1 Introduction

Key distribution (KD) and key agreement (KA) are two similar cryptographic primitives which allow participants to share a common secret key via insecure channel. Different from KD, in which only one participant decides the private key and then distributes it to the other ones, each party in a KA protocol should contribute its part to the shared key. Hence, in a KA protocol, the generated key cannot be determined by any non-trivial subset of the participants. Compared with KD, KA is obviously of higher security requirements. In addition to have the ability of preventing the external attackers from stealing the key as KD protocols, KA protocols should also have the ability of resisting participant attack, i.e., dishonest participant(s) tries to determine the key alone, which is not required in KD.

It is known that the security of most classical cryptosystems (e.g., classical key agreement) must be based on the assumption of computation complexity. However, with the rapid development of quantum algorithms and quantum computer, classical cryptosystems face more and more austere challenges [1, 2]. In order to solve this problem, people start to research new cryptographic technology, such as quantum cryptography [3]. Quantum cryptography, whose security is assured by the quantum mechanics principles rather than the assumption of computation complexity, has become a hot spot in cryptography. There are many hot research points in quantum cryptography, such as quantum key distribution (QKD) [49], quantum secret direct communication (QSDC) [1016], deterministic secure quantum communication (DSQC) [1720], quantum secret sharing (QSS) [2125], quantum private comparison (QPC) [2628] and quantum signature(QS) [2931].

Quantum key agreement (QKA) [3236] is an important branch of quantum cryptography, which utilizes quantum mechanics to guarantee the security of KD protocols. Different from the security of the classical key agreement which might be susceptible to the strong ability of quantum computation, the security of QKA is simply based on the laws of physics (such as quantum no-cloning theorem and Heisenberg uncertainty principle). Therefore, QKA can resist the threat from an attacker with the ability of quantum computation. In 2004, Zhou et al. [32] presented the first QKA protocol with maximally entangled states. However, Chong et al. [33] pointed out that Zhou et al.’s protocol is susceptible to the participant attack and they also improved it. In 2011, Chong et al. proposed a QKA protocol based on the famous BB84 protocol [4, 34]. In 2012, Shi et al. [35] proposed a new QKA protocol based on EPR pairs and entanglement swapping. Recently, Liu et al. [36] presented a multiparty QKA protocol with single particles.

In this paper, we propose a QKA protocol with EPR pairs and single-particle measurements. The EPR pairs in our protocol should be transmitted with the technique of block transmission, which has been proposed firstly by Long et al. [10]. Block transmission is an important method for transmitting quantum states in quantum information processing, which has been utilized in many quantum cryptographic protocols [1020, 28, 43]. In block transmission, the quantum information carriers are ordered and transmitted in blocks, and the eavesdropping detection is also completed on the blocks. Our protocol has the following merits. First, this protocol can guarantee both the fairness and security of the shared key. Second, in addition to the EPR pairs utilized to establish the shared key, there is no need to consume any extra pairs except the ones used for detecting eavesdropping. Therefore, the intrinsic efficiency for qubits of this protocol is high. In addition, the proposed protocol makes use of EPR pairs as the information carriers and further utilizes single-particle measurements as the main operations. Hence, our protocol has advantages in implementation over the protocol which utilizes Bell measurements [35]. Considering that all the previous QKA protocols [3236] have been designed in ideal channel, we further present a method for sharing EPR pairs between two participants over two kinds of collective-noise channels. By utilizing this method, the QKA protocols (both the protocols presented in this paper and in [35]), which are based on EPR pairs, can be executed in these kinds of collective-noise channels.

The rest of this paper is arranged as follows. In Sect. 2, we present our QKA protocol by using EPR pairs and single-particle measurements. In Sect. 3, we prove that the proposed protocol is secure against both outside attacks and participant attacks. In Sect. 4, the method for sharing EPR pairs between two participants over two kinds of collective-noise channels is presented, and finally we give a short conclusion in Sect. 5.

2 The proposed QKA protocol based on EPR pair block and single-particle measurements

In this section, we introduce our QKA protocol, in which two participants, say Alice and Bob, can share a common secret key with EPR pair block and single-particle measurements. The steps of this protocol can be described as follows (see also Fig. 1).

