1 Introduction

Cryptography is the most important approach to protect transferred data in public environments. In classical cryptography, the security of various schemes, protocols, and cryptosystems are based on the computational complexity assumptions. However, quantum cryptography provides unconditional security by introducing quantum mechanical laws into cryptography [1, 2]. Furthermore, a major advantage of quantum cryptography is eavesdropping check. So, well-designed quantum cryptographic protocols can provide these tasks. Hence, over the past few decades, quantum cryptography has played a significant role in abstract theory of information and communication security. Also there are many practical aspects, which make the study of quantum cryptography important for applications. There are various examples of applied quantum cryptography. We refer to some of them in the following:

Demonstration of the SECOQCFootnote 1 in 2008 has shown that the networks based on QKDFootnote 2 are realizable [3]. Thereafter transmission, storage, and usage of keys generated by QKD which are essential for implementing a quantum cryptographic network, would become the new emphasis of researches [4]. Since QKD has reached adolescence, it is possible to implement with existing infrastructures, e.g., medical information systems, and thus increases their security level remarkably [5]. Moreover, a 3-stage quantum cryptography protocol for secure optical burst switching is proposed in [6], which makes quantum cryptography applicable for embedded systems security. More approaches in quantum communication and quantum technology are presented in [7, 8].

Besides QKD, there exist some major researches in quantum cryptography, such as QSSFootnote 3 [9], QIAFootnote 4 [10], and QDSFootnote 5[11]. A new topic of quantum cryptography is QSDC,Footnote 6 which has been studied comprehensively recently. The goal of QSDC is to transmit a secret message directly without a key generating session to encrypt the message. Like many other topics of quantum cryptography, two approaches for research on QSDC have been put forward: quantum entanglement [12], and single photons [13]. Recently many papers have been published in QSDC: Chou et al. proposed a bidirectional QSDC protocol for mobile network [14], which is improved by Gao [15]. Hwang et al. introduced a new topic in quantum cryptography called quantum authencryption, combining quantum encryption and quantum authentication into one process for off-line communications [16]. Yang put forward a QSDC protocol without quantum memory; a stream is replaced by quantum data block to transmit quantum states [17]. Chang et al. proposed a controlled QSDC protocol; they used five-particle cluster state and quantum one time pad [18]. Zou and Qiu introduced a semiquantum secure direct communication protocol with classical Alice [19]. Hassanpour and Houshmand put forward a three-party controlled QSDC based on GHZ-like states which improves the efficiency of the previous ones [20]. An experimental model of proposed protocol in [21], which is based on EPR pair blocks, is implemented by Hu et al. [22]. Mi et al. presented a QSDC scheme using orbital angular momentum of photons to reach high capacity and security [23]. A practical QSDC to demonstrate a potential application for long-distance quantum communication in a quantum network is presented by Zhang et al. in [24]. However, understanding new cryptanalysis strategies could help us to propose new protocols with higher security, because a cryptographic protocol may be attacked by a subtle strategy which was not presented before proposing the protocol. Some QSDC protocols, which have been cryptanalyzed and improved, can be found in [25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41].

OTPFootnote 7 is the only classical encryption system provides perfect secrecy, which has been proved to be unconditional secure by Shannon in 1949 [42]. Hence, combining quantum cryptography with OTP has become an appropriate strategy to construct high-security cryptographic protocols [13, 43]. In 2013, Chang et al. presented a QSDC and authentication protocol based on single photons [44], hereafter so-called CXZY protocol, in which it is assumed Alice and Bob already shared two secret identity strings. Indeed, the idea of CXZY protcol is to combine OTP with single photons method in the sense of quantum cryptography. Analysis of the protocol shows that it is immune against most attacks such as man-in-the-middle and quantum teleportation. In this paper we first propose a specific impersonation attack on CXZY protocol in two parts. At the first part the opponent called “Oscar” obtains Bob’s identity string. Afterwards Oscar impersonate Alice to obtain the secret message. We then suggest a method for mutual authentication to close the loop-hole by which, any illegal person can impersonate neither Alice nor Bob. So the protocol becomes robust against the impersonation attack. Furthermore, quantum storage is not needed in our protocol. Indeed we use a technique for secret order rearrangement of photons, which makes the correct order of photons indistinguishable to the eavesdropper “Eve”. Secret order rearrangement of photons which is used in some previous protocols provides high security level, and prevents information leakage [28, 45, 46]. The protocol proposed in [45], uses single photons, but it needs quantum storage and twice transmitting of photons. In [46], two schemes based on EPR pairs are presented: a round trip scheme which has been cryptanalyzed, due to lack of sufficient security-checking processes in [28], and a one way scheme. In our proposed protocol, we use once transmitting of single photons like CXZY. Moreover, because of the secret order rearrangement of photons, the secret key can be reused securely. So, the improved protocol is practical in real applications such as embedded systems security.

