**2.2 Quantum secure direct communication**

The next method of information security based on quantum technologies is the usage of *quantum secure direct communication (QSDC) protocols* (Boström & Felbinger, 2002; Chuan et al., 2005; Cai, 2004; Cai & Li, 2004a; Cai & Li, 2004b; Deng et al., 2003; Vasiliu, 2011; Wang et al., 2005a, 2005b). The main feature of QSDC protocols is that there are no cryptographic transformations; thus, there is no key distribution problem in QSDC. In these protocols, a secret message is coded by qubits' (qudits') – quantum states, which are sent via quantum channel. QSDC protocols can be divided into several types:


There are QSDC protocols for two parties and for multi-parties, e.g. broadcasting or when one user sends message to another under the control of a trusted third party.

Most contemporary protocols require a transfer of qubits by blocks (Chuan et al., 2005; Wang et al., 2005). This allows eavesdropping to be detected in the quantum channel before transfer of information. Thus, transfer will be terminated and Eve will not obtain any secret information. But for storing such blocks of qubits there is a need for a large amount of quantum memory. The technology of quantum memory is actively being developed, but it is still far from usage in common standard telecommunication equipment. So from the viewpoint of technical realisation, protocols using single qubits or their non-large groups (for one cycle of protocol) have an advantage. There are few such protocols and they have only asymptotic security, i.e. the attack will be detected with high probability, but Eve can obtain some part of information before detection. Thus, the problem of privacy amplification appears. In other words, new pre-processing methods of

Quantum Secure Telecommunication Systems 219

( ) ( ) ( ) <sup>2</sup>

( ) ( ) ( ) <sup>2</sup>

1 1 16 1 .

For the protocol with GHZ-triplets a density matrix size is 16х16, and а number of nonzero eigenvalues is equal to eight. At symmetrical attack their kind is (Vasiliu & Nikolaenko, 2009):

1 1 2 2 16 1 , 2 2 3 3

1 1 2 2 16 1 . 2 2 3 3

For the protocol with *n*-qubit GHZ-states, the number of nonzero eigenvalues of density matrix is equal to 2*<sup>n</sup>* , and their kind at symmetrical attack is (Vasiliu & Nikolaenko, 2009):

1 1 2 2 <sup>16</sup> <sup>1</sup> , 2 2 21 21

= +± + − ⋅ − − −

where *d* is probability of attack detection by legitimate users at one-time switching to control

The probability of that Eve will not be detected after *m* successful attacks and will gain

<sup>1</sup> , , , 1 1

max *d d* = are shown (Vasiliu & Nikolaenko, 2009). max *d* is maximum probability of attack

max 1 <sup>1</sup> 1 .

( ) ( )

*<sup>q</sup> sIqd q d*

= +± + − ⋅ − − −

2 2

*n n n n*

<sup>−</sup> <sup>=</sup> − − (5)

<sup>2</sup>*<sup>n</sup> <sup>d</sup>* <sup>−</sup> = − (6)

− −

*<sup>i</sup> <sup>p</sup>* <sup>−</sup> <sup>=</sup> , *q* = 0.5 and

− − − −

*n n n n*

2 2 <sup>2</sup>

0

*I I*

*p p p p pp d d* = +± + − ⋅ −

*p p p p pp d d* = +± + − ⋅ −

2 1,2 1 2 1 2 1 2 1 1

2 1,2 2 1 2 2 1 2 2 1 2 1 1 1 1 2 2 <sup>16</sup> <sup>1</sup> , 2 2 21 21 *nn n n n n n n*

information 0 *I mI* = is defined by the equation (Boström & Felbinger, 2002):

In fig. 2 dependences of *s I*( ) , , *q d* for several *n*, identical frequencies 2 *<sup>n</sup>*

−− − − − −

*p p p p pp d d*

*p p p p pp d d*

1 1 16 1 , 2 2

ρhave

(2)

(3)

(4)

For the protocol with Bell pairs and quantum superdence coding the density matrix

1,2 1 2 1 2 1 2

3,4 3 4 3 4 3 4

2 2

( ) ( )<sup>2</sup> 1,2 1 2 1 2 12

( ) ( )<sup>2</sup> 7,8 7 8 7 8 78

( ) ( )

( ) ( )

mode; *<sup>i</sup> p* are frequencies of *n*-grams in the transmitted message.

where *q* is a probability of switching to control mode.

detection at one-time run of control mode, defined as

= +± + − − *p p p p ppd d*

= +± + − − *p p p p ppd d*

size 4х4 and four nonzero eigenvalues:

λ

λ

λ

λ

λ

λ

transferring information are needed. Such methods should make intercepted information negligible.

One of the quantum secure direct communication protocols is the ping-pong protocol (Boström & Felbinger, 2002; Cai & Li, 2004b; Vasiliu, 2011), which does not require qubit transfer by blocks. In the first variant of this protocol, entangled pairs of qubits and two coding operations that allow the transmission of one bit of classical information for one cycle of the protocol are used (Boström & Felbinger, 2002). The usage of quantum superdense coding allows transmitting two bits for a cycle (Cai & Li, 2004b). The subsequent increase in the informational capacity of the protocol is possible by the usage instead of entangled pairs of qubits their triplets, quadruplets etc. in Greenberger-Horne-Zeilinger (GHZ) states (Vasiliu & Nikolaenko, 2009). The informational capacity of the ping-pong protocol with GHZ-states is equal to *n* bits on a cycle where *n* is the number of entangled qubits. Another way of increasing the informational capacity of ping-pong protocol is using entangled states of qudits. Thus, the corresponding protocol based on Bell's states of threelevel quantum system (qutrit) pairs and superdense coding for qutrits is introduced (Wang et al., 2005; Vasiliu, 2011).

