1 Introduction

Since Bennett and Brassard suggested the first quantum key distribution [1] which was guaranteed by the law of quantum mechanics, many quantum communication protocols have been suggested including quantum key distribution (QKD) [1,2,3], quantum secret sharing (QSS) [4,5,6], quantum secure direct communication (QSDC) [7,8,9,10,11,12] and quantum identity authentication (QIA) [13,14,15,16,17,18,19,20,21]. In network communication, it is important to ensure a system or protocol in which transferred information is received by only the authenticated users. In general, identity authentication, which is a procedure of verifying the identification of each user in communications, is an excellent method to protect a communication from illegitimate user pretending to be a legitimate user. At the same time, identity authentication protocols should also prevent secret key shared in prior between legitimate users leakage. The security of classical identification generally relies on the complexity of mathematical algorithms. Therefore, they are not absolutely secure in the age of quantum computer.

In 1995, Crépeau et al. [13] first proposed a QIA scheme, which was based on quantum teleportation [23]. In 1999, Dušek et al. [14] presented a secure identity authentication proposal by combining quantum key distribution and classical identification procedure. In 2006, Lee et al. [15] proposed two protocols of quantum direct communication schemes with authentication, which was in use of the correlation of GHZ states. However, Lee et al.’s protocols are not secure in which case the authenticator is required to be prevented from knowing the secret message in prior. At the same year, Zhang et al. [16] presented an authentication protocol which is based on ping-pong technique. In previous protocols, there is a contradiction between the combination of the QKD phase and the QIA phase. Therefore, in Zhang et al.’s protocol, participants update the secret key after authentication which can settle this problem. In 2009, Yang et al. [17] presented a multiparty identity authentication protocol based on (r + 1) particle GHZ states. In multiparty simultaneous identity authentication protocols, there always is a trusted third party who is known as the certification authority. However, from the perspective of information security, there is no third party that is fully trusted. Therefore, Yang et al. [18] proposed a protocol in 2013, which can prevent the trusted third party from getting the secret key by introducing a hash function. In 2014, Hao Yuan et al. [19] presented a quantum identity authentication protocol based on ping-pong technique. This protocol has two advantages compared with previous protocols. First, it needs less quantum resource and no classical information. Previous protocols always need Bell states or GHZ states and classical information during the authentication phase, while only single photons are needed in this protocol. Second, it could update the secret key shared between users when they authenticate each other, which provide further security for next communication. In 2017, Chang et al. [20] proposed a quantum identity authentication protocol, which uses single photons as the quantum resource. But it can only achieve one-way identity authentication in one certifying process. There always is a trusted third party who could control the bidirectional simultaneous authentication process between two users, e.g., in the references [17, 19]. But as mentioned in Kang et al. [21], there is no trusted third party. In a communication between two users, if there is a third party, the third party may get some information by performing some illegal operators. But we assume that the responsibility of the third party is only preparing the quantum resource and publishing the authentication result and no other operators while users authenticate each other. So the third party won’t get any information about the secret key shared between users.

Based on the above quantum communication protocols, we propose a bidirectional quantum entity authentication protocol based on Bell states and entanglement swapping. In this protocol, we introduce a semi-honest third party called Charlie who can help to accomplish the process of the authentication and publish the result of the authentication. Furthermore, the third party Charlie has no Pauli operators throughout the authentication. Our protocol adopts the Bell states as quantum resource and applies Pauli operators by users randomly on one sequence, which can prevent not only outside attacks, but also the secret key shared between users being known by third parties. Besides, we adopt the decoy photons [22] to check the security of the quantum channel, which can efficiently detect outside attackers.

2 Basic idea

In this section, we will introduce the Bell states and entanglement swapping which we use in our protocol. The correspondence between the bell state and the bit string is as follows:

$$ {\displaystyle \begin{array}{c}00:\mid \left.{\phi}^{+}\right\rangle =\frac{1}{\sqrt{2}}\Big(\mid \left.00\right\rangle +\left|\left.11\right\rangle \right)\\ {}01:\mid \left.{\phi}^{-}\right\rangle =\frac{1}{\sqrt{2}}\Big(\mid \left.00\right\rangle -\left|\left.11\right\rangle \right)\\ {}\begin{array}{c}10:\mid \left.{\psi}^{+}\right\rangle =\frac{1}{\sqrt{2}}\left(|\left.01\right\rangle +|\left.10\right\rangle \right)\\ {}11:\mid \left.{\psi}^{-}\right\rangle =\frac{1}{\sqrt{2}}\Big(\mid \left.01\right\rangle -\left|\left.10\right\rangle \right)\end{array}\end{array}} $$
(1)

As known Bell states are a maximumly-entangled state of two-qubit system [24]. They form a complete orthogonal basis vector set in which we can measure a two-qubit system [28]. It is called the Bell state measurement. And the Bell state measurement has already been completed in laboratory [25, 26, 29, 30].

Quantum entanglement swapping plays a very important role in the quantum communication. Now we use quantum entanglement swapping to describe our basic idea. Suppose that the third party Charlie randomly prepares three Bell states such as:

$$ {\displaystyle \begin{array}{c}\mid {\left.{\phi}^{-}\right\rangle}_{12}=\frac{1}{\sqrt{2}}\left(|{\left.00\right\rangle}_{12}-|{\left.11\right\rangle}_{12}\right),\\ {}\mid {\left.{\psi}^{+}\right\rangle}_{34}=\frac{1}{\sqrt{2}}\left(|{\left.01\right\rangle}_{34}+|{\left.10\right\rangle}_{34}\right),\\ {}\mid {\left.{\psi}^{-}\right\rangle}_{56}=\frac{1}{\sqrt{2}}\left(|{\left.01\right\rangle}_{56}-|{\left.10\right\rangle}_{56}\right)\end{array}} $$
(2)

the subscripts 1, 2, 3, 4, 5, and 6 are used to distinguish the two particles in each Bell state. Therefore, ∣ϕ12, ∣ψ+34 and ∣ψ56 represents a bit string 01, 10, and 11, respectively, according to Eq. (1). And the third party Charlie preserves the result of addition modulo 2 of the three bit strings which the three initial Bell states referred to.

$$ 01\bigoplus 10\bigoplus 11=00 $$
(3)

