1 Introduction

Due to the security of quantum information is guaranteed by the characteristics of quantum physics, quantum information has demonstrated higher security than classical information. In recent decades, quantum information is used in various fields, such as quantum machine learning, quantum image processing [1,2,3] and quantum communication. In the field of quantum communication, Bennet and Brassard [4] proposed the first quantum key distribution protocol in 1984. Subsequently, numerous quantum communication protocols were proposed, including quantum key distribution (QKD) [5,6,7], quantum secret sharing (QSS) [8,9,10,11], quantum secure direct communication (QSDC) [12,13,14], quantum identity authentication (QIA) [15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31], etc. In 2001, Shor and Preskill [15] proved the unconditional security of quantum key distribution, which established solid foundation for the security of quantum communication. In quantum communication, there may be a forged communicator who pretend to be a legitimate communicator to steal secret information. Therefore, it is imperative to research quantum identity authentication. In 1995, Crépeau and Salvai [16] proposed the first quantum identity authentication protocol. In 1999, Dušek et al. [17] proposed a quantum identity authentication by combining classical identity system and quantum key distribution. Later, a great number of quantum identity authentication protocols were proposed, which can be mainly divided into two categories: quantum identity authentication based on previously shared entangled states [18,19,20], and quantum identity authentication based on previously shared classical information [21,22,23,24,25]. Since it is difficult to store entanglement states for a long time, most quantum identity authentication protocols are based on sharing classical information in advance. In addition, the third party can be introduced to achieve mutual quantum identity authentication or multi-party quantum identity authentication [26,27,28,29,30]. However, there are very few completely trusted third parties in the real world, the dishonest third party may do evil actions to get secret information [31].

All communicators are quantum parties with complete quantum abilities in quantum communication. But owing to the expensive cost of quantum resources, it is luxury to ensure that all communicators in quantum communication have complete quantum capabilities in reality. In order to reduce the consumption of quantum resources and lower the difficulty of implementation, Boyer et al. [32] proposed the semi-quantum key distribution (SQKD) in 2007, which realized key distribution between quantum communicator and classical communicator. In 2009, Boyer et al. [33] presented two SQKD protocols and proved their complete robustness against attacks.

Combining semi-quantum communication and identity authentication based on pre-shared classical information, Zhou et al. [34] proposed two semi-quantum identification protocols with single photons by using pre-shared classical information in 2019. In Ref. [34], one protocol implements the process of classical Bob authenticates quantum Alice’s identity, and in the meantime, another protocol realizes the process of quantum Alice verifies the identity of classical Bob. However, all above-mentioned protocols cannot achieve mutual authentication between quantum Alice and classical Bob. In 2019, Zheng et al. [35] proposed two semi-quantum direct communication protocols based on Bell states, which can realize mutual authentication between quantum Alice and classical Bob. However, there exist two drawbacks in Zheng’s protocols: on the one hand, the transmitted secret information is realized through two pre-shared keys, which does not conform the strict definition of QSDC [12, 36]; on the other hand, if the identity authentication is unsuccessful, it is impossible to determine which one is illegal. In addition, the protocols used two classical algorithms to encrypt and reorder particles, which increase the complexity of the protocols. Inspired by the above schemes, a novel semi-quantum mutual authentication protocol is proposed in this paper. Without the third party and the assistance of other classical algorithms, our protocol can achieve the mutual identity authentication between quantum Alice and classical Bob only by using Bell states, simple measurement operation and XOR operation.

The rest of the paper is outlined as follows: in Sect.2, the proposed semi-quantum mutual identity authentication protocol is presented. In Sect.3, the security analysis is depicted. In Sect.4, the efficiency analysis and comparison are presented in detail. Finally, a conclusion is drawn in Sect.5.

2 The Proposed Semi-Quantum Mutual Identity Authentication Protocol

2.1 Basic Idea

The proposed protocol uses two common quantum measurement bases: Z basis and X basis. Here, the measurement property of Bell states is introduced when they are measured in Z basis. Because of the entanglement property of Bell states, after one qubit is measured with the Z basis, the other qubit will collapse to the corresponding state. The correlations of Bell states measured in Z basis are shown in Table 1.

