sign in sign up
<<
Home , Secret sharing

The Journal of Systems and Software 83 (2010) 1801–1804

Contents lists available at ScienceDirect The Journal of Systems and Software

journal homepage: www.elsevier.com/locate/jss

Multi-party covert communication with and quantum secret sharing

Xin Liao a,∗, Qiao-yan Wen a, Ying Sun a, Jie Zhang b a State Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China b School of Science, Beijing University of Posts and Telecommunications, Beijing 100876, China article info abstract

Article history: In this paper, we address the “multi-party covert communication”, a stronger notion of security than stan- Received 19 January 2010 dard secure multi-party communication. Multi-party covert communication guarantees that the process Received in revised form 21 April 2010 of it cannot be observed. We propose a scheme for steganographic communication based on a channel Accepted 24 April 2010 hidden within quantum secret sharing (QSS). According to our knowledge nobody has ever raised the Available online 15 June 2010 scheme, providing us the motivation for this work. To an outside observer, participants will engage in a typical instance of QSS, just like the others. But when the session is over, covert multi-party commu- Keywords: nication has already been done. Further analysis shows that the amount of hidden information one can Multi-party covert communication Steganography acquire is 0, even if either an outside observer guesses the covert communication is carrying on or a Quantum secret sharing dishonest participant is eavesdropping. © 2010 Elsevier Inc. All rights reserved.

1. Motivation • Scalability: many participants in different places can covertly complete this communication, and the computational complex- Suppose Alice, the leader of two spies, wants to assign an impor- ity does not increase obviously after adding one into the original. tant and secret mission to two spies, Bob and Charlie. Instead of assigning the whole mission to any individual, Alice has better to Steganography is primarily concerned for military or commer- distribute the mission in such a way that no one alone has access cial utilization and presents less risk because the existence of secret to it, while Bob and Charlie can reconstruct it cooperatively. All of data is concealed (Petitcolas et al., 1999; Wang and Wang, 2004). them want to conceal the communication, and the presence of the The primary contribution of this paper is to introduce a new appli- mission goes unnoticed by others. How can they carry out such a cation of steganograhy, and to show a way realizing MCC. The idea communication? of using steganography and quantum secret sharing in multi-party We call the above simple scenario “the spies’ problem”. In fact, it covert communication in this paper is recommendable. is a special case of multi-party covert communication (MCC), which Can multi-party covert communication be achieved by trivial com- is required to meet the following challenges: position of classical secret sharing with steganography? No. One steganographically encodes all messages of classical • Cooperativity: secrets are distributed among a group of partic- secret sharing, leading to a scheme in which no outside observer ipants, each allocated a share of secrets. Secrets can only be can determine whether it is running. But all classical reconstructed under the circumstances that all the shares are except for one-time pad are based on computational complex- combined together, and each participant barely knows his own ity assumptions, and the security is conditional (Vernam, 1926; part. Shannon, 1949). If an attacker guesses the covert communica- • Covertness: MCC would have good visual/statistical impercep- tion is underway, and the threat of computing power to classical tibility, and the presence has to be unnoticed by an outside cryptosystems increases gradually, the amount of acquired hidden observer. information will not be negligible anymore. Furthermore, how to • Security: an attacker should acquire hidden information as lit- determine whether an eavesdropper is active during the commu- tle as possible, even if he guesses the covert communication is nication is another problem. Recent advances in steganalysis have underway. also made conventional steganography much more detectable (Ker, 2005; Pevnu and Fridrich, 2005; Goljan et al., 2006; Ker, 2007). The representation of classical information by quantum states ∗ Corresponding author. is ideally suited for solving these above problems. Quantum states E-mail address: [email protected] (X. Liao). cannot be copied, and any attempt to obtain information from

0164-1212/$ – see front matter © 2010 Elsevier Inc. All rights reserved. doi:10.1016/j.jss.2010.04.076 1802 X. Liao et al. / The Journal of Systems and Software 83 (2010) 1801–1804 the original source always results in a detectable disturbance, so Table 1 participants can establish evidence that an eavesdropper is active, The measurement results of the states in the different basis. i.e., they can detect an eavesdropper’s presence. Recently, Martin States Z Basis X Basis

