1 Introduction

Cryptography is the basic theory of information security. As an important research content in cryptography key agreement(KA) is one form to distribute keys. As we all know KA has achieved many important achievements in the study of classical cryptography. In 1976, KA was firstly proposed by Diffe and Hellman [1]. In this article, a method for generating a key share for two-parties was proposed. Based on their idea, many KA protocols have been proposed [2,3,4,5,6,7,8,9,10,11]. However, the security of these KA protocols was based on the assumption of computational complexity. With the development of quantum algorithms and quantum computers [12, 13], the classical cryptography protocols are no longer safe. In this sense, quantum cryptography was proposed [14,15,16,17,18,19], including quantum key agreement(QKA).

Quantum cryptography combines quantum mechanics with classical cryptography and safety is independent of the computational complexity of mathematics. In quantum cryptography, QKA is an important way to distribute keys. The first QKA based on quantum teleportation with two participants was presented by Zhou et al. in 2004 [20]. In the same year, Hsueh and Chen put forward another QKA protocol with maximally entangled states [21]. However in 2009, Hwang et al. pointed out that one particular user can determine the final shared key when the QKA can not meet fairness [22, 23]. In 2010, Chong and Hwang proposed a QKA protocol based on BB84 with delayed measurement and unitary operations [24, 25].

There were only two participants in these QKA. With further research of QKA, the first multi-party quantum key agreement (MQKA) protocol with Bell States and Bell measurement was shown by Shi et al. in 2013 [26]. In the same year, Liu et al. pointed out that the protocol of Shi et al. was not safe, they proved that a dishonest participant can determine the final key [27]. At the same time, they showed that the protocol can resist internal attacks by participants with single photon. In the same year, Sun et al. improved the protocol of Liu et al. by adding two positive operations and improved its bit efficiency [28]. Many MQKA protocols [29,30,31,32,33] and their security analysis [34] were given. Most of the above protocols were based on single-particle or Bell states, the efficiency of bits is low. In 2016, Zhu et al. put forward a three-party QKA protocol based on two-photon entanglement states [35]. In the same year, Sun et al. proposed an MQKA protocol based on an entangled six-qubit state [36]. In 2018, Min et al. gave an MQKA protocol using G-like state and Bell state [37]. In the same year, Wang et al. presented a MQKA protocol based on the four-qubit symmetric W-state using block transmission techniques and dense coding methods [38]. Cai et al. proposed a highly efficient MQKA protocol with the five-qubit brown state. Each party performed a single-qubit unitary operations on his local part of brown state [39].

In this paper, we propose a three-party QKA with the quantum Fourier transform. We do not only utilize decoy state and auxiliary particle, but also use quantum Fourier transform(QFT), inverse quantum Fourier transform(QFT− 1) and Controlled-NOT CNOT operator to share the final key. According to our analysis, our protocol is secure against both outside eavesdropping attacks and inside participant attacks.

The rest of this paper is organized as follows. In Section 2, we give preliminaries of this protocol. The three-party QKA protocol is presented in Section 3. In Section 4, we give the security analysis. At last, a short discussion and conclusion are given in Sections 5 and 6, espectively.

2 Preliminaries

Some essential preliminaries are provided in this section.

2.1 The Requirements of QKA

A secure QKA protocol should meet the following three requirements:

  1. (1)

    Correctness: Each participant in the protocol can get the identical shared key.

  2. (2)

    Security: Both an external eavesdropper and participants cannot get any useful information about the final shared key without being detected.

  3. (3)

    Fairness: All involved participants are entirely peer entities and can equally influence the final shared key.

2.2 Operations used in the Protocol

Firstly, we introduce the QFT. The QFT as the quantum version of the standard discrete Fourier operator is a linear operator on qubits. For x, j ∈ {0, 1, ⋯ , N − 1}, the QFT and the inverse QFT are defined as follows [40]:

$$ QFT: |x\rangle\rightarrow\frac{1}{\sqrt{N}}\sum\limits_{j=0}^{N-1}e^{2\pi i\frac{x}{N}j}|j\rangle $$
(1)

and the corresponding QFT− 1 is

$$ QFT^{-1}: |j\rangle\rightarrow\frac{1}{\sqrt{N}}\sum\limits_{x=0}^{N-1}e^{-2\pi i\frac{j}{N}x}|x\rangle. $$
(2)

Obviously, it can be seen that

$$ QFT^{-1}(QFT|x\rangle)=QFT^{-1}(\frac{1}{\sqrt{N}}\sum\limits_{j=0}^{N-1}e^{2\pi i\frac{x}{N}j}|j\rangle)=|x\rangle $$
(3)

The two sets \(V_{1}=\{|x\rangle \}^{N-1}_{x=0}\) and \(V_{2}=\{F|x\rangle \}^{N-1}_{x=0}\), are two common conjugate bases [41].

