1 Introduction

Quantum communication provides an unconditionally secure way for the transmission of information, by exploiting the principles in quantum mechanics. In recent decades, this field gains much attention of researchers all over the world. There are many important branches of quantum communication for different tasks, such as quantum key distribution (QKD) [1,2,3], quantum secure direct communication (QSDC) [4,5,6,7,8,9,10,11,12], quantum secret sharing (QSS) [13], and so on. QKD supplies a secure way for two remote legitimate parties to create a private key [1,2,3]. The parties in QKD can detect the eavesdropper, say Eve, if she monitors their quantum channel, by picking up a subset of their outcomes obtained with two nonorthogonal measuring bases to check eavesdropping. They can then discard the outcomes when they find Eve. Far different from QKD, QSDC gives an absolutely secure approach for two parties to transmit their secret message directly, without producing the private key in advance. The first QSDC scheme was proposed by Long and Liu [4] and it exploits the properties of Bell states and uses a block transmission technique in 2002. Subsequently, Deng, Long, and Liu [5] clarified the standard criterion for QSDC explicitly in 2003, and they proposed an important two-step QSDC protocol by using the Einstein-Podolsky-Rosen photon pair blocks . Recently, these two-step QSDC protocols [4, 5] were experimentally implemented by two groups [6, 7]. In 2004, Deng and Long [8] introduced the first QSDC protocol based on a sequence of single photons, called quantum one-time pad scheme which has been recently experimentally demonstrated by Hu et al. [9] in a noisy environment with frequency coding. In 2017, Wu et al. [10] proposed a high-capacity QSDC protocol with two-photon six-qubit hyperentangled states. QSS is used to share a secret key among some agents of a boss [13], in which the agents can reconstruct the secret if and only if they collaborate. QSS has a higher requirement than QKD because a potentially dishonest agent may injure the benefit of the boss. The inside attacks will increase largely the difficulty of the design of QSS schemes in practical applications.

Quantum key agreement (QKA)[14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36] is another interesting multiparty quantum communication. It is an extension of classical key agreement [37], by utilizing the principles of quantum mechanics, i.e., quantum no-cloning theorem, Heisenberg uncertainty principle, and the principle of quantum state superposition. Ways of generating the shared keys are different in QKA and QKD protocols. In a QKA protocol, a classical final shared key is derived by two (or more) parties as a function of information contributed by each of them [14], it is generated by all the participants together. But in a QKD protocol, a shared key is decided by one participant and distributed to others. A secure QKA protocol needs to satisfy four properties [15]: correctness, security, fairness, and privacy property. The correctness property requires that each participant should receive the correct secret key. The security property requires that outside eavesdroppers cannot obtain the shared key without being detected. The fairness property indicates that non-trivial subsets of the involved participants can determine the final shared key. And the privacy property requires that the sub-secret key of each participant should not be learned by any other [15]. Those properties make the QKA protocols more suitable for open insecure channels, and make it have the extensive application prospect in open network [16]. Also, they increase the difficulty of designing a secure QKA protocol. In 2004, Zhou et al. [17] proposed a QKA protocol which contains two users and utilizes the quantum teleportation technique. In 2010, Chong et al. [18] proposed a QKA protocol based on the BB84 protocol, utilizing a delayed measurement technique. Nevertheless, only two users are involved in the above protocols [17, 18]. In 2013, Shi et al. [19] presented a multi-party QKA (MQKA) protocol by using the entanglement swapping technique. In the same year, Liu et al. [20] pointed out that Shi et al.’s protocol is not a fair QKA protocol and then put forward another MQKA protocol with single particles. In 2014, a MQKA protocol using Bell state and Bell measurement was proposed by Shukla et al. [21]. In 2016, two MQKA protocol were proposed by Sun et al. with cluster state [22] and six-qubit states [23] respectively. In the same year, Liu et al. [14] calculated the previous MQKA protocols into three categories: the complete-graph-type MQKA protocols [16, 20], the circle-type MQKA protocols [15, 19, 21,22,23,24], and the tree-type MQKA protocol [25]. A circle-type protocol has a higher qubit efficiency than the complete-graph-type one. But in Ref. [25], they described an instructional mode of the attacks to the circle-type MQKA protocols, and claimed that those previous MQKA protocol cannot resist the collusive participant attacks (or called inside attacks). In 2016, Huang et al. [26] proposed a QKA protocol in travelling-mode utilizing single photons and rotation operations. In 2017, Cai et al. [27] presented another MQKA protocol with rotation operations. Subsequently, Cao et al. [28] proposed a MQKA protocol based on quantum search algorithm. Recently, Huang et al. [29] put forward a MQKA protocol with collective detection and rotation operations. Up to now, many other different QKA protocols have been proposed [30,31,32,33,34,35,36].