Table 1 The correlations of Bell states measured in Z basis
Full size table

2.2 The Protocol

Suppose that Alice is a powerful quantum communicator, whereas Bob only has classical abilities. Classical Bob is limited to perform following four operations when he accesses a segment of quantum channel: (1) measure: measure the qubit in Z basis ({| 0>, | 1>}); (2) prepare: prepare a fresh qubit in Z basis; (3) reflect: reflect the qubit to quantum Alice without disturbance; (4) reorder: reorder the qubits by using different delay lines [32, 33]. Alice and Bob share the classical secret key sequence K(K2i − 1K2i ∈ {00, 01, 10, 11}, i = 1, 2…n) in advance by using the SQKD protocol, which had proved to be unconditionally secure [37]. Assume that the quantum channel is noiseless and lossless. To accomplish the mutual authentication between Alice and Bob, the specific steps of the proposed protocol are explained as follows.

  1. Step 1:

    Preparation.

Alice prepares a sequence of n Bell states, each of which is random in one of the four Bell states {| φ+>12, | φ>12, | ϕ+>12, | ϕ>12}. The subscript 1 represents the first qubit of each state, 2 denotes the second qubit of each state. Alice divides these Bell states into two sequences, the first qubits constitute home sequence SH(SH = {SH1, SH2SHn}) and the second qubits form traveling sequence ST(ST = {ST1, ST2STn}). Alice generates \( \frac{n}{2} \) decoy qubits D according to the pre-shared key K. The generation rules are described as:

$$ \left\{\begin{array}{l}{D}_i=\mid 0> or\mid 1>,{K}_{2i-1}{K}_{2i}\in \left\{00,01\right\}\\ {}{D}_i=\mid +> or\mid ->,{K}_{2i-1}{K}_{2i}\in \left\{10,11\right\}\end{array}\right.,i=1,2\dots \frac{n}{2} $$
(1)

Alice inserts D into ST randomly and obtains sequence STD. Alice keeps a record of the inserted positions and initial states of these decoy qubits, and then, she sends STD to Bob.

  1. Step 2:

    Eavesdropping detection.

After receiving the sequence STD, Bob informs Alice that he has received STD. Alice announces the inserted positions of the decoy qubits. Alice and Bob perform corresponding operations on the decoy qubits according to the pre-shared key sequence K, respectively.

If K2i − 1K2i ∈ {00, 01}, Bob measures the decoy qubits Di in the Z basis and publishes the corresponding measurement results.

If K2i − 1K2i ∈ {10, 11}, Bob reorders the decoy qubits Di and reflects them to Alice. After receiving all the reflected decoy qubits, Alice asks Bob for the original order and restores. Alice measures them in X basis afterwards.

Alice compares all measurement results with all initial states of the decoy qubits. If the measurement results are different from the initial states, the protocol will be restarted from beginning; otherwise, Bob can obtain sequence ST and go to the next step.

  1. Step 3:

    Measurement.

Alice and Bob perform Z basis measurement on the qubits at the corresponding positions of SH and ST. After the measurement, the measurement results are converted into classical results RA and RB. The conversion rules are shown in Table 2.

Table 2 The classical results of single qubit measured in Z basis
Full size table
  1. Step 4:

    XOR operation.