(2007a,b), Martin presented an interesting perspective for stegano- |0 0 0 with probability 1/2, graphic communication with (Bennett 1 with probability 1/2 and Brassard, 1984; Bennett et al., 1992). The amount of acquired |1 1 0 with probability 1/2, hidden information is very small even if an attacker guesses the 1 with probability 1/2 |+ 0 with probability 1/2, 0 covert communication is taking place. In this paper we propose a 1 with probability 1/2 multi-party covert communication scheme by elegantly integrat- |− 0 with probability 1/2, 1 ing steganography into quantum secret sharing (QSS) (Karlsson et 1 with probability 1/2 al., 1999; Hillery et al., 1999; Guo and Guo, 2003; Yang and Wen, 2008; Hao et al., 2010). Since only a few modifications are made to the original QSS scheme, the taking place of covert communication Bi and Ci in the Z basis (if li =0) or X basis (if li = 1), where cannot be observed. The cover object of our scheme is a current QSS bi ⊕ ci = ai. Table 2 summarizes the coding qubits in the cor- rather than digital media such as images, audio and video, so it is responding basis. For example, if li = 1 and ai = 0, Alice prepares secure against the current detection attack. Further analysis shows either Bi = Ci = |+ (bi = ci =0)or Bi = Ci = |− (bi = ci = 1) each that the amount of hidden information one can acquire is 0, even with probability 1/2. But she knows exactly which pair of qubits if either an outside observer guesses the covert communication is she prepares. She sends 2n-qubit strings B = (B1,B2, ···,B2n) underway or a dishonest participant eavesdrops. and C = (C1,C2, ···,C2n) to Bob and Charlie, respectively. The remainder of this paper is organized as follows. In Sec- (2) When both Bob and Charlie announce that they have received tion 2, quantum information (Nielsen and Chuang, 2000; Xu et al., their strings, Alice announces l. Bob and Charlie measure each 2009; Wang and Song, 2009) and Guo et al.’s QSS scheme (Guo qubit in the Z basis or X basis according to the corresponding and Guo, 2003) are introduced along with their interesting fea- bit value of l. tures. In Section 3, we propose a multi-party covert communication (3) Alice randomly selects n check bits in a. Bob and Charlie are scheme, where it takes full advantage of two different mechanisms: required to announce the measurement results of their corre- steganography and QSS, then analyze its security. Conclusions are sponding check qubits in B and C. drawn in the last section. (4) If Alice finds the number of agreed values is unacceptably few, she aborts this run and restarts from step 1. Otherwise, she 2. Preliminaries continues to the next step. (5) They perform information reconciliation and privacy ampli- 2.1. Quantum information fication to generate three m-bit keys ka, kb and kc from the remaining n bits. Alice, Bob and Charlie can obtain ka, kb and The bit is the fundamental concept of classical computation and kc separately, where ka = kb ⊕ kc. classical information. Quantum computation and quantum infor- mation are built upon an analogous concept: the quantum bit (qubit 3. Our proposed scheme for short). Just like a classical bit has a state (either 0 or 1), a qubit |  |  also has a state. Two possible states for a qubit are 0 and 1 , which 3.1. A novel multi-party covert communication scheme correspond to the states 0 and 1 for a classical bit. A qubit can exist |  |  in a continuum of state between 0 and 1 until it is measured, In this subsection, we present a novel multi-party covert com- such as munication scheme by elegantly integrating steganography into Guo et al.’s QSS. Every run except the first could covertly multi- =˛|0+ˇ|1 (1) party communicate 1-bit secret. Before the covert communication where ˛ and ˇ are two complex numbers satisfying |˛|2 + |ˇ|2 =1. takes place, they agree on two integers d (1 ≤ d ≤ n) and r ∈{0, 1} When a qubit is measured with a orthogonal basis, it only gives in advance. They don’t covertly communicate secret bits in the first “0” or “1” as the measurement result. An observer can specify run. In the j-th (j ≥ 2) run, Alice uses m-bit key ka = (k0,k1, ···,km−1) what they want to measure by specifying a basis. Two examples (ki ∈ {0,1}) generated in the previous run to update d and r: of basis are: the computation basis Z ={|0, |1} and the Hadamard r = km− (2) rotated basis X = {|+√, |−}. They are the only bases√ we care about in 1 this paper. |+ = (1/ 2)(|0+|1) and |− = (1/ 2)(|0−|1) cor-   m−2 respond to the states 0 and 1 for a classical bit. i d = ki × 2 mod n + 1 (3) When we measure a state described by the qubit | =˛|0+ i= ˇ|1 in the Z basis, we get either the result |0, with probability |˛|2, 0 |  |ˇ|2 or the result 1 , with probability . Table 1 summarizes the mea- We make a few modifications to Guo et al.’s QSS, so an outside |  |  |  |− surement results of the states 0 , 1 , + and in the Z basis and observer cannot be aware of the happening of covert communica- X basis, respectively. Throughout the paper, capital letters denote tion. qubits and lowercase letters denote classical bits. ⊕ represents the XOR operation. Table 2 The coding qubits in the corresponding basis. 2.2. Literature review l 01

