomes of the samples qubits until Alice reveals them, and then he can choose inpublic. Iftheerrorrateislowerthanathresholdvalue, different methods accordingly. Note that when Alice re- they keep the remaining outcomes as secret key. quires Charlie* to declare his MBs, Charlie* generates a randomsequenceofxandytoforgehisMBs,actuallyhe doesnotmeasureanyqubit. IftheMBschosenbyallthe III. THE ATTACK ON THE HBB PROTOCOL three parties satisfy the condition that the number of x isodd,theresultsarekept,otherwisetheyarediscarded. Now let us give a complete discussion of the security Therefore Charlie* knows Alice’s and Bob’s MBs for ev- of the HBB scheme. As pointed out in Refs. [17, 18, 19], eryusefultripletwhichcanbe utilizedinthe subsequent a participant generally has more advantages in an at- steps. When some triplets are chosen by Alice to detect tack than an outside eavesdropper in the secret-sharing eavesdropping,Charlie*thenmeasureshiscorresponding protocols. If a QSS protocol is secure for a dishonest qubits and announces outcomes accordingto Alice’s and participant, it is secure for any eavesdropper. Therefore, Bob’sMBs. Nowweexploretheconditionstheymustbe to analyzethe security,weshouldconcentrateour atten- satisfiedifCharlie*wantstoescapefrombeingdetected. tion on participant attack. Without loss of generality, LetusfirstconsiderthecasewherebothAliceandBob we assume the attacker is Charlie, denoted Charlie*. He measure their qubits in x direction,and of course,Char- seeks to learn Alice’s secret himself without introducing lie* declares x. The state of the whole system Ψ ABCE | i any error during the eavesdropping check. In order to can be rewritten as 3 1 Ψ ABCE = [ x+ A x+ B(a00 ε00 +a01 ε01 +a10 ε10 +a11 ε11 )CE | i 2 | i | i | i | i | i | i + x+ A x− B(a00 ε00 a01 ε01 +a10 ε10 a11 ε11 )CE (3) | i | i | i− | i | i− | i + x− A x+ B(a00 ε00 +a01 ε01 a10 ε10 a11 ε11 )CE | i | i | i | i− | i− | i + x− A x− B(a00 ε00 a01 ε01 a10 ε10 +a11 ε11 )CE]. | i | i | i− | i− | i | i We can see from Table I that without eavesdropping, collapses to ϕx−x+ or ϕx−x− with equal probabil- if Alice’s and Bob’s results are x+x+ or x x , Char- ity. So to |get infiormat|ion ofiAlice’s result, x+ or − − lie*’s announcement should be x+, otherwise, his an- x , Charlie* should distinguish between two mixed − nouncement should be x−. In a convenient depiction, states ρx+ = 21|ϕx+x+ihϕx+x+|+ 12|ϕx+x−ihϕx+x−| and iwzeedd,ewnhoetne AChliacer’lsiea*n’sdsBtaotbe’sarses|ϕuljtmskanriewjmhiacnhdisknn,owrmhearle- wρxi−th=equ21a|lϕax−pxr+ioirhiϕpx−roxb+a|b+ilit21y|.ϕxG−exn−eirhaϕllxy−,xt−he|roecacruerrtiwnog j,k x,y and m,n +, . To avoid being found ways to discriminate between two states, minimum er- ∈ { } ∈ { −} out, Charlie* should have the ability to discriminate ror discrimination and unambiguous discrimination. In completely between the two sets ϕx+x+ , ϕx−x− , Ref. [21], the authors showed the minimum failure prob- {| i | i} {|ϕx+x−i,|ϕx−x+i}. As shown in Ref. [20], two sets S1, ability QF attainable in unambiguous discrimination is S2 can be perfectly discriminated if and only if the sub- always at least twice as large as the minimum-error spaces they span are orthogonal. So the scalar products probability P in ambiguous