由於網際網路的快速發展，為了保護資料傳送的隱密性，傳送者與接收者可使用一把共享的金鑰來加密資料。一般上，此金鑰是由一方決定，再透過對稱式密碼系統或非對稱式密碼系統，傳送給另一方。由於金鑰是由一方決定並分配給接收者，故此金鑰分配方式適用於一個雙方相互信賴的環境。但是，在一個互不信任的環境中，使用者雙方可能不希望該金鑰由一方單獨決定。因此，金鑰協商協定十分適合用來解決此一問題。

由於傳統的金鑰分配及金鑰協商協定無法偵測竊聽者，且一些安全性植基於數學難題的密碼協定，已被證明可在多項式時間內被量子電腦破解，故使用量子物理特性來設計密碼協定，是目前許多研究的發展方向。其中，以量子金鑰分配協定的研究最為受到重視。然而，在量子金鑰分配協定中，金鑰是由一方決定再傳送給另一方，因此並不適用於一個互不信任的環境。雖然量子金鑰協商協定也可使互不信任的使用者共同協商一把金鑰，但使用者卻必需事先各自產生一把子金鑰，再進行金鑰協商。因此，本論文更提出一個新的量子分配協定──機率式量子金鑰分配協定，藉由量子量測的不確定性，公平地分配一把隨機產生的金鑰給兩位互不信任的使用者。同時，為了防止惡意的使用者在偵測竊聽者的過程中控制金鑰，本論文亦提出一個公平偵測竊聽者的方法，解決目前量子金鑰協定在偵測竊聽者方面所面臨的公平性問題。

With the rapid increase in security threats during data transmission, especially on the Internet, it has become extremely important to ensure privacy in communications. A sender typically decides a secret key and then distributes it to a receiver via a symmetric or asymmetric cryptosystem. Subsequently, they use the key to encrypt the exchanged messages. Since the secret key is decided by one communicant, such a key distribution method is suitable for mutually trusted environments. However, if the communicants are mutually untrusted, neither may want the secret key to be predetermined by the other. In such situations, they can use a key agreement protocol to solve the problem.

The security of many cryptosystems takes advantage of mathematical difficulties, but such cryptosystems cannot always detect eavesdropping attacks. Therefore, the development of quantum cryptosystems, whose security is based on quantum phenomena, has attracted considerable research attention. In quantum cryptography, quantum key distribution (QKD) is one of the most important research topics. QKD enables a sender to securely distribute a secret key to a receiver through the transmission of quantum signals. Since the secret key is decided by one communicant, the QKD cannot be used in mutually untrusted environments.

This thesis proposes three quantum key agreement (QKA) protocols that allow two mutually untrusted communicants to contribute equally to a negotiated key in such a manner that neither communicant can fully control that key independently. Since both the communicants in the QKA have to artificially generate a secret subkey each before executing the protocol, this thesis proposes a new concept of QKD called the “probabilistic quantum key distribution (PQKD)” to solve the weakness. By exploiting the beautiful nature of unpredictability in the measurements of quantum phenomenon, a secret key can be generated and distributed to two mutually untrusted communicants; moreover, this precludes any communicant from determining the secret key alone even with a one-bit advantage. Furthermore, this thesis proposes a fair public discussion game to prevent malicious communicants from controlling the secret key during eavesdropping check.

[1] H. C. Shih amd K. C. Lee and T. Hwang. New efficient three-party quantum key distribution protocols. IEEE Journal of Selected Topics in Quantum Electronics, 15(6):1602-1606, 2009.

[2] H. Bechmann-Pasquinucci and N. Gisin. Incoherent and coherent eavesdropping in the 6-state protocol of quantum cryptography. Physical Review A, 59(6):4238-4248, 1999.

[3] M. Ben-Or, M. Horodecki, D. W. Leung, D. Mayers, and J. Oppenheim. The universal composable security of quantum key distribution. In Proceedings of the 2nd Theory of Cryptography Conference, (Lecture Notes in Computer Science/Security and Cryptology), volume 3378, pages 386-406, Cambridge, MA, USA, 10-12, Feb. 2005.