Then, the CNOT operator is introduced. The CNOT operator is that the first qubit is the control qubit, and the second qubit is the target qubit, with the form of

$$ \left( \begin{array}{cccc} 1 & 0 & 0 &0\\ 0 & 1 & 0 &0\\ 0 & 0 & 0 &1\\ 0 & 0 & 1 &0 \end{array} \right) $$
(4)

The CNOT operator: \(|00\rangle \rightarrow |00\rangle , |01\rangle \rightarrow |01\rangle , |10\rangle \rightarrow |11\rangle , |11\rangle \rightarrow |10\rangle \). If the control qubit sets to |0〉, the target qubit will be left alone. If the control qubit sets to |1〉, the target qubit will be flipped.

Finally, we define a phase operation as

$$ U=\sum\limits_{k=0}^{N-1}e^{2\pi i\frac{k}{N}}|k\rangle\langle k| $$
(5)

and

$$ \begin{array}{@{}rcl@{}} U|x\rangle&=&\frac{1}{\sqrt{N}}\sum\limits_{k=0}^{N-1}e^{2\pi i\frac{k}{N}}|k\rangle\langle k|(\sum\limits_{j=0}^{N-1}e^{2\pi i\frac{x}{N}j}|j\rangle) \end{array} $$
$$ \begin{array}{@{}rcl@{}} &=&\frac{1}{\sqrt{N}}\sum\limits_{j=0}^{N-1}e^{2\pi i\frac{j}{N}(1+x)}|j\rangle \end{array} $$
(6)

According to the theoretical tools above, the three-party protocol based on QFT and random numbers is presented in the following section.

3 The Proposed Three-party QKA Protocol

Without loss of generality, three participants assume that Alice, Bob and Charlie in this QKA protocol. They want to share a key KAKBKC without revealing their respective secret by agreement, here ⊕ denotes the bitwise Exclusive OR. Furthermore, each participant cannot know the keys of any other participants without being discovered before the final key is determined. Three participants in this protocol contribute to the final shared key fairly and equally. The three-party QKA protocol will be proposed in this section. The proposed three-party QKA protocol can be described as follows:

  1. Step 1

    Alice, Bob and Charlie respectively generate a n-bit string KA, KB, KC as their private key,

    $$ K_{A}=\{a_{1},a_{2},\cdots,a_{n}\} $$
    (7)
    $$ K_{B}=\{b_{1},b_{2},\cdots,b_{n}\} $$
    (8)
    $$ K_{C}=\{c_{1},c_{2},\cdots,c_{n}\} $$
    (9)

    meanwhile, they generate a sequence of random numbers

    $$ R_{A}=\{r_{a1}, r_{a2},\cdots,r_{an}\} $$
    (10)
    $$ R_{B}=\{r_{b1}, r_{b2},\cdots,r_{bn}\} $$
    (11)
    $$ R_{C}=\{r_{c1}, r_{c2},\cdots,r_{cn}\} $$
    (12)

    respectively, here jA = (KA + RA)modN, jB = (KB + RB)modN and jC = (KC + RC)modN, ai, bi, ci ∈ {0, 1}, rai, rbi, rci ∈ {0, 1, ⋯ N − 1}, i = 1, 2, ⋯ , n.