The rest of the paper is as follows: Sect. 2 reviews CXZY protocol. Section 3 presents the proposed impersonation attack. In Sect. 4, the accuracy of the new attack is studied, and the probability of perfect success after an arbitrary number of iterations is calculated in two cases: the worst case and the average case. Section 5 presents the improved protocol. A simple example of the improved protocol is given in Sect. 6. The security analysis of the new protocol is presented in Sect. 7. Finally the results of this paper are summarized in Sect. 8.

2 Review of CXZY protocol

Throughout this section we briefly present a short review of CXZY Protocol. Suppose that Alice and Bob have two secret binary strings \({\mathrm {ID}}_{\mathrm{A}}=( a_1, \dots , a_n)\) and \({\mathrm {ID}}_{\mathrm{B}}=(b_1, \dots , b_u)\), already shared between them, which represent Alice’s identity and Bob’s identity, respectively. Suppose that Alice wants to send Bob a secret binary message \(M=(m_1, \dots , m_n)\). Hence, they run the following protocol:

Step 1 Alice encrypts M with \({\mathrm {ID}}_{\mathrm{A}}\), using the simple XOR-operation, obtaining \(C=(c_1,\dots , c_n)\), where \(c_i= m_i\oplus a_i\), for \(i=1,\dots , n\).

Step 2 According to C, Alice prepares n qubits, called \(S_C\) in the following manner: if a bit of C is 0, she randomly prepares the corresponding qubit in \(|0\rangle\) or \(|+\rangle\); otherwise she uses \(|1\rangle\) or \(|-\rangle\). According to \({\mathrm {ID}}_{\mathrm{B}}\), Alice prepares u qubits, called \({S_{\mathrm {IDB}}}\) as follows: if a bit of \({\mathrm {ID}}_{\mathrm{B}}\) is 0, she randomly prepares the qubit in \(|0\rangle\) or \(|1\rangle\); otherwise she uses \(|+\rangle\) or \(|-\rangle\). Alice inserts \({S_{\mathrm {IDB}}}\) to \({S_{C}}\) randomly which forms a new binary sequence called \({S_{C}'}\), and then sends it to Bob.

Step 3 After Bob receives \({S_{C}'}\), Alice publicly announces the position of \({S_{\mathrm {IDB}}}\) qubits in \({S_{C}'}\). Then Bob extracts \({S_{\mathrm {IDB}}}\), and measures these photons in the correct bases according to \({\mathrm {ID}}_{\mathrm{B}}\). If a bit of \({\mathrm {ID}}_{\mathrm{B}}\) is 0, he measures the corresponding qubit in the basis \(B_Z=\{|0\rangle , |1\rangle \}\); otherwise, he uses the basis \(B_{X} =\{ |+\rangle , |-\rangle \}\).

Step 4 Bob announces the states of photons in \({S_{\mathrm {IDB}}}\) which he received; the basis information is not included in this announcement. For example, Bob uses bit 0 to denote \(|0\rangle\) and \(|+\rangle\), and uses 1 for \(|1\rangle\) and \(|-\rangle\). According to this rule, Alice obtains the states of the initial \({S_{\mathrm {IDB}}}\). Alice compares Bob’s result with the initial \({S_{\mathrm {IDB}}}\). If the error rate is low enough, Alice verifies Bob’s legitimacy, and no existence of eavesdropping. In this condition, the communication goes on; otherwise, she interrupts it. Alice and Bob discard the bits in \({\mathrm {ID}}_{\mathrm{B}}\) which the corresponding photons in \({S_{\mathrm {IDB}}}\) are not received by Bob.

Step 5 Alice publicly announces the bases of photons in \({S_C}\). Then Bob measures them, and obtains C.

Step 6 Bob decrypts C with \({\mathrm {ID}}_{\mathrm{A}}\) bit by bit using simple XOR-operation, i.e., \(M=C \oplus {\mathrm {ID}}_{\mathrm{B}}\) (Note that, “\(\oplus\)” is used to represent XOR-operation of two binary strings with same lengths).

Step 7 Alice takes another n-bit binary string of a secret message, called \(M_1\) and starts the next transmission.

3 Description of the impersonation attack

We find out that the authentication inside CXZY protocol is unidirectional, which means that only Alice can verify Bob’s legitimacy. Therefore, everyone can impersonate Alice and send Bob several arbitrary messages. Here, we briefly explain the new attack in two parts.

