State-of-the-Art Survey of Quantum Cryptography

Abstract

In today Internet era, confidential information transmitted over an insecure channel. With the significant development in the area of quantum computing, there is a need for unconditional security in confidential information. Quantum key distribution protocols are proven secure if all devices are perfect (in terms of technologies and proper protocol operations). The major challenges in quantum communication are secret key rate, distance, cost and size of QKD devices. The purpose of this survey article is to carry out a systematic review in the area of quantum cryptography by covering various aspects of non-deterministic quantum key distribution protocols, quantum secure direct communication, semi-quantum key distribution, secure multiparty communication protocol, post-quantum cryptography and device-independent cryptography techniques. In addition, we also discussed various experimental work carried out in the area of quantum cryptography, various attacks and challenges relative to the paradigm shift from classical cryptography to quantum cryptography. Quantum cryptography will become a future replacement of classical cryptography techniques after the development of the first physical quantum computer.

1 Introduction

In a conventional digital communication system, information can be passively monitored or copied; some eavesdropper can alter even information. Classical cryptosystem methods (Rivest–Shamir–Adleman (RSA), Data Encryption Standard (DES)) are based on number theory and guesswork. There is a need for more secure communication as the number of users using online transaction are increasing day by day. If two parties do not share secret initially, then it is impossible in the classical system to share secret key over an insecure channel between these parties. In the today Internet era, our personal information (Such as Financial and Health) and National security data are transmitted over the Internet. Security of these transmitted data is utmost importance in today world.

Fig. 1

Survey organization

Shor [1] designed an algorithm for finding prime factors of a large number. Once quantum computer will be available, Shor’s algorithm will give security threats to all classical cryptographic protocol [2]. Research in quantum computing accelerated after the Shor’s algorithm and Grover’s search algorithm [3].

In a quantum system, information can not be copied (No-cloning Theorem) or read by an eavesdropper. Classical information can be copied like students prepare notes from a book or blackboard without any disturbance, whereas quantum information can not be copied. Any uncontrollable control in quantum information is likely to be detected by the legitimate user. The concept of quantum cryptography evolved with Wiesner’s [4] idea almost fourth-nine years ago, and now commercial key distribution devices are available. Paper was written back in 1970 and remained unpublished till 1983 as no one showed interest in his work. He described quantum coding and its application in money-making and multiplexing of two or three messages (reading of one message can destroy other messages). He pointed out that quantum money will have a serial number (similar as classical money) and 20 perfectly reflective boxes (each box contains a single photon in one of the four states, i.e. vertical, horizontal, right-circular or left-circular). Bank will maintain a record of each photon in each box with respect to the serial number of quantum money, and fake currency can be avoided using the concept of no-cloning theorem.

Gisin et al. [5] carried out an early review on quantum cryptography in 2002. Similar studies were carried out by Alleaume et al. [6], Giampouris [7] Diamanti et al. [8], Long [9] and Zhou et al. [10]. We believe that there is still a need to carry out an in-depth study of the various quantum cryptographic protocol. Compared with previous existing survey papers [5,6,7,8,9,10], our survey introduces the in-depth discussion of Quantum key distribution protocols, reviews the existing work published up to 2020, serving as a guide for other researchers to understand and apply the existing protocols, current research directions and discusses several open problems. Further, this survey also helps the reader to identify a few most impacting protocols and their sources.

For a better understanding of the state-of-the-art in quantum cryptography, we surveyed with the following goals:

• We review various concepts and terminologies used for understanding quantum protocols.

• A state-of-the-art of current trends in quantum cryptography. We further elaborate various quantum attacks on quantum protocols.

• An exhaustive survey on deterministic protocols for quantum secure communication without the shared secret key.

• To identify and discusses the current trends in quantum cryptography like satellite-based communication, device-independent cryptography and high-dimensional Quantum key distribution.

• Classification of discrete and continuous-variable quantum key distribution.

• We survey the existing literature on semi-quantum key distribution protocols.

• An in-depth overview of multiparty communication protocols.

Outline of the Paper The rest of the paper is organized as follows. Section 2 outlines the concepts of quantum cryptography. In Sect. 3, research methodology has been described. Section 4 deals Discrete and Continuous Variable Quantum Key Distribution and in Sect. 5, we classify various quantum attacks. In Sect. 6, we described various Quantum Key Distribution Protocols. Sections 7, 8 and 9 deals with Quantum Secure Direct Communication, Semi-quantum Key Distribution Protocol and Secure Multiparty Communication, respectively. In Sect. 10, Device-Independent Cryptography will be introduced and followed by Post Quantum Cryptography in Sect. 11. Section 12 describes the current trends, sources of quantum cryptography research, various papers in terms of citations (Google as well as Web of Science), few real-life applications of quantum cryptography, and concluding remarks. Figure 1 represents the organization of the paper.

2 Preliminaries

In this section, several fundamental aspects of quantum communication will be discussed.

The Heisenberg Uncertainty Principle: [11] It states that certain pairs of physical properties are related and complementary in the sense measuring one property, prevent simultaneously knowing of other property and destroying it. Two-photon polarization rectilinear (horizontal and vertical) and diagonal (at \(45^\circ \) and \(135^\circ \)) are complementary to each other.

Properties of Quantum Protocol: Quantum Protocol must be secure, correct and robust. In the classical protocol, correction and security are the primary concern. Quantum protocols are based on either the Heisenberg uncertainty principle or quantum entanglement.

• Correct: Bob can able to decrypt the original message from Cipher-text using the decryption key.

• Secure: Eve has no gain of the information sent from Alice to Bob.

• Robustness: The legitimate user (Alice/Bob) will detect errors if Eve attempt to obtain or alter the information

No Cloning Theorem: [12] It states that an unknown quantum state cannot be cloned.

Quantum Entanglement: State of two or more quantum particles are entangled if many of the physical properties of the particles are strongly correlated. State of an individual particle cannot be specified individually. Einstein et al. [13] gave the initial thought that quantum mechanics is incomplete and described the concept of quantum entanglement by “Spooky action at a distance”. Quantum entanglement is a crucial phenomenon for long-distance quantum key distribution. If two qubits are maximal entanglement, then no eavesdropper has any share of entanglement. The heart of quantum cryptography is entangled states. It means quantum entanglement particle A and B must satisfy the following inequality:

$$\begin{aligned} |\psi \rangle _{AB} \ne |\psi \rangle _{A} \otimes |\psi \rangle _{B} \end{aligned}$$

Following are four maximally entangled states.

$$\begin{aligned} |\psi _1\rangle= & {} 1/\sqrt{2}(|0\rangle |0\rangle +|1\rangle |1\rangle ) \\ |\psi _2\rangle= & {} 1/\sqrt{2}(|0\rangle |0\rangle -|1\rangle |1\rangle ) \\ |\psi _3\rangle= & {} 1/\sqrt{2}(|0\rangle |1\rangle +|1\rangle |0\rangle ) \\ |\psi _4\rangle= & {} 1/\sqrt{2}(|0\rangle |1\rangle -|1\rangle |0\rangle ) \\ \end{aligned}$$

One Time Pad: Vernam [14] introduced the concept of one-time pad or Vernam Cipher in 1918. Message and Secret key are represented using a sequence of 0’s and 1’s using an encoding mechanism.

• Encryption Process: It is carried out by XOR (modulo 2) of the original message with secret key bit by bit.

  Plain text(m): 11001101

  Secret Key(k): 01100101

  Ciphertext(c): 10101000    \(c=m\oplus k\) and \(\oplus \) is XOR operation.

• Decryption Process: This is carried out by performing XOR of the cipher text and the secret key.

  Ciphertext(c): 10101000

  Secret Key(k): 01100101

  Plain text(m): 11001101    \(m=c\oplus k\)

The classical one-time pad allows Alice and Bob to share a secret message over the public classical channel. Quantum one-time pad allows Alice and bob to share the secret message (in the form of private quantum states) over a public quantum channel. Assume Alice, Bob and Eve share a quantum state \(\psi _{ABE}\). Schumacher and Westmoreland [15] worked on classical private message sharing between Alice and Bob by considering that Eve state is unrelated with state of Alice and Bob, i.e. \(\psi _{ABE}=\psi _{AB}\otimes \psi _{E}\). Brandao and Oppenheim [16] carried out the work on the quantum one-time pad for sharing quantum messages by considering that Alice and Bob’s state is related with Eve state.

Quantum One-time Pad Encryption: \(|e\rangle =X^k|m\rangle \) and \(X|m\rangle =|m\oplus 1 \rangle \)

Quantum One-time Pad Decryption: \(|m\rangle =X^k|e\rangle =X^k|X^km\rangle \)

Here X is a quantum operation for performing bit flip.

If \(k=0\) then \(X^0=I\)

If \(k=1\) then \(X^1=X\)

Quantum Bit Error Rate (QBER): In a classical system, the bit error rate is the error rate due to noise, interference or any other issues like imperfections in sending or receiving device. It indicates the quality of signal and success of packet delivery. In a quantum system, QBER is defined by the ratio of the error rate to the key rate. QBER provides useful information about Eavesdropper presence and how much information eavesdropper knows.

Table 1 Review methodology, search criterion, databases, inclusion and exclusion criterion

Privacy Amplification: In the quantum protocol, privacy amplification is performed to reduce the amount of information known to Eve by shrinking the key. Bennett et al. [17] introduced the concept of privacy amplification for amplifying the privacy between Alice and Bob.

3 Research Methodology

Table 1 represents the review process, search criterion, databases, inclusion and exclusion criterion. Figure 2 depicts the types of research papers considered in this survey paper. Paper selection consists of following two phases:

1. 1.

   Title and Abstract Level Screening: Initially, We had selected papers from 1964 to 2020, and two essential papers of 1927 and 1935 are considered. In this screening, we used the inclusion/exclusion criterion to publication title and abstract. To minimize the research bias, both authors independently analyzed the search results and analyzed the results. Disagreements were resolved through discussion. Figure 3 depicts the number of research publications used from 1980 onward in this review paper.

2. 2.

   Full-Text Screening: In this phase, we had analyzed the papers based on the full text. We applied the inclusion-exclusion criterion specified in Table 1. If two or more papers were contributed by the same authors and their significant contribution is same, we considered the most relevant paper with a significant contribution.

Fig. 2

Graphical representation for type of papers referred in the review process

Fig. 3

Number of publications from 1980 onward in the area of quantum cryptography

4 Discrete and Continuous Variable Quantum Key Distribution Protocol

Quantum key distribution protocols are classified into Discrete variable QKD and Continuous variable QKD protocol. Table 2 represents the major differences between discrete and continuous variable protocols.