The advantages of QSDC protocols are a lack of secret key distribution, the possibility of data transfer between more than two parties, and the possibility of attack detection providing a high level of information security (up to information-theoretic security) for the protocols using block transfer. The main disadvantages are difficulty in practical realisation of protocols using entangled states (and especially protocols using entangled states for *d*level quantum systems), slow transfer rate, the need for large capacity quantum memory for all parties (for protocols using block transfer of qubits), and the asymptotic security of the ping-pong protocol. Besides, QSDC protocols similarly to QKD protocols is vulnerable to man-in-the-middle attack, although such attack can be neutralized by using authentication of all messages, which are sent via the classical channel.

Asymptotic security of the ping-pong protocol (which is one of the simplest QSDC protocols from the technical viewpoint) can be amplified by using methods of classical cryptography. Security of several types of ping-pong protocols using qubits and qutrits against different attacks was investigated in series of papers (Boström & Felbinger, 2002; Cai, 2004; Vasiliu, 2011; Vasiliu & Nikolaenko, 2009; Zhang et al., 2005a).

The security of the ping-pong protocol using qubits against eavesdropping attack using ancilla states is investigated in (Boström & Felbinger, 2002; Chuan et al., 2005; Vasiliu & Nikolaenko, 2009).

Eve's information at attack with usage of auxiliary quantum systems (probes) on the pingpong protocol with entangled *n*-qubit GHZ-states is defined by von Neumann entropy (Boström & Felbinger, 2002):

$$I\_0 = S(\rho) \equiv -Tr\left\{\rho \log\_2 \rho\right\} = -\sum\_i \mathcal{A}\_i \log\_2 \mathcal{A}\_i \tag{1}$$

where λ*<sup>i</sup>* are the density matrix eigenvalues for the composite quantum system "transmitted qubits - Eve's probe".

transferring information are needed. Such methods should make intercepted information

One of the quantum secure direct communication protocols is the ping-pong protocol (Boström & Felbinger, 2002; Cai & Li, 2004b; Vasiliu, 2011), which does not require qubit transfer by blocks. In the first variant of this protocol, entangled pairs of qubits and two coding operations that allow the transmission of one bit of classical information for one cycle of the protocol are used (Boström & Felbinger, 2002). The usage of quantum superdense coding allows transmitting two bits for a cycle (Cai & Li, 2004b). The subsequent increase in the informational capacity of the protocol is possible by the usage instead of entangled pairs of qubits their triplets, quadruplets etc. in Greenberger-Horne-Zeilinger (GHZ) states (Vasiliu & Nikolaenko, 2009). The informational capacity of the ping-pong protocol with GHZ-states is equal to *n* bits on a cycle where *n* is the number of entangled qubits. Another way of increasing the informational capacity of ping-pong protocol is using entangled states of qudits. Thus, the corresponding protocol based on Bell's states of threelevel quantum system (qutrit) pairs and superdense coding for qutrits is introduced (Wang

The advantages of QSDC protocols are a lack of secret key distribution, the possibility of data transfer between more than two parties, and the possibility of attack detection providing a high level of information security (up to information-theoretic security) for the protocols using block transfer. The main disadvantages are difficulty in practical realisation of protocols using entangled states (and especially protocols using entangled states for *d*level quantum systems), slow transfer rate, the need for large capacity quantum memory for all parties (for protocols using block transfer of qubits), and the asymptotic security of the ping-pong protocol. Besides, QSDC protocols similarly to QKD protocols is vulnerable to man-in-the-middle attack, although such attack can be neutralized by using authentication

Asymptotic security of the ping-pong protocol (which is one of the simplest QSDC protocols from the technical viewpoint) can be amplified by using methods of classical cryptography. Security of several types of ping-pong protocols using qubits and qutrits against different attacks was investigated in series of papers (Boström & Felbinger, 2002; Cai, 2004; Vasiliu,

The security of the ping-pong protocol using qubits against eavesdropping attack using ancilla states is investigated in (Boström & Felbinger, 2002; Chuan et al., 2005; Vasiliu &

Eve's information at attack with usage of auxiliary quantum systems (probes) on the pingpong protocol with entangled *n*-qubit GHZ-states is defined by von Neumann entropy

0 22 ( ) { log } *i i* log

 ρρ

*i*

λ

 λ

(1)

= −

*<sup>i</sup>* are the density matrix eigenvalues for the composite quantum system

negligible.

et al., 2005; Vasiliu, 2011).

Nikolaenko, 2009).

λ

where

(Boström & Felbinger, 2002):

"transmitted qubits - Eve's probe".

of all messages, which are sent via the classical channel.

2011; Vasiliu & Nikolaenko, 2009; Zhang et al., 2005a).