3.1 Impersonating Alice

Oscar prepares an arbitrary binary sequence of length u, such as \({id_{\mathrm {B}}}=(\beta _1, \dots , \beta _u)\) (Note that \(id_{\mathrm {B}}\ne {\mathrm {ID}}_{\mathrm{B}}\) in general). Indeed \({id_{\mathrm {B}}}\) is a candidate for \({\mathrm {ID}}_{\mathrm{B}}\) and would be changed after each session until they coincide (with high enough probability). According to \({id_{\mathrm {B}}}\), Oscar prepares a sequence of qubits obtaining \({S_{id{\mathrm {B}}}}\) as follows: if a bit of \({id_{\mathrm {B}}}\) is 0, the corresponding qubit of \({S_{id{\mathrm {B}}}}\) is \(|0\rangle\); otherwise, it is \(|-\rangle\). Next he prepares a random qubit sequence as \(S_C\) and mixes it with \({S_{id{\mathrm {B}}}}\), obtaining \({S_{C}'}\). Then he sends \({S_{C}'}\) to Bob. Invoking the protocol, after Bob receives \({S_{C}'}\), Oscar announces the positions of \({S_{id{\mathrm {B}}}}\) in \({S_{C}'}\). Then Bob measures the polarization of all photons in \({S_{id{\mathrm {B}}}}\), according to the corresponding bit of \({\mathrm {ID}}_{\mathrm{B}}\). The rule is that he uses the basis \(B_Z\) if the corresponding bit is 0, and uses \(B_X\) if it is 1. Then Bob announces the state of photons in \({S_{id{\mathrm {B}}}}\) he received. As mentioned at step 4 of the protocol, without loss of generality, assume that Bob uses bit 0 to denote \(|0\rangle ,|+\rangle\), and 1 for \(|1\rangle ,|-\rangle\). In other words, if a bit of the string announced by Bob is 0, it means that the corresponding qubit he received, is either \(|0\rangle\) or \(|+\rangle\); otherwise, it is either \(|1\rangle\) or \(|-\rangle\). Thus, Oscar obtains the state of the initial \({S_{id{\mathrm {B}}}}\). Then he compares Bob’s result with the state of initial \({S_{id{\mathrm {B}}}}\). If a bit of the string announced by Bob and the corresponding qubit of \({S_{id{\mathrm {B}}}}\) do not match, Oscar concludes that the corresponding bit of \({id_{\mathrm {B}}}\) say \(\beta _i\) is wrong and changes it; otherwise, the corresponding bit of \({id_{\mathrm {B}}}\) is probably correct, where the probability of the correctness depends on the number of session iterations. By this method, after each iteration, a new \(id_{\mathrm {B}}\) would be replaced by the previous one. If after k iterations, no non-matching case is observed in a position, the bit is correct with probability \(1-2^{-k}\). Therefore, if after k iterations, t matchings remain, the probability of coincident of \({id_{\mathrm {B}}}\) and \({\mathrm {ID}}_{\mathrm{B}}\) is \((1-2^{-k})^t\). After Oscar obtains \({\mathrm {ID}}_{\mathrm{B}}\) (with high enough probability), he can impersonate Bob.

3.2 Impersonating Bob

Oscar intercepts the communication between Alice and Bob. Since Oscar knows \({\mathrm {ID}}_{\mathrm{B}}\), when Alice announces the positions of \({S_{\mathrm {IDB}}}\) qubits in \({S_{C}'}\), he measures the qubits in the correct bases (with high enough probability). So Alice will be deceived, and she announces the bases of photons in \(S_C\). Therefore, Oscar obtains C which is the message encrypted by \({\mathrm {ID}}_{\mathrm{A}}\) using simple XOR-operation. Hence he can break it easily; see [47] and the references therein.

4 Numerical example and discussion

It is clarified at step 4 of the protocol, that Alice considers the error rate when she compares Bob’s result with the state of initial \({S_{\mathrm {IDB}}}\). If it is low enough, then she verifies Bob’s legitimacy. Suppose that the error rate of the quantum channel is e, and \({id_{\mathrm {B}}}\) differs with \({\mathrm {ID}}_{\mathrm {B}}\) in t positions at the beginning of the session described in the first part of the attack. In other words \(d({id_{\mathrm {B}}}, {\mathrm {ID}}_{\mathrm {B}})=t\), where function d shows the hamming distance between two strings of equal lengths. We show that after a few iterations of the protocol, the first part of the attack will be successful considering \(e < 0.02\) (and even in ideal cases with high probability). After k iterations of the session,\(\lceil (1-2^{-k})t\rceil\) wrong bits of \({id_{\mathrm {B}}}\), will be corrected on average (since \(2^{-k} \longrightarrow 0,\) and the number of iterations is a discrete quantity, the ceiling function is used). Also it is clear to Oscar that each one of the other \((u-t)\) bits is the same as the corresponding bit of \({\mathrm {ID}}_{\mathrm{B}}\) with probability \((1-2^{-k})\). So, after k iterations, Oscar knows that every changed bit of the latest \(id_{\mathrm {B}}\) is correct, and the remaining x-bit substring equals the corresponding substring of \({\mathrm {ID}}_{\mathrm{B}}\) probably. Precisely, if after k iterations, x bits do not change, \({id_{\mathrm {B}}}={\mathrm {ID}}_{\mathrm{B}}\) with probability \((1-2^{-k})^x\). Table 1 shows the probability of that \({id_{\mathrm {B}}}={\mathrm {ID}}_{\mathrm{B}}\) after k iterations with several lengths of \({\mathrm {ID}}_{\mathrm{B}}\).