Alice announces the initial states of prepared Bell states. Based on the Z basis measurement results in step 3 and the initial Bell states announced by Alice, Bob can deduce the Z basis measurement results of Alice as RA. In the same way, Alice can deduce the Z basis measurement results of Bob as RB. Bob performs bitwise XOR on RA and K, RB and K to obtain IA and IB. Similarly, Alice can get IA and IB. The detailed operations are explained as Eq. (2). Bob sends IA to Alice and Alice sends IB to Bob.

$$ \left\{\begin{array}{l}{R}_{Ai}\oplus {K}_i={I}_{Ai},{I}_{Ai}=\left\{{I}_{A1},{\mathrm{I}}_{A2}\dots {\mathrm{I}}_{An}\right\}\\ {}{R}_{Bi}\oplus {K}_i={I}_{Bi},{I}_{Bi}=\left\{{I}_{B1},{\mathrm{I}}_{B2}\dots {\mathrm{I}}_{Bn}\right\}\\ {}{{R_A}_i}^{\ast}\oplus {K}_i={{I_A}_i}^{\ast },{{I_A}_i}^{\ast }=\left\{{{I_A}_1}^{\ast },{{\mathrm{I}}_{A2}}^{\ast}\dots {{\mathrm{I}}_{An}}^{\ast}\right\}\\ {}{{R_B}_i}^{\ast}\oplus {K_i}^{\ast }={{I_B}_i}^{\ast },{{I_B}_i}^{\ast }=\left\{{{I_B}_1}^{\ast },{{\mathrm{I}}_{B2}}^{\ast}\dots {{\mathrm{I}}_{Bn}}^{\ast}\right\}\end{array}\right.,\left(i=1,2\dots n\right) $$
(2)
  1. Step 5:

    Authentication.

If IA = IA, Alice successfully authenticates Bob, the identity of Bob is legal; otherwise, Bob is the illegal communicator.

If IB = IB, Bob successfully authenticates Alice, the identity of Alice is legal; otherwise, Alice is the illegal communicator.

3 Security Analysis

Assumed that the attacker Eve has strong quantum capabilities. Eve can access quantum channel and execute the evil actions to steal secret information. In this section, we analyze four different attack strategies and verify that the proposed protocol is immune to these attacks.

3.1 Impersonation Attack

If the attacker Eve impersonates Alice, he will try to complete fake authentication by randomly preparing qubits, sending qubit sequence, and performing single-qubit measurement. Since Eve is ignorant of the pre-shared key sequence K, Eve can only randomly generate the decoy qubits De(De ∈ {| 0>, | 1>, | +>, | −>}). The probability that each decoy qubit generated correctly by Eve is \( \frac{1}{4} \). Consider that when Eve prepares the decoy qubit in wrong basis, the probability that legitimate communicator can get the correct measurement result is \( \frac{1}{4}\times \frac{1}{2}+\frac{1}{4}\times \frac{1}{2}=\frac{1}{4} \). Thus Eve has \( \frac{1}{4}+\frac{1}{4}=\frac{1}{2} \) probability to escape from the detection without being detected. In other words, there are \( \frac{n}{2} \) decoy qubits suffering from Eve’s attack, then Eve’s attack can be detected with probability \( {P}_1=1-{\left(\frac{1}{2}\right)}^{\frac{n}{2}} \). From Fig. 1, if n is large enough, P1 is approximate to 1. Therefore, when the number of decoy qubits is large enough, it is difficult for Eve to pass the eavesdropping detection.

Fig. 1
figure 1

The detection probability of Eve impersonating Alice

Full size image

If the attacker Eve pretends to be Bob, he will unable to perform proper operation on the corresponding qubits in the sequence STD because of the absence of the pre-shared key sequence K. Eve chooses correct operation with probability \( \frac{1}{2} \). If Eve chooses wrong operation, the probability that legitimate communicator can get correct measurement result is \( \frac{1}{2}\times \frac{1}{2}=\frac{1}{4} \). Then Eve can pass the eavesdropping detection with probability \( \frac{1}{2}+\frac{1}{4}=\frac{3}{4} \). Therefore, there are \( \frac{n}{2} \) decoy qubits suffering from Eve’s attack, then Eve’s attack can be detected with probability \( {P}_2=1-{\left(\frac{3}{4}\right)}^{\frac{n}{2}} \). From Fig. 2, if n is large enough, P2 is approximate to 1. When the number of decoy qubits is large enough, it is difficult for Eve to pass the eavesdropping detection.

