A general scheme for information interception in the ping pong protocol

The existence of an undetectable eavesdropping of dense coded information has been already demonstrated by Paviˇci´c for the quantum direct communication based on the ping-pong paradigm. However, a) the explicit scheme of the circuit is only given and no design rules are provided, b) the existence of losses is implicitly assumed, c) the attack has been formulated against qubit based protocol only and it is not clear whether it can be adapted to higher dimensional systems. These deﬁciencies are removed in the presented contribution. A new generic eavesdropping scheme built on a ﬁrm theoretical background is proposed. In contrast to the previous approach, it does not refer to the properties of the vacuum state, so it is fully consistent with the absence of losses assumption. Moreover, the scheme applies to the communication paradigm based on signal particles of any dimensionality. It is also shown that some well known attacks are special cases of the proposed scheme.


I. INTRODUCTION
Quantum direct communication (QDC) aims at provision of confidentiality without resorting to classic encryption. This is in contrast to quantum key distribution (QKD) technique, as no shared key is established and quantum resources take over its role. In QDC, similarly to QKD, its is assumed that legitimate parties can communicate over open and authenticated classic channel.
The roots of QDC can be traced out to the QKD protocol of Long and Liu [1] that, after slight modification proposed as the two-step protocol [2], can be considered the first protocol of this kind. The ping-pong protocol [3] is another QDC scheme which is easier to implement at the price of lesser security margin and capacity. These initial works exploited the entanglement of EPR pairs to protect transmission of sensitive information. Ideas of these proposals have been further adapted to higher dimensional systems [4][5][6][7] and/or modified to enhance capacity via dense coding [8,9]. The entanglement is a very fragile quantum resource and its handling is technically challenging. This motivated the work towards exploiting quantum uncertainty, a resource used by most QKD protocols. The first single-photon QDC protocol proposed by Deng and Long [10] has been recently demonstrated experimentally [11]. The LM05 protocol [12] is the other worth noting proposal of this kind. The history of the development and the review of the early QDC proposals can be found in [13].
QDC protocols offer different level of security which usually results from the trade off between practical feasibility and type of quantum resources available to communicating parties. QDC protocols which process particles in blocks [2,4] can be parametrized in such a way that probability of revealing sensitive information is arbitrarily small. However, they assume that legitimate parties have long term quantum memory. Protocols that process particles individually are quasi secure [13][14][15]. Quasi security means, that before eavesdropping detection, which is inevitable for long sequences, part of the sensitive information may be revealed to the eavesdropper. QDC is a more versatile cryptographic primitive than QKD. In fact, QDC protocols can be used as engines for key agreement. Any key agreement protocol executed in a private channel provided by a QDC protocol offering unconditional security has security comparable with QKD. Also quasi secure QDC protocols can realize unconditionally secure QKD. However, in this case QDC phase delivers shared sequence that is partially known to the eavesdropper. By the appropriate postprocessing i.e., privacy amplification, the eavesdropper's knowledge on the resulting sequence can be reduced to arbitrary small value provided that his information on the initial sequence is less that mutual information of the legitimate parties. The realization of the QKD via QDC can be potentially more efficient as the basis reconciliation step, that severely plaques efficiency of many QKD protocols, can be avoided [16][17][18]. Protocols of this type are referred as deterministic QKD and some of them have been recently experimentally demonstrated [19,20]. This paper is devoted to the analysis of the (in)security of the ping-pong protocol -an entanglement based QDC scheme [3]. Quasi security is provided only for perfect quantum channels [14] and the scheme becomes insecure when losses [21] and/or communication errors and imperfection of devices are taken into account [22]. Protocol offers capacity of single bit per protocol cycle because the authenticity of the shared EPR pair is verified only by a measurement in a single basis. This limits the available encoding to phase flips. Possible capacity enhancement via dense coding leads to undetectable information leakage as demonstrated in [2] and usage of mutually unbiased bases in control measurements is required to preserve quasi security of the communication [8]. In our previous work we have proved that this observation also holds for the qudit based protocol and that detection probability depends on the number of bases used in the control mode [7,23]. Anyway, no explicit attack transformation has been given in the aforementioned papers. The present contribution is motivated by the appearance of the circuit [24] (further it will be referred as P-circuit) capable to undetectable intercept information transmitted in the qubit based ping-pong protocol with the following configuration: quantum channel is perfect, legitimate parties use single basis for control measurements, information is dense coded. In other words -the instantiation of the attack forecast in [2]. Although P-circuit is applicable to perfect channels, it assumes the appearance of the vacuum states in the eavesdropper's ancilla. In consequence, it does not well fit to the existing analyses. Shortly after its appearance, a control mode that address detection of this specific circuit has been proposed [25].
We propose a generic scheme for construction of attacks that permit undetectable eavesdropping under the same assumptions: quantum channel is perfect, control measurements are executed in a single basis, sensitive information is dense coded. Thus our contribution can be considered as the generalization of the result given in [24]. The presented method is applicable to systems of any dimension so it can be used to construct a plethora of new transforms. Using introduced generalization we also demonstrate the equivalence of the attack from [24] and CNOT operation. In consequence, we claim that there is no need for construction of specific control modes as in [25], because any control mode able to detect CNOT operation is also able to detect circuit proposed in [24]. We do not propose the attack that is undetectable by control measurements in unbiased bases. In fact, we think that the opposite is true -control measurements in mutually unbiased bases are sufficient to statistically detect coherence break of the shared entangled state and, that way, reveal the presence of the eavesdropper [23].
The paper is organized as follows. In Section 2 we provide notation and concepts used in the text. Section 3 presents the main contribution. In particular we provide a general bit-flip detection scheme, demonstrate its equivalence with the existing approaches and introduce an attack on the qudit-based protocol. In Section 4 we summarize the presented work.