discrimination for two ar- E of Charlie*’s states have to satisfy four constraints: bitrary mixed quantum states. So we should take the ambiguous discrimination to get the maximum informa- ϕx+x+ ϕx+x− =0, tion. Utilizing the well-known result [22]that to dis-  hhhϕϕxx−+xx+−|||ϕϕxx−+xx+−iii==00,, (4) wcriitmhinaapteriobreitwpreoebnatbwiloitimesixpe1dasntadteps2,ρr1esapnedctρi2veolyc,cuwrhrienrge  hϕx−x−|ϕx−x+i=0. p1+p2 =1, the minimum-error probability attainable is From Eqs. (3) and (4), we obtain PE = 21 − 21kp2ρ2−p1ρ1k, where kΛk=Tr√Λ†Λ, we get the minimum-error probability to discriminate between a∗00a01 ε00 ε01 a∗11a10 ε11 ε10 =0, ρx+ and ρx− under the constraints of Eq. (6)  aa∗0001a120hhε0a0∗0||1εa1100ii−−ε01a∗1ε11a001+hhεa11∗1||0εa0011ii=ε100,ε01 a10 2 =0, (5) PE = 12(1−4|a00|·|a10|). (7)  ||a00||2−−a∗00a11hhε00||ε11ii+a∗11a00hhε11||ε00ii−−||a11||2 =0. Considering the other three cases (see the Appendix A) Similarly,theconstraintsarethenfoundintheAppendix withsimilarstrategy,wegetthe same resultsas Eq. (7). for other cases. Finally, we obtain results from Eqs. (5), ThemutualinformationbetweenAliceandCharlie*in (A.3), (A.6) and (A.9) : terms of Shannon entropy is given by IAC =1+P logP +(1 P )log(1 P ). (8) a∗00a01 ε00 ε01 =a∗00a10 ε00 ε10 =0, E E − E − E  aa∗0∗010aa1111hhhεε0010|||εε1111iii==aa∗1∗001aa1110hhhεε1001|||εε1110iii==00,, (6) NEqosw. t(h2)eatnasdk(6is).mUasxiinmgiztihnegLIaAgCrawngitehmtuhleticpolinesrtrmaeinthtsodof,  ||aa0001||==||aa1110||,. we attain the maximum ImACax =1 under conditions ε00 ε01 = ε00 ε10 = ε00 ε11 =0, OAlbicveioaunsldy,BCohbawrlhiee*nchainssoupcecreaetdioinnsessactaipsfiyngEdqe.te(6ct)i.onby  |hhaε0001|||ε=10|iia=01|hhε=01|||aε1101|ii==|hhaε1110|||=ε1112ii.=0, (9)  Now, we have the NAS conditions for a dishonestpar- B. The maximum information the attacker can ticipant to attack HBB successfully. Therefore the HBB attain protocol is insecure (in its original form). Obviously, ε00 , ε01 , ε10 , and ε11 are orthogonalto each other, | i | i | i | i After escaping from detection, Charlie* measures which indicates that a dishonest participant need pre- the remaining qubits to deduce Alice’s secret. Now pare one additive qubit at least. It is easy to verify that let us compute the maximum information that Char- the eavesdropping strategy in Ref. [3] is a special exam- lie* can gain. From Eqs. (3) and (6), we can see pleofourresults,wheretwoadditivequbitsareusedand if Alice’s result is x+, Charlie*’s state collapses to a00|ε00i= 21|000i,a01|ε01i=−12|001i,a10|ε10i= 21|110i, |ϕx+x+i or |ϕx+x−i with equal probability, otherwise and a11|ε11i=−21|111i. 4 Ψ0 Ψ1 Ψ1 Ψ2 A A U B H B V C C W E=|0i E { { FIG.1: QuantumcircuitrepresentingtheinteractionofChar- Alice’s,Bob’sOperations Charlie*’Operations lie*’s ancilla E,with qubitsB, C. FIG.2: Quantumcircuitonthedetectionqubits. HereU,V, W∈ {H,SH}, and S = |0ih0|+i|1ih1|. The ‘meter’ symbol denotesaprojectivemeasurementinthecomputationalbasis IV. AN EXAMPLE OF SUCCESSFUL ATTACK z. H (SH) can transform z basis into x (y) basis. Charlie* performs his operations according to the MBs of Alice and Bob to avoid being detected. According to Eq. (9), we can construct some attack schemes easily. Here we give an even simpler scheme thanRef.