  2. Step 2

    Alice(Bob and Charlie) prepares a n-qubits state |jA〉(|jB〉 and |jC〉). Furthermore, |Ak〉, |Bk〉, |Ck〉 is k th qubit of |jA〉, |jB〉 and |jC〉, respectively, where k ∈ 1, 2,⋯ , n. That is, the j th particle of the sequence |jA〉(|jB〉 and |jC〉)is |x〉 if the j th bit in jA(jB and jC) is x.

    $$ |j_{A}\rangle=|A_{1}\rangle|A_{2}\rangle\cdots|A_{n}\rangle $$
    (13)
    $$ |j_{B}\rangle=|B_{1}\rangle|B_{2}\rangle\cdots|B_{n}\rangle $$
    (14)
    $$ |j_{C}\rangle=|C_{1}\rangle|C_{2}\rangle\cdots|C_{n}\rangle $$
    (15)

    Alice(Bob and Charlie) applies QFT to the |Ak〉(|Bk〉 and |Ck〉) and gets the result \(|j_{A^{1}}\rangle \)(\(|j_{B^{1}}\rangle \) and \(|j_{C^{1}}\rangle \)). That is,

    $$ |j_{A^{1}}\rangle=|{A^{1}_{1}}\rangle|{A^{1}_{2}}\rangle\cdots|{A^{1}_{n}}\rangle $$
    (16)
    $$ |j_{B^{1}}\rangle=|{B^{1}_{1}}\rangle|{B^{1}_{2}}\rangle\cdots|{B^{1}_{n}}\rangle $$
    (17)
    $$ |j_{C^{1}}\rangle=|{C^{1}_{1}}\rangle|{C^{1}_{2}}\rangle\cdots|{C^{1}_{n}}\rangle $$
    (18)

    Here,

    $$ |{A^{1}_{k}}\rangle=F|A_{k}\rangle=\frac{1}{\sqrt{N}}\sum\limits_{j=0}^{N-1}e^{2\pi i\frac{A_{k}}{N}j}|j\rangle $$
    (19)
    $$ |{B^{1}_{k}}\rangle=F|B_{k}\rangle=\frac{1}{\sqrt{N}}\sum\limits_{j=0}^{N-1}e^{2\pi i\frac{B_{k}}{N}j}|j\rangle $$
    (20)
    $$ |{C^{1}_{k}}\rangle=F|C_{k}\rangle=\frac{1}{\sqrt{N}}\sum\limits_{j=0}^{N-1}e^{2\pi i\frac{C_{k}}{N}j}|j\rangle $$
    (21)
  3. Step 3

    Alice(Bob and Charlie) prepares n-qubits |0〉 and performs CNOT operator on \(|{A^{1}_{k}}\rangle |0\rangle \)(\(|{B^{1}_{k}}\rangle |0\rangle \) and \(|{C^{1}_{k}}\rangle |0\rangle \)), where \(|{A^{1}_{k}}\rangle \)(\(|{B^{1}_{k}}\rangle \) and \(|{C^{1}_{k}}\rangle \)) is the control qubit and each |0〉 is the target qubit. Here we can get the result state \(|j_{A^{2}}\rangle \)(\(|j_{B^{2}}\rangle \) and \(|j_{C^{2}}\rangle \)), where

    $$ |j_{A^{2}}\rangle=|{A^{2}_{1}}\rangle|{A^{2}_{2}}\rangle\cdots|{A^{2}_{n}}\rangle $$
    (22)
    $$ |j_{B^{2}}\rangle=|{B^{2}_{1}}\rangle|{B^{2}_{2}}\rangle\cdots|{B^{2}_{n}}\rangle $$
    (23)
    $$ |j_{C^{2}}\rangle=|{C^{2}_{1}}\rangle|{C^{2}_{2}}\rangle\cdots|{C^{2}_{n}}\rangle $$
    (24)

    here

    $$ \begin{array}{@{}rcl@{}} |{A^{2}_{k}}\rangle=\frac{1}{\sqrt{N}}\sum\limits_{j=0}^{N-1}e^{2\pi i\frac{A_{k}}{N}j}|j\rangle|j\rangle_{t} \end{array} $$
    (25)
    $$ \begin{array}{@{}rcl@{}} |{B^{2}_{k}}\rangle=\frac{1}{\sqrt{N}}\sum\limits_{j=0}^{N-1}e^{2\pi i\frac{B_{k}}{N}j}|j\rangle|j\rangle_{t} \end{array} $$
    (26)
    $$ \begin{array}{@{}rcl@{}} |{C^{2}_{k}}\rangle=\frac{1}{\sqrt{N}}\sum\limits_{j=0}^{N-1}e^{2\pi i\frac{C_{k}}{N}j}|j\rangle|j\rangle_{t} \end{array} $$
    (27)

    here, the subscript t denotes that the qubits used for transmission.

