1 Introduction

In 2004, quantum key agreement (QKA), a new application of quantum mechanics in cryptography, was proposed by Zhou et al. [1]. With a QKA protocol, two or more participants can establish a secret key over unsafe public channels. In contrast to quantum key distribution (QKD), in which the sender determines the key and then distributes it to the receiver, each participant in a QKA protocol contributes equally to the final key. The final key cannot be determined by any non-trivial subset of participants. The security of most classical KA protocols [2–11] relies on unproved assumptions of computational complexity, while the security of a QKA protocol is guaranteed by principles of quantum mechanics, such as Heisenberg’s uncertainty principle and the quantum no-cloning theorem. This security advantage has made QKA a research hotspot in recent years, and more and more QKA protocols [12–18] have been proposed. However, the cryptanalysis of QKA protocols has not drawn enough attention. As described by Gao et al. [19], cryptanalysis plays an important role in the development of cryptography: it estimates a protocol’s security level, finds potential loopholes and tries to overcome security issues. In the study of quantum cryptography, quite a few effective attack strategies have been proposed, such as entanglement-swapping attacks [20], channel-loss attacks [21], denial-of-service attacks [22], Trojan horse attacks [23] and participant attacks [24]. Studying these attacks in depth helps us to design new protocols with high security. Among these kinds of attacks, participant attacks deserve more attention. In contrast to an outside attacker, an inside participant, especially in a multi-party quantum cryptographic protocol, usually has more power to attack the protocol because of her/his identity as a participant. Later studies showed that quite a number of quantum cryptographic protocols could not resist participant attacks [25–30].

Recently, Shukla et al. [31] proposed two QKA protocols based on Bell states and Bell measurement, claiming that both protocols were secure against participant attacks and that the security was mainly assured by an orthogonal-state-based eavesdropping checking technique. However, according to a widely accepted security definition for multi-party QKA protocols proposed by Sun et al. [32], we find that Shukla et al.’s three-party QKA protocol is not secure. Any participant in the protocol can directly obtain the other two participants’ secret keys. More seriously, two dishonest participants in the protocol can collude to determine the shared key alone. Furthermore, we will show that there is another minor flaw in their two protocols; that is, eavesdroppers can flip any bit of the final key without introducing any error. In the end, some possible improvements are proposed to avoid these flaws.

2 Brief review of Shukla et al.’s three-party QKA protocol

For completeness, let us first give a brief review of Shukla et al.’s three-party QKA protocol [31]. In the protocol, three participants Alice, Bob and Charlie want to establish a final secret key to which each contributes equally. Four Bell states \(\left| {\psi ^{+}} \right\rangle ,\left| {\psi ^{-}} \right\rangle , \left| {\phi ^{+}} \right\rangle \) and \(\left| {\phi ^{-}} \right\rangle \) are used in the protocol, where \(\left| {\psi ^{\pm }} \right\rangle =\frac{1}{\sqrt{2}}\left( {\left| {00} \right\rangle \pm \left| {11} \right\rangle } \right) ,\left| {\phi ^{\pm }} \right\rangle =\frac{1}{\sqrt{2}}\left( {\left| {01} \right\rangle \pm \left| {10} \right\rangle } \right) \). The details of the protocol are as follows.

  • Step 1 Alice (Bob, Charlie) generates n EPR pairs which are all in state \(\left| {\psi ^{+}} \right\rangle \). Alice (Bob, Charlie) takes one particle from each pair to form sequence \(p_\mathrm{A} \left( {p_\mathrm{B} ,p_\mathrm{C} } \right) \); the remaining particles in each pair compose sequence \(q_\mathrm{A} \left( {q_\mathrm{B} ,q_\mathrm{C} } \right) \). Alice (Bob, Charlie) randomly generates another binary bit sequence \(K_\mathrm{A} \left( {K_\mathrm{B} ,K_\mathrm{C} } \right) =\left( {K_\mathrm{A}^1 ,\ldots ,K_\mathrm{A}^n } \right) \left( {\left( {K_\mathrm{B}^1 ,\ldots ,K_\mathrm{B}^n } \right) ,\left( {K_\mathrm{C}^1 ,\ldots ,K_\mathrm{C}^n } \right) } \right) \) as her/his secret key.

  • Step 2 Alice (Bob, Charlie) prepares n/2 EPR pairs which are all in state \(\left| {\psi ^{+}} \right\rangle \) as decoy photons. Then Alice (Bob, Charlie) concatenates these decoy photons with sequence \(q_\mathrm{A} \left( {q_\mathrm{B} ,q_\mathrm{C} } \right) \) to get sequence \(q_\mathrm{A} ^{\prime }\left( {q_\mathrm{B}^{\prime },q_\mathrm{C}^{\prime }} \right) \). Subsequently, Alice (Bob, Charlie) applies a permutation operator \(\left( {\Pi _{2n} } \right) _\mathrm{A} \left( {\left( {\Pi _{2n} } \right) _\mathrm{B} ,\left( {\Pi _{2n} } \right) _\mathrm{C} } \right) \) on the sequence \(q_\mathrm{A} ^{\prime }\left( {q_\mathrm{B}^{\prime },q_\mathrm{C}^{\prime }} \right) \) to get sequence \(q_\mathrm{A}^{{\prime }{\prime }}\left( {q_\mathrm{B}^{{\prime }{\prime }},q_\mathrm{C} ^{\prime \prime }} \right) \) and then sends the new sequence to Bob (Charlie, Alice).

  • Step 3 Bob (Charlie, Alice) sends an authentic acknowledgment of receipt to Alice (Bob, Charlie) through an ordinary public communications channel. As described by Bennett and Brassard [33], the channel is assumed to be susceptible to eavesdropping but not to the injection or alteration of messages. Alice (Bob, Charlie) announces the details of permutation operator \(\left( {\Pi _{2n} } \right) _\mathrm{A} \left( {\left( {\Pi _{2n} } \right) _\mathrm{B} ,\left( {\Pi _{2n} } \right) _\mathrm{C} } \right) \). Bob (Charlie, Alice) computes the error rate. If all three error rates are found to be within a tolerable limit, they continue to the next step; otherwise they stop the protocol. In a real-life quantum cryptographic system, the photons in transmission will inevitably interact with the environment. The tolerable limit is the theoretical bound on the error rate that a quantum cryptographic protocol can tolerate. The limit mainly depends on the type of protocol and the way of classical post-processing. Gottesman and Lo showed that the BB84 protocol [33] with two-way classical communications during post-processing can tolerate a bit error rate of up to 18.9 %, while the BB84 protocol with one-way classical communications can only tolerate a bit error rate of 11.1 %. A similar six-state QKD protocol with two-way classical communications can tolerate a bit error rate of up to 26.4 % [34].

  • Step 4 After having discarded all decoy photons, according to the ith bit \(K_\mathrm{B}^i \left( {K_\mathrm{C}^i ,K_\mathrm{A}^i } \right) \), Bob (Charlie, Alice) performs I or X on the ith particle in \(q_\mathrm{A} \left( {q_\mathrm{B} ,q_\mathrm{C} } \right) \) to obtain a new sequence \(r_\mathrm{B} \left( {r_\mathrm{C} ,r_\mathrm{A} } \right) \). Bob (Charlie, Alice) prepares another n/2 EPR pairs which are all in state \(\left| {\psi ^{+}} \right\rangle \) as decoy photons. Bob (Charlie, Alice) concatenates these n/2 EPR pairs with \(r_\mathrm{B} \left( {r_\mathrm{C} ,r_\mathrm{A} } \right) \) and then applies \(\left( {\Pi _{2n} } \right) _\mathrm{B}^{\prime }\left( {\left( {\Pi _{2n} } \right) _\mathrm{C}^{\prime },\left( {\Pi _{2n} } \right) _\mathrm{A}^{\prime }} \right) \) on the sequence to obtain a new sequence \(r_\mathrm{B}^{\prime }\left( {r_\mathrm{C}^{\prime },r_\mathrm{A}^{\prime }} \right) \). Bob (Charlie, Alice) sends the new sequence to Charlie (Alice, Bob).

  • Step 5 After having received the authentic acknowledgment of the receipt of sequence \(r_\mathrm{B}^{\prime }\left( {r_\mathrm{C}^{\prime },r_\mathrm{A} ^{\prime }} \right) \) from Charlie (Alice, Bob), Bob (Charlie, Alice) announces the coordinates of the decoy photons. Charlie (Alice, Bob) computes the error rate. If the computed error rates are found to be within the tolerable limit, Bob (Charlie, Alice) announces the coordinates of the message qubits; otherwise they stop the protocol.

  • Step 6 After having discarded all decoy photons, according to the ith bit \(K_\mathrm{C}^i \left( {K_\mathrm{A}^i ,K_\mathrm{B}^i } \right) \), Charlie (Alice, Bob) performs I or Z on the ith particle in \(r_\mathrm{B} \left( {r_\mathrm{C} ,r_\mathrm{A} } \right) \) to obtain a new sequence \(s_\mathrm{C} \left( {s_\mathrm{A},s_\mathrm{B} } \right) \). Charlie (Alice, Bob) prepares another n/2 EPR pairs which are all in state \(\left| {\psi ^{+}} \right\rangle \) as decoy photons. Charlie (Alice, Bob) concatenates these n/2 EPR pairs with \(s_\mathrm{C} \left( {s_\mathrm{A} ,s_\mathrm{B} } \right) \) and then applies \(\left( {\Pi _{2n} } \right) _\mathrm{C}^{{\prime }{\prime }}\left( {\left( {\Pi _{2n} } \right) _\mathrm{A}^{{\prime }{\prime }},\left( {\Pi _{2n} } \right) _\mathrm{B}^{{\prime }{\prime }}} \right) \) on the sequence to obtain sequence \(s_\mathrm{C}^{\prime }\left( {s_\mathrm{A}^{\prime },s_\mathrm{B}^{\prime }} \right) \). Charlie (Alice, Bob) sends the new sequence to Alice (Bob, Charlie).

  • Step 7 Charlie (Alice, Bob) and Alice (Bob, Charlie) check the security of the transmission as in Step 5.

  • Step 8 After having discarded all decoy photons, Alice (Bob, Charlie) rearranges the received sequence and then performs Bell state measurements on the particle pairs in sequences \(p_\mathrm{A} \left( {p_\mathrm{B} ,p_\mathrm{C} } \right) \) and \(s_\mathrm{C} \left( {s_\mathrm{A} ,s_\mathrm{B} } \right) \) to obtain the other two participants’ secret keys.

3 Security analysis of Shukla et al.’s three-party QKA protocol

Shukla et al. claimed that the protocol was secure because it was designed along the lines of an existing protocol [15] with a modified strategy of eavesdropping checking [35, 36]. However, in this section, we will show that Shukla et al.’s three-party QKA protocol is not secure and cannot achieve the privacy and fairness properties. Then, we will show that there is another minor flaw in Shukla et al.’s two protocols; that is, eavesdroppers can flip any bit of the final key without introducing any error. As described in Ref. [32], a secure multi-party QKA protocol should satisfy the following four security properties.

  • Correctness Each participant involved in the protocol could get the correct shared key.

  • Security An outside eavesdropper cannot get any useful information about the final shared key without being detected.

  • Privacy No participant in the protocol can learn any useful information about another participant’s secret key, i.e., the sub-secret keys of the participants can be kept secret in the protocol. In the view of information theory, the probability that each participant can succeed in deducing any one bit of another participant’s sub-secret key is 50 %.

  • Fairness All involved participants are entirely peer entities and can equally influence the final shared key. In the view of information theory, the probability that a non-trivial subset of the participants can succeed in determining the shared key alone is negligible.

3.1 The defect on privacy

We first show that Shukla et al.’s three-party QKA protocol cannot achieve the privacy property. In step 8, Alice (Bob, Charlie) performs Bell-state measurements on the corresponding particle pairs in \(p_\mathrm{A} \left( {p_\mathrm{B} ,p_\mathrm{C} } \right) \) and \(s_\mathrm{C} \left( {s_\mathrm{A} ,s_\mathrm{B} } \right) \). If the measurement result is \(\left| {\psi ^{+}} \right\rangle \), Alice (Bob, Charlie) can deduce that the first operator applied by Bob (Charlie, Alice) and the second operator applied by Charlie (Alice, Bob) are I and I, respectively. Then Alice (Bob, Charlie) can further deduce that the corresponding bits in Bob’s (Charlie’s, Alice’s) sub-key and Charlie’s (Alice’s, Bob’s) sub-key are 0 and 0, respectively. If the measurement result is \(\left| {\psi ^{-}} \right\rangle \), Alice (Bob, Charlie) can deduce that the corresponding bits in Bob’s (Charlie’s, Alice’s) sub-key and Charlie’s (Alice’s, Bob’s) sub-key are 0 and 1, respectively. If the measurement result is \(\left| {\phi ^{+}} \right\rangle \), Alice (Bob, Charlie) can deduce that the corresponding bits in Bob’s (Charlie’s, Alice’s) sub-key and Charlie’s (Alice’s, Bob’s) sub-key are 1 and 0, respectively. If the measurement result is \(\left| {\phi ^{-}} \right\rangle \), Alice (Bob, Charlie) can deduce that the corresponding bits in Bob’s (Charlie’s, Alice’s) sub-key and Charlie’s (Alice’s, Bob’s) sub-key are 1 and 1, respectively. So it is obvious that the protocol cannot achieve the privacy property.

3.2 The defect on fairness

Next, we show that any two dishonest participants in the protocol can collude to determine the shared secret key, so the protocol cannot achieve the fairness property. Without loss of generality, we suppose that Alice and Bob are the two dishonest participants. In step 4, Alice (Bob) first performs unitary operations on the particles in \(q_\mathrm{C} \left( {q_\mathrm{A} } \right) \) according to the corresponding bit in \(K_\mathrm{A} \left( {K_\mathrm{B} } \right) \) to get \(r_\mathrm{A} \left( {r_\mathrm{B} } \right) \). Alice (Bob) concatenates \(r_\mathrm{A} \left( {r_\mathrm{B} } \right) \) with n/2 newly prepared decoy photons and then applies \(\left( {\Pi _{2n} } \right) _\mathrm{A}^{\prime }\left( {\left( {\Pi _{2n} } \right) _\mathrm{B}^{\prime }} \right) \) on the sequence to obtain \(r_\mathrm{A}^{\prime }\left( {r_\mathrm{B}^{\prime }} \right) \). Alice (Bob) sends \(r_\mathrm{A}^{\prime }\left( {r_\mathrm{B}^{\prime }} \right) \) to Bob (Charlie). At the same time, Charlie generates \(r_\mathrm{C}^{\prime }\) and then sends the sequence to Alice. At the end of step 5, Alice and Bob can deduce Charlie’s unitary operations by performing Bell-state measurement on the corresponding particle pairs in \(p_\mathrm{B} \) and \(r_\mathrm{C} \). Then they can further deduce the corresponding bit in Charlie’s secret key. For example, if Alice and Bob get \(\left| {\psi ^{+}} \right\rangle \), they deduce that Charlie’s unitary operation is I, which means that the corresponding bit in Charlie’s secret key is 0. If Alice and Bob get \(\left| {\phi ^{+}} \right\rangle \), they deduce that the corresponding bit in Charlie’s secret key is 1.

In step 6, if Alice and Bob do not want to determine the shared key alone, they perform I or Z on the corresponding particles in \(r_\mathrm{C}\) and \(r_\mathrm{A} \) to get \(s_\mathrm{A}\) and \(s_\mathrm{B}\), respectively. Alice (Bob) prepares n/2 decoy photons and then inserts them into \(s_\mathrm{A} \left( {s_\mathrm{B} } \right) \). Alice (Bob) applies \(\left( {\Pi _{2n} } \right) _\mathrm{A}^{{\prime }{\prime }}\left( {\left( {\Pi _{2n} } \right) _\mathrm{B}^{{\prime }{\prime }}} \right) \) on the mixed sequence to obtain \(s_\mathrm{A}^{\prime }\left( {s_\mathrm{B}^{\prime }} \right) \) and then sends the sequence to Bob (Charlie). At the same time, Charlie performs I or Z on the corresponding particle in \(r_\mathrm{B} \) to get \(s_\mathrm{C} \). After having inserted decoy photons into \(s_\mathrm{C} \), Charlie applies \(\left( {\Pi _{2n} } \right) _\mathrm{C}^{{\prime }{\prime }}\) on the mixed sequence to obtain \(s_\mathrm{C}^{\prime }\) and then sends the sequence to Alice. In step 8, after having discarded all decoy photons, Alice (Bob, Charlie) can deduce the other two participants’ secret keys by performing Bell-state measurement on the corresponding particle pairs in \(p_\mathrm{A} \left( {p_\mathrm{B} ,p_\mathrm{C} } \right) \) and \(s_\mathrm{C} \left( {s_\mathrm{A} ,s_\mathrm{B} } \right) \). Table 1 shows the relations between Alice’s (Bob’s, Charlie’s) first unitary operations, Bob’s (Charlie’s, Alice’s) second unitary operations and Charlie’s (Alice’s, Bob’s) measurement results.

Table 1 Relations between Alice’s (Bob’s, Charlie’s) first unitary operations, Bob’s (Charlie’s, Alice’s) second unitary operations and Charlie’s (Alice’s, Bob’s) measurement results

However, if Alice and Bob want to determine the shared key alone, they can do so as follows. We know that Alice and Bob can deduce Charlie’s secret key by performing Bell-state measurement on the particle pairs in \(p_\mathrm{B}\) and \(r_\mathrm{C}\) at the end of step 5. In step 6, Bob can choose a different unitary operation \(U_i^\dagger =U_{2K_\mathrm{C}^i } U_{2K_\mathrm{B}^i } \) to perform on the ith particle in \(r_\mathrm{A}\) to get \(s_\mathrm{B}^{\dagger }\), and the corresponding particle pair in \(p_\mathrm{C}\) and \(s_\mathrm{B}^{\dagger }\) will be in state \(\left( {I\otimes U_i^\dagger } \right) \left( {I\otimes U_{K_\mathrm{A}^i } } \right) \left| {\psi ^{+}} \right\rangle \); for the sake of clarity, we use \(U_0, U_1 \) and \(U_2\) to represent I, X and Z, respectively. Table 2 shows the relations between Alice’s secret key, Bob’s secret key, Charlie’s secret key and Charlie’s measurement results after Bob has performed \(U_i^\dagger \) on the ith particle in \(r_\mathrm{A} \). After having inserted decoy photons into \(s_\mathrm{B}^{\dagger }\), Bob applies \(\left( {\Pi _{2n} } \right) _\mathrm{B}^{{\prime }{\prime }}\) to the mixed sequence to obtain sequence \(s_\mathrm{B}^{\dagger \dagger }\) and then sends \(s_\mathrm{B}^{\dagger \dagger }\) instead of \(s_\mathrm{B}^{\prime }\) to Charlie. After having checked the security of the transmission with Bob, Charlie performs Bell-state measurement on the corresponding particle pairs in \(p_\mathrm{C}\) and \(s_\mathrm{B}^{\dagger }\) to deduce the other two participants’ secret keys.

Table 2 Relations between Alice’s secret key, Bob’s secret key, Charlie’s secret key and Charlie’s measurement results after Bob has performed \(U_i^\dagger \) on the corresponding particles in sequence \(r_\mathrm{A}\)

Analyzing Table 2, we find that Alice and Bob can completely offset the role of Charlie in the generation of the final key by performing a different unitary operation \(U_i^\dagger \) on the ith particle in sequence \(r_\mathrm{A}\). The final key is then determined by Alice and Bob, Charlie cannot equally influence the final shared key, and the protocol cannot achieve the fairness property. We take the generation of a 4-bit key as an example to show the attack; without loss of generality, we suppose that Alice and Bob want to generate a shared key \(K=1111\) alone. Alice first generates a 4-bit sequence 0101 as her secret key; in other words, \(K_\mathrm{A} =0101,K_\mathrm{B} =K\oplus K_\mathrm{A} =1010\). Without loss of generality, we suppose that Charlie’s secret key is \(K_\mathrm{C} =1101\). In step 4, after having discarded all decoy photons, Alice (Bob, Charlie) performs \(U_{K_\mathrm{A}^i } \left( {U_{K_\mathrm{B}^i } ,U_{K_\mathrm{C}^i } } \right) \left( {i=1,2,3,4} \right) \) on the ith particles in \(q_\mathrm{C} \left( {q_\mathrm{A} ,q_\mathrm{B} } \right) \), where \(K_\mathrm{A}^1 =0,K_\mathrm{A}^2 =1,K_\mathrm{A}^3 =0,K_\mathrm{A}^4 =1\), \(K_\mathrm{B}^1 =1,K_\mathrm{B}^2 =0,K_\mathrm{B}^3 =1,K_\mathrm{B}^4 =0\), \(K_\mathrm{C}^1 =1,K_\mathrm{C}^2 =1,K_\mathrm{C}^3 =0\) and \(K_\mathrm{C}^4 =1\). The states of the corresponding particle pairs in \(p_\mathrm{B}\) and \(r_\mathrm{C}\) will be changed to \(\left| {\phi ^{+}} \right\rangle ,\left| {\phi ^{+}} \right\rangle ,\left| {\psi ^{+}} \right\rangle \) and \(\left| {\phi ^{+}} \right\rangle \), respectively. At the end of step 5, Alice and Bob first perform Bell-state measurement on the corresponding particle pairs in \(p_\mathrm{B}\) and \(r_\mathrm{C} \) to get Charlie’s secret key 1101. In step 6, Bob performs \(U_i^\dagger =U_{2K_\mathrm{C}^i } U_{2K_\mathrm{B}^i }\) on the ith particles in \(r_\mathrm{A}\) to get sequence \(s_\mathrm{B}^{\dagger }\). According to Table 2, we can deduce that the states of the corresponding particle pairs in \(p_\mathrm{C} \) and \(s_\mathrm{B}^{\dagger }\) are \(\left| {\psi ^{+}} \right\rangle ,\left| {\phi ^{-}} \right\rangle ,\left| {\psi ^{-}} \right\rangle \) and \(\left| {\phi ^{-}} \right\rangle \), respectively. After having performed Bell-state measurement on the corresponding particle pairs in \(p_\mathrm{C}\) and \(s_\mathrm{B}^{\dagger }\), Charlie deduces that Alice’s secret key and Bob’s secret key are 0101 and 0111, respectively. Then Charlie further computes the final shared key \(K=\left( {0\oplus 0\oplus 1,1\oplus 1\oplus 1,0\oplus 1\oplus 0,1\oplus 1\oplus 1} \right) =1111\). However, the key has been determined before the execution of the protocol, and Charlie cannot detect the attack.

The above analysis shows that Shukla et al.’s three-party QKA protocol [31] cannot achieve the privacy and fairness properties. Next, we show that there is another minor flaw in Shukla et al.’s two protocols; that is, eavesdroppers can flip any bit of the final key without introducing any error. We again take Shukla et al.’s three-party QKA protocol as an example. If an attacker performs \(U_1\) or \(U_2\) on each particle in \(q_\mathrm{A}^{{\prime }{\prime }}\left( {q_\mathrm{B}^{{\prime }{\prime }},q_\mathrm{C}^{{\prime }{\prime }}} \right) \) or \(r_\mathrm{A}^{\prime }\left( {r_\mathrm{B}^{\prime },r_\mathrm{C}^{\prime }} \right) \), the state of each decoy photon pair does not change; however, the final states of the corresponding particle pairs in \(p_\mathrm{A} \left( {p_\mathrm{B} ,p_\mathrm{C} } \right) \) and \(s_\mathrm{C} \left( {s_\mathrm{A} ,s_\mathrm{B} } \right) \) may have been changed. In the end, when Alice (Bob, Charlie) performs Bell-state measurements on the corresponding particle pairs in \(p_\mathrm{A} \left( {p_\mathrm{B} ,p_\mathrm{C} } \right) \) and \(s_\mathrm{C} \left( {s_\mathrm{A} ,s_\mathrm{B} } \right) \), she/he may obtain a wrong final bit. However, the protocols contain no effective eavesdropping checking strategy to prevent this kind of attack.
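The three flaws analysed in this section can be checked numerically. The following Python sketch is an added example, not code from the paper: it models each EPR pair as a four-amplitude state vector and reproduces the decoding of Section 3.1, the 4-bit collusion example of Section 3.2 and the decoy-preserving flip described above. The function names (`decode_table`, `collusion`, `blind_flip`) are hypothetical, and permutations, decoy insertion and channel noise are left out.

```python
# Added illustration (not from the paper): pure-Python two-qubit state vectors.
from math import sqrt

S = 1 / sqrt(2)
# Basis order |00>, |01>, |10>, |11>; Bell-state names follow Section 2 of the page.
BELL = {
    "psi+": [S, 0, 0, S],
    "psi-": [S, 0, 0, -S],
    "phi+": [0, S, S, 0],
    "phi-": [0, S, -S, 0],
}
I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]
U = {0: I2, 1: X, 2: Z}  # U_0, U_1, U_2 as named in Section 3.2


def apply(state, first, second):
    """Return (first tensor second)|state> for 2x2 operators on particles 1 and 2."""
    out = [0.0] * 4
    for a in range(2):
        for b in range(2):
            for c in range(2):
                for d in range(2):
                    out[2 * c + d] += first[c][a] * second[d][b] * state[2 * a + b]
    return out


def bell_measure(state):
    """Name the Bell state that `state` equals up to a global phase."""
    for name, vec in BELL.items():
        if abs(abs(sum(x * y for x, y in zip(vec, state))) - 1) < 1e-9:
            return name
    raise ValueError("not a Bell state")


def decode_table():
    """Section 3.1: step-8 outcome -> (bit of step-4 sender, bit of step-6 sender)."""
    table = {}
    for k4 in (0, 1):
        for k6 in (0, 1):
            pair = apply(BELL["psi+"], I2, U[k4])      # I or X in step 4
            pair = apply(pair, I2, U[2 * k6])          # I or Z in step 6
            table[bell_measure(pair)] = (k4, k6)
    return table


def collusion(target, k_a, k_c):
    """Section 3.2: Alice and Bob fix Charlie's final key to `target` in advance."""
    table = decode_table()
    # End of step 5: measuring (p_B, r_C) reveals Charlie's step-4 operation.
    learned = [table[bell_measure(apply(BELL["psi+"], I2, U[k]))][0] for k in k_c]
    k_b = [t ^ a for t, a in zip(target, k_a)]         # K_B = K xor K_A
    states = []
    for a, b, c in zip(k_a, k_b, learned):
        pair = apply(BELL["psi+"], I2, U[a])           # Alice, step 4, on q_C
        pair = apply(pair, I2, U[2 * b])               # Bob, step 6: U_dagger =
        pair = apply(pair, I2, U[2 * c])               #   U_{2K_C} U_{2K_B}
        states.append(bell_measure(pair))
    seen_a = [table[s][0] for s in states]             # what Charlie decodes in step 8
    seen_b = [table[s][1] for s in states]
    final = [a ^ b ^ c for a, b, c in zip(seen_a, seen_b, k_c)]
    return {"learned": learned, "states": states, "alice": seen_a,
            "bob": seen_b, "final": final}


def blind_flip(op):
    """End of Section 3: one Pauli applied to every travelling particle."""
    decoy = bell_measure(apply(BELL["psi+"], op, op))    # both decoy halves travel
    message = bell_measure(apply(BELL["psi+"], I2, op))  # only one message half travels
    return decoy, message


if __name__ == "__main__":
    # The 4-bit example from the text: K = 1111, K_A = 0101, K_C = 1101.
    print(collusion([1, 1, 1, 1], [0, 1, 0, 1], [1, 1, 0, 1]))
    print(blind_flip(X), blind_flip(Z))
```

The `blind_flip` result makes the detection gap concrete: the decoy pair stays in \(\left| {\psi ^{+}} \right\rangle \) under the same Pauli on both halves, while the message pair changes state.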

4 Improvements to Shukla et al.’s QKA protocols

To avoid the security flaws discussed in the previous section, we propose the following possible improvements to the protocols. In step 4 of Shukla et al.’s second protocol, after having performed I or X on the corresponding particle in \(q_\mathrm{A} \left( {q_\mathrm{B} ,q_\mathrm{C} } \right) \), Bob (Charlie, Alice) randomly chooses another additional unitary operation I or X to perform on the ith particle. In step 6, after having discarded all decoy photons, Charlie (Alice, Bob) still performs I or X on the ith particle in the received sequence if \(K_\mathrm{C}^i \left( {K_\mathrm{A}^i ,K_\mathrm{B}^i } \right) \) is 0 or 1. In step 8, Alice (Bob, Charlie) first announces the details of the additional unitary operation. After having learned the details of the other two participants’ additional unitary operations, Alice (Bob, Charlie) announces the coordinates of the message qubits. Alice (Bob, Charlie) rearranges the sequence and then performs the same additional unitary operation on the ith particle according to Bob’s (Charlie’s, Alice’s) announcements. Alice (Bob, Charlie) performs Bell-state measurement on the corresponding particle pairs in \(p_\mathrm{A} \left( {p_\mathrm{B} ,p_\mathrm{C} } \right) \) and \(s_\mathrm{C} \left( {s_\mathrm{A} ,s_\mathrm{B} } \right) \) to obtain the exclusive OR values of the other two participants’ secret keys. At the end of these two protocols, all participants randomly choose some bits from the generated key for a final eavesdropping check, and they announce each bit in a random sequential order.

Now, we discuss the security of the improved protocols. The strategy of eavesdropping checking for external attacks in our improved protocols is the same as that in Shukla et al.’s second protocol. Shukla et al. have already discussed the unconditional security of this eavesdropping checking strategy, so we mainly focus on the fairness and privacy properties of the protocol. We first consider the fairness property. Without loss of generality, we again suppose that Alice and Bob are two dishonest participants. The success of their attack on Shukla et al.’s second protocol depends on the following two facts. (1) At the end of step 5, Alice and Bob can deduce Charlie’s unitary operations by measuring the particle pairs in which one particle has had a unitary operation performed on it by Charlie. (2) Bob can choose appropriate unitary operations to perform on the particles to offset the role of Charlie. In step 4 of our improved protocol, Charlie first performs \(I\left( X \right) \) on the particle in \(q_\mathrm{B}\) according to his secret key; each EPR pair Bob prepared is then in one of the following two states.

$$\begin{aligned} \left( {I\otimes I} \right) \left| {\psi ^{+}} \right\rangle _{p_\mathrm{B}^i q_\mathrm{B}^i }&= I\otimes I\frac{1}{\sqrt{2}}\left( {\left| {00} \right\rangle +\left| {11} \right\rangle } \right) _{p_\mathrm{B}^i q_\mathrm{B}^i } =\frac{1}{\sqrt{2}}\left( {\left| {00} \right\rangle +\left| {11} \right\rangle } \right) _{p_\mathrm{B}^i r_\mathrm{C}^i } =\left| {\psi ^{+}} \right\rangle _{p_\mathrm{B}^i r_\mathrm{C}^i }, \\ \left( {I\otimes X} \right) \left| {\psi ^{+}} \right\rangle _{p_\mathrm{B}^i q_\mathrm{B}^i }&= I\otimes X\frac{1}{\sqrt{2}}\left( {\left| {00} \right\rangle +\left| {11} \right\rangle } \right) _{p_\mathrm{B}^i q_\mathrm{B}^i } =\frac{1}{\sqrt{2}}\left( {\left| {01} \right\rangle +\left| {10} \right\rangle } \right) _{p_\mathrm{B}^i r_\mathrm{C}^i } =\left| {\phi ^{+}} \right\rangle _{p_\mathrm{B}^i r_\mathrm{C}^i }. \end{aligned} \tag{1}$$

After having performed an additional unitary operation I or X on the ith particle, the above two EPR states will be changed as follows.

$$\begin{aligned} I\otimes X\left| {\psi ^{+}} \right\rangle _{p_\mathrm{B}^i r_\mathrm{C}^i }&= \left| {\phi ^{+}} \right\rangle _{p_\mathrm{B}^i r_\mathrm{C}^i } , \\ I\otimes X\left| {\phi ^{+}} \right\rangle _{p_\mathrm{B}^i r_\mathrm{C}^i}&= \left| {\psi ^{+}} \right\rangle _{p_\mathrm{B}^i r_\mathrm{C}^i } . \end{aligned} \tag{2}$$

At the end of step 5, Alice and Bob perform Bell-state measurement on the corresponding particles in \(p_\mathrm{B}\) and \(r_\mathrm{C}\). If the measurement result Alice and Bob get is \(\left| {\psi ^{+}} \right\rangle \), by analyzing Eqs. (1) and (2) they can deduce that Charlie’s first (additional) unitary operation may be \(I\left( I \right) \) or \(X\left( X \right) \), which means that the corresponding bit in Charlie’s sub-key may be 0 or 1. If the measurement result Alice and Bob get is \(\left| {\phi ^{+}} \right\rangle \), they can deduce that Charlie’s first (additional) unitary operation may be \(I\left( X \right) \) or \(X\left( I \right) \), which means that the corresponding bit in Charlie’s secret key may be 0 or 1 too. We know that Charlie will not announce the details of the additional unitary operation until the protocol proceeds to step 8. So Alice and Bob cannot obtain Charlie’s secret key at the end of step 5. In this situation, Alice and Bob cannot correctly choose appropriate unitary operations to perform on the particles in step 6 to offset the role of Charlie in the generation of the final key, and all Alice and Bob can do is randomly guess Charlie’s first (additional) unitary operation. The probability that a non-trivial subset of the participants (Alice and Bob) can succeed in determining the shared key is \((1/2)^{n}\), and this probability approaches 0 exponentially as n increases. So the protocol achieves the fairness property.

In step 8, if each participant Alice (Bob, Charlie) first announces her/his coordinates of the message qubits and then announces the details of the additional unitary operation, Alice and Bob may launch an attack as follows. Alice and Bob first perform Bell-state measurement on the corresponding photon pairs in \(s_\mathrm{C}\) and \(q_\mathrm{A}\); they can deduce Charlie’s second unitary operations according to the measurement result and Bob’s first and additional unitary operations which have been performed on each particle in step 4, and then they can further deduce Bob’s secret key. Then Alice can choose appropriate additional unitary operations to announce to offset the role of Charlie in the generation of the final key. However, we require that each participant Alice (Bob, Charlie) announces the details of the additional unitary operation before she/he announces the coordinates of the message qubits in step 8, so the attack fails.

Now, let us consider the privacy property. As we adopt the same unitary operations in step 4 and step 6, each participant Alice (Bob, Charlie) can only obtain the exclusive OR values of the other two participants’ secret keys by performing Bell-state measurements on the corresponding particle pairs in \(p_\mathrm{A} \left( {p_\mathrm{B} ,p_\mathrm{C} } \right) \) and \(s_\mathrm{C} \left( {s_\mathrm{A} ,s_\mathrm{B} } \right) \). For example, if the measurement result the participant Alice gets is \(\left| {\psi ^{+}} \right\rangle \left( {\left| {\phi ^{+}} \right\rangle } \right) \), Alice deduces that the exclusive OR value of the corresponding bits in Bob’s secret key and Charlie’s secret key is 0 (1). Here the bit 0 means that the corresponding bits in Bob’s secret key and Charlie’s secret key may be 0 (or 1) and 0 (or 1), respectively, and the bit 1 means that the corresponding bits in Bob’s secret key and Charlie’s secret key may be 0 (or 1) and 1 (or 0), respectively, so the probability that Alice can succeed in deducing the corresponding bit in Bob’s secret key or Charlie’s secret key is only 50 %. For the participants Bob and Charlie, we get similar results. So the protocol achieves the privacy property.
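The fairness and privacy arguments above can be replayed with a bit-level model. The following Python sketch is an added example, not code from the paper: because the improved protocol applies only I and X, it represents each pair by one bit (0 for \(\left| {\psi ^{+}} \right\rangle \), 1 for \(\left| {\phi ^{+}} \right\rangle \), as in Eqs. (1) and (2)) and counts, over all of Charlie's additional operations, how often the colluders can force a chosen key. The function names and the `guess` rule are assumptions of this model; decoys, permutations and noise are left out.

```python
# Added illustration (not from the paper): bit-level model of the improved protocol.
# Only I and X are applied, so by Eqs. (1) and (2) each pair is one bit:
# 0 = |psi+>, 1 = |phi+>, and every X on the travelling particle flips it.
from itertools import product

NEXT = {"A": "B", "B": "C", "C": "A"}  # ring order: Alice -> Bob -> Charlie -> Alice


def honest_run(keys, masks):
    """Run the improved protocol; keys and masks map 'A'/'B'/'C' to bit lists."""
    final, view_after_step4 = {}, {}
    for owner in "ABC":
        first, second = NEXT[owner], NEXT[NEXT[owner]]
        # Step 4: key bit plus a random additional I/X (the mask).
        pair = [k ^ m for k, m in zip(keys[first], masks[first])]
        view_after_step4[first] = list(pair)   # all a Bell measurement shows here
        # Step 6: key bit only, again with I/X.
        pair = [p ^ k for p, k in zip(pair, keys[second])]
        # Step 8: masks are announced first, the owner undoes them, then measures.
        xor_of_others = [p ^ m for p, m in zip(pair, masks[first])]
        final[owner] = [k ^ x for k, x in zip(keys[owner], xor_of_others)]
    return final, view_after_step4


def keys_consistent_with(view_bit):
    """Key bits that could have produced a given step-5 measurement outcome."""
    return {k for k, m in product((0, 1), repeat=2) if k ^ m == view_bit}


def forcing_successes(target, k_a, k_c, guess=lambda view: view):
    """Count Charlie's masks for which Alice and Bob manage to force `target`.

    `guess` is the colluders' rule for turning the step-5 outcome into a guess
    of Charlie's key bit (an assumption of this model, not a rule from the paper).
    """
    n, wins = len(target), 0
    for m_c in product((0, 1), repeat=n):
        view = [k ^ m for k, m in zip(k_c, m_c)]       # measured on (p_B, r_C)
        k_b = [t ^ a ^ guess(v) for t, a, v in zip(target, k_a, view)]
        # Charlie unmasks Alice's step-4 operation in step 8 and sees K_A xor K_B.
        charlie_final = [c ^ a ^ b for c, a, b in zip(k_c, k_a, k_b)]
        wins += charlie_final == target
    return wins, 2 ** n


if __name__ == "__main__":
    # Same 4-bit values as the attack example: K = 1111, K_A = 0101, K_C = 1101.
    print(forcing_successes([1, 1, 1, 1], [0, 1, 0, 1], [1, 1, 0, 1]))
```

For the 4-bit values used in the attack example, the count is 1 success out of 16 masks, matching the \((1/2)^{n}\) bound stated above.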

At the end of these two protocols, we require all participants to randomly choose some bits from the generated key for a final eavesdropping check, and it is obvious that an eavesdropper who wants to flip any bit of the final key will be detected by this final check.

5 Conclusions

In summary, we show that Shukla et al.’s [31] three-party QKA protocol is not secure. Any participant in the protocol can directly obtain the other two participants’ secret keys. More seriously, two dishonest participants in the protocol can collude to determine the shared key alone. Furthermore, we show that there is another flaw in their two protocols; that is, eavesdroppers can flip any bit of the final key without introducing any error. In the end, some possible improvements are proposed to avoid these flaws.