Quantum Identity Authentication in the Counterfactual Quantum Key Distribution Protocol

In this paper, a quantum identity authentication protocol is presented based on the counterfactual quantum key distribution system. Utilizing the proposed protocol, two participants can verify each other’s identity through the counterfactual quantum communication system. The security of the protocol is proved against individual attacks. Furthermore, according to the characteristics of the counterfactual quantum key distribution system, we propose an authenticated counterfactual quantum key distribution protocol based on a novel strategy of mixing the two types of quantum cryptographic protocols randomly. The authenticated quantum key distribution can also be used to update the extent of the authentication keys.


Introduction
Quantum mechanics has had an immense influence on information security. Widely used public key cryptography algorithms such as the RSA public key algorithm face a serious threat from quantum computation [1]. Meanwhile, quantum computation also promotes new kinds of cryptographic protocols that can withstand the powerful computation capability of quantum computers. Interestingly, quantum mechanics can be both a sharp spear to break cryptographic systems and a strong shield to protect our privacy. Research shows that quantum key distribution (QKD) can provide information-theoretic security between two distant and authenticated parties [2][3][4][5]. Various QKD protocols have been proposed utilizing different quantum coding technologies, as well as other types of quantum cryptographic protocols, such as quantum secure direct communication [6][7][8][9][10][11], quantum secret sharing [12][13][14][15][16][17], quantum private querying [18][19][20][21][22][23] and so on [24][25][26].
Counterfactual QKD protocols employ a very interesting coding method where the valid key bits are generated when no photons have been transmitted in the public channel. Since there are no photons to be intercepted and captured for the signals of the valid key bits, it is very difficult for the adversaries to carry out an effective attack. Because of these characteristics, counterfactual QKD has attracted a lot of attention since its first appearance. In 2009, Noh proposed a QKD protocol [27] inspired by the counterfactual phenomena in the quantum world [28] and counterfactual computation [29]. The next year, Sun et al. proposed a high-efficiency version of counterfactual QKD utilizing more beam splitters [30]. The same year, Yin et al. strictly proved the security of Noh's protocol [31]. During the next few years, many experiments on the counterfactual QKD protocol were performed [32][33][34][35]. In the theoretical study of counterfactual quantum communication technology, some scholars analyzed the security of counterfactual QKD in real environments [36][37][38][39][40][41], while others proposed other types of quantum cryptographic protocols with counterfactual quantum communication technology, such as direct quantum communication [42][43][44], quantum private query [45], and so on [46][47][48][49][50][51][52][53].
As described above, the counterfactual QKD protocol has been proven secure in theory [31]; however, the security is based on several necessary conditions, such as perfect quantum detectors, a perfect single-photon source, a true random number generator and so on. Secure and reliable identity authentication is one of the key requirements of the security of the counterfactual QKD. Realizing identity authentication with quantum technology has many potential advantages such as higher security, higher efficiency and immunity to certain kinds of replay attacks. Therefore, we propose a quantum identity authentication (QIA) protocol that can be used in the counterfactual QKD protocol to identify the communication parties. Furthermore, due to the characteristics of the counterfactual quantum communication technology, the combined processes of the counterfactual QKD protocol and the proposed QIA protocol can be used to extend the length of authentication keys with almost arbitrary expanded proportion. This paper is organized as follows. In Section 2, we briefly review the processes of the counterfactual QKD and an alternative version, which our QIA protocol is based on. The specific process of the counterfactual QIA protocol is proposed in Section 3. With the QIA protocol in Section 3, we propose an authenticated counterfactual QKD protocol in Section 4. A brief conclusion is given in Section 5.

Review of the Counterfactual Quantum Key Distribution Protocol
The main purpose of this paper is to verify the participants' identities in the counterfactual QKD system. As a foundation protocol, the counterfactual QKD protocol [27] is briefly introduced in this section. Utilizing the interference system in Figure 1, the counterfactual QKD can help Alice and Bob generate a secure key based on the signals where no photons have traveled through the public channel. Note that, in Figure 1, C is the optical circulator; OD is the optical delay that makes the two paths a and b the same; OL is the optical loop and SW is the optical switch, which help Bob direct the pulse of a specific polarization to the detector $D_2$; FM is the Faraday mirror, which reflects the pulse while turning the state of the pulse to the orthogonal polarization; and $D_1$ can discriminate the polarizations of the pulse. The processes can be described as follows.
(1) At the beginning, Alice triggers the single-photon source S to emit a short optical pulse containing a single photon at a certain point in time. The photon is prepared in either horizontal polarization $|H\rangle$, which represents the classical bit 0, or vertical polarization $|V\rangle$, which represents 1. Afterwards, the pulse will be divided into two paths, a and b, when it passes the beam splitter (BS). The whole system can be described as one of the two orthogonal states where R and T are the reflectivity and transmissivity of BS, and R + T = 1. The state $|0\rangle_k$ represents the vacuum state in the path k, where k ∈ {a, b}.
(2) Bob randomly chooses a bit 0 or 1 and, utilizing the polarizing beam splitter (PBS) and the optical loop (OL), switches a differently polarized pulse to the detector $D_2$ according to the above bit. Precisely, if Bob chooses 0 (1), he switches the pulse in the state $|H\rangle$ ($|V\rangle$) to the detector $D_2$. In fact, when the pulse in path b reaches the PBS at Bob's side, it would directly go to the optical switch (SW) if the pulse were horizontally polarized, and if the pulse were vertically polarized, it would be reflected by the PBS, pass through the OL, be reflected by the PBS again, and then go to SW. Thus, if the pulse were in state $|V\rangle$, it would arrive at SW a certain period of time (L/c, where L is the length of OL and c is the speed of light) later than in the situation of $|H\rangle$. Therefore, Bob can choose to switch different polarized states to the detector $D_2$ by controlling the switch time.
(3) At last, Alice and Bob announce which detector clicks. If only $D_1$ detects a photon with the correct polarization, they establish a key bit; otherwise, the result will be used to detect eavesdropping. In fact, if Alice's and Bob's bits are identical, the pulse in path b will be absorbed by $D_2$, and the pulse in path a will be divided into two parts towards $D_0$ and $D_1$, respectively. In this situation, the three detectors $D_0$, $D_1$ and $D_2$ will click with the probabilities $R^2$, $RT$ and $T$, respectively. If Alice's and Bob's bits are different, the pulse in path b will be reflected back to BS. The Faraday mirror (FM) alters the state of the pulse to the orthogonal state while reflecting it; therefore, the pulse will deterministically pass the OL once and be reflected by the PBS twice, before or after the reflection of FM. The two paths a and b are set with the same length, so the two pulses will complete the interference at BS, with the same polarization state and a phase difference of π. In this situation, $D_0$ always clicks but $D_1$ never does. Therefore, Alice and Bob would share an identical bit when only $D_1$ clicks. In ideal cases, the shared bit is secure since no photons have passed through the public channel if $D_1$ clicks alone.
Generally, to achieve the highest key rate, R and T are set to be 1/2 and 1/2. Considering the situation of 50:50 BS, there is an alternative version (see Figure 2) of the above protocol.
In this alternative version proposed by Brida et al. [33], Bob uses a half wave plate (HWP) and a PBS to accomplish the same task as in the original protocol. The effect of the half wave plate can be described as follows, where α is the angle between the incident and the fast axis. The two Faraday mirrors are replaced by two mirrors. In Step (1), by adjusting the angle of $\mathrm{HWP}_A$, Alice randomly rotates the state of the single-photon pulse to $|H\rangle$ or $|V\rangle$. In Step (2), Bob randomly performs $U(0)$ or $U(\pi/4)$ on the incoming pulse by adjusting the angle of $\mathrm{HWP}_B$ to be 0 or π/4, where $U(\pi/4) = i|H\rangle\langle V| + i|V\rangle\langle H|$.
For convenience of reading, we list another two operations, which will be used later, When the pulse passes BS the first time, the state becomes one of the following states, which are exactly the same as Equations (1) and (2), ignoring the global phase −i or i introduced by $\mathrm{HWP}_A$. Here, we assume that S always emits a pulse in state $|V\rangle$. When Alice's and Bob's choices are 0 and π/4, respectively, the pulse in path b has been reflected back to BS at Alice's side, the state of the photon after the pulse passes BS the second time will become or similarly when Alice's and Bob's choices are π/4 and 0, the state would be where the subscripts represent the path leading to the corresponding detectors. Thus, the same as in the original protocol, $D_0$ always clicks in this situation. Correspondingly, the key should be generated when $D_1$ clicks.

QIA in the Counterfactual QKD System
In this section, we propose a QIA protocol, where two participants, utilizing a pre-shared classical authentication key, can verify each other's identity through the counterfactual QKD system. The communication system we adopt here is the alternative version, in which it is more convenient to introduce a conjugate basis to complete the task of identity authentication. Here, we make a minor modification: the half wave plate on Alice's side, i.e., $\mathrm{HWP}_A$, is set at the right side of BS (see Figure 3). Thus, the states of the photons back to Alice's side should always be the same as their original states, and the key bits should be generated from the signals where $D_0$ clicks alone.

The QIA Protocol Based on the Counterfactual QKD
For the sake of description of the proposed QIA protocol, we first expound some basic concepts about the protocol and the devices in Figure 3. Before the protocol, the two participants are required to pre-share a sequence of authentication keys $\{K_1, K_2, \ldots, K_l\}$. Each of the above keys has m + n bits, where the first m bits are used for Alice to verify Bob's identity, and the last n bits are for Bob to verify Alice's identity. Alice and Bob also record the statuses of their keys, originally "valid".
The single-photon source S in Figure 3 is supposed to always emit a pulse in state $|V\rangle$, and Alice can choose to keep its state or flip it to $|H\rangle$ utilizing $\mathrm{HWP}_A$. Ignoring the global phases, if Alice adjusts $\alpha_A$, the angle of $\mathrm{HWP}_A$, to 0, the state of the pulse remains $|V\rangle$, and if Alice adjusts $\alpha_A$ to π/4, the state changes to $|H\rangle$. Bob also randomly chooses to flip the state of the incoming pulse or not, utilizing $\mathrm{HWP}_B$. The above processes are just the alternative version of the counterfactual QKD protocol.
To complete the task of identity authentication, the participants use the authentication key as the control bits in the manner that, if the ith bit of the authentication key is 1, Alice and Bob both rotate their half wave plates by an additional angle of π/8; otherwise, they do nothing additionally. Thus, only the legal participants who have the authentication key can complete the QIA protocol legally. The concrete processes of the proposed QIA protocol are as follows.

1. Key status exchange.
Alice and Bob exchange the status of their pre-shared authentication keys and choose the one with the smallest subscript among those keys which are "valid" on both Alice's and Bob's sides. We denote the bits of this key K as $\{b_1, b_2, \ldots, b_m, a_1, a_2, \ldots, a_n\}$.

2. Authentication of Bob's identity.
The first m pulses are used to authenticate Bob's identity in the manner that Alice chooses her bit randomly and Bob always chooses bit 0, and both of the above choices are under control of the first m bits of K.

2.1 Alice generates a random string $R_A$ with m bits

2.2 For the ith pulse Alice emits into the system, she sets the angle of $\mathrm{HWP}_A$ as

2.3 For the ith coming pulse, Bob sets the angle of $\mathrm{HWP}_B$ as

2.4 Alice checks the results of $D_0$ and $D_1$. If $D_1$ clicks with the probability of 100% for the pulses where $r_i = 1$, and for those with $r_i = 0$, $D_0$ and $D_1$ click with the probability about 25% and 25%, respectively, Alice believes Bob's identity and they go on to Step 3; otherwise, Alice skips to the last step.

3. Authentication of Alice's identity.
In this step, Bob checks Alice's identity with the help of the last n bits of K.

3.1 Bob generates a random string $R_A$ with m bits

3.2 For the (m + j)th pulse, Alice sets the angle of $\mathrm{HWP}_A$ as

3.3 For the (m + j)th coming pulse, Bob sets the angle of $\mathrm{HWP}_B$ as

3.4 Bob checks the results of $D_2$. If $D_2$ never clicks when $s_i = 0$ and clicks with the probability of 50% for both of the two cases $\{s_i = 1, a_i = 0\}$ and $\{s_i = 1, a_i = 1\}$, Bob believes Alice's identity.

4. Key status update.
Alice and Bob update the statuses of K as "invalid".

Correctness of the Proposed QIA Protocol
For the legal Alice and Bob, they can verify each other's identity following the above processes. The unitary operations of the HWPs in different cases are shown in Equations (4)-(7). In the processes of Step The final state, i.e., the state of the polarization and the position of the photon after (part of) it passes BS the second time, is Here, we use $\rho_{H_A}(\alpha)$ to denote the state of the pulse when it first passes BS and $\mathrm{HWP}_A$ in the situation that $\alpha_A = \alpha$, $\rho_{PBS}(\alpha_1, \alpha_2)$ to denote the state when the pulse first passes PBS in the situation that $\alpha_A = \alpha_1$ and $\alpha_B = \alpha_2$, and $\rho_{BS}(\alpha_1, \alpha_2)$ to denote the state when the pulse passes BS the second time. For the situation of {π/8, π/8}, where and Thus, the final state of this case would be For both above cases of Equations (21) and (25), $D_0$, $D_1$ and $D_2$ would click with the probabilities of 25%, 25% and 50%, respectively. Similarly, we can calculate that $D_1$ always clicks in these two cases. The calculations on the four cases coincide with the judgements at the end of Step 2.
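The detector statistics that Step 2.4 relies on can be reproduced with a small Jones-matrix model of one pulse. This is an added example, not code from the paper; the guessing responder in it is a deliberately naive model, not the optimal attack bounded in Appendix A. It assumes the standard half-wave-plate matrix (which reproduces the paper's $U(\pi/4)$), a PBS at Bob's side that sends $|V\rangle$ to $D_2$, an interferometer phase chosen so that $D_1$ is the bright port, and the angle rules $\alpha_A = \pi/4 \cdot r_i + \pi/8 \cdot b_i$ and $\alpha_B = \pi/8 \cdot b_i$ quoted later in step b2 of the authenticated protocol.

```python
import math


def hwp(alpha):
    """Jones matrix (H, V basis) of a half-wave plate with fast axis at alpha.
    Standard form; hwp(pi/4) equals the paper's U(pi/4) = i|H><V| + i|V><H|."""
    c, s = math.cos(2 * alpha), math.sin(2 * alpha)
    return ((1j * c, 1j * s), (1j * s, -1j * c))


def apply(m, v):
    """Apply a 2x2 Jones matrix to an (H, V) amplitude pair."""
    return (m[0][0] * v[0] + m[0][1] * v[1], m[1][0] * v[0] + m[1][1] * v[1])


def detector_probs(alpha_a, alpha_b):
    """Click probabilities for one |V> photon in the modified (Figure 3) layout."""
    amp = 1 / math.sqrt(2)                 # 50:50 beam splitter
    arm_a = (0.0, amp)                     # path a: mirror, polarization unchanged
    # Path b, outbound: HWP_A, the public channel, then HWP_B.
    out = apply(hwp(alpha_b), apply(hwp(alpha_a), (0.0, amp)))
    p_d2 = abs(out[1]) ** 2                # assumption: Bob's PBS sends |V> to D2
    # The |H> part is reflected and passes HWP_B and HWP_A a second time.
    back = apply(hwp(alpha_a), apply(hwp(alpha_b), (out[0], 0.0)))
    # Assumed phase convention: constructive interference exits toward D1.
    d1 = [(arm_a[k] + back[k]) / math.sqrt(2) for k in (0, 1)]
    d0 = [(arm_a[k] - back[k]) / math.sqrt(2) for k in (0, 1)]
    return {"D0_H": abs(d0[0]) ** 2, "D0_V": abs(d0[1]) ** 2,
            "D1_H": abs(d1[0]) ** 2, "D1_V": abs(d1[1]) ** 2, "D2": p_d2}


def alice_angle(r_i, b_i):
    """Alice's plate angle for random bit r_i and key bit b_i (step b2)."""
    return math.pi / 4 * r_i + math.pi / 8 * b_i


def bob_angle(b_i):
    """Bob's plate angle for key bit b_i (step b2)."""
    return math.pi / 8 * b_i


def visible_error(r_i, key_bit, responder_bit):
    """Probability that one pulse gives an outcome impossible for honest Bob.
    r_i = 1: anything other than a |V> click at D1.
    r_i = 0: a horizontally polarized photon at D0 or D1."""
    p = detector_probs(alice_angle(r_i, key_bit), bob_angle(responder_bit))
    if r_i == 1:
        return 1.0 - p["D1_V"]
    return p["D0_H"] + p["D1_H"]


def guessing_impostor_pass_probability(m):
    """Chance that a responder who guesses every key bit causes no visible
    error in m pulses (r_i and the guess uniform; ratio tests ignored)."""
    per_pulse = sum(visible_error(r, b, g)
                    for r in (0, 1) for b in (0, 1) for g in (0, 1)) / 8
    return (1.0 - per_pulse) ** m


if __name__ == "__main__":
    for b in (0, 1):
        for r in (0, 1):
            p = detector_probs(alice_angle(r, b), bob_angle(b))
            print(f"honest b={b} r={r}:", {k: round(v, 3) for k, v in p.items()})
    print("wrong key bit, r=1, visible error:", round(visible_error(1, 0, 1), 4))
    print("guessing responder passes 64 pulses:",
          guessing_impostor_pass_probability(64))
```

With matching key bits the model returns 25%/25%/50% for $r_i = 0$ and a certain $D_1$ click for $r_i = 1$, as stated above; a responder using the wrong key bit leaves $D_1$ silent or wrongly polarized often enough that a few dozen pulses expose it.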

The Security Analysis for No-Error Cases
In fact, the security of Bob's identity is protected by the first part of K, i.e., $\{b_1, b_2, \ldots, b_m\}$. Bob's operation in the first part is $U(0)$ if $b_i = 0$ and $U(\pi/8)$ if $b_i = 1$. According to the theorems on operation discrimination, the above two operations cannot be discriminated without error (see Appendix A for details). If the adversary, who is forging Bob's identity to communicate with Alice, performs a wrong operation on the received pulse, Alice would get a wrong measurement result. Therefore, the adversary cannot always give Alice a correct response to pass Alice's tests. Correspondingly, the security of Alice's identity is protected by the second part of K, i.e., $\{a_1, a_2, \ldots, a_n\}$. Since the second part of the protocol is only executed when the communicating peer passes Alice's tests, the adversary cannot get any information about the string $\{a_1, a_2, \ldots, a_n\}$ from Alice's side. Therefore, the adversary has to face Bob's tests without any information on the authentication key. Considering that Bob chooses his angles from {0, π/8, π/4, 3π/8} randomly, the measurement results would be random if he is communicating with the adversary who has no information about $\{a_1, a_2, \ldots, a_n\}$. That is, the adversary cannot pass Bob's tests without introducing any error. Above all, we can conclude that the adversary cannot forge either Alice's identity or Bob's identity in the no-error cases.
For the more general cases, the security analysis of the proposed protocol is described in Appendix A. Specifically, for each signal, we calculate a relaxed lower bound of the minimum error probability that the adversary has to introduce in Alice's test while forging Bob, and a relaxed lower bound of the minimum error probability that the adversary has to introduce in Bob's test while forging Alice, $P_a > 6.5\%$.
We believe that the tight bounds would be much larger, since we have made many relaxations during the derivation procedure to simplify it.

Authenticated Counterfactual QKD Protocol
In this section, we propose an authenticated counterfactual QKD protocol utilizing the proposed QIA protocol. The basic idea is to mix the process of the QIA protocol into the QKD protocol according to the random data generated in the QKD protocol, which can be recorded identically by the two participants without any communication. In the following authenticated QKD protocol, the length of the original authentication key is independent of the length of the newly generated key. Suppose the length of the key that the participants expect to generate is m, and the length of the authentication key $K_A$ which meets the requirement of security is n. Then, the mixing parameter of the authenticated counterfactual QKD protocol is With the definition of r, the main processes of the authenticated QKD protocol can be briefly described as follows: once Bob's detector has clicked r times, Alice and Bob insert one round of the QIA process presented in the last section. Specifically, utilizing the devices and circuit in Figure 3, the participants can implement the authenticated counterfactual QKD protocol as follows. For convenience of the following description, we use $p_i$ to denote the probability that the ith signal is used for the process of QIA.

a. Set-up.
For the main processes described above, $p_i$ converges as i gets larger; however, it is much smaller than the convergence value for small i. For example, $p_i = 0$ when i ≤ r. If the adversary only attacks these signals with smaller $p_i$, he is more likely to pass the participants' test. Therefore, before the formal steps of the protocol, Alice and Bob should equalize $p_i$ for different i. $l_r$ pulses would be used in this stage, where $l_r = 2 \log(4r + 1)$.

a1 Alice emits $l_r$ single-photon pulses to the system one by one. For each pulse, Alice (Bob) randomly chooses the angle of $\mathrm{HWP}_A$ ($\mathrm{HWP}_B$) to be one of {0, π/8, π/4, 3π/8}.

a2 If the photon goes to Bob's detector, i.e., $D_2$ clicks and $D_0$ and $D_1$ do not, they record a classical bit 1. If the photon goes back to Alice, i.e., $D_0$ or $D_1$ clicks and $D_2$ does not, they record a classical bit 0.

a3 After all the $l_r$ pulses have been detected by the three detectors, Alice and Bob get an $l_r$-bit binary number. Then, they use a hash function to uniformly map the above number into the set {0, 1, ..., 4r}, and denote the result as $f_r$. Note that, for one single binary bit, the uncertainty is Alice and Bob produce $l_r$ signals here so that the uncertainty of the $l_r$ bits is larger than log(4r + 1), to make the value of $f_r$ totally random.

b. Signal transmission and identity authentication.
Utilizing the random number $f_r$ generated in the last step, the participants start to distribute a new key while authenticating each other's identity.

b1 For the first $f_r$ pulses in this step, Alice and Bob perform the QKD process, i.e., they both randomly alter the angles of $\mathrm{HWP}_A$ and $\mathrm{HWP}_B$ to be 0 or π/4 and record the clicking situation of each detector and the state of the photon if the detector has clicked.

b2 The ($f_r$ + 1)th pulse is the first pulse for identity authentication. As in Steps 2.2 and 2.3 in the above QIA protocol, Alice alters the angle of $\mathrm{HWP}_A$ to be $\pi/4 \cdot r_1 + \pi/8 \cdot b_1$ and Bob alters the angle of $\mathrm{HWP}_B$ to be $\pi/8 \cdot b_1$, where $b_1$ is the first bit of the authentication key and $r_i$ is a random bit.

b3 From the ($f_r$ + 2)th pulse, the participants start to insert the process of QIA into the QKD according to the random data of the clicks of the detectors. Precisely, each time the number of clicks of $D_2$ reaches an integral multiple of r, they insert one round of the QIA process immediately until the authentication process for Bob's identity has finished.

b4 Alice checks Bob's identity according to Step 2.4.

c. Eavesdropping detection.
Alice and Bob first check the validity of each other's identity. If the identity authentication passes, they continue to the rest of the counterfactual QKD protocol to generate a new key and use part of the new key to update the authentication keys.
In the above protocol, the processes of QIA and QKD are mixed randomly; however, they are performed independently. More specifically, the sequence of the signals for QIA and the ones for QKD is random for the adversaries. On the other hand, each signal is either used for QIA or for QKD, but never for both. Because of such independence, the correctness of the above protocol is obviously established considering the correctness of the counterfactual QKD protocol [27,31] and the counterfactual QIA protocol presented in the last section, as is the security of the process of QIA and the process of QKD. The only new factor which may influence the security of the whole protocol is that the adversary may discriminate the two types of signals, i.e., the signals for QKD and the signals for QIA, and then only attack the signals for QKD. Next, we prove that the adversary cannot discriminate the two types of signals.
Firstly, the two types of signals cannot be discriminated precisely. For a QKD signal, Alice randomly sets her angle as 0 or π/4, and the reduced density matrix for the state in path b is For a QIA signal in the first part, Alice's operation set is {0, π/8, π/4, 3π/8}, and the reduced density matrix for the state in path b is which is the same as $\rho_{QKD}$. For the second part of QIA, Alice's operation set is {0, π/8}, and the reduced density matrix for the state in path b is The minimum error probability of discriminating $\rho_{QKD}$ and $\rho_{QKA_A}$ is which is close to 1/2, the probability of a random guess. Furthermore, the discrimination operation will inevitably disturb the pulse in path b and introduce errors in the authentication process or the detection mode of QKD.

Secondly, we analyze the probability of being a QIA pulse for each signal. The expectation of the above probability can be deduced by calculating the average interval of two QIA signals, which is Then, both sides of the above equation are multiplied by (1 − p), By subtracting the two equations, we have Suppose Then, We can get So that, Substituting Equation (44) into Equation (40), we have where p = 1/4. This implies that every D + 1 signals contain one QIA signal on average. Therefore, the average probability for a pulse to be a QIA signal is However, it is difficult to propose a strategy where the above probability is totally identical for each signal. As for the proposed protocol, the probability of the lth signal to be a QIA one is The graphs of the function $p_r(l)$ for different values of r are given in Figure 4. We can see that the probability $p_l$ tends to be stable when l is larger than 8r. The adversary cannot effectively reduce the error rate introduced by his attack utilizing the probability distribution of the type of the signals.
Therefore, if the adversary wants to attack a proportion of the QKD signals, she will have to disturb a similar proportion of the QIA signals, which will cause a failure result in the QIA part.
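The effect of the set-up offset $f_r$ on the per-signal QIA probability can be computed exactly under a simplified schedule model. This is an added example, not the paper's code or its formula for $p_r(l)$: it assumes each QKD signal makes $D_2$ click independently with probability p = 1/4, that one QIA signal follows every r-th such click, and that clicks on QIA signals are not counted.

```python
from math import comb

P_CLICK = 0.25  # p = 1/4 from the text: chance that a QKD signal ends in D2


def gap_pmf(r, max_len):
    """g[k] = P(the next QIA signal comes k signals after the previous one).
    The r-th D2 click lands on the n-th QKD signal (n >= r, negative binomial),
    then one QIA signal follows, so k = n + 1."""
    g = [0.0] * (max_len + 1)
    for n in range(r, max_len):
        g[n + 1] = comb(n - 1, r - 1) * P_CLICK ** r * (1 - P_CLICK) ** (n - r)
    return g


def qia_probability(r, max_len, randomized_start):
    """q[l] = P(the l-th signal is a QIA signal) for l = 1..max_len (q[0] unused).

    randomized_start=True  models steps a/b: f_r is uniform on {0, ..., 4r}
                           and signal f_r + 1 is the first QIA signal.
    randomized_start=False models the bare rule "insert QIA after every r clicks"
                           with no set-up stage.
    """
    g = gap_pmf(r, max_len)
    if randomized_start:
        first = [0.0] * (max_len + 1)
        for l in range(1, min(4 * r + 1, max_len) + 1):
            first[l] = 1.0 / (4 * r + 1)
    else:
        first = g
    q = [0.0] * (max_len + 1)
    for l in range(1, max_len + 1):
        # Either signal l is the first QIA signal, or an earlier QIA signal
        # at position l - k is followed by a gap of exactly k.
        q[l] = first[l] + sum(q[l - k] * g[k] for k in range(r + 1, l))
    return q


def long_run_probability(r):
    """Average share of QIA signals: one per (r / p + 1) = 4r + 1 signals."""
    return 1.0 / (r / P_CLICK + 1)


if __name__ == "__main__":
    r = 3
    plain = qia_probability(r, 120, randomized_start=False)
    mixed = qia_probability(r, 120, randomized_start=True)
    print("l   no set-up   with set-up   long-run")
    for l in (1, 2, 3, 4, 8, 13, 24, 60, 120):
        print(f"{l:<4}{plain[l]:<12.5f}{mixed[l]:<14.5f}{long_run_probability(r):.5f}")
```

Without the set-up stage the first r signals are never QIA signals, which is the weakness the text describes; with the uniform offset the first signals already carry probability 1/(4r + 1), and both schedules settle at that value for large l.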

Conclusions
In this paper, we first propose a quantum identity authentication protocol that can be realized in the counterfactual quantum communication system. Then, we propose an authenticated counterfactual QKD protocol by mixing the processes of the proposed QIA protocol and the counterfactual QKD protocol in [33]. In this authenticated counterfactual QKD protocol, the two independent processes of QKD and QIA are mixed randomly for any third party except the two participants; therefore, the adversaries cannot discriminate between a QIA signal and a QKD signal. Any attempt to perform a man-in-the-middle attack on the process of QKD will disturb the signal in the QIA process and cause a failure result in the identity authentication. Since the two processes are independent, the length of the authentication key is only related to the expected confidence degree for the participants' identities, and is not concerned with the length of the newly generated key in QKD. Therefore, the key expansion in our protocol can be extremely high in theory. The problem is that the proposed protocol can only be performed in noiseless channels since any channel loss or dark count would mess up the whole process of the protocol. Once a channel loss or dark count happens, Alice and Bob cannot synchronize the random data to control the signal type. Despite this, we think the idea of identity authentication in this paper is promising in theory and might inspire practical QIA protocols and authenticated QKD protocols designed in similar ways. The theory of high key-expand-ability QIA protocols in noisy channels will also be our future work.

Appendix A
In the above equations, the states for the adversary's system are non-normalized and satisfy To avoid multiple responses in Alice's detectors, when the state in path b is the empty state $|0\rangle$, the adversary should keep it empty, therefore $\langle 00|00\rangle = 1$.
When the pulse in path b arrives at the adversary's side, the whole state of path a, path b and the adversary's system E is where For the situation α = 0, the state after the adversary's operation is When the pulse in path b passes $\mathrm{HWP}_A$ the second time, the state turns to Further, when the two pulses in paths a and b pass BS the second time, the state becomes After a simple transformation, we can get Similarly, we can get the states of the whole system when the two pulses pass BS the second time and Alice would notice the existence of the adversaries if she has detected a photon in horizontal polarization or the clicking probabilities of $D_0$ and $D_1$ are not correct. We divide the probability that the adversary would be found into four parts. The first part is the probability that Alice detects a horizontally polarized photon, The second part is the probability that Alice has not detected any photon when $r_i = 1$, The third part is the probability that Alice detects a vertically polarized photon at $D_0$ when $r_i = 1$, The fourth part is about the scales of the clicks of $D_0$ and $D_1$, and this part is related to the length of the authentication key and the required confidence of the users' identities in the actual applications.
We consider only the first two parts, and we have Obviously, a necessary condition for the minimum of $P_1 + P_2$ is that the two vectors in each of the three pairs $\{|hv\rangle, |hh\rangle\}$, $\{|vv\rangle, |vh\rangle\}$ and $\{|h0\rangle, |v0\rangle\}$ are reversed. Under this condition, we can figure out the minimum value of $P_1 + P_2$ by Lagrange multiplier, Thus, in the situation that the adversary knows nothing about the authentication key, he would be discovered by Alice with a probability that is larger than

Next, we analyze the situation that the adversary first communicates with Bob to pry into the authentication key, and then forges Bob's identity with the information about the authentication key he got from Bob. Similar to the processes above, we assume that the adversary prepares the following state and sends the system T to Bob, where $\langle e_h|e_h\rangle + \langle e_v|e_v\rangle + \langle e_0|e_0\rangle = 1$. Bob can prevent the adversary from sending a multi-photon system to him by adding a beam splitter and an additional detector before $D_2$. If the authentication key bit is 0, after Bob's operation, the whole state would become If the key bit is 1, the whole state would be where To calculate an accurate result of the minimum error probability to discriminate $\mathrm{tr}_2(|\phi_0\rangle\langle\phi_0|)$ and $\mathrm{tr}_2(|\phi_1\rangle\langle\phi_1|)$ is difficult. Here, we pursue a lower bound by giving the adversary the power to access the system 2, i.e., we calculate the minimum error probability of the discrimination of $|\phi_0\rangle$ and $|\phi_1\rangle$ as a lower bound of the minimum error probability to discriminate $\mathrm{tr}_2(|\phi_0\rangle\langle\phi_0|)$ and $\mathrm{tr}_2(|\phi_1\rangle\langle\phi_1|)$. According to the known conclusions on quantum states discrimination, we find that Now, the problem becomes finding the minimum value of $|\langle\phi_0|\phi_1\rangle|$. By substituting Equations (A26) and (A27) into the above formula, we get $\langle\phi_0|\phi_1\rangle = \frac{1}{\sqrt{2}}\left(\langle e_h|e_+\rangle - \langle e_v|e_-\rangle\right) + \langle e_0|e_0\rangle$. Assuming that $|e_h\rangle = (l_1 e^{\alpha_1 i}, l_2 e^{\alpha_2 i}, \ldots)^T$, $|e_v\rangle = (m_1 e^{\beta_1 i}, m_2 e^{\beta_2 i}, \ldots)^T$.
Then, Equation (A31) changes to We can get the minimum of $|\langle\phi_0|\phi_1\rangle|$, which appears when $\alpha_k - \beta_k = -\pi$ and $m_k = (\sqrt{2} - 1) l_k$ for any k, and $\langle e_0|e_0\rangle = 0$. By further calculation, we can get the lower bound of the minimum error probability of the adversary guessing each bit of the first m bits of the authentication key, Here, we made many relaxations to get the above result, and we think the tight lower bound is much larger than it. With the information about the authentication key he obtained from the above operation, the adversary could improve his attack. A relaxed lower bound of the minimum error probability the adversary introduced would be This means in the situation that the adversary knows nothing about the authentication key, he would be discovered by Alice with a probability that is larger than