Table 2 Discrete and continuous variable protocols

• Discrete Variable QKD Protocol: In discrete variable QKD protocol, discrete refers to the spin of electron or polarization of single photon. BB84, E91, SARG04, B92 are few examples of discrete variable QKD protocol.

• Continuous Variable QKD Protocol: In continuous variable QKD protocol, Information is stored in the form of light. Protocol based on continuous variable offer advantage over discrete because coherent light with photon can easily producible using laser than single-photon [18]. Ralph [19] and Reid [20] independently introduced the concept of continuous-variable quantum key distribution. Ralph [19] examined two continuous variable scheme based on coherent light and 2-mode squeezed light. Table 3 represents the classification of continuous-variable quantum key distribution based on source state and detection mechanism. In Table 3, squeeze state refers to the state with very low variance in one quadrature and very high in other quadrature. Coherent state refers to a state with no quadrature having very low variance. Hillery [21] proposed a continuous analogue of BB84 using squeezed states of light and Homodyne detection mechanism. Garcia-Patron and Cerf [22] proposed a continuous-variable QKD protocol based on squeezed states and heterodyne detection for obtaining higher security key rate over the noisy line. Cerf and Grangier [23] surveyed various continuous-variable Quantum key distribution protocol.

  Leverrier and Grangier [29] proposed two continuous variable QKD protocols with discrete modulation using two and four coherent states. They established the security of these protocols against collective attacks. Recently, Papanastasiou and Pirandola [30] designed continuous-variable QKD protocol using discrete-alphabet encoding. They also studied the protocol against collective Gaussian attacks.

  Andersen et al. [31] discussed the integration of discrete and continuous variable QKD in the applications of quantum teleportation, entanglement distillation, error-correcting and testing Bell inequalities.

Table 3 Classification of various continuous-variable protocol [23]

Table 4 Classes of attack in quantum cryptography

5 Quantum Attacks

Eve’s attacks can be classified into individual, collective and coherent attacks. The coherent attack is considered as the most powerful among individual, collective and coherent attacks. Table 4 indicates a summary of individual, collective and coherent attacks. More details on these classes can be found in the PhD thesis of Snchez [32].

• Individual Attack: Eve prepares each ancilla qubit independently, interact with each qubit on quantum channel independently and measure independently. With the technology available today, only Individual attacks are applicable.

• Collective Attack: Eve prepares each ancilla qubit independently, interact with each qubit on quantum channel independently and measure jointly all ancilla qubits. The collective attack is a subclass of Coherent attack.

• Coherent Attack (Joint Attack): Eve prepares entangled states of the ancilla qubits, interact with qubits on the channel and then measure all ancilla qubits collectively.

Makarov and Hjelme [33] discussed the concept of Faked states attack. Instead of creating the original state, Eve generates a light pulse, and the legitimate user (Alice or Bob) will not be able to notice the eavesdropper. Faked states is a kind of intercept and resend attack.

Pirandola [34] proposed the symmetric collective attacks by extending individual symmetric attacks of Gisin et al. [5] and Fuchs et al. [38] for BB84 and six-state protocols.

Photon Number Splitting Attack (PNS attack: Typically used laser sources are coherent, and they emit more than one photon in each signal. Alice usually encodes her qubits in one photon, two photons, three photons and so on with frequency \(p_1, p_2, p_3,...\) respectively. Eve (not limited by no-cloning theorem) keep few of the photons and store them in quantum memory whereas letting the other photons go to the Bob. Such an attack is known as photon-number splitting attack [35,36,37]. Eve waits till Alice reveals the bases publically to Bob using a classical channel. Thereafter, Eve reveals the state deterministically. In the PNS attack, Eve presence should not be noticed as the photon rate received by Bob remains unmodified.

Vakhitov et al. [39] introduced the concept of a large pulse attack. It is based on the conventional optical eavesdropping, and it eliminates the need for immediate interaction. Dehmani et al. [40] studied the effect of cloning attacks with several eavesdroppers on the quantum error and mutual information between honest parties. Gisin et al. [41] analyzed the effect of Trojan horse attack on quantum key distribution. They found that all system must have counter-measure and auxiliary detector monitors the incoming light. Kronberg and Molotkov [42] analyzed the concept of an optimal attack on BB84 protocol based on linear fiber optical elements and controlled-NOT. Gisin et al. [41], Jain et al. [43] and Fei et al. [44] carried out their work on Trojan-horse and Man-in-the-middle attack, respectively.

Fig. 4

Significant development in quantum cryptography

Fig. 5

Significant development in quantum key distribution protocols

Side Channel attacks refer to the imperfections caused by experimental set up rather than information gained by a protocol implementation. Lamas-Linares and Kurtsiefer [45] experimentally demonstrated the timing-side channel attack. In timing side-channel attack, timing information disclosed by Communicating parties (Alice and Bob) during the public discussion is used by Eve to access the significant part of the secret key. Qi et al. [46] introduced the time-shift attack in which Eve shift the arrival time of signal pulse or synchronization pulses or both between Alice and Bob.

Sun et al. [47] used a quantum hacking strategy by tampering the source without leaving the trace behind. Various quantum attacks can be classified into attack at source (Photon number splitting attack [35,36,37], Phase remapping attack [48, 49], Laser Seeding (Sun et al. [47] etc.) and attack at detection (Timing-side channel attack [45], Faked state attack [33], Time-shift attack [46, 50] and Polarization shift [51]).

In recent years, Various researchers studied the eavesdropper strategy in quantum cryptography [52, 53]. Jain et al. [54] carried out a study on various attacks and their protection in quantum key distribution protocol.

6 Quantum Key Distribution Protocol

Quantum Key Distribution (QKD) utilize the concept of quantum mechanics for sharing the secret keys from one party (Alice) to another (Bob). It can not prevent eavesdropper while enabling the legitimate user to detect the eavesdropper and throw away the key if eavesdropper detected and new key generation takes place. QKD protocols are based on the concept of the no-cloning theorem, Heisenberg uncertainty principle and entanglement property. QKD usage, both classical and quantum channel. Figure 4 represents the significant developments in quantum cryptography and Fig. 5 represents the significant developments in Quantum Key Distribution Protocols.

6.1 BB84 Protocol

In 1984, Bennett and Brassard [55, 56] developed a first quantum key distribution protocol named as BB84 based on the concept of quantum coding proposed by Wiesner’s [4]. They presented a protocol for coin tossing by exchanging quantum messages. In BB84, information is encoded in orthogonal quantum states. BB84 protocol can be classified as prepare and measure protocol. In prepare and measure protocol, one party (say Alice) prepare a quantum state and send the prepared quantum state to another party (say Bob), who will measure it. Both party then compare measurement and preparation bases and after post-processing comes up with a shared secret key (Fig. 6).

Fig. 6

Communication between Alice and Bob using classical and quantum channel

In BB84, Alice prepare a random qubit for sending to Bob in Circular (C) basis \(\{|+\rangle ,|-\rangle \} \) with direction 45 and 135 degrees respectively or Rectilinear (R) \(\{|0\rangle ,|1\rangle \}\) with direction 0 and 90 degree respectively. It is a 4-state (vertical, horizontal, right-circular, left-circular) QKD protocol.

Rectilinear (R) Basis:

$$\begin{aligned} |\rightarrow \rangle= & {} |0\rangle = \begin{pmatrix} 1 \\ 0 \end{pmatrix}\\ |\uparrow \rangle= & {} |1\rangle =\begin{pmatrix} 0 \\ 1 \end{pmatrix} \end{aligned}$$

Circular (C) Basis:

$$\begin{aligned} |\nearrow \rangle= & {} 1/\sqrt{2} \begin{pmatrix} 1 \\ 1 \end{pmatrix} = 1/\sqrt{2}(|\rightarrow \rangle +|\uparrow \rangle ) \\ |\nwarrow \rangle= & {} 1/\sqrt{2}\begin{pmatrix} -1 \\ 1 \end{pmatrix} \quad = 1/\sqrt{2}(-|\rightarrow \rangle +|\uparrow \rangle ) \end{aligned}$$

BB84 is divided into quantum transmission phase (step 1 to step 4) and classical communication phase (step 5 and step 6).

For a particular bit, if Alice and Bob both measure on the same basis, they will get the same result for that particular bit. If Alice send a particular bit in a Circular Basis and Bob measure it in Rectilinear Basis, then there is 50-50% chance of getting \(|\rightarrow>\) or \(|\uparrow>\). Similarly, If Alice send a particular bit in Rectilinear Basis and Bob measure it in Circular Basis, then there is 50–50% chance of getting \(\nearrow > \) or \(\nwarrow>\).

Table 5 Example of quantum secret key sharing in BB84 protocol [56]

In BB84, Alice communicate the basis in which she prepared her qubits on a classical authenticate channel to Bob. If the same basis used by Bob, then their result matches otherwise they discard the qubit. This process is called basis reconciliation or Sifting. If Alice and Bob want to share n bit key, then Alice needs to start with 4n quantum bits as 2n random bit available after step 4 and only n quantum bit key is generated after step 6. If the transmission has not disturbed, then the shared key obtained after step 6 is used in the same way as one-time pad used in a classical cryptosystem. Table 5 illustrates an example of a shared secret key generated using the BB84 protocol.

Step 6 of BB84 can be carried out by various techniques such as parity checking [57]. In step 6.1, Alice selects some random bits with odd parity, and Bob at the other end, picks the same set of random bits and their parity are compared. In step 6.2, Alice select some random bits will even parity, and Bob check the same at the other end. If Alice and Bob agree for odd and even parity, there is very less chance of having eavesdropper.

Unconditional security (Secure irrespective of the computational power used by Eve) of BB84 protocol has been proved by various researchers [58,59,60]. Scarani and Kurtsiefer [61] pointed out the real implementation problems of QKD on 25th anniversary of BB84 protocol and suggested two options (device-independent security and reasonable security of a device). Their idea later give rise to the concept of device-independent cryptography. BB84 is completely robust if Alice and Bob both usage qubit. If one party (say Alice) unknowingly transmit two or more copies of the qubit, then BB84 is partially robust.

Goldenberg and Vaidman [62] proposed GV protocol based on the orthogonal states. They claimed that their approach ensures the detection of eavesdroppers. Peres [63] commented on Goldenberg and Vaidman protocol that Goldenberg and Vaidman protocol support similar features as BB84 protocol. Further, Goldenberg and Vaidman [64] reclaimed the novelty of their protocol and pointed out that they had used carrier of information in a quantum state and the quantum state belongs to a definite set of orthonormal states.

