Semi-Quantum Identification without Information Leakage

Abstract

In 2019, Zhou et al. proposed semi-quantum identification (also known as semi-quantum authentication, SQA), which proceeds under a measure-resend and measurement-free environment. However, Zhou et al.’s SQA protocol suffers from severe information leakages. An eavesdropper can obtain an intact authentication key without being detected under this environment. In particular, Zhou et al.’s measure-resend SQA protocol is vulnerable to double CNOT attacks, while the measurement-free SQA protocol is vulnerable to man-in-the-middle attacks. Hence, this study reveals the severe security issues of Zhou et al.’s SQA protocol and proposes an improved protocol with guaranteed security. The proposed measure-resend SQA protocol is immune to double CNOT attacks. Since the photons sent back and forth are identical, Eve cannot obtain any information by cross-comparing these photons. In the proposed measurement-free SQA protocol, the eavesdropper cannot obtain the order of the transmitted photons because it was previously a pre-shared key to decide the order of the photons. Hence, the proposed measurement-free SQA protocol can withstand man-in-the-middle attacks.

1. Introduction

To increase the convenience of quantum protocols, Boyer et al. [1] proposed a semi-quantum key distribution (SQKD) in 2007. Under this protocol, the abilities of the two participants are specified as follows. Alice, a sender possesses full quantum capabilities, and Bob, the receiver possesses only classical capabilities with limited quantum capabilities. Bob is allowed to perform three of the following operations: (1) Z-basis measurement on qubits (i.e., $\left\{\left|0\rangle , \left|1\rangle \right.\right.\right\}$), (2) preparing Z-basis qubits, (3) reordering the qubits through delay lines, and (4) reflecting qubits without interference. There are four SQKD protocol schemes: measure-resend, randomization-based, measurement-free, and unitary-operation-based.

In the measure-resend SQKD protocol, Bob performs (1) Z-basis measurements on qubits (i.e., $\left\{\left|0\rangle , \left|1\rangle \right.\right.\right\}$), (2) preparation of Z-basis qubits, and (4) reflection of qubits without interference. In the randomization-based SQKD protocol, Bob performs (1) Z-basis measurement on qubits, (2) prepares Z-basis qubits, and (3) reorders the qubits through delay lines. In 2015, Zou et al. [2] presented a new measurement-free semiquantum environment. In the measurement-free SQKD protocol, the classical user is allowed to (2) prepare Z-basis qubits, (3) reorder the qubits through delay lines, and (4) reflect qubits without interference. Because the SQKD protocol is practical and novel, it has been further investigated. In 2019, Tsai et al. [3] proposed another semi-quantum environment: a unitary-operation-based protocol. In the unitary-operation-based SQKD protocol, the classical user is allowed to perform (1) Z-basis measurements on qubits and (2) unitary operations.

Although SQKD protocols [4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29] increase the convenience of quantum protocols, the SQKD protocols mentioned above cannot be secured without an authenticated classical channel. In the light of this, Yu et al. [30] proposed the first authenticated semi-quantum key distribution (ASQKD) in 2014, which does not require authenticated classical channels. The concept of ASQKD introduced a key hierarchy in security systems and reduced key management issues. Li et al. [31] proposed two ASQKD protocols in 2016 that required fewer pre-shared keys and provided better communication efficiency. In 2016, Meslouhi and Hassouni [32] discovered that a key can be recovered by a malicious person and is vulnerable to man-in-the-middle attacks. In 2019, Wen et al. [33] proposed a semi-quantum authentication protocol based on GHZ-like states and W states. Wen et al.’s protocol can determine the identities of two participants and ensure the credibility of the important information. Tsai and Yang [34] proposed a lightweight authenticated semi-quantum key-distribution (LASQKD) protocol in 2020. The two communicants pre-shared a master key and applied a one-way communication strategy. The proposed protocol ensures that quantum Alice and classical Bob can share secret keys without using an authenticated channel or a Trojan horse detection device. Chang et al. [35] proposed a new measure-resend ASQKD protocol using single photons in 2021, which requires fewer pre-shared keys and provides better qubit efficiency than the aforementioned ASQKD protocols. In 2022, Wang et al. [36] investigated Chang et al.’s ASQKD protocol when subjected to a reflecting attack and proposed an efficient and secure measure-resend ASQKD protocol against the reflecting attack. In 2022, Wang et al. [37] discover the flaws of Wen et al.’s ASQKD protocol [33] and propose an authenticated semi-quantum key distribution protocol with high qubit efficiency.

In 2019, Zhou et al. [38] proposed semi-quantum identification based on single photons. The proposed protocol includes two semi-environments: the measure-resend and measurement-free environments. Zhou et al.’s SQA protocol has the following advantages:

(1)

It minimizes the quantum mechanical burden for classical Bob.

(2)

It does not require an authenticated classical channel.

(3)

The authentication key can be used circularly.

Although Zhou et al.’s SQA protocol has proven secure [38], this study discovers the severe information leakage it faces in the measure-resend and measurement-free environments. In the measure-resend environment, Eve can obtain the pre-shared key $\mathit{K}$ by performing a double CNOT (i.e., controlled NOT gate) attack. In the measurement-free environment, Eve can successfully obtain the pre-shared key $K$ through a man-in-the-middle attack. Hence, in this study, we propose an improved protocol that is immune to all these attacks.

The remainder of this paper is organized as follows. Section 2 presents a review of the SQA protocol proposed by Zhou et al. Section 3 addresses the security issues of Zhou et al.’s SQA protocol. The proposed SQA protocol is described in Section 4. Section 5 presents the security analysis of the proposed SQA protocol. Section 6 presents a performance analysis of the proposed SQA protocol. The paper ends with a conclusion in Section 7.

