Quantum Enabled Data Authentication Without Classical Control Interaction

Abstract

We present a quantum-assisted data authentication protocol that integrates classical information-theoretic security with quantum communication techniques. We assume only that the participants have access to open classical and quantum channels, and share a random static key material. Building on the Wegman–Carter paradigm, our scheme employs universal hashing for message authentication and leverages quantum channels to securely transmit random nonces, eliminating the need for key recycling. The protocol utilizes polar codes within Wyner’s wiretap channel model to ensure confidentiality and reliability, even in the presence of an all-powerful adversary. Security analysis demonstrates that the protocol inherits strong guarantees from both classical and quantum frameworks, provided the quantum channel maintains low loss and noise.

1. Introduction

Data authentication—guaranteeing the integrity and origin of messages—is an indispensable primitive in modern cryptography, supporting secure communication, distributed control, and cryptographic key management. In practice, most deployed authentication mechanisms, such as block-cipher-based or hash-based MACs and digital signatures, provide only computational security: their guarantees rely on hardness assumptions and on large software stacks. By contrast, the Wegman–Carter construction [1] achieves unconditional authenticity. Its security follows from information-theoretic arguments, but at the cost of requiring new shared key material for each authenticated message [2]. This “fresh-key bottleneck” becomes a serious limitation in long-lived or high-throughput deployments.

Quantum information offers the possibility of detecting eavesdropping: any attempt to observe quantum states unavoidably disturbs them. This feature motivates quantum authentication schemes that can reuse keys as long as no disturbance is detected. Barnum et al. [3] introduced the encrypt-then-encode approach, combining a quantum one-time pad with purity-testing codes. Subsequent work developed trap-code authenticators embedding hidden qubits [4], design-based schemes with strong post-accept security [5], and efficient unitary two-design authenticators [6]. Portmann [7] and Dulek–Speelman [8] extended this line to composable settings, proving that strong purity-testing codes enable key recycling. These results demonstrate that unconditional authentication with key reuse is theoretically possible, but their reliance on quantum tags, entanglement, or unitary designs makes near-term implementation difficult.

A more practical direction keeps the authentication tag classical and employs quantum communication only to enable key reuse. The core insight, first noted by Bennett et al. [9], is that if quantum transmission reveals tampering, then keys may be safely reused when verification succeeds. Damgård et al. [10] provided the first rigorous realization using mutually unbiased bases in high dimensions, achieving near-optimal key recycling but requiring legitimate parties being equipped with quantum computers because of the nature of quantum states manipulation. Fehr and Salvail [11] reduced the quantum requirements to BB84 prepare-and-measure qubits. Their scheme transmits the plaintext and Wegman–Carter tag over the classical channel, while a hidden nonce is delivered via BB84 states. If verification succeeds, the full key may be reused; otherwise, part of the secret must be refreshed. Follow-up work improved noise tolerance by employing extended encoding [12,13] and further reduced interaction, showing that only an authenticated one-bit acknowledgement is necessary [14]. Despite these advances, authenticated feedback and occasional key renewal remain unavoidable, and dependence on robust classical authenticated channels introduces tension between quantum and classical resources [15,16].

We present a new approach to the construction of data authentication protocols that leverages both classical and quantum resources. The protocol is designed upon three fundamental pillars:

• Shannon’s security model: the authentication tag is computed using a classical Wegman–Carter construction, ensuring information-theoretic protection against forgery.
• Wyner’s wiretap model: confidentiality arises from the intrinsic errors occurring in the adversary’s channel, which limit the amount of information that can be extracted.
• Quantum communication: the use of quantum states guarantees that the assumptions underlying Wyner’s model are satisfied, since any eavesdropping attempt unavoidably introduces disturbances that can be detected.

This line of research is closely related to the work of Fehr and Salvail [11], who showed that classical authentication combined with quantum communication enables secure key recycling. Our protocol can be seen as a continuation of this direction, with the main innovation being a different technique for confidentiality provision. Instead of embedding random nonces directly into BB84 states, we construct and transmit a structured sequence of polar-coded codewords, which improves confidentiality guarantees. Recent results demonstrate wiretap-style secure transmission implemented with polar codes, both at the conceptual level and in practical optical systems [17,18], which directly motivates our use of polar-coded structures.

By combining these elements, the protocol achieves data authenticity, even in the presence of an all-powerful adversary. The net effect is the elimination of the key recycling requirement. The remainder of this paper is organized as follows. First, we review the required background on Wegman–Carter authentication, quantum communication, wiretap channels, and polar codes (Section 2). Next, the proposed authentication protocol is introduced together with the underlying security model (Section 3). Afterwards, a security analysis is presented, establishing unconditional integrity and confidentiality of the nonce (Section 4.1). The discussion then turns to practical aspects, including resource requirements and implementation feasibility (Section 4.2). Finally, this paper concludes with a summary of the main contributions and an outlook on future work (Section 5).

2. Preliminaries

2.1. Notation

We follow standard information- and coding-theoretic conventions. Random variables and random vectors are denoted by capital letters (e.g., X, Y, $A^N$), and their realizations by lowercase letters (x, y, $a^N$). For $N\in \mathbb{N}$, we write $X^N\triangleq (X_1,\dots ,X_N)$ and $x^N\triangleq (x_1,\dots ,x_N)$. All logarithms are base 2 unless stated otherwise. Concatenation of bit strings is written $u\parallel v$ and bitwise XOR as ⊕.

