A New Quantum Multiparty Simultaneous Identity Authentication Protocol with the Classical Third-Party

To guarantee information security in communication, quantum identity authentication plays a key role in politics, economy, finance, daily life and other fields. In this paper, a new quantum multiparty simultaneous identity authentication protocol with Greenberger–Home–Zeilinger (GHZ) state is presented. In this protocol, the authenticator and the certified parties are the participants with quantum ability, whereas the third party is a classical participant. Here, the third-party is honest and the other two parties may be dishonest. With the help of a classical third-party, a quantum authenticator and the multiple certified parties can implement two-way identity authentication at the same time. It reduces the quantum burden of participants and lowers down the trustworthiness, which makes the protocol be feasible in practice. Through further security analysis, the protocol can effectively prevent an illegal dishonest participant from obtaining a legitimate identity. It shows that the protocol is against impersonation attack, intercept-measure-resend attack and entangle-measure attack, etc. In all, the paper provides positive efforts for the subsequent security identity authentication in quantum network.


Introduction
In the past few years, with the rapid development of quantum computing, existing cryptographic schemes face the security threat that the scheme can not resist quantum computing attacks. In order to solve this security problem, the idea of applying quantum technology to the cryptography scheme is proposed, and then quantum cryptography appears. In quantum cryptography, the security is guaranteed by the Heisenberg uncertainty principle, quantum non-cloning theorem and other quantum mechanics principles, which is no longer based on mathematical difficulties problems. With the development of quantum cryptography, various different types of quantum cryptography protocols have been proposed, which mainly involves Quantum Key Distribution (QKD) [1][2][3], Quantum Secure Direct Communication (QSDC) [4][5][6], Quantum Authentication (QA) [7][8][9][10][11], etc. Among them, quantum authentication is becoming an important branch and has attracted more and more attention. Quantum authentication can generally be divided into the following aspects: quantum message authentication (QMA) [12][13][14], quantum entity authentication (QEA) [11,15,16], quantum identity authentication (QIA) [17][18][19][20]. Since authentication is a prerequisite for completing many quantum protocols, it will have more important application prospects in practice.
In 1999, by combining quantum key distribution and classical identification procedure, Dušek et al. first designed a secure identity authentication system [21]. In 2000, Zeng et al. put forward a quantum key verification protocol, which quantum identity authentication occurs while completing the quantum key verification [22]. In 2002, Takashi et al. presented three types of quantum identification schemes [23]. They completed two quantum identifications by using the entangled states and introducing a trusted authority. Besides, a quantum message authentication scheme was proposed via combining the quantum cryptosystem with the ordinary authentication. Until then, most QIA schemes only involved simple authentication between two or three users, but few authentications involved multiple parties. In 2006, Wang et al. proposed a multiparty simultaneous identity authentication (MSQIA) protocol based on entanglement swapping [24]. All the users in the protocol can be authenticated by a trusted third party (TTP) simultaneously. In 2013, Yang et al. proposed a quantum protocol for (t,n)-threshold identity authentication based on GHZ States [25]. In the MSQIA protocol, the trusted third party (TTP) can authenticate the users simultaneously when and only when t or more users among n apply for authentication.
In 2017, Hong et al. presented a QIA protocol based on single photons [26]. The protocol does not require any quantum memory registration and quantum entangled states to complete the authentication. In 2019, Zawadzki et al. proposed an improved version with better security for the protocol of Hong et al. [27]. The improved protocol does not require an authenticated classic channel, Bob simply confirms or denies the entire authentication transaction. In the same year, Zhang et al. presented a quantum simultaneous identity authentication based on Bell states [28]. With the help of a third party, the mutual identity authentication protocol was designed by combining Bell states and Pauli operations. This protocol can prevent a third party from knowing the originally shared key. Then, Jiang et al. proposed a mutual simultaneous identity authentication protocol between quantum user and classical user by using Bell states in 2021, which did not require the third party or complicated operations [29]. In the protocol, only the single-qubit measurement and XOR operations were performed to complete the authentication. Nevertheless, the protocols mentioned above cannot achieve multiparty simultaneous authentication.
However, in real life, it is difficult for the third-party to have quantum capability. In this paper, a new quantum multiparty simultaneous identity authentication protocol based on (r + 1)-particle GHZ state the classical third-party is presented. In the protocol, the thirdparty does not require to prepare any quantum resources during quantum authentication communication. Moreover, the third-party only perform certain operations in the initial registration and the final certification stage, and he does not participate in the following steps. Thus, the authority of third-party is reduced and the protocol is more reasonable in reality. Furthermore, in our protocol, authenticator randomly generates quantum resource, whereas the authenticated users require to conduct measurement and reflection operations, etc.
The rest of the paper is organized as follows: in Section 2, some preliminaries are presented in this section. In Section 3, a quantum multiparty simultaneous identification protocol is proposed. In Section 4, the security analysis is described in detail. Finally, a conclusion is given in Section 5.