2. Review of Zhou et al.’s SQA Protocol

Suppose that Alice and Bob pre-share a binary key $\mathit{K}=\left\{{\mathit{K}}_1,{\mathit{K}}_2,\dots ,{\mathit{K}}_{2n}\right\}$, where ${\mathit{K}}_{\mathit{j}}\in \left\{00,01,10,11\right\}$ and $j=1,2,\dots ,2n$. They generate photons based on ${\mathit{K}}_{2i}, \mathit{i}=1,2,\dots ,n.$ Figure 1 and Figure 2 clearly illustrate Zhou et al.’s measure-resend SQA protocol and measurement-free SQA protocol, respectively.

2.1. Measure-Resend SQA Protocol

• Step A1.   Alice generates n photon sequence s based on the pre-share d key $\mathit{K}$ .

  ⏺

  If ${\mathit{K}}_{2i}=00 \mathrm{or} 01,$ then Alice generates Z-basis qubits $\left|0\right.=\left[\begin{array}{c}1\\ 0\end{array}\right] \mathrm{or} |1\rangle =\left[\begin{array}{c}0\\ 1\end{array}\right]$. Half of the Z-basis qubits are recorded as authenticated use (${\mathit{Z}}_{\mathit{A}}$), and the remaining as decoy use (${\mathit{Z}}_{\mathit{D}}$).

  ⏺

  If ${\mathit{K}}_{2i}=10 \mathrm{or} 11,$ then she generates X-basis photons $\left|+\right.=\frac{1}{\sqrt{2}}\left(\left|0\right.+\left|1\right.\right) \mathrm{or} |-\rangle =\frac{1}{\sqrt{2}}\left(\left|0\right.-\left|1\right.\right)$, recorded as ${\mathit{X}}_{\mathit{D}}$.

Alice sends all the generated photons (${\mathit{Q}}_{\mathit{A}}$) to Bob.

• Step A2.   Bob receives ${\mathit{Q}}_{\mathit{A}}$ and performs operations based on $\mathit{K}.$

  ⏺

  If ${\mathit{K}}_{2i}=00 \mathrm{or} 01,$ Bob performs a Z-basis measurement on the qubits and does not return the qubits.

  ⏺

  If ${\mathit{K}}_{2i}=10 \mathrm{or} 11,$ then Bob reflects the qubits without interference.

  Then, Bob resends the $\frac{1}{2}n$ photon sequence ($\mathit{Q}{\prime }_{\mathit{A}}$) back to Alice.

• Step A3.   Alice receives $\mathit{Q}{\prime }_{\mathit{A}}$ and measures it on the X basis. She checks whether the states are identical to the initial states to secure the channel. She then publishes the position and value of ${\mathit{Z}}_{\mathit{D}}$.
• Step A4.   Bob obtains the position and value of ${\mathit{Z}}_{\mathit{D}}$ and infers the positions of ${\mathit{Z}}_{\mathit{A}}$. Bob compares whether ${\mathit{Z}}_{\mathit{D}}$ is identical to the announcement from Alice and checks whether ${\mathit{Z}}_{\mathit{A}}$ is based on the generated $\mathit{K}$. If the error rate is higher than a preset threshold, the protocol aborts.
• Step A5.   Alice and Bob both update the authentication key based on ${\mathit{Z}}_{\mathit{A}}$ and $\mathit{K}$ to obtain the new authentication key denoted as ${\mathit{K}}^{″}=\left\{{\mathit{K}}_1^{″},{\mathit{K}}_2^{″},\dots ,{\mathit{K}}_{2n}^{″}\right\} \mathrm{through} \mathrm{the}$following rules: if Bob does not measure the received photons, then Alice and Bob generate ${\mathit{K}}_{\mathit{A}B}^i={\mathit{K}}_{2i}$; if Bob measures the photons, then ${\mathit{K}}_{\mathit{A}B}^i=00 \mathrm{or} 01$ is generated based on measurement results $\left|0\right. \mathrm{or} |1\rangle$. Eventually, Alice and Bob update the authentication key as ${\mathit{K}}_{2i}^{″}={\mathit{K}}_{2i}\oplus {\mathit{K}}_{2i-i}\oplus {\mathit{K}}_{\mathit{A}B}^i$ and ${\mathit{K}}_{2i-i}^{″}={\mathit{K}}_{2i}$, where $\oplus$ represents mutually exclusive or (XOR) operation.

2.2. Measurement-Free SQA Protocol

• Step B1.   Alice generates n photon sequence s based on a pre-share d key $\mathit{K}$ .

  ⏺

  If ${\mathit{K}}_{2i}=00 \mathrm{or} 01,$ then Alice generates Z-basis qubits $\left|0\right. \mathrm{or} |1\rangle$. Half of the Z-basis qubits are recorded as authenticated use (${\mathit{Z}}_{\mathit{A}}$), and the remaining as decoy use (${\mathit{Z}}_{\mathit{D}}$).

  ⏺

  If ${\mathit{K}}_{2i}=10 \mathrm{or} 11,$ then she generates X-basis photons $\left|+\right. \mathrm{or} \left|-\right.\rangle .$ Half of the X-basis qubits are recorded as authenticated use $\left({\mathit{X}}_{\mathit{A}}\right)$ and the remaining as decoy use $\left({\mathit{X}}_{\mathit{D}}\right)$.

Alice sends all the generated photons (${\mathit{Q}}_{\mathit{A}}$) to Bob.

• Step B2.   Bob receives ${\mathit{Q}}_{\mathit{A}}$ and performs insertion based on $\mathit{K}.$

  ⏺

  If the photon ${\mathit{Q}}_{\mathit{A}}$ is generated based on ${\mathit{K}}_{2i}=00 \mathrm{or} 01,$ then Bob prepares a Z-basis qubit $|0\rangle$ and inserts it after the corresponding photon ${\mathit{Q}}_{\mathit{A}}$ .