[3]withonlyoneadditivequbit. Generally,the four states ancilla is the standard state 0 . We choose a00 ε00 = 12|1001i1, a0w1h|εi0c1hi=sat21is|0fy1iE, aq1.0|ε(19|0)i.i=C21o|m10pia,rainngd tah1e1||εi1n1iiitia=l |ϕx+y+i= 21(|00i−i|01i+|10i+i|11i)CE, −2| i 1 state with the state after interaction (see Eq. (1)), we ϕx+y− = (00 +i01 + 10 i11 )CE, (12) can derive the operations performed by Charlie*. | i 2 | i | i | i− | i 1 Nowwe describe the attackorderly. Charlie*prepares |ϕx−y+i= 2(|00i−i|01i−|10i−i|11i)CE, the ancilla E in state 0 . After Alice sends out two | i 1 qubitsB andC,Charlie*interceptsthem,performsH = |ϕx−y−i= 2(|00i+i|01i−|10i+i|11i)CE. (0 0 + 1 0 + 0 1 1 1)/√2 on the qubit B and | ih | | ih | | ih |−| ih | CNOT operation on B, E (see Fig. 1). The entangled (iii) When Alice and Bob measure their qubits in y, x stateofAlice,BobandCharlie*isconvertedfrom Ψ0 = basis, respectively, Charlie*’s state may be one of the √12(|000i+|111i)ABC ⊗|0iE to | i four states 1 ϕ = (00 + 01 i10 +i11 ) , 1 | y+x+i 2 | i | i− | i | i CE |Ψ1i= 2(|00iAB|00iCE +|01iAB|01iCE (10) 1 +10 AB 10 CE 11 AB 11 CE). |ϕy+x−i= 2(|00i−|01i−i|10i−i|11i)CE, (13) | i | i −| i | i 1 |ϕy−x+i= 2(|00i+|01i+i|10i−i|11i)CE, AfterAlice andBobmeasuretheirqubits,the wholesys- 1 tem is changed into |Ψ2i (see Fig. 2 and Fig. 3) which |ϕy−x−i= 2(|00i−|01i+i|10i+i|11i)CE. varies according to their MBs. Let us describe all the cases in detail. (iv) When Alice’s and Bob’s MBs are y, Charlie*’s state (i) If both Alice’s and Bob’s MBs are x, Charlie*’s collapses to one of the four results state collapses to one of the four results 1 ϕ = (00 i01 i10 + 11 ) , | y+y+i 2 | i− | i− | i | i CE 1 1 |ϕx+x+i= 2(|00i+|01i+|10i−|11i)CE, |ϕy+y−i= 2(|00i+i|01i−i|10i−|11i)CE, (14) 1 1 |ϕx+x−i= 2(|00i−|01i+|10i+|11i)CE, (11) |ϕy−y+i= 2(|00i−i|01i+i|10i−|11i)CE, 1 1 |ϕx−x+i= 2(|00i+|01i−|10i+|11i)CE, |ϕy−y−i= 2(|00i+i|01i+i|10i+|11i)CE. 1 |ϕx−x−i= 2(|00i−|01i−|10i−|11i)CE. It is easy to validate that the four states are orthogo- nal to each other in every case, which implies that they (ii) When Alice and Bob measure their qubits in x, y can be distinguished perfectly. Consequently, Charlie* basis, respectively, Charlie*’s state may be one of the can not only get the secret of Alice but also escape from 5 Ψ Ψ 1 2 TABLE II: The unitary operators for U, V, W in different A U cases. i ii iii iv B V U H H SH SH V H SH H SH C U W H SH SH H E { {TABLE III: Relations between Charlie*’s measurement re- Alice’s,Bob’sOperations Charlie*’Operations sultsandhisannouncements(thefirstcolumn)forthedetec- tion qubits. FIG. 3: Quantum circuit on the information qubits. After AliceandBobmeasuretheirqubits,Charlie*measuresqubit i ii iii iv C in the same basis as Alice, and qubit E in computational 0 10, 01 10, 11 10, 01 10, 11 basis. He can deduce Alice’s results from his measurement 1 00, 11 00, 01 00, 11 00, 01 outcomes. states in Eq. (11) are changed into detection. In fact, we only need distinguish between two 1 differentresultsbecausethe qubits areusedtoeither de- |ϕx+x+i= √2(|00i+|11i)CE, tecteavesdroppingordistillinformation. Thereforethere 1 are some simple ways to fulfill Charlie*’s objective. |ϕx+x−i= √2(|00i−|11i)CE, (16) We take case (i) as an example to