There are another two participants Alice and Bob who have in prior shared the secret key KAB = {01}. The third party Charlie divides each Bell state into two particles. That’s to say, Bell states ∣ϕ12 is divided into particle 1 and particle 2, ∣ψ+34 is divided into particle 3 and particle 4, and ∣ψ56 is divided into particle 5 and particle 6. Then Charlie sends Alice two particles 2 and 5, sends Bob two particles 4 and 6, and saves two particles 1 and 3. After that the two distant participants Alice and Bob and the third party Charlie share three entangled states ∣ϕ12 ⨂  ∣ ψ+34 ⨂  ∣ ψ56 where Charlie holds particles 1 and 3, Alice holds particles 2 and 5, and Bob holds particles 4 and 6. Then Alice and Bob perform σx operator according to the secret key KAB = {01} on one particle selected randomly from the two particles they hold respectively. For example, Alice chooses the particle 2 from two particles to perform σx operator.

$$ {\displaystyle \begin{array}{l}\left(\mid \left.0\right\rangle \left\langle 1\right|+\left|\left.1\right\rangle \left\langle 0\right|\right)\mid {\left.{\phi}^{-}\right\rangle}_{12}=\right(\mid \left.0\right\rangle \left\langle 1\right|+\left|\left.1\right\rangle \left\langle 0\right|\right)\frac{1}{\sqrt{2}}\left(|{\left.00\right\rangle}_{12}-|{\left.11\right\rangle}_{12}\right)=\frac{1}{\sqrt{2}}\left(|{\left.01\right\rangle}_{12}-|{\left.10\right\rangle}_{12}\right)\\ {}=\mid {\left.{\psi}^{-}\right\rangle}_{12}\end{array}} $$
(4)

Therefore, the initial Bell state ∣ϕ12 will be turned into ∣ψ12. Bob chooses the particle 6 from the two particles to perform σx operator.

$$ {\displaystyle \begin{array}{l}\left(\mid \left.0\right\rangle \left\langle 1\right|+\left|\left.1\right\rangle \left\langle 0\right|\right)\mid {\left.{\psi}^{-}\right\rangle}_{56}=\right(\mid \left.0\right\rangle \left\langle 1\right|+\left|\left.1\right\rangle \left\langle 0\right|\right)\frac{1}{\sqrt{2}}\left(|{\left.01\right\rangle}_{56}-|{\left.10\right\rangle}_{56}\right)=\frac{1}{\sqrt{2}}\left(|{\left.00\right\rangle}_{56}-|{\left.11\right\rangle}_{56}\right)\\ {}=\mid {\left.{\phi}^{-}\right\rangle}_{56}\end{array}} $$
(5)

Therefore, the initial Bell state ∣ψ56 will be turned into ∣ϕ56.

After their operator, they perform Bell state measurements on the particles they hold respectively. This result can be rearranged as follows:

$$ {\displaystyle \begin{array}{l}\mid {\left.{\psi}^{-}\right\rangle}_{12}\otimes \mid {\left.{\psi}^{+}\right\rangle}_{34}\otimes \mid {\left.{\phi}^{-}\right\rangle}_{56}\\ {}=\frac{1}{\sqrt{2}}\left(|{\left.01\right\rangle}_{12}-|{\left.10\right\rangle}_{12}\right)\otimes \frac{1}{\sqrt{2}}\left(|{\left.01\right\rangle}_{34}+|{\left.10\right\rangle}_{34}\right)\otimes \frac{1}{\sqrt{2}}\left(|{\left.00\right\rangle}_{56}-|{\left.11\right\rangle}_{56}\right)\\ {}\begin{array}{c}=\frac{1}{2\sqrt{2}}\Big(\mid \left.010100\right\rangle -\left.010111\right\rangle +\mid \left.011000\right\rangle -\mid \left.011011\right\rangle \\ {}-\mid \left.100100\right\rangle +\mid \left.100111\right\rangle +\mid \left.101000\right\rangle +\mid \left.101011\right\rangle \Big){}_{123456}\\ {}\begin{array}{c}=\frac{1}{2\sqrt{2}}\Big(\left|{\left.00\right\rangle}_{13}\right|{\left.10\right\rangle}_{25}\left|{\left.10\right\rangle}_{46}-\left|{\left.00\right\rangle}_{13}\right|{\left.11\right\rangle}_{25}\right|{\left.11\right\rangle}_{46}\\ {}+\left|{\left.01\right\rangle}_{13}\right|{\left.10\right\rangle}_{25}\left|{\left.00\right\rangle}_{46}-\left|{\left.01\right\rangle}_{13}\right|{\left.11\right\rangle}_{25}\right|{\left.01\right\rangle}_{46}\\ {}\begin{array}{c}-\left|{\left.10\right\rangle}_{13}\right|{\left.00\right\rangle}_{25}\left|{\left.10\right\rangle}_{46}+\left|{\left.10\right\rangle}_{13}\right|{\left.01\right\rangle}_{25}\right|{\left.11\right\rangle}_{46}\\ {}+\mid {\left.11\right\rangle}_{13}\mid {\left.00\right\rangle}_{25}\mid {\left.00\right\rangle}_{46}+\mid {\left.11\right\rangle}_{13}\mid {\left.01\right\rangle}_{25}\mid {\left.01\right\rangle}_{46}\Big)\\ {}\begin{array}{l}=\frac{1}{8}\Big(\left(|{\left.{\phi}^{+}\right\rangle}_{13}+|{\left.{\phi}^{-}\right\rangle}_{13}\right)\left(|{\left.{\psi}^{+}\right\rangle}_{25}-|{\left.{\psi}^{-}\right\rangle}_{25}\right)\left(|{\left.{\psi}^{+}\right\rangle}_{46}-|{\left.{\psi}^{-}\right\rangle}_{46}\right)\\ {}-\left(|{\left.{\phi}^{+}\right\rangle}_{13}+|{\left.{\phi}^{-}\right\rangle}_{13}\right)\left(|{\left.{\phi}^{+}\right\rangle}_{25}-|{\left.{\phi}^{-}\right\rangle}_{25}\right)\left(|{\left.{\phi}^{+}\right\rangle}_{46}-|{\left.{\phi}^{-}\right\rangle}_{46}\right)\\ {}\begin{array}{c}+\left(|{\left.{\psi}^{+}\right\rangle}_{13}+|{\left.{\psi}^{-}\right\rangle}_{13}\right)\left(|{\left.{\psi}^{+}\right\rangle}_{25}-|{\left.{\psi}^{-}\right\rangle}_{25}\right)\left(|{\left.{\phi}^{+}\right\rangle}_{46}+|{\left.{\phi}^{-}\right\rangle}_{46}\right)\\ {}-\left(|{\left.{\psi}^{+}\right\rangle}_{13}+|{\left.{\psi}^{-}\right\rangle}_{13}\right)\left(|{\left.{\phi}^{+}\right\rangle}_{25}-|{\left.{\phi}^{-}\right\rangle}_{25}\right)\Big(\mid {\left.{\psi}^{+}\right\rangle}_{46}+\mid {\left.{\psi}^{-}\right\rangle}_{46}\\ {}\begin{array}{c}-\left(|{\left.{\psi}^{+}\right\rangle}_{13}-|{\left.{\psi}^{-}\right\rangle}_{13}\right)\left(|{\left.{\phi}^{+}\right\rangle}_{25}+|{\left.{\phi}^{-}\right\rangle}_{25}\right)\Big(\mid {\left.{\psi}^{+}\right\rangle}_{46}-\mid {\left.{\psi}^{-}\right\rangle}_{46}\\ {}+\left(|{\left.{\psi}^{+}\right\rangle}_{13}-|{\left.{\psi}^{-}\right\rangle}_{13}\right)\left(|{\left.{\psi}^{+}\right\rangle}_{25}+|{\left.{\psi}^{-}\right\rangle}_{25}\right)\left(|{\left.{\phi}^{+}\right\rangle}_{46}-|{\left.{\phi}^{-}\right\rangle}_{46}\right)\\ {}\begin{array}{c}+\left(|{\left.{\phi}^{+}\right\rangle}_{13}-|{\left.{\phi}^{-}\right\rangle}_{13}\right)\left(|{\left.{\phi}^{+}\right\rangle}_{25}+|{\left.{\phi}^{-}\right\rangle}_{25}\right)\left(|{\left.{\phi}^{+}\right\rangle}_{46}+|{\left.{\phi}^{-}\right\rangle}_{46}\right)\\ {}+\left(|{\left.{\phi}^{+}\right\rangle}_{13}-|{\left.{\phi}^{-}\right\rangle}_{13}\right)\left(|{\left.{\psi}^{+}\right\rangle}_{25}+|{\left.{\psi}^{-}\right\rangle}_{25}\right)\left(|{\left.{\psi}^{+}\right\rangle}_{46}+|{\left.{\psi}^{-}\right\rangle}_{46}\right)\Big)\\ {}\begin{array}{l}=\frac{1}{4}\Big(\mid {\left.{\phi}^{+}\right\rangle}_{13}\mid {\left.{\psi}^{+}\right\rangle}_{25}\mid {\left.{\psi}^{+}\right\rangle}_{46}+\mid {\left.{\phi}^{+}\right\rangle}_{13}\mid {\left.{\psi}^{-}\right\rangle}_{25}\mid {\left.{\psi}^{-}\right\rangle}_{46}\\ {}-\left|{\left.{\phi}^{-}\right\rangle}_{13}\right|{\left.{\psi}^{+}\right\rangle}_{25}\left|{\left.{\psi}^{-}\right\rangle}_{46}-\left|{\left.{\phi}^{-}\right\rangle}_{13}\right|{\left.{\psi}^{-}\right\rangle}_{25}\right|{\left.{\psi}^{+}\right\rangle}_{46}\\ {}\begin{array}{c}+\left|{\left.{\phi}^{+}\right\rangle}_{13}\right|{\left.{\phi}^{+}\right\rangle}_{25}\left|{\left.{\phi}^{+}\right\rangle}_{46}+\left|{\left.{\phi}^{+}\right\rangle}_{13}\right|{\left.{\phi}^{-}\right\rangle}_{25}\right|{\left.{\phi}^{-}\right\rangle}_{46}\\ {}-\left|{\left.{\phi}^{-}\right\rangle}_{13}\right|{\left.{\phi}^{+}\right\rangle}_{25}\left|{\left.{\phi}^{-}\right\rangle}_{46}-\left|{\left.{\phi}^{-}\right\rangle}_{13}\right|{\left.{\phi}^{-}\right\rangle}_{25}\right|{\left.{\phi}^{+}\right\rangle}_{46}\\ {}\begin{array}{c}+\mid {\left.{\psi}^{+}\right\rangle}_{13}\mid {\left.{\psi}^{+}\right\rangle}_{25}\mid {\left.{\phi}^{+}\right\rangle}_{46}-\mid {\left.{\psi}^{+}\right\rangle}_{13}\mid {\left.{\psi}^{-}\right\rangle}_{25}\mid {\left.{\phi}^{-}\right\rangle}_{46}\\ {}+\left|{\left.{\psi}^{-}\right\rangle}_{13}\right|{\left.{\psi}^{+}\right\rangle}_{25}\mid {\left.{\phi}^{-}\right\rangle}_{46}-\left|{\left.{\psi}^{-}\right\rangle}_{13}\right|{\left.{\psi}^{-}\right\rangle}_{25}\mid {\left.{\phi}^{+}\right\rangle}_{46}\\ {}\begin{array}{c}-\mid {\left.{\psi}^{+}\right\rangle}_{13}\mid {\left.{\phi}^{+}\right\rangle}_{25}\left|{\left.{\psi}^{+}\right\rangle}_{46}+\left|{\left.{\psi}^{+}\right\rangle}_{13}\right|{\left.{\phi}^{-}\right\rangle}_{25}\right|{\left.{\psi}^{-}\right\rangle}_{46}\\ {}-\mid {\left.{\psi}^{-}\right\rangle}_{13}\mid {\left.{\phi}^{+}\right\rangle}_{25}\mid {\left.{\psi}^{-}\right\rangle}_{46}+\mid {\left.{\psi}^{-}\right\rangle}_{13}\mid {\left.{\phi}^{-}\right\rangle}_{25}\mid {\left.{\psi}^{+}\right\rangle}_{46}\Big)\end{array}\end{array}\end{array}\end{array}\end{array}\end{array}\end{array}\end{array}\end{array}\end{array}\end{array}\end{array}} $$
(6)