Fig. 2
figure 2

The detection probability of Eve impersonating Bob

Full size image

More importantly, even if Eve, which impersonated a legitimate user, passed the eavesdropping detection by chance, he still unable to perform the correct XOR operation in the final authentication stage without the pre-shared key sequence K and his existence would be noticed. So Eve cannot complete a fake authentication with impersonation attack.

3.2 The Intercept-Measure-Resend Attack

In the intercept-measure-resend attack, the attacker Eve intercepts the sequence STD sent by Alice to Bob in step 1, Eve measures each qubit in STD, and prepares a fake sequence of ancillary qubits E(E ∈ {| 0>, | 1>, | +>, | −>}) according to the measurement results. Then Eve sends the fake sequence E to Bob. In step 3, Eve intercepts the qubits returned by Bob to Alice, measures these qubits and attempts to obtain operation information performed by Bob. However, Eve doesn’t know the inserted positions and initial states of the decoy qubits, and Eve chooses the measurement basis randomly. The decoy qubits are not all mutually orthogonal, and Eve cannot know the states of the decoy qubits with certainty via his measurement. The probability that Eve chooses the correct measurement basis to measure the decoy qubit is \( \frac{1}{2} \), and at the meantime, when he measures the decoy qubit in wrong basis, the probability that legal communicator can get the correct measurement result is \( \frac{1}{2}\times \frac{1}{2}=\frac{1}{4} \). Thus, Eve has \( \frac{1}{2}+\frac{1}{4}=\frac{3}{4} \) probability to pass the eavesdropping detection. There are \( \frac{n}{2} \) decoy qubits suffering from Eve’s attack, therefore, the probability that Eve can be detected by legitimate communicators is \( {P}_3=1-{\left(\frac{3}{4}\right)}^{\frac{n}{2}} \). It is the same as P2, so as n is large enough, then P3 tends to 1. Alice and Bob can easily detect the existence of Eve in the eavesdropping detection. In addition, Bob reorders the decoy qubits before returning them to Alice, no one except Bob knows the original order. Therefore, Eve is unable to obtain any useful information from the intercept-measure-resend attack.

3.3 The Entangle-Measure Attack

In the entangle-measure attack, when the traveling qubit is sent from Alice to Bob, the attacker Eve entangles the traveling qubit with an ancillary qubit ∣e> by a unitary operation Ue, which will produce the results in Eq. (3).

$$ {\displaystyle \begin{array}{l}{U}_e\mid 0>\mid e>=a\mid 0>\mid {e}_{00}>+b\mid 1>\mid {e}_{01}>\\ {}{U}_e\mid 1>\mid e>=c\mid 0>\mid {e}_{10}>+d\mid 1>\mid {e}_{11}>\\ {}{U}_e\mid +>\mid e>=\frac{1}{2}\left[\begin{array}{l}\mid +>\left(a|{e}_{00}>+b|{e}_{01}>+c|{e}_{10}>+d|{e}_{11}>\right)\\ {}+\mid ->\left(a|{e}_{00}>-b|{e}_{01}>+c|{e}_{10}>-d|{e}_{11}>\right)\end{array}\right]\\ {}{U}_e\mid ->\mid e>=\frac{1}{2}\left[\begin{array}{l}\mid +>\left(a|{e}_{00}>+b|{e}_{01}>-c|{e}_{10}>-d|{e}_{11}>\right)\\ {}+\mid ->\left(a|{e}_{00}>-b|{e}_{01}>-c|{e}_{10}>+d|{e}_{11}>\right)\end{array}\right]\end{array}} $$
(3)

where |a|2 + |b|2 = |c|2 + |d|2 = 1. Then Eve lets the traveling qubit go on its way. After transmission, Eve measures ancillary qubit to get Bob’s operations. In order to pass the eavesdropping detection without introducing any errors, Eq. (3) must satisfy the following conditions:

$$ \left\{\begin{array}{l}b\mid {e}_{01}>=c\mid {e}_{10}>=0\\ {}a\mid {e}_{00}>-b\mid {e}_{01}>+c\mid {e}_{10}>-d\mid {e}_{11}>=0\\ {}a\mid {e}_{00}>+b\mid {e}_{01}>-c\mid {e}_{10}>-d\mid {e}_{11}>=0\end{array}\right. $$
(4)