In this paper, we propose a secure and efficient three-party QKA protocol with Bell states, following partially the idea in previous studies [15, 24]. In our protocol, the idea of quantum dense coding is used [38]. Four unitary operations are used as encoding operations, which are performed by each participant on passing photons. The passing photons contains two parts, the first quantum qubits of Bell states and the single-photon states. Our protocol can prevent dishonest participants learning any useful information about other’s sub-secret key. It can successfully resist both outside attacks and inside attacks. At the end of this protocol, all participants involved can deduce the final shared key simultaneously with very little information about the positions of those single photons announced by others. Moreover, by using the dense coding method, this protocol also prosesses a high efficiency.

2 High-Efficiency Three-Party QKA Protocol

In this QKA protocol, three participants, say Alice, Bob, and Charlie, cooperate to establish a final shared key. The two-photon polarization-entangled Bell states and some single-photon polarization states will be used in our protocol. Four Bell states can be expressed as:

$$ {\displaystyle \begin{array}{rcl}\left|{\phi}^{\pm}\right.rangle& =& \frac{1}{\sqrt{2}}\left(\left|00\right.rangle\pm \left|11\right.rangle\right),\\ {}\left|{\psi}^{\pm}\right.rangle& =& \frac{1}{\sqrt{2}}\left(\left|01\right.rangle\pm \left|10\right.rangle\right),\end{array}} $$
(1)

where \( \left|0\right.rangle \) and \( \left|1\right.rangle \) respectively present the horizontal and vertical polarization states of the single photon. They form a complete orthogonal basis, called Z basis. \( \left|+\right.rangle=\frac{1}{\sqrt{2}}\left(\left|0\right.rangle+\left|1\right.rangle\right) \) and \( \left|-\right.rangle=\frac{1}{\sqrt{2}}\left(\left|0\right.rangle-\left|1\right.rangle\right) \) form another complete orthogonal basis, called X basis. We code the two-photon Bell state \( \left|{\phi}^{+}\right.rangle \) as ‘00’, \( \left|{\phi}^{-}\right.rangle \) as ‘01’, \( \left|{\psi}^{+}\right.rangle \) as ‘10’, \( \left|{\psi}^{-}\right.rangle \) as ‘11’. Furthermore, we code the single-photon state \( \left|0\right.rangle \) as ‘0’, \( \left|1\right.rangle \) as ‘1’.

In our protocol, according to the idea of quantum dense coding [38], we use four unitary operations U00 = I, U01 = σz, U10 = σx and U11 = iσy as the encoding operations. Here σz, σx, σy are the Pauli matrices. If we choose to perform one of those local unitary operations on the first quantum bit of the two-photon system in the state \( \left|{\phi}^{\pm}\right.rangle \) or \( \left|{\psi}^{\pm}\right.rangle \), the transformation of those Bell states can be summarized in Table 1. For single-photon states \( \left|0\right.rangle \) and \( \left|1\right.rangle \), their transformation by the those operations can be shown in Table 2.

Table 1 The transformation of four Bell states \( \left|{\psi}^{\pm}\right.rangle \) and \( \left|{\phi}^{\pm}\right.rangle \) by the unitary operations U00, U01, U10 and U11 performed on the first quantum bits
Full size table
Table 2 The transformation of two single-photon states \( \left|0\right.rangle \) and \( \left|1\right.rangle \) by the unitary operations U00, U01, U10 and U11
Full size table

We assume that the classic channel is authenticated in our protocol, and we utilize the block transmission technique, which was first proposed by Long et al. [4], to ensure the security of transmission. Three participants Alice, Bob and Charlie want to establish a final shared key K. Alice, Bob and Charlie first generate some random bit strings KA, KB and KC as their secret bit strings (or called their sub-secret keys), which can be expressed as:

$$ {\displaystyle \begin{array}{rcl}{K}_A& =& \left({a}_1,{a}_2,\dots, {a}_n\right),\\ {}{K}_B& =& \left({b}_1,{b}_2,\dots, {b}_n\right),\\ {}{K}_C& =& \left({c}_1,{c}_2,\dots, {c}_n\right).\end{array}} $$
(2)

Here ai,bi,ci ∈{00,01,10,11},i = 1,2,…n. So the length of the each bit string is 2n.

