Efﬁcient and Secure Measure-Resend Authenticated Semi-Quantum Key Distribution Protocol against Reﬂecting Attack

: In 2021, Chang et al. proposed an authenticated semi-quantum key-distribution (ASQKD) protocol using single photons and an authenticated channel. However, an eavesdropper can launch a reﬂective attack to forge the receiver’s identity without being detected. In addition, Chang et al.’s ASQKD protocol assumes an authenticated classical channel between the sender and the receiver. It is considered illogical to have an authenticated channel in the ASQKD protocol. If these security issues are not addressed, the ASQKD protocol will fail to deliver the secret key. Therefore, this study proposes an efﬁcient and secure ASQKD protocol to circumvent these problems using only single photons. Security analysis proves that the proposed ASQKD protocol can effectively avoid reﬂecting attacks, collective attacks, and other typical attacks. Compared with the existing ASQKD protocols, this study has the following advantages: based on a single photon, it demands less advanced quantum devices, the communication efﬁciency is higher than most protocols, it reduces the length of the required pre-shared keys, endures reﬂecting attacks, collective attacks, and there is no need for the classical channel.


Introduction
Quantum key distribution (QKD) protocols have been an important research field in quantum cryptography since the beginning.The main objective of the QKD protocol is to enable the two participants to use quantum mechanics to share a secret key.In the QKD protocol, two participants can detect an eavesdropper trying to eavesdrop on the transmission of information with quantum states.In 1984, Bennett and Brassard [1] proposed the first QKD protocol, also known as BB84, which is based on single photons.The protocol allows two participants (Alice and Bob) to share a secure key with a quantum channel and authenticated classical channel.Since the BB84 protocol was proposed, various QKD protocols [2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18] have been proposed to manage different security issues.
Nevertheless, semi-quantum cryptographic protocols assume the existence of an authenticated classical channel, which means that when an authenticated channel is not available, these protocols cannot endure man-in-the-middle attacks.To prevent manin-the-middle attacks, the lack of authentication of the participants must be fixed.In 2014, Yu et al. [45] proposed two authenticated semi-quantum key distribution (ASQKD) protocols based on Bell states.The main objective of the ASQKD protocol is to enable two participants to use the pre-shared master key to distribute a session key and perform authentication between the quantum and classical participants.In 2016, Li et al. [46] proposed two ASQKD protocols that use Bell states and single photons.Compared with Yu et al.'s ASQKD protocols [45], Li et al.'s ASQKD protocols ensure better communication efficiency and require fewer pre-shared keys.In 2016, Meslouhi and Hassouni [47] pointed out a vulnerability that allows an eavesdropper to recover a partial master key and launch a successful man-in-the-middle attack on Yu et al.'s ASQKD protocols [45] and Li et al.'s ASQKD protocols [46].In 2020, Zebboudj et al. [48] presented a new ASQKD protocol without any entanglement.Zebboudj et al.'s ASQKD protocol can achieve higher security than the existing schemes.In 2020, Tsai and Yang [49] proposed a lightweight authenticated semi-quantum key distribution (LASQKD) protocol based on the Bell states.Tsai and Yang's LASQKD protocol allows a quantum user and a classical user to share secret keys without using an authenticated classical channel or Trojan horse detection device.Compared to the existing ASQKD protocols, Tsai and Yang's LASQKD protocol provides improved practicality, indicating its potential for use in modern quantum systems.
In 2021, Chang et al. [50] proposed a measure-resend ASQKD protocol only using single photons.Compared with the existing ASQKD protocols, Chang et al.'s ASQKD protocol has the following advantages: Although Chang et al. showed that their ASQKD protocol is robust even for an eavesdropper, Eve tries to perform a collective attack.This study demonstrates that Chang et al.'s ASQKD protocol cannot withstand the reflecting attack.In Chang et al.'s ASQKD protocol, Alice prepares several qubits to encode the secret key and hash value and then sends these qubits to Bob. Bob can select the measure-resend or reflecting mode for Alice.However, the sent qubits and the received qubits have the same quantum states.Thus, Eve intercepts the qubits sent from Alice and reflects them back to Alice.Alice cannot distinguish whether these were sent by Bob or forged by Eve-both scenarios would pass the eavesdropping check.In other words, if Eve performs a reflecting attack, Alice will not notice and continue this protocol, treating Eve as Bob.Although Eve cannot obtain the secret key, she is able to launch the replay attack.
More than that, Chang et al.'s ASQKD protocol assumes having an authenticated classical channel between Alice and Bob is illogical (i.e., the transmitted classical messages can be eavesdropped upon, but not modified).ASQKD protocols perform authentication when an authenticated classical channel is unavailable.In other words, research on ASQKD protocols [45][46][47][48][49] assumes that the classical channel is a public classical channel (i.e., it can be modified).
To circumvent these security problems, this study proposes an efficient and secure ASQKD protocol that uses only single photons.Based on the measurement uncertainty of a single photon, Alice can authenticate Bob without using a classical channel.In the proposed ASQKD protocol, Alice generates a single photon as the checking qubit by using the When Bob receives the photon, he measures the checking qubit in the Z-basis (i.e., { |0 , |1 }) and resends the same state to Alice.Alice receives and measures the checking qubit in the X-basis.If the checking qubit is always the same as the initial state, Alice indicates that Bob does not receive and measure-resends the photon.Thus, the protocol suffers from a reflective attack.Otherwise, Alice would acknowledge that Bob received and measure-resend it.Thus, the proposed protocol can effectively avoid reflecting attacks and does not require a classical channel.
The remainder of this paper is organized as follows: Section 2 provides a review of Chang et al.'s ASQKD protocol.Section 3 describes the security issues of Chang et al.'s ASQKD protocol.Section 4 describes the proposed ASQKD protocol.Section 5 presents an analysis of the security of the proposed ASQKD protocol.Section 6 presents an efficiency analysis of the proposed scheme.The paper ends with a conclusion in Section 7.