[4] C. H. Bennett. Quantum cryptography using any two nonorthogonal states. Physical Review Letter, 68:3121-3124, 1992.

[5] C. H. Bennett and G. Brassard. Quantum cryptography: Public key distribution and coin tossing (invited paper). In Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, pages 175-179, Bangalore, India,Dec. 1984.

[6] C. H. Bennett, G. Brassard, and N. D. Mermin. Quantum cryptography without Bell's theorem. Physical Review Letter, 68:557, 1992.

[7] C. H. Bennett and S. J. Wiesner. Communication via one- and two-particle operators on Einstein-Podolsky-Rosen states. Physical Review Letter, 69(20):2881-2884, 1992.

[8] E. Biham, M. Boyer, P. O. Boykin, T. Mor, and V. Roychowdhury. A proof of the security of quantum key distribution. In Proceedings of the thirty-second an-
nual ACM symposium on Theory of computing, pages 715-724, Portland, Oregon, United States, 21-23, May 2000.

[9] K. Bostroem and T. Felbinger. Deterministic secure direct communication using entanglement. Physical Review Letter, 89(18):187902, Oct. 2002.

[10] D. Bruss. Optimal eavesdropping in quantum cryptography with six states. Physical Review Letters, 81(14):3018-3021, 1998.

[11] Q. Y. Cai. Eavesdropping on the two-way quantum communication protocols with invisible photons. Physics Letters A, 351:23-25, 2006.

[12] T. Chaneli ere, D. N. Matsukevich, S. D. Jenkins, S. Y. Lan, T. A. B. Kennedy, and A. Kuzmich. Storage and retrieval of single photons transmitted between remote quantum memories. Nature, 438(7069):833-836, 2005.

[13] I. C. Chen, T. Hwang, and C. M Li. E cient one-out-of-two quantum oblivious transfer based on four-coherent-state postselection protocol. Physica Scripta, 78(3):035005, Aug. 2008.

[14] J. H. Chen, K. C. Lee, and T. Hwang. The enhancement of Zhou et al.'s quantum secret sharing protocol. International Journal of Modern Physics C, 20(10):1531-1535, 2009.

[15] S. K. Chong and T. Hwang. Quantum key agreement protocol based on BB84. Optics Communications, 283(6):1192-1195, Mar. 2010.

[16] S. K. Chong, Y. P. Luo, and T. Hwang. On arbitrated quantum signature of classical messages against collective amplitude damping noise . Optics Communications, 284(3):893-895, Feb. 2011.

[17] C. S. Chuu, T. Strassel, B. Zhao, M. Koch, Y. A. Chen, S. Chen, Z. S. Yuan, J. Schmiedmayer, and J. W. Pan. Quantum memory with optically trapped atoms. Physical Review Letters, 101(12):120501, 2008.

[18] F. G. Deng, G. L. Long, and X. S. Liu. Two-step quantum direct communication protocol using the Einstein-Podolsky-Rosen pair block. Physical Review A, 68:042317, 2003.

[19] F. G. Deng, G. L. Long, Y. Wang., and L. Xiao. Increasing the e ciencies of random-choice-based quantum communication protocols with delayed measurement. Chinese Physics Letters, 21:2097-2100, 2004.

[20] W. Di e and M. E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22:644-654, Nov. 1976.

[21] L. Dong, X. M. Xiu, Y. J. Gao, and F. Chi. A controlled quantum dialogue protocol in the network using entanglement swapping. Optics Communications, 281:6135-6138, 2008.

[22] A. Einstein, P. Podolsky, and S. Rosen. Can quantum-mechanical description of physical reality be considered complete? Physical Review, 47:777-780, 1935.

[23] A. K. Ekert. Quantum cryptography based on Bell's theorem. Physical Review Letters, 67:661-663, 1991.

[24] T. ElGamal. A public-key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31(4):469-472, 1985.

