Master Key Secured Quantum Key Distribution

Tabish Qureshi∗
Centre for Theoretical Physics, Jamia Millia Islamia, New Delhi, India.

Tabish Shibli†
SGTB Khalsa College, New Delhi, India.

Aditi Sheel‡
Department of Physics, Jamia Millia Islamia, New Delhi-110025, India.

∗ Electronic address: [email protected]
† Electronic address: [email protected]
‡ Electronic address: [email protected]

arXiv:1301.5015v1 [quant-ph] 17 Jan 2013

A new scheme of Quantum Key Distribution is proposed using three entangled particles in a GHZ state. Alice holds a 3-particle source and sends two particles to Bob, keeping one with herself. Bob uses one particle to generate a secure key, and the other to generate a master-key. This scheme should prove to be harder to break in non-ideal situations as compared to the standard protocols BB84 and Ekert. The scheme uses the concept of Quantum Disentanglement Eraser. Extension to a multi-partite scheme has also been investigated.

PACS numbers: 03.67.Dd; 03.65.Ud

Encrypting messages for secret communication is a very old problem. The so-called Vernam Cipher [1], or one-time pad, is a method which is believed to be the most secure, with the caveat that it is based on a shared key which can only be used once. This led people to explore the possibility of remotely sharing a new secret key in a secure way. Quantum key distribution (QKD) allows two parties, conventionally called Alice and Bob, to generate a common string of secret bits, the secret key, in the presence of an eavesdropper, usually called Eve [2]. The key so generated may be used for encrypting messages using the Vernam Cipher. The pioneering protocol for QKD was given by Bennett and Brassard in 1984, in a conference in Bangalore [3]. Later another equivalent protocol was given by Ekert utilizing properties of entangled states [4]. In principle, QKD is hundred percent secure, the proof being provided by the laws of quantum mechanics [5]. However, real-life implementations of QKD have various issues which make them deviate from the assumptions in idealized models. By exploiting security loopholes in practical realizations, notably imperfections in the detectors, various attacks have been successfully demonstrated against commercial QKD systems [6, 7].

Here we introduce a new QKD method using three entangled particles. This method introduces an additional element in the standard key distribution protocols, to make it harder to break in non-ideal situations.

I. BB84 AND EKERT PROTOCOLS

The basic quantum key distribution protocol of BB84 [3] or Ekert [4] is as follows.

1. An entangled spin-1/2 particle source produces a sequence of particle pairs, in a singlet state, one going to Alice, and one to Bob.

2. Bob measures the incoming particles' spin states by randomly choosing a measurement of either the x-component of the spin or the z-component, with equal probability.

3. Bob publicly tells Alice which bases he used for each particle he received (but, of course, not the result of his measurement).

4. Alice publicly tells Bob which bases she used to measure her particles.

5. Alice and Bob keep only the data from those measurements for which their bases are the same, discarding all the rest.

6. This data is interpreted as a binary sequence according to the coding scheme $|+\rangle_x = 1$, $|-\rangle_x = 0$, $|+\rangle_z = 1$, $|-\rangle_z = 0$ for Alice, and $|+\rangle_x = 0$, $|-\rangle_x = 1$, $|+\rangle_z = 0$, $|-\rangle_z = 1$ for Bob.

7. Alice announces the results of a small subset of her measurements. Bob checks if he has identical results. Any discrepancy here indicates a possible eavesdropping attempt.

8. If there is no discrepancy, the rest of the binary sequence is treated as the new key, and is identical for both Alice and Bob.

If the entangled-particle source is held by Alice, and only one particle travels to Bob and the other remains with Alice, the protocol is essentially BB84. She could replace it by a source producing single particles, each of which she measures before forwarding it to Bob. The consequences will be identical to those described above.

II. THREE PARTICLE ENTANGLEMENT

Let us consider the following 3-particle entangled state, known as the GHZ state [8]

$$|\psi\rangle = \frac{1}{\sqrt{2}}\left(|\uparrow\rangle_1|\uparrow\rangle_2|\uparrow\rangle_3 + |\downarrow\rangle_1|\downarrow\rangle_2|\downarrow\rangle_3\right), \tag{1}$$

where the states $|\uparrow\rangle_i$, $|\downarrow\rangle_i$ are eigenstates of the operator $\sigma_{iz}$. Let us also consider the following transformation of basis,

$$|\uparrow\rangle_i = \frac{1}{\sqrt{2}}\left(|+\rangle_i + |-\rangle_i\right), \qquad |\downarrow\rangle_i = \frac{1}{\sqrt{2}}\left(|+\rangle_i - |-\rangle_i\right) \tag{2}$$

for i = 1, 2 and 3. If we just look at the subspace of particles 1 and 2, their state is not a pure entangled state, but a mixed state, as can be seen by writing the density matrix for (1) and tracing over the states $|\uparrow\rangle_3$, $|\downarrow\rangle_3$. Here, the results of measurement of $\sigma_{1z}$ and $\sigma_{2z}$ will be correlated, but results of measurements of $\sigma_{1x}$ and $\sigma_{2x}$ will not be correlated.

Writing the states of particle 3 in terms of the eigenstates of $\sigma_{3x}$, (1) can be written as

$$|\psi\rangle = \frac{1}{2}\left(|\uparrow\rangle_1|\uparrow\rangle_2 + |\downarrow\rangle_1|\downarrow\rangle_2\right)|+\rangle_3 + \frac{1}{2}\left(|\uparrow\rangle_1|\uparrow\rangle_2 - |\downarrow\rangle_1|\downarrow\rangle_2\right)|-\rangle_3. \tag{3}$$

As we have not changed the state, measurements on particles 1 and 2 will not show any quantum correlations. However, if one also makes a measurement of $\sigma_{3x}$, and picks out only those results of measurement of particles 1 and 2 for which particle 3 yields $|+\rangle_3$, particles 1 and 2 will show quantum correlation. Particles 1 and 2, which appeared to be disentangled in state (1), are now entangled. One can say that a measurement of $\sigma_{3x}$ has erased the disentanglement between particles 1 and 2. Correlating the measurements of particles 1 and 2 with $|-\rangle_3$ will also lead to an entanglement of 1 and 2, but of a slightly different form. This concept of quantum disentanglement eraser was introduced by Garisto and Hardy [9].

As one can see, measurement of particle 3, in a particular basis, has the potential to control the nature of entanglement of particles 1 and 2. We use this feature to construct a new 3-particle protocol for QKD. The GHZ state has been used before to construct a QKD protocol for sharing a secure key between three parties [10]. However, we are only interested in two-party key-sharing.

III. MASTER-KEY SECURED QKD (MKS-QKD)

In the following we propose a key distribution scheme where Alice holds a 3-particle source which generates a sequence of particle trios in a GHZ state given by (1). She sends particles 2 and 3 to Bob and keeps particle 1 with herself. Bob calls (say) particle 3 the master channel and particle 2 the secure channel. He measures $\sigma_{3x}$ on the master channel so that he gets either $|+\rangle_3$ or $|-\rangle_3$. One can see from (3) that if Alice and Bob measure $\sigma_{1z}$ and $\sigma_{2z}$ respectively, their results will always be correlated. For example, if Alice gets $|\downarrow\rangle_1$ Bob will necessarily get $|\downarrow\rangle_2$, and if Alice gets $|\uparrow\rangle_1$ Bob will necessarily get $|\uparrow\rangle_2$, irrespective of the results of the master channel.

Now if Alice and Bob (on particle 2) measure $\sigma_{ix}$, writing (1) in terms of the eigenstates of $\sigma_{ix}$ will make it easier to see what will happen.

$$|\psi\rangle = \frac{1}{2}\left(|+\rangle_1|+\rangle_2 + |-\rangle_1|-\rangle_2\right)|+\rangle_3 + \frac{1}{2}\left(|+\rangle_1|-\rangle_2 + |-\rangle_1|+\rangle_2\right)|-\rangle_3. \tag{4}$$

It is clear from the above that if the master channel measurement gives $|+\rangle_3$, the measurement results of Alice and Bob (on particle 2) on $\sigma_{ix}$ will be identical. On the other hand, if the master channel measurement gives $|-\rangle_3$, the measurement results of Alice and Bob (on particle 2) on $\sigma_{ix}$ will be inverted with respect to each other.

On receiving the two particles through two different channels, Bob randomly decides to use one channel to generate his secure key, and the other to generate a master-key. The details of the protocol are as follows.

1. A 3-particle source is held by Alice which generates a sequence of 3 entangled particles. Particle 1 remains with Alice, while particles 2 and 3 go to Bob through two different channels.

2. Bob randomly chooses one channel to generate his secure key and the other to generate the master-key. Bob randomly chooses a different channel for his master-key, for each pair that comes to him.

3. Alice measures the incoming particles' spin states by randomly choosing a measurement of either the x-component of the spin or the z-component, with equal probability. Bob does the same for his secure channel.

4. Bob measures the x-component of the spin of particles from his master channel.

5. Alice and Bob publicly declare which bases they used for the secure channel, for each particle they received.

6. Alice and Bob keep only the data from those measurements for which their secure channel bases are the same, discarding all the rest.

7. This data is interpreted as a binary sequence according to the coding scheme $|\uparrow\rangle \to 1$, $|\downarrow\rangle \to 0$, $|+\rangle \to 1$, $|-\rangle \to 0$ by Alice and Bob. Bob interprets the data of the master channel as follows: $|+\rangle \to 0$, $|-\rangle \to 1$, if he measured the x-component in the secure channel; $|+\rangle \to 0$, $|-\rangle \to 0$, if he measured the z-component in the secure channel. Alice's and Bob's keys do not match at this stage.

8. Bob now adds the master-key to his key bit by bit, modulo 2.

9. At this stage, the keys generated by Alice and Bob are identical.

10. In order to check for any eavesdropping attempt, Alice announces the results of a small subset of her measurements. Bob checks if he has identical results. Any discrepancy here indicates a possible eavesdropping attempt. The rest of the sequence now forms the usable key.

In the nearly impossible scenario in which an eavesdropper correctly guesses which is the master channel for each pair of particles that travels to Bob, he can perform a measurement of $\sigma_{mx}$, where m is the particle number which is considered to be the master channel, and can know in advance Bob's master-key. The security of this key distribution scheme then reduces to that of the Ekert or BB84 protocol. However, there is no way an eavesdropper can correctly guess which one is the master channel for every single pair. An eavesdropper measuring $\sigma_x$ on the wrong channel will lead to his attempt being detected. This feature introduces an additional complexity in the secure key distribution, and consequently makes the key sharing more robust against attacks.

IV. MASTER-KEY CONTROLLED QKD (MKC-QKD)

We now use the concept of disentanglement eraser to construct another kind of key distribution scheme in which there is a Master who wishes to control the key distribution between Alice and Bob. In this scheme, the key held by the Master has a special position: without using it, Alice and Bob cannot share a secure key even though they used the Ekert protocol. This is much like a system in some bank lockers where the bank holds a master-key without which the key of an individual client doesn't work. The protocol for the Master-key controlled quantum key distribution works as follows.

1. A 3-particle source is held by the Master which generates a sequence of 3 entangled particles. Particle 1 goes to Alice, particle 2 to Bob and particle 3 remains with the Master.

2. Alice and Bob measure the incoming particles' spin states by randomly choosing a measurement of either the x-component of the spin or the z-component, with equal probability.

3. The Master measures the x-component of the spin of his particle.

4. Alice and Bob publicly declare which bases they used for each particle they received (but, of course, not the result of the measurement).

5. Alice and Bob keep only the data from those measurements for which their bases are the same, discarding all the rest. The Master also discards the data for particles for which Alice's and Bob's bases do not match.

6. This data is interpreted as a binary sequence according to the coding scheme $|\uparrow\rangle \to 1$, $|\downarrow\rangle \to 0$, $|+\rangle \to 1$, $|-\rangle \to 0$ by Alice and Bob. The Master interprets his data as follows: $|+\rangle \to 0$, $|-\rangle \to 1$, if Alice and Bob measured the x-component; $|+\rangle \to 0$, $|-\rangle \to 0$, if Alice and Bob measured the z-component. All three now have a key, but Alice's and Bob's keys do not match.

7. The Master announces his key publicly, which Bob adds to his key bit by bit, modulo 2.

8. At this stage, the keys generated by Alice and Bob are identical.

9. In order to check for any eavesdropping attempt, Alice announces the results of a small subset of her measurements. Bob checks if he has identical results. Any discrepancy here indicates a possible eavesdropping attempt. The rest of the sequence now forms the usable key.

Using this scheme the Master can effectively delay the sharing of the key by any length of time. Another possible use of MKC-QKD is that if the entangled particles are to be provided by a third party, this method provides a way of authenticating the particle source. Without the publicly sent master-key, the keys of Alice and Bob will not match. Although this scheme provides a mechanism which makes the involvement of the Master necessary, it may not provide any additional security over the BB84 and Ekert protocols.

V. MULTI-PARTICLE GHZ STATE

One might wonder if the n-particle GHZ state

$$|\psi\rangle = \frac{1}{\sqrt{2}}\left[\,|\uparrow\rangle_1|\uparrow\rangle_2|\uparrow\rangle_3 \dots |\uparrow\rangle_n + |\downarrow\rangle_1|\downarrow\rangle_2|\downarrow\rangle_3 \dots |\downarrow\rangle_n\right], \tag{5}$$

possesses similar properties. In this state too, any two particles are not entangled, as the two-particle reduced density matrix, after tracing over the rest of the n-2 particles, is a mixed state density matrix. However, one can show that if one measures the n-2 particles in an appropriate basis, the entanglement between the two particles can be brought back by correlating with the measurement results of the n-2 particles. This indicates that a QKD protocol is possible using an n-particle GHZ state. Since an n-particle entangled state has little practical use, we will not go into the details of describing the QKD protocol.

VI. CONCLUSION

The quantum disentanglement eraser idea for the 3-particle GHZ state has been used here to construct two QKD protocols. The first one, where Alice holds the 3-particle source, provides an additional level of security over the BB84 or Ekert protocols. In ideal circumstances the BB84 and Ekert methods provide unbreakable key sharing, but in non-ideal cases several kinds of attacks can be constructed. In such situations, our Master-Key Secured QKD protocol will provide key-sharing which will be harder to break. We have also provided a variant which we call Master-Key Controlled QKD where three parties are involved. MKC-QKD allows the possibility for a third person, called Master, to control the key sharing between Alice and Bob. Without the master-key provided publicly by the Master at a later stage, Alice and Bob will be unable to share a secure key. Various practical uses of this method can be explored. For example, if the source of particles is to be provided by a third party, this method can be used to establish the authenticity of the source. This variant, however, is not expected to provide any additional security over the BB84 or Ekert protocols.

Acknowledgments

T. Shibli thanks the Centre for Theoretical Physics for the summer student program during which this work was completed. A. Sheel thanks the Centre for Theoretical Physics for providing the facilities of the Centre during the course of this work.

[1] G.S. Vernam, "Cipher Printing Telegraph Systems For Secret Wire and Radio Telegraphic Communications", J. Am. Inst. Elec. Eng. 55: 109-115 (1926).
[2] N. Gisin et al., Rev. Mod. Phys. 74, 145 (2002); V. Scarani et al., Rev. Mod. Phys. 81, 1301 (2009).
[3] C.H. Bennett, G. Brassard, "Quantum cryptography: Public-key distribution and coin tossing," in Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, India, 1984, (IEEE Press, 1984), pp. 175-179; C.H. Bennett and G. Brassard, "Quantum public key distribution," IBM Technical Disclosure Bulletin 28, 3153-3163 (1985).
[4] A.K. Ekert, "Quantum cryptography based on Bell's theorem", Phys. Rev. Lett. 67, 661-663 (1991).
[5] P.W. Shor, J. Preskill, Phys. Rev. Lett. 85, 441-444 (2000).
[6] C.-H.F. Fung et al., Phys. Rev. A 75, 032314 (2007); F. Xu, B. Qi and H.-K. Lo, New J. Phys. 12, 113026 (2010).
[7] B. Qi et al., Quantum Inf. Comput. 7, 73 (2007); Y. Zhao et al., Phys. Rev. A 78, 042333 (2008); L. Lydersen et al., Nature Photon. 4, 686 (2010); I. Gerhardt et al., Nature Commun. 2, 349 (2011).
[8] D.M. Greenberger, M.A. Horne, A. Zeilinger, "Going Beyond Bell's Theorem" in Bell's Theorem, Quantum Theory, and Conceptions of the Universe, eds. M. Kafatos (Kluwer Academic, Dordrecht, 1989), pp. 73-76; arXiv:0712.0921 [quant-ph].
[9] R. Garisto, L. Hardy, "Entanglement of projection and a new class of quantum erasers," Phys. Rev. A 60, 827-831 (1999).
[10] G.L. Khym, W.Y. Chung, J.I. Kim, H.J. Yang, J. Korean Phys. Soc. 44, 1349-1354 (2004).
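The MKS-QKD steps of Section III can be checked with an ideal state-vector simulation of the GHZ trio (no noise, no eavesdropper). This is an added example, not code from the paper; the function names, the seed parameter and the bit layout of the 8-amplitude state vector are assumptions made here.

```python
import random
from math import sqrt

def to_x_basis(state, q):
    """Re-express qubit q (0..2) in the sigma_x eigenbasis: bit 0 -> |+>, bit 1 -> |->."""
    out, bit = state[:], 1 << q
    for i in range(8):
        if not i & bit:
            a, b = state[i], state[i | bit]
            out[i], out[i | bit] = (a + b) / sqrt(2), (a - b) / sqrt(2)
    return out

def measure_trio(bases, rng):
    """Measure one GHZ trio; bases[q] is 'x' or 'z'. Returns bits: 1 = up or +, 0 = down or -."""
    state = [0.0] * 8
    state[0] = state[7] = 1 / sqrt(2)          # Eq. (1): index bit q = 0 means particle q+1 is up
    for q, basis in enumerate(bases):
        if basis == 'x':
            state = to_x_basis(state, q)
    idx = rng.choices(range(8), weights=[a * a for a in state])[0]
    return [1 - ((idx >> q) & 1) for q in range(3)]

def mks_qkd(n_trios, seed=0):
    """Run steps 1-9 of MKS-QKD. Returns (Alice's key, Bob's raw key, Bob's corrected key)."""
    rng = random.Random(seed)
    alice_key, bob_raw, master_key = [], [], []
    for _ in range(n_trios):
        a_basis, b_basis = rng.choice('xz'), rng.choice('xz')
        secure = rng.choice((1, 2))            # step 2: Bob picks his secure channel per trio
        master = 3 - secure
        bases = [a_basis, 'x', 'x']
        bases[secure] = b_basis                # steps 3-4: master channel is always measured in x
        bits = measure_trio(bases, rng)
        if a_basis != b_basis:
            continue                           # step 6: discard mismatched secure-channel bases
        alice_key.append(bits[0])
        bob_raw.append(bits[secure])
        # step 7: master bit is + -> 0, - -> 1 for x rounds, and always 0 for z rounds
        master_key.append(1 - bits[master] if b_basis == 'x' else 0)
    bob_key = [b ^ m for b, m in zip(bob_raw, master_key)]   # step 8: add modulo 2
    return alice_key, bob_raw, bob_key

if __name__ == "__main__":
    alice, raw, bob = mks_qkd(400, seed=1)
    print(len(alice), "sifted bits; raw keys equal:", alice == raw, "; after master-key:", alice == bob)
```

Before step 8 Bob's raw key disagrees with Alice's on the x-basis rounds where the master channel gave $|-\rangle$; after the modulo-2 addition the two keys coincide.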