As a result, it is easy to find that a ∣ e00 >  = d ∣ e11>, which means that Eve cannot differentiate ∣e00> between ∣e11>. In step 1, the decoy qubits D are randomly inserted into the sequence ST, Eve doesn’t know the inserted positions and initial states of D. Furthermore, Bob reorders the decoy qubits before returning to Alice, Eve is unaware of the original order. Eve cannot obtain any valuable information from the ancillary qubit. Therefore, Eve fails to extract operation information with the entangle-measure attack.

3.4 The Trojan Horse Attack

Since our protocol is a two-way communication protocol, the attacker Eve may implement the Trojan horse attack to get secret information. The Trojan horse attack can be generally divided into two types, i.e., the invisible photon eavesdropping (IPE) attack and the delay photon Trojan horse attack. In order to avoid these attack strategies, Alice and Bob need to place wavelength filters and photon number splitters before devices [38,39,40].

4 The Efficiency Analysis and Comparison

Cabello [41] proposed the efficiency definition of quantum and semi-quantum communication protocols, as \( \eta =\frac{b_s}{q_t+{b}_t}\times 100\% \), where bs, qt and bt represent the number of useful quantum bits and classical bits, the number of total qubits and the number of total classical bits. Considering the qubits used for eavesdropping detection, qt = qc + d, where qc means the number of qubits used for transmitting authentication information and d means the number of qubits used for eavesdropping detection.

To accomplish mutual authentication between quantum Alice and classical Bob, the number of useful qubits and classical bits bs = n + n + n + n = 4n. Alice and Bob need to exchange classical information, the number of total classical bits bt = n + n = 2n. Alice prepares \( \frac{n}{2} \) decoy qubits for the eavesdropping detection, thus the number of qubits used for eavesdropping detection \( d=\frac{n}{2} \). The number of qubits used for transmitting authentication information qc = n + n = 2n. From the above analysis, we can know the protocol efficiency will be \( \eta =\frac{4n}{2n+\frac{n}{2}+2n}\times 100\%=88.9\% \).

In Ref. [34], Zhou et al. proposed two protocols for classical Bob to authenticate quantum Alice and quantum Alice to authenticate classical Bob respectively, but the mutual authentication of quantum Alice and classical Bob cannot be realized at the same time. In Ref. [25], quantum Alice and quantum Bob achieved mutual authentication simultaneously with the assistance of a third party. Nonetheless, the trusted third party hardly exists in the real world. In Ref. [35], in the process of realizing SQSDC, quantum Alice and classical Bob accomplished mutual authentication meanwhile, but the protocol did not satisfy the strict definition of QSDC [12, 36], and two classical algorithms are used to assist mutual authentication, which are more complicated. Besides, when the authentication fails, it is impossible to determine whether the identity of Alice or Bob is illegal. Compared with these protocols, the protocol proposed in this paper reduces the use of quantum resources, without the existence of the third party, mutual authentication can be accomplished only by performing simple measurement operation and XOR operation. Even if the authentication fails, the illegal identity of communicators can be distinguished. More importantly, the efficiency of our protocol is improved compared with protocol in Ref. [35].

5 Conclusion

In this paper, a semi-quantum mutual identity authentication protocol is proposed based on Bell states. The security of the proposed protocol has been explicitly analyzed. Security analysis indicates that our protocol is secure against four common attacks. Compared with some existing protocols, the proposed protocol reduces the use of quantum resources and does not need the third party or complex operations. It achieves the mutual authentication simultaneously between quantum Alice and classical Bob only through simple measurement operation and XOR operation. In addition, the existence of illegal communicator can also be detected.