describe Charlie*’s 1 operations. Let us first explain how Charlie* can escape |ϕx−x+i= √2(|01i+|10i)CE, frombeing detectedwhen the qubits arechosento check 1 elaarvaetsidornopxp+inogr. Cxh;artlhiee*rewfoarnet,shtoedneedeudcedihscisripmroinpaetredbeec-- |ϕx−x−i= √2(−|01i+|10i)CE. − tween ϕx+x+ , ϕx−x− and ϕx+x− , ϕx−x+ . A {| i | i} {| i | i} From Eq. (16), we can see clearly that the measurement particularly simple circuit to achieve this task is illus- results, 01 or 10, imply that Alice’s secret is x , and 00 trated in Fig. 2 (Here U = V = W = H). Concretely, − or 11 indicate x+. after the operations of CNOT and W, the four states in For other cases (ii), (iii) and (iv), Charlie* can also Eq. (11) are converted into distinguishbetweenthecorrespondingstatesbychoosing different U and W according to Table II, avoid being 1 detectedbyannouncinghisresultsaccordingtoTableIII ϕ = (01 + 10 ) , | x+x+i √2 | i | i CE and then deduce Alice’s secret according to Table IV. 1 |ϕx+x−i= √2(|00i−|11i)CE, (15) V. CONCLUSION AND DISCUSSION 1 |ϕx−x+i= √2(|00i+|11i)CE, The object of QSS protocols is to transmit a secret in 1 such a way that only the authorized groups can access |ϕx−x−i= √2(−|01i+|10i)CE. it, and no other combination of parties can get any in- formation about it. The worst case for QSS protocols is that some participants are dishonest, and try to find ThenCharlie*measureseachqubitincomputationalba- thesecretbythemselves. Therefore,participantattackis sis. If the measurement results of C, E are 00 or 11, themostseriousthreatforthesecurityofQSSprotocols, Charlie*’s announcementis 1 (correspondingto 1 , x− and that is exactly what we study. The purpose of this | i | i or y hereafter),otherwisehis announcementis 0(cor- − res|poniding to 0 , x+ or y+ hereafter). According to | i | i | i Table I, we can see no error occurs, and therefore Char- TABLE IV: Relations between Charlie*’s measurement re- lie* can escape from being detected. sultsandAlice’ssecret (thefirst column)fortheinformation We now discuss how Charlie* can obtain the secret qubits. information from his qubits. He only needs distinguish i ii iii iv bgeettwAeleince’{s|ϕsexc+rxe+tix,|+ϕxo+rx−xi}. aTnhde{c|iϕrcxu−ixt+tio,|aϕcxh−iexv−ei}thtios 0 00, 11 00, 11 10, 01 10, 01 − 1 10, 01 10, 01 00, 11 00, 11 task is illustrated in Fig. 3. After the U operation, the 6 paper is to give a method to analyze a participant at- tack in QSS. We introduce this method taking the HBB scheme [1] as an example. A dishonest participantinter- Ψ ABCE = | i cepts all the qubits, they interact with his ancilla, and 1 he then resends them out. He then measures his qubits 2[|x+y+i(a00|ε00i−ia01|ε01i+a10|ε10i−ia11|ε11i) after other participants reveal their useful information. +x+y− (a00 ε00 +ia01 ε01 +a10 ε10 +ia11 ε11 ) By discriminating between two mixed states, we obtain | i | i | i | i | i the NAS conditions under which the dishonest partici- +|x−y+i(a00|ε00i−ia01|ε01i−a10|ε10i+ia11|ε11i) pant can attain all the information without introducing +x−y− (a00 ε00 +ia01 ε01 a10 ε10 ia11 ε11 )]. | i | i | i− | i− | i anyerror. ThisresultshowsthattheHBBprotocolisin- (A1) secure (in its originalform). Finally, we give anexample achievingtheproposedattacktodemonstrateourresults