  1. (1)

    Alice prepares \(n\) EPR pairs in state

    $$\begin{aligned} |\phi ^+\rangle _{A_{i}B_{i}}&= \frac{1}{\sqrt{2}}(|00\rangle +|11\rangle )_{A_iB_i}\nonumber \\&= \frac{1}{\sqrt{2}}(|++\rangle +|--\rangle )_{A_iB_i}, \end{aligned}$$
    (1)

    where \(i=1, 2, \ldots , n\). \(|0\rangle \) and \(|1\rangle \) are the up and down eigenstates of \(\sigma _z, |+\rangle =\frac{1}{2}(|0\rangle +|1\rangle )\) and \(|-\rangle =\frac{1}{2}(|0\rangle -|1\rangle )\) are the up and down eigenstates of \(\sigma _x\). Then she divides these particles into two sequences: \([A_1, A_2, \ldots , A_n]\) (denoted as \(S_A\)) and \([B_1, B_2, \ldots , B_n]\) (denoted as \(S_B\)).

  2. (2)

    For checking eavesdropping, Alice generates \(m\) decoy particles, which are randomly in one of the four states: \(|0\rangle , |1\rangle , |+\rangle \), and \(|-\rangle \). Then she randomly inserts them into the sequence \(S_B\) and sends the new sequence (denoted as \(S^\prime _B\)) to Bob.

  3. (3)

    After confirming that Bob has received the sequence \(S^\prime _B\), Alice announces the positions and the initial states of the decoy particles. Then for each of the decoy particles, Bob measures it in the corresponding basis and compares the measurement outcome with its initial state to check eavesdropping. If there exists no error, Alice and Bob continue to the next step; otherwise, they abort this protocol and restart from step (1).

  4. (4)

    Bob announces a binary string (denoted as \(C\)) of length \(n\). If the \(i\)-th bit in \(C\) is 0 (1), i.e., \(C_i=0\) (1), Alice and Bob measure \(A_{i}\) and \(B_{i}\) in basis \(\sigma _z=\{|0\rangle , |1\rangle \}\, (\sigma _x=\{|+\rangle , |-\rangle \})\), respectively. And if the measurement result is \(|0\rangle \) or \(|+\rangle \) (\(|1\rangle \) or \(|-\rangle \)), they get the key bit 0 (1).

By utilizing the above protocol, two participants (Alice and Bob) can share a common secret key. In this protocol, the secret key shared between Alice and Bob can neither be eavesdropped by outside eavesdroppers nor be determined by one of the two participants alone. That is to say, this protocol can resist not only outside attacks but also participant attacks.

Fig. 1
figure 1

Illustration of the proposed QKA protocol with EPR pairs. Alice prepares a sequence of ordered EPR pairs in \(|\phi ^+\rangle \) and divides them into two partner–particle sequences. She first sends the sequence, which is inserted with decoy particles, to Bob. If the transmission of \(S_B\) is secure, they measure the particles of their sharing EPR pairs in \(\sigma _x\)-basis or \(\sigma _z\)-basis according to Bob’s announced binary string. Here, \(\oplus \) and \(\otimes \) means measuring the particle in \(\sigma _x\)-basis and \(\sigma _z\)-basis, respectively

Full size image

3 Security analysis

In this section, we prove the security of the proposed protocol. First, we consider the outside attacks, then we take into consideration of the participant attacks.

3.1 Outside attack

The process of detecting eavesdropping done by the two participants (Alice and Bob) in this protocol is essentially equivalent to that in the BB84 QKD protocol [4], which has been proved to be unconditionally secure. That is, the decoy particles, which are randomly inserted into \(S_B\), are generated by randomly choosing from one of the two mutually unbiased bases \(\{|0\rangle , |1\rangle \}\) and \(\{|+\rangle , |-\rangle \}\). After Bob obtains the information of the positions and states of the decoy particles, he measures them with the same bases as those chosen by Alice for preparing them. For any outside eavesdropper, the bases used by Bob are random even though they are finally announced publicly as no eavesdropper has the access to the particles in \(S^\prime _B\) after Bob receives them. Just like the situation in the BB84 protocol [4], if an outside attacker eavesdrops in the process of this protocol, his/her eavesdropping actions will inevitably disturb part of the decoy particles and be found by the two participants.