A discrete memoryless channel (DMC) is $W:X\to Y$ with transition law $W(y\mid x)$ and N-fold product $W^N(y^N\mid x^N)\triangleq {\prod }_{i=1}^{N}W(y_i\mid x_i)$. We use the mutual information $I(·;·)$ in the usual sense. Binary symmetric and erasure channels are denoted $\mathrm{BSC}\left(p\right)$ and $\mathrm{BEC}\left(q\right)$ with flip and erasure probabilities p and q, respectively.

The protocol assumes a pre-shared secret key $K=(k_b,k_h,k_m,k_p)$, known to Alice and Bob and unknown to Eve. Its components are used at different stages of the transmit chain: $k_b$ selects the preparation/measurement basis in the quantum physical layer; $(k_h,k_m)$ are used exclusively for the Wegman–Carter message authentication tag; and $k_p$ parametrizes the coding layer. Where relevant, we state explicitly which component of K is in use and whether additional fresh randomness independent of K is employed.

2.2. Wiretap Channel Model

Physical Layer Security (PLS) is a core concept in contemporary data security, focusing on confidentiality provision at the physical layer of a communication system [19]. In contrast to conventional cryptographic methods predominantly operating at higher protocol layers, PLS aims to exploit the properties of the physical communication channel to protect transmitted data. A Wiretap Channel Model (WCM), depicted in Figure 1, forms a mathematical framework to develop and analyze PLS systems.

This model assumes that the communication channel between legitimate parties (sender and receiver) introduces fewer errors than the channel available to an adversary. Exploiting this distinction facilitates the achievement of confidential communication. Key contributions from Wyner [20] and Csiszar and Körner [21] emphasize that Alice can employ a Forward Error Code (FEC) to achieve reliable transmission of confidential messages at rate

$$C_s=\underset{U,V,X,Y,Z}{max}I\left(U^N;Y^N\right)-I\left(U^N;Z^N\right),$$

(1)

where optimization is taken over random variables $U\to V\to X\to Y,Z$ forming a Markov chain in that order. Here, $I(·;·)$ denotes mutual information, $C_s$ is referred to as the secrecy capacity, $X^N$, $Y^N$, $Z^N$ are random variables describing the channel input and output of legitimate parties and the channel output of the adversary, respectively. In the above, we used the notation $A^k=\left(A_1,A_2,\dots A_k\right)$ to denote vector random variables. The auxiliary random variables U and V are referred to as rate splitting and channel prefixing parameters. Unfortunately, in these milestone works the proofs are unconstructive and do tell how to construct a secrecy capacity achieving code. The solution to that problem is presented in the next section.

However, the main challenge in practical application of PLS techniques is ensuring that the adversary’s channel is sufficiently degraded. In classical systems, various sophisticated methods are employed to achieve this [22]. The use of quantum channels, due to their unique properties, opens entirely new possibilities in this regard. An adversary must possess knowledge of the quantum symbol preparation method to deterministically decode the encoded information; otherwise, her measurements are probabilistic and subject to errors. Moreover, an incorrect measurement setup destroys the information contained in quantum symbols and contributes to the error rate observed by legitimate parties. As a result, they can estimate potential information leakage based on the observed error rate and terminate the protocol execution if the leakage is excessive. The adversary’s situation is further complicated by the no-cloning theorem, which prevents faithful copying of quantum symbols for later measurement or for producing multiple copies for statistical analysis. In the following section, we describe the method of encoding classical information into quantum states that ensures these properties. The description is presented in a manner accessible to engineers who do not routinely work with quantum information processing.

2.3. Quantum Physical Layer

The proposed further encoding of classical information in quantum states can be considered as special case of channel modulation that uses symbols of unusual properties. We rely solely on elementary properties of quantum measurement (no entanglement is used in this work). For readers new to these concepts, the measurement model we adopt and the Dirac notation used throughout are briefly reviewed in Appendix C. For clarity, we summarize the quantum features that our protocol exploits. First, measurement outcomes are inherently probabilistic when the way of symbol preparation is unknown to the observer, so Eve cannot deterministically infer the transmitted symbol. Second, by the no-cloning principle, Eve cannot create additional perfect copies of the state and thus has only a single copy available for measurement. Third, measurement is digital in the sense that outcomes come from a finite set; for qubits there are exactly two possible results. By contrast, in the classical setting copying is unrestricted, observation can be effectively analog, and the state can often be determined without knowing how it was prepared.

Let us consider the operation of a channel modulator used in the famous BB84 QKD protocol [9]. The classical bit m is encoded as the m-th element of the basis selected by bit $k_b$. In our protocol, the bit $k_b$ is a part of a key secretly shared by legitimate parties. The encoding process is described by the following expression

$$|q(k_b,m)\rangle ={\mathbf{H}}^{k_b}|m\rangle ,$$

(2)

where H represents the Hadamard gate, defined as

$$\mathbf{H}=|+\rangle \langle 0|+|-\rangle 1={\displaystyle \frac{1}{\sqrt{2}}}\left[\begin{array}{cc}1& 1\\ 1& -1\end{array}\right].$$

(3)

The resulting quantum states are summarized in

Table 1. Rules used to encode classical bits into quantum states. The symbol $k_b$ in Table 1 denotes the secret basis–selection key, shared by Alice and Bob and never transmitted. It selects the preparation/measurement basis in the quantum layer.

