A Secured Half-Duplex Bidirectional Quantum Key Distribution Protocol against Collective Attacks

: Quantum Key Distribution is a secure method that implements cryptographic protocols. The applications of quantum key distribution technology have an important role: to enhance the security in communication systems. It is originally inspired by the physical concepts associated with quantum mechanics. It aims to enable a secure exchange of cryptographic keys between two parties through an unsecured quantum communication channel. This work proposes a secure half-duplex bidirectional quantum key distribution protocol. The security of the proposed protocol is proved against collective attacks by estimating the interception of any eavesdropper with high probability in both directions under the control of the two parties. A two-qubit state encodes two pieces of information; the ﬁrst qubit represents the transmitted bit and the second qubit represents the basis used for measurement. The partial diffusion operator is used to encrypt the transmitted qubit state as an extra layer of security. The predeﬁned symmetry transformations induced by unitary in conjunction with the asymmetrical two-qubit teleportation scheme retain the protocol’s secrecy. Compared to the previous protocols, the proposed protocol has better performance on qubit efﬁciency.


Introduction
Quantum computing has affected many areas such as machine learning, optimization problems, material synthesis, and communication systems, specifically Quantum Key Distribution (QKD) [1][2][3][4][5][6][7]. QKD is an important aspect of quantum cryptography [8]. It allows exchanging cryptographic keys between two parties named Alice (A) and Bob (B). The two parties trust each other, but they do not have access to a secure communication channel [9]. The strength of QKD is that it uses the laws of quantum physics, especially the properties of light and photons, that are used to introduce methods for the secure distribution of encryption keys over communication networks [10].
In quantum physics, polarized light can be used to exchange information by encoding the values of classical bits into quantum objects. Each bit is represented by a pulse which is emitted and sent to the receiver as light signals. These pulses typically involve millions of light particles known as photons [10]. Eavesdroppers usually try to observe or detect information about the transmitted photons that would change the photon state. The transmission is then perturbed and causes a transmission interruption [11].
The measurement of the quantum state causes the state to be destroyed when an eavesdropper detects the photon and registers the bit value. Consequently, Eve prepares a new photon according to the information she received and then sends the photon to the receiver side [12]. The two parties can detect the attack where the receiver chooses a bit splitter that receives a photon from the sender randomly. On the other hand, Eve is not supposed to determine exactly which basis to perform the measurement in order to intercept the communication transmission. The eavesdropper can only guess the basis in a random manner, and if the guessing is wrong, then Bob would receive a muddled state that is disturbed by Eve who will consequently lose control over the communication channel [13].
In 2017, a semi-quantum version of the B92 protocol was presented where the sender party transmits one qubit to the receiver, which is a classical party. This protocol provides a security proof against collective and general attacks using fewer quantum resources [14]. In 2019, Po-Hua et al. proposed a mediated semi-QKD protocol that shares a secret key between two classical parties. This protocol uses a third untruthful party to generate single photon and perform Bell measurement [15]. In 2020, a QKD scheme against collective rotation channel noise was introduced. This protocol uses polarization and transverses the spatial modes of photons. The linear optical elements are used to measure two-single photon states to obtain the keys [9]. In 2021, Nitin Jain et al. demonstrated a QKD system that can generate composable keys that are secured against collective attacks. A machine learning framework for phase compensation was implemented to retain the excess noise under the null key length threshold [16]. In 2022, a semi-QKD protocol based on logical qubits was presented, two physical qubit entangled states are used, and the measurement of a single physical qubit is performed by the quantum communicant [17]. Xu et al. proposed a QKD protocol with random post-selection that reduces the error events with an enhanced detection efficiency [18]. Luis et al. proposed a method that obtains a complete reconciliation in QKD; this method determines the transmitted errors in a reverse reconciliation and corrects all of them, which is invariant to the error rate. However, this method is still not applicable on the collective attack [19].
This paper proposes a half-duplex bidirectional QKD protocol that is secured against collective attacks. The proposed QKD protocol provides a parameter estimation that can be completely estimated under the control of the two parties. This protocol is also secured against the intercepted attack where the sender prepares a two-qubit state that combines two main data, the bit and basis values. The partial diffusion quantum operator is applied to hide the two qubit state from the superposition against the direct measurement of an eavesdropper [20].
The remaining of this paper is organized as follows: Section 2 introduces the main basic tools used for developing the proposed protocol. Section 3 presents the structure of the proposed protocol in addition to a security proof of a collective attack and parameter estimation. Section 4 shows the discussion and results of this work. Finally, the main conclusion of this work is introduced in Section 5.