*I S Tr* = ≡− ρ

For the protocol with Bell pairs and quantum superdence coding the density matrix ρ have size 4х4 and four nonzero eigenvalues:

$$\begin{aligned} \mathcal{A}\_{1,2} &= \frac{1}{2} (p\_1 + p\_2) \pm \frac{1}{2} \sqrt{\left(p\_1 + p\_2\right)^2 - 16p\_1 p\_2 d \left(1 - d\right)},\\ \mathcal{A}\_{3,4} &= \frac{1}{2} (p\_3 + p\_4) \pm \frac{1}{2} \sqrt{\left(p\_3 + p\_4\right)^2 - 16p\_3 p\_4 d \left(1 - d\right)}. \end{aligned} \tag{2}$$

For the protocol with GHZ-triplets a density matrix size is 16х16, and а number of nonzero eigenvalues is equal to eight. At symmetrical attack their kind is (Vasiliu & Nikolaenko, 2009):

$$\begin{split} \mathcal{A}\_{1,2} &= \frac{1}{2} (p\_1 + p\_2) \pm \frac{1}{2} \sqrt{\left(p\_1 + p\_2\right)^2 - 16p\_1p\_2 \cdot \frac{2}{3}d\left(1 - \frac{2}{3}d\right)}, \\ \mathcal{A}\_{7,8} &= \frac{1}{2} (p\_7 + p\_8) \pm \frac{1}{2} \sqrt{\left(p\_7 + p\_8\right)^2 - 16p\_7p\_8 \cdot \frac{2}{3}d\left(1 - \frac{2}{3}d\right)}. \end{split} \tag{3}$$

For the protocol with *n*-qubit GHZ-states, the number of nonzero eigenvalues of density matrix is equal to 2*<sup>n</sup>* , and their kind at symmetrical attack is (Vasiliu & Nikolaenko, 2009):

$$\begin{split} \lambda\_{1,2} = \frac{1}{2} (p\_1 + p\_2) \pm \frac{1}{2} \sqrt{\left(p\_1 + p\_2\right)^2 - 16p\_1 p\_2 \cdot \frac{2^{n-2}}{2^{n-1} - 1} d \left(1 - \frac{2^{n-2}}{2^{n-1} - 1} d\right)}, \\ \lambda\_{2^{n-1},2^{n}} = \frac{1}{2} (p\_{2^{n}-1} + p\_{2^{n}}) \pm \frac{1}{2} \sqrt{\left(p\_{2^{n}-1} + p\_{2^{n}}\right)^2 - 16p\_{2^{n}-1} p\_{2^{n}} \cdot \frac{2^{n-2}}{2^{n-1} - 1} d \left(1 - \frac{2^{n-2}}{2^{n-1} - 1} d\right)}, \end{split} \tag{4}$$

where *d* is probability of attack detection by legitimate users at one-time switching to control mode; *<sup>i</sup> p* are frequencies of *n*-grams in the transmitted message.

The probability of that Eve will not be detected after *m* successful attacks and will gain information 0 *I mI* = is defined by the equation (Boström & Felbinger, 2002):

$$\text{res}\left(I, q, d\right) = \left(\frac{1 - q}{1 - q\left(1 - d\right)}\right)^{\|I\|\_0},\tag{5}$$

where *q* is a probability of switching to control mode.

In fig. 2 dependences of *s I*( ) , , *q d* for several *n*, identical frequencies 2 *<sup>n</sup> <sup>i</sup> <sup>p</sup>* <sup>−</sup> <sup>=</sup> , *q* = 0.5 and max *d d* = are shown (Vasiliu & Nikolaenko, 2009). max *d* is maximum probability of attack detection at one-time run of control mode, defined as

$$d\_{\text{max}} = 1 - \frac{1}{2^{n-1}}.\tag{6}$$

Quantum Secure Telecommunication Systems 221

Let's mark that described procedure is not message enciphering, and can be named inverse hashing or hashing using two-way hash function, which role random invertible binary

It is necessary for each block to use individual matrix *Ki* which will allow to prevent cryptoanalytic attacks, similar to attacks to the Hill cipher, which are possible there at a multiple usage of one matrix for enciphering of several blocks (Eve could perform similar attack if she was able before a detection of her operations in the quantum channel to intercept several blocks, that are hashing with the same matrix). As matrices in this case are not a key and they can be transmitted on the open classical channel, the transmission of the

Necessary length *r* of blocks for hashing and accordingly necessary size *r r* × of hashing matrices should correspond to a requirement *r* > *I*, where *І* is the information which is gained by Eve. Thus, it is necessary for determination of *r* to calculate *І* at the given values

<sup>0</sup> . <sup>1</sup> lg 1 (1 )

n q = 0,5; max *d d* = q = 0,5; max *d d* = 2 q = 0,25; max *d d* = q = 0,25; max *d d* = 2

Table 1. Eve's information *I* at attack on the ping - pong protocol with *n*-qubit GHZ-states at

*q q d* <sup>−</sup> <sup>=</sup> <sup>−</sup> − −

(8)

*kI <sup>I</sup>*

2 69 113 180 313 3 74 122 186 330 4 88 145 216 387 5 105 173 254 458 6 123 204 297 537 7 142 236 341 620 8 161 268 387 706 9 180 302 434 793 10 200 335 481 881 11 220 369 529 970 12 240 403 577 1059 13 260 437 625 1149 14 279 471 673 1238 15 299 505 721 1328 16 319 539 769 1417 17 339 573 817 1507 18 359 607 865 1597 19 379 641 913 1686 20 399 675 961 1776

matrix acts.

of *n*, *s*, *q* and max *d d* = .