  4. Step 4

    Alice(Bob and Charlie) randomly selects n decoy particles in the four states |0〉, |1〉, |+〉, |−〉 inserts them into |jt to obtain the sequence |jt, where \(|+\rangle =\frac {1}{\sqrt {2}}(|0\rangle +i|1\rangle )\), \(|-\rangle =\frac {1}{\sqrt {2}}(|0\rangle -i|1\rangle )\). Meanwhile, Alice(Bob and Charlie) records the initial states and corresponding positions of every checking particles, and then sends the sequence \(|j^{*}\rangle _{t}\) to Bob(Charlie and Alice). After confirming that Bob(Charlie and Alice) has received the sequence \(|j^{*}\rangle _{t}\), the three users can calculate the error probability by comparing the measurement results with the initial states of decoy particles. If the error ratio exceeds the predetermined threshold value, she/he declares that the communication is invalid; otherwise, the process continues to the next step.

  5. Step 5

    By deleting the decoy states from \(|j^{*}\rangle _{t}\), Bob(Charlie and Alice) can get the sequence |jt. Bob(Charlie and Alice) applies the operator \(U^{B_{k}}\)(\(U^{C_{k}}\) and \(U^{A_{k}}\)) on the \(|{A^{2}_{k}}\rangle \)(\(|{B^{2}_{k}}\rangle \) and \(|{C^{2}_{k}}\rangle \)), the result state is \(|j_{A^{3}}\rangle \)(\(|j_{B^{3}}\rangle \) and \(|j_{C^{3}}\rangle \)), where, \(|{A^{3}_{k}}\rangle \)(\(|{B^{3}_{k}}\rangle \) and \(|{C^{3}_{k}}\rangle \)) is k-th state of \(|j_{A^{3}}\rangle \)(\(|j_{B^{3}}\rangle \) and \(|j_{C^{3}}\rangle \)),

    $$ \begin{array}{@{}rcl@{}} |{A^{3}_{k}}\rangle=\frac{1}{\sqrt{N}}\sum\limits_{j=0}^{N-1}e^{2\pi i\frac{A_{k}+B_{k}}{N}j}|j\rangle|j\rangle_{t} \end{array} $$
    (28)
    $$ \begin{array}{@{}rcl@{}} |{B^{3}_{k}}\rangle=\frac{1}{\sqrt{N}}\sum\limits_{j=0}^{N-1}e^{2\pi i\frac{B_{k}+C_{k}}{N}j}|j\rangle|j\rangle_{t} \end{array} $$
    (29)
    $$ \begin{array}{@{}rcl@{}} |{C^{3}_{k}}\rangle=\frac{1}{\sqrt{N}}\sum\limits_{j=0}^{N-1}e^{2\pi i\frac{A_{k}+C_{k}}{N}j}|j\rangle|j\rangle_{t} \end{array} $$
    (30)
  6. Step 6

    Bob(Charlie and Alice) first randomly inserts n decoy particles into the ancillary |jt, then sends them to Charlie(Alice and Bob). Each participant performs eavesdropping check as Step 4. They perform the similar process as Step 5 and the following result can be got:

    $$ \begin{array}{@{}rcl@{}} |{A^{4}_{k}}\rangle=\frac{1}{\sqrt{N}}\sum\limits_{j=0}^{N-1}e^{2\pi i(\frac{A_{k}+B_{k}+C_{k}}{N})j}|j\rangle|j\rangle_{t} \end{array} $$
    (31)
    $$ \begin{array}{@{}rcl@{}} |{B^{4}_{k}}\rangle=\frac{1}{\sqrt{N}}\sum\limits_{j=0}^{N-1}e^{2\pi i(\frac{A_{k}+B_{k}+C_{k}}{N})j}|j\rangle|j\rangle_{t} \end{array} $$
    (32)
    $$ \begin{array}{@{}rcl@{}} |{C^{4}_{k}}\rangle=\frac{1}{\sqrt{N}}\sum\limits_{j=0}^{N-1}e^{2\pi i(\frac{A_{k}+B_{k}+C_{k}}{N})j}|j\rangle|j\rangle_{t}. \end{array} $$
    (33)
  7. Step 7