The illustration of our three-party QKA protocol are shown in Fig. 1. They can be described in detail as follows.

(Step 1) :

Alice (Bob, Charlie) prepares m two-photon systems SA (SB, SC) in the maximally entangled state \( \left|{\phi}^{+}\right.rangle \) and divides these particles into two ordered sequences, denoted as SA1 and SA2 (SB1 and SB2, SC1 and SC2), respectively. Note that, these particles in SA1 (SB1, SC1) are the first qubits of the systems in \( \left|{\phi}^{+}\right.rangle \), and these particles in SA2 (SB2, SC2) are the second qubits of the systems in \( \left|{\phi}^{+}\right.rangle \). Alice (Bob, Charlie) prepares kn single photons, which are randomly in the state \( \left\{\left|0\right.rangle,\left|1\right.rangle,\left|+\right.rangle,\left|-\right.rangle\right\} \), as the decoy photons. Then, he (she) inserts randomly those decoy photons into the sequence SA1 (SB1, SC1) and sends the sequence to Bob (Charlie, Alice) through the quantum channel.

(Step 2) :

After confirming that Bob (Charlie, Alice) has received the sequence, Alice (Bob, Charlie) announces the positions of the decoy photons and the corresponding basis (Z basis or X basis) for the measurement on each decoy photon. Bob (Charlie, Alice) picks out and measures the decoy photons according to the announcement of Alice (Bob, Charlie). They compare the measurement results with the initial states of the decoy photons. If the error rate exceed the threshold, they abort the protocol; otherwise, they continue their quantum communication to the next step.

Certainly, Bob (Charlie, Alice) should exploit the complex eavesdropping-checking process [39, 40] to prevent an eavesdropper, say Eve, to eavesdrop the quantum communication with Trojan horse attack in this step. As shown in Ref. [40], he should let each photon received pass through a filter with which only the wavelengths close to the operating one can be let in, which is used to filter out Eve’s invisible photons and avoid the invisible photon eavesdropping scheme with which Eve utilizes the fact that the single-photon detector is only sensitive to the photons with a special wavelength. Moreover, Bob (Charlie, Alice) should use a photon number splitter (PNS: 50/50), which is used to divide each signal into two pieces for some of the decoy photons, to defeat the delay-photon Trojan horse attack [40].

(Step 3) :

Bob (Charlie, Alice) randomly inserts l single photons in the state \( \left|0\right.rangle \) into SA1 (SB1, SC1) to form a new sequence \( {S}_{A1}^1 \) (\( {S}_{B1}^1 \), \( {S}_{C1}^1 \)). Note that, m + l = n, n is the half length of the secret bit strings, and l accounts for a very small percentage of n. The purpose of inserting single photons here is to resist the possible attacks from dishonest participants. Then, he (she) performs the unitary operation \( {U}_{b_i} \) (\( {U}_{c_i} \), \( {U}_{a_i} \)) on each photon in \( {S}_{A1}^1 \) (\( {S}_{B1}^1 \), \( {S}_{C1}^1 \)) according to his (her) secret bit string KB (KC, KA). For instance, if bi (ci, ai)= 00, Bob (Alice, Charlie) chooses U00 to perform on the i th photon of \( {S}_{A1}^1 \) (\( {S}_{B1}^1 \), \( {S}_{C1}^1 \)). After the local operations, we denote the new sequence as \( {S}_{A1}^2 \) (\( {S}_{B1}^2 \), \( {S}_{C1}^2 \)). Bob (Charlie, Alice) prepares kn decoy photons which are randomly in the state \( \left\{\left|0\right.rangle,\left|1\right.rangle,\left|+\right.rangle,\left|-\right.rangle\right\} \), and inserts them into the sequence \( {S}_{A1}^2 \) (\( {S}_{B1}^2 \), \( {S}_{C1}^2 \)). Then, Bob (Charlie, Alice) sends the sequence to Charlie (Alice, Bob).