Dan et al. [65] proposed an intercept/resend attack on BB84 based on Breidbart basis. Using their proposed attacking strategy, the probability of Eve detection will decrease. Although Eve can not be able to obtain the exact information. Wang et al. [66] analyzed the man-in-the-middle attack on the BB84 protocol and suggested the defence mechanism against it. An et al. [67] suggested solution for Beam Splitter attack in BB84 protocol. Garcia-Patron et al. [68] proposed single-photon two-qubit quantum logic for simulating the optimal individual attack on BB84 protocol without quantum memory.

Boyer et al. [69] proposed a protocol BB84-INFO-z (Identical to BB84, except information bits are in z-basis) and found that the modification in BB84 does not harm its security against collective attacks. Fung et al. [48] introduced the phase-remapping attack in QKD protocol. Eve introduces phase-remapping by time-shift on the signal pulses. They showed that if Alice and Bob are unaware of the attack, then the final secret key will be compromised in some situations. Jiang et al. [70] introduced the frequency shift attack using the imperfection used in phase-remapping attack [48]. Using frequency shift attack, Eve gets more information as compared to phase-remapping attack. Fuchs et al. [38] presented optimal eavesdropping strategy for four state BB84 protocol.

6.2 BBM92 Protocol

Bennett, Brassard and Mermin [71] proposed entanglement version of BB84 named BBM92 without the usage of Bell’s theorem. In BBM92, Alice and Bob both take photons generated from a central source, and Alice is not supposed to generate a photon. If Alice and Bob usage the same measurement basis, then their results are perfectly correlated. If Alice and Bob choose a different basis (Alice choose C-basis and Bob choose R-basis or vice-versa), then their results will not be correlated.

BBM92 is again divided into quantum transmission phase (Step 1- Step 3) and classical communication phase (Step 4-Step 5). Classical communication phase of BBM92 and BB84 protocols are the same.

Table 6 illustrates example of shared secret key generated using BBM92 protocol with two bases and maximally entangled state \(|\psi _1\rangle =1/\sqrt{2}(|00\rangle +|11\rangle )\) .

Table 6 Example of secret key sharing using BBM92 protocol [57]

Table 7 Certain cases for B92 protocol [75]

Table 8 Uncertain cases for B92 protocol [75]

Table 9 Example of secret key in B92 protocol

Waks et al. [72] presented the security proof for BBM92 protocol using realistic and un-trustable source against individual attacks. They found that average collision probability of BBM92 and BB84 is same, whereas, BBM92 perform better in terms of communication rate (a function of distance) as compared to BB84. Adenier et al. [73] proposed the double-blinding attack (On each side) on entangled protocols. The double-blinding attack is not a kind of intercept and resend attack. Eve is blocking entangled source completely and replacing it with pairs of bright pulses. In BBM92, Eve gets full information of the key and remain undetected.

Major advantage of BBM92 protocol is that Alice and Bob will detect any malicious control by Eavesdropper to the source. In BBM92, we do not require a trusted central source for generating entangled photon.

6.3 B92 Protocol

Usage of two different bases in BB84 protocol is redundant. In 1992, Bennett proposed a new protocol named B92 using one non-orthogonal basis(\(\rightarrow , \nearrow \)). In B92, Alice used only one non-orthogonal basis. In B92 protocol [74], Alice only sends information using the following two non-orthogonal states.

$$\begin{aligned} |\rightarrow \rangle= & {} |0\rangle =\begin{pmatrix} 1 \\ 0 \end{pmatrix} \\ |\nearrow \rangle= & {} 1/\sqrt{2}(|\uparrow \rangle +|\rightarrow \rangle )= \quad 1/\sqrt{2} \begin{pmatrix} 1 \\ 1 \end{pmatrix} \end{aligned}$$

Alice represents random bit 0 and 1 by \(\rightarrow \) and \(\nearrow \) respectively.

Table 9 illustrates one example of a shared secret key generated using the B92 protocol.

Tamaki et al. [76, 77] proved the security of B92 using a single-photon source. Koashi [78] proposed the implementation of B92 using strong phase-reference coherent light. Kuppam [79] analysed and compared the performance of BB84 and B92 protocol in PRISM. He observed that the B92 protocol performs better in term of eavesdropper detection as compared to BB84. The number of accurate measurement by eavesdropper is less in B92 as compared to BB84. Phoenix et al. [80] proposed a three mutually non-orthogonal state protocol to overcome suppression attack in B92 protocol. Senekane et al. [81] demonstrated an optical implementation of the six-state QKD protocol using three non-orthogonal states. They added the additional features of another detection set in [80] to improve security and eavesdropper detection probability.

6.4 E91 Protocol

Ekert [82] proposed an entanglement based protocol E91. He used the generalized Bell’s theorem for testing of eavesdropping. His approach used Bohm’s version of the Einstein–Podolsky–Rosen (EPR) for generating identical random numbers at remote places. A sequence of entangled pairs of qubits from central sources and each one of our communicators (Alice and Bob) received one of the pairs. In entangled pair, it does not matter whether Alice or Bob measure it first. If Alice/Bob measures the first pair, then Bob/ Alice will collapse respectively.

Consider Alice and Bob are in maximally entangled using \(|\psi _1\rangle \).

$$\begin{aligned} |\psi _1\rangle =|EPR\rangle =1/\sqrt{2}(|00\rangle +|11\rangle ) \end{aligned}$$

Using \(|\psi _1|\) as entangled pair, Alice’s and Bob’s results are perfectly correlated when measured in the same basis (i.e. they receive exactly same bits).

Consider Alice and Bob are in maximally entangled using \(|\psi _3\rangle \).

$$\begin{aligned} |\psi _3\rangle =|EPR\rangle =1/\sqrt{2}(|10\rangle +|01\rangle ) \end{aligned}$$

Using \(|\psi _3|\) as entangled pair, Alice’s and Bob’s results are perfectly anti-correlated when measured in the same basis(i.e. they receive inverted bits). Using \(|\psi _3|\) following compatible cases can occur:

1. 1.

   If Alice/Bob measure spin up, then Bob/Alice collapse into a spin down.

2. 2.

   If Alice/Bob measure spin down, then Bob/Alice collapse into spin up.

Using \(|\psi _3\rangle \) as entangled pair, following Incompatible cases can occur:

1. 1.

   If Alice/Bob measure spin up, then Bob/Alice collapse into spin down or spin up.

2. 2.

   If Alice/Bob measure spin down, then Bob/Alice collapse into spin up or spin down.

In E91 protocol, Alice’s and Bob’s results are perfectly correlated or anti-correlated, which help in identifying the Eavesdropper. Entangled pair become disentangled due to noise in the environment. Therefore we need to compare the matching of bases as in BB84 protocol.

In original E91 protocol [82], Ekert had considered three bases for Alice (\(0^{\circ },45^{\circ }\) and \(90^{\circ } \)) and Bob (\(45^{\circ },90^{\circ }\) and \( 135^{\circ } \) ). There are 1/3 chances that Alice and Bob measure in compatible bases (E91 original protocol consider three bases). Alice and Bob publicly announce their bases and discard incompatible bases. In original E91 protocol, to produce a key size of N, we need to 6N original key size as there is \(~33\%\) chances that bases are compatible and half of the key is used to check the eavesdropper.

Table 10 Example of secret key in E91 protocol [57]

In 1964, John Stewart Bell [83] presented an analogy to Einstein Podolsky Rosen (EPR) paradox based on the spin measurement on pair of entangled photons. He presented a model of reality with hidden variables that allow entanglement. For classical particle, Bell’s inequality will be satisfied with the measurement of particles. For entangled photons, the measurement will violate Bell’s inequality, and it represents the quantum behaviour of a system. Hensen et al. [84] carried out an experiment and analyzed Loophole-free Bell test using electron spins in diamond at the Delft University of Technology.

Ilic [85] described various concepts of error correction, privacy amplification and violation of Bell’s theorem in E91 protocol. Li et al. [86] analysed the security of E91 protocol and proposed a model for noise analysis. Their result shows that Eavesdropper can maximally get 50% of the key if the noise level is approximately 0.5.

Inamori et al. [87] proposed a symmetric incoherent eavesdropping strategy in E91 protocol. If Eve controls the preparation of entangled photon, the effectiveness of E91 protocol reduces to BB84 protocol. Ling et al. [88] reported the implementation of E91 protocol by violating the Bell inequality to derive a secure key. Acin et al. [89] simplified the E91 protocol by taking three bases on one side and two bases on the other side. Honjo et al. [90] carried out an entanglement based QKD experiment over 100 KM of optical fiber using superconducting single-photon detectors.

Fujiwara et al. [91] demonstrated the experimental realisation of Acin et al. protocol [89] through 20 KM fiber using hybrid entanglement photon pair source. Li et al. [92] proposed a model of noise analysis in E91 protocol. They observed that Eve could get 50% of the secret key if the noise level reaches 0.5. Sharma and Lenka [93] applied the concept of E91 protocol in an online banking system for user authentications.

6.5 Six-State Protocol

Bruß [94] generalized the BB84 protocol and designed six-state protocol using three conjugate bases. These six states are pointing towards positive and negative of x-axis, y-axis and z-axis of the Bloch sphere. Bruß [94] further proved that six-state protocol are more secure than BB84 protocol. Implementation of the six-state protocol can be carried out using only optical technologies, without a quantum computer.

Three bases in six-state protocol are:

Along z-axis of Bloch Sphere: \(|0\rangle ,|1\rangle \)

Along x-axis of Bloch Sphere: \(1/\sqrt{2}(|0\rangle +|1\rangle )\), \(1/\sqrt{2}(|0\rangle -|1\rangle )\)

Along y-axis of Bloch Sphere: \(1/\sqrt{2}(|0\rangle +i|1\rangle )\), \(1/\sqrt{2}(|0\rangle -i|1\rangle )\)

Alice selects the basis with equal probability of 1/3 and sends qubits to Bob. Increase in the number of inputs by Alice, make it difficult to learn the message to eavesdropper Eve. After Bob receives all qubits, Alice announces the basis used using a classical channel. Bob measure Alice’s basis and their value are used as the key. Eavesdropper Eve can measure the qubit sent by Alice by choosing random basis (1/3 for correct bases and 2/3 for incorrect bases) and resend new qubits to Bob. Eve guesses the right bases with 1/3 probability and incorrect basis with 2/3 probability. Therefore, Bob receives the right qubits with probability 2/3 and incorrect qubits with 1/3 probability [94]. practical implementation and security proof of six-state protocol is difficult as compared to BB84.

Disadvantage of Six-State Protocol: In the six-state protocol, Bob has a quantum memory, and he performs all its measurement after Alice reveals the Basis. In contrast, in BB84 Bob initial measure his qubit in a random basis and then Alice send him the basis in which she prepared the qubits and mismatch basis are discarded.