Review of Chang et al.'s ASQKD Protocol
Chang et al. proposed a measure-resend ASQKD protocol that uses single photons.In Chang et al.'s ASQKD protocol, Alice has full quantum capabilities, whereas Bob (the classical user) has only limited quantum capabilities.Bob can only perform measurement and generation of Z-basis qubits, and reflection of qubits.Alice and Bob must pre-share two secret keys in the protocol: K 1 and K 2 , and a pool of universal hash functions.K 1 represents the position of the decoy photons, and K 2 determines the choice of the hash function from the universal hash function pool.Alice prepares a session key and its hash value in single photons and sends it to Bob.He measure-resends or reflects the qubits based on the pre-shared secret key, K 1 .Finally, Alice and Bob inform each other of their checking results via an authenticated classical channel.The steps involved in the ASQKD protocol of Chang et al. are described below.
Step C1.Alice chooses a binary string of length n as the session key SK.Based on the preshare key K 2 , Alice selects a hash function from a pool of universal hash functions.She hashes SK using the selected hash function H K 2 (•), and obtains the m-bit hash value, H K 2 (SK).Then, Alice concatenates SK and the hashed value Step C2.Alice generates a binary string, S D ∈ {0, 1} n+m .Based on the pre-shared key K 1 , Alice inserts S D into S A .For example, if A is inserted before S i D .Thus, Alice obtains a new binary string, whose length is 2n + 2m.Alice converts the binary string into a sequence of single photons, Q A , according to the following rules: binary bits {0, 1} in S A encode into the Z-basis {| 0 , | 1 }, and binary bits {0, 1} in S D encode into the X-basis . Then, Alice sends Q A to Bob one bit at a time through a quantum channel.
Step C3. Bob receives the qubits and distinguishes S A from S D based on K 1 .For S A , Bob measures the Z-basis and resends the same single photon as the measurement result.As for S D , Bob reflects without any interference back to Alice.Step C4.Alice receives a sequence of single photons, Q A , from Bob and measures S A in the Z-basis, and S D in the X-basis.Alice checks the measurement results S A = S A and S D = S D to prevent an eavesdropping attack.Bob checks H K 2 (SK ) = H K 2 (SK) to identify the secret key sent by Alice.Step C5.For completion of the eavesdropping check, Alice and Bob must both send a message to inform each other regarding the checking result via the authenticated channel.If the transmission is secured, the pre-shared keys are recycled; otherwise, the results and the pre-shared key K 2 should be abandoned.

Security Issues in Chang et al.'s ASQKD Protocol
Although Chang et al.'s ASQKD protocol provides security analyses, the protocol is illogical in using an authenticated classical channel and suffers reflecting attacks, which are described in Sections 3.1 and 3.2, respectively.