Basics and Main Methods
This section presents the main idea of quantum key distribution and the basic tools and operators used for developing the proposed protocol.

Quantum Key Distribution
In QKD, the two parties have a quantum communication channel (QCC) in addition to a classical channel. The basic principles of quantum physics are utilized where Alice and Bob can transmit qubits to each other using photons to ensure the secrecy of achieving random keys. In the classical channel, post processing methods are implemented to analyze any eavesdropping behaviors and estimate statistics required to rectify interceptions occurred in the QCC [11].
QKD starts from the QCC where the preparation and measurement of qubits take place randomly in different bases. This step is followed by data sifting, parameter estimation, error correction and privacy amplification in the authenticated classical channel that are implemented to determine which measurement results could lead to secret key bits [8]. Incompatible measurements are discarded from the raw key during the key sifting step; the discarded bits have different photon polarization of their equivalent qubits. In the parameter estimation stage, Alice and Bob estimate the security parameters of the QCC in order to statistically predict the information about their key that is attacked by Eve. The error rate is produced from the parameter estimation stage and is compared by a certain threshold. If the value of the error rate is greater than the threshold, then the protocol is aborted because this indicates that there is an attack or a channel noise; in both cases, the iteration is stopped to guarantee the secrecy of the protocol. On the other hand, if the error rate is less than a certain threshold value, then the protocol continues toward the error correction stage [21].
According to the estimation parameters, the leakage information is estimated; then, Alice and Bob have to remove the errors from their shared key to reconcile their key. This is achieved during the error correction step by implementing an appropriate classical error reconciliation algorithm. During the error correction step, appropriate classical error reconciliation algorithms are used to remove errors of the shared key. These algorithms use the statistical parameters of the parameter estimation step. The conditional Von Neumann entropy associated with the conditional Shannon entropy can be used to compute the key rate [14]. Furthermore, other error reconciliation methods can be applied that correct all the errors that are produced in regular binary frames transmitted over a noisy QCC despite the error rate of the quantum channel [19].
Privacy amplification is then applied to the raw key to reduce the information that Eve has gathered up about the key. In this stage, the correlation between the key and Eve is stopped, and the two parties transform their identical shared key into a new shrinked key unknowable to Eve. The development of quantum communications can be enhanced when using powerful teleportation schemes. Combining quantum teleportation with QKD strategies can remove some implicit noisy effects, and hence, enhance the secrecy of the quantum communications channels [22]. Figure 1 shows schematically the main stages of main QKD protocol.

Partial Diffusion Operator
The partial diffusion operator is a quantum operator that is used to hide quantum states from a superposition to increase the security level in communication systems [23]. It can be represented by the following equation: where W denotes the Walsh Hadamard gate, the vector |0 is of length 2 n+1 , and I n represents the identity matrix. The partial diffusion operator performs the inversion about the mean on the subspace of the system entangled with |0 , which is followed by performing a phase shift of −1 on the subspace of the system entangled with |1 in order to differentiate the hidden states from the selected states. The oracle U f is an operator that evolves to be true for the selected states [20]. The operator U f is applied to determine the selected and hidden states where U f |x, 0 → |x, f (x) . Figure 2 illustrates the implementation circuit of D P . It evaluates to true for the target states and false otherwise. D P is expressed by the following equation: where β is a complex number and β = 1 N ∑ N−1 j=0 β j represents the mean of the amplitudes of the states in the superposition [23]. For example, applying the quantum operator D P on the 2-qubit system |ψ = 1 2 (|00 + |01 + |10 + |11 ) is to convert |ψ to a superposition of any two states contained in this system that can be substituted by the other two states by substituting and restoring them. The states to be hidden and the states to be selected are chosen depending on the data exchange requirements.
The hidden states can be restored using the Grover's quantum operator G that performs the inversion about the mean [24]. Figure 3 presents the quantum circuit of the Grover's operator for a 2-qubit system.