Lo [95] proved the unconditional security of the six-state protocol. Lo demonstrated the bit error rate of 12.7%, which is an improvement over BB84 (11%) by allowing one-way classical communication. Kato and Tamaki [96] established the security proof of six-state protocol by using a photon number resolving detector. They found that the bit error rate threshold for six-state protocol is higher than the BB84 protocol. Garapo et al. [97] investigated the effect of collective-rotation noise on the six-state protocol. They observed that the six-state protocol is robust against intercept-resend attacks on collective noise while keeping the rotation angle within certain bounds. Bechmann-Pasquinucci and Gisin [98] found that coherent eavesdropping will not increase Eve’s Shannon information but increase the probability of guessing all correct bits.

Recently, Azuma and Ban [99] investigated the six-state protocol against intercept/resend and collective attacks. They showed that intercept/resend attack can be described by hidden variable models, whereas, the hidden-variable model can not describe collective attacks if the disturbance is smaller than 1/3.

6.6 SARG04 Protocol

Scarani et al. [100] designed SARG04 protocol, which is robust against PNS attack with weak pulses. SARG04 uses two non-orthogonal quantum states similar to B92 protocol. BB84 and SARG04 protocols have the same transmission phase and the measurement phase. SARG04 usages a different post-processing phase as compared to BB84 protocol. SARG04 is more secure even Alice emits two photons.

Table 11 SARG04 Alice transmission states in computational and Hadamard basis [101]

In SARG04 protocol, Alice never announces her basis to Bob. In classical sifting procedure, Alice does not reveal her basis. For binary values of \(a_i\) and \(b_i\) gives us four different qubit states (\(|\psi _{00}\rangle , |\psi _{10}\rangle , |\psi _{01}\rangle , |\psi _{11}\rangle \)) as shown in Table 12. It is evident from the \(4^{th}\) and \(5^{th}\) column of Table 11 that \(a_i\) is encoded in Computational or Hadamard basis is decided by \(b_i\). As Bob announces the receipt of qubits, Alice will not share the basis in which these qubits are prepared. Corresponding to each qubit, Alice prepare two states (one in computational basis and other in Hadamard basis) and announces both to Bob. For example, Alice transmit \(|\psi _{11}\rangle \) and she announces \(|\psi _{11}\rangle \) and \(|\psi _{10}\rangle \) in Hadamard and computational basis respectively. Bob Hadamard measurement will result in \(|\psi _{11}\rangle \), whereas computational measurement will result in \(|\psi _{00}\rangle \) and and \(|\psi _{10}\rangle \) with equal probability 1/2. If Bob observes \(|\psi _{00}\rangle \) state, he can determine the state \(|\psi _{11}\rangle \) sent by Alice. Further, Scarani et al. [100] proved that the SARG04 is more robust than BB84 against PNS attack. Table 11 represent various combinations of Alice announces and detection of a qubit by Bob (other cases like Alice transmit \(|\psi _{00}\rangle \) and \(|\psi _{11}\rangle \) for Alice qubit \(|\psi _{00}\rangle \) will occur in the same way).

Table 12 Different combination of revealing the exact state by Bob in the SARG04 protocol [101, 102]

Branciard et al. [102] designed the entangled version of SARG04 and proved that for a wider class of Eve’s attacks, SARG04 perform better than BB84 in terms of secret key rate and maximal achievable distance. Further, they also showed that the quantum bit error rate (QBER) of SARG04 is twice the QBER of BB84 if a channel of given visibility is available. Koashi [103] generalized the SARG04 protocol to n quantum state protocol. Fung et al. [104] compared the performance of SARG04 with decoy-state and SARG04 with two-way classical communication with BB84. They showed that SARG04 with two-way communications could tolerate a higher bit error rate than SARG04 with one-way communications.

6.7 T12 Protocol

Lucamarini et al. [105] introduced the concept of T12 protocol with the same features as BB84 except that decay qubits are used, and different probabilities are assigned to C and R basis. Decoy state protocol uses imperfect single-photon sources such as weak coherent state source. They observed increased efficiency with a higher key rate in a gigahertz clocked QKD system. Bases are selected using asymmetric probability using \(P_Z \ge 1/2\) and \(P_X = 1-P_Z \).

Lucamarini et al. [105] found that the optimal probability value \((P_X\le 1/16)\) should be used to achieve higher possible key rate. Toshiba’s QKD [106] (TQKD) system delivered digital keys over fiber optic using the concept of T12 protocol. TQKD provide the digital key over a distance of 50 KM with a bit rate one megabit per sec; otherwise, it also facilitates more than 100 Kms.

Table 13 Comparative summary of few QKD protocols. Here O, N and C denote orthogonal, non-orthogonal and conjugate bases

6.8 Other QKD Protocols

Table 13 represents a comparative summary of few QKD protocols. Bennett and Wiesner [107] found that Bob performs one of the four unitary operations on the EPR pairs prepared by Alice. By measuring two particles jointly, Alice can find the operation performed by Bob. Bechmann-Pasquinucci and Peres [108] proposed a QKD protocol using a 3-state system for carrying the information. They showed that the 3-state system provides better security than 2-state carriers. Inoue et al. [109] proposed differential phase shift QKD where a single photon is prepared in a superposition state of three basis kets. The phase difference between two pulses out of three pulses of photons is used to carry bit information from Alice to Bob. Deng and Long [110] proposed a two-way QKD protocol using faint laser pulses and without the involvement of basis reconciliation. In Deng and Long protocol, first Bob sends laser pulses to Alice, and Alice encodes it using unitary operations and returns laser pulses to Bob.

Stucki et al. [111] designed a Coherent one-way (COW) quantum key distribution protocol to work with weak coherent pulses and high bit rate. In COW protocol, emitter Alice encodes information in time. Alice information contains 0-pulses, no-light or \(\mu -\)pulses in time slot separated by T. Pan et al. [112] QKD protocol using twelve nonorthogonal states in a four-state system. Khan et al. [113] proposed KMB protocol that allows more noise without adding intermediate nodes by using two mutually unbiased bases. Any attempt by eavesdropper significantly increases the higher-dimensional photon state. In QKD protocols like BB84, a single particle is transmitted over the quantum channel to share the secret key. Noh [114] had introduced the concept of counterfactual quantum cryptography. Noh’s protocol is more secure without the transmission of a particle on the quantum channel. Gao et al. [115], Wei et al. [116] and Gao et al. [117] carried out work on the quantum private queries.

7 Quantum Secure Direct Communication (QSDC)

Cryptographic protocols like BB84 are non-deterministic and used to establish a shared secret key. Alice encodes a bit in a quantum state and sends it to Bob, but Alice can not able to determine the value decoded by Bob. Beige et al. [118] introduced the concept of direct secure communication. There is no need for establishing a shared secret key in the direct secure communication. In direct secure communication, each photon transmits one bit of Alice’s message without revealing any information to an eavesdropper. The protocol proposed by Beige et al. [118] is deterministic.

Alice represent \(+\) and − by \(|n_+\rangle \) and \(|n_-\rangle \) respectively, where n represent next cipher of Alice key. Alice announces her key publicly after verifying that no eavesdropper was listening. Hong-Mei [119] proposed a QSDC protocol based on cluster entangled state. Figure 7 depicts significant development in Quantum Secure Direct Communication.

Fig. 7

Significant development in quantum secure direct communication

7.1 Bostrom and Felbinger’s Ping-Pong Protocol

Bostrom and Felbinger [120] proposed the concept of direct communication using the concept of entanglement. They proposed a deterministic ping-pong protocol. In ping-pong protocol, the transmission is instantaneous (no additional information is needed to decode the message), and no qubits are discarded. It can be used for plain-text or secret key transmission. For secret key transmission protocol is asymptotically secure, whereas in plain-text transmission it is quasi-secure.

Following steps are used in Bostrom and Felbinger ping-pong protocol [120]:

• Bob prepare two photons in an entangled state \( |\psi _3\rangle =1/\sqrt{2}(|0\rangle |1\rangle +|1\rangle |0\rangle ) \).

• Bob keeps one photon (Home qubit) and send other photon (travel qubit) to Alice through quantum channel.

• Alice choose control or message mode.

• Alice choose message mode:

  • In message mode, if Alice wants to send 0, she performs an identity operation \(I=|0\rangle \langle 0|+|1\rangle \langle 1|\) on travel photon.

  • If Alice wants to send 1, she performs \(\sigma _z=|0\rangle \langle 0|-|1\rangle \langle 1|\) on travel qubit which result into \( |\psi _4\rangle =1/\sqrt{2}(|0\rangle |1\rangle -|1\rangle |0\rangle ) \).

  • Alice send the travel qubit back to Bob.

  • Bob perform Bell measurement which results in \(|\psi _3\rangle \) or \(|\psi _4\rangle \). Based on the result he can infer the encoded qubit is 0 or 1.

• Alice choose control mode:

  • Alice perform measurement in z-basis.

  • Alice inform her result to Bob using Public channel.

  • Bob switches to control mode and perform measurement in the same basis.

  • Presence of Eavesdropper is detected if their result coincide. If their result are anti-correlated then no eavesdropper is presented.

This protocol is called ping-pong as the travelling photon travels from Bob to Alice and back to Bob. In Ping-Pong protocol, no bit is discarded. Incase Eve has complete access of the information in each attack; the detection probability is higher in Ping-Pong Protocol (1/2) as compared to BB84 Protocol (1/4).

Various researchers [121,122,123,124] challenged the security of Ping-Pong protocol by channel loss. Deng et al. [125] identified an attack in the Ping-Pong protocol proposed by [120] in a noise channel. Eavesdropper intercepts the photon and replaces it by a multi-photon signal in the same state for generating the fake signal for one photon. They also proposed an improvement in the Ping-Pong protocol. Lucamarini and Mancini [126] proposed a secure direct communication protocol LM05, which combines the advantages of BB84 and Ping-Pong protocol.

Han et al. [127] proposed a simple and experimental feasible modification to the original Ping-Pong protocol and proved its security in the noisy and lossy channel. In their proposed protocol, Alice prepares n-pairs of maximally entangled state and send half of the qubits to Bob. In message mode, Bob perform one of following four unitary operations \((I_0, I_1, Y_0,Y_1)\) to incoming states [127]:

$$\begin{aligned}&I_0\{|v\rangle ,|0\rangle ,|1\rangle \}=\{|v\rangle ,|0\rangle ,|1\rangle \}, \\&I_1\{|v\rangle ,|0\rangle ,|1\rangle \}=\{|v\rangle ,-|0\rangle ,-|1\rangle \}, \\&Y_0\{|v\rangle ,|0\rangle ,|1\rangle \}=\{|v\rangle ,|0\rangle ,-|1\rangle \}, \\&Y_1\{|v\rangle ,|0\rangle ,|1\rangle \}=\{|v\rangle ,-|0\rangle ,|1\rangle \}, \\ \end{aligned}$$

The existence of vacuum state make \((I_0, I_1, Y_0,Y_1)\) non-unitary. All four operations are having equal probability (1/4). Bob uses \(I_0,I_1\) to encode 0 and \(Y_0,Y_1\) to encode 1 for sending to Alice. The introduction of vacuum states introduces phase randomization in Eve system.