<sup>6</sup> *s* 10<sup>−</sup> = (bit).

Let's accept ( ) , , 10 *<sup>k</sup> sIqd* <sup>−</sup> = , then:

necessary number of matrices is not a problem.

The calculated values of *І* are shown in tab. 1:

At max *d d* = Eve gains the complete information about transmitted bits of the message. It is obvious from fig. 2 that the ping-pong protocol with many-qubit GHZ-states is asymptotically secure at any number *n* of qubits that are in entangled GHZ-states. A similar result for the ping-pong protocol using qutrit pairs is presented (Vasiliu, 2011).

A non-quantum method of security amplification for the ping-pong protocol is suggested in (Vasiliu & Nikolaenko, 2009; Korchenko et al., 2010c). Such method has been developed on the basis of a method of privacy amplification which is utilized in quantum key distribution protocols. In case of the ping-pong protocol this method can be some kind of analogy of the Hill cipher (Overbey et al., 2005).

Before the transmission Alice divides the binary message on *l* blocks of some fixed length *r*, we will designate these blocks as *<sup>i</sup> a* (*i*=1,…*l*). Then Alice generates for each block separately random invertible binary matrix *Ki* of size *r r* × and multiplies these matrices by appropriate blocks of the message (multiplication is performed by modulo 2):

Fig. 2. Composite probability of attack non-detection *s* for the ping-pong protocol with many-qubit GHZ-states: *n*=2, original protocol (1); *n*=2, with superdense coding (2); *n*=3 (3); *n*=5 (4); *n*=10 (5); *n*=16 (6). *I* is Eve's information.

Blocks *<sup>i</sup> b* are transmitted on the quantum channel with the use of the ping-pong protocol. Even if Eve, remained undetected, manages to intercept one (or more) from these blocks and without knowledge of used matrices *Ki* Eve won't be able to reconstruct source blocks *<sup>i</sup> a* . To reach a sufficient security level the block length *r* and accordingly the size of matrices *Ki* should be selected so that Eve's undetection probability *s* after transmission of *one* block would be insignificant small. Matrices *Ki* are transmitted to Bob via usual (non-quantum) open authentic channel after the end of quantum transmission but only in the event when Alice and Bob were convinced lack of eavesdropping. Then Bob inverses the received matrices and having multiplied them on appropriate blocks *<sup>i</sup> b* he gains an original message.

At max *d d* = Eve gains the complete information about transmitted bits of the message. It is obvious from fig. 2 that the ping-pong protocol with many-qubit GHZ-states is asymptotically secure at any number *n* of qubits that are in entangled GHZ-states. A similar

A non-quantum method of security amplification for the ping-pong protocol is suggested in (Vasiliu & Nikolaenko, 2009; Korchenko et al., 2010c). Such method has been developed on the basis of a method of privacy amplification which is utilized in quantum key distribution protocols. In case of the ping-pong protocol this method can be some kind of analogy of the

Before the transmission Alice divides the binary message on *l* blocks of some fixed length *r*, we will designate these blocks as *<sup>i</sup> a* (*i*=1,…*l*). Then Alice generates for each block separately random invertible binary matrix *Ki* of size *r r* × and multiplies these matrices by

. *i ii b Ka* = (7)

result for the ping-pong protocol using qutrit pairs is presented (Vasiliu, 2011).

appropriate blocks of the message (multiplication is performed by modulo 2):

Fig. 2. Composite probability of attack non-detection *s* for the ping-pong protocol with many-qubit GHZ-states: *n*=2, original protocol (1); *n*=2, with superdense coding (2); *n*=3 (3);

Blocks *<sup>i</sup> b* are transmitted on the quantum channel with the use of the ping-pong protocol. Even if Eve, remained undetected, manages to intercept one (or more) from these blocks and without knowledge of used matrices *Ki* Eve won't be able to reconstruct source blocks *<sup>i</sup> a* . To reach a sufficient security level the block length *r* and accordingly the size of matrices *Ki* should be selected so that Eve's undetection probability *s* after transmission of *one* block would be insignificant small. Matrices *Ki* are transmitted to Bob via usual (non-quantum) open authentic channel after the end of quantum transmission but only in the event when Alice and Bob were convinced lack of eavesdropping. Then Bob inverses the received matrices and having multiplied them on appropriate blocks *<sup>i</sup> b* he gains an original message.

*n*=5 (4); *n*=10 (5); *n*=16 (6). *I* is Eve's information.

Hill cipher (Overbey et al., 2005).

Let's mark that described procedure is not message enciphering, and can be named inverse hashing or hashing using two-way hash function, which role random invertible binary matrix acts.

It is necessary for each block to use individual matrix *Ki* which will allow to prevent cryptoanalytic attacks, similar to attacks to the Hill cipher, which are possible there at a multiple usage of one matrix for enciphering of several blocks (Eve could perform similar attack if she was able before a detection of her operations in the quantum channel to intercept several blocks, that are hashing with the same matrix). As matrices in this case are not a key and they can be transmitted on the open classical channel, the transmission of the necessary number of matrices is not a problem.

