A Quantum secure sharing protocol for Cloud data based on proxy re-encryption

A quantum scheme for cloud data sharing based on proxy re-encryption is proposed. The user Alice stores the cipher-text of her data on cloud data center. When Alice wants to share her data with another user Bob, Alice is called the delegator and Bob is called the delegatee. The cloud service provider (called the proxy) can convert the delegator’s cipher-text into the delegatee’s cipher-text without decrypting the former, so that the delegatee can get the plain-text of Alice’s data with his private key. The proxy cannot obtain the plain-text of the user’s data stored on cloud data center. Delegator in the protocol should have the ability of producing Bell states, performing Bell basis and Z-basis measurements, and storing qubits. The quantum requirements for the delegatee are reduced. The delegatee needs to have the ability of reflecting and performing Z-basis measurement. One secret at a time (one-time one-pad) is theoretically implemented, especially when the same data is shared multiple times. The anti-selection plain-text attack security and the anti-selective cipher-text attack security are realized. Fine-granularity secret data sharing is achieved flexibly.

is a binary data belonging to Alice. Alice stores the cipher-text of M on the cloud data center. The cloud service provider is called the proxy. The cipher-text of M is denoted as , 1} n is a random number generated by Alice using quantum random number generator and is confidential to others. If Alice wants to share M with Bob, they can finish the task securely with the help of the proxy. The general process is as follows: Alice first sends a conversion key ∈ r {0, 1} K n to the proxy to let him generate the final conversion key ∈ r {0, 1} K f n . Then, the proxy uses r K f to change the cipher-text C A to Bob's cipher-text ∈ C {0, 1} B n . Bob decrypts C B to get the plain-text M by using his private key ∈ K {0, 1} B n . K B can be obtained by executing the initial algorithm of the protocol, which will be described in the definition 3 of section 2.3. The proxy cannot know the plain-text M. The relation between K B and other variables will be described in section 2.3. Figure 1 shows the whole structure of the protocol.
Preliminaries. Definition 1: Bell state is an important two-qubit state, which has four states: 1 2 ( 00 11 ), 1 2 ( 01 10 ) The Bell states φ = ± ± ( 00 11 ) 1 2 have the property that upon measuring the first qubit, one obtains two possible results: 0 with probability 1/2, leaving the post-measurement state 00 φ = ± , and 1 with probability 1/2, www.nature.com/scientificreports www.nature.com/scientificreports/ leaving φ = ± 11 . As a result, a measurement of the second qubit always gives the same result as the measurement of the first qubit. That is, the measurement outcomes are correlated.
Similarly, the Bell states ( 01 10 ) have the property that upon measuring the first qubit, one obtains two possible results: 0 with probability 1/2, leaving the post-measurement state ψ = ± 01 , and 1 with probability 1/2, leaving ψ = ± 10 . As a result, a measurement of the second qubit always gives the opposite result as the measurement of the first qubit. That is, the measurement outcomes are also correlated. Definition 2: Z-basis { 0 , 1 } measurement is the measurement of a qubit in the computational basis. This is a measurement on a single qubit with two outcomes defined by the two measurement operators The measurement operators satisfy the completeness. Suppose the state being measured is 0 Then the probability of obtaining measurement outcome 0 is Similarly, the probability of obtaining the measurement outcome 1 is p(1) The state after measurement in the two cases is therefore 0 or 1 .
Algorithm definition. When Alice's data stored on cloud server is to be shared with Bob, Alice is the delegator, Bob is the delegatee, and the cloud server is the proxy. Alice previously shared ∈ K {0, 1} N with the proxy by executing quantum key distribution protocol.

Definition 5: Re-Encryption Key Generation Algorithm
ReKeyGen(r K ): On inputting the secret key r K , this algorithm works as below: and sends ′ r K to the proxy (cloud server). Here Encrypt () K can be any symmetric encryption algorithm except for XOR. 2. The proxy decrypts r K ′ with K to obtain r K and Q. 3. According to Q, the proxy extracts the corresponding bits in

and obtains the final conversion key
is obtained according to the property of Bell states.