If Alice, Bob and Charlie measure the particles they hold, they will get each result with the probability of 1/16 in Eq. (6). Each result in Eq. (6) corresponds to a bit string, and the result of addition modulo 2 of three bit strings of the combination of any result is 00. Descriptions in details are in Table 1:

Table 1 The possible measured results
Full size table

After their Bell state measurements, Alice and Bob obtain their measurement results respectively and publish them. Then Charlie holds three measurement results and makes an operator of addition modulo 2 on the three bit strings which the three measurement results referred to. From Table 1, we can get the information that if the result of addition modulo 2 that the third party Charlie gets is equal to the result of addition modulo 2 on the three bit strings of initial three Bell states, the third party Charlie knows the operators that Alice and Bob performed on the corresponding particles they hold respectively are same. On the contrary, the operators that Alice and Bob performed are different, and accordingly there is an attacker in this authentication process.

3 Identity authentication

In this section, we will introduce the details of our protocol. There are two users Alice and Bob who want to certify each other and a semi-honest third party Charlie who can control the mutual identity authentication between Alice and Bob in this protocol. Suppose Alice and Bob beforehand shared a classical secret key \( {K}_{AB}=\left\{{k}_1^1{k}_2^1,{k}_1^2\ {k}_2^2,\dots {k}_1^i{k}_2^i,\dots, {k}_1^n\ {k}_2^n\right\} \),(1 ≤ i ≤ n) using QKD protocols [1, 27], which can distribute the key in unconditionally secure way [28, 29]. The secret key sequence KAB is a classical bit string whose size is 2n, where the elements are defined as \( {k}_1^i{k}_2^i\in \left\{\mathrm{00,01,10,11}\right\} \). The two users Alice and Bob will perform Pauli operator according to the element \( {k}_1^i{k}_2^i \). The relation is listed as follows:

$$ {\displaystyle \begin{array}{c}\begin{array}{c}{k}_1^i{k}_2^i=00:{U}_{00}=I=\mid \left.0\right\rangle \left\langle 0\right|+\mid \left.1\right\rangle \left\langle 1\right|\\ {}{k}_1^i{k}_2^i=01:{U}_{01}={\sigma}_x=\mid \left.0\right\rangle \left\langle 1\right|+\mid \left.1\right\rangle \left\langle 0\right|\end{array}\\ {}{k}_1^i{k}_2^i=10:{U}_{10}=i{\sigma}_y=\mid \left.0\right\rangle \left\langle 1\right|-\mid \left.1\right\rangle \left\langle 0\right|\\ {}{k}_1^i{k}_2^i=11:{U}_{11}={\sigma}_z=\mid \left.0\right\rangle \left\langle 0\right|-\mid \left.1\right\rangle \left\langle 1\right|\end{array}} $$
(7)

In out protocol, the secret key KAB is only known to Alice and Bob as the entity information. The following steps will show how to verify the identity of each other.

  • (S1) The third party Charlie prepares 3 groups of Bell states {R1, R2, R3}, in each group there are n pairs of Bell states (for 1 ≤ i ≤ n):

    $$ {\displaystyle \begin{array}{c}{R}_1=\left\{|{\left.R\right\rangle}_{12}^1,|{\left.R\right\rangle}_{12}^2,|{\left.R\right\rangle}_{12}^3,\dots |{\left.R\right\rangle}_{12}^i,\dots |{\left.R\right\rangle}_{12}^n\right\},\\ {}{R}_2=\left\{|{\left.R\right\rangle}_{34}^1,|{\left.R\right\rangle}_{34}^2,|{\left.R\right\rangle}_{34}^3,\dots |{\left.R\right\rangle}_{34}^i,\dots |{\left.R\right\rangle}_{34}^n\right\},\\ {}{R}_3=\left\{|{\left.R\right\rangle}_{56}^1,|{\left.R\right\rangle}_{56}^2,|{\left.R\right\rangle}_{56}^3,\dots |{\left.R\right\rangle}_{56}^i,\dots |{\left.R\right\rangle}_{56}^n\right\}\end{array}}. $$
    (8)

The subscripts 1,2,3,4,5,and 6 are used to distinguish the particles in an entangled state. All Bell states are randomly selected from Eq. (1). Then Charlie preserves the results of addition modulo 2 of three bit strings correlated with three Bell states \( \mid {\left.R\right\rangle}_{12}^i \), \( \mid {\left.R\right\rangle}_{34}^i \), and \( \mid {\left.R\right\rangle}_{56}^i \) in each group which can be written as

$$ {\displaystyle \begin{array}{c}M={m}_1^1{m}_2^1,{m}_1^2\ {m}_2^2,\dots {m}_1^i\ {m}_2^i\dots, {m}_1^n\ {m}_2^n\\ {}{m}_1^i\ {m}_2^i=\mid {\left.\mathrm{R}\right\rangle}_{12}^{\mathrm{i}}\bigoplus \mid {\left.R\right\rangle}_{34}^i\bigoplus \mid {\left.R\right\rangle}_{56}^i\end{array}} $$
(9)

For example, if i = 1, according to Eqs. (2) and (3) \( {m}_1^1\ {m}_2^1=00 \).