  ⏺

  If photon ${\mathit{Q}}_{\mathit{A}}$ . is generated based on ${\mathit{K}}_{2i}=10 \mathrm{or} 11,$ then Bob prepares Z-basis qubit $\left|1\right.$ and inserts it after the corresponding photon ${\mathit{Q}}_{\mathit{A}}$ .

After insertion, Bob reorders the photon sequence randomly and resends the $2n$ photon sequence (${\mathit{Q}}_{\mathit{A}}^{\prime }$) back to Alice.

• Step B3.   Alice receives ${\mathit{Q}}_{\mathit{A}}^{\prime }$ and informs Bob via the classical public channel. Bob then sends the correct order for ${\mathit{Q}}_{\mathit{A}}^{\prime }$. Alice reorders the photon sequence to the correct position according to the announcement from Bob. Alice measures ${\mathit{Z}}_{\mathit{D}}$ and ${\mathit{X}}_{\mathit{D}}$ on the correct basis to check if they are equal to the initial states. She then measures the inserted qubits on the Z-basis to check whether Bob’s insertion is based on $\mathit{K}$, that is, $|0\rangle$ should be inserted after ${\mathit{Z}}_{\mathit{D}}$, and $|1\rangle$ should be inserted after ${\mathit{X}}_{\mathit{D}}.$ After the eavesdropping check, Alice announces the positions of ${\mathit{Z}}_{\mathit{D}}$ and ${\mathit{X}}_{\mathit{D}}$.
• Step B4.   Bob receives the positions of ${\mathit{Z}}_{\mathit{D}}$ and ${\mathit{X}}_{\mathit{D}}$. Bob then requires Alice to announce the values of ${\mathit{Z}}_{\mathit{D}}$ and ${\mathit{X}}_{\mathit{D}}$. Bob checks whether the photon values are generated based on $\mathit{K}.$ If the error rate is higher than a preset threshold, the protocol is aborted. Alice compares whether ${\mathit{Z}}_{\mathit{A}}$ and ${\mathit{Z}}_{\mathit{D}}$ are generated in correlation with $\mathit{K}.$
• Step B5.   Alice and Bob both update the authentication key through the rules listed in

  Table 1. Coding rule of ${\mathit{K}}_{\mathit{A}B}$.

  K2i	The State Inserted by Bob	${\mathit{K}}_{\mathit{A}\mathit{B}}^{\mathit{i}}$
  00	$|0\rangle$	00
  01	$|0\rangle$	10
  10	$|1\rangle$	01
  11	$|1\rangle$	10

  , based on $\mathit{K}$ and the Z-basis qubits inserted by Bob to obtain the new authentication key, denoted as ${\mathit{K}}^{″}=\left\{{\mathit{K}}_1^{″},{\mathit{K}}_2^{″},\dots ,{\mathit{K}}_{2n}^{″}\right\}$. Finally, Alice and Bob update the authentication key as ${\mathit{K}}_{2i}^{″}={\mathit{K}}_{2i}\oplus {\mathit{K}}_{2i-i}\oplus {\mathit{K}}_{\mathit{A}B}^i$ and ${\mathit{K}}_{2i-i}^{″}={\mathit{K}}_{2i}$, where $\oplus$ represents XOR operation.

3. Security Issues in Zhou et al.’s SQA Protocols

Although Zhou et al.’s SQA protocol has been shown to be secure against several attacks [38], the protocol suffers from severe information leakage. Moreover, this information leakage exposes the entire authentication key $\mathit{K}$ without detection. This study reveals that Zhou et al.’s SQA protocol is vulnerable to a double CNOT attack and man-in-the-middle attack. These security issues are described as follows:

3.1. Double CNOT Attack on Zhou et al.’s Measure-Resend SQA Protocol

In Zhou et al.’s measure-resend protocol, an eavesdropper Eve can obtain the authentication key $\mathit{K}$ intact without being detected by performing a double CNOT attack. To proceed with the attack, Eve prepares probe qubits ${\mathit{q}}_e^i={\left|Z\rangle \right.}_e^i=\left\{\left|0\rangle ,\right|1\rangle \right\}$, intercepts each qubit of ${\mathit{Q}}_{\mathit{A}}$(denotes as ${\mathit{Q}}_{\mathit{A}}^i$), and performs the first CNOT operation. The CNOT operation is defined as ($\left|00\right.\rangle \langle 00\left|+\left|01\right.\rangle \langle 01\right|+\left|11\right.\rangle \langle 10\left|+\left|10\right.\rangle \langle 11\right|)$; ${\mathit{Q}}_{\mathit{A}}^i$ is the control qubit, and ${\mathit{Q}}_e^i$ is the target qubit. To demonstrate the attack clearly, consider the X-basis qubits of ${\mathit{Q}}_{\mathit{A}}^i$ (${\mathit{X}}_{\mathit{D}}$) as $\left|+\right.\rangle$ and the Z-basis qubits of ${\mathit{Q}}_{\mathit{A}}^i$ $({\mathit{Z}}_{\mathit{A}},{\mathit{Z}}_{\mathit{D}}$) as $\left|1\right.$. It should be noted that the choice of X-basis qubits (i.e., $\left|+\right.\rangle ,\left|-\right.\rangle$) and Z-basis qubits (i.e., $\left|0\right.\rangle ,\left|1,\rangle \right.$) does not affect the analysis. The first CNOT operation is presented as follows:

Assume the X-basis qubits of ${\mathit{Q}}_{\mathit{A}}^i$ (${\mathit{X}}_{\mathit{D}}$) as $\left|+\right.\rangle :$

$$CNOT\left({\left|+\right.\rangle }_A^i\otimes {\left|Z\rangle \right.}_e^i\right)=\frac{1}{\sqrt{2}}{(\left|0Z\rangle +\right|1\overline{Z}\rangle \rangle )}_{Ae}^i$$

(1)