Using an Authenticated Classical Channel in ASQKD Protocol
ASQKD protocols involve authenticating communicators without using an authenticated classical channel [45][46][47][48][49] , and then generates a binary string, S D .In Step C2, Alice converts the binary string (S A and S D ) into a sequence of single photons, Q A , and then sends Q A to Bob.In Step C3, Bob can select the measure-resend mode, or the reflecting mode, based on K 1 and then send Q A to Alice.In Step C4, Alice checks Q A .If the measurement result of Q A is equal to the initial state Q A , the eavesdropping check is passed.Hence, the sent qubits, Q A , and received qubits, Q A , are the same quantum states for Alice.Thus, Eve can intercept the qubits Q A sent from Alice in Step C2 and then reflect Q A back to Alice in Step C3.In Step C4, Alice cannot distinguish whether this was sent by Bob or forged by Eve-both scenarios would pass the eavesdropping check.In other words, if Eve performs a reflecting attack, Alice will not notice and continue this protocol, treating Eve as Bob.Although Eve cannot obtain the secret key, she can successfully perform the replay attack.

Proposed ASQKD Protocol
In the proposed ASQKD protocol, Alice has full quantum capabilities and Bob has limited quantum capabilities.In the initial phase, Alice and Bob share two secret keys in the protocol, K 1 and K 2 , and a pool of universal hash functions.K 1 represents the position of the decoy photons (ternary number system), and K 2 determines the hash function choice from the universal hash function pool.To prevent a reflecting attack, this study utilizes an eavesdropping check using the measurement uncertainty of a single photon.Thus, the proposed protocol can effectively avoid reflecting attacks and does not require classical channels.Figure 1 clearly illustrates the proposed scheme.The steps involved in the proposed ASQKD protocol are as follows: Step 1. Alice chooses a binary string of length n as the session key SK.Based on the preshare key K 2 , Alice selects a hash function from a pool of universal hash functions.She hashes SK using the selected hash function H K 2 (•), and obtains the m-bit hash value, H K 2 (SK).Then, Alice concatenates SK and the hashed value H K 2 (SK) to form S A = SK H K 2 (SK) , whose length is n + m bits.
Step 2. Alice generates the binary strings Based on the pre-shared key K 1 , Alice combines S A , S D , and S R into a binary sequence, S AB .

For example, if
Thus, Alice obtains a binary sequence, S AB , whose length is 2n + 2m.Alice converts the binary sequence S AB into a sequence of single photons, Q A , according to the following rules: (1) binary bits {0, 1} in S A encode into the Z-basis {| 0 , | 1 }, and (2) binary bits {0, 1} in S D and S R encode into the X-basis (2) The measurement result of S R is not completely equal to that of the initial state S R (i.e., the measurement result is random).Meanwhile, Bob also calculates to identify the secret key sent by Alice.If all the checking steps were passed, the protocol is completed.Otherwise, the communication is aborted.

Security Analysis
In this section, the security analysis of the proposed ASQKD protocol is presented from five perspectives: (1) the reflecting attack and (2) ordinary eavesdropping, (3) collective attack, (4) intercept and resend attack, and (5) measure and resend attack.The security of the proposed protocol is based on Chang et al.'s ASQKD protocol.This has been proven to be robust in a study by Chang et al. [50].

Security against the Reflecting Attack
If Eve performs the reflecting attack on the proposed ASQKD protocol by directly sending   , as described in Section 3.2, then the attack will be detected in Step 4 because of the use of the measurement uncertainty of the single photon.Eve does not know the In Step 4, Alice performs an eavesdropping check.If the measurement result of S R is the same as the original S R , then a reflecting attack exists during the transmission of the protocol.That is, if S R = S R , Alice is aware that Bob did not measure S R , indicating that the transmission is suffering a reflecting attack.Alice can detect this attack herself without Bob's information.Moreover, Bob authenticates Alice by calculating H K 2 (SK ) = H K 2 (SK) .Thus, the proposed ASQKD protocol can effectively avoid reflecting attacks and does not require a classical channel.

Security Analysis
In this section, the security analysis of the proposed ASQKD protocol is presented from five perspectives: (1) the reflecting attack and (2) ordinary eavesdropping, (3) collective attack, (4) intercept and resend attack, and (5) measure and resend attack.The security of the proposed protocol is based on Chang et al.'s ASQKD protocol.This has been proven to be robust in a study by Chang et al. [50].