[25] G. Gan. Quantum key distribution scheme with high e ciency. Communications in Theoretical Physics, 51(5):820- 822, 2009.

[26] F. Gao, Q. Y. Wen, and F. C. Zhu. Comment on `quantum exam' [Phys. Lett. A, 350 (2006) 174]. Physics Letters A, 360(6):748 -750, 2007.

[27] N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden. Quantum cryptography. Reviews of Modern Physics, 74:145- 190, 2002.

[28] D. Gottesman and H. K. Lo. Proof of security of quantum key distribution with two-way classical communications. IEEE Transactions on Information Theory, 49(2):457-475, 2003.

[29] D. Gottesman, H. K. Lo, N. Lutkenhaus, and J. Preskill. Security of quantum key distribution with imperfect devices. Quantum Information and Computation,
4(5):325-360, 2004.

[30] Y. Guo and G. Zeng. Quantum event-error detection codes. Journal of the Physical Society of Japan, 74:2949- 2956, 2005.

[31] Y. Guo and G Zeng. How to combat quantum bursts of errors e ciently. Journal of the Physical Society of Japan, 75:034402, 2006.

[32] C. C. Hsueh and C. Y. Chen. Quantum key agreement protocol with maximally entangled states. In Proceedings of the 14th Information Security Conference (ISC 2004), pages 236- 242, National Taiwan University of Science and Technology, Taipei, Taiwan, 10-11 Jun. 2004.

[33] D. Z. Huang, Z. G. Chen, and Y. Guo. Quantum error-correction codes based on multilevel constructions of hadamard matrices. In Proceedings of the 3rd International Conference on Intelligent Computing, pages 18-24, Qingdao, China, 21-24 Aug. 2007.

[34] T. Hwang and K. C. Lee. EPR quantum key distribution protocols with potential 100% qubit e ciency. IET Proceedings Information Security, 1:43-45, 2007.

[35] T. Hwang and C. M. Li. Secure direct communication using deterministic BB84 protocol. International Journal of Modern Physics C, 19(4):625-635, 2008.

[36] International Organization for Standardization. ISO/IEC 11770-3:2008, Information technology - Security techniques - Key management - Part 3: Mechanisms using asymmetric techniques. 2nd edition, 15 Jun. 2008.

[37] A. E. Kozhekin, K. Molmer, and E. Polzik. Quantum memory for light. Physical Review A, 62(3):033809, 2000.

[38] C. Li, H. S. Song, L. Zhou, and C. F. Wu. A random quantum key distribution achieved by using Bell states. Journal of Optics B: Quantum and Semiclassical
Optics, 5(2):155-157, 2003.

[39] C. Liu, Z. Dutton, C. H. Behroozi, and L. V. Hau. Observation of coherent optical information storage in an atomic medium using halted light pulses. Nature,
409(6819):490-493, 2001.

[40] H. K. Lo and H. F. Chau. Unconditional security of quantum key distribution over arbitrarily long distances. Science, 283:2050-2056, 1999.

[41] H. K. Lo, X. Ma, and K. Chen. Decoy state quantum key distribution. Physics Review Letters, 94:230504, 2005.

[42] G. L. Long and X. S. Liu. Theoretically e cient high-capacity quantum-key-distribution scheme. Physical Review A, 65:0323021-0323023, 2002.

[43] X. F. Ma, B. Qi, Y. Zhao, and H. K. Lo. Practical decoy state for quantum key distribution. arXiv:quant-ph/0503005v5, 10 May 2005.

[44] D. Mayers. Unconditional security in quantum cryptography. Journal of the ACM, 48:351-406, 2001.

[45] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press, 2001.

[46] C. J. Mitchell, M. Ward, and P. Wilson. Key control in key agreement protocols. Electronics Letters, 34(10):980-981, May. 1998.

[47] C. Monroe, D. M. Meekhof, B. E. King, W. M. Itano, and D. J. Wineland. Demonstration of a fundamental quantum logic gate. Physical Review Letters, 75(25):4714-4717, Dec. 1995.