Necessary length *r* of blocks for hashing and accordingly necessary size *r r* × of hashing matrices should correspond to a requirement *r* > *I*, where *І* is the information which is gained by Eve. Thus, it is necessary for determination of *r* to calculate *І* at the given values of *n*, *s*, *q* and max *d d* = .

Let's accept ( ) , , 10 *<sup>k</sup> sIqd* <sup>−</sup> = , then:

$$I = \frac{-kI\_0}{\lg\left(\frac{1-q}{1-q(1-d)}\right)}.\tag{8}$$

The calculated values of *І* are shown in tab. 1:


Table 1. Eve's information *I* at attack on the ping - pong protocol with *n*-qubit GHZ-states at <sup>6</sup> *s* 10<sup>−</sup> = (bit).

Quantum Secure Telecommunication Systems 223

For the intruder who hasn't a key, this qubit likes qubit in maximal mixed state (the rotation can be interpreted as quantum Vernam cipher). In the next stage Alice uses random

others qubits of codeword for simulating some level of noise in quantum channel. Next, she sent a codeword to Bob. For correct untwirl operation Bob use the shared secret key and

The security of this protocol depends on the security of previous key distribution procedure. When key distribution has information-theoretic security, and using information qubit twirl (equivalent to quantum Vernam cipher) all scheme can have information-theoretic security. It is known the information-theoretic security is provided by QKD protocols. But if an intruder continuously monitors the channel for a long time and he has a precise channel characteristics, in the final he discovers that Alice transmits information to Bob on quantum stegoprotocol. In addition, using quantum measurements of transmitted qubit states, an

*<sup>z</sup>* for this qubit by determining a concrete

σ

*<sup>z</sup>* ) to some part of

σ *<sup>x</sup>* , σ*<sup>y</sup>* or

σ *<sup>x</sup>* , σ *<sup>y</sup>* or σ

intruder can cancel information transmitting (Denial of Service attack).

Thus, in the present three basis methods of quantum steganography are proposed:

Fig. 3. The scheme of quantum stegoprotocol: *С –* qubit of codeword, *I –* information qubit,

The last method is the most promising direction of quantum steganography and also hiding using quantum error-correcting codes has some prospect in the future practice

*–* qubit, to which Alice applies Pauli operator (qubit that

σ

depolarization mistakes (using the same Pauli operators

then he uses a key again to find information qubit.

2. Hiding using quantum error-correcting codes; 3. Hiding in the data formats, protocols etc.

qubit operators (Pauli operators) *І*,

1. Hiding in the quantum noise;

*T –* twirled information qubit,

simulate a noise).

implementation.

operation using two current key bits.

Thus, after transfer of hashed block, the lengths of which are presented in tab. 1, the probability of attack non-detection will be equal to 10-6; there is thus a very high probability that this attack will be detected. The main disadvantage of the ping-pong protocol, namely its asymptotic security against eavesdropping attack using ancilla states, is therefore removed.

There are some others attacks on the ping-pong protocol, e.g. attack which can be performed when the protocol is executed in quantum channel with noise (Zhang, 2005a) or Trojan horse attack (Gisin et al., 2002). But there are some counteraction methods to these attacks (Boström & Felbinger, 2008). Thus, we can say that the ping-pong protocol (the security of which is amplified using method described above) is the most prospective QSDC protocol from the viewpoint of the existing development level of the quantum technology of information processing.

#### **2.3 Quantum steganography**

Quantum steganography aims to hide the fact of information transferral similar to classical steganography. Most current models of quantum steganography systems use entangled states. For example, modified methods of entangled photon pair detection are used to hide the fact of information transfer in patent (Conti et al., 2004).

A simple quantum steganographic protocol (stegoprotocol) with using four qubit entangled Bell states:

$$\begin{aligned} \left| \boldsymbol{\phi}^{+} \right\rangle &= \frac{1}{\sqrt{2}} \left( \left| 0 \right\rangle\_1 \left| 0 \right\rangle\_2 + \left| 1 \right\rangle\_1 \left| 1 \right\rangle\_2 \right), \left| \boldsymbol{\phi}^{-} \right\rangle = \frac{1}{\sqrt{2}} \left( \left| 0 \right\rangle\_1 \left| 0 \right\rangle\_2 - \left| 1 \right\rangle\_1 \left| 1 \right\rangle\_2 \right), \\ \left| \boldsymbol{\nu}^{+} \right\rangle &= \frac{1}{\sqrt{2}} \left( \left| 0 \right\rangle\_1 \left| 1 \right\rangle\_2 + \left| 1 \right\rangle\_1 \left| 0 \right\rangle\_2 \right), \left| \boldsymbol{\nu}^{-} \right\rangle = \frac{1}{\sqrt{2}} \left( \left| 0 \right\rangle\_1 \left| 1 \right\rangle\_2 - \left| 1 \right\rangle\_1 \left| 0 \right\rangle\_2 \right), \end{aligned} \tag{9}$$

was proposed (Terhal et al., 2005). In this protocol *n* Bell states, including all four states (9) with equal probability is divided between two legitimate users (Alice and Bob) by third part (Trent). For all states the first qubit is sent to Alice and second to Bob. The secret bit is coded in the number of *m* singlet states ψ<sup>−</sup> in the sequence of *n* states: even *m* represents "0" and odd represents "1". Alice and Bob perform local measurements each on own qubits and calculate the number of singlet states ψ<sup>−</sup> . That's why in this protocol Trent can secretly transmit information to Alice and Bob simultaneously.