Preliminaries
The following basic theories needed to complete the authentication protocol. The (r + 1)-particle GHZ state is widely used in quantum communication, it can be expressed as: where g i ∈ {0, 1}(i = 0, 1, · · · , r), ⊕ is the XOR operation, |1 and |0 are the two eigenstates of the Z-basis.

Quantum Multiparty Identity Authentication Protocol
In this section, we will introduce the details of our multi-party simultaneous identity authentication protocol. Alice is an authenticator, whereas Bob 1 , Bob 2 , · · · , Bob r are the certified users. We suppose that a third party, Trent, can help user Alice to simultaneously authenticate the identity of r legal users Bob 1 , Bob 2 , · · · , Bob r . The process of identity authentication protocol is shown in Figure 1. There are no noise and losses in the quantum channel. Nonetheless, these steps is essential in the protocol.

Registration
In the beginning, Alice and Bob i (i = 1, 2, · · · , r) are registered with Trent, then their legal identification will be determined, respectively. In other words, each of them shares a secret identity number K with Trent. The secret identity number K A 0 , K B 1 , K B 2 , · · · , K B r between Trent and Alice or Bob 1 , Bob 2 , · · · , Bob r are represented by

The First Eavesdropping Detection
Once Bob 1 , Bob 2 , · · · , Bob r received sequences S B 1 , S B 2 , · · · , S B r , Alice announces the initial positions of the rN decoy qubits. Afterwards, Bob 1 , Bob 2 , · · · , Bob r store the sequence briefly. Then they select a subset of N decoy particles to perform the following operations: measuring the decoy photons on the Z-bases or X-bases randomly; preparing states which are same to the measured results; transmitting these decoy states from S B 1 , S B 2 , · · · , S B r to Alice, respectively.
Once confirming that Alice has received the states, Bob 1 , Bob 2 , · · · , Bob r publish the positions, measurement results and measurement bases of the corresponding decoy photons sequence, respectively. Alice will measure these particles by using the same basis and get the measured result R , then compare R with the measured result of her initial prepared state and checks whether the results are correct.
At last, Alice computes the total error rate. If the error rate of these particles is acceptable, the protocol will continue. Otherwise, they will give up continuing to authenticate.

Measurement and Operation
Bob 1 , Bob 2 , · · · , Bob r separately make Z-basis measurements on the S B 1 , · · · , S B r sequences and record the measurement results R B 1 , R B 2 , · · · , R B r . Then they perform the following operation in order according to the secret identity number K A 0 , K B 1 , · · · , K B r , respectively. If the bit of authentication key is 0, Bob 1 , Bob 2 , · · · , Bob r will perform X operation on the particles which are in the sequences S B 1 , S B 2 , · · · , S B r , respectively. If the bit of authentication key is 1, Bob 1 , Bob 2 , · · · , Bob r will implement Y operation on the corresponding particles of sequences S B 1 , S B 2 , · · · , S B r . The specific operations and corresponding conversion results are shown in Table 1. Next, Bob 1 , Bob 2 , · · · , Bob r insert N decoy photons from {|0 , |1 , |+ , |− } into the sequence R B 1 , R B 2 , · · · , R B r , respectively. At this point, sequence R B 1 , R B 2 , · · · , R B r is converted to sequence R B 1 , R B 2 , · · · , R B r . At last, Bob 1 , Bob 2 , · · · , Bob r transfer the sequences R B 1 , R B 2 , · · · , R B r to Alice.