3.2 Participant attack

We first consider the situation that Bob is a dishonest participant who wants to determine the secret key alone. After the eavesdropping check in step (3), the states in Alice’s hand (i.e., \(A_i, i=1,2,3,\ldots ,n\)), as well as the states in Bob’s hand (i.e., \(B_i, i=1,2,3,\ldots ,n\)), are maximally mixed states. Whatever basis Bob chooses in step (4), Alice’s measurement outcomes are random. Even though Bob measures the states in his hand first and then decides which bases to announce, he cannot deterministically control the final key. We take the state \(|\phi ^+\rangle _{A_kB_k}\), for example, suppose Bob wants the \(k\)-th bit in the key to be 1, without loss of generality, we suppose that he measures his particle \(B_k\) in \(\sigma _z\)-basis, the measurement outcome will randomly be \(|0\rangle \) or \(|1\rangle \). If the outcome is \(|1\rangle \) (i.e., the key bit is 1), Bob can announce that \(C_k\) is 0 and he successfully controls this bit. If the outcome is \(|0\rangle \), then Bob can only announce that \(C_k\) is 1. However, when Alice measures \(A_k\) in \(\sigma _x\)-basis, Alice’s measurement result will randomly be \(|+\rangle \) or \(|-\rangle \), which means Alice’s key bit will randomly be 0 or 1. That is to say, the \(k\)-th bit in the key generated by Alice and Bob will be different with a probability of 25 %. Therefore, the key in Alice’s hand will not be identical with the one in Bob’s hand with a probability of \(1\)\((3/4)^n\) provided Bob adopts such attack, especially this probability will be exponentially close to 1 with the increase of \(n\).

Now we consider the situation that Alice is a dishonest participant who wants to determine the secret key alone. Whatever state Bob receives, the measurement outcome of a state cannot be the same in the two mutually unbiased bases. If Alice sends fake states to Bob in order to determine the final key, she would face the same dilemmas as Bob who adopts the above attack, i.e., she cannot determine the key accurately but probably makes the protocol failed. Obviously, Alice’s attack strategy is similar to Bob’s and is more powerful, so here we only analyze Alice’s attack in detail.

Without loss of generality, we take one key bit for example. Suppose Alice wants the key bit to be 0. She prepares the following two-qubit system \(|\varphi \rangle _{AB}\) and sends the subsystem \(B\) to Bob, where

$$\begin{aligned} |\varphi \rangle _{AB}=\sum \limits _{i=1}^{2}\lambda _i|a_i\rangle _A |b_i\rangle _B. \end{aligned}$$
(2)

The right of Eq. (2) is in the form of Schmidt decomposition. The reduced density matrix of system \(B\) is

$$\begin{aligned} \rho _B=|\lambda _1|^2|b_1\rangle \langle b_1|+|\lambda _2|^2|b_2\rangle \langle b_2|. \end{aligned}$$
(3)

When Bob chooses the \(\sigma _z\)-basis, the probability of measurement outcome to be 0 is

$$\begin{aligned} P_0=\mathtt Tr (|\lambda _1|^2|b_1\rangle \langle b_1||0\rangle \langle 0|+|\lambda _2|^2|b_2\rangle \langle b_2||0\rangle \langle 0|). \end{aligned}$$
(4)

When Bob chooses the \(\sigma _x\)-basis, the probability of measurement outcome to be 0 is

$$\begin{aligned} P_+=\mathtt Tr (|\lambda _1|^2|b_1\rangle \langle b_1||+\rangle \langle +|+|\lambda _2|^2|b_2\rangle \langle b_2||+\rangle \langle +|). \end{aligned}$$
(5)

Suppose \(|b_i\rangle =\mu _i|0\rangle +\nu _i|1\rangle \), where \(|\mu _i|^2+|\nu _i|^2=1, i=1,2\). Since \(\langle b_2|b_1\rangle =0\), then

$$\begin{aligned} \mu _1\mu ^*_2+\nu _1\nu ^*_2=0. \end{aligned}$$
(6)