Classical Bit	${\mathit{k}}_{\mathit{b}}=0$	${\mathit{k}}_{\mathit{b}}=1$
“0”	$|0\rangle$	$|+\rangle$
“1”	$|1\rangle$	$|-\rangle$

. The decoding is simple for the legitimate recipient. Bob just has to employ the same transformation to the received state $|q^{\prime }\rangle$ using the same value of the secret bit k,

$${\mathbf{H}}^{k_b}|q^{\prime }\rangle \to |m^{\prime }\rangle ,$$

(4)

and measure the resulting state on a computational basis to recover the transmitted bit. The above correctness is guaranteed by the property of Hadamard gate ${\mathbf{H}}^2=\mathbf{I}$, where I is the identity operator. However, the eavesdropper lacks knowledge of whether to apply the Hadamard transformation. Consequently, with probability $1/2$, Eve selects an incorrect measurement basis when attempting to decode the symbol $\left|q\right(k_b,m)\rangle$. When the correct basis is chosen, her measurement outcome is deterministic. For incorrect basis selection, the measurement outcome is probabilistic, yielding either “0” or “1” with equal likelihood. Therefore, the average BER observed by the eavesdropper is 25%. Moreover, for instances in which Eve employs the incorrect basis, the post-measurement qubit collapses into a state incompatible with the legitimate basis, rendering subsequent measurements by the legitimate receiver non-deterministic. This process irreversibly disturbs the transmitted information, leading to an increased BER for the legitimate parties. Thus, there exists a direct correspondence between the BER observed by legitimate parties and the extent of information leakage to the adversary; this property is not exploited in our design. The described method of encoding classical information into quantum states ensures that an adversary, lacking knowledge of the secret bit $k_b$, cannot deterministically decode the transmitted information.

2.4. Polar Coding for Wiretap Channel

Recently, considerable research has focused on the construction of practical encoding schemes that achieve secrecy capacity. The WCM results can be applied almost directly to the physical layer implementation proposed in Section 2.3. Further, we advocate for the adoption of polar codes [23] for sensitive information encoding, as proposed in [24,25]. This choice is motivated by the availability of effective decoders and theoretical proofs demonstrating the achieved security measures. The key problem of the polar code design for the WCM is the proper mapping of sensitive information to codewords.

Let $N=2^n$, where $n\in \mathbb{N}$. Consider a transformation of the form

$$x^N=a^N{G}^{\otimes n}=a^N{\left[\begin{array}{cc}1& 0\\ 1& 1\end{array}\right]}^{\otimes n},$$

(5)

where ⊗ denotes the Kronecker product. Assume that the variable $A^N$ is transmitted through the channel ${W^N}_{X^N\to Y^N}$ is transmitted as N independent uses of channel $W_{X\to Y}$, the received values of ${\widehat{A}}_k$ must be decoded sequentially. Arikan proved [23] that in the limit of long codewords, ($N\to \infty$) virtual channels $W_{A_k\to {\widehat{A}}^{k-1}{Y}^N}$ responsible for transmission of the $A_k$ variable fall into two distinct categories (hence the name polarization):

• almost perfect channels with $I\left(A_k;{\widehat{A}}^{k-1}{Y}^N\right)>1-\epsilon$;
• almost useless channels with $I\left(A_k;{\widehat{A}}^{k-1}{Y}^N\right)<\delta$.

Following this observation, the set $\left[N\right]$ of indices $A^N$ can be divided into reliable ${\mathcal{L}}_{A\mid Y}$ and useless ${\mathcal{H}}_{A\mid Y}$ ones:

$$\begin{array}{cc}\hfill {\mathcal{L}}_{A\mid Y}& \triangleq \left\{k:Z\left(A_k\mid {\widehat{A}}^{k-1}{Y}^N\right)<\epsilon \right\},\hfill \end{array}$$

(6)

$$\begin{array}{cc}\hfill {\mathcal{H}}_{A\mid Y}& \triangleq \left\{k:Z\left(A_k\mid {\widehat{A}}^{k-1}{Y}^N\right)>1-\delta \right\}.\hfill \end{array}$$

(7)

In the above, we have used the Bhattacharyya distance [26] $Z\left(X\mid Y\right)$ as an alternative way of quantitative characterization of the mentioned feature. It follows that the so-called frozen bits $k\in {\mathcal{H}}_{A\mid Y}$ cannot be reliably delivered and must be known in advance at the decoder. At the same time, it is proved that whole information can be transmitted on $k\in {\mathcal{L}}_{A\mid Y}$

$$\underset{N\to \infty }{lim}{\displaystyle \frac{∣{\mathcal{L}}_{A\mid Y}∣}{N}}=I\left(X;Y\right).$$

(8)

Unfortunately, for the finite codeword length N, the polarization is not complete and there exists some small subset of indices that cannot be accounted for ${\mathcal{L}}_{U\mid Y}$ nor ${\mathcal{H}}_{U\mid Y}$.

$$\mid \left[N\right]\setminus {\mathcal{H}}_{U\mid Y}\setminus {\mathcal{L}}_{U\mid Y}\mid =o\left(N\right).$$

(9)

This fact has to be accounted for in the design of polar coding for WCM.