Table 1 The probability of coincident in the worst-case with k iterations and different lengths of \({\mathrm {ID}_{\rm {B}}}\)
Full size table

Note that Table 1 shows the probability of success in the worst-case for some number of iterations, i.e., the correction of wrong bits is not considered. In other words we mean here by worst-case, the situation in which the first candidate of \(id_{\mathrm {B}}\) (almost) completely coincides with \({\mathrm {ID}}_{\mathrm{B}}\) somehow, so Oscar cannot be sure unless after several iterations. But in general, since some bits of \(id_{\mathrm {B}}\) are wrong, the probability of success increases. Let u be the length of \({\mathrm {ID}}_{\mathrm{B}}\). Then there are t wrong bits in the first candidate \(id_{\mathrm {B}}\), where \(t\le u\). So, as mentioned above, after k iterations of the session, \(\lceil (1-2^{-k})t\rceil\) wrong bits will be corrected on average. Table 2 shows the probability of success in the average-case considering \(t=u/2\).

Table 2 The probability of coincident in the average-case with k iterations and different lengths of \({\mathrm {ID}_{\rm {B}}}\)
Full size table

5 Improvement of CXZY protocol

The unidirectional authentication inside CXZY protocol allows Oscar to impersonate Alice, and obtain \({\mathrm {ID}}_{\mathrm{B}}\). Another problem which makes CXZY protocol difficult to implement, is quantum storage. Bob should store the photons he received until Alice declares the correct bases. Furthermore, if the channel is noisy or Eve is active, the length of \({\mathrm {ID}}_{\mathrm{B}}\) will be shortened. So, after a few iterations \({\mathrm {ID}}_{\mathrm{B}}\) must be replaced by a new one. We propose an improvement of CXZY protocol, in which these problems have been resolved.

5.1 Preparation

Let \(\mathbf{k}=(\mathbf{k}_1,\dots ,\mathbf{k}_{p-1})\) be a secret key already shared between Alice and Bob. We then define a family of functions \(\{f_{\mathbf {r}}:\{0,1\}^{p-1}\rightarrow S_{p-1}\mid 1\le {\mathbf {r}} \le 2^{p-1}-1\}\), where p is a prime number, and \(S_{p-1}\) is the symmetric group on \(p-1\) elements, so that

$$\begin{aligned} f_{\mathbf {r}} (x_1,\dots ,x_{p-1})= (x_{{\pi }^{-1}_r(1)},\dots ,x_{{\pi }^{-1}_r(p-1)}), \end{aligned}$$
(1)

where the permutation \(\pi _r\) obtained as follows:

Since \({\mathbf {r}}=\sum _{i=1}^{p-1}r_{i}2^{i-1}\), then we can pick \(r=(r_{1},\dots , r_{p-1})\), and \(\widehat{r}=(\hat{r}_1,\dots , \hat{r}_{p-1})\), where \(\hat{r}_{i}=r_i\oplus \mathbf{k}_i\) . Put

$$\begin{aligned} \delta _r \equiv \sum _{i=1}^{p-1}\hat{r}_i2^{i-1}~ ({\mathrm {mod}} ~p-1), 1\le \delta _r \le p-1, \end{aligned}$$
(2)
$$\begin{aligned} \eta _{r,i}\equiv i\delta _r~({\mathrm {mod}}~ p), 0\le \eta _{r,i} \le p-1, \end{aligned}$$
(3)

and

$$\begin{aligned} t_r \equiv \sum _{i=1}^{p-1}\hat{r}_i2^{i-1} ~({\mathrm {mod}}~ p), 0\le t_r \le p-1, \end{aligned}$$
(4)

then,

$$\begin{aligned} \pi _r(i)\equiv \eta _{r,i}+t_r ~({\mathrm {mod}}~ p-1) , 1\le \pi _r(i) \le p-1. \end{aligned}$$
(5)

Note that, however, \(t_r=0,\) and \(t_r=p-1,\) are not really different, calculating \(t_r\) modulo p ensures that \(t_r\) differs with \(\delta _r\), and it allows us to use a partly wide variety of permutations. We denote by N the number of distinct permutations obtained from a key with length 2n. One can easily check that \(N=n^2\), where \(2n+1\) is prime.