The Second Eavesdropping Detection
Firstly, Bob 1 , Bob 2 , · · · , Bob r confirm that Alice has received the sequence R B 1 , R B 2 , · · · , R B r . Then they announce the positions, measurement results and measurement bases of the corresponding N decoy photons in the sequences, respectively. After that, Alice performs the same operation as the first detection eavesdrop. Finally, Alice counts the total error rate. If the error rate exceeds the security threshold, the protocol will be terminated. Otherwise, they will continue to authenticate.

Verification
After passing the second eavesdropping detection, sequences R B 1 , R B 2 , · · · , R B r are restored to R B 1 , R B 2 , · · · , R B r by Alice. Then she performs Z-basis measurement on the qubits at the corresponding positions of S A 0 , R B 1 , R B 2 , · · · , R B r . After the measurement, according to the conversion rules are shown in Table 2, the measurement results are converted into classical results x,R B 1 ,R B 2 , · · · ,R B r , which can be denoted as Then Alice publishes the results of Alice and Bob 1 , Bob 2 , · · · , Bob r will be seen as legitimate participants. Otherwise, there will be illegal communicators in the protocol. Finally, Trent announces to Alice and Bob 1 , Bob 2 , · · · , Bob r whether the certification is successful.

Security Analysis
Security is the most important part of quantum communication protocols. In this section, the security of the multiparty identity authentication protocol is discussed. During the transmitting procedure of quantum signals, there may be an eavesdropper who wants to pass the identity authentication by illegal operations. In general, eavesdroppers are divided into two situations, which are internal eavesdropper and external eavesdropper. Next, the security of the protocol is analyzed for both aspects.

Impersonation Attack
In the proposed quantum multiparty identity authentication protocol, Alice is the authenticator and resource provider, whereas Bob 1 , · · · , Bob r play the authenticated roles. In this subsection, Bob e is one of Bob 1 , · · · , Bob r and he may have two methods to execute the impersonation attack.
On the one hand, we suppose that attacker Bob e attempts to impersonate verifier Alice. Bob e randomly generates quantum states and allocates entangled particles to Bob 1 , · · · , Bob r . In the paper, Bob e can follow the protocol steps faithfully, but he tries to extract the authentication keys between Trent and Alice. When Bob e proceeded to the Section 3.2.5, he could only perform random XOR operations on qubits due to his ignorance of the pre-shared key K A 0 . He also does not know the measurement results x of sequence S A 0 . If Bob wants to publish the calculation results Q i , he will need to randomly choose one of the classical bit values of 0 or 1 to perform the XOR operations. Therefore, the probability that Bob e can successfully impersonate Alice is 1 2 N . As shown on the left of Figure 2, when the number N of particles is large enough, the probability P 1 = 1 − 1 2 N of failure of Bob e approximates 1. On the other hand, attacker Bob e may impersonate the legitimate user Bob j (e = j). Firstly, Bob j has previously registered his identity information with Trent. That is, he has shared the secret identity key with Trent. In Section 3.2.3, Bob e requires to perform corresponding operation on the measurement result R B j by combining Bob j 's identity numbers K B j and the transition rules of Table 1. Next, although Bob e knows the conversion rules, he is ignorant of Bob j 's identity K B j . Hence he can perform X or Y operations on the received sequence randomly. The probability of choosing either the correct operation or the incorrect operation is 1 2 . Besides, the probability that the Bob e gets the correct conversion result is 1 2 N . Finally, the probability P 2 = 1 − 1 2 × 1 2 N of Bob e 's attack being found tends to be 1 in the Figure 2. Therefore, the protocol can effectively resist impersonation attacks.