When designing polar code for WCM, two channels must be considered simultaneously: $W_{X\to Y}$ and $W_{X\to Z}$. This introduces two classes of polarization we are interested in: ${\mathcal{L}}_{A\mid Y}$—bits that can be delivered reliably to Bob and ${\mathcal{H}}_{A\mid Z}$—bits that are random for Eve. The intersections of these classes as shown in Figure 2 are used to design the secure mapping of information to codewords.

For degraded WCM, i.e., when Eve eavesdrops Bob’s device, the situation is relatively simple because ${\mathcal{L}}_{A\mid Z}\subset {\mathcal{L}}_{A\mid Y}$ and ${\mathcal{H}}_{A\mid Y}\subset {\mathcal{H}}_{A\mid Z}$, where the mentioned classes are defined as in (6) and (7) with respect to channels $W_{X\to Y}$ and $W_{X\to Z}$. However, when Eve eavesdrops Alice, the mentioned inclusion of classes does not take place. Another obstacle arises from the fact that, for finite-length codewords, there exists a small subset of indices that cannot be assigned to the reliable $\mathcal{L}$ or random $\mathcal{H}$ bit classes. The solution presented further exploits the following bit classes:

• ${\mathcal{L}}_{A\mid Y}$—bits known to Bob;
• ${\mathcal{L}}_{A\mid Y}^c=\left[N\right]\setminus {\mathcal{L}}_{A\mid Y}$—bits unreliable for Bob;
• ${\mathcal{H}}_{A\mid Z}$—bits random for Eve;
• ${\mathcal{H}}_{A\mid Z}^c=\left[N\right]\setminus {\mathcal{H}}_{A\mid Z}$—bits partially decodable by Eve.

The employed mapping is proven to be secure in [27] and is shown in Figure 2. To achieve secrecy goals, the sensitive information is transmitted through channels that are both good for Alice and bad for Eve $\mathcal{I}={\mathcal{L}}_{A\mid Y}\cap {\mathcal{H}}_{A\mid Z}$. Bits in subset $\mathcal{B}={\mathcal{L}}_{A\mid Y}^c\cap {\mathcal{H}}_{A\mid Z}$ cannot be reliably decoded by Bob, but also, they are not accessible for Eve. In general, some random secret value, the same for each codeword and shared between Alice and Bob, can be assigned to this field. It is the part $K_c$ of the shared secret. Bits in subset $\mathcal{R}={\mathcal{L}}_{A\mid Y}\cap {\mathcal{H}}_{A\mid Z}^c$ can be reliably decoded by Bob, but they are also partially accessible for Eve, so they cannot carry any useful information. Bits from this set are assigned randomly and differently for each codeword. The main problem is related to bits from the set $\mathcal{C}={\mathcal{L}}_{A\mid Y}^c\cap {\mathcal{H}}_{A\mid Z}^c$. Bits from this set cannot be reliably delivered to Bob, but they are partially accessible to Eve. In consequence, they cannot be statically shared and must be random for each codeword.

This delivery problem is resolved by the chaining mechanism shown in Figure 3 [27]. The bit values for indices $\mathcal{l}\in \mathcal{C}$ for the k-th codeword are transmitted in the confidential part of codeword $k-1$. The lent positions are denoted in Figure 3 as set $\mathcal{S}$. They carry random values regenerated for each codeword. For the last codeword, the confidential part can be used in its fullest extent. Special attention is required for the selection of the $\mathcal{C}$ for the first codeword. This value can be publicly known. As long as the $\mathcal{I}\setminus \mathcal{S}$ carry random bits for the first codeword, the eavesdropper obtains no useful information.

The security of the proposed chain is founded on proper estimation of sets $\mathcal{L}$ and $\mathcal{H}$ for both channels. This task poses a serious problem in classical communication systems as there is no guarantee concerning quality of Eve’s channel. However, the proposed physical layer uses encoding in mutually unbiased bases, and, in consequence, Eve experiences a high bit error rate (BER) as long as she does not know the key controlling the encoding process. The rules of quantum mechanics allow the estimation of Eve’s BER lower bound and this parameter can be used for the design of polar code with the desired properties [28]. Throughout this work, Eve is assumed to access an ideal quantum channel; consequently, her BER lower bound stems solely from basis ignorance (unknown $k_b$), not from additional channel noise.

2.5. Wegman-Carter MAC

We recall a basic form of information-theoretic message authentication based on the Wegman–Carter method. Assume the parties share long-term secrets $k_h$ and $k_m$, where $k_h$ selects a function from a universal hash family, and $k_m$ is a uniformly random mask of tag length.

For a message $msg$, the sender chooses a fresh nonce $\nu$ and computes the tag

$$t=h_{k_h}(msg\parallel \nu )\oplus k_m\equiv \mathrm{MAC}\left(k_h,k_m,msg\Vert \nu \right).$$

(10)

The pair $(msg,t)$ is sent over the public channel, while $\nu$ must be delivered confidentially to the verifier. The verifier recomputes the tag from $msg$ and $\nu$ using the shared key, and accepts only if the result matches the received t.