5.2 The improved protocol

Assume that Alice and Bob have a common secret key \(\mathbf{k}=(\mathbf{k}_1,\dots ,\mathbf{k}_{2n})\), where \(p=2n+1\) is prime. The secret key is divided into three parts: \((\mathbf{k}_1, \dots , \mathbf{k}_n)\) considered as the encrypted message base string, \((\mathbf{k}_{n+1},\dots ,\mathbf{k}_{n+\ell })\) as Alice’s verification base string, and \((\mathbf{k}_{(n+\ell +1)}, \dots , \mathbf{k}_{2n})\) as Bob’s verification base string. Suppose that Alice wants to send Bob a binary message \(M=(m_1,\dots ,m_n)\). Encoding bits to qubits according to the corresponding measurement bases, is similar to the rule described at step 2 of CXZY protocol; see Sect. 2. To do the task, Alice and Bob run the following protocol.

Step 1 Alice creates three random strings \(y=(y_1,\dots ,y_n)\), \(v_A=(v_1,\dots ,v_{\ell })\), and \(v_B=(v_{\ell +1},\dots ,v_{n})\). She encrypts the message M with y by XOR-operation, obtaining \(c_M=M\oplus y=(x_1,\dots , x_n)\). So she obtains a string called \(x=(c_M||v_A||v_B)=(x_1,\dots , x_{2n})\). Clearly \(x_{n+i}=v_i\) for \(1 \le i \le n\).

Step 2 Alice chooses a random number \(\mathbf {r}\in \{1,\dots ,2^{2n-1}-1\}\), and announces it.

Step 3 Bob approves receiving \(\mathbf {r}\), after he sets his base string according to \(\mathbf{k}^\mathbf {r}=f_{\mathbf {r}}(\mathbf{k})=(\mathbf{k}^\mathbf {r}_1,\dots ,\mathbf{k}^\mathbf {r}_{2n})\), where \(\mathbf{k}^\mathbf {r}_i=\mathbf{k}_{\pi ^{-1}_r(i)},\) for \(1 \le i \le 2n\).

Step 4 Alice computes \(\mathbf{k}^\mathbf {r}\), and \(x^\mathbf {r}=f_{\mathbf {r}}(x)=(x^\mathbf {r}_1,\dots , x^\mathbf {r}_{2n})\), where \(x^\mathbf {r}_i=x_{\pi ^{-1}_r(i)},\) for \(1 \le i \le 2n\). Then she prepares a train of qubits, called \(X=(X_1,\dots ,X_{2n})\) according to \(x^\mathbf {r}\), and sends X to Bob via the quantum channel. She uses \(\mathbf{k}^\mathbf {r}\) as the corresponding base string.

Step 5 Bob receives X and measures each qubit immediately. Then he extracts \(c_M\), \(v_A\), and \(v_B\), according to \(\pi _r\). In other words, \(X_i\) corresponds to \(x^\mathbf {r}_i=x_{\pi ^{-1}_r(i)}\), which is prepared in the basis according to \(\mathbf{k}^\mathbf {r}_i\). Hence, \(x_i=x^\mathbf {r}_{\pi _{r}(i)}\) for all \(1 \le i \le 2n\).

Step 6 After Bob announces the reception, Alice declares \(v_A\). Then Bob checks the correctness which shows Alice’s legitimacy. If the error rate is high, Bob interrupts the communication; otherwise he declares \(v_B\), which he obtained.

Step 7 Alice checks the correctness of v B declared by Bob, which shows Bob’s legitimacy. If the error rate is high, she interrupts the communication; otherwise, she announces y.

Step 8 Bob decrypts the secret message \(M=c_M\oplus y\).

Note that in a noisy channel, one should do privacy amplification on photons to make perfect quantum states and error correction on the measurement results.

Since Alice and Bob must already share a secret key, they can share a secret key with length \(2n=p-1\), where p is a prime number. But if the condition doesn’t hold, i.e., \(2n+1\) is not prime, the protocol should be slightly changed as follows.

Suppose that \(\mathbf{k}=(\mathbf{k}_1,\dots ,\mathbf{k}_{2n})\), is the secret key. Clearly \(2n+2\) is even. So, before running the protocol, Alice and Bob agree on two prime numbers pq, where \(2n+2=p+q\), such that the product pq has the maximum value as possible. This selection has been guaranteed by Goldbach’s conjecture which holds for even numbers up to \(4\times 10^{18}\)[48] (that is too larger than key lengths in practice). Writing \(2n=(p-1)+(q-1)\), we have \(\mathbf{k}=(\mathbf{k}_1,\dots ,\mathbf{k}_{p-1}, {\mathbf{k}}_{p},\dots ,{\mathbf{k}}_{2n})\). Indeed, k consists of two separate parts of lengths \(p-1\), and \(q-1\), respectively. Also \(v_A=(x_{i_1},\dots ,x_{i_\ell })\), and \(v_B=(x_{j_1},\dots ,x_{j_{n-\ell }})\), where they are two disjoint substring with publicly known positions of the final string \(x=(x_1, \dots , x_{p-1},x_{p} \dots , x_{2n})\). Note that none of three strings \(c_M, v_A,\) and \(v_B\) should be included in only one part of x. More precisely, \(c_M, v_A,\) and \(v_B\), should be distributed almost uniformly on x. The function \(f_\mathbf {r}\) acts on each part separately, as described above. In this case, \(N=(pq-p-q+1)^2\).