In this subsection, we briefly describe Guo et al.’s QSS scheme, a 010 1 consisting of the following steps: bc 00 01 00 10 11 10 11 01 BC |0|0|0|1|+|+ |−|+ (1) Alice generates two random 2n-bit strings l = (l1,l2, ···,l2n) and |1|1|1|0 |−|− |+|− a = (a1,a2, ···,a2n). For each bit of l and a, she creates qubits X. Liao et al. / The Journal of Systems and Software 83 (2010) 1801–1804 1803

(1) Alice generates two random 2n-bit strings l = (l1,l2, ···,l2n) and by the aforementioned method. x = t − d = 5 − 3 = 2(mod7). The a = (a1,a2, ···,a2n). She randomly selects a “steganographic last check bit is v2, corresponding to ≤ q ≤ n bit” aq (1 2 ) whose value equals to the XOR result of  Alice’s secret bit s and r. B =|1|− ∗ |0|+ ∗ |1∗∗|0|0∗

aq = s ⊕ r (4) C =|1|+ ∗ |0|− ∗ |0∗∗|1|0∗ For each bit of l and a, she creates qubits Bi and Ci in the Z basis (if  li =0)orX basis (if li = 1), where bi ⊕ ci = ai. Alice sends 2n-qubit where the last check qubits are marked by “ ”. strings B = (B1,B2, ···,B2n) and C = (C1,C2, ···,C2n) to Bob and Charlie, respectively. 3.2. Security analysis (2) When both Bob and Charlie announce that they have received their strings, Alice announces l. Bob and Charlie measure each There are two different kinds of attackers: an outside observer qubit in the Z basis or X basis according to the corresponding Eve, who wants to eavesdrop on Alice’s secret without being bit value of l. detected, and a dishonest member of Bob–Charlie pair, who tries (3) In this step, Alice will select n check bits in a. The first n − 1 check to extract Alice’s secret without collaborating with the other one. bits from the 2n − 1 bits (aq is excluded from the original 2n bits) Without loss of generality, suppose the dishonest member is Bob*. are randomly selected, while the last one is chosen intention- Neither of them are able to acquire Alice’s secret, even if either ally. Suppose the remaining n + 1 bits are v = (v0, v1, v2, ···, vn) Eve guesses the covert communication is underway or Bob* eaves- and the “steganographic bit” is vt (i.e. aq in a). The last check bit drops. vx is chosen such that x = (t − d)mod(n + 1) (5) 3.2.1. An outside observer Eve To outside observers, our scheme appears indistinguishable Bob and Charlie are required to announce the measurement from the original QSS scheme. Since d appears random, no cor- results of their corresponding check qubits in B and C. relation exists between the last check bit and the “steganographic (4) If Alice finds the number of agreed values is unacceptably few, bit”. Outsiders are not capable of observing the happening of covert she aborts this run and restarts from step 1. Otherwise, she communication. continues to the next step. Assuming the worst that Eve guesses the covert communication (5) They perform information reconciliation and privacy ampli- is taking place, now we calculate the leaking out amount of Alice’s fication to generate three m-bit keys ka, kb and kc from the secret to Eve. remaining n bits. Alice, Bob and Charlie can obtain ka, kb and Eve obtains the value of the qubit with probability 3/4 when kc separately, where ka = kb ⊕ kc. she measures it in a randomly chosen basis. On the other hand, she has to guess the value of the qubit when she dose not measure Alice’s secret bit s can be obtained by Bob and Charlie cooper- it. If ˛ is the proportion of particles that Eve measures during the atively. They first reconstruct ka by their separated keys kb and kc, transmission from Alice to Bob, the probability that Eve knows the then obtain r and d by Eqs. (2) and (3). The correct location of the value of the qubit is “steganographic bit” vt can be derived by 3 1 ˛ 1 p = × ˛ + × (1 − ˛) = + (8) t = (x + d)mod(n + 1) (6) 4 2 4 2 where x is announced in step 3. They implement the operation Eve guesses the correct location of the “steganographic bit” and cooperatively. obtains the value, with probability 1/n × p. When Eve guesses the wrong location, she has the same value in the incorrect location as s = b ⊕ c ⊕ r q q (7) Alice does in the correct location with probability (1 − 1/n) × (1/2). It should be emphasized that Bob and Charlie have stored b and The probability that Eve obtains the value of bq is q   cq, respectively. In fact, quantum memory, shown available in the 1 1 1 ˛ 1 Pb = × p + 1 − × = + (9) present experimental technique (Guo and Guo, 2003), is required n n 2 4n 2 to store 2n-qubit strings B and C by Bob and Charlie. Bob and Charlie can hold their strings until Alice announces the string L. For simplicity, suppose the proportion of particles Eve measures Here is a simple example. The twelve-bit strings l and a (n =6) during two transmissions are equal. Eve obtains the value of cq with are supposed to be 011010010001 and 010011101101, and Alice’s the same probability Pc = Pb. The probability that Eve knows aq is secret bit s = 0. Suppose five-bit key k (m = 5) generated in the pre- a 1 ˛2 vious run is 01111, then r = 1 and d = 3. Alice randomly selects the Pa = Pb × Pc + (1 − Pb) × (1 − Pc) = + (10) 2 8n2 “steganographic bit”: 010011101101, where the bit marked in bold face denotes the “steganographic bit”. She creates the strings: Eve knows nothing about r, so the probability that Eve knows the value of Alice’s secret bit s is B =|1|−|−|0|+|1|1|−|0|0|0|+ 1 1 1 P = Pa × + (1 − Pa) × = (11) Eve 2 2 2 C =|1|+|−|0|−|0|0|−|1|1|0|− Therefore Eve knows nothing about Alice’s secret. During the checking procedure, Alice randomly selects five check We have implicitly assumed that Eve attacks Bob and Charlie bits at first: 01 ∗ 01 ∗ 1 ∗∗10∗, corresponding to individually. But it is necessary to consider the coherent attack, B =|1|− ∗ |0|+ ∗ |1∗∗|0|0∗ and the worst case of coherent attack can be viewed as a dishonest participant’s attack.