Theoretical Work
The usage of QKD can be presented by analyzing the collective attack and parameter estimation steps of the protocol. In collective attacks, Eve performs the same operation each iteration of the quantum communication stage. It is the channel side leakage of information introduced by imperfect devices in the transmission and measurement of quantum states [9]. Section 3.1 presents the main structure and steps of the proposed half-duplex bidirectional QKD protocol. Section 3.2 presents the steps of the collective attack executed by Eve in both the forward and reverse directions.

The Structure of the Proposed Protocol
This protocol utilizes a half-duplex bidirectional quantum channel, forward ( f wd) and reverse (rvs) in addition to an Authenticated Classical Channel (ACC). Alice starts the QKD protocol with two random classical bit strings s and t, each of size N = (4 + δ)n , where s comprises the bit values 0 or 1, while t denotes basis Z and basis X, which are denoted by o and 1, respectively, and n denotes the raw key bits and then encodes them into quantum bits according to the values of each bit in strings s and t where where s l is the lth bit of s ands l denotes the bitwise complement of s. The effect of this procedure is that Alice encodes s as determined by t as a block of 2-qubit states. The classical bit 0 in string s is encoded into |φ 0 = |00 + |10 or |φ 1 = |01 + |11 when the value of the corresponding bit in string t is 0 or 1, respectively. The classical bit 1 in string s is encoded into |φ 0 or |φ 1 when the value of the corresponding bit in string t is 0 or 1, respectively. Alice then applies the partial diffusion quantum operator for hiding the prepared quantum states that comprises the bit and basis values by other two qubit states within the superposition as an extra security level [20]. This makes the message safe by direct measurement from an eavesdropper. The state is now ready to be transmitted to Bob using the asymmetrical two-qubit teleportation configuration T that consists of five particles. Alice comprises the two-qubit state that she intends to transmit to Bob in addition to the third qubit that is entangled with Bob in a GHZ state [25]. Alice sends to Bob through the ACC the Grover quantum operator G and the predefined unitary transform U s where s ∈ {0, 1}. Bob saves his results as a raw key where R denotes the size of Alice's and Bob's raw keys. Figure 4 demonstrates the forward direction steps of the proposed protocol for one iteration. Bob prepares a new state based on his measurement and retransmits to Alice through the reverse direction using T . Alice performs the same unitary transformation she sent to Bob and then measures the system and saves her measurement as a raw key. The protocol's communication stage consists of the following steps: Step 1.
Alice starts with two random classical bit strings s and t, each string is of size N where N = (4 + δ)n where δ is a parameter > 0.
Alice encodes s and t into a (4 + δ)n superposition of two states where the second qubit represents the basis used for measurement, whereas the first qubit represents the bit value. The prepared qubits are then |φ 0 or |φ 1 .
Step 3. Alice performs a partial diffusion quantum operator that is used as an extra security level by substituting the prepared qubits by other qubits from the superposition.
The two-qubit state is teleported from Alice to Bob through the f wd direction of the unauthorized QCC.
Bob performs the Grover's quantum operator followed by the predefined unitary transformation sent by Alice through ACC and performs his measurement. Step 6.
Bob prepares a two-qubit state based on his measurement and retransmits the qubit through the rvs direction of the QCC.
Alice performs the same predefined unitary transformation sent to Bob. Table 1 illustrates the different combinations of the bit and basis values, their equivalent two qubit states, and the predefined unitary transformation. The unitary transformation U 0 applies the Hadamard gate H that transforms |0 into the symmetric linear combination |0 + |1 while it transforms |1 into the anti-symmetric linear transform |0 − |1 . Furthermore, the unitary transformation U 1 applies the symmetric effect of the phase flip gate followed by the Hadamard gate. Figure 5 demonstrates the reverse direction steps of the proposed QKD protocol for one iteration. Table 1. Encoding classical bits and basis measurement into two-qubit state. In each iteration, the bit and basis are encoded into a 2-qubit state; then, a predefined symmetry transformation is applied. Figure 5. The steps of the reverse direction of the proposed half-duplex bidirectional QKD protocol for one iteration. Bob transmits the prepared state to Alice through the reverse direction using asymmetry 2-qubit teleportation scheme T .