6 Example of the new protocol

Here we give a simple example to illustrate how the new protocol runs. Given \(n=6\), the secret key \(\mathbf{k}=(1,0,1,1,1,0,1,0,0,1,0,1)\), and the secret message \(M=(1,1,1, 0,0,1)\). So \(2n+1=13\) is prime, and the protocol runs as follows:

Step 1 Alice chooses \(y=(0,1,0,1,0,0)\), \(v_A=(1,0,0)\), and \(v_B=(0,1,1)\). So she obtains \(x=(1,0,1,0,0,0,1,0,0,0,1,1)\).

Step 2 Alice announces \(\mathbf {r}=16\).

Step 3 Alice and Bob obtain \(r=(0,0,0,1,0,0,0,0,0,0,0,0)\), and consequently \(\widehat{r}=(1,0,1,0,0,0,1,0,0,1,0,1)\). They have \(\sum _{i=1}^{p-1}\hat{r}_i2^{i-1}\equiv 9 ~({\mathrm {mod}} ~12),\) and \(\sum _{i=1}^{p-1}\hat{r}_i2^{i-1}\equiv 11 ~({\mathrm {mod}} ~13).\) So \(\delta _r=9,\) and \(t_r=11\). Therefore, they obtain \(\eta _{16,1}=9\), \(\eta _{16,2}= 5\), and so on. Hence the permutation \(\pi _r\), is obtained as follows:

$$\begin{aligned} \pi _r=\left( {\begin{array}{cccccccccccc} 1 &{} 2 &{} 3 &{} 4 &{} 5 &{} 6 &{} 7 &{} 8 &{} 9 &{} 10 &{} 11 &{} 12\\ 8 &{} 4 &{} 12 &{} 9 &{} 5 &{} 1 &{} 10 &{} 6 &{} 2 &{} 11 &{} 7 &{} 3 \end{array}} \right) . \end{aligned}$$

Consequently, \(\mathbf{k}^{16}=f_{16}(\mathbf{k})=(\mathbf{k}_6, \mathbf{k}_9, \dots , \mathbf{k}_3)=(0,0,1,0,1,0,0,1,1,1,1,1).\)

Step 4 Alice obtains \(x^\mathbf {r}=f_{16}(x)=(x_6,x_9, \dots , x_3)=(0,0,1,0,0,0,1,1,0,1,0,1)\). So she prepares the train of qubits:

$$\begin{aligned} X=(|0\rangle ,|0\rangle ,|-\rangle ,|0\rangle ,|+\rangle ,|0\rangle ,|1\rangle ,|-\rangle ,|+\rangle ,|-\rangle ,|+\rangle ,|-\rangle ), \end{aligned}$$

and sends X to Bob.

Step 5 Bob receives X and measures the qubits, obtaining \(x^\mathbf {r}=(0,0,1,0,0,0,1,1,0,1,0,1).\) Then he permutes the bits of \(x^\mathbf {r}\), and obtains \(x=(1,0,1,0,0,0,1,0,0,0,1,1),\) according to the rule: \(x_i=x^\mathbf {r}_{\pi _r}(i)\). So he concludes \(c_M=(1,0,1,0,0,0)\), \(v_A=(1,0,0)\), and \(v_B=(0,1,1)\).

Step 6 Bob declares the reception, and Alice announces \(v_A=(1,0,0)\). Bob verifies Alice’s legitimacy and announces \(v_B=(0,1,1)\).

Step 7 Alice verifies Bob’s legitimacy and announces \(y=(0,1,0,1,0,0)\).

Step 8 Bob decrypts the secret message \(M=c_M\oplus y=(1,1,1, 0,0,1)\).

7 Analysis and efficiency

Obviously, the improved protocol defeats all attacks which CXZY protocol does, such as man-in-the-middle, and quantum teleportation. It is found in section 3 that an opponent can break CXZY protocol, and obtain \({\mathrm {ID}}_{\mathrm{A}},{\mathrm {ID}}_{\mathrm{B}}\) by the proposed impersonation attack. Since the loop-hole is originated from unidirectional authentication, applying the proposed mutual authentication closes it. Also in CXZY protocol, Bob should store the received photons until Alice declares the correct bases, while in the improvement there is no need for storing the photons which strongly increases the efficiency. Furthermore, there is a strict limitation on reusing a secret key in CXZY protocol in real environments. This problem has been solved in the improvement using a method for secret order rearrangement of photons.

7.1 No need for quantum storage

There is a disadvantage in CXZY protocol that Bob has to store the qubits he received from Alice until she announces the correct bases. To resolve this problem, a technique for secret order rearrangement of bases and qubits is applied, which uses a family of functions so that each function gives a permutation on the secret key components. In this way, before Alice sends a message, she announces an integer index r. Then Alice and Bob set their identical base strings according to \(f_\mathbf {r}(\mathbf{k})\). So, Bob measures each qubit immediately, and he does not need to store the photons. Since the value of k is secret, no illegal person can distinguish the original order of the qubits.