Entangle and Measure Attack
Moreover, we discuss whether some illegal users can get secret information through entanglement measurement attack in the process of information interaction. When the qubits are sent from Alice to Bob j , we suppose Bob E performs operation U E on the system composed of decoy photons {|0 , |1 , |+ , |− }and the ancillary state which is prepared by Bob E as U E . We can get U E |0 |e = a|0 |e 00 + b|1 |e 01 U E |1 |e = c|0 |e 10 + d|1 |e 11 (5) U E |+ |e = 1 √ 2 [|0 (a|e 00 + c|e 10 ) + |1 (b|e 01 + d|e 11 )] = 1 2 [|+ (a|e 00 + b|e 01 + c|e 10 + d|e 11 ) + |− (a|e 00 − b|e 01 + c|e 10 − d|e 11 )] where |e 00 , |e 01 , |e 10 , |e 11 belong to the Hilbert space of Bob E 's probes and|a| 2 + |b| 2 + |c| 2 + |d| 2 = 1 . After transmission, Bob E measures ancillary qubit to get Bob j 's operations. In order to pass the eavesdropping detection without introducing any errors, he should perform the following actions: However, if b = c = 0 , it means a|e 00 = d|e 11 . It shows that Bob E cannot distinguish between a|e 00 and d|e 11 . Hence, the proposed protocol can resist the entangle-measure attack.

Intercept-Measure-Resend Attack
Actually, Bob e as one of Bob 1 , · · · , Bob r can only get his identity number from the third party Trent. Now, we consider whether he can get the identity of Bob j (e = j). First of all, he could not have obtained any related information about the identity of Bob j by accessing Trent since the third party is absolutely honest with our protocol. Furthermore, he also can't get the true identity of Bob j through the intercept-measure-resend attack.
In Section 3.2.1, Alice inserts rN decoy photons into the sequences S B 1 , S B 2 , · · · , S B r each for the eavesdropping detection, respectively. However, Bob e does not know the initial positions and initial states of the decoy particles in the sequence Alice sent to Bob j . Bob e is a quantum participant who can perform measurement operations on the Z-basis and X-basis. Therefore, if he wants to intercept the particle that Alice is transmitting to Bob j in Section 3.2.1, the measurement based on Z-bases and X-bases randomly can be performed. There are four measurements for these bases, |1 , |0 , |+ and|− . Furthermore, it is difficult to just select the correct N position in the 2N sequence. His probability of success is 1 2 × 1 4 N = 1 8 N . As shown on the left of Figure 3, when N is large enough, the probability P 3 = 1 − 1 8 N is approximate to 1. Therefore, it is almost impossible for illegal behavior of Bob e not to be detected.

External Attack
Unlike internal attackers, external attackers are illegal eavesdroppers from the outside. Eve is an eavesdropper who wishes to obtain some secret information to pass the identity authentication. Eve often uses the impersonation attack, the entangle and measure attack and the intercept-measure-resend attack, etc. The security of some attacks is analyzed below.
We assume that Eve tries to impersonate Bob i (i = 1, 2, · · · , r). In the Section 3.2.2, Alice inserted rN decoy particles into the sequence and sent them to Bob 1 , Bob 2 , · · · , Bob r for detection eavesdropping, respectively. After Eve receives the particles, she randomly measures and sends the qubits to Alice. Moreover, Eve randomly measures particles based on Z-basis or X-basis since she dose not know the authentication key sequence S B i shared only by Alice and Bob i . The probability of her choosing the right operation is 1 2 and the probability of picking the correct N particles from 2N sequence is 1 3 . Hence the probability of Eve being detected is P 4 =1 − 1 2 × 1 2 × 1 4 N . As shown on the right side of Figure 3, if N is large enough, the probability P 4 approximates to 1. Therefore, it is difficult for Eve to pass the eavesdropping detection.
Similar to impersonation attacks, Eve is an external attacker while in the entangle and measure attack and the intercept-measure-resend attack. Eve has less information than an internal attacker, hence the probabilities of failure are higher.