Assume the Z-basis qubits of ${\mathit{Q}}_{\mathit{A}}^i$ $({\mathit{Z}}_{\mathit{A}},{\mathit{Z}}_{\mathit{D}}$) as $\left|1\right.\rangle :$

$$CNOT\left({\left|1\rangle \right.}_A^i\otimes {\left|Z\rangle \right.}_e^i\right)={\left|1\overline{Z},\rangle \right.}_e^i={\left|1\right.\rangle }_A^i\otimes {\left|\overline{Z},\rangle \right.}_e^i$$

(2)

After Eve completes the first CNOT operation (Equations (1) and (2)), she sends ${\mathit{Q}}_{\mathit{A}}^i$ to Bob. After receiving ${\mathit{Q}}_{\mathit{A}}^i$, Bob performs a Z-basis measurement on ${\mathit{Z}}_{\mathit{A}},{\mathit{Z}}_{\mathit{D}}$, keeps those qubits, reflects ${\mathit{X}}_{\mathit{D}}$ back to Alice, and forms photon sequence ${\mathit{Q}}_{\mathit{A}}^{\prime }$, which only contains X-basis qubits (${\mathit{X}}_{\mathit{D}}$). Then, Eve intercepts each photon of ${\mathit{Q}}_{\mathit{A}}^{\prime }$ (denoted as ${\mathit{Q}}_{\mathit{A}\prime }^i$), and performs the second CNOT operation on ${\mathit{Q}}_{\mathit{A}\prime }^i$ and probe qubits ${\mathit{q}}_e^i$. The second CNOT operation is as follows:

Assume the X-basis qubits of ${\mathit{Q}}_{{\mathit{A}}^{\prime }}^i$ (${\mathit{X}}_{\mathit{D}}$) as $\left|+\right.\rangle :$

$$CNOT(\frac{1}{\sqrt{2}}\left(\left|0Z\rangle +\right|1\overline{Z}\rangle {)}_{A^{\prime }e}^i\right)=\frac{1}{\sqrt{2}}{(\left|0Z\rangle +\right|1Z\rangle )}_{A\prime e}^i={\left|+\rangle \right.}_{A\prime }^i\otimes {\left|Z\right.}_e^i\rangle$$

(3)

Eve then sends ${\mathit{Q}}_{\mathit{A}}^{\prime }$ to Alice. It should be noted that Alice sends Z-basis qubits and X-basis qubits (${\mathit{Q}}_{\mathit{A}}$) to Bob, and Bob only returns X-basis qubits (${\mathit{Q}}_{\mathit{A}}^{\prime }$). Hence, Eve can cross-compare the positions of the qubits of ${\mathit{Q}}_{\mathit{A}}$ and ${\mathit{Q}}_{\mathit{A}}^{\prime }$ to infer the position of the Z-basis qubits and X-basis qubits. After Eve obtains the position of the Z-basis qubits, she performs the Z-basis measurement on the probe qubits ${\mathit{q}}_e^i \left({\left|Z\right.}_e^i\rangle \right)$ in Equation (2), that were utilized for the first CNOT operation with the Z-basis qubits $({\mathit{Z}}_{\mathit{A}},{\mathit{Z}}_{\mathit{D}}$) of ${\mathit{Q}}_{\mathit{A}}^i$. Eve obtains $\overline{Z}$(i.e., the measurement result of the probe state transforms into the inverse of the original state), which is the authentication key. Alice and Bob share and update circularly. According to Equation (2), after performing the first CNOT operation, the Z-basis qubits $({\mathit{Z}}_{\mathit{A}},{\mathit{Z}}_{\mathit{D}}$) remain the same. According to Equation (3), the X-basis qubits (${\mathit{X}}_{\mathit{D}}$) are not altered after the two CNOT operations. Thus, we have proven that the attack cannot be detected and successfully revealed that the authentication key $\mathit{k}$ is intact. Figure 3 clearly illustrates a double CNOT attack on Zhou et al.’s measure-resend SQA protocol.

3.2. Man-in-the-Middle Attack on Zhou et al.’s Measurement-Free SQA Protocol

In Zhou et al.’s measurement-free protocol, Eve obtains the entire authentication key $\mathit{K}$ without being detected by performing a man-in-the-middle attack. To perform the attack, Eve intercepts ${\mathit{Q}}_{\mathit{A}}^{\prime }$ and preserves ${\mathit{Q}}_{\mathit{A}}^{\prime }$ through quantum memory temporarily for the following procedure: Eve impersonates Alice to require Bob to announce the correct order of ${\mathit{Q}}_{\mathit{A}}^{\prime }$ (i.e., the channel is not authenticated, and Bob cannot notice the requirement is forged by Eve). Bob then announces the correct order of ${\mathit{Q}}_{\mathit{A}}^{\prime }$. Eve reorders ${\mathit{Q}}_{\mathit{A}}^{\prime }$ back to the correct order, according to the announcement from Bob. Eve can now easily acknowledge the basis of each photon of ${\mathit{Q}}_{\mathit{A}}$ by performing the Z-basis measurement on each of the corresponding inserted qubits. Then, Eve measures each photon of ${\mathit{Q}}_{\mathit{A}}$ with the correct basis to obtain the pre-shared key $\mathit{K}$ (i.e., if the inserted qubit is $|0\rangle$, Eve measures the corresponding ${\mathit{Q}}_{\mathit{A}}$ qubits in the Z-basis; if the inserted qubit is $|1\rangle$, Eve measures the corresponding ${\mathit{Q}}_{\mathit{A}}$ qubits in the X-basis). After eavesdropping, Eve disorders the photons back to the position as initially done by Bob (${\mathit{Q}}_{\mathit{A}}^{\prime }$) and sends them to Alice. Accordingly, the attack does not alter any photons; hence, the eavesdropping check cannot detect abnormalities. Thus, we prove that the attack can eavesdrop on the entire authentication key k without being detected. Figure 4 clearly illustrates a man-in-the-middle attack on Zhou et al.’s measurement-free SQA protocol.