7.2 Key reusability and authentication

In CXZY protocol, if a qubit in \(S_{\mathrm {IDB}}\) loses due to eavesdropping or noise of the quantum channel, the corresponding bit in \({\mathrm {ID}}_{\mathrm{B}}\) should be discarded to ensure the accuracy of eavesdropping detection and authentication. So the length of \({\mathrm {ID}}_{\mathrm{B}}\) would be shortened, after any iteration of the protocol. Precisely, suppose that

Assume that the bit and phase error rate of the base sequence \({S_{\mathrm {IDB}}}\) are \(E^{\mathrm{{bit}}}_{\mathrm{{base}}}\), and \(E^{\mathrm{ph}}_{\mathrm{base}}\) respectively, and the bit error rate of the channel is e. So, the phase error is at most 2e. If \(e<0.25\), the maximal achievable generation rate of the final reusable base string is

$$\begin{aligned} R(e)=1-H\big (E^{\mathrm{{bit}}}_{\mathrm{{base}}}\big )-H\big (E^{\mathrm{{ph}}}_{\mathrm{{base}}}\big )\le 1-H\big (2e\big ), \end{aligned}$$

where (H denotes the entropy function). If the initial base string \({\mathrm {ID}}_{\mathrm{B}}\) is n-bit, the length of the final reusable base string is nR(e). Hence, if the bit error rate of the channel does not change, the total length of new \({\mathrm {ID}}_{\mathrm{B}}\) from a \(u-\)bit initial after m iterations of the protocol \({\mathrm {ID}}_{\mathrm {B}}\) is \(L_{{{\text{ID}}_{{\text{B}}} }} =uR(e)^m\). For instance, given \(e=0.01\), \(u=40\), and \(m=10\), the total length of the new \({\mathrm {ID}}_{\mathrm{B}}\) is less than 10. For more details, see [44], and the references therein. Thus replacing \({\mathrm {ID}}_{\mathrm{B}}\) completely by a new one, is necessary after a few iterations. As mentioned, in our improvement of CXZY protocol, we use a novel technique for secret order rearrangement of photons; moreover, there is no public announcement of measurement bases. These two conditions together with mutual authentication, allow reusing the secret key without shortening the length, even in a weak noisy channel, and make the protocol safe against collective attack [28, 45, 46]. Indeed, if a qubit loses because of eavesdropping or noise, there is no need to be discarded, since the order of qubits would be permuted in the next transmission. Note that if the secret key is a 2n-bit string, then N distinct permutations will be obtained. So, one can partition the set \(\{1,\dots ,2^{2n-1}-1\}\) to equivalence classes \([\mathbf {r}_1],\dots ,[\mathbf {r}_{N}]\), such that \(\mathbf {r}, \mathbf {r'}\in [\mathbf {r}_j]\), for some \(1\le j \le N\), if \(f_\mathbf {r}(\mathbf{k})=f_\mathbf {r'}(\mathbf{k})\). By (1)–(5) we have

$$\begin{aligned} \textit{f}_\mathbf {r}(\mathbf{k})=f_\mathbf {r'}(\mathbf{k})&\Longleftrightarrow \pi _r=\pi _{r'}, \\&\Longleftrightarrow \pi _r(i)=\pi _{r'}(i),\\&\Longleftrightarrow \eta _{r,i}+t_r \equiv \eta _{r',i}+t_{r'} ~({\mathrm {mod}}~ p-1),\\&\Longleftrightarrow \eta _{r,i}- \eta _{r',i} \equiv t_{r'}-t_r ~({\mathrm {mod}}~ p-1),\\&\Longleftrightarrow i(\delta _r -\delta _{r'})\equiv t_{r'}-t_r ~({\mathrm {mod}}~ p-1),~~~~~~~~~~~~~~~~~~~~~~~~~~~~ (\dagger ) \end{aligned}$$

for all \(1\le i \le p-1\). Since \(t_r,t_{r'}\) are constant, the right side of \((\dagger )\) is constant. On the other hand \(i(\delta _r-\delta _{r'})\) varies on all values of \(i \in \{1,\dots ,p-1\}\). So, both sides must be zero. Therefore,

$$\begin{aligned} \delta _{r}=\delta _{r'} \Longrightarrow \sum ^{p-1}_{i=1}\hat{r}_i 2^{i-1} \equiv \sum ^{p-1}_{i=1}\hat{r}_i' 2^{i-1} ({\mathrm {mod}}~ p-1), \end{aligned}$$
(6)

together with either

$$\begin{aligned} t_r = t_{r'} \Longrightarrow \sum ^{p-1}_{i=1}\hat{r}_i 2^{i-1} \equiv \sum ^{p-1}_{i=1}\hat{r}_i' 2^{i-1} ~({\mathrm {mod}}~ p), \end{aligned}$$
(7)

or

$$\begin{aligned} t_r=t_{r'}-1 \Longrightarrow \sum ^{p-1}_{i=1}\hat{r}_i 2^{i-1} \equiv \sum ^{p-1}_{i=1}\hat{r}_i' 2^{i-1}-1 ~({\mathrm {mod}}~ p). \end{aligned}$$
(8)