7.2 Ping-Pong Protocol with GHZ state

Chamoli and Bhandari [128] modified the Bostrom and Felbinger [120]’s Ping-pong protocol using three-particle GHZ states and the receiver can simultaneously receive information from the other two parties. Using their protocol Bob and Charlie can communicate to Alice. She receives one bit of information from Bob and two bits of information from Charlie simultaneously through a different quantum channel.

Following steps are used in Chamoli and Bhandari’s ping-pong protocol [128]:

• Alice prepares initial state of three photons in one of the eight GHZ states.

  $$\begin{aligned} |\Phi _1\rangle= & {} 1/\sqrt{2}(|000\rangle _{ABC}\pm |111\rangle _{ABC}) \\ |\Phi _2\rangle= & {} 1/\sqrt{2}(|100\rangle _{ABC}\pm |011\rangle _{ABC}) \\ |\Phi _3\rangle= & {} 1/\sqrt{2}(|010\rangle _{ABC}\pm |101\rangle _{ABC}) \\ |\Phi _4\rangle= & {} 1/\sqrt{2}(|110\rangle _{ABC}\pm |001\rangle _{ABC}) \end{aligned}$$

  Lets us consider initial GHZ state with three photons is \( |\Phi _5\rangle =1/\sqrt{2}(|010\rangle _{ABC} + |101\rangle _{ABC}) \)

• Alice keeps one photon and sends one photon to Bob and another one to Charlie through different quantum channel without declaring the order of photons to Bob and Charlie.

• Bob and Charlie mutually decide whether they will proceed in control or message mode, and inform the same to Alice.

• In control mode (Similar as in the original ping-pong protocol), Bob and Charlie perform measurement in z-basis and inform their results to Alice through a public channel.

  Alice performs a measurement in z-basis, and if she obtains result as expected, it means no eavesdropper is presented.

• Bob and Charlie can encode the information by performing operation, as shown in Table 14. Both Bob and Charlie send their qubit to Alice.

• Alice measures the GHZ state and receives one of the eight GHZ states. By observing the measured GHZ state, Alice can able to determine the Bob and Charlie encoded information deterministically.

Table 14 Encoded information of Bob and Charlie in Ping-Pong using GHZ state [128]

The main advantage of Chamoli and Bhandari protocol [128] over Bostrom and Felbinger’s Ping-Pong Protocol [120] is that Alice can receive one bit from Bob and two-bit from Charlie.

Naseri [129] analyzed the Chamoli and Bhandari [128] protocol and pointed out that Eavesdropper can find out the secret message by introducing the concept of fake entangled particles. Using fake entangled particle, any dishonest party can able to obtain the secret of others without any risk of detection. Furthermore, he proposed the improvement in the protocol using decoy photon technique [130, 131] so that secure communications can be avoided against fake entangled particles. In decoy photon technique, Alice prepares some photons in one of the four non-orthogonal states \(|0\rangle , |1\rangle , |+\rangle , |-\rangle \) and insert it into the transmitted sequence to Bob and Charlie. She keeps the record of insertion positions for the detection of the dishonest sender. Li et al. [132] proposed a QSDC protocol based on the hyper-entangled state with improved efficiency for the detection of an eavesdropper. In hyper-entangled state [133], photons are entangled in multiple degrees of freedom.

7.3 QSDC with Quantum Memory

To transmit a message effectively, QSDC needs to be combined with quantum memory. Zhang et al. [134] introduced the concept of quantum memory in Quantum Secure Direct Communication and demonstrated its application in long-distance quantum communication. They used the polarization degree of freedom of photons as an information carrier and obtained 90% fidelity in the entanglement decoding.

7.4 QSDC with Authentication

QSDC provides direct transmission of a message without establishing a key, which leads to higher security. Thus there is a need to certify the user’s identity to prevent Eavesdropper. Lee et al. [135] proposed the first QSDC protocol for authentication. Min-Jie and Wei [136] proposed two protocols by combining the idea of user authentication and direct communication with dense coding.

Dan et al. [137] proposed a protocol for realizing identity authentication based on polarized photons and EPR pairs (Four Bell states). They used EPR pairs for transmitting information, whereas polarized photons are used for detecting the Eavesdropper and transmitting the identity authentication information. Security is guaranteed by shared identity number, which is encoded in the form of polarized photons. They proposed the following steps for comparing the identity numbers [137]:

• Alice and Bob have an identity number \(A_{ID}\) and \(B_{ID}\) respectively.

• Bob prepares a sequence of entangled photons randomly in Bell states. Bob prepare polarized photons in Rectilinear or Circular basis (Similar as in BB84). He further inserts the polarized photons in the sequence of entangled states and transmits the new sequence to Alice.

• Alice receives the sequence, store in quantum memory, measure polarized photons and publishes the measurement bases and result.

• Alice will revise the wrong bases and determine whether Bob is legal or not.

Various researchers [86, 138,139,140,141,142,143,144] proposed a number of QSDC protocols with authentication. Sarvaghad-Moghaddam [145] proposed an efficient and secure protocol using the concept of entanglement swapping for bidirectional quantum secure direct communication under the controller permission.

7.5 Quantum Dialogue

Ping-Pong Protocol supports only one-way communication. Ba An [146] pointed out denial-of-service or disturbance attack in the Ping-Pong Protocol. Eve can wait in the Pong-route and see that a qubit is coming from Alice in the message mode. Eve can apply operation and destroy the entanglement or changes the EPR pair randomly. Bob will not receive useful information from Alice, and Eve also remains undetected. To overcome the limitation of a denial-of-service attack, Ba An [146] proposed the concept of quantum dialogue in which Alice and Bob can simultaneously exchange their messages. Bennett and Wiesner [107] proposed that Alice will always pong the qubit to Bob in both control and message mode. In addition, he used the concept of super-dense coding for doubling the quantum channel capacity.

Hong and Yang [147] showed that the quantum dialogue is not secure against intercept and resend attack. Further, Zhong-Xiao et al. [148] proposed the modified quantum dialogue, which is secure against the intercept-and-resend attack.

YuGuang and QiaoYan [149] proposed quasi-secure quantum dialogue protocol using batches of single photons. Alice and Bob obtain classical information from running of single-photon back and forth. Their protocol is free from the concept of entanglement. Tan and Cai [150] pointed out that in quantum dialogue protocols, half of the message between Alice and Bob is leaked through classical public communication. Xia et al. [151] and Yan et al. [152] proposed their quantum dialogue protocols using the GHZ state.

Cao and Jiang [153] proposed a multi-party quantum dialogue protocol by introducing a semi-honest third party. Their protocol usage the concept of multi-particle entangled GHZ state and result in communication among multi-party without leaking any information. Recently Gong et al. [154] proposed a quantum network dialogue protocol for communication among multiple legitimate parties using continuous-variable GHZ state. Using their protocol, the sender can send information to multiple users. The continuous-variable quantum protocol offers a significant improvement in channel capacity.

Chou et al. [155] proposed a dynamic group multi-party quantum key agreement protocol using multicast transmission method. It has the feature to deal with complex situations such as joining and revoking of a member, dividing one group into two and combining two groups into one group.

8 Semi-Quantum Key Distribution Protocol

Secure key distribution is possible when both Alice and Bob are quantum in nature. Semi-quantum Key Distribution (SQKD) protocol operate over a two-way communication channel. In SQKD protocol, one/some of the two users/multi-user are classical in nature. A classical user with no quantum memory can able to measure the qubits only in the computational basis. In contrast, a quantum user can prepare the qubits and measure them in any computational basis (states of the basis must be non-orthogonal). Boyer et al. [156] introduced the concept of SQKD based on entanglement in 2007. In SQKD, Alice and Bob share the secret key as in QKD except Bob is usually classic in nature. They had not proved that their protocol is robust against an eavesdropper. They [157] extended their work and proposed two robust protocol against eavesdropper. Figure 8 depicts the significant development in semi-quantum key distribution protocol.

Fig. 8

Significant development in semi-quantum key distribution protocol

First, Alice sends a qubit to Bob, then Bob sends back to Alice after measuring and resend or reflect (send back the same qubit to Alice). SQKD protocols also require an authentic classical public channel. The main advantage of SQKD is that it will reduce hardware cost and computational burden.

In SQKD, Alice the powerful quantum communicant, can perform the following operations:

• Prepare quantum state (such as single photons and Bell state)

• Bell measurement and multi-qubit joint measurement.

• Storing qubit in quantum memory.

In SQKD, Bob the classical-quantum communicant, can perform the following operations:

• Qubit preparation and measurement in computational Z-basis \(|0\rangle ,|1\rangle \)

• Reflect the qubit (Sending back to Alice without distributing the qubit.

• Reorder the qubits via different delay lines.

Krawec [158] designed a single state semi-quantum key distribution protocols which permit reflections to carry information. He considered a restricted attack by Eve and showed the robustness of the protocol. Further, Krawec [159] designed the Mediated semi-quantum key distribution protocol (multi-user quantum key distribution protocol) using Bell basis for allowing two classical or limited semi-quantum users (Alice and Bob) to establish a secret key using the untrusted full quantum server/center. In this quantum server/center will prepare the quantum states and forward it to Alice and Bob. Alice and Bob can only reflect or measure in computational Z-basis and need to rely on the quantum server/center for performing measurement in alternate bases and ensuring the security of quantum channel. He showed that semi-quantum protocol has similar security as full quantum protocol.

Boyer et al. [156] proposed a four states in the quantum protocol. Zou et al. [160] proposed five different SQKD protocols using less than four states and proved their robustness. In two of their protocol, Alice only sends one quantum state. They observed that the protocol with single quantum state have double information bit proportion as compared to Boyer et al. protocol [156].

Lu and Cai [161] proposed a quantum protocol with classical Alice and Eve is aware about Alice classic nature. They extended and devised a protocol when both Alice and Bob are classical in nature. Zhang et al. [162] proved the unconditional security of the single state semi-quantum key distribution protocol proposed by Zou et al. [160].