This scheme inherits the one-time security guarantee of Wegman–Carter authentication: any change in $(msg,\nu )$ is detected except with probability $2^{-\tau }$, where $\tau$ is the tag length. The fresh nonce $\nu$ prevents correlation across tags when the same long-term key is reused, which protects both $k_h$ and $k_m$. In practice, we recommend setting the nonce length $\left|\nu \right|$ equal to the tag length $\tau$. For uniformly random nonces, the collision probability among q authentications is approximately $q(q-1)/2^{\left|\nu \right|+1}$; choosing $\left|\nu \right|=\tau$ keeps this risk negligible at the same level as the MAC security while minimizing confidential-transmission overhead.

A central requirement is that $\nu$ remains confidential. If an adversary learns $\nu$, correlations across multiple transcripts may reveal information about the long-term key. The protocol specification therefore assumes that $\nu$ is transmitted securely. If this can be achieved, then the long-term secrets $k_h$ and $k_m$ can be reused for multiple sessions. However, purely classical means cannot guarantee information-theoretic secrecy of $\nu$ without additional fresh key material delivered per communication session. This motivates alternative approaches to achieve confidential delivery of $\nu$ and thus enable safe key reuse beyond what is possible in classical message authentication.

3. Quantum-Assisted Data Authentication Protocol

In this section, we present the protocol that combines quantum communication methods with classical information-theoretic security to achieve robust data authentication. Participants are assumed to have access to both classical and quantum channels, along with a shared static random key. Following the Wegman–Carter approach, the protocol uses universal hashing for authenticating messages and employs quantum channels to securely deliver random nonces, thereby removing the need for shared key updates. Polar codes are applied within Wyner’s wiretap channel framework to guarantee both confidentiality and reliability, even against adversaries with unlimited computational power.

The parties share a secret key K, which consists of four components:

• $k_h$ and $k_m$—used to compute the Wegman–Carter authentication tag as described in Section 2.5;
• $k_b$—used to select the measurement bases between two mutually unbiased bases (e.g., the computational and the dual basis) as described in Section 2.3;
• $k_p$—used to initialize the polar encoder and decoder for information hiding in the WCM model as described in Section 2.4.

The shared key is static and is not updated during protocol execution.

The size of each component depends on the length of the authentication tag and the chosen Wegman–Carter construction. The key $k_b$ must be long enough to specify the measurement basis for every transmitted bit, which means that its length is a multiple of the codeword size. The key $k_p$ has the size of the set $\mathcal{B}$, and thus depends on the parameters of the polar code.

With these assumptions in place, we now specify the step-by-step execution of the protocol. The procedure outlined below is depicted in Figure 4.

• Alice generates a random nonce $\nu$ of length equal to the authentication tag size.
• Then, she computes the tag t for message m according to the method described in Section 2.5:

  $$t=MAC(k_h,k_m,m\Vert \nu ).$$

  (11)
• She transmits the message m and the resulting tag t to Bob over the classical channel. Bob treats them as unreliable data $m^{\prime }$ and $t^{\prime }$.
• The random value $\nu$ is divided into blocks ${\nu }_1,{\nu }_2,\dots ,{\nu }_K$ of size $|\mathcal{I}\setminus \mathcal{S}|$. The sequence is extended with an additional block ${\nu }_0$ consisting of random bits.
• Alice constructs a chain of codewords $c_0,c_1,\dots ,c_K$ as illustrated in Figure 3. The codewords are concatenated into a sequence c of classical bits.
• Each bit of the sequence is mapped into a quantum state as

  $$|q\left[l\right]\rangle ={\mathbf{H}}^{k_b\left[l\right]}|c\left[l\right]\rangle ,$$

  (12)

  where H is the Hadamard operator and the states $\left|c\right[l]\rangle \in \{|0\rangle ,|1\rangle \}$ are prepared on a computational basis.
• Immediately after preparation, the quantum states are sent sequentially to Bob.
• Bob applies the inverse transformation

  $$|c^{\prime }\left[l\right]\rangle ={\mathbf{H}}^{k_b\left[l\right]}|q^{\prime }\left[l\right]\rangle$$

  (13)

  to the received states, and then measures $|c^{\prime }\left[l\right]\rangle$ on a computational basis. To account for quantum channel losses, Bob encodes outcomes as

  $$y_l=\left\{\begin{array}{cc}+1\hfill & c\left[l\right]=1,\hfill \\ -1\hfill & c\left[l\right]=0,\hfill \\ 0\hfill & \mathrm{measurement}\mathrm{failure},\hfill \end{array}\right.$$

  (14)

  obtaining a sequence of symbols. After grouping them into codewords, the sequence is passed to the polar code Successive Cancellation decoder.
• Successful decoding requires that the decoder knows in advance the values of the bits in sets $\mathcal{B}$ and $\mathcal{C}$. Decoding proceeds as in Figure 3. The set $\mathcal{B}$ always contains the private key $k_p$, unknown to Eve. In the zeroth codeword, the set $\mathcal{C}$ is filled with zeros. Once Bob decodes the zeroth codeword, he learns the $\mathcal{C}$ values necessary for decoding the first codeword. The process continues until the entire chain of codewords is decoded.
• From the information sets of all codewords except the zeroth one, Bob reconstructs the value ${\nu }^{\prime }$.
• Using ${\nu }^{\prime }$, the received message $m^{\prime }$, and tag $t^{\prime }$, Bob verifies correctness by checking

  $$t^{\prime }=MAC(k_h,k_m,m^{\prime }\Vert {\nu }^{\prime }).$$

  (15)
• The message is accepted if the equality holds; otherwise, it is rejected.