In fact either (6), (7) or (6), (8) hold. Recall that \(\hat{r}_i=r_i\oplus \mathbf{k}_i\), and \(\hat{r}_i'=r_i\oplus \mathbf{k}_i\), for \(1\le i \le p-1\). Put \(C_{r,r'}=\sum ^{p-1}_{i=1}(\hat{r}_i -\hat{r}_i') 2^{i-1}\). Then (6), (7) imply that

$$\begin{aligned} C_{r,r'} \equiv 0 ~({\mathrm {mod}}~ p-1), C_{r,r'} \equiv 0 ~({\mathrm {mod}}~ p), \end{aligned}$$
(9)

and (6), (8) imply that

$$\begin{aligned} C_{r,r'} \equiv 0 ~({\mathrm {mod}}~ p-1), C_{r,r'} \equiv -1 ~ ({\mathrm {mod}}~ p). \end{aligned}$$
(10)

However, to determine whether \(\mathbf {r,r'}\) are equivalent, one must compute \(C_{r,r'}\). Clearly \([\mathbf {r}]=[\mathbf {r'}]\) if and only if \(C_{r,r'}\) satisfies (9) or (10) .On the other hand, for all \(1\le i \le p-1\):

$$\begin{aligned} \hat{r}_i -\hat{r}_i'= \left\{ \begin{array}{ll} r_i-r'_i &{} \quad \mathbf{k}_i=0, \\ r'_i-r_i &{} \quad \mathbf{k}_i=1. \end{array} \right. \end{aligned}$$

Thus

$$\begin{aligned} C_{r,r'}= \sum _{i=1}^{p-1}(-1)^{\mathbf{k}_i}({r}_i -{r}_i') 2^{i-1}. \end{aligned}$$
(11)

Equation (11) shows that the value of \(C_{r,r'}\) depends on the secret key k as well. Therefore, without knowing k, Eve cannot distinguish the equivalence classes \([\mathbf {r}_1],\dots ,[\mathbf {r}_N]\). In other words, no illegal person can distinguish which permutation is created by an index r. Therefore, when Alice announces r, Eve cannot set her base string according to \(f_\mathbf {r}(\mathbf{k})\). More precisely, Eve’s choice of bases is independent from Alice’s and Bob’s one. Hence a secret key can be reused securely.

7.3 Security against the impersonation attack

It is clear that Eve cannot impersonate Alice, because she does not know the secret key. In detail, suppose that Eve chooses a random index \(\mathbf {r}\), and a random string as her verification string denoted by \(v_E\). Obviously, the value of \(v_A\) calculated by Bob is fully independent from \(v_E\), since Eve knows neither the correct positions nor the correct bases. Thus, \(v_A=v_E\) with probability \(2^{-\ell }\), where \(\ell\) is the length of \(v_A\). If the quantum channel is noisy with bit error rate e, the probability of \(v_A=v_E\) is \(2^{-\ell (1-e)}\). Similarly, Eve cannot impersonate Bob. Thus, the proposed authentication is secure, and the improved protocol is safe against the impersonation attack.

7.4 Efficiency and applications

The protocol runs with once transmitting single photons while does not need to store them. These two properties lead to high performance and low-cost implementation of the protocol. Since in practical aspects, a fixed key may be reused many times, high capacity of key reusability in the protocol could provide a wide usage in practice. Eavesdropping detection is a major advantage of quantum cryptography, which increases the security criterions of a protocol, and is necessary for some applications, provided in the improved protocol. Furthermore, secure mutual authentication with no need to a third party as verifier, ensures legitimacy of users with a simple implementation. Hence, the improved protocol could be used in practical approaches, e.g., embedded systems.

8 Conclusions

We have demonstrated that CXZY protocol is vulnerable to a specific impersonation attack. Since the loop-hole of the protocol is originated from the unidirectional authentication, a mutual authentication is suggested to close it. The improved protocol shares two advantages with CXZY protocol: once transmitting single photons, and eavesdropping detection. Besides them, high capacity of key reusability even in noisy environments, and no need for quantum storage are advantages appeared in the improved protocol. So, the improved protocol is immune against a large variety of attacks (man-in-the-middle attack, quantum teleportation attack, collective attack, impersonation attack, etc.). Moreover, the improved protocol could be investigated in practical aspects, such as quantum embedded systems security.