II. PRELIMINARIES
A. Ping-Pong protocol Communication protocol described below is a ping-pong paradigm variant analysed in [24]. Compared to the seminal version [3], it differs only on the encoding operation -the sender uses dense coding instead of phase flips. The remaining elements of the communication scenario are left intact.
Bob starts the communication process by creation of EPR pair [28]  Then he sends one of the qubits, further referred to as the signal/travel qubit, to Alice. Alice can in principle encode two classic bits µ, ν applying unitary transformation are bit-flip and phase-flip operations, respectively. The signal particle is sent back to Bob, who detects applied transformation by a collective measurement of both qubits (FIG. 1).
Passive eavesdropping is impossible. Eve has access only to the travel qubit which before and after encoding looks like maximally mixed state. Unfortunately, the described communication scenario is vulnerable to the intercept-resend attack and Alice have to check whether the received qubit is genuine. As a countermeasure, Alice measures the received qubit in computational basis (|0 , |1 ) in randomly selected protocol cycles and asks Bob over authenticated classic channel to do the same with his qubit (FIG. 2). Her measurement causes the collapse of the shared state (1). The perfect (anti)correlation of the outcomes is preserved only if the qubit measured by Alice is the same one that was sent by Bob. If Eve inserts fake qubit then measured qubits are no longer correlated and some discrepancies, that are the sign of the eavesdropping, do occur. That way Alice and Bob can convince themselves with confidence approaching certainty that the quantum channel is not spoofed, provided that they have executed a sufficient number of control cycles.
However, the intercept-resend attack is not the only possible way of active sensitive information interception. The signal particle that travels forth and back between legitimate parties can be the subject of any quantum action introduced by Eve (FIG. 3). Introduced coupling causes that encoding operation also modifies Eve's ancilla state and Eve hopes to detect decipher Alice's actions by its inspection. Actions of Eve, not necessarily unitary in the affected qubit's space, can be described as unitary operation Q acting in the space extended with two additional qubits, as follows from Stinespring's dilation theorem. The control state shared by legitimate parties then takes the form where |χ E is some initial state of Eve's ancilla. Eve presence is detected with probability where projection P ht depends on initial state and the considered case it is defined as  (2)].

