Improving the security of arbitrated quantum signature protocols

Zhiwei Sun, Ruigang Du, Bang-Hai Wang, and Dongyang Long
Department of Computer Science, Sun Yat-sen University, Guangzhou 510006, China

arXiv:1107.2459v2 [quant-ph] 18 Jul 2011

(Dated: July 19, 2011)

Arbitrated quantum signatures (AQS), for signing quantum messages, have been proposed. It was claimed that the AQS schemes could guarantee unconditional security. However, in this paper, we show that all the presented AQS protocols are insecure if quantum one-time pad encryption is used: the signer Alice can always successfully acquire Bob's secret key and disavow any of her signatures. The detailed attack strategies and security analysis are described. Furthermore, the original version of the protocols is revised and, accordingly, the security of the AQS protocols is improved. We also present a method to counter Alice's disavowal attack proposed by Gao et al. (arXiv:1106.4398v1).

I. INTRODUCTION

Digital signature schemes allow a signer Alice who has established a public key to sign a message in such a way that any other party who knows the public key can verify that the message originated from the signer and has not been modified in any way, and the signer cannot repudiate it later [1]. Digital signatures are commonly used for software distribution, financial transactions, and in other cases where it is important to detect forgery or tampering. However, digital signatures become increasingly vulnerable with more powerful quantum computation [2, 3], since their security is mostly based on the assumption of computational complexity. So, many scholars have begun to investigate quantum signatures, which are supposed to provide an alternative protocol with unconditional security. In 2002 Zeng and Keitel proposed an arbitrated quantum signature (AQS) which provides many merits, and they announced that unconditional security is ensured by using the correlation of Greenberger-Horne-Zeilinger (GHZ) triplet states and quantum one-time pads [4]. In 2009 Li et al. [5] presented an AQS scheme using Bell states, which reduces the complexity of implementation by using Bell states instead of GHZ states. Recently, Zou et al. further simplified this protocol, achieving AQS without entangled states [6]. Both of them still preserve the merits of Zeng et al.'s protocol. Very recently Gao et al. showed that these AQS protocols are not secure, and Bob can realize existential forgery of Alice's signature under known message attack [7].

In this brief report, we will show that the AQS scheme is completely insecure if the quantum one-time pad is used: Alice can always obtain Bob's secret key and disavow all her signatures successfully. Therefore, some improvements are provided to enable the AQS schemes to circumvent our presented attack.

The remainder of this brief report is organized as follows. In Sec. II, we analyze the security of the existing AQS protocols and present our attack. Then, in Sec. III, we construct an AQS scheme similar to the scheme in Ref. [6] which can prevent Alice from disavowing her signature. The technique can also be used to improve the AQS schemes using entangled states [4, 5]. Finally, we give our conclusion.

II. SECURITY ANALYSIS FOR ARBITRATED QUANTUM SIGNATURE SCHEMES

We first introduce the quantum one-time pad algorithm, which is helpful for understanding our attack strategies. Then the AQS protocol using Bell states [5] is described briefly, and its security analysis and improvement are presented. Finally, we take the AQS scheme without entangled states [6] as an example and give a general attack on arbitrated quantum signature schemes.

A. Quantum one-time pad algorithm

For convenience, $E_K$ denotes the quantum one-time pad (QOTP) encryption [9] and the key is $K \in \{0,1\}^*$, $|K| \ge 2n$. The QOTP encryption $E_K$ on the quantum message $|P\rangle = |p_1\rangle \otimes |p_2\rangle \otimes \cdots \otimes |p_n\rangle$ with $|p_i\rangle = \alpha_i|0\rangle + \beta_i|1\rangle$ can be described by

$$|C\rangle = E_K|P\rangle = \bigotimes_{i=1}^{n} \sigma_x^{K^{2i}} \sigma_z^{K^{2i-1}} |p_i\rangle, \tag{1}$$

where $K^j$ denotes the $j$th bit of $K$, and $\sigma_x$ and $\sigma_z$ are Pauli operations. The corresponding decryption $D_K$ is

$$D_K|C\rangle = \bigotimes_{i=1}^{n} \sigma_z^{K^{2i-1}} \sigma_x^{K^{2i}} |c_i\rangle, \tag{2}$$

where $|c_i\rangle$ denotes the $i$th qubit of the ciphertext $|C\rangle$.

B. AQS scheme using Bell states

The AQS protocol using Bell states [5] is as follows.

Initializing phase. Alice and Bob each share a key with the arbitrator through quantum key distribution protocols, i.e., $K_A$ and $K_B$ respectively, and they also share $n$ Bell states $|\phi^+\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)_{AB}$, where the subscripts $A$ and $B$ correspond to Alice and Bob, respectively.

Signing phase.

S1. Alice obtains three copies of the quantum message $|P\rangle = \otimes_{i=1}^{n} |p_i\rangle$ to be signed.

S2. Using the key $K_A$, Alice transforms one copy of $|P\rangle$ into $|R_A\rangle$, i.e., $|R_A\rangle = M_{K_A}|P\rangle$. We notice that $M_{K_A}$ denotes a unitary operator, and it is not clearly stated in the original paper [4] whether the operator is commutative or non-commutative with other quantum operators. In Ref. [10], the author gave an example to show how the quantum state $|R_A\rangle$ is generated by Alice,

$$|R_A\rangle = M_{K_A}|P\rangle = \bigotimes_{i=1}^{n} M_{K_A^i}|p_i\rangle = \bigotimes_{i=1}^{n} \sigma_x^{1 \oplus K_A^i} \sigma_z^{K_A^i} |p_i\rangle, \tag{3}$$

where $K_A^i$ is the $i$th bit of $K_A$, but it does not mean that Eq. (3) is the only format of $M_{K_A}$. The purpose of this example is to present a detailed mathematical formulation of generating the state $|R_A\rangle$. As Gao et al. have shown, if $M_{K_A}$ is commutative with other quantum operators, an existential forgery attack is possible [7]. So a non-commutative property should be included in $M_{K_A}$ [8].

S3. Alice combines each qubit in the second copy of $|P\rangle$ and the Bell state by carrying out a joint measurement on both states and obtains the three-particle entangled state

$$|\phi_i\rangle = |p_i\rangle \otimes |\phi_i^+\rangle = \frac{1}{2}\Big\{ |\phi^+\rangle_A (\alpha_i|0\rangle + \beta_i|1\rangle)_B + |\phi^-\rangle_A (\alpha_i|0\rangle - \beta_i|1\rangle)_B + |\psi^+\rangle_A (\alpha_i|1\rangle + \beta_i|0\rangle)_B + |\psi^-\rangle_A (\alpha_i|1\rangle - \beta_i|0\rangle)_B \Big\}, \tag{4}$$

where $|\phi^+\rangle_A$, $|\phi^-\rangle_A$, $|\psi^+\rangle_A$ and $|\psi^-\rangle_A$ are the four Bell states [11]. Then she implements a Bell measurement on each three-particle entangled state $|\phi_i\rangle$, obtaining the measurement result $|M_A\rangle = \otimes_{i=1}^{n} |M_A^i\rangle$, where $|M_A^i\rangle$ are random Bell states. The role of $|M_A\rangle$ is to help Bob retrieve the second copy of the message $|P\rangle$ by teleportation via the Bell states previously shared between them.

S4. Alice generates the signature $|S\rangle = E_{K_A}(|M_A\rangle, |R_A\rangle)$ of message $|P\rangle$ by encrypting $|M_A\rangle$ and $|R_A\rangle$ with the secret key $K_A$.

S5. Alice transmits the signature $|S\rangle$ and the third copy of message $|P\rangle$ to Bob.

Verifying phase.

V1. Bob encrypts $|S\rangle$ and $|P\rangle$ using the key $K_B$, obtaining $|Y_B\rangle = E_{K_B}(|S\rangle, |P\rangle)$, and sends it to the arbitrator.

V2. The arbitrator decrypts the received ciphertext $|Y_B\rangle$ with $K_B$ and $K_A$, getting $|M_A\rangle$, $|R_A\rangle$ and $|P\rangle$. Then the arbitrator sets the verification parameter $V = 1$ if $|R_A\rangle = M_{K_A}|P\rangle$; otherwise he sets $V = 0$. Quantum state comparison was discussed in detail in Ref. [5].

V3. The arbitrator can recover $|S\rangle$ and $|P\rangle$, as the compared states can be recovered after the comparison if they are indeed equal. As $|M_A\rangle$ are Bell states, they can be distinguished and replicated in many copies. Then he sends the encrypted results $|Y_{TB}\rangle = E_{K_B}(|M_A\rangle, |S\rangle, |P\rangle, V)$ to Bob.

V4. Bob decrypts the received $|Y_{TB}\rangle$ and judges whether $V = 1$. If not, he considers that the signature is forged and stops the protocol.

V5. According to $|M_A\rangle$, Bob can restore the second copy of $|P\rangle$ via teleportation by Alice. Then he compares it with the copy received from the arbitrator and accepts the signature when they are equal; otherwise he considers that the signature has been forged and rejects it.

C. Security analysis of the AQS scheme using Bell states

In 2010, Zou et al. pointed out that the AQS scheme using Bell states can be repudiated by the receiver Bob, and they improved the AQS scheme by using a public board to overcome this shortcoming. Only the following two things need to be done:

(1) In the signing phase, Alice first chooses a random number $r \in \{0,1\}^{2n}$ and transforms all $|P\rangle$ into secret qubit strings $|P'\rangle = E_r(|P\rangle)$. Then they use $|P'\rangle$ instead of $|P\rangle$ in all following steps.

(2) In the verifying phase, Bob informs Alice by the public board to publish $r$ after he has finished his verification. Then, Alice publishes $r$ by the public board. Finally, Bob gets back $|P\rangle$ from $|P'\rangle$ by $r$ and holds $(|S\rangle, r)$ as Alice's signature for the quantum message $|P\rangle$.

In Ref. [6], the authors also said that, in order to achieve a higher efficiency in transmission, they make the following improvement:

(3) In step V1, Bob does not send his measuring result $|M_A\rangle$ to the arbitrator, and the arbitrator need not send it back. In addition, the arbitrator informs Alice and Bob by the public board to abort the scheme if he finds the signature to be forged.

However, the authors only gave an efficiency analysis for the third improvement, and no security improvement was analyzed. In this brief report, we show the third improvement may be indispensable to the security of the AQS scheme using entangled states. And we show that the above AQS scheme using Bell states [5] may be completely insecure: Bob can obtain Alice's secret key $K_A$, so universal forgery is possible, which seriously violates Alice's interests; Alice also can get Bob's secret key $K_B$, so she can successfully disavow any message she ever signed.

Before our attack, we first need to know what $E_{K_A}|M_A\rangle$ is. In step S4 it is not clearly defined how $E_{K_A}|M_A\rangle$ is generated by Alice. But by the property of the one-time pad encryption, there are two possible ways to generate it. Case one is

$$E_{K_A}|M_A\rangle = \bigotimes_{i=1}^{n} \sigma_x^{K^{2i}} \sigma_z^{K^{2i-1}} \otimes I \, |M_A^i\rangle. \tag{5}$$

Case two is

$$E_{K_A}|M_A\rangle = \bigotimes_{i=1}^{n} \sigma_x^{K^{4i-2}} \sigma_z^{K^{4i-3}} \otimes \sigma_x^{K^{4i}} \sigma_z^{K^{4i-1}} \, |M_A^i\rangle. \tag{6}$$

Notice that the second case needs $|K| \ge 4n$. In the following analysis, we show that the AQS scheme using Bell states is insecure in case one. Case one is discussed as follows.

TABLE I. Relations of Alice's key $K_A$, $|M_A\rangle$ and $E_{K_A}|M_A\rangle$ for case one.

$$\begin{array}{c|cccc}
K_A \backslash |M_A\rangle & |\phi^+\rangle & |\phi^-\rangle & |\psi^+\rangle & |\psi^-\rangle \\
\hline
00 & |\phi^+\rangle & |\phi^-\rangle & |\psi^+\rangle & |\psi^-\rangle \\
01 & |\phi^-\rangle & |\phi^+\rangle & |\psi^-\rangle & |\psi^+\rangle \\
10 & |\psi^+\rangle & -|\psi^-\rangle & |\phi^+\rangle & -|\phi^-\rangle \\
11 & -|\psi^-\rangle & |\psi^+\rangle & -|\phi^-\rangle & |\phi^+\rangle
\end{array}$$

1. Bob's forgery for case one

As analyzed in Ref. [5], "if Bob attempts to counterfeit Alice's signature on his own benefit, he has to know Alice's secret key $K_A$. However, this is impossible due to the unconditionally secure quantum key distribution. Besides, the use of quantum one-time pad algorithm enhances the security". Unfortunately, Li's analysis is incorrect for the above AQS scheme, because Bob can obtain Alice's secret key $K_A$ after he receives $|Y_{TB}\rangle$ sent by the arbitrator. Bob decrypts the received $|Y_{TB}\rangle$ and obtains $|M_A\rangle$, $|S\rangle$, $|P\rangle$ and $|V\rangle$. According to the protocol, a valid signature of quantum message $|P\rangle$ should be in the form of

$$|S\rangle = E_{K_A}(|M_A\rangle, |R_A\rangle) = (E_{K_A}|M_A\rangle, E_{K_A}|R_A\rangle). \tag{7}$$

Knowing $E_{K_A}|M_A\rangle$ and $|M_A\rangle$, Bob can compute Alice's secret key $K_A$. For example, if $|M_A\rangle = |\phi^+\rangle$ and $E_{K_A}|M_A\rangle = |\psi^+\rangle$, the secret key $K_A = 10$. The relations of Alice's secret key $K_A$, $|M_A\rangle$ and $E_{K_A}|M_A\rangle$ are shown in Table I. As shown in Ref. [5], if Bob knows the key $K_A$, universal forgery of Alice's signature can be achieved. For example, suppose Bob wants to forge a valid signed quantum message $|P'\rangle = \otimes_{i=1}^{n} |p'\rangle$ of Alice, i.e., $(|P'\rangle, |S'\rangle)$, where $|p'\rangle = \alpha|0\rangle + \beta|1\rangle$. He randomly selects $|M'_A\rangle = \otimes_{i=1}^{n} |M_A^i\rangle$, where $|M_A^i\rangle$ are random Bell states (note that $|M'_A\rangle$ has no contributions for the arbitrator to resolve disputes). And the signature of $|P'\rangle$ is $|S'\rangle = E_{K_A}(|M'_A\rangle, M_{K_A}(|P'\rangle))$. If Bob says that it is the message Alice signed to him, the arbitrator will always stand on the side of Bob though Alice is greatly aggrieved, because $M_{K_A}(|P'\rangle)$ and $|P'\rangle$ always fulfill $M_{K_A}(|P'\rangle) = M_{K_A}(|P'\rangle)$.

2. Alice's disavowal for case one

Above we have shown that Bob can obtain Alice's secret key and forge Alice's signature for any message. In fact Alice can also get Bob's secret key $K_B$ and disavow any signature she has signed. Just as described above, when the arbitrator sends $|Y_{TB}\rangle$ to Bob in step V3, Alice intercepts it, where

$$|Y_{TB}\rangle = E_{K_B}(|M_A\rangle, |S\rangle, |P\rangle, V) = (E_{K_B}|M_A\rangle, E_{K_B}(|S\rangle, |P\rangle, V)). \tag{8}$$

Alice can deduce Bob's secret key $K_B$ from $E_{K_B}|M_A\rangle$ and $|M_A\rangle$, for which one can also refer to Table I. Then Alice can modify her signature so that the resulting signature $|S'\rangle$ is not a valid signature of message $|P\rangle$ any more. Alice sends $|Y'_{TB}\rangle = E_{K_B}(|M_A\rangle, |S'\rangle, |P\rangle, V)$ to Bob. Bob will accept this signature without noticing Alice's attack in steps V4 and V5. When a dispute appears, Bob requires the arbitrator to make a judgment by providing $(|P\rangle, |S'\rangle)$. Obviously the modified signature will not pass verification in step V2, and hence Alice successfully denies having signed the message.

Note that both $E_K|M_A\rangle$ and $|M_A\rangle$ are Bell states, which are distinguishable. If one party knows $|M_A\rangle$, he can learn the key $K$ exactly by measuring each state of $E_K|M_A\rangle$ in the Bell basis, which corresponds exactly to the superdense coding scheme [?]. This is the main reason why the AQS scheme using Bell states is susceptible to our attack. So some improvements should be considered against Bob's forgery and Alice's disavowal.

We begin with the role of the arbitrator. In the above AQS scheme, the arbitrator knows $K_A$ and he can help Bob to verify the signature. When a dispute appears, that is, Bob says that Alice signed a message $|P\rangle$ for him but Alice disavows it, the arbitrator will require Bob to provide the message $|P\rangle$ and Alice's corresponding signature $|S\rangle$; then the process in step V2 is done. If $V = 1$ the arbitrator concludes that $|S\rangle$ is indeed a valid signature of message $|P\rangle$ and Alice is disavowing her signature; otherwise, the arbitrator believes the signature is forged by Bob. Even though case two is secure, it is of interest to note that $|M_A\rangle$ has no contributions for the arbitrator to resolve disputes. So Alice only needs to encrypt $|R_A\rangle$, obtaining the signature $|S\rangle = E_{K_A}(|R_A\rangle)$ of message $|P\rangle$ in step S4, and sends $|S\rangle$, $|P\rangle$, $|M_A\rangle$ to Bob in step S5. The above improvements, on the one hand, make the AQS scheme more secure; on the other hand, they reduce the communication complexity between the arbitrator and Bob [6].
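The key leakage analysed in this subsection can be checked with a small state-vector calculation. The block below is an added example, not code from the paper: it regenerates Table I for case one, rebuilds a key from known Bell states and their ciphertext labels, and counts how many case-two keys stay consistent with one observation. Assumptions: a two-bit label "ab" in Table I is read as σ_x^a σ_z^b on the first qubit (this reproduces the table and the K_A = 10 example), and all function names and the sample key are constructed for illustration.

```python
import itertools
import math

S = 1 / math.sqrt(2)
# Bell states as real amplitude vectors over |00>, |01>, |10>, |11>.
BELL = {
    "phi+": (S, 0.0, 0.0, S),
    "phi-": (S, 0.0, 0.0, -S),
    "psi+": (0.0, S, S, 0.0),
    "psi-": (0.0, S, -S, 0.0),
}
KEYS = ("00", "01", "10", "11")


def apply_pauli(state, qubit, x_bit, z_bit):
    """Apply sigma_x^x_bit sigma_z^z_bit to one qubit (0 = first) of a 2-qubit state."""
    mask = 2 if qubit == 0 else 1      # bit of the basis index owned by `qubit`
    amp = list(state)
    if z_bit:                          # sigma_z acts first: flip sign where qubit = 1
        amp = [-a if i & mask else a for i, a in enumerate(amp)]
    if x_bit:                          # sigma_x: exchange basis states differing in qubit
        amp = [amp[i ^ mask] for i in range(4)]
    return tuple(amp)


def identify_bell(state):
    """Return (label, sign); a real Bell measurement reveals the label only."""
    for label, vec in BELL.items():
        overlap = sum(a * b for a, b in zip(vec, state))
        if abs(abs(overlap) - 1.0) < 1e-9:
            return label, (1 if overlap > 0 else -1)
    raise ValueError("state is not a Bell state")


def encrypt_case_one(state, key2):
    """Eq. (5) for one pair: pad the first qubit, identity on the second."""
    return apply_pauli(state, 0, int(key2[0]), int(key2[1]))


def table_one():
    """Map (key, plaintext Bell state) -> (ciphertext Bell state, sign)."""
    return {(k, m): identify_bell(encrypt_case_one(BELL[m], k))
            for k in KEYS for m in BELL}


def recover_key(known, observed):
    """Case-one keys consistent with a known plaintext and an observed label."""
    return [k for k in KEYS
            if identify_bell(encrypt_case_one(BELL[known], k))[0] == observed]


def recover_key_string(plaintexts, key):
    """Encrypt n known Bell pairs with a 2n-bit key, then rebuild it from labels."""
    out = []
    for i, m in enumerate(plaintexts):
        pair_key = key[2 * i:2 * i + 2]
        observed = identify_bell(encrypt_case_one(BELL[m], pair_key))[0]
        out.append(recover_key(m, observed)[0])
    return "".join(out)


def case_two_candidates(known, observed):
    """Eq. (6) for one pair: both qubits padded; list 4-bit keys matching the label."""
    hits = []
    for x0, z0, x1, z1 in itertools.product((0, 1), repeat=4):
        c = apply_pauli(apply_pauli(BELL[known], 0, x0, z0), 1, x1, z1)
        if identify_bell(c)[0] == observed:
            hits.append(f"{x0}{z0}{x1}{z1}")
    return hits


if __name__ == "__main__":
    sample_key = "100111"              # constructed sample key, two bits per pair
    print(recover_key_string(["phi+", "psi-", "phi-"], sample_key))
    print(len(case_two_candidates("phi+", "psi+")))
```

In case one every observed label leaves exactly one two-bit key, while in case two each observation leaves four of the sixteen four-bit keys, so a single known Bell pair no longer fixes the pad.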

D. Security analysis of the AQS scheme without using entanglement

In the above analysis, we have shown that $|M_A\rangle$ does not have to be included in the signature. One reason why we analyze the above attack is that it shows an interesting property of the quantum one-time pad, namely that there is a way to learn the classical key exactly; the other is that it leads to the general attack discussed below. In the remainder of this subsection, we show that the above improvement is also insecure for AQS schemes, because Alice can obtain Bob's secret key and deny her signature successfully by the property of QOTP encryption. We take Zou's AQS scheme without entanglement [6] as an example for security analysis.

Initializing phase. Three keys $K_{AB}$, $K_A$ and $K_B$ are shared between Alice and Bob, Alice and the arbitrator, and Bob and the arbitrator, respectively.

Signing phase.

S1. Alice obtains three copies of the quantum message $|P\rangle = \otimes_{i=1}^{n} |p_i\rangle$, and encrypts each of them into $|P'\rangle$ using a random number $r$ as the key.

S2. Alice performs the following encryptions: $|R_{AB}\rangle = E_{K_{AB}}|P'\rangle$, $|S_A\rangle = E_{K_A}|P'\rangle$, and sends $|P'\rangle$, $|R_{AB}\rangle$ and $|S_A\rangle$ to Bob.

Verifying phase.

V1. Bob sends $|Y_B\rangle = E_{K_B}(|P'\rangle, |S_A\rangle)$ to the arbitrator.

V2. The arbitrator decrypts $|Y_B\rangle$ and verifies whether $|S_A\rangle = E_{K_A}|P'\rangle$. If the equation holds, he sets the verification parameter $V_T = 1$; otherwise he sets $V_T = 0$. He announces the verification parameter $V_T$ by the public board, regenerates $|Y_B\rangle$ and sends it back to Bob.

V3. If $V_T = 0$, Bob rejects the signature; otherwise he decrypts $|Y_B\rangle$ and verifies whether $E_{K_{AB}}|P'\rangle = |R_{AB}\rangle$. If $E_{K_{AB}}|P'\rangle = |R_{AB}\rangle$, he sets the verification parameter $V_B = 1$; otherwise he sets $V_B = 0$. He announces the verification parameter $V_B$ by the public board.

V4. If $V_B = 1$, Alice publishes $r$ by the public board, and Bob gets back $|P\rangle$ from $|P'\rangle$ by $r$ and stores $(|S_A\rangle, r)$ as Alice's signature for the quantum message $|P\rangle$.

1. Alice’s general attack on AQS schemes

We describe Alice's general attack in detail in the following. Her attack begins in step S2. Alice prepares $n$ ordered Bell states $|\phi^+\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)_{TH}$, where the subscripts $T$ and $H$ denote different particles. We denote the $n$ ordered Bell states by $(T_1, H_1), (T_2, H_2), (T_3, H_3), \cdots, (T_n, H_n)$, where the subscripts indicate the pair order in the sequence. Alice takes one particle from each Bell state to form an ordered particle sequence, denoted by $|T\rangle = (T_1, T_2, T_3, \cdots, T_n)$. The remaining particles compose another particle sequence $|H\rangle = (H_1, H_2, H_3, \cdots, H_n)$. Alice performs the following encryptions: $|R_{AB}\rangle = E_{K_{AB}}|P'\rangle$, $|S_A\rangle = E_{K_A}|P'\rangle$, and sends $|T\rangle$, $|R_{AB}\rangle$ and $|S_A\rangle$ instead of $|P'\rangle$, $|R_{AB}\rangle$ and $|S_A\rangle$ to Bob. As Alice transforms the quantum message $|P\rangle$ into $|P'\rangle$ using a random number $r$, $|P'\rangle$ will be known to nobody. Furthermore, non-orthogonal states can't be reliably distinguished. Therefore, Bob won't notice Alice's attack and accepts $|T\rangle$ as the signed message.

In the verifying phase, Bob sends $|Y_B\rangle = E_{K_B}(|T\rangle, |S_A\rangle)$ to the arbitrator for verification. Alice intercepts it, obtaining $E_{K_B}|T\rangle$. Then Alice can learn Bob's secret key $K_B$ exactly by performing a Bell-basis measurement on $E_{K_B}|T\rangle$ and $|H\rangle$ simultaneously; see Table I and Ref. [9]. For example, if $(T, H) = |\phi^+\rangle$ and $(E_{K_B}T, H) = |\psi^+\rangle$, the secret key $K_B = 10$. Alice generates $|Y'_B\rangle = E_{K_B}(|P'\rangle, |S_A\rangle)$ by encrypting $|P'\rangle$ and $|S_A\rangle$ using the key $K_B$, and sends it to the arbitrator. When the arbitrator announces the verification parameter $V_T = 1$ by the public board and sends $|Y'_B\rangle = E_{K_B}(|P'\rangle, |S_A\rangle)$ back to Bob in step V2, Alice intercepts it. Then Alice randomly selects a quantum message $|P''\rangle$ where $|P''\rangle \neq |P'\rangle$ and generates $|S'\rangle = E_{K_A}|P''\rangle$. Then Alice sends $|Y''_B\rangle = E_{K_B}(|P'\rangle, |S'_A\rangle)$ to Bob. Bob will accept this signature without noticing Alice's attack in steps V3 and V4.

When a dispute appears, Bob requires the arbitrator to make a judgment by providing $(|P\rangle, |S'\rangle, r)$. Then the arbitrator generates $|P'\rangle$ by encrypting $|P\rangle$ using $r$, and verifies whether $|S'\rangle = E_{K_A}|P'\rangle$. Obviously the modified signature will not pass verification, and hence Alice successfully denies having signed the message. It is easy to verify that the AQS schemes using entanglement [4, 5] are also insecure under the above attack strategy.

III. A SECURE AQS SCHEME WITHOUT USING ENTANGLED STATES

We have shown that the existing AQS schemes [4–6] cannot prevent Alice from disavowing her signature. And from Ref. [6], we know that the AQS scheme without entangled states reduces the complexity of implementing the scheme and maintains all other merits of the AQS scheme using Bell states [5] and the AQS scheme using GHZ states [4]. Therefore, in this section, we present a new AQS scheme without entangled states that can avoid the above attack and preserves all the merits of the AQS scheme of Ref. [6].

As is well known, a secure arbitrated quantum signature should satisfy two conditions: one is that the signature should not be forged by the attacker (including the malicious receiver and the not fully trusted arbitrator), and the other is the impossibility of disavowal by the signatory and the receiver. In the AQS scheme without entangled states [6], Alice sends $|P'\rangle$, $|R_{AB}\rangle$ and $|S_A\rangle$ to Bob in step S2. $|R_{AB}\rangle$ is used to prevent the arbitrator from forging Alice's signature, as he is not fully trusted by Alice and Bob, and $K_{AB}$ is kept secret from him; $|S_A\rangle$ is used to prevent Bob from forging her signature, as he does not have Alice's secret key $K_A$; meanwhile, the secret key $K_A$ is included in $|S_A\rangle$, which will also prevent Alice from repudiating her signature; $|P'\rangle$ is used to avoid being disavowed by Bob. Therefore, $|P'\rangle$, $|R_{AB}\rangle$ and $|S_A\rangle$ are essential to achieve a secure signature.

Alice has been able to deny her signature and obtain Bob's secret key because Bob has not verified the validity of the signed message $|P'\rangle$ in step V1. We notice that $|P'\rangle$ may be replaced by some entangled states, and Alice obtains Bob's secret key by the property of the quantum one-time pad, so she can deny her signature. To avoid being disavowed by Alice, Bob must verify the validity of the signed message $|P'\rangle$ before he sends it to the arbitrator in step V1.

Gao et al. [7] showed that Alice can disturb the signature $|S_A\rangle$ when the arbitrator sends $|Y_B\rangle$ back to Bob in step V2. As only $|S_A\rangle$ is modified by Alice and $|S_A\rangle$ is not useful for Bob's verification in step V3, Bob will accept this signature as a valid one. However, when a dispute appears, Alice can always successfully disavow her signature because the disturbed signature will not pass the arbitrator's verification. As $|S_A\rangle$ is completely indistinguishable to Bob, when he receives the modified $|S_A\rangle$ he cannot verify its validity. That is the main reason why Alice's disavowal always succeeds. To avoid the above attack, Bob needs to authenticate the validity of $|S_A\rangle$ when he receives it back from the arbitrator.

The AQS scheme is specified in the following.

Initializing phase. Three keys $K_{AB}$, $K_A$ and $K_B$ are shared between Alice and Bob, Alice and the arbitrator, and Bob and the arbitrator, respectively.

Signing phase.

S1. Alice obtains four copies of the quantum message $|P\rangle = \otimes_{i=1}^{n} |p_i\rangle$, and transforms each of them into $|P'\rangle$ using a random number $r$ as the key, i.e., $|P'\rangle = M_r|P\rangle$, where $M_r$ is a non-commutative unitary operator.

S2. Alice performs the following encryptions: $|R_{AB}\rangle = E_{K_{AB}}|P'\rangle$, $|S_A\rangle = E_{K_A}|P'\rangle$, $|S_A\rangle = E_{K_A}|P'\rangle$, and sends $|P'\rangle$, $|R_{AB}\rangle$, $|S_A\rangle$ and $|S_A\rangle$ to Bob. Note that there are two copies of $|S_A\rangle$ (to simplify the notation, we denote them $|S_A\rangle_1$ and $|S_A\rangle_2$ respectively): $|S_A\rangle_1$ is for the arbitrator to verify the validity of the signature, and $|S_A\rangle_2$ is used against Alice's disavowal proposed by Gao et al. [7].

Verifying phase.

V1. Before Bob sends $|Y_B\rangle = E_{K_B}(|P'\rangle, |S_A\rangle_1)$ to the arbitrator for verification, he first verifies the validity of $|P'\rangle$ and $|S_A\rangle$. If $|R_{AB}\rangle = E_{K_{AB}}|P'\rangle$ and the two copies of $|S_A\rangle$ are identical, he believes that Alice is honest and sends $|Y_B\rangle$ to the arbitrator; otherwise, he terminates the protocol and rejects the signature. Note that Bob keeps one copy of $|S_A\rangle$ in his hand, and it will be used to verify whether the signature sent to the arbitrator is modified by Eve.

V2. The arbitrator decrypts $|Y_B\rangle$ and verifies whether $|S_A\rangle_1 = E_{K_A}|P'\rangle$. If the equation holds, he sets the verification parameter $V_T = 1$; otherwise he sets $V_T = 0$. He announces the verification parameter $V_T$ by the public board, regenerates $|Y_B\rangle$ and sends it back to Bob.

V3. If $V_T = 0$, Bob rejects the signature; otherwise he decrypts $|Y_B\rangle$ and verifies whether $E_{K_{AB}}|P'\rangle = |R_{AB}\rangle$ and $|S_A\rangle_1 = |S_A\rangle_2$. If both of them hold, he sets the verification parameter $V_B = 1$; otherwise he sets $V_B = 0$. He announces the verification parameter $V_B$ by the public board.

V4. If $V_B = 1$, Alice publishes $r$ by the public board, then Bob gets back $|P\rangle$ from $|P'\rangle$ by $r$, accepts the signature $|S_A\rangle$ of the message $|P\rangle$ and stores $(|P\rangle, |S_A\rangle, |S_A\rangle)$ for resolving disputes when Alice disavows her signature.

According to the previous analysis, the new AQS scheme without entangled states is secure, i.e., it is secure against our presented attack and Gao's attack [7], and it maintains all the merits of the existing AQS schemes [4–6]. Similarly, the AQS schemes using entangled states [4, 5] can also be improved by the above method.

IV. CONCLUSION

In this brief report, we present a general attack which shows that the existing AQS protocols [4–6] are insecure because Alice can obtain Bob's secret key and disavow any message she ever signed. We improve the AQS schemes to resist such an attack. To prevent Alice from obtaining Bob's secret key, Bob must first verify the validity of the signed message before he sends it to the arbitrator. We also give a method to counter Alice's disavowal presented by Gao et al. [7]. Note that our presented AQS scheme, on the one hand, can avoid being disavowed by the signatory and, on the other hand, preserves all merits of the existing schemes [4–6].

ACKNOWLEDGMENTS

This work is in part supported by the Key Project of NSFC-Guangdong Funds (No.U0935002).

[1] Katz, Jonathan and Lindell, Yehuda, Introduction to Modern Cryptography (Chapman & Hall/CRC Cryptography and Network Security Series), (2007).
[2] Peter W. Shor, 35th Annual Symposium on Foundations of Computer Science, 20-22 November 1994, Santa Fe, New Mexico, p. 124-134 (1994).
[3] Lov K. Grover, 28th Annual ACM Symposium on Theory of Computing, New York, p. 212-219 (1996).
[4] Zeng, Guihua and Keitel, C. H., Phys. Rev. A 65, 042312 (2002).
[5] Qin Li, W. H. Chan and Dong-Yang Long, Phys. Rev. A 79, 054307 (2009).
[6] Xiangfu Zou and Daowen Qiu, Phys. Rev. A 82, 042325 (2010).
[7] Fei Gao, Su-Juan Qin, Fen-Zhuo Guo and Qiao-Yan Wen, e-print arXiv:1106.4398v1 (2011).
[8] Jeong Woon Choi, Ku-Young Chang, Dowon Hong, e-print arXiv:1106.5318v1 (2011).
[9] P. O. Boykin and V. Roychowdhury, Phys. Rev. A 67, 042317 (2003).
[10] Guihua Zeng, Phys. Rev. A 78, 016301 (2008).
[11] P. G. Kwiat, K. Mattle, H. Weinfurter, A. Zeilinger, A. V. Sergienko, and Y. Shih, Phys. Rev. Lett. 75, 4337 (1995).
[12] Y. Yeo and W. K. Chua, Phys. Rev. Lett. 96, 060502 (2006).
[13] X. W. Wang and G. J. Yang, Phys. Rev. A 78, 024301 (2008).
[14] C. H. Bennett and S. J. Wiesner, Phys. Rev. Lett. 69, 2881 (1992).