
Brief Report

SCIENCE CHINA Physics, Mechanics & Astronomy

November 2010 Vol. 53 No. 11: 2131–2134
doi: 10.1007/s11433-010-4130-y

© Science China Press and Springer-Verlag Berlin Heidelberg 2010 phys.scichina.com www.springerlink.com

Improvement of the security of quantum protocols for anonymous voting and surveying

XU QingJun* & ZHANG ShiYing

Department of Physics and Electronic Engineering, Zaozhuang University, Zaozhuang 277160, China

Received March 8, 2010; accepted April 1, 2010; published online September 2, 2010

Several quantum protocols were proposed in a recent paper by Vaccaro, Spring and Chefles for ensuring anonymous voting in a number of different scenarios. However, it is shown that their protocols are very vulnerable in terms of security. Improved schemes are also presented to recover the security.

quantum protocols, security, anonymous voting and surveying

PACS: 03.67.-a, 03.65.Ud, 03.67.Hk

Based on physical laws instead of mathematical complexities, communication with perfect secrecy can be guaranteed over an insecure channel in Vernam's sense of a one-time pad, which is known as quantum cryptography [1]. Its main pursuit is the proven absolute security of quantum protocols thanks to counterintuitive principles of quantum theory. Since the pioneering work of Bennett and Brassard in 1984 [2], i.e., the well-known BB84 protocol, quantum cryptography has attracted much attention and a lot of classical cryptosystems have been generalized into quantum versions. Conventionally, the problem is referred to as quantum key distribution (QKD) (for a review see [1]). Although the methods used in these QKD schemes are various, all of them allow for a secret generation of random keys through which legitimate users can accomplish a thoroughly private communication. Besides QKD, a new concept in quantum cryptography, quantum secure direct communication (QSDC), has also been proposed [3–9], which permits confidential messages to be communicated directly without first establishing random keys to encrypt them. The final purpose of quantum cryptography is its possible application in practice, thus its experimental realization has also been reported, such as the experiment on a robust hierarchical metropolitan quantum cryptography network [10].

The most important issue of quantum cryptography is the security on eavesdropping, at least in theory [11–14]. Recently, Vaccaro, Spring and Chefles presented quantum protocols [15] for voting and a related task that they term surveying. Their proposals are of importance in some situations where the identity of the person who sent the message must be kept secret, such as elections, anonymous ballots and referendums. The quantum channel they used is the entangled state of particle numbers, which is shared between at least two sites. The ballot state stores the tally of the votes which are registered using local operations. The authors of ref. [15] discussed the security of their protocols under some attacks. However, we will show that their protocols are highly insecure, i.e., the voting message of each individual voter can be learnt by the tallyman or the other voters. Also, in the so-called comparative ballot protocol of ref. [15], the collective voting information of the voters can be easily obtained by any external eavesdropper.

*Corresponding author (email: [email protected])

The first quantum voting protocol in [15] is a comparative ballot protocol. Suppose that two voters, Alice and Bob, are required to vote on a question with a response of either "yes" or "no". There is a tallyman who needs to determine whether or not the two voters have cast the same vote. But the tallyman is not allowed to gain information about the voting of individual voters. Alice and Bob, who are at spatially separated sites A and B, share a ballot state of the form

$$|C_0\rangle = \frac{1}{\sqrt{2}}\left(|1,0\rangle + |0,1\rangle\right), \tag{1}$$


where $|n,m\rangle \equiv |n\rangle_A \otimes |m\rangle_B$ represents $n$ ($m$) particles occupying a spatial mode at site A (B). A "yes" vote is represented by an operator $\exp(iN\pi)$ with $\exp(iN\pi)|n\rangle = \exp(in\pi)|n\rangle$. The identity operator stands for a "no" vote. If both voters make the same vote, the ballot state is unchanged. However, if their votes are different, the state is transformed into

$$|C_1\rangle = \frac{1}{\sqrt{2}}\left(|1,0\rangle - |0,1\rangle\right), \tag{2}$$

up to a global factor "±". After the operations, Alice and Bob send their particles to the tallyman, who performs a measurement in the basis $(|1,0\rangle \pm |0,1\rangle)/\sqrt{2}$ to get the final outcome.

Here, we show that the comparative ballot protocol described above is highly insecure, namely, there exist three attacks: (1) an individual voter can obtain the other voter's message about the voting, (2) the tallyman can gain information about the voting of individual voters, and (3) any external eavesdropper Eve can access the collective information of the voters. In their scheme, after the voting the two-particle state is transferred to the site of the tallyman. During the transmission, a dishonest party, say, Bob, can measure the two-particle state in the basis $(|1,0\rangle \pm |0,1\rangle)/\sqrt{2}$ and then resend it on to the tallyman. By doing so Bob knows the collective information and, hence, can deduce Alice's voting information: if the two-particle state is $(|1,0\rangle + |0,1\rangle)/\sqrt{2}$, Alice's voting is identical to Bob's; otherwise, if he gets $(|1,0\rangle - |0,1\rangle)/\sqrt{2}$, Alice's voting is opposite to Bob's. As for the tallyman, he can, instead of $|C_0\rangle$, prepare the ballot state in the form $|C'_0\rangle = |+,+\rangle$, where $|\pm\rangle = (|0\rangle \pm |1\rangle)/\sqrt{2}$. Then, he is able to gain full information about both Alice's and Bob's votes by measuring the two modes separately in the basis $|\pm\rangle$ without being detected by Alice and Bob. Finally, any external eavesdropper Eve is able to gain the collective voting as well by just measuring the ballot state in the basis $(|1,0\rangle \pm |0,1\rangle)/\sqrt{2}$ after both Alice and Bob have performed their votes, followed by forwarding the (measured) ballot state on to the tallyman. Clearly, such an attack by Eve cannot be detected either.

One can introduce an appropriate checking procedure for Alice and Bob to guarantee that the ballot state they share is indeed in an entangled (not product) state. Such a checking procedure would counter attack (2) but, unfortunately, attacks (1) and (3) would remain. In the following we shall present an improved scheme to defeat these attacks. To ensure the security of particle transmission, we take advantage of the idea of "block transmission" of particles, which was first proposed in ref. [16]. By means of block transmission, the user can take some of the received particles as samples to check the security of the transmission. This strategy is efficient in ensuring the transmission security and has been employed in a lot of quantum secret communication schemes [4,5].

The tallyman prepares $2N$ identical entangled states $|\Psi_{10}\rangle_{T_{A_i}A_i} = (|10\rangle_{T_{A_i}A_i} + |01\rangle_{T_{A_i}A_i})/\sqrt{2}$ and $|\Psi_{10}\rangle_{T_{B_j}B_j} = (|10\rangle_{T_{B_j}B_j} + |01\rangle_{T_{B_j}B_j})/\sqrt{2}$ (with $i, j = 1, 2, \ldots, N$), then sends all the particles $A_i$ ($B_j$) to Alice (Bob). Alice (Bob) takes some of the received particles $A_i$ ($B_j$) as samples and measures them in a basis chosen randomly from $\{|0\rangle, |1\rangle\}$ and $\{|+\rangle, |-\rangle\}$. Then she (he) asks the tallyman to measure the corresponding particles $T_{A_i}$ ($T_{B_j}$) in the same basis as hers (his) and to announce the measurement result. If the basis $\{|0\rangle, |1\rangle\}$ ($\{|+\rangle, |-\rangle\}$) is chosen, their measurement results should always be opposite (identical). Through comparison, Alice (Bob) can check not only the security of the transmission but also the honesty of the tallyman. When the entangled states have been successfully distributed to Alice and Bob, the tallyman makes a Bell-state measurement (BSM) on two of the remaining unchecked particles, say, the particles $T_{A_k}$ and $T_{B_l}$. The tallyman keeps the BSM result to himself. Thanks to entanglement swapping, Alice's particle $A_k$ and Bob's particle $B_l$ end up in a certain Bell state whose identity is known only to the tallyman:

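$$|\Psi_{10}\rangle_{T_{A_k}A_k} \otimes |\Psi_{10}\rangle_{T_{B_l}B_l} = \frac{1}{4}\Big(|\Psi_{00}\rangle_{T_{A_k}T_{B_l}}|\Psi_{00}\rangle_{A_kB_l} - |\Psi_{01}\rangle_{T_{A_k}T_{B_l}}|\Psi_{01}\rangle_{A_kB_l} + |\Psi_{10}\rangle_{T_{A_k}T_{B_l}}|\Psi_{10}\rangle_{A_kB_l} - |\Psi_{11}\rangle_{T_{A_k}T_{B_l}}|\Psi_{11}\rangle_{A_kB_l}\Big), \tag{3}$$

where

$$\begin{aligned}
|\Psi_{00}\rangle_{XY} &= \frac{1}{\sqrt{2}}\left(|00\rangle + |11\rangle\right)_{XY},\\
|\Psi_{01}\rangle_{XY} &= \frac{1}{\sqrt{2}}\left(|00\rangle - |11\rangle\right)_{XY},\\
|\Psi_{10}\rangle_{XY} &= \frac{1}{\sqrt{2}}\left(|10\rangle + |01\rangle\right)_{XY},\\
|\Psi_{11}\rangle_{XY} &= \frac{1}{\sqrt{2}}\left(|10\rangle - |01\rangle\right)_{XY}.
\end{aligned} \tag{4}$$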

In the following process, Alice and Bob can perform the voting in the way described in [15]. Since the working ballot state is now secret to any individual voter as well as to any external Eve, they cannot get any voting messages even if they measure the final encoded state, i.e., attacks (1) and (3) are defeated. In addition, after receiving the particles $A_i$ and $B_j$, Alice and Bob have performed the security checking. As a result, cheating by the tallyman using product states such as $|C'_0\rangle = |+,+\rangle$ must be detected. Thus, attack (2) is also ruled out.
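The three attacks and the two countermeasures described above can be checked numerically. The following is an added example, not code from the paper: it models each site as a qubit, assumes a uniform prior over the four vote combinations, uses the product state |+,+⟩ as the constructed cheating case, and all function names are illustrative.

```python
# Added illustration, not code from the paper. Two-qubit state vectors are
# lists of 4 real amplitudes in the order |00>, |01>, |10>, |11> (site A, site B).
from itertools import product
from math import sqrt

S = 1 / sqrt(2)
# Bell states of eq. (4), keyed by label; "10" is also the ballot state |C0>.
BELL = {"00": [S, 0, 0, S], "01": [S, 0, 0, -S],
        "10": [0, S, S, 0], "11": [0, -S, S, 0]}

def cast(state, yes_a, yes_b):
    """Apply the votes: 'yes' is exp(i*N*pi), a sign flip on |1> at that site."""
    return [amp * (-1) ** ((i >> 1) * yes_a + (i & 1) * yes_b)
            for i, amp in enumerate(state)]

def bell_probs(state):
    """Outcome probabilities of a Bell-state measurement on `state`."""
    return {k: sum(x * y for x, y in zip(v, state)) ** 2 for k, v in BELL.items()}

def eavesdrop_original(yes_a, yes_b):
    """Attacks (1)/(3): measure the voted |C0> in (|1,0> +/- |0,1>)/sqrt(2)."""
    p = bell_probs(cast(BELL["10"], yes_a, yes_b))
    return "same" if p["10"] > 0.5 else "different"

def posterior_same_improved():
    """P(votes equal | eavesdropper's Bell outcome) when the working ballot is
    one of the four Bell states, equally likely and known only to the tallyman.
    Assumes a uniform prior over the four vote combinations."""
    joint = {}
    for init, (ya, yb) in product(BELL, product((0, 1), repeat=2)):
        for out, p in bell_probs(cast(BELL[init], ya, yb)).items():
            same, total = joint.get(out, (0.0, 0.0))
            joint[out] = (same + p * (ya == yb), total + p)
    return {out: round(same / total, 6) for out, (same, total) in joint.items()}

def tallyman_decode(init, yes_a, yes_b):
    """The tallyman knows `init` from his own BSM, so he can still compare votes."""
    p = bell_probs(cast(BELL[init], yes_a, yes_b))
    return "same" if max(p, key=p.get) == init else "different"

def sample_check_failure(pair, basis):
    """Probability that one sample check fails for the two-particle state `pair`:
    results must be opposite in {|0>,|1>} ("z") and identical in {|+>,|->} ("x")."""
    if basis == "x":  # Hadamard on both particles, then read out in {|0>,|1>}
        h = [[S, S], [S, -S]]
        pair = [sum(h[i >> 1][j >> 1] * h[i & 1][j & 1] * pair[j] for j in range(4))
                for i in range(4)]
    p_equal = pair[0] ** 2 + pair[3] ** 2
    return p_equal if basis == "z" else 1 - p_equal

if __name__ == "__main__":
    print(eavesdrop_original(1, 0), posterior_same_improved())
    # Honest |Psi_10> pair vs. a product state |+,+> (constructed cheating case)
    for name, st in (("Psi_10", BELL["10"]), ("|+,+>", [0.5] * 4)):
        print(name, [round(sample_check_failure(st, b), 6) for b in "zx"])
```

With the fixed ballot state the eavesdropper's outcome determines the comparison exactly, while with the secret Bell state every outcome leaves the probability of equal votes at one half; the product state fails half of the samples checked in the {|0⟩, |1⟩} basis.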

But another problem arises, as follows. When Alice and Bob, after having done the voting operation, return their qubits $A_k$ and $B_l$ to the tallyman, Eve has full access to the qubits. Eve may choose to apply or not apply $\exp(iN\pi)$ on either $A_k$ or $B_l$ to change or not change the collective information. Since the tallyman can by no means detect such a trick by Eve, he is unable to accept the collective information with certainty. In a sense, this attack amounts to a denial of service on the scheme. To prevent such an attack by Eve, the teleportation scheme for a two-particle entangled state [17] can be adopted. The parties use two more entangled pairs $\{T_{A_{k'}}, A_{k'}\}$ and $\{T_{B_{l'}}, B_{l'}\}$ from the unchecked particles in the particle distribution stage described above. Alice (Bob) makes a BSM on $\{A_k, A_{k'}\}$ ($\{B_l, B_{l'}\}$), then publicly announces the BSM result. With these classical messages, the tallyman can transform his corresponding two-particle state to the final voting state. Since he knows the initial state and the final state, the tallyman can infer the collective information of Alice's and Bob's voting.

The second protocol they proposed is termed anonymous survey [15]. The one who performs the survey is interested in the total outcome, and the individual opinion must be kept secret. The state they used is a multiparty entangled state of the form

$$|B'_0\rangle = \frac{1}{\sqrt{N+1}} \sum_{n=0}^{N} |K(N-n), n, n, \ldots, n\rangle, \tag{5}$$

where $|i, j, \ldots, k\rangle \equiv |i\rangle_T \otimes |j\rangle_{V_1} \otimes \cdots \otimes |k\rangle_{V_K}$ for $K$ voting sites $V_i$, $i = 1, \ldots, K$, where $K$ is equal to or larger than the number of voters. Each voter $i$ is assigned a unique voting site $V_i$ for casting a vote by applying the phase shifting operator $\exp(iN_{V_i}\delta_i)$ to the spatial mode at site $V_i$, where $N_V|n\rangle_V = n|n\rangle_V$ and $\delta_i = \nu_i\pi/(N+1)$ for a vote corresponding to an amount $\nu_i$. After all the operations, the state (5) is transformed into

$$|B'_m\rangle = \frac{1}{\sqrt{N+1}} \sum_{n=0}^{N} \exp(in\Delta_m)\, |K(N-n), n, n, \ldots, n\rangle, \tag{6}$$

where $\Delta_m = \sum_{i=1}^{m} \delta_i$. All the voters send their particles to the tallyman, who can determine the net value of the votes $M_m = \sum_{i=1}^{m} \nu_i$ from the expectation $\langle B'_m|T'|B'_m\rangle = M_m$, where

$$T' = \sum_{n=0}^{N} n\, |T'_n\rangle\langle T'_n| \tag{7}$$

with

$$|T'_n\rangle = \frac{1}{\sqrt{N+1}} \sum_{n=0}^{N} \exp(ink\theta)\, |K(N-k), k, k, \ldots, k\rangle. \tag{8}$$

However, an apparent eavesdropping strategy the tallyman can adopt to learn the individual vote is that he measures his particles in the particle number basis $\{|0\rangle, |1\rangle, \ldots, |KN\rangle\}$. Suppose the tallyman gets $|K(N-k)\rangle$; he then knows that all the states of the voters are $|k\rangle$. Hence, when each voter transfers the encoded particle to the tallyman one by one, he can obtain the value of each voter as well as the total amount. Besides the tallyman, an individual voter can also acquire the information of the other voters with the same strategy. Suppose the dishonest one, say, Bob, measures his particle in the particle number basis with a result $|l\rangle$. He then knows that all the states of the other voters are also $|l\rangle$. Hence, when the voters send their particles to the tallyman, Bob can measure them and get the values of all the other voters. To defeat this apparent attack, we present a possible security checking method as follows. With a probability $c$, the voters ask the tallyman to send his particle to the voting site (site T), then they measure all the $KN$ particles to see if it is in the state (5). If they obtain an erroneous result, they can detect this attack, though they cannot be sure whether it comes from the tallyman or from an individual voter.

Quantum cryptography has always involved two aspects since its appearance: one is the design of various protocols, while the other is the security analysis of current cryptosystems to find their vulnerabilities and thus improve them. In this paper, we have shown the insecurity of the anonymous voting schemes of [15] and also presented a modified scheme and/or detection method to make them secure. The first quantum voting protocol in [15] is a comparative ballot protocol which can suffer from three attacks. To defeat these attacks, we have presented a modified scheme by which the three attacks can be prevented simultaneously. The second protocol they proposed is termed anonymous survey [15], which is also shown to be insecure. To recover the security, we have given a possible security checking method. As for the experimental realization of the scheme, one should first prepare and distribute the entanglement among the users. The entanglement between two remote atoms can be produced by a number of methods [18–22]. In particle distribution and manipulation, the entanglement would experience decoherence and degradation induced by the unavoidable environment [23]. However, with the development of quantum information technology, this protocol could be realized in the future. Since security is the most important factor in quantum cryptography, the present work is a significant complement to the original one [15].

1 Gisin N, Ribordy G, Tittel W, et al. Quantum cryptography. Rev Mod Phys, 2002, 74: 145–195

2 Bennett C H, Brassard G. Proceedings of the IEEE International Conference on Computers, Systems and Signal Processings, Bangalore, India. New York: IEEE, 1984. 175

3 Bostrom K, Felbinger T. Deterministic secure direct communication using entanglement. Phys Rev Lett, 2002, 89: 187902-1–4

4 Deng F G, Long G L, Liu X S. Two-step quantum direct communication protocol using the Einstein-Podolsky-Rosen pair block. Phys Rev A, 2003, 68: 042317-1–6

5 Man Z X, Zhang Z J, Li Y. Deterministic secure direct communication by using swapping quantum entanglement and local unitary operations. Chin Phys Lett, 2005, 22: 18–21

6 Man Z X, Zhang Z J, Li Y. Quantum dialogue revisited. Chin Phys Lett, 2005, 22: 22–24

7 Lee H, Lim J, Yang H. Quantum direct communication with authentication. Phys Rev A, 2006, 73: 042305-1–5

8 Zhang Z J, Liu J, Wang D, et al. Comment on "Quantum direct communication with authentication". Phys Rev A, 2007, 75: 26301-1–4

9 Man Z X, Xia Y J, Nguyen B A. Quantum secure direct communication by using GHZ states and entanglement swapping. J Phys B-At Mol Opt Phys, 2006, 39: 3855–3863

10 Xu F X, Chen W, Wang S, et al. Field experiment on a robust hierarchical metropolitan quantum cryptography network. Chin Sci Bull, 2009, 54(17): 2991–2997

11 Zhang X L. One-way quantum identity authentication based on public key. Chin Sci Bull, 2009, 54(12): 2018–2021

12 Hao L, Li J L, Long G L. Eavesdropping in a quantum secret sharing protocol based on Grover algorithm and its solution. Sci China Ser G-Phys Mech Astron, 2010, 53(3): 491–495

13 Zhang X L, Ji D Y. Analysis of a kind of quantum cryptographic schemes based on secret sharing. Sci China Ser G-Phys Mech Astron, 2009, 52(9): 1313–1316

14 Gao F, Guo F Z, Wen Q Y, et al. Revisiting the security of quantum dialogue and bidirectional quantum secure direct communication. Sci China Ser G-Phys Mech Astron, 2008, 51(5): 559–566

15 Vaccaro J A, Spring J, Chefles A. Quantum protocols for anonymous voting and surveying. Phys Rev A, 2007, 75: 012333-1–8

16 Long G L, Liu X S. Theoretically efficient high-capacity quantum-key-distribution scheme. Phys Rev A, 2002, 65: 032302-1–3

17 Rigolin G. Quantum teleportation of an arbitrary two-qubit state and its relation to multipartite entanglement. Phys Rev A, 2005, 71: 032303-1–5

18 Cabrillo C, Cirac J I, García-Fernández P, et al. Creation of entangled states of distant atoms by interference. Phys Rev A, 1999, 59(2): 1025–1033

19 Bose S, Knight P L, Plenio M B, et al. Proposal for teleportation of an atomic state via cavity decay. Phys Rev Lett, 1999, 83(24): 5158–5161

20 Sørensen A S, Mølmer K. Probabilistic generation of entanglement in optical cavities. Phys Rev Lett, 2003, 90(12): 127903

21 Duan L M. Entangling many atomic ensembles through laser manipulation. Phys Rev Lett, 2002, 88(17): 170402

22 Matsukevich D N, Chaneliere T, Jenkins S D, et al. Entanglement of remote atomic qubits. Phys Rev Lett, 2006, 96: 030405

23 Man Z X, Xia Y J, Nguyen B A. Entanglement measure and dynamics of multiqubit systems: Non-Markovian versus Markovian and generalized monogamy relations. New J Phys, 2010, 12: 033020-1–17