Quantum Secure Direct Communication Protocol with Mutual Authentication Based on Single Photons and Bell States

Quantum secure direct communication (QSDC) can transmit secret messages directly from one user to another without first establishing a shared secret key, which is different from quantum key distribution. In this paper, we propose a novel quantum secure direct communication protocol based on signal photons and Bell states. Before the execution of the proposed protocol, two participants Alice and Bob exchange their corresponding identity IDA and IDB through quantum key distribution and keep them secret, respectively. Then the message sender, Alice, encodes each secret message bit into two single photons ( | 01〉 or |10〉 ) or a Bell state ( 1 | ( 0 0 1 1 ) 2 φ 〉 = + or 1 | ( 0 0 1 1 ) 2 φ 〉 = − ), and composes an ordered secret message sequence. To insure the security of communication, Alice also prepares the decoy photons and inserts them into secret message sequence on the basis of the values of IDA and IDB. By the secret identity IDA and IDB, both sides of the communication can check eavesdropping and identify each other. The proposed protocol not only completes secure direct communication, but also realizes the mutual authentication. The security analysis of the proposed protocol is presented in the paper. The analysis results show that this protocol is secure against some common attacks, and no secret message leaks even if the messages are broken. Compared with the two-way QSDC protocols, the presented protocol is a one-way quantum communication protocol which has the immunity to Trojan horse attack. Furthermore, our proposed protocol can be realized without quantum memory.


Introduction
The development of quantum computation and quantum information has brought new challenges and opportunities for the research of information security [Zhang, Chang, Yan et al. (2019)]. The principle of quantum mechanics provides unconditionally secure information exchange. Since the first quantum key distribution (QKD) was proposed in 1984 Bennett et al. [Bennett and Brassard (1984)], many quantum secure protocols have been proposed [Zhong, Liu and Xu (2018); Hao, Zhang, Huang et al. (2019)]. Quantum secure direct communication (QSDC) is a very important branch of quantum communication. In the QSDC protocol, secret messages are transmitted directly without first establishing a key to encrypt them. The first QSDC protocol, based on Einstein-Pololsky-Rosen (EPR) pairs, was proposed by Long et al. [Long and Liu (2002)]. Subsequently, Deng et al. [Deng, Long and Liu (2003)] developed the standard criteria and safety judgment condition for QSDC. It has also been shown that QSDC can be used to distribute secret keys, and it has a higher capacity than typical QKD schemes. In 2004, Deng et al. [Deng and Long (2004)] proposed a QSDC protocol based on a single photon and a quantum one-time pad (OTP). Since then, many researchers have proposed a variety of QSDC protocols on the basis of these principles by using different quantum states as quantum channels. These quantum channels include single photons [Lucamarini and Mancini (2005); Wang, Quan and Tang (2006)], EPR pairs [Zhu, Xia, Fan et al. (2006)], GHZ class states [Jin, Ji, Zhang et al. (2006); Banerjee and Pathak (2012)], W class states [Cao and Song (2006) ;Chang, Zhang, Yan et al. (2014)], cluster state [Wang, Fang and Tan (2006) ;Cao, Yang and Wen (2010); Sun, Du and Long (2012) (2011)]. QSDC protocols are usually weak in impersonation attack. Since no identity authentication scheme is adopted in QSDC, the eavesdropper can impersonate one of two legal users to communicate with the other. He/she might impersonate the receiver to receive the secret message from the sender, or impersonate the sender to send a fake message to the receiver. Identity authentication is an effective way to guard against impersonation attack for QSDC protocols. In 2006, Lee et al. [Lee, Lim andYang (2006)] proposed the first quantum direct communication with authentication protocol. A third party, Trent, is introduced to authenticate the users participating in the Lee et al. 's protocol. Subsequently, Zhang et al. [Zhang, Liu, Wang et al. (2007)] pointed out that Lee et al.'s protocol suffered from different initial state attack by a dishonest third party, such as Trent. They proposed an improvement to avoid the attack. Yen et al. [Yen, Horng, Goan et al. (2009) proposed a QSDC protocol with authentication using two nonorthogonal states, but the proposed protocol requires participants to have two-way communication ability. In the paper we propose a mutual authenticated QSDC protocol based on single photons and Bell states. Different form the previous protocols, the proposed protocol has only two participations, Alice and Bob. Alice transmits secret messages directly to Bob. Both sides of the communication can confirm the legitimacy of each other's identity, and only authenticated users can send or receive the correct secret messages. The proposed protocol does not require the receiver to be equipped with quantum memory.
The rest of this paper is organized as follows. In Section 2, we introduce our protocol based on single photons and Bell states. In Section 3, we show the security verification of the protocol under some common attacks. Section 4 present conclusions.