4. Proposed SQA Protocol

This section describes the proposed SQA protocol based on an improvement of Zhou et al.’s SQA protocol. Suppose that the protocol proceeds in a semi-quantum environment, where Alice is a quantum user, and Bob is a classical user with limited quantum capabilities. The proposed protocol includes two semi-quantum environments: measure-resend and measurement-free. The proposed protocol circumvents all the security flaws mentioned in Zhou et al.’s SQA protocol. The details are as follows:

4.1. Proposed Measure-Resend SQA Protocol

Suppose that Alice and Bob pre-share a binary key $\mathit{K}=\left\{{\mathit{K}}_1,{\mathit{K}}_2,\dots ,{\mathit{K}}_{2n}\right\}$, where ${\mathit{K}}_j\in \left\{00,01,10,11\right\}$ and $\mathit{j}=1,2,\dots ,2n$. They generate photons based on ${\mathit{K}}_{2i}, \mathit{i}=1,2,\dots ,n.$ Figure 5 clearly illustrates the proposed measure-resend SQA protocol.

• Step C1.   This process is identical to Step A1. Alice generates ${\mathit{Z}}_{\mathit{A}}$ , ${\mathit{Z}}_{\mathit{D}},$ and ${\mathit{X}}_{\mathit{D}}$ based on $\mathit{K}$, forming n photon sequence $\left({\mathit{Q}}_{\mathit{A}}\right)$. Then, Alice sends ${\mathit{Q}}_{\mathit{A}}$ to Bob.
• Step C2.  Bob receives ${\mathit{Q}}_{\mathit{A}}$ and performs operations based on $\mathit{K}.$

  ⏺

  If ${\mathit{K}}_{2i}=00 \mathrm{or} 01,$ Bob performs a Z-basis measurement on the qubits and resends the same single photon based on the measurement result.

  ⏺

  If ${\mathit{K}}_{2i}=10 \mathrm{or} 11,$ Bob reflects qubits without interference.

Bob then resends the $n$ photon sequence ( $\mathit{Q}{\prime }_{\mathit{A}}$ ) back to Alice.

• Step C3.   Alice receives ${\mathit{Q}}_{\mathit{A}}^{\prime }$ and measures it on the correct basis. She checks if the states are identical to the initial states, that is, ${\mathit{X}}_{\mathit{D}}$ remains in the same initial state. Alice then publishes the position and value of ${\mathit{Z}}_{\mathit{D}}$.
• Step C4.   According to Alice’s announcement, Bob can infer the position of ${\mathit{Z}}_{\mathit{A}}$. Bob compares whether ${\mathit{Z}}_{\mathit{D}}$ and ${\mathit{Z}}_{\mathit{A}}$ are generated based on $\mathit{K}$. If the error rate is higher than a preset threshold, the protocol is aborted.
• Step C5.   Alice and Bob both update the authentication key $\mathrm{through}$ the same rule mentioned in Step A5, obtain ing the new authentication key denoted as ${\mathit{K}}^{″}=\left\{{\mathit{K}}_1^{\prime \prime },{\mathit{K}}_2^{\prime \prime },\dots ,{\mathit{K}}_{2n}^{\prime \prime }\right\}$.

The proposed measure-resend SQA protocol is immune to double CNOT attacks. Since ${\mathit{Q}}_{\mathit{A}}$ and $\mathit{Q}{\prime }_{\mathit{A}}$ are identical, Eve cannot obtain any information by cross-comparing ${\mathit{Q}}_{\mathit{A}}$ and $\mathit{Q}{\prime }_{\mathit{A}}$. To perform the double CNOT attack, Eve must obtain the basis of the photons (i.e., if Eve performs the double CNOT attack on both photon sequences (${\mathit{Q}}_{\mathit{A}},\mathit{Q}{\prime }_{\mathit{A}}$), performing the CNOT operation twice on the same photon cannot obtain any information). Hence, the proposed measure-resend SQA protocol is immune to double CNOT attacks.

4.2. Proposed Measurement-Free SQA Protocol

Suppose Alice and Bob pre-share two binary keys, $\mathit{K}=\left\{{\mathit{K}}_1,{\mathit{K}}_2,\dots ,{\mathit{K}}_{2n}\right\}$, where ${\mathit{K}}_j\in \left\{00,01,10,11\right\}$, $\mathit{j}=1,2,\dots ,2n$, and ${\mathit{K}}_{\mathit{A}}$ represents the order of ${\mathit{Q}}_{\mathit{A}}^{\prime },$. They generate photons based on ${\mathit{K}}_{2i}, \mathit{i}=1,2,\dots ,n.$ Figure 6 clearly illustrates the proposed measurement-free SQA protocol.

• Step D1.   This process is identical to Step B1. Alice generates ${\mathit{Z}}_{\mathit{A}}$ , ${\mathit{Z}}_{\mathit{D}}$ , ${\mathit{X}}_{\mathit{A}},$ and ${\mathit{X}}_{\mathit{D}}$ based on $\mathit{K}$ , to form n photon sequence $\left({\mathit{Q}}_{\mathit{A}}\right)$ . Then, Alice sends ${\mathit{Q}}_{\mathit{A}}$ to Bob.
• Step D2.  Bob performs insertion according to the rule mentioned in Step B2. Bob then reorders the photon sequence based on ${\mathit{K}}_{\mathit{A}}$. Bob then resends the $2n$ photon sequence ($\mathit{Q}{\prime }_{\mathit{A}}$) back to Alice.
• Step D3.   Alice receives $\mathit{Q}{\prime }_{\mathit{A}}$ and reorders it to the correct order based on ${\mathit{K}}_{\mathit{A}}$. She measures the inserted qubits in the Z-basis to check if the correlations are based on $\mathit{K}$ (i.e., $|0\rangle$ should be inserted after ${\mathit{Z}}_{\mathit{A}}$ and ${\mathit{Z}}_{\mathit{D}}$, $|1\rangle$ should be inserted after ${\mathit{X}}_{\mathit{A}}$ and ${\mathit{X}}_{\mathit{D}}).$ After the eavesdropping check, Alice announces the positions and the value>s of ${\mathit{Z}}_{\mathit{D}}$ and ${\mathit{X}}_{\mathit{D}}$.
• Step D4.  Bob receives the positions and the values of ${\mathit{Z}}_{\mathit{D}}$ and ${\mathit{X}}_{\mathit{D}}$. He checks whether the announced position is correlated with $\mathit{K}.$ If the error rate is higher than a preset threshold, the protocol is aborted.
• Step D5.   Alice and Bob both update the authentication key based on the coding rule (see also