Hence, the probability that Alice succeed to cheat is

$$\begin{aligned} P&= \frac{1}{2}(P_0+P_+)\nonumber \\&= \frac{1}{2}\mathtt Tr [(|\lambda _1|^2|b_1\rangle \langle b_1|+|\lambda _2|^2|b_2\rangle \langle b_2|)(|0\rangle \langle 0|+|+\rangle \langle +|)]\nonumber \\&= \frac{1}{4}[|\lambda _1|^2(2|\mu _1|^2+\mu _1\nu ^*_1+\mu ^*_1\nu _1)\nonumber \\&\quad +|\lambda _2|^2(2|\mu _2|^2+\mu _2\nu ^*_2+\mu ^*_2\nu _2)+1]. \end{aligned}$$
(7)

Without loss of generality, we suppose \(|\lambda _1|=\cos {\alpha }, |\lambda _2|=\sin {\alpha }\) and \(\mu _j=e^{\beta _j i}\cos {\theta _j}, \nu _j=\sin {\theta _j}\), where \(j=1,2\). Then

$$\begin{aligned} P&= \frac{1}{4}[\cos ^2{\alpha }(2\cos ^2{\theta _1}+ 2\cos {\beta _1}\cos {\theta _1}\sin {\theta _1})\nonumber \\&\quad +\sin ^2{\alpha }(2\cos ^2{\theta _2}+2\cos {\beta _2} \cos {\theta _2}\sin {\theta _2})+1]. \end{aligned}$$
(8)

According to Eq. (6),

$$\begin{aligned} \cos {\theta _1}\cos {\theta _2}e^{i(\beta _1-\beta _2)} +\sin {\theta _1}\sin {\theta _2}=0 \end{aligned}$$
(9)

Based on Eq. (9), \(\beta _1\) and \(\beta _2\) must meet the condition: \(\beta _1-\beta _2=k\pi , k\in Z\). The further discussion about the parameters \(\beta _1, \beta _2, \sin {\theta _1}\) and \(\sin {\theta _2}\) is: (a) when \(\beta _1-\beta _2=2k\pi , \cos {\theta _1}\cos {\theta _2}+\sin {\theta _1}\sin {\theta _2}=\cos {(\theta _1-\theta _2)}=0\), i.e., \(\theta _1-\theta _2=k\pi +\frac{\pi }{2}, k\in Z\); (b) when \(\beta _1-\beta _2=2k\pi +\pi , \cos {\theta _1}\cos {\theta _2}-\sin {\theta _1}\sin {\theta _2}=\cos {(\theta _1+\theta _2)}=0\), i.e., \(\theta _1+\theta _2=k\pi +\frac{\pi }{2}, k\in Z\). According to Eq. (8) and the above discussion, we have

$$\begin{aligned} P&\le \frac{1}{4}(2\cos ^2{\alpha }\cos ^2{\theta _1}+2\sin ^2{\alpha }\sin ^2{\theta _1}+2\cos {\theta _1}\sin {\theta _1}+1)\nonumber \\&= \frac{\cos {2\alpha }\cos {2\theta _1}+\sin {2\theta _1}+2}{4} \\&\le \frac{\sqrt{1+\cos ^2{2\alpha }}+2}{4} \nonumber \\&\le \frac{\sqrt{2}+2}{4} \nonumber \\&\approx 0.85.\nonumber \end{aligned}$$
(10)

That is to say, by utilizing the optimal strategy, Alice can successfully control one bit of the key with the probability of 0.85. Therefore, Alice can successfully determine an \(n\)-bit key with a probability of \((0.85)^n\), which will be exponentially close to 0 with the increase of \(n\).

In this section, the security of the proposed QKA protocol is analyzed in detail. It is shown that the outside eavesdropper cannot get any information of the generated key. In addition, neither of the two participants can determine the generated key alone.