Definition 6: Encryption Algorithm
Encrypt(R, M): On inputting a random number R and plain-text M, this algorithm outputs the cipher-text

Definition 7: Re-Encryption Algorithm
ReEncrypt(r K f , C A ): On inputting the final conversion key r K f and cipher-text C A , this algorithm outputs the re-encryption cipher-text

Definition 8: Decryption Algorithm
www.nature.com/scientificreports www.nature.com/scientificreports/ Decrypt(C B , K B ): On inputting Bob's secret key K B and cipher-text C B , this algorithm outputs the plain-text M. Figure 2 shows the process of algorithm execution.

the Security proof of the protocol
We conclude that the protocol satisfies the consistency according to the following derivation: Alice-> the proxy: The proxy -> Bob: C C r Generally speaking, in order to prove the security of a classical cryptography scheme, the security objectives are first determined. Then an attack model is constructed according to the ability of the attacker. Finally, the method specification for breaking the scheme is proposed to solve a difficult mathematical problem or difficult assumption.
In our scheme, Alice's data is encrypted with a random number R and stored on cloud server. Any user that Alice is willing to share data with can realize the sharing by executing the protocol. The principles of quantum non-cloning, uncertainty and entanglement ensure that the re-encryption cipher-text of the same shared data in each sharing process is different, which means that one secret at a time (one-time one-pad) is realized. Therefore, it can be proved that the protocol can resist anti-selective plain-text attack and anti-selective cipher-text attack without using the classical reduction method.
The principles of quantum non-cloning, uncertainty and entanglement work on the premise that the protocol has the ability to discover or prevent attackers from falsifying quantum carriers. Section 4.1 and 4.2 prove that if the eavesdropper intends to falsifying quantum carriers (replacing or destructing the Bell states), his behavior will be found with very high probability (almost 99.9%).
Furthermore, in the protocol, the proxy only knows K f (the entanglement relationship between K A and K B ), he cannot know the data stored on cloud server. Bob only know Q and K B , he does not know the relationship between K A and K B , therefore he cannot know the data stored on cloud server without the re-encryption of cipher-text by the proxy.

Security Analysis
intercept-resend attack. The external attacker Eve may intercept the particles that Alice sent to Bob, and measure them with Z-basis, then prepare some particles with the same state and send them back to Bob. Suppose that each particle reserved by Alice is expressed as particle 1, each particle sent to Bob is represented as particle 2, and each particle re-prepared by Eve is represented as particle e. Then, after Eve intercepting and measuring particles 2 with Z-basis, the state of particle 1 collapses to ρ = + 0 0 1 1 . The combined state of particle 1 and particle e is: If the initial combined state of particle 1 and 2 is ψ − , after eavesdropping detection, the joint Bell-basis measurement result on particle 1 and e is as follows: If the initial combined state of the particles 1 and 2 is φ + , after eavesdropping detection, the joint Bell-basis measurement result on particle 1 and e is as follows: Therefore, Alice can discover Eve's eavesdropping on each qubit with probability 1/2, and the total probability that Alice can detect Eve's eavesdropping is 1 − (1/2) n . When n = 5, the probability reaches 97%. The protocol will be terminated, and the eavesdropper will not obtain any data that Alice stored on the cloud server.
Source untrusted attack. The reflected particles are used for eavesdropping detection, not only detecting the intercept-resend attack, but also detecting the source untrusted attack [42][43][44] . Usually, in source untrusted attack, the eavesdroppers with super ability will control or provide devices used to prepare Bell states. Although Alice thinks a real Bell state is prepared, what she actually gets may be a different state because the preparing device is controlled or provided by Eve [42][43][44] . That is, the source is untrusted.
To steal secret message, Eve may control the device to prepare some non-entangled mixed states of |00〉, |01〉, |10〉, |11〉 or entangled states with higher dimensional such as GHZ states.
(1) Eve prepares state 00 00 11 11 ρ = + instead of ψ − . By doing so, Eve will know K A and K B before eavesdropping detection. However, during the eavesdropping detection, Alice performs the joint Bell-basis measurement on particles 1 and 2, and the following results will be obtained respectively: Obviously, Alice will discover Eve's eavesdropping on each qubit with probability 1/2, and the total probability that Alice finds Eve's eavesdropping is 1 (1/2) n − . Thus, the protocol will be terminated, and the eavesdropper will not obtain any data that Alice stored on the cloud server. Eve sends particle 1 and 2 to Alice, and keeps particle 3 herself. When Bob measures the received particle 2 with Z-basis, the state of particle 1 and 3 collapse. Since Eve does not know on which positions Bob will measure and which positions to reflect, Eve will not measures those particles 3 on the un-reflected positions with Z-basis until she determines which positions are reflected. Although, by doing so, she will obtain K A and K B , but before that, to detect eavesdropping Alice performs joint Bell-basis measurement on particle 1 and 2. If Eve prepares entangled state G 0 , 3 instead of ψ − , the measurement result is: Obviously, before Eve knows K A and K B , Alice will discover the eavesdropping behavior of Eve with probability − 1 (1/2) n . Thus, the protocol will be terminated, and the eavesdropper will not obtain any data that Alice stored on the cloud server. www.nature.com/scientificreports www.nature.com/scientificreports/ tion, only the delegator knows the random number R which encrypted shared data M, so the proxy cannot know M through C R M A = ⊕ . If the proxy is dishonest, assuming that he is the eavesdropper discussed in 4.1 and 4.2, besides having the power of eavesdroppers, he knows K. When the proxy performs intercept-resend attacks, having K will not help him with the success of his attack. Therefore, when Alice detects eavesdroppers, the attack will be found by Alice with probability 1 (1/2) n − . And the proxy cannot know the shared data that Alice stored on the cloud server. For an honest proxy, although he has the conversion key r k and the final conversion key r K f , he cannot obtain the plain-text of shared data stored on the cloud server. For a dishonest proxy, his bad behavior will be detected with probability closing to 100%. Therefore, neither honest proxy nor dishonest proxy have access to the plain-text of shared data stored on the cloud server.