According to Table I, when Alice’s and Bob’s results are further. x+y+ or x−y−, Charlie*’s announcement should be y−, otherwise, his announcement should be y+. Therefore, Although the result that the HBB scheme is insecure Charlie*shouldbe capableofdistinguishingbetweenthe (in its original form) is not new, the method of analyz- ing the participant attack is, to our knowledge. The two sets, ϕx+y+ , ϕx−y− and ϕx+y− , ϕx−y+ , to {| i | i} {| i | i} avoid being detected. That is treatment we have presented appears to cover all indi- vidualparticipantattacksallowedbyphysicallaws. This mwwoietuthhldosdobmeceuansmefbouedliifianpcdapteliisoeidgnns.tinogWorteehlebarteelsideimvsecihlatehrmaQtesStaShnisdprmaonteoathclyoozlds-  hhhϕϕϕxxx−++yyy++−|||ϕϕϕxxx−++yyy−+−iii===000,,, (A2) ing their security. On the one hand, we can construct  hϕx−y−|ϕx−y+i=0. attack strategies easily according to the NAS conditions Then we get when a protocol has security loopholes. On the other hand, we can show that protocol is secure if the attack a∗00a01 ε00 ε01 +a∗11a10 ε11 ε10 =0, conditionscannotbereached. Forexample,applyingthis h | i h | i method to the enhanced protocol [3], we can show it is a∗00a10hε00|ε10i−a∗11a01hε11|ε01i=0, (A3) secure (Such analysis is beyond the scope of this paper). a01 2 ia∗01a10 ε01 ε10 ia∗10a01 ε10 ε01 a10 2 =0, | | − h | i− h | i−| | a00 2+ia∗00a11 ε00 ε11 +ia∗11a00 ε11 ε00 a11 2 =0. | | h | i h | i−| | (2) When Alice, Bob and Charlie* choose the MBs y, x, y, respectively, Ψ can be rewritten as Acknowledgments ABCE | i Ψ = ABCE | i We thank the anonymous reviewer for helpful com- 1 ments. This work is supported by the National [y+x+ (a00 ε00 +a01 ε01 ia10 ε10 ia11 ε11 ) 2 | i | i | i− | i− | i HighTechnologyResearchandDevelopmentProgramof China, Grant No. 2006AA01Z419; the National Natu- +|y+x−i(a00|ε00i−a01|ε01i−ia10|ε10i+ia11|ε11i) ral Science Foundation of China, Grant Nos. 90604023, +y−x+ (a00 ε00 +a01 ε01 +ia10 ε10 +ia11 ε11 ) | i | i | i | i | i 60373059;theNationalResearchFoundationfortheDoc- +y−x− (a00 ε00 a01 ε01 +ia10 ε10 ia11 ε11 )]. | i | i− | i | i− | i toral Program of Higher Education of China, Grant (A4) No.20040013007; the National Laboratory for Modern Communications Science Foundation of China, Grant According to Table I, the results, y+x+ or y x , imply − − No. 9140C1101010601; the Natural Science Foundation Charlie*’sannouncementshouldbey ,andothersimply − of Beijing, Grant No. 4072020;and the ISN Open Foun- y+. For the same reason, we let dation. ϕy+x+ ϕy+x− =0,  hhϕϕyy−+xx+−||ϕϕyy−+xx+−ii==00,, (A5) h | i APPENDIX A: CONSTRAINTS ON CHARLIE*’S  hϕy−x−|ϕy−x+i=0. PROBES We then have In this appendix, we find the conditions which Char- a∗00a01 ε00 ε01 a∗11a10 ε11 ε10 =0, lie*’soperationsneedsatisfywhennoerrorsaretooccur h | i− h | i in the procedure of detection in other three cases. a∗00a10hε00|ε10i+a∗11a01hε11|ε01i=0, (1) When Alice, Bob and Charlie* choose the MBs |a01|2+ia∗01a10hε01|ε10i+ia∗10a01hε10|ε01i−|a10|2 =0, x, y, y respectively, the whole system |ΨiABCE can be |a00|2+ia∗00a11hε00|ε11i+ia∗11a00hε11|ε00i−|a11|2 =0. rewritten as (A6) 7 (3) When Alice, Bob and Charlie* choose the MBs y, We then have y, x, respectively, Ψ can be rewritten as ABCE | i Ψ = ABCE | i 