Article

A Grover Search-Based Quantum Key Agreement Protocol for Secure Internet of Medical Things Communication

Department of Computer Science and Information Engineering, National Chiayi University, Chiayi 60004, Taiwan
Future Internet 2025, 17(6), 263; https://doi.org/10.3390/fi17060263
Submission received: 23 May 2025 / Revised: 12 June 2025 / Accepted: 16 June 2025 / Published: 17 June 2025
(This article belongs to the Special Issue The Future Internet of Medical Things, 3rd Edition)

Abstract

The rapid integration of the Internet of Medical Things (IoMT) into healthcare systems raises urgent demands for secure communication mechanisms capable of protecting sensitive patient data. Quantum key agreement (QKA), a collaborative approach to key generation based on quantum principles, provides an attractive alternative to traditional quantum key distribution (QKD), as it eliminates dependence on a trusted authority and ensures equal participation from all users. QKA demonstrates particular suitability for IoMT’s decentralized medical networks by eliminating trusted authority dependence while ensuring equitable participation among all participants. This addresses fundamental challenges where centralized trust models introduce vulnerabilities and asymmetric access patterns that compromise egalitarian principles essential for medical data sharing. However, practical QKA applications in IoMT remain limited, particularly for schemes that avoid complex entanglement operations and authenticated classical channels. Among the few QKA protocols employing Grover’s search algorithm (GSA), existing proposals potentially suffer from limitations in fairness and security. In this paper, the author proposes an improved GSA-based QKA protocol that ensures fairness, security, and correctness without requiring an authenticated classical communication channel. The proposed scheme guarantees that each participant’s input equally contributes to the final key, preventing manipulation by any user subgroup. The scheme combines Grover’s algorithm with the decoy photon technique to ensure secure quantum transmission. Security analysis confirms resistance to external attacks, including intercept-resend, entanglement probes, and device-level exploits, as well as insider threats such as parameter manipulation. Fairness is achieved through a symmetric protocol design rooted in quantum mechanical principles. 
Efficiency evaluation shows a theoretical efficiency of approximately 25%, while eliminating the need for quantum memory. These results position the proposed protocol as a practical and scalable solution for future secure quantum communication systems, particularly within distributed IoMT environments.

1. Introduction

As healthcare systems increasingly adopt the Internet of Medical Things (IoMT) [1,2], ensuring secure communication becomes crucial. IoMT environments—comprising mobile and remote monitoring systems including wearable devices, implantable sensors, and telemedicine platforms—continuously collect and transmit highly sensitive patient data ranging from real-time vital signs to personal health records. This data sensitivity, combined with the distributed nature of IoMT networks, makes secure communication not merely important but absolutely crucial for maintaining patient privacy and regulatory compliance. Quantum key agreement (QKA) offers a compelling solution for secure communication in IoMT by allowing all participants to collaboratively generate a shared secret key using quantum principles. Unlike quantum key distribution (QKD), which relies on a trusted center to generate and distribute keys [3,4,5], QKA ensures that all parties contribute equally to the final key, enhancing fairness and reducing reliance on centralized infrastructure—features that are particularly desirable in distributed medical systems. Despite its potential, the application of QKA in practical settings such as IoMT remains underexplored, especially for protocols that avoid complex entanglement operations and authenticated classical channels.
QKA addresses many of the limitations inherent in traditional QKD by allowing all parties to collaboratively establish a shared secret key, rather than relying on a single party to generate and distribute it. This collaborative approach proves particularly advantageous for IoMT environments, where medical devices, healthcare providers, and monitoring systems must operate as equal participants in a distributed network without hierarchical dependencies. As highlighted in [6], Lo establishes that all “one-sided two-party computations”—where only one of the two parties learns the computation result—are inherently insecure. QKA, by design, avoids such asymmetry by requiring all involved parties to equally contribute to the key generation process. This equal contribution model aligns perfectly with IoMT’s distributed medical systems, where wearable devices, remote sensors, and healthcare databases must maintain equivalent security privileges without relying on centralized key management infrastructure that could become a single point of failure in critical medical scenarios. This fundamental difference significantly reduces the risks associated with unilateral trust assumptions and central points of failure—characteristics that make QKA particularly desirable in distributed medical systems where patient safety and data integrity cannot depend on centralized authorities.
However, despite QKA’s compelling advantages for IoMT applications, its practical implementation in real-world medical environments remains significantly underexplored. This research gap is particularly pronounced for QKA protocols that avoid complex entanglement operations and authenticated classical channels—precisely the type of streamlined approaches most suitable for resource-constrained IoMT devices with limited computational capabilities and bandwidth constraints. The value of QKA lies in its inherent properties:
  • Fairness: No single participant holds complete control over the key generation process, ensuring mutual trust.
  • Network Compatibility: QKA protocols can often be implemented using less demanding hardware compared to QKD.
  • Enhanced Security: The distributed nature of QKA mitigates risks from insider threats and single-point vulnerabilities common in QKD-based systems.
Since the pioneering work of Zhou et al. in 2004, who proposed the first QKA protocol using Einstein–Podolsky–Rosen (EPR) pairs [7], QKA has received increasing attention. In 2010, Chong and Hwang [8] proposed a BB84-based [9] QKA scheme that incorporated delayed measurement and was proven effective against internal and external attacks. Subsequently, a variety of protocols have emerged, including those based on Bell states [10], entangled states [11], and single-particle systems [12,13,14].
Despite these developments, QKA protocols that leverage Grover’s search algorithm (GSA) [15] are still rare. Only two such QKA protocols have been proposed. Cao and Ma [16] introduced the first GSA-based QKA protocol and emphasized that the traveling mode enhances efficiency over the distributed mode. Huang et al. [17] later presented a GSA-based QKA protocol that enables authorized users to jointly establish a secret key without the need for quantum memory or entangled states. However, our evaluation suggests that the Huang-QKA protocol presents challenges in achieving complete fairness and security assurance, as the current framework may not guarantee uniform treatment or symmetric information access across all participants.
A well-designed QKA protocol should satisfy the following three properties:
  • Security: Prevent external adversaries from gaining any useful information about the final key without being detected, and ensure that internal malicious participants cannot compromise the key generation process or undetectably influence the final key.
  • Correctness: Ensure that all legitimate users obtain the same final agreement key.
  • Fairness: Guarantee that all users have equal influence over the final key and that no user obtains the key unless all do, with equivalent assurance levels.
With the growing reliance on IoMT and other mission-critical distributed systems, the demand for secure and fair QKA protocols has become increasingly urgent. While GSA offers promising computational advantages for quantum cryptographic applications, existing GSA-based QKA protocols remain limited in scope and robustness. In particular, our analysis reveals that Huang et al.’s QKA protocol fails to fully uphold the principles of fairness and security, as it does not ensure that all participants exert equal influence over the final key, nor does it guarantee symmetric protection against quantum attacks. These shortcomings motivate the development of a more balanced and resilient QKA scheme, particularly one that eliminates the dependence on authenticated classical channels—an impractical requirement in many real-world applications such as IoMT environments.
The primary aim of this paper is to develop an improved GSA-based quantum key agreement protocol that guarantees fairness, security, and correctness among all participating users without relying on an authenticated classical communication channel. By modifying and extending the structure of existing GSA-QKA frameworks, we strive to construct a scheme in which each user’s input contributes equally to the generation of the final key, and no subset of users can influence or predetermine the outcome. Our goal is to ensure that the key agreement process remains unbiased, robust against internal and external threats, and suitable for practical deployment in security-sensitive medical network environments.
The proposed QKA protocol offers several key advantages over existing schemes. First, it enhances fairness by ensuring that all participants have equal control over the key generation process, thereby reducing the risk of insider dominance or manipulation. Second, the protocol strengthens security by resisting both classical and quantum attacks, even in the absence of classical authentication. Third, by avoiding the need for quantum memory and minimizing communication overhead, the protocol achieves high efficiency that is particularly well suited for medical devices with limited computational and power resources, making it especially applicable to IoMT environments where such constraints are prevalent. These advantages collectively position the proposed scheme as a practical solution for future secure quantum communication networks in healthcare settings where device limitations and operational constraints demand both security and efficiency.
The rest of this paper is organized as follows. Section 2 reviews the related works on Grover’s search algorithm. Section 3 details the proposed quantum key agreement scheme, outlining its phases and operational procedures. Section 4 provides a comprehensive security analysis, discussing its resilience against external attacks and participant-based threats, evaluating its fairness and resource efficiency, and offering a comparative discussion with other protocols. Finally, Section 5 concludes this paper and suggests future research directions.

2. Related Works

2.1. Quantum Key Agreement: Historical Evolution and Technological Progression

The field of QKA has undergone significant evolution since its inception, representing a paradigm shift from traditional centralized key distribution approaches toward collaborative quantum cryptographic protocols. The foundational work by Zhou et al. in 2004 [7] marked a pivotal moment in quantum cryptography by introducing the first QKA protocol utilizing Einstein–Podolsky–Rosen (EPR) pairs, establishing the theoretical framework for collaborative key generation without relying on trusted third parties.
Following this groundbreaking contribution, the QKA landscape has diversified considerably through various technological approaches and cryptographic methodologies. Chong and Hwang advanced the field by developing BB84-based QKA schemes [8], which leveraged the well-established BB84 protocol [9] principles while adapting them s. These protocols demonstrated how classical-quantum key distribution foundations could be extended to achieve collaborative key agreement, maintaining the security guarantees of single-party systems while enabling distributed participation.
The progression continued with the development of Bell state-based protocols, which exploited the unique properties of maximally entangled two-qubit states to facilitate secure key generation. These approaches offered enhanced security features through the intrinsic correlations of Bell states [10], providing robust protection against both external eavesdropping and internal manipulation attempts. Simultaneously, researchers explored entanglement-based protocols [11] that utilized more complex quantum correlations, enabling sophisticated key agreement mechanisms capable of supporting larger participant groups while maintaining quantum security advantages. Cai et al. [18] propose a measurement-device-independent three-party QKA protocol using GHZ states that requires only Bell state and single-particle measurements, ensuring security and fairness while remaining experimentally feasible.
Complementing these entanglement-centric approaches, single-particle system protocols [12,13,14] emerged as practical alternatives that avoided the technical complexities associated with entanglement generation and maintenance. These protocols demonstrated that effective QKA could be achieved using simpler quantum resources, making the technology more accessible for real-world implementations where entanglement infrastructure might be challenging to establish or maintain.

2.2. Practical Applications and Emerging Opportunities

The theoretical advancements in QKA have naturally led to exploration of practical applications, particularly in security-critical environments where traditional cryptographic approaches face significant limitations. The Internet of Medical Things (IoMT) represents a particularly compelling application domain for QKA protocols due to its unique combination of stringent security requirements and operational constraints.
IoMT environments present distinctive challenges that align well with QKA’s inherent advantages. The distributed nature of medical networks, comprising various sensors, monitoring devices, and healthcare systems, necessitates collaborative security approaches rather than centralized key management solutions. Traditional quantum key distribution protocols, which rely on trusted centers for key generation and distribution, may introduce single points of failure that are unacceptable in critical healthcare applications where patient safety and data integrity are paramount.
Furthermore, the resource-constrained nature of many IoMT devices creates additional requirements for cryptographic protocols. Medical sensors, wearable devices, and implantable systems often operate under strict power consumption limits and computational constraints. QKA protocols that minimize communication overhead and avoid complex quantum operations, such as those requiring quantum memory or sophisticated entanglement manipulation, are particularly well suited for these environments.
The security sensitivity of medical data processing adds another dimension to QKA’s applicability in IoMT contexts. Healthcare systems handle highly sensitive patient information that must be protected against both external threats and potential insider attacks. QKA’s collaborative approach, where all participants contribute equally to key generation, provides natural protection against single-party dominance or manipulation, addressing the multi-faceted threat landscape characteristic of medical environments.
This convergence of technological capability and practical need establishes a strong foundation for exploring advanced QKA implementations, particularly those based on novel approaches such as Greenberger–Horne–Zeilinger (GHZ) state applications (GSA-based QKA), which promise to address the specific challenges of modern distributed security-critical systems while maintaining the fundamental advantages that make QKA an attractive alternative to traditional quantum cryptographic approaches.

2.3. Grover’s Search Algorithm

A significant research trend has emerged in the development of cryptographic techniques leveraging GSA [15], encompassing diverse applications including quantum asymmetric key cryptography [19,20], quantum key agreement protocols [16,17], and quantum digital signature schemes [21]. GSA is a cornerstone of quantum computing, offering a quadratic speedup over classical search algorithms for unstructured databases. GSA operates on a quantum register of $n$-qubits, which represents $N = 2^k$ possible states. The algorithm efficiently identifies a target state $|w\rangle$ by iteratively applying two operations: the Oracle $O$ and the Diffusion operator $D$.
Initial State Preparation: The algorithm begins with the initialization of the quantum state $|\psi\rangle$, which is typically chosen as the uniform superposition state:
$$|\psi\rangle = H^{\otimes k}|0\rangle^{\otimes k} = \frac{1}{\sqrt{N}}\sum_{x=0}^{N-1}|x\rangle,$$
where $H$ is the Hadamard gate applied to each qubit, and $\otimes$ means tensor, i.e., $H^{\otimes k}$ is equivalent to $H \otimes H \otimes \cdots \otimes H$ with $k$ terms.
Oracle Operation: The Oracle $O$ is a problem-specific unitary operator that marks the target state $|w\rangle$ by flipping its amplitude’s sign. For a target state $|w\rangle$, the Oracle is defined as:
$$O|x\rangle = \begin{cases} -|x\rangle & \text{if } x = w \\ |x\rangle & \text{otherwise} \end{cases}, \quad \text{or} \quad O = I - 2|w\rangle\langle w|,$$
where $I$ is the identity operator and $|w\rangle$ is the target state to be searched for.
Diffusion Operation: After applying the Oracle, the algorithm amplifies the amplitude of the marked state using the Diffusion operator $D$, defined as:
$$D = 2|\psi\rangle\langle\psi| - I,$$
where $I$ is the identity matrix and $|\psi\rangle$ is determined in the initial state phase. This operation reflects the quantum state about the average amplitude, increasing the probability of the target state being measured.
Measurement: After $r = \frac{\pi}{4}\sqrt{N}$ iterations of applying $O$ and $D$, the quantum state is measured, yielding the target state $|w\rangle$ with high probability.
It is worth noting that a variant of GSA has been proposed [22], featuring specific modifications to the original approach.
Property: Bitwise XOR Oracle Composition
(1) The initial state is fixed as $|\psi\rangle = |{+}{+}\rangle$. The corresponding diffusion operation is $2|{+}{+}\rangle\langle{+}{+}| - I$.
(2) The targets are regarded as $w_i \in \{00,01,10,11\}$, where $0 \le i \le 3$. The oracle operator is defined as $O_{w_i} = I - 2|w_i\rangle\langle w_i|$ for each target. If the target $w_0$ is related to the sequence $w_1$, $w_2$, and $w_3$ by $w_0 = w_1 \oplus w_2 \oplus w_3$ (bitwise XOR operation), the composition of oracle operators satisfies the following relationship:
$$O_{w_1} O_{w_2} O_{w_3}|\psi\rangle = \pm O_{w_0}|\psi\rangle.$$

3. The Proposed Scheme

We consider a typical Internet of Medical Things (IoMT) environment, where the quantum key agreement (QKA) protocol operates between two main entities: the Patient’s Device (PD) and the Healthcare Provider (HP). The PD represents an IoMT terminal, such as a wearable or implantable medical device, which continuously collects physiological signals (e.g., heart rate, glucose levels) from the patient. The HP denotes a trusted medical infrastructure component, such as a hospital cloud platform or electronic health record (EHR) system, which securely manages patient data and supports remote monitoring and diagnosis.
The primary objective of the QKA protocol in this context is to enable the PD and HP to jointly establish a shared quantum key used to encrypt and authenticate sensitive medical data during transmission. Unlike conventional QKD schemes, which rely on a single party (typically the HP) to generate and distribute the key, the QKA protocol ensures that both the PD and HP equally contribute to the final key, thereby achieving fairness and reducing the risk of unilateral control.
Communication between PD and HP occurs over a quantum channel for qubit transmission and a classical channel for protocol coordination. The system assumes that the quantum channel is lossy and noisy—conditions typical of real-world IoMT deployments—while the classical channel is assumed to be public but not necessarily authenticated. This model aligns with realistic constraints in IoMT networks, where authenticated classical infrastructure may not always be available or practical.
Security threats in this model include both external eavesdropping and internal misbehavior (e.g., one party attempting to dominate the key generation). Therefore, the proposed QKA protocol must uphold correctness, security, and fairness, even under such adversarial settings. Furthermore, the protocol should be efficient and secure. The decoy photon technique is employed to safeguard transmissions against external eavesdroppers through the process of inserting decoy qubits to detect potential eavesdropping.
The proposed scheme consists of the following phases:
  • Initialization (Public Parameters):
PD and HP agree on a public oracle $O_f = \{O_{f_i} \mid f_i \in \{00,01,10,11\},\ i = 1,2,\ldots,n\}$, which allows for the computation on the initial quantum states of two-qubit GSA, where $O_{f_i}$ corresponds to a bit string $f = \{f_i \mid f_i \in \{00,01,10,11\},\ i = 1,2,\ldots,n\}$ which serves as a one-time-pad. They also agree on a set of allowed initial quantum states $|\psi\rangle = |{+}{+}\rangle$.
  • Private Key Selection:
PD and HP randomly select their private key $K_{PD} = \{k_i^{PD} \mid k_i^{PD} \in \{00,01,10,11\},\ i = 1,2,\ldots,n\}$ and $K_{HP} = \{k_i^{HP} \mid k_i^{HP} \in \{00,01,10,11\},\ i = 1,2,\ldots,n\}$, respectively.
  • Public Key Computation:
PD and HP apply the Grover oracle $O_{f_i}$ and their respective second Grover oracle $O_{k_i^{PD}}$ and $O_{k_i^{HP}}$, prepared using their private key, to the common initial quantum states $|\psi\rangle$. This results in their respective public key $O_{k_i^{PD}} O_{f_i}|\psi\rangle$ and $O_{k_i^{HP}} O_{f_i}|\psi\rangle$.
  • Public Key Exchange:
PD and HP send their public keys to each other through the following operations.
(1) PD and HP each prepare two decoy photons randomly chosen from one of the four non-orthogonal states, $|0\rangle$, $|1\rangle$, $|+\rangle$, and $|-\rangle$. Each participant inserts these decoy photons into the sequence representing their public key at random positions to create a new sequence. Then, they send their respective sequences to each other via the quantum channel.
(2) PD and HP announce the positions and bases of the decoy photons in the new sequence. They then measure these photons according to the corresponding bases and respond to each other to detect potential eavesdropping. They compute the error rate; if it exceeds a predetermined threshold value, they abort the protocol and restart. Otherwise, they obtain the other party’s public key by removing the decoy photons.
  • Shared Quantum Key Computation:
PD and HP perform the following operations:
(1) Grover Oracle Application: PD and HP apply their respective Grover oracle $O_{k_i^{PD}}$ and $O_{k_i^{HP}}$ to each other’s public key. Specifically, they apply $O_{k_i^{PD}} O_{k_i^{HP}} O_{f_i}|\psi\rangle$ and $O_{k_i^{HP}} O_{k_i^{PD}} O_{f_i}|\psi\rangle$.
(2) Diffusion Operation: PD and HP then apply the Grover diffusion operator $D$ to the above quantum states, resulting in $D\,O_{k_i^{PD}} O_{k_i^{HP}} O_{f_i}|\psi\rangle$ and $D\,O_{k_i^{HP}} O_{k_i^{PD}} O_{f_i}|\psi\rangle$. Upon measurement, both parties obtain the same classical value, namely $k_i^{PD} \oplus k_i^{HP} \oplus f_i$ and $k_i^{HP} \oplus k_i^{PD} \oplus f_i$, respectively, where $\oplus$ is a bitwise XOR operation.
(3) Shared Key Computation: Based on the property of bitwise XOR oracle composition, both PD and HP compute the shared quantum key as $k_{PD\_HP} = k_i^{PD} \oplus k_i^{HP} \oplus f_i$ and $k_{HP\_PD} = k_i^{HP} \oplus k_i^{PD} \oplus f_i$. Since bitwise XOR is commutative and associative, we have $k_{AB} = k_{BA}$, ensuring both parties derive an identical shared key.
After $n$ rounds of the above procedure, both the Patient’s Device and the Healthcare Provider will derive the same shared quantum key $K = K_{PD} \oplus K_{HP} \oplus f$. Because the Grover oracle is commutative and associative under the property of bitwise XOR oracle composition, both participants will derive the same shared quantum key.
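The following added example (not code from the paper) simulates one round of the scheme above as a four-amplitude state vector for the two-qubit register and checks exhaustively that both parties read out $k_i^{PD} \oplus k_i^{HP} \oplus f_i$ with certainty. The function names, the noiseless channel and the omission of decoy photons are assumptions of this example.

```python
import secrets
from itertools import product

PSI = (0.5, 0.5, 0.5, 0.5)   # |++> over basis states 00, 01, 10, 11

def oracle(state, w):
    """O_w = I - 2|w><w|: negate the amplitude of basis state w."""
    return tuple(-a if x == w else a for x, a in enumerate(state))

def diffusion(state):
    """D = 2|++><++| - I: reflect every amplitude about the mean."""
    mean = sum(state) / len(state)
    return tuple(2 * mean - a for a in state)

def measure(state):
    """Return (most likely outcome, its probability) for a Z-basis readout."""
    probs = [a * a for a in state]
    best = max(range(len(probs)), key=probs.__getitem__)
    return best, probs[best]

def public_key(k, f):
    """Public key state O_k O_f |psi> that is sent over the quantum channel."""
    return oracle(oracle(PSI, f), k)

def shared_value(own_k, received_state):
    """Apply the own oracle to the peer's public key, then D, then measure."""
    return measure(diffusion(oracle(received_state, own_k)))

def run_round(k_pd, k_hp, f):
    """One round: returns the two-bit values PD and HP each read out."""
    pd_out, pd_p = shared_value(k_pd, public_key(k_hp, f))
    hp_out, hp_p = shared_value(k_hp, public_key(k_pd, f))
    if pd_p != 1.0 or hp_p != 1.0:
        raise ValueError("readout is not deterministic")
    return pd_out, hp_out

def exhaustive_check():
    """All 64 (k_pd, k_hp, f) triples must give k_pd ^ k_hp ^ f on both sides."""
    return all(run_round(kp, kh, f) == (kp ^ kh ^ f, kp ^ kh ^ f)
               for kp, kh, f in product(range(4), repeat=3))

def agree(n, f_string):
    """n rounds with fresh random private values; returns (PD key, HP key)."""
    k_pd = [secrets.randbelow(4) for _ in range(n)]
    k_hp = [secrets.randbelow(4) for _ in range(n)]
    outs = [run_round(a, b, f) for a, b, f in zip(k_pd, k_hp, f_string)]
    return [o[0] for o in outs], [o[1] for o in outs]

if __name__ == "__main__":
    f_public = [0b01, 0b11, 0b00, 0b10]   # constructed public string f
    key_pd, key_hp = agree(len(f_public), f_public)
    print("all 64 cases agree:", exhaustive_check())
    print("PD key:", key_pd, "HP key:", key_hp)
```

Because an odd number of sign flips always leaves exactly one basis state out of phase with the other three, a single diffusion step concentrates all amplitude on it, which is why the readout probability is exactly 1 in every case.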

4. Security Analysis and Discussion

This section presents a comprehensive security evaluation of our quantum key agreement (QKA) protocol designed for secure communication between the Patient’s Device (PD) and the Healthcare Provider (HP). The security assessment addresses two fundamental threat categories: external threats from unauthorized third parties and internal threats from potentially compromised legitimate participants. An external adversary might employ various quantum attack methodologies—including measurement-based interception followed by retransmission, quantum entanglement manipulation, or hardware-based infiltration techniques—all aimed at extracting the jointly established cryptographic key K . Concurrently, the protocol must safeguard against scenarios where either the PD or HP becomes compromised and attempts to manipulate the key generation process to gain unilateral control over the resulting K . The subsequent analysis demonstrates the resilience of our proposed healthcare-oriented QKA protocol against this spectrum of potential security vulnerabilities.

4.1. External Attacks

4.1.1. The Intercept-Resend Attack

Consider a scenario where an eavesdropper (Eve) intercepts the sequences exchanged during the public key exchange phase and measures them. Based on her measurement results, Eve prepares counterfeit sequences and forwards them to the Healthcare Provider (HP). However, this malicious action will be detected during the security verification process. The detection capability stems from the protocol’s use of decoy photons randomly selected from the four non-orthogonal states $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$, which the Patient’s Device (PD) and HP insert into their respective transmitted sequences. Since Eve has no knowledge of either the positions or measuring bases of these decoy photons within the public key exchange sequence, her interception attempts face significant detection probabilities.
Let us consider the detection probability for a single decoy photon. Suppose a participant sends a photon in the state $|0\rangle$. If Eve uses the Z basis (the correct basis), she measures $|0\rangle$ with 100% certainty and introduces no error. This case occurs with probability $\frac{1}{2}$. However, if Eve chooses the X basis (incorrect basis), the state $|0\rangle$ collapses into $|+\rangle$ or $|-\rangle$ with equal probability. Then, when the receiver measures in the Z basis (which is correct), the probability of obtaining the original value $|0\rangle$ from either $|+\rangle$ or $|-\rangle$ is $\frac{1}{2}$ in each case. The full expression for the probability that Eve’s presence is not detected for a single decoy photon is derived as follows:
$$\frac{1}{2} \times 1 + \frac{1}{2} \times \left(\frac{1}{2} \times \frac{1}{2} + \frac{1}{2} \times \frac{1}{2}\right) = \frac{3}{4}.$$
This means Eve has a $\frac{3}{4}$ chance of escaping detection per intercepted decoy photon. Therefore, when $2n$ decoy photons are embedded in the protocol, the probability that none of them detects Eve is $\left(\frac{3}{4}\right)^{2n}$. Thus, the overall probability that Eve is detected is $1 - \left(\frac{3}{4}\right)^{2n}$. As $n$ increases to practical implementation values, this detection probability approaches 1, ensuring robust security against intercept-resend attacks.

4.1.2. The Quantum Entangled-Probe Attack

A quantum entanglement-based attack refers to a strategy in which an adversary Eve introduces quantum states that are pre-entangled with those of legitimate communication parties (e.g., PD and HP). The adversary aims to indirectly eavesdrop on or manipulate the communication process by exploiting these entangled states, all while preserving the overall entanglement structure of the system to avoid detection. Consider a scenario where Eve attempts to perform an entanglement-based attack by introducing an auxiliary qubit |E⟩ and applying a unitary transformation U to entangle it with the transmitted quantum states. The action of U on the standard basis states can be described as:
$$U|0\rangle|E\rangle = a|0\rangle|e_{00}\rangle + b|1\rangle|e_{01}\rangle, \quad U|1\rangle|E\rangle = c|0\rangle|e_{10}\rangle + d|1\rangle|e_{11}\rangle,$$
where $|e_{ij}\rangle$ are four normalized pure states in the adversary’s ancilla system, and the coefficients satisfy $a^2 + b^2 = c^2 + d^2 = 1$. When applied to superposition states $|+\rangle$ and $|-\rangle$, the unitary yields coherent mixtures of $|+\rangle$ and $|-\rangle$ tensor product with corresponding ancilla states, revealing the entanglement structure. To avoid introducing detectable errors during this interaction, the adversary must satisfy the stringent conditions $a = d = 1$, $b = c = 0$ and
$$a|e_{00}\rangle - b|e_{01}\rangle + c|e_{10}\rangle - d|e_{11}\rangle = 0, \quad a|e_{00}\rangle + b|e_{01}\rangle - c|e_{10}\rangle - d|e_{11}\rangle = 0.$$
Solving these constraints implies that $|e_{00}\rangle = |e_{11}\rangle$, which leads to the conclusion that the adversary cannot extract any distinguishable information from the ancillary system. Therefore, any entanglement-based attack of this form is mathematically proven to be ineffective in gaining useful information without being detected, reinforcing the intrinsic security of the protocol against such quantum threats.

4.1.3. Hardware Vulnerability Exploitation

In our proposed QKA protocol, the decoy photon mechanism effectively defends against hardware-level vulnerability exploitation attacks. The effectiveness of this protection is demonstrated in the following aspects:
  • Active Probing Defense: The random insertion of decoy photons prevents attackers from determining which are key photons and which are decoy photons. When attackers attempt to inject probing signals through hardware defects (such as fiber bypass or detector control), these operations inevitably affect the decoy photons, thereby being detected during the security verification phase.
  • Hardware Manipulation Detection: Decoy photons utilize four non-orthogonal quantum states $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$, ensuring that any attempt to manipulate measurement devices through hardware vulnerabilities will alter the quantum states of these photons, subsequently causing statistical deviations in measurement results.
  • Reverse Channel Blockage: Physical hardware vulnerabilities in quantum communication often involve creating covert channels by exploiting reflection properties of optical components. The decoy photon mechanism effectively monitors such reverse channel attacks by inserting photons of known quantum states at random positions. Any probing attempt exploiting hardware defects will disturb these photon states.
  • Real-time Monitoring Capability: The protocol requires both communicating parties to perform immediate measurements of decoy photons and compare results, a process that continuously evaluates the integrity of the quantum channel and associated hardware, ensuring that any hardware-level anomalies can be detected promptly.
Through the decoy photon mechanism, our protocol can effectively resist hardware vulnerability exploitation attacks such as Trojan horses without relying on additional hardware protection measures, ensuring secure transmission of sensitive information in medical environments. The statistical properties of decoy photons ensure that even if attackers gain partial hardware control, they cannot extract sufficient information to obtain the final protocol key without being detected.

4.2. Participant-Based Security Threats

In our proposed quantum key agreement protocol, we must address scenarios wherein internal participants may be compromised by adversaries. Such insider attackers possess all privileges of legitimate participants and might attempt to manipulate protocol parameters to gain control over or access to the final agreement key. This analysis evaluates the feasibility of such attacks and corresponding defense mechanisms based on fundamental quantum mechanical principles.

4.2.1. Parameter Manipulation Attack Analysis

Consider an adversary-controlled participant (hereafter referred to as the attacker) attempting to manipulate the agreement key. Upon receiving the confidential parameters from the legitimate counterpart, the attacker may pursue several attack vectors:
The attacker’s manipulation capabilities are fundamentally constrained following quantum state transmission. Once the quantum state sequence has been transmitted, the attacker can only manipulate undisclosed confidential parameters. However, the quantum no-cloning theorem prevents duplication of transmitted quantum states, and measurement results, once obtained, cannot be retracted—establishing inherent physical limitations on the attacker’s manipulation space.
Regarding decoy photon position declaration attacks, the attacker might attempt to falsely declare decoy photon positions. Our protocol mitigates this threat through a robust verification mechanism wherein both parties must independently and simultaneously declare their respective sets of decoy photon positions. The protocol subsequently utilizes the intersection as the final set of decoy photon positions. At these positions, both parties disclose and compare measurement outcomes. Should an attacker declare false positions, they must correctly guess the corresponding quantum state for each decoy photon; otherwise, the deception will be detected during the verification phase.

4.2.2. The Statistical Security Threshold Design

Our protocol employs parameter θ as the acceptable threshold for decoy photon measurement error rates. The threshold determination process considers the quantum channel’s natural error rate ε, selecting θ slightly above ε. Current quantum systems exhibit error rates of 0.1–1% [23], providing baseline parameters subject to technological advancement. The relationship between security parameters demonstrates that as the number of decoy photons n increases, statistical significance improves, complicating measurement result falsification for attackers. While the error threshold θ is inversely proportional to security, excessively low θ values may cause unnecessary protocol termination under normal fluctuations.
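The trade-off between θ, ε and n described above can be made concrete with exact binomial tails. The following is an added example, not code from the paper: the function names are hypothetical, decoy errors are assumed independent, and the 25% per-photon error is the standard intercept-resend figure for a probe that measures every decoy photon in a randomly chosen basis.

```python
from math import comb, floor


def binom_pmf(n, p, i):
    """P[X = i] for X ~ Binomial(n, p)."""
    return comb(n, i) * p**i * (1 - p) ** (n - i)


def decoy_check_rates(n, theta, eps, probe_err=0.25):
    """Return (false_abort, missed_detection) for n compared decoy photons.

    theta     -- abort when the observed decoy error rate exceeds theta
    eps       -- natural error rate of the quantum channel
    probe_err -- error a probe induces per decoy photon (assumption: 25%)
    """
    k = floor(theta * n + 1e-9)  # number of errors tolerated before aborting
    # Honest run: only channel noise; the session aborts if errors exceed k.
    false_abort = sum(binom_pmf(n, eps, i) for i in range(k + 1, n + 1))
    # Probed run: a decoy reads wrong when exactly one of noise/probe flips it
    # (assumption: the two effects are independent).
    p_attack = eps + probe_err - 2 * eps * probe_err
    missed = sum(binom_pmf(n, p_attack, i) for i in range(0, k + 1))
    return false_abort, missed


def min_decoys(theta, eps, max_false_abort, max_missed, limit=1000):
    """Smallest n (up to limit) meeting both targets, or None."""
    for n in range(1, limit + 1):
        fa, md = decoy_check_rates(n, theta, eps)
        if fa <= max_false_abort and md <= max_missed:
            return n
    return None


if __name__ == "__main__":
    eps = 0.01  # upper end of the 0.1-1% range quoted in the text
    for theta in (0.01, 0.05):
        for n in (50, 200):
            fa, md = decoy_check_rates(n, theta, eps)
            print(f"theta={theta:.2f} n={n:3d} "
                  f"false_abort={fa:.3e} missed_detection={md:.3e}")
    print("noiseless channel, theta=0, missed <= 1e-6:",
          min_decoys(0.0, 0.0, 0.0, 1e-6), "decoys")
```

Setting θ equal to ε makes honest sessions abort frequently, while a θ placed a few points above ε keeps both rates small once n reaches the low hundreds.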

4.2.3. Forward Secrecy Guarantees

Our protocol provides forward secrecy, ensuring that even if a participant’s long-term key is compromised in the future, previous communications remain secure. Each session generates entirely new quantum state sequences and random parameters. Session keys depend on specific quantum measurement outcomes that cannot be derived from previous or subsequent sessions. Even with access to a participant’s long-term key, attackers cannot decrypt previously conducted communications.
Through the integrated implementation of the aforementioned security mechanisms, our quantum key agreement protocol effectively resists threats from insider attackers. The decoy photon mechanism, in particular, provides quantifiable security assurances, ensuring that any attempt to manipulate protocol parameters faces an exceedingly high probability of detection. In practical deployments, security further strengthens with increasing decoy photon quantities while maintaining reasonable communication efficiency and availability.

4.3. Fairness

Our quantum key agreement protocol achieves fairness—a critical property where no participant can unduly influence the final key. This is accomplished through symmetric architectural design and quantum mechanical principles. The protocol enforces fairness through balanced contribution mechanisms where both the Patient’s Device (PD) and Healthcare Provider (HP) equally influence the final key. Each party contributes 4n quantum states that determine 2n bits of the cryptographic material, with the final key derived as K = K P D K H P f . This ensures neither party can unilaterally control more than half the key bits.

4.4. Resource Efficiency Evaluation

When evaluating the practical viability of quantum key agreement protocols, computational efficiency represents a deterministic parameter, particularly critical in resource-constrained healthcare systems. The academic community has established a standardized efficiency evaluation methodology [24], mathematically expressed as:
$$\eta_1 = \frac{S}{Q + C}$$
where S denotes the quantity of securely shared classical information bits, Q represents the quantum resources consumed (quantified in qubits), and C represents the number of classical bits used, excluding those required for the announcement of decoy photon positions and measurement bases. This efficiency metric provides an objective foundation for performance comparison across various protocols by comprehensively examining the relationship between protocol output and resource utilization. However, $\eta_2 = \frac{S}{Q}$ is employed to quantify qubit efficiency [25], whereas $\eta_1$ is utilized to assess the efficiency of quantum communication protocols [24].
Our quantum key agreement protocol, designed specifically for secure communication between the Patient’s Device (PD) and Healthcare Provider (HP), aims to establish a cryptographic key of 2n bits. Upon successful completion, the protocol generates 2n bits of securely shared information while consuming quantum resources that include 4n qubits for initial quantum state preparation (2n by PD and 2n by HP) and an additional 4n qubits for decoy states utilized in the public key exchange phase (2n by PD and 2n by HP), resulting in an aggregate consumption of 8n qubits throughout the protocol execution. The classical communication requirements encompass no classical bits for confidential parameter transmission.
When these operational parameters are substituted into the standardized efficiency formula, we obtain $\eta_1 = \frac{2n}{8n + 0} = \frac{1}{4}$ and $\eta_2 = \frac{2n}{8n} = \frac{1}{4}$, demonstrating that our protocol achieves a theoretical efficiency level of approximately 25%.

4.5. Discussion

Table 1 provides a comparative analysis of three QKA protocols based on GSA: the protocols proposed by Cao and Ma [16], Huang et al. [17], and the scheme proposed in this study. All three utilize GSA as their foundational approach.
In terms of key sharing channels, both the Cao and Ma protocol and our proposed scheme operate over quantum channels, whereas the protocol by Huang et al. requires an authenticated classical channel. This dependency is particularly problematic in IoMT environments, where establishing authenticated classical infrastructure is not only impractical due to resource constraints, but also exposes the protocol to potential quantum computing attacks on classical authentication mechanisms. Additionally, the Huang et al. scheme suffers from a classical-quantum dependence issue, which is not present in the Cao and Ma protocol or in our design. Regarding quantum memory requirements, all three protocols avoid the need for quantum memory, a favorable attribute for medical devices.
Security-wise, Table 1 identifies the Huang et al. protocol as partially insecure, while the other two schemes are deemed secure. This distinction is crucial given the sensitive nature of medical data in IoMT applications. Fairness, which ensures equal participation in the key generation process, is also lacking in the Huang et al. protocol but maintained in the other two. These assessments align with prior evaluations cited in the Introduction, which confirmed the Huang et al. scheme’s potential deficiencies in both fairness and security.
From an efficiency perspective, the theoretical quantum communication efficiency (η1) of the Huang et al. protocol is 1/3, which is higher than both our proposed scheme and the Cao and Ma protocol, each with an η1 value of 1/4. Table 1 further details the qubit efficiency (η2) and associated operational metrics: the Huang et al. protocol requires 4n measurements and 2n unitary operations; our proposed scheme involves 8n measurements and 8n unitary operations; and the Cao and Ma protocol requires 8n measurements and 6n unitary operations. Our protocol achieves 25% efficiency (2n key bits from 8n qubits consumed: 4n for initial state preparation plus 4n for decoy states). This efficiency is acceptable for IoMT applications because: (1) medical devices prioritize security over throughput due to life-critical data handling, (2) IoMT requires periodic rather than continuous key generation, (3) quantum states can be pre-computed during idle periods, and (4) our efficiency is competitive with other measurement-device-independent protocols. The security benefits justify the efficiency trade-off in medical contexts where patient safety is paramount.
On the other hand, recent work by Hung and Chen [26] provides valuable insights into the practical implementation challenges of quantum asymmetric encryption using generalized Grover search algorithms (GGSAs), which directly relates to our protocol’s scalability concerns.
In summary, although our scheme may not outperform existing protocols in terms of raw efficiency, it offers superior security guarantees and ensures fairness—attributes essential for the decentralized and resource-constrained nature of IoMT systems. By eliminating dependency on authenticated classical channels and avoiding classical-quantum entanglement, our scheme emerges as a robust and practical GSA-based QKA solution tailored for the stringent requirements of medical IoT environments.
Our protocol is applicable to realistic quantum communication environments with inherent imperfections such as photon loss, decoherence, detector limitations, synchronization errors, and channel instabilities. The integrated error correction mechanisms ensure robust key generation performance under practical implementation conditions.

5. Conclusions

This paper presents an improved Grover’s search algorithm-based quantum key agreement (GSA-QKA) protocol tailored for secure communication in Internet of Medical Things (IoMT) environments. The proposed scheme ensures fairness, correctness, and security among participants without relying on authenticated classical channels or quantum memory. By enhancing existing GSA-QKA frameworks with a symmetric architecture and integrating decoy photon techniques, the protocol guarantees equal user contribution to the final key while defending against both external and internal attacks. Rigorous analysis confirms resilience to intercept-resend, entanglement-based, and hardware-level threats, as well as insider attacks involving parameter manipulation. The decoy photon mechanism further provides quantifiable assurance against unauthorized key extraction. Although the protocol achieves a theoretical efficiency of 25%, which is moderate compared to some existing GSA-based schemes, it provides significant improvements in security, fairness, and practicality, making it well suited for secure applications in IoMT environments. These characteristics offer a robust and scalable solution for future quantum-secure medical communication networks. While the current work focuses on theoretical analysis and security proofs, we acknowledge the importance of empirical validation. We have added a discussion outlining our planned future work.

Funding

This research received no external funding.

Data Availability Statement

The original contributions presented in this study are included in the article material. Further inquiries can be directed to the corresponding author.

Acknowledgments

The author would like to thank the Department of Computer Science and Information Engineering, National Chiayi University for providing the academic environment conducive to this research. AI-assisted tools were used solely for English grammar improvement in the preparation of this manuscript, while all research content, analysis, and conclusions remain the original work of the author.

Conflicts of Interest

The author declares no conflicts of interest.

References

  1. Tomer, V.; Sharma, S.; Davis, M. Resilience in the Internet of Medical Things: A Review and Case Study. Future Internet 2024, 16, 430.
  2. Mulo, J.; Liang, H.; Qian, M.; Biswas, M.; Rawal, B.; Guo, Y.; Yu, W. Navigating Challenges and Harnessing Opportunities: Deep Learning Applications in Internet of Medical Things. Future Internet 2025, 17, 107.
  3. Nurhadi, A.I.; Syambas, N.R. Quantum key distribution (QKD) protocols: A survey. In Proceedings of the 2018 4th International Conference on Wireless and Telematics (ICWT), Bali, Indonesia, 12–13 July 2018; pp. 1–5.
  4. Cao, Y.; Zhao, Y.; Wang, Q.; Zhang, J.; Ng, S.X.; Hanzo, L. The evolution of quantum key distribution networks: On the road to the qinternet. IEEE Commun. Surv. Tutor. 2022, 24, 839–894.
  5. Zhang, Y.; Bian, Y.; Li, Z.; Yu, S.; Guo, H. Continuous-variable quantum key distribution system: Past, present, and future. Appl. Phys. Rev. 2024, 11, 011318.
  6. Lo, H.-K. Insecurity of quantum secure computations. Phys. Rev. A 1997, 56, 1154.
  7. Zhou, N.; Zeng, G.; Xiong, J. Quantum key agreement protocol. Electron. Lett. 2004, 40, 1.
  8. Chong, S.-K.; Hwang, T. Quantum key agreement protocol based on BB84. Opt. Commun. 2010, 283, 1192–1195.
  9. Bennett, C.H.; Brassard, G. Quantum cryptography: Public key distribution and coin tossing. In Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, India, 10–12 December 1984; Volume 175, p. 8.
  10. Shukla, C.; Alam, N.; Pathak, A. Protocols of quantum key agreement solely using Bell states and Bell measurement. Quantum Inf. Process. 2014, 13, 2391–2405.
  11. Xu, G.-B.; Wen, Q.-Y.; Gao, F.; Qin, S.-J. Novel multiparty quantum key agreement protocol with GHZ states. Quantum Inf. Process. 2014, 13, 2587–2594.
  12. Liu, B.; Gao, F.; Huang, W.; Wen, Q.-y. Multiparty quantum key agreement with single particles. Quantum Inf. Process. 2013, 12, 1797–1805.
  13. He, Y.-F.; Pang, Y.; Di, M. Mutual authentication quantum key agreement protocol based on Bell states. Quantum Inf. Process. 2022, 21, 290.
  14. Shi, Q.; Yang, Z.; Cheng, T.; Wang, C.; Wu, Z.; Zhang, X.; Xu, P. QKBAKA: A quantum-key-based authentication and key agreement scheme for internet of vehicles. IEEE Internet Things J. 2023, 11, 12292–12306.
  15. Grover, L.K. A fast quantum mechanical algorithm for database search. In Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, Philadelphia, PA, USA, 22–24 May 1996; pp. 212–219.
  16. Cao, H.; Ma, W. Multiparty quantum key agreement based on quantum search algorithm. Sci. Rep. 2017, 7, 45046.
  17. Huang, X.; Zhang, S.-B.; Chang, Y.; Qiu, C.; Liu, D.-M.; Hou, M. Quantum key agreement protocol based on quantum search algorithm. Int. J. Theor. Phys. 2021, 60, 838–847.
  18. Cai, X.-Q.; Liu, Z.-F.; Wei, C.-Y.; Wang, T.-Y. Long distance measurement-device-independent three-party quantum key agreement. Phys. A Stat. Mech. Appl. 2022, 607, 128226.
  19. Luo, W.; Liu, G. Asymmetrical quantum encryption protocol based on quantum search algorithm. China Commun. 2014, 11, 104–111.
  20. Yoon, C.S.; Hong, C.H.; Kang, M.S.; Choi, J.-W.; Yang, H.J. Quantum asymmetric key crypto scheme using Grover iteration. Sci. Rep. 2023, 13, 3810.
  21. Yoon, C.S.; Kang, M.S.; Lim, J.I.; Yang, H.J. Quantum signature scheme based on a quantum search algorithm. Phys. Scr. 2014, 90, 015103.
  22. Tseng, H.-Y.; Tsai, C.-W.; Hwang, T. Controlled deterministic secure quantum communication based on quantum search algorithm. Int. J. Theor. Phys. 2012, 51, 2447–2454.
  23. Microsoft Quantum Development Team. Quantum Error Correction Concepts. Microsoft Quantum Documentation. 2024. Available online: https://quantum.microsoft.com/en-us/insights/education/concepts/quantum-error-correction (accessed on 22 May 2025).
  24. Cabello, A. Quantum key distribution in the Holevo limit. Phys. Rev. Lett. 2000, 85, 5635.
  25. Qi, J.-M.; Xu, G.; Chen, X.-B.; Wang, T.-Y.; Cai, X.-Q.; Yang, Y.-X. Two authenticated quantum dialogue protocols based on three-particle entangled states. Quantum Inf. Process. 2018, 17, 247.
  26. Hung, W.-H.; Chen, T.-H. Revisiting Quantum Asymmetric Key Cryptography: Enhancing Practical Implementations with a Generalized Grover Search Algorithm. In Proceedings of the 2025 1st International Conference on Consumer Technology (ICCT-Pacific), Shimane, Japan, 29–31 March 2025; pp. 1–4.

Table 1. Comparison of quantum key agreement protocols based on Grover’s search algorithm.

| | Cao and Ma [16] | Huang et al. [17] | Ours |
|---|---|---|---|
| Methodology | GSA | GSA | GSA |
| Key sharing channels | quantum channels | authenticated classical channel | quantum channels |
| Requires authenticated classical channel | No | Yes | No |
| Quantum memory problem | No | No | No |
| Security | Yes | No | Yes |
| Fairness | Yes | No | Yes |
| Number of measurements | 8n | 4n | 8n |
| Number of unitary operations | 3n + 3n | 2n | 4n + 4n |
| Quantum communication efficiency $\eta_1$ | $\frac{2n}{8n + 0} = \frac{1}{4}$ | $\frac{2n}{4n + 2n} = \frac{1}{3}$ | $\frac{2n}{8n + 0} = \frac{1}{4}$ |
| Qubit efficiency $\eta_2$ | $\frac{2n}{8n} = \frac{1}{4}$ | $\frac{2n}{4n} = \frac{1}{2}$ | $\frac{2n}{8n} = \frac{1}{4}$ |

Chen, T.-H. A Grover Search-Based Quantum Key Agreement Protocol for Secure Internet of Medical Things Communication. Future Internet 2025, 17, 263. https://doi.org/10.3390/fi17060263