  Table 2. Coding rule of ${\mathit{K}}^{\prime \prime }$.

  {K, the Inserted Qubit}	${\mathit{K}}_{\mathit{i}}^{\prime }$
  $\left|0\rangle , \right|0\rangle$	00
  $\left|1\rangle ,\right|0\rangle$	01
  $\left|+\rangle , \right|1\rangle$	10
  $\left|-\rangle , \right|1\rangle$	11

  ) and obtain the new authentication key denoted as ${\mathit{K}}^{″}=\left\{{\mathit{K}}_1^{\prime \prime },{\mathit{K}}_2^{\prime \prime },\dots ,{\mathit{K}}_{2n}^{\prime \prime }\right\}$ .

The proposed measurement-free SQA protocol can endure man-in-the-middle attacks. In Zhou et al.’s SQA protocol, Eve intercepts and preserves $\mathit{Q}{\prime }_{\mathit{A}}$ in quantum memory and forges Alice to request Bob for the order of $\mathit{Q}{\prime }_{\mathit{A}}$, so Eve can obtain the basis of each photon of ${\mathit{Q}}_{\mathit{A}}$ by measuring the corresponding the inserted photons. Eve then measures ${\mathit{Q}}_{\mathit{A}}$ in the correct basis to obtain $\mathit{K}$without being detected. Under the proposed measurement-free SQA protocol, Eve cannot obtain the order of $\mathit{Q}{\prime }_{\mathit{A}}$ because it was previously pre-shared in${\mathit{K}}_{\mathit{A}}$. Hence, the proposed measurement-free SQA protocol can withstand man-in-the-middle attacks.

5. Security Analysis

This section discusses the security analysis of the proposed SQA protocol with respect to three main attacks: (1) typical eavesdropping attack, (2) double CNOT attack, and (3) man-in-the-middle attack. The proposed SQA protocol is based on Zou et al.’s SQA protocol; hence, the security of the proposed protocol has been proven in Zou et al. In this section, the security of the proposed SQA protocol with respect to these three main attacks is discussed.

5.1. Security against Typical Eavesdropping Attack

5.1.1. Attack on the Proposed Measure-Resend SQA Protocol

Assume that Eve conducts a typical eavesdropping attack to eavesdrop on the authentication key $\mathit{k}$. In Step C1, Alice generates photons (${\mathit{Q}}_{\mathit{A}}$) based on ${\mathit{k}}_{2i}$ and sends them to Bob. Eve intercepts each photon of ${\mathit{Q}}_{\mathit{A}}$ and performs a measurement on ${\mathit{Q}}_{\mathit{A}}$ on a random basis (i.e., Z-basis or X-basis). After the measurement, Eve prepares the qubits as measurement results (${\mathit{E}}_{\mathit{A}}$). Eve then sends ${\mathit{E}}_{\mathit{A}}$ to Bob. In Step C2, Bob receives ${\mathit{E}}_{\mathit{A}}$ and performs measure-resend or reflects photons based on ${\mathit{K}}_{2i}$ (that is, if ${\mathit{K}}_{2i}=00 \mathrm{or} 01$, Bob measures on the Z-basis and prepares the same qubit as the measurement result. If ${\mathit{K}}_{2i}=10 \mathrm{or} 11$, Bob reflects a photon without any disturbance). Bob resends all the photons back to Alice (${{\mathit{E}}^{\prime }}_{\mathit{A}}$). In Step C3, Alice performs an eavesdropping check on ${{\mathit{E}}^{\prime }}_{\mathit{A}}$ (i.e., Alice checks whether the X-basis photons are equal to the initial state). To pass the eavesdropping check, ${{\mathit{E}}^{\prime }}_{\mathit{A}}$ must be equal to ${\mathit{Q}}_{\mathit{A}}$. In other words, Eve must acknowledge every basis for the photons of ${\mathit{Q}}_{\mathit{A}}$. ${\mathit{Q}}_{\mathit{A}}$ contains four states (i.e.,$\left|0\right.,\left|1\right.,\left|+\right.,|-\rangle$) based on ${\mathit{k}}_{2i}$ while ${{\mathit{E}}^{\prime }}_{\mathit{A}}$ contains the random basis of the four states. Thus, the possibility of passing the eavesdropping check is ${\left(\frac{1}{4}\right)}^n$. In other words, the possibility of an attack being detected by Alice is $1-{\left(\frac{1}{4}\right)}^n$. Hence, the proposed measure-resend SQA protocol is resistant to eavesdropping.