  • (S2) The third party Charlie divides these states in each group into two ordered sequences of particles and obtains six particle sequences:

    $$ {\displaystyle \begin{array}{c}{H}_1=\left\{{h}_1^1,{h}_1^2,{h}_1^3,\dots {h}_1^i\dots, {h}_1^n\right\},\\ {}{H}_2=\left\{{h}_2^1,{h}_2^2,{h}_2^3,\dots {h}_2^i\dots, {h}_2^n\right\},\\ {}\begin{array}{c}{H}_3=\left\{{h}_3^1,{h}_3^2,{h}_3^3,\dots {h}_3^i\dots, {h}_3^n\right\},\\ {}{H}_4=\left\{{h}_4^1,{h}_4^2,{h}_4^3,\dots {h}_4^i\dots, {h}_4^n\right\},\\ {}\begin{array}{c}{H}_5=\left\{{h}_5^1,{h}_5^2,{h}_5^3,\dots {h}_5^i\dots, {h}_5^n\right\},\\ {}{H}_6=\left\{{h}_6^1,{h}_6^2,{h}_6^3,\dots {h}_6^i\dots, {h}_6^n\right\}.\end{array}\end{array}\end{array}} $$
    (10)

Where H1 is the set of the first particles of all Bell states in R1 and H2 is the set of the second particles of all Bell states in R1, H3 is the set of the first particles of all Bell states in R2 and H4 is the set of the second particles of all Bell states in R2, and H5 is the set of the first particles of all Bell states in R3 and H6 is the set of the second particles of all Bell states in R3. Therefore, \( {h}_1^i \) and \( {h}_2^i \) are the two particles in \( \mid {\left.R\right\rangle}_{12}^i \), \( {h}_3^i \) and \( {h}_4^i \) are the two particles in \( \mid {\left.R\right\rangle}_{34}^i \), and \( {h}_5^i \) and \( {h}_6^i \) are the two particles in \( \mid {\left.R\right\rangle}_{56}^i \). Then Charlie preserves two sequences H1 and H3. For security, Charlie prepares p decoy particles for each sequence of H2, H4, H5, H6 and inserts the decoy particles randomly into any locations of each sequence [30]. Afterwards, the four sequence H2, H4, H5, H6 are changed into \( {H}_2^{\prime },{H}_4^{\prime },{\mathrm{H}}_5^{\prime },{H}_6^{\prime } \). Charlie sends Alice two sequences \( {H}_2^{\prime } \) and \( {H}_5^{\prime } \) and Bob two sequences \( {H}_4^{\prime } \) and \( {H}_6^{\prime } \) through quantum channels.

  • (S3) After Alice and Bob receive the sequences Charlie sent, they check the security of the quantum channels and the integrity of each sequence by using the decoy particles inserted in each sequence. If there is no error or attacker, Alice and Bob take out p decoy particles in each sequence \( {H}_2^{\prime },{H}_4^{\prime },{H}_5^{\prime },{H}_6^{\prime } \). Then Alice holds two sequences H2 and H5, and Bob holds two sequences H4 and H6. Otherwise, there is an eavesdropper between the three participants and they abort this process of identification.

  • (S4) Alice performs Pauli operators in Eq. (7) on one sequence which is selected randomly from H2 and H5 according to the secret key KAB. If \( {k}_1^i{k}_2^i=00 \), Alice performs I operator on the i’th particle in the sequence she selected. If \( {k}_1^i{k}_2^i=01 \), Alice performs σx operator on the i’th particle in the sequence she selected. If \( {k}_1^i{k}_2^i=10 \), Alice performs y operator on the i’th particle in the sequence she selected. And if \( {k}_1^i{k}_2^i=11 \), Alice performs σz operator on the i’th particle in the sequence she selected. If Alice selects H2 sequence and performs the operators, then H2 is changed into \( {H}_2^{\ast } \); else Alice selects H5 sequence and performs the operators, H5 is changed into \( {\mathrm{H}}_5^{\ast } \). Meanwhile, Bob performs Pauli operators in Eq. (7) on a sequence which is selected randomly from H4 and H6 according to the secret key KAB. And the operators that Bob performs on particles in the sequence which Bob selected are the same as Alice performs. If Bob selects H4 and performs the operators, then H4 is changed into \( {\mathrm{H}}_4^{\ast } \); else Bob selects H6 and performs the operators, H6 is changed into \( {\mathrm{H}}_6^{\ast } \).

  • (S5) The two users Alice and Bob perform the Bell state measurement [31] on the two particles which are in the same positions in the two sequences they hold respectively as Fig. 1. Alice performs the Bell state measurement on two particles \( {h}_2^i \) and \( {h}_5^i \). Bob performs the Bell state measurement on two particles \( {h}_4^i \) and \( {h}_6^i \). Then Alice obtains the results \( {S}_{25}=\left\{{s}_{25}^1,{s}_{25}^2,\dots, {s}_{25}^i,\dots, {s}_{25}^n\right\} \) which are the results of Bell state measurement performed by Alice; Bob obtains the results \( {S}_{46}=\left\{{s}_{46}^1,{s}_{46}^2,\dots, {s}_{46}^i,\dots, {s}_{46}^n\right\} \) which are the results of Bell state measurement performed by Bob. At the same time, the third party Charlie performs Bell state measurement on particles in the two sequences H1 and H3 and gets the results \( {S}_{13}=\left\{{s}_{13}^1,{s}_{13}^2,\dots, {s}_{13}^i,\dots, {s}_{13}^n\right\} \). Then Alice and Bob send the classical sequences which are corresponded to the measurement results S25 and S46 respectively according to Eq. (1) to Charlie.

    Fig. 1
    figure 1

    The Bell-basis measurements of three parties

    Full size image

  • (S6) Now the third party Charlie holds three classical bit sequences which the three results in Eq. (11) corresponded to:

    $$ {\displaystyle \begin{array}{c}{S}_{13}=\left\{{s}_{13}^1,{s}_{13}^2,\dots, {s}_{13}^i,\dots, {s}_{13}^n\right\}\\ {}{S}_{25}=\left\{{s}_{25}^1,{s}_{25}^2,\dots, {s}_{25}^i,\dots, {s}_{25}^n\right\}\\ {}{S}_{46}=\left\{{s}_{46}^1,{s}_{46}^2,\dots, {s}_{46}^i,\dots, {s}_{46}^n\right\}\end{array}} $$
    (11)

Charlie makes operators of addition modulo 2 on three bit strings that are in the same positions in Eq. (11) corresponded to \( {s}_{13}^i \)\( {s}_{25}^i \) and \( {s}_{46}^i \) according to Eq. (1). If the results addition modulo 2 are equal to Eq. (9) for i from 1 to n as follows:

$$ {n}_1^i\ {n}_2^i={s}_{13}^i\bigoplus {s}_{25}^i\bigoplus {s}_{46}^i $$
(12)

The identity of Alice and Bob are authenticated. Otherwise, there must be an illegal attacker in this process of authentication.

4 Security analysis

In this section, we discuss the security of the presented protocol. When the two users Alice and Bob want to authenticate each other with the help of the semi-honest third party Charlie, there may be an attacker called Eve who wants to attack this process and passes the authentication illegally or gets some information about the secret key shared between Alice and Bob.