Bit Basis Encoded 2-Qubit State Unitary Transformation
After repeating the protocol's steps N times, the sifting procedure is performed. For each iteration, Alice will compare the bit and basis values s and t through the ACC with Bob's measurement values after performing U s in order to establish their shared raw key R. The amount of discarded qubits is denoted by M, where M = N − R.

Collective Attack
For one iteration of the protocol, by setting the measurement to be Z-basis, H T represents the two-dimensional Hilbert space modeling the qubits in the transit space. The Eve's private ancilla is represented by H E where the qubits prepared by Eve are denoted by |E . The Eve's ancilla qubit states after the forward attack are denoted by |e j where j denotes the state's index. The states |e k i,j are arbitrary states that resulted from the reverse attack where i denotes the original qubit that is transmitted through the system, j denotes the index of the ancilla qubit resulted from the f wd direction attack, and k represents the ancillary qubits that are entangled with the original system. The quantum operators U f wd and U rvs are unitary operators that perform the attack operation and act on H T ⊗ H E . U f wd is used to attack qubits that are transmitted from Alice to Bob (forward direction) while U rvs is used to attack qubits that are returning from Bob to Alice (Reverse direction). The following equations demonstrate the most general form of the collective attack and illustrate the effect of performing U f wd and U rvs on the first transmitted qubit.
The state |j ⊗ |E is subjected to Eve's unitary transformation that changes the state sent by Alice. The following steps present the analysis of a single iteration of the proposed QKD protocol. It describes the case that Alice sends a Z-basis state where the two parties perform a measurement is in the same basis: Step 1.
The quantum state that represents the qubit prepared by Alice is where the sender prepares a qubit state of the form |00 + |10 . Step 2.
Eve attacks the qubit transmitted from Alice. The unitary attack operator U f wd is applied in the forward direction using Equations (4) and (5). For simplifying the analysis, we focus on attacking the first qubit.
Similarly, the probability of measuring the system in state |1 is Ψ|M 1 M † 1 |Ψ and can be represented as By analyzing the system using Equations (14) and (15) yields: Figure 6 illustrates the steps of the collective attack executed by Eve in both the f wd and rvs directions through one iteration of the proposed QKD protocol. Figure 6. The collective attack. Eve intercepts the qubit transmitted from Alice to Bob in the forward direction using the U f wd operator, and Eve intercepts the qubit transmitted from Bob to Alice in the reverse direction using the U rvs operator.