1 [y+y+ (a00 ε00 ia01 ε01 ia10 ε10 a11 ε11 ) 2 | i | i− | i− | i− | i +y+y− (a00 ε00 +ia01 ε01 ia10 ε10 +a11 ε11 ) +|y−y+i(a00|ε00i ia01|ε01i+−ia10|ε10i+a11|ε11i) a∗00a01hε00|ε01i+a∗11a10hε11|ε10i=0, +|y−y−i(a00|ε00i−+ia01|ε01i+ia10|ε10i a11|ε11i)]. a∗00a10hε00|ε10i+a∗11a01hε11|ε01i=0, (A9) | i | i | i | i− | (Ai7) |a01|2−a∗01a10hε01|ε10i+a∗10a01hε10|ε01i−|a10|2 =0, a00 2+a∗00a11 ε00 ε11 a∗11a00 ε11 ε00 a11 2 =0. The results, y+y+ or y y , imply Charlie*’s announce- | | h | i− h | i−| | − − ment should be x , and others imply x+. For the same − reason, we let ϕy+y+ ϕy+y− =0,  hhϕϕyy−+yy+−||ϕϕyy−+yy+−ii==00,, (A8) h | i  hϕy−y−|ϕy−y+i=0. [1] M. Hillery, V. Buzˇek, and A. Berthiaume, Phys. Rev. A [12] V.ScaraniandN.Gisin,Phys.Rev.A65,012311(2001). 59, 1829 (1999). [13] V. Scarani and N. Gisin, Phys. Rev. Lett. 87, 117901 [2] R.Cleve,D.Gottesman, andH.-K.Lo,Phys.Rev.Lett. (2001). 83, 648 (1999). [14] A.Sen(De),U.Sen,andM.Zukowski,Phys.Rev.A68, [3] A.Karlsson,M.Koashi,andN.Imoto,Phys.Rev.A59, 032309 (2003). 162 (1999). [15] C. H. Bennett and G. Brassard, in Proceedings of the [4] D.Gottesman, Phys. Rev.A 61, 042311 (2000). International Conference on Computers, Systems and W. Tittel, H. Zbinden, and N. Gisin, Phys. Rev. A 63, Signal Processing, Bangalore, india (IEEE, New York, 042301 (2001). 1984), pp.175-179. G.P.GuoandG.C.Guo,Phys.Lett.A310,247(2003). [16] Alice need not publicize her MBs; it suffices if she tells L. Xiao, G. L. Long, F. G. Deng and J. W. Pan, Phys. which instances should be used to generate a common Rev.A 69, 052307 (2004). key.However,thisisequivalentfortheparticipantattack L. Y.Hsu, C. M. Li, Phys.Rev.A 71, 022321 (2005). becauseadishonestparticipant canalso deducetheoth- [5] S.Bandyopadhyay,Phys. Rev.A 62, 012308 (2000). ersMBsinthefollowingway: Hefirstwiretapstheother L. Y.Hsu, Phys.Rev.A 68, 022306 (2003). agents MBs when they are transmitted to Alice and he Y.M.Li,K.S.ZhangandK.C.Peng,Phys.Lett.A324, knows that the useful instances satisfy the relation that 420 (2004). the numberof x measurements is odd, so he can deduce A.M.Lance,T.Symul,W.P.Bowen,B.C.Sanders,and Alices MBs for theuseful instances according to his and P.K. Lam, Phys. Rev.Lett. 92, 177903 (2004). the otheragents MBs. F.G.Deng,X.H.Li,C.Y.Li,P.Zhou,andH.Y.Zhou, [17] S.J.Qin,F.Gao,Q.Y.Wen,andF.C.Zhu,Phys.Lett. Phys.Rev.A 72, 044301 (2005). A 357, 101 (2006). G. Gordon1 and G. Rigolin, Phys. Rev. A 73, 062316 [18] F.G.Deng,X.H.Li,H.Y.Zhou,andZ.J.Zhang,Phys. (2006). Rev. A 72, 044302 (2005). [6] N.Lu¨tkenhaus, Phys.Rev. A 54, 97 (1996). [19] F. Gao, S. J. Qin, Q. Y. Wen, and F. C. Zhu, Quantum [7] C. A.Fuchs,N. Gisin, R. B. Griffiths, C.-S. Niu,and A. Information and Computation 7, 329 (2007). Peres, Phys. Rev.A 56, 1163 (1997). [20] S. Y. Zhang and M. S. Ying, Phys. Rev. A 65, 062322 [8] D.Bruβ, Phys. Rev,Lett. 81, 3018 (1998). (2002). [9] D. Bruβ and C. Macchiavello, Phys. Rev, Lett. 88, [21] U. Herzog and J. A. Bergou, Phys. Rev. A 70, 022302 127901 (2002). (2004). [10] P. W. Shor and J. Preskill, Phys. Rev. Lett. 85, 441 [22] C. W.Helstrom, Quantum detection and estimation the- (2000). ory (Academic, NewYork, 1976). [11] D. Gottesman and H. K. Lo, IEEE Transactions on In- formation Theory 49, 457 (2003).