5.1.2. Attack on the Proposed Measurement-Free SQA Protocol

Suppose Eve performs a typical eavesdropping attack on authentication key $\mathit{k}$ from the traveling qubits between Alice and Bob. In Step D1, Alice generates photons (${\mathit{Q}}_{\mathit{A}})$ based on ${\mathit{k}}_{2i}$ and sends ${\mathit{Q}}_{\mathit{A}}$ to Bob. Eve intercepts ${\mathit{Q}}_{\mathit{A}}$ and performs measurements on photons on a random basis (i.e., Z-basis or X-basis). After the measurement, Eve prepares the qubits as measurement results $\left({\mathit{E}}_{\mathit{A}}\right)$. She then resends ${\mathit{E}}_{\mathit{A}}$ to Bob. In Step D2, Bob receives ${\mathit{E}}_{\mathit{A}}$ and inserts photons based on ${\mathit{K}}_{2i}$(i.e., if the received qubit is Z-basis, $\left|0\right.$ is inserted; if Bob receives X-basis photons, $\left|1\right.$ is inserted). The inserted photon sequence forms ${{\mathit{E}}^{\prime }}_{\mathit{A}}.$ Then, Bob reorders ${{\mathit{E}}^{\prime }}_{\mathit{A}}$ based on ${\mathit{k}}_{\mathit{A}}$and sends it to Alice. In Step D3, Alice receives and recovers ${{\mathit{E}}^{\prime }}_{\mathit{A}}$ based on ${\mathit{k}}_{\mathit{A}}$, and measures every photon on the correct basis. To pass the eavesdropping check, ${{\mathit{E}}^{\prime }}_{\mathit{A}}$ must be equal to ${\mathit{Q}}_{\mathit{A}}$. ${\mathit{Q}}_{\mathit{A}}$ is generated in four states (i.e.,$\left|0\right.,\left|1\right.,\left|+\right.,|-\rangle$) based on ${\mathit{k}}_{2i}$, and ${\mathit{E}}_{\mathit{A}}$ is generated on a random basis; thus, the possibility of passing the eavesdropping check is ${\left(\frac{1}{4}\right)}^n$. That is, the possibility of an attack being detected by Alice is $1-{\left(\frac{1}{4}\right)}^n$. Hence, the proposed measurement-free SQA protocol is resistant to typical eavesdropping.

5.2. Security against Double CNOT Attack on the Proposed Measure-Resend SQA Protocol

Suppose an eavesdropper, Eve, performs a double CNOT attack to eavesdrop on authentication key $\mathit{k}$. To initiate the attack, Eve prepares ancillary qubits ${\mathit{q}}_e^i={\left|\mathit{Z}\right.}_e^i=\left\{\left|0\rangle ,\right|1\rangle \right\}$ to perform the CNOT operation with each traveling qubit of ${\mathit{Q}}_{\mathit{A}}$(denotes as ${\mathit{Q}}_{\mathit{A}}^i$). The CNOT operation is defined as ($\left|00\right.\rangle \langle 00\left|+\left|01\right.\rangle \langle 01\right|+\left|11\right.\rangle \langle 10\left|+\left|10\right.\rangle \langle 11\right|)$; ${\mathit{Q}}_{\mathit{A}}^i$ is the control qubit, and ${\mathit{q}}_e^i$ is the target qubit. For clarity, assume that the X-basis photon of ${\mathit{Q}}_{\mathit{A}}^i$ contains $\left|+\right.$ and the Z-basis photon of ${\mathit{Q}}_{\mathit{A}}^i$ contains $\left|1\right.\rangle$. The choice of the X-basis (i.e., $\left|+\right.\rangle ,\left|-\right.\rangle$) and Z-basis (i.e., $\left|0\right.,\rangle \left|1\right.\rangle$) does not affect the security analysis. Eve performs the first CNOT operation as follows:

Assume the X-basis photon of ${\mathit{Q}}_{\mathit{A}}^i$ contains $\left|+\right.\rangle :$

$$CNOT\left({\left|+\right.\rangle }_A^i\otimes {\left|Z\right.\rangle }_e^i\right)=\frac{1}{\sqrt{2}}{(\left|0Z\rangle +\right|1\overline{Z}\rangle )}_{Ae}^i$$

(4)

Assume the Z-basis photon of ${\mathit{Q}}_{\mathit{A}}^i$ contains $\left|1\right.\rangle :$

$$CNOT\left({\left|1\right.\rangle }_A^i\otimes {\left|Z\right.\rangle }_e^i\right)={\left|1\overline{Z}\right.\rangle }_e^i={\left|1\right.}_A^i\otimes {\left|\overline{Z}\right.\rangle }_e^i$$

(5)

After the first CNOT operation, Eve sends ${\mathit{Q}}_{\mathit{A}}$ to Bob. After receiving ${\mathit{Q}}_{\mathit{A}}$, Bob utilizes the measure-resend mode or reflect mode based on ${\mathit{k}}_{2i}$ and returns $\mathit{Q}{\prime }_{\mathit{A}}$ to Alice. In the improved SQA protocol, because Bob must send a qubit back to Alice for every received qubit, Eve does not know which qubit will be present in the reflect mode. That is, Eve does not know which qubit is sent back by Bob to perform the CNOT operation. Therefore, Eve intercepts each photon of $\mathit{Q}{\prime }_{\mathit{A}}$ (denoted as ${\mathit{Q}}_{\mathit{A}\prime }^i$), performs the second CNOT operation on ${\mathit{Q}}_{\mathit{A}\prime }^i$ with ${\mathit{q}}_e^i$, and then resends it to Alice. The second CNOT operation is as follows:

Assume the X-basis of ${\mathit{Q}}_{{\mathit{A}}^{\prime }}^i$ contains $\left|+\right.\rangle :$

$$CNOT\left(\frac{1}{\sqrt{2}}\left(|0Z\right.\rangle +\left|1\overline{Z}\right.\rangle {)}_{A^{\prime }e}^i\right)=\frac{1}{\sqrt{2}}{(\left|0Z\rangle +\right|1Z)}_{A^{\prime }e}^i={\left|+\right.\rangle }_A^i\otimes {\left|Z\right.\rangle }_e^i$$

(6)

Assume the Z-basis of ${\mathit{Q}}_{{\mathit{A}}^{\prime }}^i$ contains $\left|1\right.\rangle :$

$$CNOT\left({\left|1\right.\rangle }_{A\prime }^i\otimes {\left|\overline{Z}\right.\rangle }_e^i\right)={\left|1Z\right.\rangle }_e^i={\left|1\right.\rangle }_A^i\otimes {\left|Z\right.\rangle }_e^i$$

(7)

In Equations (6) and (7), the measurement result of ${\mathit{q}}_e^i$ remains the same. In other words, Eve cannot measure an ancillary qubit to obtain private information. Hence, we prove that the proposed measure-resend SQA protocol can endure a double CNOT attack.