4.1 Impersonation attack

Firstly, we assume that Eve tries to impersonate the legal user Alice (or Bob) and pass the process of authentication [32, 33]. When Charlie sends Alice two sequences \( {H}_2^{\prime } \) and \( {H}_5^{\prime } \) and sends Bob two sequences \( {H}_4^{\prime } \) and \( {H}_6^{\prime } \) through quantum channels, actually here Alice is Eve. Then in (S6), after Charlie obtains sequences S25 and S46, she makes operator of addition modulo 2 on three bit strings in i’th position in each group corresponding to \( {s}_{13}^i \)\( {s}_{25}^i \) and \( {s}_{46}^i \) according to Eq. (1). Because Alice (who actually is Eve) doesn’t know the secret key KAB, Alice (i.e, Eve) will not pass the authentication. The length of the secret key is 2n, so Alice must executes n Pauli operators which are selected from the four Pauli operators in Eq. (7). Because Alice doesn’t know the secret key KAB, she may execute randomly Pauli operators. The probability that she can pass the authentication is \( {\left(\frac{1}{4}\right)}^n \). When n is larger enough, the probability that Eve passes the authentication is close to 0. For example, in Table 2, according to Eqs. (2), (3), (4), (5) and (7) and the secret key KAB = {01}, the probability that Eve selected the correct operator is \( \frac{1}{4} \).

Table 2 The possible operators of Eve
Full size table

4.2 Intercept and resend attack

Secondly, let’s consider another attack, i.e., intercept and resend attack [33, 35]. Assume that there is an attacker, Eve, who can intercept the sequences \( {H}_2^{\prime } \) and \( {H}_5^{\prime } \) which Charlie sends to Alice in step (S2), and send another two sequences \( {E}_2^{\prime } \) and \( {E}_5^{\prime } \) which are prepared randomly by Eve, whose length is equal to n + p (p represents the number of decoy photons). Then in step (S3), they will check the security of the channel and the integrity of each sequence by use of decoy photons. However, Eve doesn’t know the positions of all decoy photons in each sequence and the measurement bases. So the third party Charlie will detect the existence of the attacker Eve and abandon this authentication.

Then, we assume that Eve is clever enough to pass the security check. The attacker Eve then intercepts the sequence S25 which is generated from \( {E}_2^{\prime } \) and \( {E}_5^{\prime } \) after Alice executed Pauli operators according to the secret key KAB in step (S5). As Eve knows the initial states of \( {E}_2^{\prime } \) and \( {E}_5^{\prime } \), she tries to extract information about the secret key KAB according to the classical information S25. But she can’t succeed because there are 4 Pauli operators performed on each particle:

$$ {\displaystyle \begin{array}{c}I:\Big(\left|\left.0\right\rangle \left\langle 0\right|+\left|\left.1\right\rangle \left\langle 1\right|\right)\right|\left.0\right\rangle =\mid \left.0\right\rangle \\ {}I:\Big(\left|\left.0\right\rangle \left\langle 0\right|+\left|\left.1\right\rangle \left\langle 1\right|\right)\right|\left.1\right\rangle =\mid \left.1\right\rangle \\ {}\begin{array}{c}{\sigma}_x:\Big(\left|\left.0\right\rangle \left\langle 1\right|+\left|\left.1\right\rangle \left\langle 0\right|\right)\right|\left.0\right\rangle =\mid \left.1\right\rangle \\ {}{\sigma}_x:\Big(\left|\left.0\right\rangle \left\langle 1\right|+\left|\left.1\right\rangle \left\langle 0\right|\right)\right|\left.1\right\rangle =\mid \left.0\right\rangle \\ {}\begin{array}{c}i{\sigma}_y:\Big(\left|\left.0\right\rangle \left\langle 1\right|-\left|\left.1\right\rangle \left\langle 0\right|\right)\right|\left.0\right\rangle =\mid \left.1\right\rangle \\ {}i{\sigma}_y:\Big(\left|\left.0\right\rangle \left\langle 1\right|-\left|\left.1\right\rangle \left\langle 0\right|\right)\right|\left.1\right\rangle =\mid \left.0\right\rangle \\ {}\begin{array}{c}{\sigma}_z:\Big(\left|\left.0\right\rangle \left\langle 0\right|-\left|\left.1\right\rangle \left\langle 1\right|\right)\right|\left.0\right\rangle =\mid \left.0\right\rangle \\ {}{\sigma}_z:\Big(\left|\left.0\right\rangle \left\langle 0\right|-\left|\left.1\right\rangle \left\langle 1\right|\right)\right|\left.1\right\rangle =\mid \left.1\right\rangle \end{array}\end{array}\end{array}\end{array}} $$
(13)

So Eve can’t distinguish I operator and σz operator if the classical bit is 0, and she can’t distinguish σx operator and y operator if the classical bit is 1. Therefore, Eve can’t get any information about the secret key KAB.

4.3 Entangle and measure attack

Now, let’s consider entangle-measure attack [34, 36]. In this kind of attack, the attacker Eve firstly intercepts the two particle sequences \( {H}_2^{\prime } \) and \( {H}_5^{\prime } \) (or \( {H}_4^{\prime } \) and \( {H}_6^{\prime } \)) that Charlie sends to Alice (or Bob). Then she prepares 2(n + p) ancillary state | ε⟩ and entangles them with particles in the two intercepted sequences by performing ξ1 operator and lets the two sequences go on its way in step (S2).