Xian-Zhou et al. [163] developed and proved the robustness of a protocol to distribute key bits among one quantum party and m classical parties (No quantum capacity). Their protocol is secure against symmetrically individual attacks, and any attack should be detected with non-zero probability.

Jian et al. [164] proposed an improved and secured protocol using entangled states. Alice prepares two-particle entangled state and measured particle in Bell state. Alice prepare N bell states and choose one particle from each states to form N particle \(B_1,B_2,..,B_N\) to Bob. Bob either measure it in a computational basis (Called SIFT) or reflecting the particles (Send the qubit back to Alice without disturbing it or reordering of particles). Their proposed protocol can be modified to measure-resend protocol. Li et al. [165] proposed a semi-quantum secret sharing protocol by utilizing the concept of product states \((|+\rangle |+\rangle )\). Alice prepares the product state and sends one qubit to classical Bob and other to classical Charlie. They tested the protocol by introducing some errors which will further be noticed by the legitimate users.

Yu et al. [166] designed the first SQKD protocol free from all attack and without using authentic classical channels known as Authenticated semi-quantum key distribution (ASQKD). Alice and Bob require pre-sharing of the master secret key, which can be generated by using QKD or SQKD protocol. After generating the master secret key, many session keys can be generated using ASQKD protocol. They proposed randomization based ASQKD and measure-resend ASQKD protocols. Luo and Hwang [167] proposed two authenticated semi-quantum direct communication protocols based on randomization and measure-resend. Sender (Say Alice) equipped with quantum devices transmit a message to the classical receiver. They analyzed that their protocols are robust against Trojan horse attack, intercept and resend attack, modification and impersonation attacks. Zou et al. [168] proposed a semi-quantum protocol without involving the classical Alice’s measurement capability. Their proposed protocol requires less number of quantum states sent by both parties and it is secure against joint attacks.

Chou et al. [169] proposed a semi-quantum private comparison protocol with the presence of a dishonest third party. Lu et al. [170] proposed a no-key semi-quantum direct communication protocol using only constant entanglement preservation time and a fixed number of quantum bit registers.

Boyer et al. [171] in 2017 proposed a semi-quantum key distribution using classical Alice, with a controllable mirror and four-level available systems. In Quantum Private Comparison’s, two users can compare equality of their private secrets using a third semi-honest third party. Thapliyal et al. [172] proposed two semi-quantum protocol for quantum private compassion’s using orthogonal states and evaluated the performance under noisy environment.

Krawec [173, 174] proved the unconditional security of Boyer et al. [156] semi-quantum protocol. Iqbal and Krawec [175] designed a semi-quantum key distribution protocol using high-dimensional quantum states and carried out the security analysis for the same. Recently, Tsai et al. [176] proposed a semi-quantum secret sharing protocol using W-state for three parties and found that the protocol is free from the well-known attacks. Iqbal and Krawec [177] carried a survey of various semi-quantum key protocol and pointed out several open problems. Lin et al. [178] proposed a semi-quantum protocol to share a secret key between two classical users with the help of third untrusted party. The untrusted third party will require single-photon and Bell measurement capability. Wen et al. [179] proposed a semi-quantum authentic protocol based on the correlation between GHZ and W state for determining the identities of two participants. They pointed out that the proposed protocol is more secure and effective than traditional quantum authentication protocols. Tao et al. [180] proposed two-semi direct communication protocols based on Bell states and two pre-shared secret keys. To overcome the problem of double CNOT attack and information leakage problem in the Sun et al. protocol [181], Yang [182] proposed an efficient and secure semi-quantum protocol. Zhou et al. [183] presented two semi-quantum identification protocols using a single photon. In their proposed protocols, quantum Alice and classical Bob can identify each other to resist against a man-in-the-middle attack. Yan et al. [184] proposed a semi-quantum protocol to transmit a secret message between classical Bob and quantum Alice using Bell states.

In addition to the above mentioned protocol, semi-quantum key distribution protocol has attracted the attention by various researchers and carried out work in [185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214].

9 Secure Multiparty Communication (SMPC)

Secure Multiparty Communication (SMPC) is also known as Secure function computation. It was introduced originally by Yao [215] in the form of Millionaire problem for secure multiparty computation. Millionaire problem is a comparison problem in which two millionaires want to discover which one is richest without revealing the precise amount of their personal fortune. SMPC has several applications in the field of online bidding, secure voting and market clearing price scenario. In general, SMPC refers to n parties, and they compute a publicly available function using a set of private variables without revealing their personal fortune. Figure 9 depicts the significant development of Secure Multiparty Communication.

Fig. 9

Significant development in secure multiparty communication

Zhang et al. [216] proposed a quantum protocol using Bell states for comparing the values of two distrustful parties with the help of the third semi-dishonest party. Mayers [217], and Lo and Chau [218] independently pointed out in 1997 that the previously developed multiparty communication is insecure due to unreliable quantum bit commitment scheme.

Dong et al. [219] proposed a generalized multi-party deterministic quantum protocol using entanglement swapping. Shi and Zhong [220] proposed two protocols for quantum multiparty communication using entanglement swapping and EPR pairs. Liu et al. [221] found that multiparty protocol proposed by Shi and Zhong [220] is not secure as a dishonest participant can able to determine the secret key independently by illegal means. Further, Liu et al. [221] proposed a secure multiparty quantum protocol which is secure against participant attacks as well as an outside attack using a single particle. Sun et al. [222] improved the Liu et al. [221] protocol efficiency from \( \frac{1}{(k+1)(N)(N-1)} \) to \(\frac{1}{(k+1)(N)}\) using two additional unitary operations, where N denotes the number of parties. Xun-Ru et al. [223] proposed a three-party QKD based on EPR pairs. Yin et al. [224] proposed a three-party QKD protocol using two-qubit entangled state and each party equally contribute to the establishment of a shared secret key. Zhu et al. [225] found that Yin et al. [224] protocol is not secure if two dishonest parties offset the role of the third party in the generation of the shared secret key by launching a special kind of attack. They also proposed an improved protocol to overcome the participant attack.

Shukla et al. [226] proposed two protocols (Two-party and multi-party) using multi-partite entangled states and found that such quantum systems are useful in the implementation of quantum dialogue. Zhu et al. [227] showed that the Shukla et al. [226] protocol is not secure, and any participant can directly obtain the secret key of the other two participants. They found that in Shukla et al. [226] protocol, an eavesdropper can flip any bit in the final secret key without introducing any error. Finally, they proposed a protocol to overcome the limitation of Shukla et al. protocol [226]. Further, Gu and Hwang [228] found that Zhu et al. protocol [227] suffers from Collusive attack (Any two dishonest parties collaborate and perform manipulation in the final secret key without getting detected). Luo et al. [229] proposed a quantum private comparisons protocol using \(l-\)parties and \(d-\)dimensional entangled state.

Huang et al. [230] pointed out that Sun et al. [222] protocol cannot achieve privacy and fairness. They also proposed a fair and secured protocol for secret key amongst n-parties with a high qubit efficiency. Smania et al. [231] performed experimental realisation of a three-party quantum protocol using qutrit communication using a three-level system includes Secret Sharing, Detectable Byzantine agreement and communication complexity reduction.

Sun et al. [232] proposed a multi-party quantum key protocol by utilizing the four-photon cluster state, block transmission technique, dense coding method and decoy-state. Sun et al. [233] proposed fairness (No one alone cannot be able to determine the key) multiparty quantum key protocol using maximally entangled six-qubit states. Sun et al. [234] proposed a single qubit state protocol for multiparty quantum key agreement by performing an exclusive-OR operation on all the parties without the explicit need of entanglement states, joint measurement and unitary operations. Li et al. [235] found that circle-type multi-party quantum key agreement protocols are not fair, and any two dishonest parties at a special position can able to determine the shared secret key. In multiparty quantum key agreement travelling and distributed mode is used to transmit the quantum information. Huang [236] proposed two protocols for travelling mode using EPR pairs and single photons. Huang et al. [237] proposed an efficient, fair and secure multiparty quantum key agreement protocol using single photons in travelling mode.

Liu et al. [238] proposed a multiparty protocol by taking Bell state as a quantum resource and considering the client-server model. Participants will able to access quantum channel and prepare single photons, whereas the delegate computation such as Bell measurement and unitary operations will be performed at remote quantum centers. Wang et al. [239] proposed a general circle-type multi-party key agreement, which is secure against \(t<N\) dishonest parties cooperation.

Zhou et al. [240] proposed a semi-quantum protocol based on four-particle cluster states. Using Zhou et al. ’s protocol, the key can be distributed among one quantum and two classical parties. Further, they pointed out that the concepts can be extended for more than 3-user for communication. Sun et al. [241] proposed a fair multi-party protocol that resists against Liu’s et al. [235] collusion attack. Participants prepare the initial states only and server to prepare the quantum states. The main advantage of this protocol is that any eavesdropper including server is not able to find the final shared secret key. Cao and Ma [242] proposed the first multiparty quantum key agreement based on Grover’s search algorithm. They showed that their protocol work on a five-party system and further compared the proposed protocols with the existing protocols. A travelling mode in multiparty quantum key agreement protocol achieves higher efficiency than the distributed mode. Cao et al. [243] proposed a multi-party quantum key agreement protocol for travelling mode based on non-orthogonal quantum pairs, Bell states and their dualities by mixed dense encoding.

Sun et al. [244] proposed an efficient multiparty quantum key agreement protocol using sequential communication of a single d-level quantum system. Each participant only performs a unitary operator and measurement complexity is independent on the number of participants. The main advantage of Sun et al. protocol is that the efficiency rate is \(\frac{1}{2N}\). Huang et al. [245] investigated existing multi-party quantum key agreement in a travelling mode. They found that dishonest participants with favourable geographical location collaborating with other participants can able to determine the secret key. Further, they proposed a multi-party quantum key agreement in travelling mode using non-orthogonal Bell states. He et al. [246] proposed a high-efficiency three-party quantum key agreement protocol by utilizing two-photon polarization entangled Bell states and a few single-photon polarization states. They used quantum dense coding to improve the efficiency and each participant need to perform one unitary operation to encode the sub-secret key. Jo et al. [247] carried out a security analysis which provides an asymptotic secret key rate for multiparty quantum key distribution under the restriction that the successive trials are independent. Mohajer and Eslami [248] pointed out that the participant attack on Sun et al. protocol [234] and proposed an improvement to avoid the participant attack.

10 Device Independent Cryptography

Actual device used in quantum key distribution suffer from unavoidable imperfections and behave differently than the theoretical assumptions. Zhao et al. [50] experimentally demonstrated time-shift attack (first quantum hacking attack) against a commercially available QKD system. Lydersen et al. [249] introduced the concept of detector blinding attack to acquire the whole secret key. QKD system suffers from the loophole that allows the side-channel attack. Full-device independent QKD was proposed to avoid the side-channel attack. Figure 10 depicts the significant development in Device Independent Cryptography.