The QSDC protocol with mutual authentication
In this section, we propose a quantum protocol for quantum secure direct communication using Bell states. There are two participants in the protocol. Alice wants to transmit N-bit secret message M to Bob. IDA and IDB are the identities of Alice and Bob, respectively. Let's first introduce some prior theoretical basis in the proposed protocol. The four Bell states can be denoted as 1 | ( 0 0 1 1 ) 2 We assume that Alice and Bob generate and pre-share their own secret identity IDA and IDB, respectively ( , To facilitate discussion, without loss of generality, we assume that the length of IDA and IDB is exactly equal to N. When Alice sends the photons to Bob, IDA is used to prepare the decoy photons, and IDB is used to determine the position of the decoy photons. The process of the proposed protocol will be described in steps as follows. Step 1: IDA and IDB are pre-shared between Alice and Bob, respectively, via an unconditionally secure quantum key distribution (QKD) protocol.
Step 2: Alice prepares an ordered 2N qubit pairs which are in one of the states { 01 , 10 , φ + , φ − }. All of these qubits compose an ordered sequence S.
To insure the security of communication, N qubit pairs are used to send a secret message where | 01〉 and |10〉 represent bit 0, and φ + and φ − represent bit 1. More specifically, if the i-th bit ( 1 i N < < ) of the secret message is 0, Alice produces state 01 or 10 .
Otherwise, she produces state φ + or φ − . All of these qubit pairs compose sequence SA.
On the basis of the values of IDA, Alice prepares the remaining N qubit pairs which are used to check eavesdropping. If the value of the i-th bit of IDA is 0, Alice produces state 01 or 10 . Otherwise, she produces state φ + or φ − . All of these qubit pairs compose sequence SB. Then Alice inserts decoy photons into the qubit sequence of the secret message based on the values of IDB. If the value of the i-th bit of IDB is 0, Alice inserts the decoy photons (i.e., the i-th bit of SB) before the secret message (i.e., the i-th bit of SA). Otherwise, Alice inserts the decoy photons behind it. Thus, SA and SB compose an ordered sequence S. For example, when N=4, IDA=0110, IDB=1010, message M=1100, the sequence SA will be { φ + , φ − , 10 , 10 , the sequence SB will be { 01 , φ + , φ − , 10 }, and the sequence S will be { φ + , 01 , φ + , φ − , 10 , φ − , 10 , 10 }.
Finally, Alice sends S to Bob. Here the block transmission technology is used to send S [2, 3].
Step 3 Step 4: Then Alice and Bob check eavesdropping. Alice announces the initial states of the decoy photon pairs. Bob's measurement result should be the same as Alice's prepared state. If the error rate is higher than the predetermined error rate, they will terminate the protocol and restart from Step 1. After all the decoy photon pairs announced by Alice are checked, the protocol will continue to the next step.
Step 5: Using the same way as described in Steps 3 to 4, Alice and Bob can also authenticate each other. The initial state of the decoy photon pairs is the same as IDA. Only authenticated Bob can obtain the secret message.
Step 6: Bob discards measurement results of the decoy pairs, then he can obtain the secret message based on the remaining measurement results. The relationship among this information is shown in Tab. 1. Therefore, the proposed protocol achieves the secure transmission of data from Alice to Bob.
Step 7: Comparison of secret information To ensure that Bob receives the same secret message, Alice and Bob can compare parts of the message. Bob announces parts of the message. If Alice finds that Bob has published the same value as hers, it means that the secret message has been sent successfully. The process of the information encoding and decoding phase is shown in Fig. 1. The white dots represent 01 or 10 , and black dots represent φ + or φ − .

Security analysis
In this section, the security of the presented protocol against some common attacks is discussed.

The impersonation attack
Eve may try to impersonate one of two legal users to communicate with the other one. Suppose Eve generates a sequence SE. and sends the forged message to Bob in Step 2. After Bob measures the decoy photons in SE, Eve must announce the initial states of decoy photons to Bob. However, Eve cannot public the correct initial states without knowing the IDA, and the comparison will be failed. On the other hand, suppose Eve impersonates Bob to obtain the encoding message of Alice. To recover the secret message, Eve has to obtain the right position of decoy photons. However, she has no idea about the identity IDA and IDB. According to the analysis above, the proposed protocol is secure against the impersonation attack.