(Step 4) :

After confirming that Charlie (Alice, Bob) has received the sequence, they perform the second eavesdropping check. The checking method is same as that in Step 2. If the error rate exceeds the threshold, they abort the protocol; otherwise, they continue the quantum communication to the next step. Also, Charlie (Alice, Bob) should exploit the complex eavesdropping-checking process [39, 40] to prevent Eve to eavesdrop the quantum communication with Trojan horse attack.

(Step 5) :

After picking out the decoy photons, Charlie (Alice, Bob) performs the unitary operation on each photon in \( {S}_{A1}^2 \) (\( {S}_{B1}^2 \), \( {S}_{C1}^2 \)) according to his (her) secret bit string KC (KA, KB) and form a new sequence \( {S}_{A1}^3 \) (\( {S}_{B1}^3 \), \( {S}_{C1}^3 \)). The encoding method is same as that in Step 3. Then, Charlie (Alice, Bob) prepares kn decoy photons and inserts them into \( {S}_{A1}^3 \) (\( {S}_{B1}^3 \), \( {S}_{C1}^3 \)). After that, Charlie (Alice, Bob) sends it back to Alice (Bob, Charlie).

(Step 6) :

After confirming that Alice (Bob, Charlie) has received the sequence, Alice, Bob and Charlie publicly announce the positions of the single-photon states that he (she) has inserted in Step 3 through the authenticated classic channel. In order to ensure the correctness of this protocol, Alice, Bob and Charlie randomly select a set of positions to check whether each participant has received the correct secret key at the end of this protocol. After that, they perform the third eavesdropping check. The checking method is same as that in Step 4. If the error rate exceeds the threshold, they abort the protocol; otherwise, they continue the quantum communication to the next step.

(Step 7) :

After picking out the decoy photons, the remaining photons form the sequence \( {S}_{A1}^3 \) (\( {S}_{B1}^3 \), \( {S}_{C1}^3 \)). Now, Alice (Bob, Charlie) has the sequences \( {S}_{A1}^3 \) and SA2 (\( {S}_{B1}^3 \) and SB2, \( {S}_{C1}^3 \) and SC2). Note that the length of the sequence SA2 (SB2, SC2) is m, and the length of the sequence \( {S}_{A1}^3 \) (\( {S}_{B1}^3 \), \( {S}_{C1}^3 \)) is n. Then they come to the decoding stage. For these positions where the single-photon states have been inserted, Alice (Bob, Charlie) measures the photons from sequence \( {S}_{A1}^3 \) (\( {S}_{B1}^3 \), \( {S}_{C1}^3 \)) in Z basis, and records the bit string of the outcomes as Ma (Mb, Mc). For the other positions, Alice (Bob, Charlie) performs Bell measurement on the corresponding photon pairs from \( {S}_{A1}^3 \) and SA2 (\( {S}_{B1}^3 \) and SB2, \( {S}_{C1}^3 \) and SC2), and records the bit string of the Bell state measurement results as MA (MB, MC). Then, Alice (Bob, Charlie) computes \( {K_A}^{\prime }={M}_A\parallel {M}_a \) (\( {K_B}^{\prime }={M}_B\parallel {M}_b \), \( {K_C}^{\prime }={M}_C\parallel {M}_c \)), where ∥ presents connecting two strings. After that, Alice (Bob, Charlie) picks out the same positions, as the single-photon state in \( {S}_{A1}^3 \) (\( {S}_{B1}^3 \), \( {S}_{C1}^3 \)), from the bit string KA (KB, KC). He (She) keeps the first bits of the two bits and moves them to the end of bit sequence. After that, he (she) would get a new bit string \( {K_A}^{\ast } \) (\( {K_B}^{\ast } \), \( {K_C}^{\ast } \)). Thus, the length of \( {K_A}^{\ast } \) (\( {K_B}^{\ast } \), \( {K_C}^{\ast } \)) is same as \( {K_A}^{\prime } \) (\( {K_B}^{\prime } \), \( {K_C}^{\prime } \)). And it is easy to verify that \( {K_A}^{\ast}\oplus {K_A}^{\prime }={K_B}^{\ast}\oplus {K_B}^{\prime }={K_C}^{\ast}\oplus {K_C}^{\prime } \) according to Tables 1 and 2. Here ⊕ denotes the addition module 2.