[48] M. Naor and B. Pinkas. Oblivious transfer and polynomial evaluation. In Proceedings of the thirty-fi rst annual ACM symposium on Theory of computing, pages 245-254, Atlanta, Georgia, United States, 1-4, May. 1999.

[49] M. A. Nielsen and I. L. Chuang. Quantum Computation and Quantum Information. Cambridge University Press, 2000.

[50] J. W. Pan, D. Bouwmeester, H. Weinfurter, and A. Zeilinger. Experimental entanglement swapping: Entangling photons that never interacted. Physical Review Letter, 80:3891, 1998.

[51] D. F. Phillips, A. Fleischhauer, A. Mair, R. L. Walsworth, and M. D. Lukin. Storage of light in atomic vapor. Physical Review Letter, 86(5):783-786, 2001.

[52] J. Pieprzyk and C. H. Lin. Multiparty key agreement protocols. IEE Proceedings-Computers and Digital Techniques, 147(14):229-236, Jul. 2000.

[53] B. Preneel and V. Rijmen. State of the Art in Applied Cryptography: Course on Computer Security and Industrial Cryptography. Leuven, Belgium, June 3-6, 1997. Revised Lectures, Lecture Notes in Computer Science, vol. 1528, Springer, 1998.

[54] R. Rivest, A. Shamir, and L. Adlemanr. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120-126, 1978.

[55] C. Shannon. Communication theory of secrecy systems. Bell System Technical Journal, 28(4):656-715, 1949.

[56] P. W. Shor. Algorithms for quantum computation: Discrete logarithms and factoring. In Proceedings of 35th Annual Symposium on Foundations of Computer
Science, pages 124 134, Los Alamitos, CA, 20-22 Nov. 1994.

[57] D. Song. Secure key distribution by swapping quantum entanglement. Physical Review A, 69(3):034301, 2004.

[58] William Stallingsn. Cryptography and Network Security, Principles and Practices. Prentice Hall, 2003.

[59] M. Steiner, G. Tsudik, and M. Waidne. Key agreement in dynamic peer groups. IEEE Transactions on Parallel and Distributed Systems, 11(8):769-780, Aug. 2000.

[60] P. D. Townsend. Quantum cryptography on optical ber networks. Optical Fiber Technology, 4:345-370, 1998.

[61] W. Trappe, Y. Wang, and K. J. Ray Liu. Resource-aware conference key establishment for heterogeneous networks. IEEE/ACM Transactions on Networking, 13(1):134-146, Feb. 2005.

[62] C. W. Tsai, S. K. Chong, and T. Hwang. Comment on quantum key agreement protocol with maximally entangled states. In Proceedings of the 20th Cryptology and Information Security Conference (CISC 2010), pages 210-213, National Chiao Tung University, Hsinchu, Taiwan, 27-28 May 2010.

[63] C. W. Tsai and T. Hwang. On quantum key agreement protocol . Technical Report, C-S-I-E, NCKU, Taiwan, R.O.C., 2009.

[64] G. S. Vernam. Cipher printing telegraph systems for secret wire and radio telegraphic communications. Transactions of the American Institute for Electrical Engineers, 45:109-115, 1926.

[65] X. M. Xiua, Li Dong, Y. J. Gao, F. Chia, Y. P. Ren, and H. W. Liu. A revised controlled deterministic secure quantum communication with ve-photon entangled state. Optics Communications, 283(2):344-347, Jan. 2010.

[66] Y. Zhao, B. Qi, X. F. Ma, H. K. Lo, and L. Qian. Experimental quantum key distribution with decoy states. arXiv:quant-ph/0503192v4, 3 Nov. 2005.

[67] N. Zhou, G. Zeng, and J. Xiong. Quantum key agreement protocol. Electronics Letters, 40(18):1149-1150, Sep. 2004.

[68] M. Zukowski, A. Zeilinger, M. A. Horne, and A. K. Ekert. Event-ready-detectors Bell experiment via entanglement swapping. Physical Review Letter, 71:4287, 1993.