5.3. Security against Man-in-the-Middle Attack on the Proposed Measurement-Free SQA Protocol

Suppose Eve performs a man-in-the-middle attack to eavesdrop on authentication key $\mathit{k}$. Alice authenticates Bob in Step D3, where Alice checks if the photons sent by Bob are secured based on ${\mathit{k}}_{2i}$. Bob authenticates Alice in Step D4 and deduces whether Alice announces the correct position of ${\mathit{Z}}_{\mathit{A}}$ and ${\mathit{Z}}_{\mathit{D}}$ based on K. In other words, authentication is based on the individual pre-shared key; hence, impersonation cannot exist under any circumstance.

6. Performance Analysis

This section provides a comparative study of the latest SQA protocols with the proposed SQA protocols. Based on single photons,

Table 3. Comparison of [35,36,38,39] and the proposed SQA protocols.

	Zhou et al.’s Protocols [38]		Zebboudj et al.’s Protocol [39]	Chang et al.’s Protocol [35]	Wang et al.’s Protocol [36]	The Proposed Protocols
Quantum resource	Single photons		Single photons	Single photons	Single photons	Single photons
Semi-quantum environment	Measure-resend	Measurement-free	Measure-resend	Measure-resend	Measure-resend	Measure-resend	Measurement-free
Quantum efficiency	33%	17%	14%	17%	14%	20%	17%
Required pre-shared keys (in bits)	6n	4n	3n	3n	3n	6n	5n
Vulnerability to double CNOT attack	Yes	No	No	No	No	No	No
Vulnerability to man-in-the-middle attack	No	Yes	No	No	No	No	No

provides a comparison between the proposed SQA protocols and Zhou et al.’s protocol [38], Zebboudj et al.’s protocol [39], Chang et al.’s protocol [35], and Wang et al.’s protocol [36]. The qubit efficiency of the protocol is calculated using the following equation: $\eta =\frac{c}{q}$, where c denotes the number of shared classical bits and q denotes the sum of consumed qubits. The efficiency analysis of Zebboudj et al., Chang et al., and Wang et al.’s SQA protocols have been discussed in the study [36].

In Zhou et al.’s measure-resend SQA protocol, Alice prepares $3n$ single photons in $Z_A,Z_D$ and $X_D$. Bob measures $Z_A,Z_D$ and reflects $X_D$. Eventually, both share $n$ authentication key. Thus, the qubit efficiency of Zhou et al.’s measure-resend SQA protocol is $\frac{n}{3n}\approx 33\%$.

In Zhou et al.’s measurement-free SQA protocol, Alice prepares $4n$ single photons in $Z_A,Z_D, X_A$ and $X_D$. Bob generates 2n photons (i.e., $\left|0\right.$ or $\left|1\right.$) and inserts them. Eventually, both share $n$ authentication key. Thus, the qubit efficiency of Zhou et al.’s measurement-free SQA protocol is $\frac{n}{4n+2n}\approx 17\%$.

In the proposed measure-resend SQA protocol, Alice prepares 3$n$ single photons in $Z_A,Z_D$ and $X_D$. Bob measures $Z_A,Z_D$ and generates $2n$ single photons. Thus, the qubit efficiency of the proposed measure-resend SQA protocol is $\frac{n}{3n+2n}=20\%$.

In the proposed measurement-free SQA protocol, Alice prepares 4$n$ single photons in $Z_A,Z_D, X_A$ and $X_D$. Bob generates $2n$ single photons (i.e., $\left|0\right.$ or $\left|1\right.$). Thus, the qubit efficiency of the proposed measurement-free SQA protocol is $\frac{n}{4n+2n}\approx 17\%$.

Compared to Zebboudj et al. [39], Chang et al. [35], and Wang et al.’s [36] measure-resend SQA protocols with the proposed SQA protocols, the proposed SQA protocols have higher qubit efficiency. Although the qubit efficiency is lower than that of Zhou et al. [38], the proposed SQA protocols do not suffer from the double CNOT attack and the man-in-the-middle attack. Based on the comparative studies, the proposed SQA protocols obtain the following advantages:

(1.)

The qubit efficiency of the proposed SQA protocols is significantly higher than most protocols [35,36,39].

(2.)

The proposed SQA protocols do not exist information leakage and are proven secure under the double CNOT attack and the man-in-the-middle attack.

7. Conclusions

This study revealed severe information leakage under Zhou et al.’s SQA protocol, and a secure SQA protocol was proposed. An eavesdropper can obtain an intact authentication key by performing a double CNOT attack and a man-in-the-middle attack without being detected. In Zhou et al.’s measure-resend SQA protocol, Eve can obtain the authentication key by performing a double CNOT attack without being detected based on the cross-comparison of send and resend photon sequences ($Q_A,Q{\prime }_A$). In Zhou et al.’s measurement-free SQA protocol, Eve can eavesdrop on the authentication key by performing a man-in-the-middle attack based on the announcement (the order of $Q{\prime }_A$). In contrast, the proposed SQA protocol is immune to the double CNOT attack, man-in-the-middle attack, and typical eavesdropping attack. Although the qubit efficiency is lower than that of Zhou et al.’s SQA protocol, the proposed protocol ensures information security. How to increase the qubit efficiency while remaining secure is the subject of future research.