$$ {\displaystyle \begin{array}{l}{\xi}_1\left|\left.0\right\rangle \right|\left.\varepsilon \right\rangle =\alpha \left|\left.0\right\rangle \right|\left.{\varepsilon}_{00}\right\rangle +\beta \left|\left.1\right\rangle \right|\left.{\varepsilon}_{01}\right\rangle \\ {}{\xi}_1\left|\left.1\right\rangle \right|\left.\varepsilon \right\rangle =\gamma \left|\left.0\right\rangle \right|\left.{\varepsilon}_{10}\right\rangle +\delta \left|\left.1\right\rangle \right|\left.{\varepsilon}_{11}\right\rangle \\ {}\begin{array}{c}{\xi}_1\left|\left.+\right\rangle \right|\left.\varepsilon \right\rangle =\frac{1}{2}\Big[\mid \left.+\right\rangle \left(\alpha \left|\left.{\varepsilon}_{00}\right\rangle +\beta \right|\left.{\varepsilon}_{01}\right\rangle +\gamma \left|\left.{\varepsilon}_{10}\right\rangle +\delta \right|\left.{\varepsilon}_{11}\right\rangle \right)\\ {}+\mid \left.-\right\rangle \left(\alpha \left|\left.{\varepsilon}_{00}\right\rangle -\beta \right|\left.{\varepsilon}_{01}\right\rangle +\gamma \left|\left.{\varepsilon}_{10}\right\rangle -\delta \right|\left.{\varepsilon}_{11}\right\rangle \right)\Big]\\ {}\begin{array}{c}{\xi}_1\left|\left.-\right\rangle \right|\left.\varepsilon \right\rangle =\frac{1}{2}\Big[\mid \left.+\right\rangle \left(\alpha \left|\left.{\varepsilon}_{00}\right\rangle +\beta \right|\left.{\varepsilon}_{01}\right\rangle -\gamma \left|\left.{\varepsilon}_{10}\right\rangle -\delta \right|\left.{\varepsilon}_{11}\right\rangle \right)\\ {}+\mid \left.-\right\rangle \left(\alpha \left|\left.{\varepsilon}_{00}\right\rangle -\beta \right|\left.{\varepsilon}_{01}\right\rangle -\gamma \left|\left.{\varepsilon}_{10}\right\rangle +\delta \right|\left.{\varepsilon}_{11}\right\rangle \right)\Big]\end{array}\end{array}\end{array}} $$
(14)

where |α2| + |β2| = |γ2| + |δ2| = 1, and {| ε00〉, | ε01〉, | ε10〉, | ε11〉} are ancillary states prepared by Eve. After Alice (or Bob) performed Pauli operators according to the secret key KAB on one of the two sequences selected randomly and executed Bell measurement, Alice (or Bob) sends the classical bit information corresponding to the outcomes to Charlie. The attacker Eve intercepts the result S25 (or S46) which Alice (or Bob) sent in step (S5). Finally, Eve measures all ancillary states and tries to extract some information about the secret key KAB by comparing the two sets of measurement results on ancillary states with the classical information. But she cannot get any information and will be detected by Charlie. Because the sequences \( {H}_2^{\prime } \) and \( {H}_5^{\prime } \) (or \( {H}_4^{\prime } \) and \( {H}_6^{\prime } \)) was inserted decoy particles to check the existence of the eavesdropper. Besides, in step (S4) Alice (or Bob) selects randomly a particle sequence to execute Pauli operators and then performs Bell measurement. Because of the decoy particles, Eve can’t match the classical bit information in S25 (or S46) with the outcome of \( {H}_2^{\prime } \) and \( {H}_5^{\prime } \). Therefore, there is no relationship between the two sets of measurement results on ancillary states and classical bit information. Thus, our protocol is secure against the entangle and measure attack.

4.4 The third party’s attack

In previously proposed protocols, many researchers assumed that the third party Charlie is fully trusted. However, from the perspective of information security, there is no fully trusted third party. In our protocol, we take the reliability of the third party into consideration. We assume that the third party Charlie isn’t a fully trusted certification authority and Charlie may steal the two users’ secret key KAB while they authenticate each other. But Charlie will get nothing in this protocol. Let’s consider the condition in section 2 of Basic idea. The third party Charlie prepares three Bell states ∣ϕ12, ∣ψ+34 and ∣ψ56 and she knows the three classical bit information corresponding to the three Bell states are 01, 10 and 11. Then she preserves the results of addition modulo 2 of the three classical bit strings show in Eq. (3). Then Charlie divides each Bell state into two particles, sends Alice two particles 2 and 5, and sends Bob two particles 4 and 6. Then Alice and Bob randomly select one particle from the two particles they holds and performs Pauli operator according to the secret key KAB shared in prior. Finally, Alice, Bob and Charlie execute Bell measurement on two particles they hold and Alice and Bob send the classical information corresponding to their results according to Eq. (1). Now, Charlie obtains the results she measured herself and the results Alice and Bob measured. But Charlie can’t calculate any information about the secret key KAB shared between Alice and Bob. Because Charlie doesn’t know which particles Alice and Bob choose to perform Pauli operators. Besides she couldn’t know the results of the Bell measurement of the initial Bell states without Pauli operators as in Eq. (15).