Security against the Reflecting Attack
If Eve performs the reflecting attack on the proposed ASQKD protocol by directly sending Q A , as described in Section 3.2, then the attack will be detected in Step 4 because of the use of the measurement uncertainty of the single photon.Eve does not know the positions of S A , S D , and S R when intercepting Q A in Step 2 and directly resends Q A to Alice.If S A , S D , and S R can pass the eavesdropping check, Eve can forge Bob's identity.However, without knowing the positions of S A , S D , and S R , Eve can be detected from the eavesdropping check.Therefore, Eve cannot perform a reflective attack to forge Bob's identity.
In the proposed ASQKD protocol, Alice generates a single photon as the checking qubit in the S R using the X-basis (i.e., When Bob receives the photon, he measures the checking qubit in the S R using a Z-basis (i.e., { |0 , |1 }) and resends the same state to Alice.Alice receives and measures the checking qubit in S R using an X-basis.If the checking qubit is always the same as the initial state, Alice indicates that Bob does not receive and measure-resends the photon based on the measurement uncertainty of the single photon.Thus, the protocol suffers from a reflective attack.Otherwise, Alice would acknowledge that Bob received and measure-resend it.Thus, the proposed protocol can effectively avoid reflecting attacks and does not require a classical channel.

Security against the Ordinary Eavesdropping
Chang et al.'s ASQKD protocol is resistant to ordinary eavesdropping because Eve cannot measure the S A and S D sequences without being detected.To avoid an ordinary eavesdropping attack, the proposed ASQKD protocol uses S A and S D (i.e., {|0 , |1 , |+ , |− }) in Step 2 to guarantee the correctness of the encoded photons between Alice and Bob.However, based on quantum no-cloning theory [51], we know that the four single-photons {|0 , |1 , |+ , |− } cannot be unambiguously discriminated.For example, without know- ing the bases in advance, some errors will later be detected during the eavesdropping check if Eve measures single photons.Hence, regardless of the attack strategy Eve performs, she will be detected in the eavesdropping check (a similar security analysis was proposed in [50]).

Security against the Collective Attack
This section provides proof that the proposed ASQKD protocol can be secure against the collective attack and does not leak any information if there is no error detected.
In the attack strategy, suppose Eve possesses full quantum abilities with unlimited computational power and controls the quantum channel.Eve tries to eavesdrop on any useful information from Alice and Bob by performing the collective attack.Eve generates a quantum state |E 1 and performs a unitary operation, U E , on the joint state |q ⊗|E 1 , where |q represents the transmitting qubit between Alice and Bob in Step 2. After the prepared qubits |E 1 entangle with the qubits sent from Alice in Step 2, Eve can infer the private information based on the measurement result of |E 1 .
Theorem 1. Eve performs the collective attack on the qubit that is sent to Bob.In order to do so, Eve applies a unitary operation, U E , on the qubit that complies with the theorems of quantum mechanics.However, no unitary operation exists in the collective attack that allows Eve to obtain the information of Alice's secret without being detected.
Proof of Theorem 1. Suppose Eve uses a unitary operator to attack the transmit qubit from Alice to Bob in Step 2 by U E , the possibilities can be defined as follows: Eve's quantum states after the attack.
Alice will send 24 different pairs of qubits as follows: The possibilities can be denoted as follows: After the prepared qubits |E 1 entangle with the qubits sent from Alice in Step 2, Eve can infer the information of transmitting qubit |q by the corresponding measurement result of |E 1 .However, after Bob receives the attacked qubits, he will measure S A in the Z-basis.Bob then abstracts SK H K 2 (SK) from S A and calculates H K 2 (SK ) = H K 2 (SK) to identify that the secret key sent by Alice has not been modified.Thus, to pass the detection, Eve will not modify the value of Z-basis qubits, which restricts the possibilities of U E .The restricted U E can be defined as follows: In Step 4, Alice will check all the received qubits, and if the measurement results are not equal to the original states, Alice will detect the eavesdropping.To pass the detection, |q must be the same as the original states (i.e., ), which can be denoted as follows: Accordingly, the measurement result of each state |q has only one possibility in order to pass the detection from Alice.In other words, | E 1 must all be in the same state, which means Eventually, all the | E 1 are identical, which proves that Eve cannot obtain any private information without detection by performing the collective attack.

