Cryptanalysis and Improvement of Quantum Sealed-Bid Auction

Abstract

The security of previously proposed Quantum Sealed-bid Auction (QSA) protocols is analyzed. It is shown that there may be a malicious bidder to disrupt the auction that he sends a true bid to auctioneer and commits a fake bid to other bidders. Consequently, these honest bidders may mistakenly think the auctioneer is dishonest. To avoid this security flaw, we propose an improved protocol which can more perfectly meet the security of QSA.

Appendix

We design a new Quantum Secret Sharing (QSS) protocol to meet the QSA protocol proposed above. Suppose that the protocol consists of one secret distributor (Dick), and n participants (P₁, P₂, …, P_n). The secret distributor Dick wants to distribute a random m-bit secret to n participants, which is binary sequence and can be expressed as K_D. In addition, any participant can only get partial secret called sub-secret. When n participants put all sub-secrets together, the original secret will be recovered, but less than n participants cannot recover the original secret. The proposed QSS protocol consists of 9 Steps, which can be described in detail as follows:

• Step 1: According to the secret K_D, the secret distributor Dick prepares a sequence of ordered m single photons S_D, where the coding rules are as follows:

$$ 0\longleftrightarrow \mid \left.0\right\rangle\ \mathrm{or}\mid \left.+\right\rangle; 1\longleftrightarrow \mid \left.1\right\rangle\ \mathrm{or}\mid \left.-\right\rangle $$

(3)

Furthermore, Dick prepares p decoy photons to prevent the eavesdropping. And the state of each decoy photon is randomly selected from {| 0⟩, | 1⟩, | +⟩, | −⟩}. Then, Dick randomly inserts the p decoy photons into the sequence S_D to form a new one S, and Dick makes a record of the positions and initial states of these inserted photons, which are unknown to all participants. Finally, Dick sends the photon sequence S to the participants P_i for i = 1, 2, …, n, who is randomly chose by the secret distributor.

• Step 2: After confirming that he has received the sequence S, the participant P_i randomly selects a unitary operation U from {I, iσ_y} and then performs it on each photon of the sequence S. If U = I, the initial sub-secret correspinding to the photon is the classic bit 0. If U = iσ_y, the initial sub-secret correspinding to the photon is the classic bit 1. In this way, the participant P_i can get his initial sub-secret, expressed as SK_i. In addition, he can obtain a transformed photon sequence S^′. Furthermore, the participant P_i randomly selects another participant P_j and sends the transformed sequence S^′ to P_j through the quantum channel, where j ∈ {1, 2, …, n} and j ≠ i. Meanwhile, the participant P_i returns an 1-bit feedback information to Dick through the classical channel, indicating that he has obtained the corresponding initial sub-secret.

• Step 3: After receiving the transformed photon sequence S^′, the participant P_j judges whether it is the first time that the photon sequence is received. If it is, step 4 is executed; otherwise, step 5 or step 6 is executed randomly.

• Step 4: Similar to Step 2, the participant P_j performs a random unitary operation on each photon in the sequence S^′ to get initial sub-secret, expressed as SK_j, where the unitary operation U is randomly selected from {I, iσ_y}. Similarly, he can get the transformed photon sequence S^′′. Furthermore, the participant P_j randomly selects another participant P_l and sends the transformed sequence S^′′ to P_l through the quantum channel, where l ∈ {1, 2, …, n} and l ≠ j ≠ i. In addition, the participant P_j also needs to return an 1-bit feedback message to Dick through the classical channel.

• Step 5: The participant P_j already has the initial sub-secret SK_j, and he performs another random unitary operation U on each photon of the sequence S^′ to form a middle sub-secret \( {SK}_j^{\prime } \). And then, P_j can obtain an updated initial sub-secret through Eq. 4.

$$ {SK}_j^{\ast }={SK}_j\oplus {SK}_j^{\prime } $$

(4)

In addition, he can get another transformed photon sequence S^′′. Furthermore, the participant P_j randomly selects another participant P_l and sends the transformed sequence S^′′ to P_l through the quantum channel, where l ∈ {1, 2, …, n} and l ≠ j ≠ i.

• Step 6: Instead of performing another unitary operation, the participant P_j directly selects another participant P_l and then sends the transformed photon sequence S^′ to P_l, where l ∈ {1, 2, …, n} and l ≠ j ≠ i.

• Step 7: The participant P_l executes Step 4 again until the secret distributor Dick receives the 1-bit feedback messages of all n participants. After that, Dick broadcasts a classic message to inform that the participant with current single photon sequence S^∗ should send it back to him, where S^∗ denotes the photon sequence transformed by n participants.

• Step 8: After confirming that Dick has received the photon sequence S^∗, he announces the positions of all p decoy photons. Furthermore, n participants also announce the unitary operations in the corresponding positions. According to the initial states and unitary operations of these decoy photons, Dick computes the error rate and then compares it with the security threshold value of the communication channel. If the error rate exceeds the threshold value, the process will be aborted. Otherwise, Dick believes all participants are honest and the quantum channel is secure.

• Step 9: All participants remove these decoy photons from the initial sub-secrets, and they can obtain the final sub-secrets, which can be expressed as K₁, K₂, …, K_n. In addition, n participants can recover the m-bit secret K_D by the following formula:

$$ {K}_D={K}_1\oplus {K}_2\oplus \dots \oplus {K}_n $$

(5)

Furthermore, we analyze the security of our proposed QSS protocol. Since dishonest participants are easier to steal the useful information than external eavesdroppers, the primary security goal of QSS is to prevent dishonest participants from cheating. First, the current participant sends the photon sequence to the next participant, who is randomly chosen. Dishonest participants cannot know which one is the next one to be chosen, so they cannot get the unitary operations or sub-secrets of other participants. And then, the secret K_D of the distributor is restored by XOR operations by the sub-secrets of all participants. Thus, any less than n − 1 participants cannot recover the distributor’s secret without the sub-secrets of the remaining participants. Finally, there is eavesdropping detection procedure with the decoy photons to check the security of the protocol. If a malicious bidder wants to perform intercept-and-resend attack, he/she will be found because the states and positions of decoy photons are unknown to him/her.

Security

(1) The outsider attacks: The attacks usually have the following type of attacks: intercept-and-resend attack, double-CNOT attack, entangle-and-measure attack, etc. Similar to most QSS protocol schemes, in our protocol, the decoy photons can effectively prevent the outer eavesdroppers from stealing the secret. If there is an eavesdropper Eve who wants to get useful messages, she must remove these decoy photons without being found. In fact, this is impossible because the decoy photons are inserted randomly into the sequence and Eve does not know the positions and initial states of these decoy photons. Furthermore, if Eve wants to measure the photon sequence, the state of the decoy photons will be destroyed and she will be found.

(2) The collusion attacks: there are two common types of collusion attacks in most Quantum Secret Sharing protocols. One type is that the first participant (e.g., P₁) and the last participant (e.g., P_n) collude to obtain the aggregate sub-secrets of other participants. Another type is that the previous participant (e.g., P_i − 1) and the next participant (e.g., P_i + 1) collude to get the participant P_i’s sub-secret. Obviously our proposed protocol can resist these collusion attacks. On the one hand, the next participant is randomly selected when sending the photon sequence. On the other hand, the sub-secret of each participant is dynamically updated. Therefore, the collusion attacks are invalid for our QSS protocol.

Furthermore, our protocol has a low quantum consumption rate (i.e., the amount of qubits for every transmitted classic bit message). In addition, it only needs to perform one joint measurement to detect the eavesdropping, so the efficiency of proposed protocol is higher.