C =|1|+ ∗ |0|− ∗ |0∗∗|1|0∗ 3.2.2. A dishonest participant Bob* where five check (qu)bits are denoted by “∗”. The remaining seven A more serious threat is that from a dishonest participant Bob*, bits are v0v1v2v3v4v5v6 = 0101110. Alice selects the last check bit who obtains the value of aq if he knows cq. The probability that Bob* 1804 X. Liao et al. / The Journal of Systems and Software 83 (2010) 1801–1804 obtains the value of aq is References ˇ ∗ 1 Bennett, C.H., Brassard, G., 1984. Quantum : public-key distribution Pa = + (12) 2 4n and coin tossing. In: Proceedings of the IEEE International Conference on Com- ˇ puters, Systems and Signal Processing, pp. 175–179. where is the proportion of particles that Bob* measures during Bennett, C.H., Brassard, G., Mermin, N.D., 1992. without the transmission from Alice to Charlie. Bob* knows nothing about Bell’s theorem. Physical Review Letters 68 (5), 557–559. r, so the probability that Bob* obtains the value of Alice’s secret bit Goljan, M., Fridrich, J., Holotyak, T., 2006. New blind steganalysis and its implica- tions. In: Proceedings of SPIE, Security, Steganography, and Watermarking of s is Multimedia Contents VI, pp. 1–13. ∗ 1 ∗ 1 1 Guo, G.P., Guo, G.C., 2003. Quantum secret sharing without entanglement. Physical P ∗ = P × + − P × = Bob a (1 a ) (13) Letters A 310 (4), 247–251. 2 2 2 Hao, L., Li, J.L., Long, G.L., 2010. Eavesdropping in a quantum secret sharing protocol Therefore Bob* knows nothing about Alice’s secret without the based on Grover algorithm and its solution. Science China Physics, Mechanics & cooperation of Charlie. Astronomy 53 (3), 491–495. Hillery, M., Buzek,ˇ V., Berthiaume, A., 1999. Quantum secret sharing. Physical Review Letter 59 (3), 1829–1834. 3.3. Discussion Karlsson, A., Koashi, M., Imoto, N., 1999. Quantum entanglement for secret sharing and secret splitting. Physical Review Letters 59 (1), 162–168. Ker, A.D., 2005. A general framework for the structural steganalysis of LSB replace- As stated above, our scheme satisfies the security requirement, ment. In: Proceedings of the Information Hiding Workshop. Springer LNCS, pp. described in Section 1. Now we will show that our scheme also 296–311. satisfies the other three requirements: cooperativity, covertness, Ker, A.D., 2007. Derivation of error distribution in least squares steganalysis. IEEE Transactions on Information Forensics and Security 2 (2), 140–148. and scalability. First, Alice’s secrets can only be reconstructed when Long, G.L., Liu, X.S., 2002. Theoretically efficient high-capacity quantum-key- the shares of Bob and Charlie are combined cooperatively. Sec- distribution scheme. Physical Review A 65, 032302. ondly, since only a few modifications are made to the original Martin, K., 2007a. Secure communication without . IEEE Security and Privacy 5 (2), 68–71. QSS scheme, and the cover object of our scheme is not digi- Martin, K., 2007b. Steganographic communication with quantum information. In: tal media, visual/statistical imperceptibility will be good and the Proceedings of the Information Hiding Workshop. Springer LNCS, pp. 32–49. covertness is guaranteed. Thirdly, the preparation of the single- Nielsen, M.A., Chuang, I.L., 2000. Quantum Computation and Quantum Information. Cambridge University Press. photon state is much easier than that of the entangled state. The Petitcolas, F., Anderson, R., Kuhn, M., 1999. Information hiding—a survey. Proceed- proposed scheme can be carried out only with the single-photon ings of the IEEE 87 (7), 1062–1078. state, turning out to be more experimentally realizable (especially Pevnu, T., Fridrich, J., 2005. Towards multi-class blind steganalyzer for JPEG images. inaccessible multi-party entangled states). More new players, more In: Proceedings of 4th International Workshop on Digital Watermarking, vol. 3710, pp. 39–53. adding single-photon states, but the computational