The intercept-and-resend attack
In the communication phase, in order to recover the secret message without being detected, Eve can launch an intercept-and-resend attack as follows. In Step 2, Eve intercepts the sequence S and measures it in Z basis or Bell basis. Then Eve generates the same states based on the measurement results and sends them to Bob. Without knowing the positon of decoy photons, Eve will be detected inevitably.
In detail, let us first consider the case that the state of decoy photon pair is φ + . If Eve intercepts this qubit and performs a measurement on it along the Bell basis, the measurement result will be φ + . Subsequently, Eve retransmits this result state φ + to Bob. As a result, no error has been introduced. If Eve chooses the Z basis, the measurement result is 00 or 11 . Then Eve sends 00 or 11 to Bob. Bob measures it in Bell basis and obtains φ + or φ − each with probability of 1/2. Thus, the error rate introduced by Eve is 50%. Therefore, the probability for Eve to pass the security checking is 3 1 1 1 1 4 2 2 2 = × + × . Now considering the case that the state of decoy photon is 01 , If Eve intercepts this qubit and performs a measurement on it along the Z basis, the measurement result will be 01 . Subsequently, Eve retransmits this result state 01 to Bob. As a result, no error has been introduced. If Eve chooses the Bell basis, the measurement result is ψ + or ψ − .
Then Eve sends ψ + or ψ − to Bob. Bob measures it in Z basis and obtains 01 or 10 each with probability of 1/2. Thus, the error rate introduced by Eve is 50%. Therefore, the probability for Eve to pass the security checking is 3 1 1 1 1 4 2 2 2 = × + × .
Thus, for Eve's intercept-measure-resend attack, the probability of being detected is 3 1 ( ) 4 n d = − . This probability approximates to 1, if n is large enough.

Man-in-the-middle attack
In Step 2, if Eve intercepts the sequence S from Alice and Bob, she prepares another sequence SE and sends it to Bob. However, Alice only announces the initial states of the decoy photon pairs during the protocol. Eve knows nothing about identity IDA and IDB, so Eve cannot correctly distinguish between the decoy photons and the secret message photons. Therefore, even if Eve catches these qubits, she cannot obtain the secret message, and her attack cannot pass the eavesdropping check.

Entangle-measure attack
In this section, we discuss the entangle-measure attack. Eve intercepts sequence S and adds an ancillary state , a b ε to every particle. Then she performs a unitary attack operation E ∧ on the composed system. In the proposed protocol, all the transmitted particles are sent together before eavesdropping is detected. Because Eve does not know which particle is used to detect eavesdropping, she can only perform the same attack operation on all the particles. As for Eve, the state of qubits is distinguishable from the complete mixture, so all qubits are considered in either of the states 0 or 1 with an equal probability 0 1 0.5. p p = = After the attack by Eve, the state 0 and 1 become [Gisin, Ribordy, Tittel et al. (2002) (1 ) log (1 ) log (11) When Eve obtains the information, the detection probability is shown in Fig. 2.

Figure 2: Detection probability of eavesdropping information
The above results show that if Eve wants to gain the full information (I=1), the probability of the eavesdropping detection is d=50%.

Correctness of the secret message
To ensure that Bob receives the same secret message M ′ as M, he needs to compare the message with Alice. They can employ one-way hash function [Damgard (1990) , where n denotes the length of the inputted data, and m denotes the length of the hash code.) on their secret message M ′ and M to obtain two hash codes, ( ) h M ′ and ( ) h M , each of which is with m bit length. Finally, Alice publishes all or part of ( ) h M ′ . If Bob finds that Alice has published the same value as herself, it means that the secret message has been sent successfully. Otherwise, it means that the protocol fails to execute. But without knowing the positon of the decoy photons, the eavesdropper could not recover secret message. He/she could not eavesdrop on any information of the secret message.

Conclusion
In this paper, we propose a quantum secure direct communication protocol with user authentication based on signal photons and Bell states. The process has been explained in detail, and its security is analyzed. In the proposed protocol, participants share their identity ID through QKD. Under the condition that the identity ID is secret and leak-free, Alice and Bob can identify each other and detect eavesdropping behavior. The eavesdropper could not eavesdrop on any information of the secret message. Compared with previous QSDC protocols, the presented protocol has several advantages. Firstly, all the particles prepared by Alice are sent to Bob one time. The proposed protocol is a one-step quantum communication protocol which has the immunity to Trojan horse attack. Secondly, the proposed protocol can be realized without quantum memory. Finally,