Security against the Intercept and Resend Attack
Assume Eve attempts to perform an intercept and resend attack on the traveling particles in Q A , to obtain Alice's secret key, SK.To perform the attack, Eve intercepts S A , S D , and S R and resends the fake single photons randomly chosen from four different states (i.e., |0 , |1 , |+ , |− ), trying to forge the identity of Alice in Step 2. In Step4, Bob checks the hash value of SK, which infers that Eve must obtain all the particles' positions to pass the check.However, Eve does not know the corresponding positions of each photon in S A , S D , and S R .Then, Eve has a probability of 1  x! to pass the eavesdropping check, where x represents the total number of Q A (i.e., x = 2n + 2m in the proposed ASQKD protocol).Thus, the probability for Eve to be detected in Step 4 is 1 − 1 x! .If x is large enough, the detection probability would converge to 1, as shown in Figure 2.
Accordingly, the measurement result of each state |⟩ has only one possibility in order to pass the detection from Alice.In other words, | 1 ⟩ must all be in the same state, which means Eventually, all the | 1 ⟩ are identical, which proves that Eve cannot obtain any private information without detection by performing the collective attack.

Security against the Intercept and Resend Attack
Assume Eve attempts to perform an intercept and resend attack on the traveling particles in   , to obtain Alice's secret key, .To perform the attack, Eve intercepts   ,   , and   and resends the fake single photons randomly chosen from four different states (i.e., |0⟩, |1⟩, |+⟩, |−⟩), trying to forge the identity of Alice in Step 2. In Step 4, Bob checks the hash value of , which infers that Eve must obtain all the particles' positions to pass the check.However, Eve does not know the corresponding positions of each photon in   ,   , and   .Then, Eve has a probability of

Security against the Measure and Resend Attack
Suppose Eve performs a measure and resend attack on the traveling photons in   , to obtain Alice's secret key, .Eve may try to measure   , then resend the measured   photons (or generate new photons based on the measure results) to Bob, hoping to obtain  without being detected.
In Step 4, Bob checks the hash value of , if Eve measures the qubits with the wrong basis, the attack would be detected.Thus, Eve must measure the correct basis on the correct position to pass the eavesdropping check.However, Eve does not obtain the corresponding position of each photon in   ,   , and   .Without the information, the probability of randomly measuring the qubits to pass the eavesdropping check in Step 4 is

Security against the Measure and Resend Attack
Suppose Eve performs a measure and resend attack on the traveling photons in Q A , to obtain Alice's secret key, SK.Eve may try to measure Q A , then resend the measured Q A photons (or generate new photons based on the measure results) to Bob, hoping to obtain SK without being detected.
In Step 4, Bob checks the hash value of SK, if Eve measures the qubits with the wrong basis, the attack would be detected.Thus, Eve must measure the correct basis on the correct position to pass the eavesdropping check.However, Eve does not obtain the corresponding position of each photon in S A , S D , and S R .Without the information, the probability of randomly measuring the qubits to pass the eavesdropping check in Step 4 is 3  4 .Hence, the probability to detect the attack in this protocol is 1 − 3  In the schemes of Yu et al. [45] and Li et al. [46], Alice shares the second qubit of Bell states to Bob.Alice then restores the qubit from Bob to perform Bell measurement, which requires the quantum storage to store the first qubit of Bell states and the hardware to perform the Bell measurement.Moreover, generating a pair of Bell states increases the    [45,46,48,50] and the proposed ASQKD protocol.In the schemes of Yu et al. [45] and Li et al. [46], Alice shares the second qubit of Bell states to Bob.Alice then restores the qubit from Bob to perform Bell measurement, which requires the quantum storage to store the first qubit of Bell states and the hardware to perform the Bell measurement.Moreover, generating a pair of Bell states increases the need for advanced quantum hardware compared to a single photon.Therefore, the proposed protocol based on single photons does not require quantum storage and hardware of Bell measurement, significantly reducing the demand for advanced quantum hardware.