    Charlie(Alice and Bob) randomly inserts n decoy particles into the ancillary |jt, each participant performs eavesdropping check as step 5. Charlie(Alice and Bob) sends ancillary |jt back to Alice(Bob and Charlie), each of them again applies CNOT on her/his n qubits |jt to get the following result,

    $$ \begin{array}{@{}rcl@{}} |{A^{5}_{k}}\rangle=\frac{1}{\sqrt{N}}\sum\limits_{j=0}^{N-1}e^{2\pi i(\frac{A_{k}+B_{k}+C_{k}}{N})j}|j\rangle|0\rangle_{t} \end{array} $$
    (34)
    $$ \begin{array}{@{}rcl@{}} |{B^{5}_{k}}\rangle=\frac{1}{\sqrt{N}}\sum\limits_{j=0}^{N-1}e^{2\pi i(\frac{A_{k}+B_{k}+C_{k}}{N})j}|j\rangle|0\rangle_{t} \end{array} $$
    (35)
    $$ \begin{array}{@{}rcl@{}} |{C^{5}_{k}}\rangle=\frac{1}{\sqrt{N}}\sum\limits_{j=0}^{N-1}e^{2\pi i(\frac{A_{k}+B_{k}+C_{k}}{N})j}|j\rangle|0\rangle_{t} \end{array} $$
    (36)

    where the first n qubits are the control qubit and the corresponding n qubits of the second are the target qubit.

  8. Step 8

    After that, Alice(Bob and Charlie) measures the second n qubits of |0〉t in the computational basis. If the measured result is |0〉, she/he will perform the next step; otherwise she/he thinks that there are one or two dishonest participants, then this protocol will be terminated.

  9. Step 9

    At last, they applies QFT− 1 on n qubits and measures them, they rightly get the \((j_{A}+ j_{B}+ j_{C})mod N\).

  10. Step 10

    Alice, Bob and Charlie compute the hash value \(H((j_{A}+ j_{B}+j_{C})mod N)\) using a pre-shared hash function H. If the hash function values are equal, Alice, Bob and Charlie will simultaneously publish random numbers \(R_{A}, R_{B}, R_{C}\) through the authenticated classical channel, respectively; otherwise, there is at least one dishonest participant and ends the reconstruction phase. Finally, Alice, Bob and Charlie can share the key \(K_{A}\oplus K_{B}\oplus K_{C}\). The illustration of the presented protocol can be shown in Figs. 1 and 2.

    Fig. 1
    figure 1

    The illustration of the protocol

    Full size image
    Fig. 2
    figure 2

    The final shared key by agreement with the three participants

    Full size image

4 Security Analysis

In this section, we will give the correctness and security analysis of the proposed three-party QKA protocol. First, we show that if all parties execute the protocol honestly, they will get the final shared key correctly. Then, we show that it is immune to attacks from internal eavesdropping. Finally, the proposed protocol is secure against external eavesdropping.

4.1 Correctness

The correctness of the proposed protocol means that three participants can correctly share the identical key. We will give proof and analysis of the correctness of the protocol.The correctness proof of protocol

$$ \begin{array}{ll} 1. &U^{B_{k}}|{A^{2}_{k}}\rangle=\sum\limits_{x=0}^{N-1}e^{2\pi i\frac{x}{N}B_{k}}|x\rangle\langle x|(\frac{1}{\sqrt{N}}\sum\limits_{j=0}^{N-1}e^{2\pi i\frac{A_{k}}{N}j}|j\rangle|j\rangle_{t})\\ =&\frac{1}{\sqrt{N}}\sum\limits_{x,j=0}^{N-1}e^{2\pi i\frac{xB_{k}+A_{k}j}{N}}|j\rangle|j\rangle_{t}\\ =&\frac{1}{\sqrt{N}}\sum\limits_{j=0}^{N-1}e^{2\pi i\frac{A_{k}+B_{k}}{N}j}|j\rangle|j\rangle_{t} \end{array} $$

where, \(|{A^{2}_{k}}\rangle =\frac {1}{\sqrt {N}}\sum \limits _{j=0}^{N-1}e^{2\pi i\frac {A_{k}}{N}j}|j\rangle |j\rangle _{t}\), \(U^{B_{k}}=\sum \limits _{x=0}^{N-1}e^{2\pi i\frac {x}{N}B_{k}}|x\rangle \langle x|\).