Parameter Estimation Stage
The two parties can estimate the interception of Eve in the f wd and rvs directions during the parameter estimation stage. Alice generates a set of random bits and encodes them by measuring them randomly in the Z or X-bases. Alice then sends the encoded qubits through the shared QCC that is not secured and authorized by Eve. Before Bob receives the encoded qubits, Eve intercepts the qubits. The cases where Eve measures in a different basis from Alice's will change the qubits states. Eve then passes on the qubits to the receiver side where the qubits are measured. If Alice and Bob measure in the same basis, this means that Bob has a probability of 50% to receive the correct bit. The two parties discard the useless bits of different measured bases in the sifted key step to obtain their raw keys. Alice then chooses a random selection of her sifted key and Bob chooses the same selection part; then, they compare the selected parts to detect Eve's interception. The expectation value of a probability of the quantum state can be determined from the quantity P m,b,a where the parameter m denotes to the encoded qubit equivalent to the bit of the message sent by Alice, and the parameters b and a represent the bases Bob and Alice used to measure, respectively. The probability P m,b,a can be used to estimate the value e k i,j |e k i,j which is used to calculate the amplitude of each state [26]. For example, to estimate P 1,1,0 , Alice initially sends the bit 1 which according to Table 1 is encoded into the qubit state |00 + |10 where If Eve's measurement value after her attack in the f wd direction is |10 , then the qubit state according to (5) is changed to be where e 2 |e 2 + e 3 |e 3 = 1. Eve passes the qubit to Bob, and the probability that Bob measures the qubit in basis 1 is e 3 |e 3 where Bob transmits the qubit back to Alice whereas Eve attacks it in the rvs direction. According to Equation (7), where j = 3, this interception changes the qubit as Eve passes on the qubits back to Alice after the attack. The probability that Alice measures the qubit in basis 0 is The quantity P m,b,a can be calculated using the conditional probability formula [27]. Providing that Alice initially sends m, then where Pr(A a ) is the probability of the event that Alice measures |a , Pr(B b ) is the probability of the event that Bob measures |b , and Pr(A a |B b ) is the probability of the event that Alice measures |a in the rvs direction after Bob has already measured |b in the f wd direction. Now, the quantity Pr(A a ∩ B b ) which denotes the probability that Alice measures |a and Bob measures |b can be calculated. Returning to the above example, Equations (19)- (23) can be executed to estimate other cases. Table 2 summarizes the estimation values of probabilities when Alice initially sends |0 . Parameter estimation results when Alice initially sends |1 are summarized in Table 3. Eve cannot obtain any information using the ancillary particles, and if Eve wants to make the ancillary qubits distinguishable, then his attack will be detected by the two parties.    The key rate against collective attack [28] can be calculated using the following equation: r(ρ ABE ) = I  S(B, E). The mutual information denoted by I (A : B) is a measure of the correlations between two systems; it is used to quantify the amount of bits that Alice and Bob have to discard from their mutual data for error correction [14].
The quantum mutual information between Bob and Eve that quantifies the amount of privacy amplification that is necessary to eliminate the information obtained by Eve is represented by χ(B : E).
By analyzing out the system of (13), ρ BE can be represented as follows The Von Neumann entropy S(B, E) = S(ρ BE ) can then be computed as From Tables 2 and 3, the equation can be rewritten as S(ρ BE ) = H(P 0,0,0 + P 0,0,1 + P 1,0,0 + P 1,0,1 + P 0,1,0 + P 0,1,1 + P 1,1,0 + P 1,1,1 ) The mutual information between B and E can be deduced from the following equation [29] Finally, this equation can be rewritten in terms of quantities on systems A and B as follows and the initial state ρ ABE is where each σ j is a Hermitian operator.

Results and Discussion
The proposed QKD protocol can be explored in a straightforward manner by analyzing the steps of the protocol, as shown in Figure 4. The steps of the proposed QKD protocol are statistically analyzed and simulated using the Qiskit software [30]. The simulation circuit has f ive quantum registers; the first three qubits are under the control of Alice, while the fourth and fifth qubits are under Bob's control. Alice prepares |Φ and communicates with Bob using the shared public QCC through the asymmetrical two-qubit teleportation scheme. Bob receives the two-qubit state and measures it; then, he prepares a new state based on his measurement. Alice reveals the symmetry transformation she used for encoding the string a. The two parties start the protocol with N bits and check the communication to detect the existence of eavesdropping.
The generation of a raw key exchanged between the two parties is executed where the qubits are exchanged between the sender and the receiver through unsecured quantum channel, and eavesdropping attacks are expected to occur. Figure 7 illustrates the circuit implementation of the f wd direction where Alice transmits a bit value ∈ {0, 1} where the state |00 + |10 or |01 + |11 are prepared, respectively, to be sent through the communication channel. If Alice transmits a bit of the message after encoding it into a 2-qubits and there is no eavesdropping attack, then the qubit will be received as it is. Figure 8a  In the case of eavesdropping interception, the quantum channel is not secured, and the eavesdropper executes trials to measure the transmitted qubit before the receiver performs his measurement. Figure 9 illustrates the circuit implementation of the f wd direction in the case of eavesdropper interception. Eve measures the qubit state before reaching Bob, and this reduces the probability value of receiving the exact qubit state to be approximately half. The state of the qubit will be changed to |00 or |10 if Alice prepared a Z-basis state which is presented in Figure 10a, and if Alice prepared a X-basis state, then the state will be changed to be |01 or |11 , which is presented in Figure 10b.  After all the qubits are measured, Alice and Bob reveal the information about their raw keys through a classical communication channel. Bits with law correlation are then discarded so that the two parties share a correlated sifted key. There are two reasons for mismatching between the secret keys of the two parties: the first is the existence of noise in the communication channel, and the other reason is the interception of Eve using an attack; hence, the two parties discard these bits from the key.
The proposed protocol is compared to the protocols presented in [15,17] with respect to the qubit efficiency. The qubit efficiency λ [31] is the ratio between the total number of the key bits established to the total number of qubits generated in the protocol and can be represented by the following equation where n c represents the total number of key bits established, and n q denotes the total number of the generated qubits. In the protocol presented in [17], the total number of consumed quantum states to establish n raw key bits can be approximately calculated by the following equation N = r(6n(1 + δ) + 6n(1 + δ)/2), where r denotes the initial quantum resource being equal to 2 because this protocol uses a two-qubit entangled state, and δ is a small parameter greater than 0. In [17], Alice prepares 6n(1 + δ) and Bob produces 6n(1 + δ)/2, so N = 2(6n + 3n) = 18n, and hence, the qubit efficiency = n 18n = 1 18 . The qubit efficiency of the protocol presented in [15] has the value 1 24 , where this protocol uses the properties of single photons and the Bell measurement. In the proposed protocol, in order to establish n raw key bits, Alice initially prepares N qubits in the f wd direction which is followed by using N/2 qubits temporarily to mark the required states in performing the oracle and partial diffusion quantum operators. The same N 2 qubits will be used for executing the teleportation T scheme where an entanglement in a GHZ state is established with Bob. In the f wd direction, Bob prepares N qubits; then, after his measurement, he prepares N qubits in the rvs direction that are used in the sifting operation. The qubit efficiency for this protocol is λ = n 7N 2 = 2n 7(4+δ)n ≈ 1 14 , where δ is a small parameter greater than 0. The protocol presented by Xu et al. [18] proved the security against collective attacks in the device-independent QKD protocol with random post selection, whereas our protocol successfully proved the security against collective attack with multi-state random selection in addition to using the partial diffusion quantum operator and unitary transformation operators. Table 4 compares some important features among the protocol of Lin et al. [15], that of Pan et al. [17], and the proposed half-duplex bidirectional QKD protocol. Table 4. Comparison of [15,17], and our proposed half-duplex bidirectional QKD protocol.