In full device-independent cryptography, Alice and Bob can buy a device from anyone (reliable or unreliable one). It means the security does not rely on the truthfulness of the quantum apparatus. In full-device Independent Quantum Key Distribution (DIQKD), quantum apparatuses are considered as a black box, which takes classical input and produces classical output. Entanglement based devices are more difficult to implement over long distances. Security of quantum key distribution protocol lies with the credibility of the quantum devices. In device-independent cryptography, there is no guarantee that the quantum device performs as per the specifications.

Fig. 10

Significant development in device independent cryptography

Bell inequality test is performed to ensure that the devices are adequately entangled and ensure the testing of quantumness [82, 250,251,252]. Bell inequality can be considered as the Clauser–Horne–Shimony–Holt (CHSH) game [253] played between honest parties (Alice and Bob) using their shared device.

In CHSH game, Honest Alice (input x and output y) and Honest Bob (input y and output b) such that \(x,y \in {0,1}\).

Wining condition of game \(a\oplus b =x.y\)

Classical Case Optimal wining probability \(75\%\)

Quantum Case for Maximally Entangled State Winning Probability \(~86\%\).

Bell [83] experimented and showed that there exist no hidden variable in nature. The Locality loophole refers that particles and detectors are communicating during the Bell test. Researchers are carrying out the work to close the loopholes one by one for excluding Einstein’s Hidden variable. Mayers and Yao [250] introduced the concept of self-testing quantum source by considering the non-local correlations.

Colbeck [254] applied the Bell test to check the honesty of quantum apparatus. Pironio et al. [255] provided the security proof of Acin et al. [256] device-independent quantum key distribution protocol. Hensen et al. [84] carried out an experiment Loophole-free Bell test using electron spins in artificial diamond at Delft University of Technology, Netherland. They separated the electron and detector 1.3 Km apart so that they can not be able to communicate. They performed 245 trials to test CHSH-Bell inequality [253] and found that Einstein’s hidden variables are wrong. Lucamarini et al. [257] designed a device-independent entanglement based B92 protocol.

Full Device-independent quantum key distribution shows that security of the cryptographic protocol is based on the assumption of trusted random number generator, Authenticated classical public channel, the correctness of quantum physics and Both parties (Alice and Bob) physical locations are secure. The major limitation of full-device independent QKD is that it requires a loophole-free Bell test with distant parties, which is practically impossible with currently available technologies.

One-Sided Device-Independent QKD: In standard QKD, Alice and Bob both trusts their measurement apparatus. Branciard et al. [258] introduced the concept of one-sided device-independent QKD, a less restricted device-independent QKD, where one of the party trust his/her measurement apparatus. Cao et al. [243] proposed one-sided measurement-device-independent QKD to overcome the limitations of measurement-device-independent QKD and to enjoy the detection of loophole-free. They considered Bob encoding system is trusted and carried out an experiment using a coherent light source. Tomamichel et al. [259] showed that the standard BB84 QKD scheme is one-sided device-independent QKD by considering Bob’s quantum apparatus as malicious, and Alice apparatus is a trusted one. Walk et al. [260] carried out an experimental demonstration of Gaussian protocol for one-sided device-independent QKD.

Measurement Device-Independent Quantum Cryptography: Measurement device-independent QKD is one of the feasible solutions with currently available technology to quantum hacking and bridging the gap between theoretical and practical implementation of QKD. Lo et al. [261] introduced the concept of measurement device-independent QKD for removing all detector side channels attacks. In their approach, Alice and Bob prepare phase randomized weak coherent pulse in different BB84 polarization state. These polarization states are selected randomly and independently for each signal. Further, they showed that the system remains secure over 200 KMs in the existence of seriously flawed detectors. Measurement device-independent QKD [262] provide high key rate and long-distance with the currently available technologies.

Tang et al. [263] performed the first experimental realization of measurement device-independent QKD by considering the state preparation flaws and distributed secure keys up to 40 KM. Experimental realization of measurement device-independent QKD has been carried out by various researchers (For details, the reader can see [221, 264,265,266,267]). Qiao et al. [268] proposed a scheme for monitoring light source using single-photon detectors for measurement-device-independent QKD. This new scheme significantly improves the secure key rate and transmission distance. Cui et al. [269] proposed a high-dimensional measurement device QKD protocol with qudits hyper-encoding in spatial mode and polarization degrees of freedom. They demonstrated that their scheme is unconditional secure for weak coherent pulses with decoy states. Dellantonio et al. [270] also proposed a high-dimensional measurement-device-independent QKD protocol and carried out an analysis for phase error and imperfect sources.

Measurement-device independent QKD requires an interface of two photons from two different light source, which makes the experiment more demanding. Secure key rates achieved in measurement-device independent QKD is lower than prepare and measure the QKD system.

Semi-Device Independence Fully device-independent QKD is based on non-locality and applicable only for entanglement based protocols. Semi-device-independent QKD provides secure key distribution for one way prepare and measure protocols [271]. The measurement apparatus’s dimension is of fixed Hilbert space. Yang et al. [272] demonstrated the security of semi-device-independent QKD against collective attacks. Dall’Arno et al. [273] discussed security concerns in semi-device-independent QKD and suggested ways to prevent the malicious attack. Chaturvedi et al. [274] studied the security of semi-device-independent QKD protocol under the random access code, cryptography primitive.

Woodhead et al. [275] proposed a semi-device-independent QKD based on modified BB84 protocol and Bob carried-out CHSH-type estimation on the qubit send by Alice.

Detector Device-Independent Quantum Cryptography: To overcome the limitations of measurement-device independent QKD (Security key rate and Interface of two photons), Lim et al. [276] and Gonzalez [277] proposed the concept of detector device-independent quantum cryptography the combine the security of measurement-device independent quantum cryptography with the efficiency of conventional QKD. The main advantage of detector-based-independent QKD is that two-qubit single photon is used instead of an interface between two widely separated independent single-photon source.

Wei et al. [278] proposed detector blinding attack with intrinsic attack and Eve can obtain the security key without getting detected. They also explicitly discussed the attack proposed by Qi and Siopsis [279], which combines the blinding attack and detector wavelength dependency of a beam splitter. Sajeed et al. [280] demonstrated that detector-device-independent QKD is not secure against side-channel attacks.

11 Post Quantum Cryptography

Security of existing classical cryptosystems relies on the Integer factorization problem, discrete logarithm problem or elliptic-curve discrete logarithm problem. Shor algorithm can able to solve all these three problems using a quantum computer. Grover algorithm [3] showed that the Security of the symmetric encryption algorithm is at risk. Table 15 represents a few symmetric and asymmetric cryptosystem with quantum attacks.

Once a scalable quantum computer is developed, the existing classical security algorithms such as Diffie–Hellman key-exchange [281], RSA public key encryption [282], Algebraically Homomorphic [283], Elliptic curve cryptography [284] and Buchmann–Williams key-exchange [285] will become insecure. There is a growing interest in post-quantum algorithm to make the system secure. Post-quantum algorithms deal with cryptosystem that runs on a conventional computer but secure against attacks by quantum computer [286]. Bernstein and Lange [287] listed various existing cryptographic system and the quantum attacks against the cryptographic system.

Table 15 Few examples of symmetric and asymmetric cryptosystem with quantum attacks [287]

Table 16 Public cryptosystems and their examples

Fig. 11

Significant development in quantum cryptography after BB84 protocol

Post-quantum cryptography schemes are classified into code-based cryptography, Lattice-based Cryptography, Hash-based Cryptography, Multivariate-quadratic equations cryptography. Table 16 represents a few public cryptosystems with their examples.

• Code-Based Cryptography: McEliece [288] introduced the concept of code-based cryptography in 1978. Code-based cryptosystem uses error-correcting code. There is a trade-off between efficiency and security in the code-based cryptosystem. By reducing key size, efficiency can be improved but at the cost of security. By increasing the key size, security can be improved but at the cost of efficiency [289]. The main issue of a code-based cryptosystem is the key size (megabyte) for higher security.

  Although Researchers had proposed few code-based cryptography schemes; attacks have been proposed corresponding to these schemes. Still, the initially proposed scheme by McEliece remain unbreakable, but it suffers from a key size. In future, there is a possibility of new code-based cryptography approach to be proposed that remain secure with the quantum attack.

• Lattice-Based Cryptography: Hoffstein et al. [290] introduced NTRU public cryptosystem with a smaller key size than McEliece cryptosystem. Several quantum attacks have been proposed by exploiting the polynomial structure [291, 292] and without exploiting the polynomial structure [293,294,295]. To gain confidence against quantum attack, more research is needed to be carried out on lattice-based cryptography.

• Hash-Based Cryptography: Hash-based cryptography relies on the hash function and requires minimal security requirements. Lamport-Diffie one-time signature scheme [296] and Winternitz one-time signature scheme [297] are hash-based cryptography schemes. Dods et al. [298] and Hulsing [299] proposed the improved hash-based cryptography schemes using better one-time signatures to decrease the signature size.

• Multivariate-Quadratic Equations Cryptography: It is based on the computational difficulty involved to solve non-linear equations over finite fields. This cryptography scheme is also known as trapdoor multivariate quadratic as it involves higher-order quadratic polynomial equation. Patarin’s and vinegar signature scheme [300], Ding and Schmidt’s Rainbow signature scheme [301] and Patarin’s et al. Quartz signature scheme [302] are few well known multivariate public-key cryptography schemes.

National Institute of Standards and Technology (NIST) has initiated the process to evaluate and standardize the quantum-resistant algorithms for post-quantum cryptography. NIST had shortlisted 26 quantum algorithms (17 Public key encryption and key-establishment algorithms and 9 for digital signatures) for the post-quantum algorithms. Researchers are considering these 26 algorithms as the strongest candidate for post-quantum algorithms [303]. There is an upward trend of research in the area of post-quantum computing. Reader can go through [286, 287, 304] for a detailed study on post-quantum cryptography.

12 Latest Trends and Concluding Remarks

Latif et al. [305] proposed a framework for secure communication in the cloud and internet of things environment. They also proposed a quantum steganography protocol using a hash function and entanglement states. Amer et al. [306] proposed a semi-quantum key distribution protocol for tolerating high-level of noise by considering the advantage of a two-way quantum channel. Figure 11 represents the significant development in quantum cryptography after the design of the BB84 Protocol. Figure 12 represents the major experimental work carried out in the area of quantum cryptography. Table 17 depicts a summary of various attacks on the quantum protocol.