$$ {\displaystyle \begin{array}{c}\mid {\left.{\phi}^{-}\right\rangle}_{12}\otimes \mid {\left.{\psi}^{+}\right\rangle}_{34}\otimes \mid {\left.{\psi}^{-}\right\rangle}_{56}\\ {}=\frac{1}{\sqrt{2}}\left(|{\left.00\right\rangle}_{12}-|{\left.11\right\rangle}_{12}\right)\otimes \frac{1}{\sqrt{2}}\Big(\mid {\left.01\right\rangle}_{34}+\mid {\left.10\right\rangle}_{34}\otimes \frac{1}{\sqrt{2}}\left(|{\left.01\right\rangle}_{56}-|{\left.10\right\rangle}_{56}\right)\\ {}\begin{array}{c}=\frac{1}{4}\Big(\mid {\left.{\phi}^{+}\right\rangle}_{13}\mid {\left.{\phi}^{+}\right\rangle}_{25}\mid {\left.{\phi}^{+}\right\rangle}_{46}-\mid {\left.{\phi}^{+}\right\rangle}_{13}\mid {\left.{\phi}^{-}\right\rangle}_{25}\mid {\left.{\phi}^{-}\right\rangle}_{46}\\ {}-\mid {\left.{\phi}^{-}\right\rangle}_{13}\mid {\left.{\phi}^{+}\right\rangle}_{25}\mid {\left.{\phi}^{-}\right\rangle}_{46}+\mid {\left.{\phi}^{-}\right\rangle}_{13}\mid {\left.{\phi}^{-}\right\rangle}_{25}\mid {\left.{\phi}^{+}\right\rangle}_{46}\\ {}\begin{array}{c}-\mid {\left.{\phi}^{+}\right\rangle}_{13}\mid {\left.{\psi}^{+}\right\rangle}_{25}\mid {\left.{\psi}^{+}\right\rangle}_{46}+\mid {\left.{\phi}^{+}\right\rangle}_{13}\mid {\left.{\psi}^{-}\right\rangle}_{25}\mid {\left.{\psi}^{-}\right\rangle}_{46}\\ {}+\mid {\left.{\phi}^{-}\right\rangle}_{13}\mid {\left.{\psi}^{+}\right\rangle}_{25}\mid {\left.{\psi}^{-}\right\rangle}_{46}-\mid {\left.{\phi}^{-}\right\rangle}_{13}\mid {\left.{\psi}^{-}\right\rangle}_{25}\mid {\left.{\psi}^{+}\right\rangle}_{46}\\ {}\begin{array}{c}+\mid {\left.{\psi}^{+}\right\rangle}_{13}\mid {\left.{\phi}^{+}\right\rangle}_{25}\mid {\left.{\psi}^{+}\right\rangle}_{46}+\mid {\left.{\psi}^{+}\right\rangle}_{13}\mid {\left.{\phi}^{-}\right\rangle}_{25}\mid {\left.{\psi}^{-}\right\rangle}_{46}\\ {}+\mid {\left.{\psi}^{-}\right\rangle}_{13}\mid {\left.{\phi}^{+}\right\rangle}_{25}\mid {\left.{\psi}^{-}\right\rangle}_{46}-\mid {\left.{\psi}^{-}\right\rangle}_{13}\mid {\left.{\phi}^{-}\right\rangle}_{25}\mid {\left.{\psi}^{+}\right\rangle}_{46}\\ {}\begin{array}{c}-\mid {\left.{\psi}^{+}\right\rangle}_{13}\mid {\left.{\psi}^{+}\right\rangle}_{25}\mid {\left.{\phi}^{+}\right\rangle}_{46}-\mid {\left.{\psi}^{+}\right\rangle}_{13}\mid {\left.{\psi}^{-}\right\rangle}_{25}\mid {\left.{\phi}^{-}\right\rangle}_{46}\\ {}-\mid {\left.{\psi}^{-}\right\rangle}_{13}\mid {\left.{\psi}^{+}\right\rangle}_{25}\mid {\left.{\phi}^{-}\right\rangle}_{46}+\mid {\left.{\psi}^{-}\right\rangle}_{13}\mid {\left.{\psi}^{-}\right\rangle}_{25}\mid {\left.{\phi}^{+}\right\rangle}_{46}\Big)\end{array}\end{array}\end{array}\end{array}\end{array}} $$
(15)

The results are the same as the results in Eq. (6) which is the outcome of Bell measurement on these Bell states after Alice and Bob executed Pauli operators according to the secret key KAB. Let’s assume that the third party Charlie gets her Bell measurement results ∣ψ13. Then Charlie can learn that if Alice and Bob measure the two particles they hold respectively without doing the Pauli operators, the results are {| ϕ+25| ψ46, | ϕ25| ψ+46, | ψ+25| ϕ46, | ψ25| ϕ+46}. But Alice and Bob get their result ∣ψ+25 ∣ ϕ46 after their Pauli operators. This real results can be derived from ∣ϕ+25 ∣ ψ46 with the Pauli operator σx, ∣ϕ25 ∣ ψ+46 with the Pauli operator y, ∣ψ+25 ∣ ϕ46 with the Pauli operator I, and ∣ψ25 ∣ ϕ+46 with the Pauli operator σz. The third party Charlie can’t know which operator that Alice and Bob perform on particle. So the third party can’t get any information about the secret key KAB.

5 Comparison

This proposed protocol also has a high efficiency and security. Compared with the protocol Hong et al. [30] presented in 2017 which can only achieve one-way identity authentication in the process of authenticating identity, our protocol can realize bidirectional simultaneous identity authentication in one authenticating process. Compared with the protocol Kang et al. [33] presented in 2015 in which the two users need communicate in the entity authentication phase. And the third party in their protocol is fully trusted, which can obtain the secret key KAB shared between two users Alice and Bob after they authenticated each other. In 2018 Kang et al. [21] presented an improved protocol which has an untrusted third party Charlie who can help to accomplish the authentication. In the protocol, Kang et al. assume that the third party Charlie is an untrusted certifying authority and may try to get the secret key shared between legal users Alice and Bob. They claimed that their protocol can prevent the untrusted third party Charlie from getting any information about the secret key. However, we analyzed Kang et al’ protocol and found that the untrusted third party in their protocol still could get the secret key shared between Alice and Bob by some illegal operators.

In our protocol, there is no communication between two users throughout the authentication process. The Pauli operators performed by Alice on the particle sequence which is randomly selected are the same as Bob according to the secret key KAB. The third party Charlie can’t get any information after the authentication, as she need not to perform any Pauli operators throughout authentication process. So our protocol is more secure. Besides, the quantum resource in our protocol is Bell state which is easier to prepare than GHZ-like state used in the protocol [21, 33]. The details of the comparison with previous protocols are in Table 3. From the Table 3, our protocol is more feasible than these previously proposed protocols.

Table 3 The comparison with previous protocols
Full size table

6 Conclusion

In this paper, we propose an efficient QIA scheme based on Bell states and entanglement swapping. It can realize that two users simultaneously authenticate each other with the help of the third party. In this protocol, two users in prior shared a classical bit string as the secret key KAB using QKD protocols, which can securely distribute the keys. While in the process of authentication, the third party can’t get any information about the secret key KAB shared between the two users Alice and Bob. According to the above security analysis, this scheme is secure against some types of attack by using of the following methods: a) We insert check photons into the sequence during the transmission, which can prevent the information leakage. b) After the two users Alice and Bob received particle sequences, they randomly select one sequence respectively from the two sequences they received and perform Pauli operators according to the secret key KAB. c) After they performed Pauli operators, Alice, Bob and Charlie execute Bell measurements on two particle sequence respectively. Then Alice and Bob send their results to Charlie. Because the three measurement results are correlated, if there is an attacker Eve who replaced the transmitted sequences Charlie will detect it. Furthermore, the proposed protocol can also prevent the third party which is assumed to be fully trusted in previous protocols from stealing the secret key KAB.