4. Analysis

4.1. Security

In the proposed scheme, message authentication is performed by computing a checksum:

$$t=\mathrm{MAC}\left(k_{\mathbf{H}},k_m,m\parallel \nu \right),$$

(16)

where $\mathrm{MAC}(·)$ denotes a universal hash function [1], $k_h$ and $k_m$ are the shared secrets, m is the message to be authenticated, and $\nu$ is a one-time random value known only to Alice and Bob. We assume that the keys $k_m$, $k_h$ can be reused without the need for refreshing.

In the considered attack model, Eve observes the pair $(m,t)$ and attempts to guess the secrets $k_h$ and $k_m$ or to substitute m and forge t. Such an attack was analyzed by Fehr and Salvail [11] in the Shannon security model, where they proved the security of the scheme. The probability of a successful forgery equals $2^{-\tau }$, where $\tau$ is the length of the checksum in bits. However, if the confidentiality of $\nu$ is compromised, information leakage about shared secrets occurs, forcing the keys to be refreshed.

Confidentiality of $\nu$ is therefore critical to the overall security of the protocol and can be ensured in two ways: by selecting a fresh value of $\nu$ from a shared random bit pool for each authentication instance (as in a one-time pad (OTP)) or by transmitting $\nu$ securely within the protocol. In the classical information model, secure transmission of $\nu$ is possible only with the OTP, which still requires a shared pool of random bits. This limitation can be overcome by leveraging quantum information processing techniques. In [11], secure delivery of $\nu$ was proposed using BB84 encoding, under the assumption of an ideal quantum channel. However, the protocol requires an authenticated classical feedback channel, which also consumes a shared random bit resource, though of smaller size.

To achieve reliable and confidential delivery of $\nu$, we rely on Wyner’s wiretap model [20], in which noise is an inherent component of data protection. Within this model, $\nu$ can be transmitted confidentially if the Alice–Eve channel is of lower quality than the Alice–Bob channel. This requires encoding $\nu$ with a properly constructed redundancy code. The existence of such codes has been proven, while their practical construction remains challenging.

In the classical setting, constructions based on polar codes have been developed and analyzed in the literature [25,27]. These results show that, in the wiretap channel model, polar codes enable confidential and reliable transmission with probabilities $1-2^{-\epsilon }$ and $1-2^{-\delta }$, respectively, where $\epsilon$ and $\delta$ are design parameters of the code. The requirement is that the error rate in the Alice–Bob channel must remain below the design threshold, while the error rate in the Alice–Eve channel must not be lower than the assumed bound. Exceeding the error threshold in the Alice–Bob channel does not compromise confidentiality but prevents Bob from decoding correctly. Conversely, Eve may gain partial access to the protected information only if her channel quality improves beyond the design threshold.

The proposed protocol directly employs these constructions and thus inherits the corresponding security proofs. Therefore, the security analysis reduces to evaluating the error rate of the Alice–Eve channel under the adopted quantum-layer encoding method and estimating the probability that this rate falls below the design threshold.

For Eve, the only feasible attack on the protocol is to compromise the confidentiality of the transmitted value $\nu$. To achieve this, she must decode the codeword transmitted in the quantum layer. The most straightforward approach is to guess the bits of the key $k_b$ and measure on the basis specified by this guess. Since the key is random and secret, her only option is trial and error. In the limit of infinitely long sequences, her error rate converges to 25%. This follows from the fact that in 50% of the cases, she selects the wrong measurement basis, leading to random outcomes. Eve has no oracle to reveal which guessed bits are correct. To validate her guesses for $k_b$, she would need to decode a hypothetical value ${\nu }^{″}$ and verify it by computing

$$t\stackrel{?}{=}\mathrm{MAC}\left(k_h,k_{m}m\parallel {\nu }^{″}\right).$$

(17)

Correctly determining ${\nu }^{″}$ requires satisfying three conditions: (a) reducing the error rate in the eavesdropping channel to the design threshold $BER$ assumed for the Alice–Bob channel, (b) obtaining the key $k_c$ required for polar decoding, and (c) knowing the key $k_h$ and $k_m$ required for the MAC computation. Consequently, Eve must test the entire key $k=(k_b,k_h,k_m,k_c)$. There is no tolerance for errors—every bit of ${\nu }^{″}$ must be correct, otherwise the MAC verification fails. Thus, she must guess at least $(1-2BER)|k_b|$ bits of the key correctly. Eve therefore faces an all-or-nothing problem: either she compromises the protocol by correctly guessing almost the entire key, which is highly improbable, or she learns nothing about the key or the transmitted value $\nu$.