Further Discussion
In this section, we compare different models to demonstrate that our protocol may be more plausible, then comparing and summarizing the quantum authentication protocols in Table 3. Through the following comparison, it can be found that most of the existing quantum authentication protocols with the third party(TP) and our proposed protocol are two different models.
Model 1: The model of a quantum authentication protocol with a third party is simplified as follows [11,28]: Suppose Alice and Bob are two legitimate participants who want to authenticate each other, and the TP is a third party that helps them authenticate. Before the authentication protocol begins, the legitimate Alice and the legitimate Bob share a key in advance. During the authentication process, the TP will generate the quantum states and distribute them to the participants, Alice and Bob will perform operations according to the keys. Finally, the participants confirm the identity of the other party by comparing the results published by the other party.
Model 2: Our proposed protocol model is simplified as follows (for the convenience of comparison, the multi-party protocol is simplified to two parties): Suppose Alice and Bob are two legitimate participants who want to authenticate each other, and the TP is a third party that helps them authenticate. Before the authentication protocol begins, Alice and Bob register their legal identities with the TP. That is, they share the secret keys with the TP, respectively. During the authentication process, Alice will generate the quantum states and distribute them to herself and Bob, and then Alice and Bob will perform certain operations based on the keys. Finally, The TP confirms the identity of the participants by comparing the calculation results of itself and Alice, and announces the results to the participants.
In practice, Model 2 is more suitable for quantum multi-party authentication than Model 1. If Alice and Bob 1 , Bob 2 , · · · , Bob r want to share keys, any two parties must share keys, which will increase a lot of unnecessary work. It is a very complicated process for each participant to share keys with each other, so we introduce a third party to actually conduct centralized key management, which simplifies the process of key distribution. Moreover, even if TP is not introduced, Model 1 can complete the mutual authentication. For example, Ref. [26] and Ref. [27] accomplish mutual authentication without introducing a third party. Therefore, in fact, our model makes more sense in practice.
Furthermore, we compare and summarize the quantum authentication protocols in Table 3. Compared with the previous quantum identity authentication, we extend the two-party authentication to multi-party authentication, which does not require all communicators to own quantum capacity. In this paper, quantum Alice and Bob 1 , Bob 2 , · · · , Bob r are able to complete identity authentication simultaneously based on (r + 1)-particle GHZ states with the help of classical Trent. Only the initial registration and the final certification stage require him to perform some classical operations, and he does not participate in the rest of the time. In other words, the rights of the third party are better reduced.

Conclusions
In this paper, with the help of a classical third-party, a quantum multiparty simultaneous identity authentication protocol with GHZ state is presented. A trusted third-party centrally manages the keys of the participants, and Alice and Bob 1 , Bob 2 , · · · , Bob r complete authentication at the same time. The analysis of this protocol can effectively prevent illegal participants or attackers from obtaining legal identity information, and it can resist all kinds of ordinary attacks from the inside and outside. In addition, similar with the previous quantum multiparty simultaneous identity authentication protocol, the security analysis is based on the case of "no noise and no loss" in quantum channels [9,24,31]. In this case, our paper is also designed against the assumption of "no noise and no loss" in quantum channels. However, we need to make it clear that the security analysis under different noise rates is indeed an important content. We hope that this protocol have better application scenarios in the future.
Author Contributions: Conceptualization, X.L. and K.Z.; methodology, X.L.; software, X.L.; validation, X.L., K.Z., L.Z. and X.Z.; writing-original draft preparation, X.L.; writing-review and editing, X.L.and K.Z. All authors have read and agreed to the published version of the manuscript.