B. Pavičić attack
Pavičić's attack demonstrates the violation of ping-pong protocol security when dense coding is used. The attack does not introduce errors nor losses in control and message mode and it permits eavesdropping information encoded as bit flip operation.
The P-circuit presented by Pavičić (FIG. 4) is a result of a cut and try procedure [24, section IV] applied to the Wójcik's circuit [21]. It is is composed of two Hadamard gates followed by the controlled polarization beam splitter (CP BS), which is a generalization of the polarization beam splitter (P BS) concept. The P BS is a two port gate that swaps horizontally polarized photons |0 x (|0 y ) entering its input to the other port |0 y (|0 x ) on output while vertically polarized ones |1 x (|1 y ) retain in their port |1 x (|1 y ) i.e.: where |v denotes the vacuum state. The CP BS behaves as normal P BS if control qubit is set to |0 t . The roles of horizontal and vertical polarization are exchanged for control qubit set to |1 t : Initially Eve's ancilla is initialized to the state |χ 0 = |v x |0 y . The action of the P-circuit from FIG. 4 is then described by the following formulas For the purpose of future analysis, let us also identify actions of the circuit under consideration onto the state |χ 1 = |0 x |v y : The control state (2) after entangling with Eve's ancilla reads This state is further used by Alice and Bob for eavesdropping check. It is clear from (3) that attack does not introduce errors nor losses in control mode and the expected correlation of outcomes is preserved in the computational basis.
Phase flip.: The phase flip encoding applied to the coupled state leads to The signal qubit is then sent back to Bob who, after disentangling on a basis of (7), observes Bit flip.: The bit flip operation transforms Alice's state to The system state after disentangling can be deduced from (8): In both cases i.e., phase flip and bit flip encodings, the signalling subsystem behaves as if there was no coupling with the ancilla. However, Alice's bit flip encoding modifies Eve's register (|χ 0 → |χ 1 ). The states |χ 0 and |χ 1 are orthogonal and perfectly distinguishable. In consequence Eve can eavesdrop bit flip operations without introducing errors and losses in message mode as well.

III. RESULTS
This section is devoted to the analysis of the general form of the incoherent attack shown diagrammatically in FIG. 3. Each cycle of the protocol is considered to be independent on the other ones. Consequently, the effectiveness of the attack is expressed in a fraction of eavesdropped bits per communication cycle. Throughout the analysis it is also assumed that legitimate parties rely on control mode used in the seminal version of the protocol. They locally measure possessed particles in the computational basis and verify expected correlation via the public discussion over authenticated classic channel.

A. Generic bit-flip detection scheme for qubit based protocol
As the control mode explores outcomes of local measurements in computational basis for intrusion detection, the map Q has to be of trivial form to not induce errors and/or losses in control cycles. It follows, that under attack, Alice operates on the state Let the entangling transformation Q additionally satisfies for some state |φ E = |χ E . The process of information encoding and disentangling from the ancilla is then described by the expressions: As a result, the registers used for signalling are left untouched and decoupled but the Eve's register is flipped from |χ E to |φ E when Alice applies bit-flip operation. In consequence, Eve can successfully decode a half of the message content provided that the detection states |χ E , |φ E are perfectly distinguishable. It follows that any unitary coupling transformation Q that satisfies (14) and (16) can be used for bit flip detection.