Instead of guessing the random key $k_b$ and measuring in the corresponding basis, Eve may apply more advanced quantum state discrimination techniques to infer the bits of the codeword. The encoding adopted in the quantum layer is directly borrowed from the BB84 Quantum Key Distribution (QKD) protocol. This canonical encoding method has been extensively analyzed in the literature. It has been shown that for BB84 encoding, optimal state discrimination can be achieved using the so-called Brandt probe [29]. The Brandt probe enables unambiguous state discrimination, meaning that the measurement outcome is either correct or inconclusive. In the case of an inconclusive outcome, Eve obtains no information about the bit value, which at the logical level corresponds to its erasure (value $y_k=0$ in Equation (14)). In the case of a conclusive outcome, Eve is certain that the recovered bit value is correct. However, she gains no information about the basis in which the bit was encoded. Thus, this discrimination method does not reveal the key $k_b$ used to select the basis but only the form of x. Moreover, the method provides information about the encoded bit at the cost of introducing errors in the Alice–Bob channel. There is a direct trade-off between Eve’s information gain $I_E$ and the induced error rate $P_E$.

$$I_E=\left(1-\left|{\displaystyle \frac{1-3P_E}{1-P_E}}\right|\right)(1-P_E).$$

(18)

The expression follows directly from the Brandt probe analysis; see Appendix A for the derivation and operating point. The design of the probe allows controlling the induced error rate $P_E$. We assume Eve ignores the disturbance she induces and maximizes her information gain. The function (18) reaches its maximum $I_E=2/3$ at $P_E=1/3$. Under this operating point, her gain is upper bounded by $2/3$ (i.e., she can learn at most $66\%$ of the codeword bits). Our code is designed so that secrecy would be compromised only if Eve could learn more than $75\%$ of the codeword bits; thus, her optimal gain remains below the breaking threshold.

In summary, the security analysis demonstrates that Eve’s ability to gain information is fundamentally constrained by the properties of the quantum encoding and the applied polar coding scheme. Eve faces an all-or-nothing problem: she must correctly guess almost the entire key, which would completely compromise the protocol but is highly improbable; otherwise, she obtains no information about the key or the transmitted value $\nu$. Moreover, optimal quantum eavesdropping cannot reduce the error rate below the required threshold, preventing her from acquiring even partial information about the bits of $\nu$ needed to attack the data authentication function.

4.2. Performance

Our goal was to design a protocol suitable for practical implementation. To verify this, we constructed a polar code tailored to the constraints of the eavesdropper’s channel. During the design phase, we assumed that the adversary (Eve) has access to an ideal quantum channel, and the bit error rate experienced during eavesdropping arises solely from the lack of knowledge of the basis key $k_b$. Thus, the eavesdropper’s channel can be modeled as a binary symmetric channel (BSC) with bit-flip probability $p=0.25$. In contrast, the channel between Alice and Bob is affected by both losses and errors. We model this situation as a cascade of a binary erasure channel (BEC) with bit erasure probability q and a BSC with bit-flip probability p. A schematic representation of both channels is shown in Figure 5.

The polar code construction was performed using the Bhattacharyya parameter method [23], which provides an upper bound on the error probability for each bit channel. Determining the indices belonging to the sets from Figure 2 is crucial for ensuring security. Membership in these sets is strictly determined by the threshold values $\epsilon$ and $\delta$ from (6) and (7), which guarantee the reliability and confidentiality of the code, respectively. The sizes of these sets also depend on the codeword length and channel characteristics. In the numerical simulations presented below, the thresholds were set to $\epsilon ={10}^{-6}$ and $\delta ={10}^{-12}$. During polarization, the eavesdropper’s channel was always modeled as a BSC with bit-flip probability $p=0.25$. The legitimate channel was analyzed as a function of bit-flip probability p and erasure probability q. It should be noted that in the presented communication model, errors and losses in the quantum channel constitute a common budget and are counted as errors at the classical bit transmission level; thus, the total error rate and loss sum must not exceed the error rate in the eavesdropper’s channel.

Given a binary-input DMC W with Bhattacharyya parameter $Z\left(W\right)$ (see Appendix B), the polarization step replaces two copies of W by the synthetic channels $W^{-}$ and $W^{+}$ [23] (section II). For the Alice→Bob link, we propagate the standard upper bounds (Equations (26) and (27), [23]).

$$Z\left(W^{+}\right)=Z{\left(W\right)}^2,Z\left(W^{-}\right)\le 2Z\left(W\right)-Z{\left(W\right)}^2.$$

This is a conservative choice for reliability (estimate is higher than real value) and may exclude some reliable bit channels from ${\mathcal{L}}_{V\mid Y}$.

For the Alice → Eve link, using the same upper bound for the “minus” recursion can overestimate the Bhattacharyya parameter and thus misclassify a channel decodable by Eve as a secure one. To avoid this, one should use a lower estimate for $Z\left(W^{-}\right)$. A general inequality $Z\left(W\right)\le Z\left(W^{-}\right)$ is available but is very coarse and does not lead to satisfactory designs in practice.