Fig. 1
figure 1

The illustration of our three-party QKA protocol. UA (UB, UC) denotes the unitary operations performed by Alice (Bob, Charlie) according to his (her) secret bit string KA (KB, KC). The solid arrows present the sequence transmitted through the quantum channel with the block transmission technique [4].We ignore the eavesdropping check stages (Step 2, Step 4, Step 6) in this figure for conciseness

Full size image

Finally, for each participant, he (she) can get the same final shared key \( K={K_A}^{\ast}\oplus {K_A}^{\prime }={K_B}^{\ast}\oplus {K_B}^{\prime }={K_C}^{\ast}\oplus {K_C}^{\prime } \). Then, they check whether the final shared key from those positions chosen in Step 6 is consistent. If not, they they abort the protocol.

3 Security Analysis

In this section, we analyze the security of our protocol. For QKA protocol, we not only need to consider the attacks from outside eavesdroppers, but also need to consider the inside attacks being done by dishonest participants. Hence, the security analysis of QKA protocols is more complex than that in QKD protocols.

3.1 Outside Attack

Suppose there is an eavesdropper Eve (not the legitimate participants) who wants to steal the final shared key without being detected by the legitimate participants. To achieve this goal, she must obtain participants’ sub-secret key through some means. Eve mainly has these attack means: intercept-resend attack, measurement-resend attack, entangle-measure attack and Trojan horse attack. Therefore, if we want to demonstrate the security of our protocol against the outside attacks, we must prove that our protocol can resist all those four attack means. Without loss of generality, we take the situation that the sequence is generated by Alice, and sends to Bob and Charlie orderly for example to describe the security of our QKA protocol.

First, let us consider the intercept-resend attack. Eve intercepts the photons at the end of Step 1, Step 3 or Step 5, and replaces them with her own photons to get the sub-secret key of Bob or Charlie. But she cannot pass the eavesdropping check. Eve couldn’t know the information of the decoy photons which are randomly in the state \( \left\{\left|0\right.rangle,\left|1\right.rangle,\left|+\right.rangle,\left|-\right.rangle\right\} \). Therefore, the probability that she will be detected is \( \left(1-{\left(\frac{1}{2}\right)}^{kn}\right) \). If kn is large enough, Eve will be detected with the probability approaching to 100%.

Second, let us consider the measurement-resending attack. Eve intercepts the photons and measures them at the end of Step 1, Step 3 or Step 5, and then resends them to Bob or Charlie. However, Eve can’t distinguish between the target photons and decoy photons before the eavesdropping check process. So She just randomly chooses the measurement bases. As a result, Eve introduces many errors in the eavesdropping stage and exposes herself. The probability that she exposes herself is \( \left(1-{\left(\frac{3}{4}\right)}^{kn}\right) \) which will approach to 100% when kn is large enough.

Now, let us come to the entangle-measuring attack. Eve intercepts the photons at the end of Step 1, Step 3 or Step 5, and employs a unitary operation on the ancillary photons \( \left|E\right.rangle \) and the photons she captured.

Suppose the unitary operation is UE, one can have the relations for the eavesdropping as follows:

$$ {\displaystyle \begin{array}{rcl}{U}_E:\left|0\right.rangle\left|E\right.rangle\to & & \left|0\right.rangle\left|{E}_{00}\right.rangle+\left|1\right.rangle\left|{E}_{01}\right.rangle,\\ {}\left|1\right.rangle\left|E\right.rangle\to & & \left|0\right.rangle\left|{E}_{10}\right.rangle+\left|1\right.rangle\left|{E}_{11}\right.rangle.\end{array}} $$
(3)