complexity will Shannon, C.E., 1949. Communication theory of secret system. Bell System Technical not increase obviously. Journal 28, 656–715. In this paper, the block transmission technique is used, first Vernam, G.S., 1926. Cipher printing telegraph systems for secret wire and radio telegraphic communications. Journal of the American Institute for Electrical proposed by Long and Liu (2002) and subsequently used in many Engineers vol. 55, 109–115. protocols. In our scheme, blocks of 2n qubits are transmitted. The Wang, Y.H., Song, H.S., 2009. Preparation of multi-atom specially entangled W- strings B and C should not be sent out simultaneously. Otherwise, class state and splitting quantum information. Chinese Science Bulletin 54 (15), 2599–2605. the possible eavesdropper may gain more information (Guo and Wang, H., Wang, S., 2004. Cyber warfare: steganography vs. steganalysis. Commu- Guo, 2003). nication of the ACM 47 (10), 76–82. If participants want to use our scheme to covertly communicate Xu, F.X., Chen, W., Wang, S., et al., 2009. experiment on a robust hierarchical metropolitan quantum cryptography network. Chinese Science Bulletin 54 (17), multi-bit secrets, they have to run QSS repeatedly, might tipping 2991–2997. off an outside observer the existence of the covert communica- Yang, Y.G., Wen, Q.Y., 2008. Threshold quantum secret sharing between multi-party tion. However, it is significantly helpful to hide short and important and multi-party. Science in China Series G-Physics Mechanics Astron 51 (9), 1308–1315. secrets. It is not implausible that the repeated use of QSS would be the use of the one-time pad in classical cryptosystems, although Xin Liao received the BS degree in applied mathematics from Beijing University of the analogy is not perfect. Posts and Telecommunications, Beijing, China, in 2007. He is currently pursuing the PhD degree in cryptography from Beijing University of Posts and Telecom- munications, Beijing, China. His research interests include information hiding and 4. Conclusion cryptography. Qiao-yan Wen received the BS and MS degrees in mathematics from Shanxi Normal In this paper we propose a novel multi-party covert communi- University, Xi’an, China, in 1981 and 1984, respectively, and the PhD Degree in cryp- cation scheme, based on a steganographic channel hidden within a tography from Xidian University, Xi’an, China, in 1997. She is a professor of Beijing University of Posts and Telecommunications. Her present research interests include conventional QSS scheme. Since only a few modifications are made coding theory, cryptography, information security, security, and applied to the original scheme, the taking place of the covert communica- mathematics. She is the author of two books and more than 40 papers. tion cannot be observed. Even if either an outside observer guesses Ying Sun received the BS degree in applied mathematics from Beijing University the covert communication is carrying on or a dishonest member of Posts and Telecommunications, Beijing, China, in 2005. She is currently pursuing of participants is eavesdropping, it is proved that he gains nothing the Ph.D. degree in cryptography from Beijing University of Posts and Telecommu- about hidden information. Furthermore, it is secure against current nications, Beijing, China. Her research interests include quantum cryptography and quantum information. steganalysis techniques. Jie Zhang received the BS and MS degrees in mathematics from Hebei Normal Uni- versity in 1992 and 1995, respectively, and the PhD Degree in cryptography from Acknowledgments Beijing University of Posts and Telecommunications, Beijing, China, in 2005. Her research interests include boolean function and cryptography. This work is supported by National Natural Science Founda- tion of China (Grant Nos. 60873191, 60903152, 60821001), Beijing Natural Science Foundation (Grant No. 4072020).