Shaw & Brun proposed another one quantum stegoprotocol (Shaw & Brun, 2010). In this protocol the information qubit is hidden inside the error-correcting code. Thus, for intruder the qubits transmission via quantum channel looks like a normal quantum information transmission in the noise channel. For information qubit detection the receiver (Bob) must have a shared secret key with sender (Alice), which must be distributed before stegoprotocol starting. In the fig.3 the scheme of protocol proposed by Shaw & Brun is shown. Alice hides information qubit changing its places with qubit in her quantum codeword. She uses her secret key to determine which qubit in codeword must be replaced. Next, Alice uses key again to twirl (rotate) information qubit. This means that Alice uses one of the four single

Thus, after transfer of hashed block, the lengths of which are presented in tab. 1, the probability of attack non-detection will be equal to 10-6; there is thus a very high probability that this attack will be detected. The main disadvantage of the ping-pong protocol, namely its asymptotic security against eavesdropping attack using ancilla states, is therefore

There are some others attacks on the ping-pong protocol, e.g. attack which can be performed when the protocol is executed in quantum channel with noise (Zhang, 2005a) or Trojan horse attack (Gisin et al., 2002). But there are some counteraction methods to these attacks (Boström & Felbinger, 2008). Thus, we can say that the ping-pong protocol (the security of which is amplified using method described above) is the most prospective QSDC protocol from the viewpoint of the existing development level of the quantum technology of

Quantum steganography aims to hide the fact of information transferral similar to classical steganography. Most current models of quantum steganography systems use entangled states. For example, modified methods of entangled photon pair detection are used to hide

A simple quantum steganographic protocol (stegoprotocol) with using four qubit entangled

<sup>+</sup> = + , ( ) 12 12

<sup>+</sup> = + , ( ) 12 12

ψ

was proposed (Terhal et al., 2005). In this protocol *n* Bell states, including all four states (9) with equal probability is divided between two legitimate users (Alice and Bob) by third part (Trent). For all states the first qubit is sent to Alice and second to Bob. The secret bit is coded

odd represents "1". Alice and Bob perform local measurements each on own qubits and

Shaw & Brun proposed another one quantum stegoprotocol (Shaw & Brun, 2010). In this protocol the information qubit is hidden inside the error-correcting code. Thus, for intruder the qubits transmission via quantum channel looks like a normal quantum information transmission in the noise channel. For information qubit detection the receiver (Bob) must have a shared secret key with sender (Alice), which must be distributed before stegoprotocol starting. In the fig.3 the scheme of protocol proposed by Shaw & Brun is shown. Alice hides information qubit changing its places with qubit in her quantum codeword. She uses her secret key to determine which qubit in codeword must be replaced. Next, Alice uses key again to twirl (rotate) information qubit. This means that Alice uses one of the four single

φ

<sup>1</sup> 00 11

<sup>1</sup> 01 10

<sup>−</sup> in the sequence of *n* states: even *m* represents "0" and

<sup>−</sup> . That's why in this protocol Trent can secretly

(9)

<sup>−</sup> = − ,

<sup>−</sup> = − ,

2

2

removed.

Bell states:

information processing.

**2.3 Quantum steganography** 

φ

ψ

in the number of *m* singlet states

calculate the number of singlet states

the fact of information transfer in patent (Conti et al., 2004).

2

2

transmit information to Alice and Bob simultaneously.

( ) 12 12 <sup>1</sup> 00 11

( ) 12 12 <sup>1</sup> 01 10

ψ

ψ

qubit operators (Pauli operators) *І*, σ *<sup>x</sup>* , σ *<sup>y</sup>* or σ *<sup>z</sup>* for this qubit by determining a concrete operation using two current key bits.

For the intruder who hasn't a key, this qubit likes qubit in maximal mixed state (the rotation can be interpreted as quantum Vernam cipher). In the next stage Alice uses random depolarization mistakes (using the same Pauli operators σ *<sup>x</sup>* , σ *<sup>y</sup>* or σ *<sup>z</sup>* ) to some part of others qubits of codeword for simulating some level of noise in quantum channel. Next, she sent a codeword to Bob. For correct untwirl operation Bob use the shared secret key and then he uses a key again to find information qubit.

The security of this protocol depends on the security of previous key distribution procedure. When key distribution has information-theoretic security, and using information qubit twirl (equivalent to quantum Vernam cipher) all scheme can have information-theoretic security. It is known the information-theoretic security is provided by QKD protocols. But if an intruder continuously monitors the channel for a long time and he has a precise channel characteristics, in the final he discovers that Alice transmits information to Bob on quantum stegoprotocol. In addition, using quantum measurements of transmitted qubit states, an intruder can cancel information transmitting (Denial of Service attack).

Thus, in the present three basis methods of quantum steganography are proposed:


Fig. 3. The scheme of quantum stegoprotocol: *С –* qubit of codeword, *I –* information qubit, *T –* twirled information qubit, σ *–* qubit, to which Alice applies Pauli operator (qubit that simulate a noise).