Here \( \left|{E}_{00}\right.rangle \), \( \left|{E}_{01}\right.rangle \), \( \left|{E}_{10}\right.rangle \) and \( \left|{E}_{11}\right.rangle \) are pure states determined by UE. In this protocol, we use the decoy photons randomly in the state \( \left\{\left|0\right.rangle,\left|1\right.rangle,\left|+\right.rangle,\left|-\right.rangle\right\} \) to prevent eavesdropping. At the end of Step 1, Step 3 or Step 5, if Eve use the entangle-measure attack, the states \( \left|+\right.rangle \), \( \left|-\right.rangle \) will have the relations:

$$ {\displaystyle \begin{array}{rcl}{U}_E:\left|+\right.rangle\left|E\right.rangle\to & & \frac{1}{2}\left|+\right.rangle\left(\left|{E}_{00}\right.rangle+\left|{E}_{01}\right.rangle+\left|{E}_{10}\right.rangle+\left|{E}_{11}\right.rangle\right)\\ {}& & +\frac{1}{2}\left|-\right.rangle\left(\left|{E}_{00}\right.rangle-\left|{E}_{01}\right.rangle+\left|{E}_{10}\right.rangle-\left|{E}_{11}\right.rangle\right),\\ {}\left|-\right.rangle\left|E\right.rangle\to & & \frac{1}{2}\left|+\right.rangle\left(\left|{E}_{00}\right.rangle+\left|{E}_{01}\right.rangle-\left|{E}_{10}\right.rangle-\left|{E}_{11}\right.rangle\right)\\ {}& & +\frac{1}{2}\left|-\right.rangle\left(\left|{E}_{00}\right.rangle-\left|{E}_{01}\right.rangle-\left|{E}_{10}\right.rangle+\left|{E}_{11}\right.rangle\right).\end{array}} $$
(4)

If Eve wants to introduce no error in the eavesdropping check in Step 2, Step 4 or Step 6, it must satisfy \( \left|{E}_{01}\right.rangle=\left|{E}_{10}\right.rangle=0 \) and \( \left|{E}_{00}\right.rangle=\left|{E}_{11}\right.rangle \). If not, the probability of Eve being detected is \( \left(1-{\left(\frac{1}{2}\right)}^{kn}\right) \).

And if Eve uses the entangle-measure attack to entangle the ancillary photons with the first qubits of \( \left|{\phi}^{+}\right.rangle \), and then one will have the relations:

$$ {U}_E:\left|{\phi}^{+}\right.rangle\left|E\right.rangle\to \kern1.20em \frac{1}{\sqrt{2}}\left(\left|00\right.rangle\left|{E}_{00}\right.rangle+\left|10\right.rangle\left|{E}_{01}\right.rangle+\left|01\right.rangle\left|{E}_{10}\right.rangle+\left|11\right.rangle\left|{E}_{11}\right.rangle\right). $$
(5)

Hence, if Eve wants to introduce no error (not be detected by the legitimate participants), we will have \( {U}_E:\left|{\phi}^{+}\right.rangle\left|E\right.rangle\to \left|{\phi}^{+}\right.rangle\left|{E}_{00}\right.rangle \). Her ancillary photons and the encoded photons are in product states. She cannot get any useful information from measuring the ancillary photons. And we will come to the same conclusion when Eve entangles the ancillary photons with other Bell states or single-photon states. Thus we can say that Eve cannot obtain the sub-secret keys without being detected if she takes the entangle-measure attack.

Finally, our protocol may suffer from the Trojan attack, which take use of the invisible photons. The legitimate participants can use the wavelength quantum filters and PNSs to resist this attack [39, 40].

In conclusion, outside eavesdroppers can not obtain the shared key without being detected. According to the definitions in Ref. [15], our protocol can reach the security property of the QKA protocol.

3.2 Inside Attack

The inside attack can also be seen as a violation of the privacy and fairness property [15]. The inside attack is that one or more dishonest participants want to predetermine the final shared key without being detected. There are two cases, having only one dishonest participant, or having two dishonest participants. If this protocol is immune to two participants attack, it is surely immune to one participant attack. So we only need to consider the second situation. Suppose that Alice and Charlie are two dishonest participants, they want to conclude to determine the final shared key. In our protocol, the transmission route forms a circle. Choosing another two dishonest participants finally returns to the same situation.