$$ \begin{array}{ll} 2. &QFT^{-1}(\frac{1}{\sqrt{N}}\sum\limits_{j=0}^{N-1}e^{2\pi i\frac{j_{k}}{N}j}|j\rangle)\\ =&\frac{1}{\sqrt{N}}\sum\limits_{j=0}^{N-1}e^{2\pi i\frac{j_{k}}{N}j}QFT^{-1}|j\rangle\\ =&\frac{1}{\sqrt{N}}\sum\limits_{j=0}^{N-1}e^{2\pi i\frac{j_{k}}{N}j}(\frac{1}{\sqrt{N}}\sum\limits_{x=0}^{N-1}e^{-2\pi i\frac{j}{N}x}|x\rangle)\\ =&\frac{1}{N}\sum\limits_{j,x=0}^{N-1}e^{2\pi i(\frac{j_{k}-x}{N})j}|x\rangle\\ =&|j_{k}mod N\rangle+\frac{1}{N}\sum\limits_{x=0,x\neq j_{k}}^{N-1}(\sum\limits_{j=0}^{N-1} e^{2\pi i(\frac{j_{k}-x}{N})j}|x\rangle)\\ =&|j_{k}mod N\rangle+\frac{1}{N}\sum\limits_{x=0,x\neq j_{k}}^{N-1}0\cdot |x\rangle\\ =&|j_{k}mod N\rangle \end{array} $$

where, \(j_{k}=A_{k}+B_{k}+C_{k}\).

Furthermore,

$$ \begin{array}{@{}rcl@{}} \sum\limits_{j=0}^{N-1}e^{2\pi i\frac{j_{k}}{N}j}=\left\{\begin{array}{ll} 0 & if j_{k}\neq0mod N\\ N & if j_{k}=0mod N \end{array}\right. \end{array} $$

We analyze the correctness of shared key with Alice, Bob and Charlie. After getting the state\(|j_{A^{5}}\rangle \), according to the proof of the correctness, Alice can obtain \((j_{B}+j_{C})mod N\) by \(QFT^{-1}\). Alice’s key is \((j_{A}+j_{B}+j_{C})mod N\). After receiving the \(|j_{B^{5}}\rangle \), Bob can get \((j_{A}+j_{C})modN\), his key is \((j_{A}+j_{B}+j_{C})mod N\). For Charlie, he can determine \((j_{A}+j_{B})mod N\) by \(|j_{C^{5}}\rangle \), his key is \((j_{A}+j_{B}+j_{C})mod N\). After step 10, Alice, Bob and Charlie can obtain \((R_{A}+R_{B}+R_{C})modN\). Therefore, three participants can correctly share the key final key \(K_{A}\oplus K_{B}\oplus K_{C}\).

4.2 Internal Attack

Internal attack means that the participant determines the final key by cooperation or by himself. As known to all, internal attack is more dangerous than outside attack. Therefore, we will primarily focus on the security analysis of this protocol from internal attack. Internal attacks include joint attacks and entanglement measurement attacks, etc.

4.2.1 Joint Attack

Joint attack means that participants collaborate to obtain the final shared key information without being detected. In this protocol, we apply the random numbers and auxiliary particle to resist participant attack.

First, suppose the dishonest participants want to replace their keys with other particles, but they cannot change the final key as they expected. That’s because this protocol uses auxiliary state |0〉. Each participant measures the second n qubits of |0〉t in step 8. If the measured result is |0〉, she/he will perform the next step; otherwise she/he will realize that there are one or two dishonest participants and end this protocol.

Then, suppose Bob and Charlie are dishonest participants and want to cooperate to determine Alice’s key. After step 9, Bob and Charlie can cooperate to obtain the \(j_{A}=(K_{A}+R_{A})modN\), because they cannot know Alice’s random numbers RA in advance, they cannot successfully cooperate to determine Alice’s key KA. Therefore this protocol can resistant to joint attacks.