the comparisons with previous Works
Compared with the previous classical proxy re-encryption protocols proposed in refs. [8][9][10][11][12] , our protocol theoretically implements one secret at a time (one-time one-pad), especially when the same data is shared multiple times. In each data sharing process, K A , K B and r K f are random numbers with entanglement correlation, which is ensured by the principles of quantum non-cloning, uncertainty and entanglement. The second layer cipher-text (cipher-text of the delegatee) will not reappear. Therefore, the protocol realizes the anti-selection plain-text attack security and the anti-selective cipher-text attack security without basing on the difficult mathematical problem or difficulty assumption.
Compared with the protocols proposed in refs. [8][9][10][11][12][13][14][15][16] , our protocol can flexibly achieve fine-granularity secret data sharing. Alice can control the sharing granularity to Bob by adjusting r K and the starting location of shared data. However, the protocol cannot resist the conspiracy attack of the proxy and Bob.
Our protocol requires Alice have the ability of producing Bell states, performing Bell basis and Z basis measurements and storing qubits. The quantum ability of Bob is low; he is only need to have the ability of performing Z basis measurement and reflecting. Compared with QSS protocols proposed in refs. 37,[39][40][41]45 , our protocol reduces the difficulty of implementation. In refs. 39-41 , multi-particle entanglement states need to be prepared, which is more difficult than preparing Bell states. In ref. 45 , although both classical and quantum secret sharing are designed, however the quantum Fourier transform and d-level quantum system are needed, which are more complex and difficult to implement than our protocol.

Discussion
Smooth entropy and mutual information are usually used to analyse the security of quantum key distribution, i.e. secret key agreement by communication over a quantum channel [50][51][52] . In this section, we analyze the post-processing of the protocol from the perspective of mutual information.
In order to make the key shared by Alice and Bob logically consistent, and to reduce the amount of information Eve knows, the protocol has to carry out error reconciliation and privacy amplification. Eve may intercept the particle 2 sent by Alice to Bob, then measures it with the Z-basis and sends it back to Bob. Normally, Bob randomly chooses to reflect the particle or measure the particle with Z-basis. The results of the Z-basis measurement are taken as K B . Eve's attack will not result in a bit error because the measurement basis is the same with Bob's.
Let the bit error rate be λ for the environmental factors 46,47 other than Eve's above attack. In order to correct errors, at least the extra information of H ( ) 2 λ needs to be transmitted for each bit. After privacy amplification, the security key rate is: Because the eavesdropping detection of the protocol is to detect whether the two parties share the entangled state φ + or ψ − , once the shared entangled state is confirmed by the eavesdropping detection, Eve cannot obtain the information of K B according to the monogamy of nonlocal correlations (entanglement). Therefore, in our protocol, I B E ( : ) 0 = .
Assuming that the length of the secret data M is n, the length of r K f , K A and K B must be n bits in order to ensure that the secret data can be successfully shared. Therefore, the length of r K f , K A and K B before error reconciliation and privacy amplification which is denoted as m must satisfy the following inequality The number of Bell states prepared in the initial algorithm should satisfy: The proposed quantum cryptography 48,49 protocol realizes secure data sharing on cloud server based on proxy conversion encryption. In the protocol, the intercept-resend attack, the source untrusted attack, and the proxy attack are analyzed. Delegator in the protocol should have the ability of producing Bell states, performing Bell basis and Z basis measurements and storing qubits. While the quantum requirements for the delegatee are