Lin et al. Protocol
Pan One of the advantages of this approach is that the bits and bases are represented by 2-qubit states that are hidden through the communication channel using the partial diffusion operator, and this increases the ratio between the total number of the shared qubits to the number of the consumed qubits and hence increases the qubit efficiency. Furthermore, the proposed QKD protocol provides a parameter estimation that can be completely estimated under the control of the two parties. In the future work, the security of the protocol against other eavesdropping attacks can be addressed; this might be mitigated using more advanced quantum operators and schemes.

Conclusions
Despite the fact that QKD is costly to be implemented due to the high number of required qubits to realize an efficient protocol for real applications, it is considered as one of the main important use cases in the near future for the second quantum revolution. In this work, we propose a half-duplex bidirectional QKD protocol and prove its security against collective attacks. We have addressed two main key points that count toward the impact of the proposed protocol: encoding the information and raising the qubit efficiency. For the first one, we have shown how the use of a bidirectional quantum communication enables two parties to improve the security of QKD. Bits and bases are represented by two-qubit states which are hidden through their transmission using the partial diffusion quantum operator. The Grover's quantum operator is applied once to restore the hidden states. The different security layers implemented by the mentioned symmetry transformations induced by unitary managed to make it more robust against attackers. For the second one, a powerful asymmetrical two-qubit teleportation scheme is used for transmitting the twoqubit states in the forward and reverse direction of the protocol. The teleportation scheme consists of five particles: Alice comprises the first three particles, which are also used in performing the partial diffusion operator, and the third particle is entangled with Bob in a GHZ state. The principles of probability theory are used to estimate any eavesdropper interception using the conditional Shannon entropy associated with von Neumann entropy. Compared to other protocols, the proposed scheme does have a higher qubit efficiency ratio. Despite the fact that this protocol managed to detect Eve's presence, further analytical analysis is required to determine the exact accuracy of detecting an eavesdropper especially when the diffusion operator is incorporated. Moreover, as a future direction, enhancing this protocol against noisy quantum channels would be an interesting research direction. Funding: This research received no external funding.

Data Availability Statement:
The data presented in this study are available within the article.