Fig. 12

Major experimental work in the area of quantum cryptography

Table 17 Summary of various attack on quantum protocol

Table 18 Applications of quantum cryptography

Table 19 Major sources titles with papers \(>3\) used in the review process

To overcome the limited distance communication over fiber cables, free space-based QKD give rise to the concept of satellite-based communication for sharing secret information. Yin et al. [312] explored the satellite-based communication between two entangled photons separated by 1203 KM on earth. Liao et al. [313] reported the development and launch of a low-earth satellite for achieving the kilohertz key rate for a distance up to 1200 KM by implementing decoy-state QKD. Further, Liao et al. [314] performed decoy-state quantum key distribution between multiple locations on the ground (Xinglong, Nanshan and Graz) and low-earth orbit satellite. They communicated the secret message over 7600 KM between locations in Europe and China. Sharma and Banerjee [315] carried out the analysis of the atmospheric effect on satellite-based communication against Photon number splitting and intercept resend with unambiguous discrimination attacks. In 2017, Bedington et al. [316] summarized the research on QKD with satellite. Chunli Bai (President of Chinese Academy of Science) and Anton Zeilinger (President of Austrian Academy of Sciences) successfully conducted the first Inter-Continental video conference call using Chinese quantum satellite Micius [317]. Quantum key is transmitted using the satellite Micius.

Chinese Academy of Science and Jian-Wei Pan research group from University of Science and Technology, China collaboratively working on quantum communication between low earth orbit satellite and receiving stations on earth to achieve secure communications between optical ground stations in China and Europe. Many Indo-Pacific nations also joined the race for Quantum satellite. The National University of Singapore developed a nano-satellite carrying quantum node, which was launched by Indian vehicle in 2015. National Institute of information and Communications technology, Japan also demonstrated quantum communication using a micro-satellite in 2017. Quantum cryptography can be applied in substantial numbers of applications. Table 18 represents a few real-life applications of quantum cryptography.

12.1 Quantum Blind Computation

It is likely possible that the quantum computer after its development will be available in centers across the world. Blind quantum computation is emerged for performing secure computation rather than secure communication. Consider Alice (does not have a quantum computer) and Bob have a quantum computer. Alice wants to utilize Bob quantum resources without revealing about the computation. In Blind quantum computation, Bob will remain unaware of the usage of his quantum computer by Alice. Alice will perform her computation on Bob quantum computer, and Bob will not be aware of her input, output and computation. Arrighi and Salvail [318] introduced the concept of quantum blind computation and proposed a protocol for carrying out the blind quantum computation.

Broadbent et al. [319] proposed a protocol for blind quantum computation. In their protocol, Alice, a purely classical client, communicate with two non-communicating entangled servers for performing the computation. Fitzsimons [320] reviewed the blind quantum computation. Li et al. [86] proposed two protocols for blind quantum computation with identity authentication. Barz et al. [321], Greganti et al. [322] and Huang et al. [323] experimentally demonstrated the concept of blind quantum computing.

12.2 Quantum Digital Signature

With the significant development in the area of a quantum network, Quantum digital signature and Quantum Key distribution are needed for signing and information distribution in the quantum network. Gottesman and Chuang [324] introduced the concept of quantum digital signature in 2001. Quantum digital Signature is an approach used to sign a document by quantum means and transfer to the user with information-theoretically study [325, 326]. Roberts et al. [266] carried out an experimental demonstration of quantum digital signature by realising quantum network architecture mediated by measurement-device-independent quantum key distribution. Cai et al. [327] carried out cryptanalysis on multiparty digital signatures. Shi et al. [328] carried out an analysis of quantum signature scheme based on asymmetric quantum cryptography against forgery attack and suggested the addition of random integer shared between the signer and verifier. Collins et al. [329] reviewed the development in experimental quantum digital signatures. Collins et al. [330], Donaldson et al. [331] carried out experimental demonstration of quantum digital signature.

12.3 High-Dimensional Quantum Key Distribution

Encoding by the polarization of light in quantum key distribution limits the information to be sent per photon. It puts tight bounds on the error rates the system can tolerate. High-dimensional Quantum Key Distribution is an efficient and robust way to encode information with higher key rate. High-dimensional QKD systems are more resistant to noise in the channel and overcome the limitation of QKD by encoding more bits per transmitted photon.

In high-dimensional QKD protocol, information can be encoded using spatial modes [332,333,334], time-phased [335,336,337]. Ding et al. [334] proposed a high-dimensional QKD protocol based on space-division multiplexing in multi-core fiber using silicon photonic integrated lightwave circuits. Jo et al. [247] proposed an efficient high-dimensional QKD protocol using hybrid encoding by two-degree-of freedom of a single photon, multi-path modes and orbital angular momentum modes. Islam et al. [338, 339] proposed and demonstrated a high-dimensional quantum key distribution using two-photon interference technique.

12.4 Position-Based Quantum Cryptography

Chandran et al. [340] devised the concept of classical position-based cryptography. Further, Chandran et al. [341] introduced the concept of position-based quantum cryptography by considering the geographical position of a party as the credential. Using position-based quantum cryptography, two military bases can be communicated without pre-shared keys over an insecure channel. Bilski and Winiecki [342] analyzed the position-based quantum cryptography in a distributed system. Qi and Siopsis [279] studied the performance of position-based quantum cryptography protocols over a noisy channel by assuming that no entanglement is pre-shared between adversaries. Buhrman et al. [343] studied quantum setting in position-based quantum cryptography. Chakraborty and Leverrier [344] proposed interleaved product protocol for position verification.

12.5 Chip-Based QKD Devices

The main limitation of the existing QKD equipment is cost, space and power consumption. To miniaturise and mass-produce of QKD system, Sibson et al. [345] introduced the concept of chip-based quantum communications. IMEC (World-leading research and Innovation hub in Nanoelectronics) and National University of Singapore (NUS) joined their hands to develop robust, scalable and efficient technologies for QKD and quantum random number generation. Roger et al. [346] demonstrated on-chip quantum random generator using laser pulses. Zhang et al. [347] designed a 3 mm silicon photonic chip operating at 1550 nm for continuous-variable QKD system by integrating the all-optical component except for laser source.

12.6 Quantum Bit Commitment

Bit commitment involves Alice and Bob, two mistrustful parties. In Bit commit protocol, Bob is interested that Alice will bind to her commitment and Alice conceal the commitment. Alice commits an encoded bit of information to Bob. Alice cannot be able to change the information after submit, and Bob cannot identify the information until Alice decodes it.

In 1997, Lo and Chau [218] showed that Alice could cheat using the Einstein-Podolsky-Rosen (EPR) attack successfully, causing Quantum Bit commitment to insecure.

Table 20 Papers with citation\(>1000\) in the area of quantum cryptography

Table 21 Papers with google citation\(>30\) per year in the area of quantum cryptography

12.7 Quantum Coin Flipping Protocol

Blum [348] introduced the concept of coin tossing. Coin tossing can be classified as weak or strong. The strong coin-tossing protocol is used if the preference of other party is unknown. In the weak coin-tossing protocol, the preference of other party is known. For instance, a divorced couple (Say Alice and Bob) both want to stay with their single kid and Alice is staying in North India and Bob is staying in South India. A weak coin-tossing protocol will be useful in such a situation where both want to take the responsibility of their kid.

Molina-Terriza et al. [349] designed the first quantum coin flipping protocol using qutrits rather than qubit for higher securities. Here, both communicator Alice and Bob distrust each other. They showed the possibility of a cheater and ways to detect the cheater. Using the concept of photons entangled, Alice and Bob succeeded to toss a row coin remotely.

Colbeck [350] designed a protocol for strong coin-tossing using the power of entanglement and achieve a bias of 1/4. The major advantage of colbeck’s protocol is that it requires only qubits for achieving the bias, whereas bit-commitment require higher-dimensional system [351].

12.8 QKD Devices

Toshiba’s QKD system [352] delivers secure key over 100 KM on fiber optic-based network with a bit rate of 1 Megabit per second. This QKD system is based on T12 protocol (A decoy-state protocol with appropriate modification in BB84) [105]. Toshiba reported that cryogenic detectors operating at room temperature would enhance the performance of high bit rate [106].

To meet the requirement of Metropolitan Area Network, QuantumCTek [353] developed QKD-POL40 series QKD systems based on BB84 protocol with decoy-state and polarization coding. QKD-POL40 is further classified in transmitting mode (QKD-POL40A) and receiving mode (QKD-POL40B). QuantumCTek’s QKD system is secure against attacks (photon beam separation, light blinding and double counting) and provide the feature of quantum channel automatic correction. It provides 15 KBPS@10 dB under typical key rate \(@25\,^{\circ }\)C.

IDquantique IDQ’s Cerberis QKD system [354] provides secure key exchange at temperature \(10^{\circ } \) to \(30^{\circ }\) with secret key rate of 1.4 kb/s (12 dB). Details of parameters and feature of Cerberis QKD system can be found in [355].

The Quantum Technologies Group of the University of Geneva, ID Quantique and Corning Incorporated performed a successful Quantum key distribution at a distance of 421 KM using a three-state time-bin protocol with decoy approach and 2.5 GHZ repetition rate [356]. Travagnin and Lewis [357] carried out a detailed survey of quantum key distribution deployment worldwide. Yuan et al. [358] reported the first QKD complete system which delivers real-time secure keys at the rate of exceeding 10 Mb/s.

12.9 Concluding Remarks

Classical Cryptography is still safe as classical computers can not crack the cryptography algorithms. Concept of quantum cryptography has been commercialized rapidly after the design of the BB84 protocol. Table 19 depicts the significant sources of quantum cryptography. Table 20 shows the most influential quantum cryptography research papers with \(citation>1000\). Table 21 represents a few additional influencing research papers with \(citations>30\) per year.

Computational speed will improve dramatically after the development of the quantum computer. Various research organization and companies are working extensively towards the development of post-quantum algorithms. With NIST competitions, more attacks, algorithms design and implementations are also emerging. Unconditional security of quantum cryptography will make it a long term security solution.

Determining the power of quantum hardware is also a challenging issue. Significant work on verifying quantum computation devices can be found in [359,360,361]. Significant efforts have been made to develop QKD devices. However, low-cost, robust and higher secure key rate and distance remain a challenges question. Satellite-based QKD also emerges rapidly because QKD based on ground approaches has a limited distance (due to fiber attenuation and atmospheric losses).

To overcome challenges in quantum cryptography (quantum attacks, imperfections in quantum communications, cost, distance, secret key rate) and achieve the goal of the quantum internet, research in the area of quantum cryptography will take a rapid pace in the years to come.