Efficiency Analysis
The communication efficiency of a quantum cryptographic protocol is defined as η = c q , where c represents the sum of the shared classical secret bits and q denotes the sum of the generated photons in the protocol.Assume Alice chooses a binary string of length n as the secret key.The length m of the hash value is assumed to be equal to that of the secret key (i.e., n = m).
In Yu et al.'s measure-resend ASQKD protocol, Alice prepares 2n + 2m Bell states (i.e., 2(2n + 2m) qubits).In share mode, Bob measures the second qubit in the Bell state and generates n + m single photons.Therefore, the communication efficiency is Compared with Yu et al. [45], Li et al. [46], and Zebboudj et al. [48], the proposed ASQKD protocol not only reduces the length of required pre-shared keys but also possesses an advantage in communication efficiency and applies the secret hash to strengthen the security.Compared with Chang et al. [50], although the communication efficiency of the proposed protocol is slightly lower, the proposed ASQKD protocol is not vulnerable to the reflecting attack and removes the need for the classical channel, elevating security and convenience.

Conclusions
This study discovered the possibility of a reflective attack in Chang et al.'s ASQKD protocol and proposed an efficient and secure ASQKD protocol.An eavesdropper can perform a reflecting attack to successfully forge the receiver's identity.Moreover, Chang et al.'s ASQKD protocol requires an authenticated classical channel between the sender and the receiver.It is considered illogical to have an authenticated channel required in the ASQKD protocol.Thus, the proposed ASQKD protocol revised the flaw of impersonation and illogical use of the authenticated classical channel.Accordingly, the proposed ASQKD protocol was shown to be secure under reflecting attacks, collective attacks, as well as several other well-known attacks.According to the comparative study, the proposed ASQKD protocol possesses multiple advantages, as follows: based on a single photon, it demands less advanced quantum devices, the communication efficiency is higher than most protocols, it reduces the length of the required pre-shared keys, endures reflecting attacks, collective attacks, and there is no need for the classical channel.Although the communication efficiency of the proposed ASQKD protocol was slightly lower than that of Chang et al.'s ASQKD protocol, a future challenge is the construction of an ASQKD protocol with a higher communication efficiency that can still remain immune to the reflecting attack in experimental tests.

( 1 )
Chang et al.'s ASQKD protocol is more practical because it uses single qubits instead of Bell states.(2) Chang et al.'s ASQKD protocol reduces the number of pre-shared keys.(3) Chang et al. showed that the proposed ASQKD protocol is robust under a collective attack.(4) It is significantly more efficient than some existing ASQKD protocols.
, Alice sends Q A to Bob one bit at a time through a quantum channel.Step 3. Bob receives single photons and distinguishes between S A , S D , and S R based on K 1 .For each received single photon belonging to S A or S R , Bob measures the single photon in the Z-basis and resends the same single photon in the Z-basis based on the measurement result.Otherwise, the received single photon belongs to S D and Bob reflects a single photon without any interference back to Alice.Step 4. When Alice receives a sequence of single photons, Q A , from Bob, she measures the photons belonging to S A in the Z-basis and the photons belonging to S D or S R in the X-basis.Alice can perform the eavesdropping check as follows: (1) The measurement results of S A and S D are equal to those of the initial states S A and S D .
to pass the eavesdropping check, where x represents the total number of   (i.e.,  = 2 + 2 in the proposed ASQKD protocol).Thus, the probability for Eve to be detected in Step 4 is 1 − 1 ! .If x is large enough, the detection probability would converge to 1, as shown in Figure2.

Figure 2 .
Figure 2. Detection probability of the intercept and resend attack.

3 4 ..
Hence, the probability to detect the attack in this protocol is 1 If x is large enough, the detection rate would converge to 1, as shown in Figure3.

Figure 2 .
Figure 2. Detection probability of the intercept and resend attack.

Figure 3 .
Figure 3. Detection probability of the measure and resend attack.

Figure 3 .
Figure 3. Detection probability of the measure and resend attack.
. In Chang et al.'s ASQKD protocol, Alice and Bob inform each other via an authenticated classical channel, which disobeys the goal of the ASQKD protocols.If Alice and Bob have an authenticated classical channel, then authentication is performed.Therefore, the authenticated classical channel should be changed to a public classical channel in Chang et al.'s ASQKD protocol.3.2.Reflecting Attack on Chang et al.'s ASQKD Protocol Although Chang et al. showed that their ASQKD protocol is robust even for an eavesdropper, Eve tries to perform a collective attack, and this study demonstrates that Chang et al.'s ASQKD protocol cannot withstand the reflecting attack.In Chang et al.'s ASQKD protocol, Alice encodes the secret key SK and hash value H K 2

Table 1 .
Comparison of