The last method is the most promising direction of quantum steganography and also hiding using quantum error-correcting codes has some prospect in the future practice implementation.

Quantum Secure Telecommunication Systems 225

effect and by the impossibility of cloning quantum states (Wooters & Zurek, 1982). The complexity of practical implementation is the most important imperfection of QSC (Hirota &

*Quantum digital signature (QDS)* can be implemented on the basis of protocols such as QDS protocols using single qubits (Wang et al., 2006) and QDS protocols using entangled states (authentic QDS based on quantum GHZ-correlations) (Wen & Liu, 2005). QDS is based on use of the quantum one-way function (Gottesman & Chuang, 2001). This function has better security than the classical one-way function, and it has information-theoretic security (its security does not depend on the power of the attacker's equipment). Quantum one-way function is defined by the following properties of quantum systems (Gottesman & Chuang,

2. We can get only a limited quantity of classical information from quantum states according to the *Holevo theorem* (Holevo, 1977). Calculation and validation are not

In the systems that use QDS, user identification and integrity of information is provided similar to classical digital signature (Gottesman & Chuang, 2001). The main advantages of QDS protocols are information-theoretic security and simplified key distribution system. The main disadvantage is the possibility to generate a limited number of public key copies and the leak of some quantities of information about incoming data of quantum one-way

Fig. 4 represents a general scheme of the methods of quantum secure telecommunication

The world's first commercial quantum cryptography solution was *QPN Security Gateway (QPN-8505)* (QPN Security Gateway, 2011) proposed by *MagiQ Technologies (USA).* This system (fig. 5 a) is a cost-effective information security solution for governmental and financial organisations. It proposes VPN protection using QKD (up to 100 256-bit keys per second, up to 140 km) and integrated encryption. The QPN-8505 system uses BB84, 3DES

The Swiss company *Id Quantique* (Cerberis, 2011) offers a systems called *Clavis2* (fig. 5 b) and *Cerberis*. Clavis2 uses a proprietary auto-compensating optical platform, which features outstanding stability and interference contrast, guaranteeing low quantum bit error rate. Secure key exchange becomes possible up to 100 km. This optical platform is well documented in scientific publications and has been extensively tested and characterized. Cerberis is a server with automatic creation and secret key exchange over a fibre channel (FC-1G, FC-2G and FC-4G). This system can transmit cryptographic keys up to 50 km and carries out 12 parallel cryptographic calculations. The latter substantially improves the system's performance. The Cerberis system uses AES (256-bits) for encryption and BB84 and

function (unlike the ideal classical one-way function) (Gottesman & Chuang, 2001).

systems construction for their purposes and for using some quantum technologies.

**2.5 Review of commercial quantum secure telecommunication systems** 

1. Qubits can exist in superposition "0" and "1" unlike classical bits.

difficult but inverse calculation is impossible.

(NIST, 1999) and AES (NIST, 2001) protocols.

• Future-proof security.

SARG04 protocols for quantum key distribution. Main features:

Kurosawa, 2006).

2001):

It should be noted that theoretical research in quantum steganography has not reached the level of practical application yet, and it is very difficult to talk about the advantages and disadvantages of quantum steganography systems. Whether quantum steganography is superior to the classical one or not in practical use is still an open question (Imai & Hayashi, 2006).

#### **2.4 Others technologies for quantum secure telecommunication systems construction**

*Quantum secret sharing (QSS).* Most QSS protocols use properties of entangled states. The first QSS protocol was proposed by *Hillery, Buzek* and *Berthiaume* in 1998 (Hillery et al., 1998; Qin et al., 2007). This protocol uses GHZ-triplets (quadruplets) similar to some QSDC protocols. The sender shares his message between two (three) parties and only cooperation allows them to read this message. Semi-quantum secret sharing protocol using GHZ-triplets (quadruplets) was proposed by Li et al. (Li et al., 2009). In this protocol, users that receive a shared message have access to the quantum channel. But they are limited by some set of operation and are called "classical", meaning they are not able to prepare entangled states and perform any quantum operations or measurements. These users can measure qubits on a "classical" { 0 ,1 } basis, reordering the qubits (via proper delay measurements), preparing (fresh) qubits in the classical basis, and sending or returning the qubits without disturbance. The sending party can perform any quantum operations. This protocol prevails over others QSS protocols in economic terms. Its equipment is cheaper because expensive devices for preparing and measuring (in GHZ-basis) many-qubit entangled states are not required. Semi-quantum secret sharing protocol exists in two variants: randomisation-based and measurement-resend protocols. Zhang et al. has been presented QSS using single qubits that are prepared in two mutually unbiased bases and transferred by blocks (Zhang et al., 2005b). Similar to the Hillery-Buzek-Berthiaume protocol, this allows sharing a message between two (or more) parties. The security improvement of this protocol against malicious acts of legitimate users is proposed (Deng et al., 2005). A similar protocol for multiparty secret sharing also is presented (Yan et al., 2008). QSS protocols are protected against external attackers and unfair actions of the protocol's parties. Both quantum and semi-quantum schemes allow detecting eavesdropping and do not require encryption unlike the classical secret-sharing schemes. The most significant imperfection of QSS protocols is the necessity for large quantum memory that is outside the capabilities of modern technologies today.