4.2.2 Entangle-Measure Attack

The entanglement attack means that dishonest participant prepares the auxiliary particle. The dishonest participant first generates an entanglement relationship with the intercepted quantum state, then retransmits it to the other participants. At last, he obtains the final key by measuring the auxiliary particle. Without loss of generality, we suppose Alice is dishonest participant who wants to get the final key alone. In order to achieve it, she will prepare the auxiliary particle |E〉. In this scene, Alice perform a cooperate operation UE on received state as follows:

$$ U_{E}|0\rangle|E\rangle=a|0\rangle|e_{00}\rangle+b|1\rangle|e_{01}\rangle $$
(37)
$$ U_{E}|1\rangle|E\rangle=c|0\rangle|e_{10}\rangle+d|1\rangle|e_{11}\rangle $$
(38)
$$ \begin{array}{@{}rcl@{}} U_{E}|+\rangle|E\rangle&=&\frac{1}{\sqrt{2}}(a|0\rangle|e_{00}\rangle+b|1\rangle|e_{01}\rangle+c|0\rangle|e_{10}\rangle+d|1\rangle|e_{11}\rangle) \end{array} $$
(39)
$$ \begin{array}{@{}rcl@{}} &=&\frac{1}{2}(a|e_{00}\rangle+b|e_{01}\rangle+c|e_{10}\rangle+d|e_{11}\rangle) \end{array} $$
(40)
$$ \begin{array}{@{}rcl@{}} U_{E}|-\rangle|E\rangle&=&\frac{1}{\sqrt{2}}(a|0\rangle|e_{00}\rangle+b|1\rangle|e_{01}\rangle-c|0\rangle|e_{10}\rangle-d|1\rangle|e_{11}\rangle) \end{array} $$
(41)
$$ \begin{array}{@{}rcl@{}} &=&\frac{1}{2}(a|e_{00}\rangle-b|e_{01}\rangle-c|e_{10}\rangle+d|e_{11}\rangle) \end{array} $$
(42)

where \(|a|^{2}+|b|^{2}=1\) and \(|c|^{2}+|d|^{2}=1\), |0〉, |1〉, |+〉, |−〉 represent decoy state. If Alice wants to introduce no error, the equation above must satisfy

$$ \begin{array}{@{}rcl@{}} a=d=1, b=c=0, |e_{00}\rangle=|e_{11}\rangle \end{array} $$
(43)

It means that if and only if Alice particles are |0〉 or |1〉, she will not be detected. If Alice prepares |0〉 or |1〉, she will not get useful information about the final key. Alice can not get the final key without being detected. Therefore, the proposed protocol meets the security and fairness requirement.

4.3 Outside Attack

Outside attack means that the eavesdropper intercepts the key, measures retransmissions, or tampers with a resend key.

4.3.1 Intercept-Resend Attack

During transmission, suppose there is an eavesdropper Eve. Eve intercepts the particles and replaces the previous particles with new ones. He wants to perform the intercept-resend attack on the ancillary |jt. However, he cannot know the positions of the decoy logical particles and the corresponding measurement bases before the eavesdropping check. Moreover, all the decoy particles are chosen from the four states |0〉, |1〉, |+〉, |−〉 randomly, the probability that Eve cannot be detected is 1/4τ, where τ represents the number of decoy particles. He cannot get useful information about the final key without being detected. Therefore, this protocol can resist intercept-resend attack.

5 Discussion

In this paper, we present a three-party QKA protocol based on the QFT. In the proposed protocol, random numbers and hash functions make the protocol be resistant participant attacks. The role of decoys is to resist external attacks. We use the QFT to add classical key information to the phase. For some simple forms of quantum states, we can also replace the QFT with I and X operations to encrypt the information of key. Through these methods, we can design a secure QKA protocol. In theory, it can be generalized as a model for multiparty QKA.

6 Conclusions

In all, the three-party QKA protocol based on the QFT is proposed. In addition, we utilize random numbers, decoy states and a hash function to make this protocol be resistant external attacks and participant attacks. From our analysis, each participant contributes equally and can not get the final key alone without being detected by other participants. It can be seen that this protocol meets the requirements of QKA fairness.