Alice and Charlie must first get the sub-secret key of Bob KB before the Step 6. Then they can choose a different unitary operations to preform on the photons and then send back to Bob, or they tell Bob a fake information about the positions of single photons to predetermine the final shared key. In this protocol, the only chance they can get KB before Step 6 is measuring photons in the \( {S}_{A1}^2 \) which have been performed unitary operations by Bob and the photons in SA2 which has been preserved in their hands in the Step 5. But they do not know the positions of single photons which are randomly inserted by Bob, they cannot distinguish which two photons from sequence SA2 and \( {S}_{A1}^2 \) form an EPR pair. They cannot get any useful information of KB to predetermine the final shared key. Thus, all participants involved can equally influence the final shared key. This protocol satisfies the fairness property. And we can see in this protocol, the sub-secret keys of each participant are kept secret during the protocol. Even two dishonest participants cannot get any useful information of the honest participant. Hence this protocol can reach the privacy property. Besides, in Step 6, each participant randomly selects a set of positions to check whether they can conclude the correct secret key at the end of the protocol, ensuring the correctness property of this protocol.

In reality, outside eavesdroppers or inside dishonest participants may hide their attack under the channel noises. The quantum bit error rate introduced by channel noise is about 2%–8.9% [27, 41,42,43,44,45]. But in our protocol, the error rate introduced by outside or inside attack is at least 25%. That is, our protocol will be immune to both the outside and inside attacks. And it can reach the correctness, security, fairness, and privacy property which a secure QKA protocol need to satisfy.

4 Discussion and Summary

Now, we analyze the efficiency of our protocol, and show that the proposed protocol is efficient. According to the definition proposed by Cabello [46], the efficiency of the quantum protocol is:

$$ \eta =\frac{c}{q+b}. $$
(6)

Here, c denotes the number of the secret bits (here in QKA protocol, c denotes the length of the classical final shared key), q refers to the number of qubits transmitted in the quantum channel, and b is the number of classical bits exchanged for decoding the message. In our protocol, comparing with n, l and kn are small quantities. So the efficiency of our protocol \( \eta \approx \frac{2}{3} \). Comparing with previous QKA protocols under this definition of protocol efficiency, i.e. protocols with single photons [15, 20, 27, 29], protocols with Bell states [21, 24, 30], our protocol possess a higher efficiency in the three-party cases. This is because of dense-coding method which enables one qubit to carry two bits of information being used in the protocol. It should make sense that we use the method of inserting some single photons rather than using control strings and performing rotation operations [26, 27, 29] to prevent the inside attacks. With one encoding operation being performed, participant in those protocols can only encode one bit information on one photon while he can encode two bits in our protocol. In order to decode the message, participants in Ref. [26, 27, 29] need to exchange their control strings which are as long as the final shared key. While in our protocol, they only need to exchange very little information about the positions of those single photons. Thus, our protocol is easier to be implemented with less operations performed and less classical bits exchanged under this three-party condition.

According to the classification standard described in Ref. [14], our protocol is a circle-type QKA protocol. And our protocol is not sensitive to collusive attacks (or called inside attacks) according to the above security analysis. Two-photon entangled states and single-photon states are used as the information carriers in our protocol, they can be prepared and controlled [47,48,49,50,51] even at a great distance. And photon states are also of great use in other fields, such as quantum computation [52,53,54,55] and quantum simulation [56, 57]. We utilize the Bell measurement to deduce the final secret key. Four polarization-entangled Bell states can be completely distinguished by the complete Bell state analysis method [58]. Hence, our protocol is feasible under the current technologies and it can be implemented in realistic devices. Certainly, in a practical application of this QKA protocol with a noisy environment, some useful methods should be exploited to depress the influence of noise, such as decoherence-free subspace [59,60,61,62], self-error-rejecting transmission [63,64,65,66], error correction with ancillary qubits [67], entanglement purification [68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83], and entanglement concentration [84,85,86,87,88,89,90,91,92].

In summary, we have proposed a three-party quantum key agreement protocol with Bell states and quantum dense-coding method. We have analyzed the security of our protocol, showing that it is immune to both outside and inside attacks. And it can achieve the the correctness, security, fairness, and privacy property at the same time. Further more, compared with other protocols under this three-party condition, it is also a high-efficiency protocol.