*Quantum stream cipher (QSC)* provides data encryption similar to classical stream cipher, but it uses quantum noise effect (Hirota et al., 2005) and can be used in optical telecommunication networks. QSC is based on the *Yuen-2000 protocol (Y-00,* αη *- scheme).* Information-theoretic security of the Y-00 protocol is ensured by randomisation (based on quantum noise) and additional computational schemes (Nair & Yuen, 2007; Yuen, 2001). In a number of papers (Corndorf et al., 2005; Hirota & Kurosawa, 2006; Nair & Yuen, 2007) the high encryption rate of the Y-00 protocol is demonstrated experimentally, and a security analysis on the Yuen-2000 protocol against the fast correlation attack, the typical attack on stream ciphers, is presented (Hirota & Kurosawa, 2006). The next advantage is better security compared with usual (classical) stream cipher. This is achieved by quantum noise

It should be noted that theoretical research in quantum steganography has not reached the level of practical application yet, and it is very difficult to talk about the advantages and disadvantages of quantum steganography systems. Whether quantum steganography is superior to the classical one or not in practical use is still an open question (Imai & Hayashi,

*Quantum secret sharing (QSS).* Most QSS protocols use properties of entangled states. The first QSS protocol was proposed by *Hillery, Buzek* and *Berthiaume* in 1998 (Hillery et al., 1998; Qin et al., 2007). This protocol uses GHZ-triplets (quadruplets) similar to some QSDC protocols. The sender shares his message between two (three) parties and only cooperation allows them to read this message. Semi-quantum secret sharing protocol using GHZ-triplets (quadruplets) was proposed by Li et al. (Li et al., 2009). In this protocol, users that receive a shared message have access to the quantum channel. But they are limited by some set of operation and are called "classical", meaning they are not able to prepare entangled states and perform any quantum operations or measurements. These users can measure qubits on a "classical" { 0 ,1 } basis, reordering the qubits (via proper delay measurements), preparing (fresh) qubits in the classical basis, and sending or returning the qubits without disturbance. The sending party can perform any quantum operations. This protocol prevails over others QSS protocols in economic terms. Its equipment is cheaper because expensive devices for preparing and measuring (in GHZ-basis) many-qubit entangled states are not required. Semi-quantum secret sharing protocol exists in two variants: randomisation-based and measurement-resend protocols. Zhang et al. has been presented QSS using single qubits that are prepared in two mutually unbiased bases and transferred by blocks (Zhang et al., 2005b). Similar to the Hillery-Buzek-Berthiaume protocol, this allows sharing a message between two (or more) parties. The security improvement of this protocol against malicious acts of legitimate users is proposed (Deng et al., 2005). A similar protocol for multiparty secret sharing also is presented (Yan et al., 2008). QSS protocols are protected against external attackers and unfair actions of the protocol's parties. Both quantum and semi-quantum schemes allow detecting eavesdropping and do not require encryption unlike the classical secret-sharing schemes. The most significant imperfection of QSS protocols is the necessity for large quantum memory that is outside the

*Quantum stream cipher (QSC)* provides data encryption similar to classical stream cipher, but it uses quantum noise effect (Hirota et al., 2005) and can be used in optical

Information-theoretic security of the Y-00 protocol is ensured by randomisation (based on quantum noise) and additional computational schemes (Nair & Yuen, 2007; Yuen, 2001). In a number of papers (Corndorf et al., 2005; Hirota & Kurosawa, 2006; Nair & Yuen, 2007) the high encryption rate of the Y-00 protocol is demonstrated experimentally, and a security analysis on the Yuen-2000 protocol against the fast correlation attack, the typical attack on stream ciphers, is presented (Hirota & Kurosawa, 2006). The next advantage is better security compared with usual (classical) stream cipher. This is achieved by quantum noise

αη

*- scheme).*

telecommunication networks. QSC is based on the *Yuen-2000 protocol (Y-00,* 

**2.4 Others technologies for quantum secure telecommunication systems** 

2006).

**construction** 

capabilities of modern technologies today.

effect and by the impossibility of cloning quantum states (Wooters & Zurek, 1982). The complexity of practical implementation is the most important imperfection of QSC (Hirota & Kurosawa, 2006).

*Quantum digital signature (QDS)* can be implemented on the basis of protocols such as QDS protocols using single qubits (Wang et al., 2006) and QDS protocols using entangled states (authentic QDS based on quantum GHZ-correlations) (Wen & Liu, 2005). QDS is based on use of the quantum one-way function (Gottesman & Chuang, 2001). This function has better security than the classical one-way function, and it has information-theoretic security (its security does not depend on the power of the attacker's equipment). Quantum one-way function is defined by the following properties of quantum systems (Gottesman & Chuang, 2001):


In the systems that use QDS, user identification and integrity of information is provided similar to classical digital signature (Gottesman & Chuang, 2001). The main advantages of QDS protocols are information-theoretic security and simplified key distribution system. The main disadvantage is the possibility to generate a limited number of public key copies and the leak of some quantities of information about incoming data of quantum one-way function (unlike the ideal classical one-way function) (Gottesman & Chuang, 2001).

Fig. 4 represents a general scheme of the methods of quantum secure telecommunication systems construction for their purposes and for using some quantum technologies.