When Eve’s channel is $\mathrm{BSC}\left(p\right)$, there exists an exact closed form expression for Bhattacharyya parameter recursions:

$$Z\left(W^{+}\right)=Z{\left(W\right)}^2,Z\left(W^{-}\right)=Z\left(W\right)\sqrt{2-Z{\left(W\right)}^2},$$

which we propagate along the polarization tree to obtain $Z\left(W_i\right)$ for all bit channels. After computing $Z\left(W_i\right)$ for legitimate and wiretap channels, we select ${\mathcal{L}}_{V\mid Y}$ and ${\mathcal{H}}_{V\mid Z}$ using the thresholds in (6) and (7), and then form sets $\mathcal{I}$, $\mathcal{B}$, $\mathcal{R}$, and $\mathcal{C}$, as described in Section 2.4. The obtained set sizes for codewords of length $N=2^{12}$, $N=2^{13}$, and $N=2^{14}$ are shown in

Table 2. Sizes of the sets $\mathcal{I}$, $\mathcal{R}$, $\mathcal{B}$, $\mathcal{C}$ for different codeword lengths N and channel parameters p and q.

N	p	q	$\left|\mathcal{I}\right|$	$\left|\mathcal{R}\right|$	$\left|\mathcal{B}\right|$	$\left|\mathcal{C}\right|$
$2^{12}$	0.01	0.05	1021	1399	1676	0
	0.01	0.1	834	1399	1863	0
	0.01	0.15	654	1396	2043	3
	0.05	0.05	119	1345	2578	54
	0.05	0.1	48	1308	2649	91
	0.05	0.15	10	1244	2687	155
$2^{13}$	0.01	0.05	2590	2498	3104	0
	0.01	0.1	2224	2498	3470	0
	0.01	0.15	1870	2498	3824	0
	0.05	0.05	704	2460	4990	38
	0.05	0.1	501	2440	5193	58
	0.05	0.15	318	2416	5376	82
$2^{14}$	0.01	0.05	6080	4508	5796	0
	0.01	0.1	5343	4508	6533	0
	0.01	0.15	4636	4508	7240	0
	0.05	0.05	2250	4481	9626	27
	0.05	0.1	1814	4472	10,062	36
	0.05	0.15	1404	4453	10,472	55

.

A key feasibility condition is that the set $\mathcal{C}$, which contains indices unreliable for Bob and simultaneously informative for Eve, must not exceed the size of the secure set $\mathcal{I}$. Whenever $\left|\mathcal{C}\right|>\left|\mathcal{I}\right|$, the chaining construction from Figure 3 cannot be realized because the number of indices available for secure transmission is insufficient to compensate for the “critical” positions.

As the block length grows, the efficiency of the scheme improves markedly. This follows directly from the polarization effect: with larger N, the fraction of indices that polarize towards being almost perfect (${\mathcal{L}}_{\mathcal{A}\mid \mathcal{Y}}$) for Bob or almost useless (${\mathcal{H}}_{\mathcal{A}\mid \mathcal{Z}}$) for Eve increases. Consequently, the relative size of the uncertain region shrinks, and the effective secure set $\left|\mathcal{I}\right|-\left|\mathcal{C}\right|$ grows. This effect is clearly visible when comparing the ratios $\left|\mathcal{I}\right|/\mathcal{N}$ for increasing block sizes.

In the special case of high-quality information channels ($p=0.01$), the problematic set $\mathcal{C}$ vanishes almost entirely. In such scenarios, there is no need to employ multi-block chaining, since no indices fall into the “bad-for-Bob and good-for-Eve” category. A single-block construction then suffices.

From a practical standpoint, the central quantity is the size of the effective secure field $\left|\mathcal{I}\right|-\left|\mathcal{C}\right|$. Typical requirements are on the order of 256 or 512 bits. The data show that for $p=0.01$, even with moderate block sizes ($N=2^{12}$), the secure field exceeds 512 bits across all considered eavesdropper channel qualities. For noisier information channels ($p=0.05$), larger block lengths are required: at $N=2^{13}$, secure fields reach 256 bits in most cases, while $N=2^{14}$ comfortably provides more than 512 bits of effective secrecy.

5. Conclusions

We have presented a quantum-assisted data authentication protocol that combines classical Wegman–Carter message authentication with quantum physical-layer secrecy, instantiated via polar coding in the wiretap channel model. The protocol achieves integrity and origin guarantees, while enabling safe key reuse by securely transmitting the authentication nonce using quantum resources. Security analysis demonstrates that the adversary’s ability to compromise the protocol is fundamentally limited by quantum measurement constraints and the structure of polar codes, resulting in an all-or-nothing scenario for key recovery. Performance evaluation confirms that practical code parameters yield secure payload sizes suitable for real-world applications, with quantum resource consumption scaling efficiently with block length. The proposed approach eliminates the need for authenticated classical feedback and is robust to channel noise, making it a promising candidate for future quantum-secure communication systems. In its current formulation, the protocol can only be used in high-quality quantum channels with low loss rates, which is its main drawback.

Looking ahead, we identify several directions to enhance the protocol’s applicability and robustness. First, we will pursue efficiency improvements in polar-code design, focusing on practical selection and optimization methods for finite block lengths. Second, we plan to develop an adaptive rate-selection strategy that dynamically adjusts to observed channel conditions, thereby improving both reliability and confidentiality. Third, we will explore alternative quantum transmission techniques compatible with our framework—such as higher-dimensional encodings—to further impede eavesdropping while ensuring reliable reception.