B. Equivalence of P and CNOT circuits
The properties of the above generic scheme and the P-circuit [24] perfectly coincide. As follows from (7) and (8), the states |χ 0 = |v x |0 y and |χ 1 = |0 x |v y play the role of detection states |χ E and |φ E , respectively. It is also clear that transformation Q txy has properties claimed in (14) and (16). Thus the P-circuit can be considered as an instance of the generic scheme described in section III A.
However, the operator Q satisfying (14) and (16) can be realized in many ways. It seems that CNOT operation acting on a single qubit of Eve's ancilla: x is the simplest realization of the logic behind the attack. Such version is also practically feasible as the attacks involving probes entangled via the CNOT operation have been already proposed in the QKD context [26,27]. As a result, both, the CNOT and P circuits are equivalent in terms of provided information gain, detectability and practical feasibility. Consequently, there is no need for the design of control modes that address P-circuit in a special manner [25].
C. An attack on qudit based protocol The P-circuit has no straightforward generalization to qudit based version of the protocol. In contrast, the presented approach can be adapted with ease. Let Bob start communication process with creation of EPR pair where D is the qudit dimension. The travel qudit is then sent to Alice for encoding or control measurement. In control mode, the home and travel qubits are measured in the computational basis so the projection P ht used in control equation (3) takes the form Let, by an analogy to the qubit case, |α be the sets of D orthonormal states of the ancilla system. These states will be further referred to as detection and probe states, respectively. The map used by Eve must be of the form to not introduce errors in control measurements. Let us additionally postulate that Q satisfies i.e., Q advances index k positions in a set of Eve's probe states. Similarly, Q −1 backwards index k positions: Let us recall that for qudits Alice uses to encode classic µ, ν "cdits" in the following way Under attack Alice applies encoding (24) to the state coupled according to the rule (20) The travel qubit is affected by Q −1 in its way back to Bob The expression in curly braces is an exactly the state that Bob expects to receive when there is no Eve (see (24)), so eavesdropping also does not affect the message. At the same time, the initial state of the ancilla is moved µ positions within the set of detection states. As a result, Eve can unambiguously identify the value of cdit µ as long as the detection states are mutually orthogonal.
The C X (Controlled X ) gate seems to be the simplest instance of the attack paradigm. Let the detection and probe sets of states be the elements of the computational basis (|α = |m E ) and the ancilla is composed of the single qudit register. The attack operation Q can be then implemented as In obvious way the requirements (21) regarding properties of the Q are then fulfilled. The existence of attacks able to undetectably eavesdrop half of the dense coded information has been already forecast in relation to qubit [2], qutrit [6] and qudit [23] based protocol. However, no explicit form of the attack transformation has been given. Presented result fills this gap in and provides some general guidelines how to construct a coupling transformation with desired properties.

D. Control mode able to detect bit-flip eavesdropping
The insecurity of the considered protocol results from inability to detect coupling Q ht with the control measurements in a single basis. Let us consider a qubit based protocol from section II A with control mode enhanced to measurements in two bases -namely computational basis and its dual basis i.e., eigenvectors of X gate. In the new control mode, Alice randomly selects measurement basis, performs measurement and asks Bob to make local measurement in the same basis. The control state (9) in the absence of coupling takes the form where |± = (|0 ± |1 )/ √ 2 are eigenvectors of X . It follows that legitimate parties expect anticorrelation (correlation) of outcomes in the computational (dual) basis. Under attack undetectable in the computational basis (14), the control equation (15) takes the following form in the dual basis Alice measurement causes the collapse to one of the states in the curly braces. It follows that Bob can obtain ±1 outcome with equal probability, what in turns renders Eve detectability. If control bases are selected with equal probability then bit-flip attack is detected with p det = 1/4. The above qualitative discussion addresses bit-flip attack. The more advanced discussion on the properties of control modes based on mutually unbiased bases and in relation to attacks of any form can be found in [23].

IV. CONCLUSION
A generic scheme that provides undetectable eavesdropping of bit-flip operations in the seminal version of the pingpong protocol is introduced. It can be considered as a generalization of the P-circuit [24], but in contrast, it is deduced from the very basic properties of the coupling transformation. Moreover, the proposed scheme can be realized without referring to the vacuum states so it is fully consistent with the absence of losses assumption. The CNOT gate and P-circuit are special cases of the introduced scheme so both approaches are equivalent. It follows, that any control mode able to detect CNOT coupling is also able to detect the presence of the P-circuit. The control mode based on local measurements in randomly selected unbiased bases is an example of such procedure. Consequently, there is no need of special addressing of P-circuit in the security analyses. Also, the introduced scheme can be adapted to higher dimensional systems. It can be considered as the constructive proof of the existence of attacks forecast in [2,6,23].