4 Fault-tolerant QKA protocols with EPR pair block over two collective-noise channels

To share a common key by the proposed QKA protocol, the two participants should first share a sequence of EPR pairs in \(|\phi ^+\rangle \). In addition, in another QKA protocol [35] which is also based on the property of EPR pairs, the participants should also first share a sequence of EPR pairs which are randomly in one of the four states: \(|\phi ^+\rangle , |\phi ^-\rangle , |\psi ^+\rangle \) and \(|\psi ^-\rangle \}\), where

$$\begin{aligned} |\phi ^\pm \rangle =\frac{1}{\sqrt{2}}(|00\rangle \pm |11\rangle ),\nonumber \\ |\psi ^\pm \rangle =\frac{1}{\sqrt{2}}(|01\rangle \pm |10\rangle ). \end{aligned}$$
(11)

As described in both the two protocols, to share an EPR pair between two participants in theory, one participant can first prepare the EPR pair and then directly send one particle of the pair to the other one.

However, in practical situation, the qubits transmitted in quantum channel often interact with the environment uncontrollably and noises are then introduced in the transmission unexpectedly. The noise will not only decrease the fidelity of the transmitting qubits, but also provide the eavesdropper a chance to disguise the disturbance caused by her eavesdropping actions during the transmission. To combat with the decoherence of quantum qubits caused by the channel noise, some good methods, such as entanglement purification [37], single-photon error rejection [38] and decoherence-free subspace (DFS) [3944], have been proposed. For the schemes based on the ideal of DFS, there is an important precondition named the collective-noise assumption [39, 40]. That is, if several qubits transmit through the noisy channel simultaneously or they are spatially close to each other, the alterations caused by the noise on each of the qubits are identical.

In the collective-noise channel, two participants can no longer share the EPR pairs between each other simply as described in both our protocol and the one in [35]. In the following part, we will introduce an method for sharing all the four kinds of EPR pairs over collective-dephasing noise channel and collective-rotation noise channel, respectively, inspired by the ideals in [43, 44]. This method is very useful since sharing EPR pairs between two participants is an important work in many quantum protocols, especially in the protocols over non-ideal channels. By utilizing this method, both our protocol and the one in [35] can be immune to these two kinds of collective noise.

Herein, we first describe the distribution processes of the EPR pair \(|\psi ^+\rangle \) over the two kinds of collective-noise channels. Obviously, if two participants could successfully share the EPR pair \(|\psi ^+\rangle \) over the collective-noise channels, they can also easily share the other three kinds of EPR pairs \((|\phi ^+\rangle , |\phi ^-\rangle , |\psi ^-\rangle )\). Concretely, if the two users want to share the EPR pairs \(|\phi ^+\rangle \, (|\phi ^-\rangle , |\psi ^-\rangle )\) between each other, they first share \(|\psi ^+\rangle \) and then they can transform \(|\psi ^+\rangle \) to \(|\phi ^+\rangle \, (|\phi ^-\rangle , |\psi ^-\rangle )\) by performing the unitary operation \(U_x \,(U_y, U_z)\) on the first qubit of their EPR pair \(|\psi ^+\rangle \), where

$$\begin{aligned} U_x=|0\rangle \langle 1|+|1\rangle \langle 0|,\quad U_y=|0\rangle \langle 1|-|1\rangle \langle 0|,\quad U_z=|0\rangle \langle 0|-|1\rangle \langle 1|. \end{aligned}$$
(12)

The distribution processes of the state \(|\psi ^+\rangle \) over the two collective-noise channels can be described, respectively, as follows.

4.1 Distribution process of EPR pairs over collective-dephasing channel

The transformation effects of the collective-dephasing noise are illustrated as

$$\begin{aligned} U_{dp}|0\rangle =|0\rangle ,\quad \quad U_{dp}|1\rangle =e^{i\phi }|1\rangle , \end{aligned}$$
(13)

where \(\phi \) is the noise parameter which fluctuates with time. In general, a logical qubit encoded into two physical qubits with antiparallel parity is immune to this kind of noise since these two logical qubits acquire the same global phase factor \(e^{i\phi }\).

$$\begin{aligned} |0\rangle _L\equiv |0\rangle |1\rangle ,\quad \quad |1\rangle _L\equiv |1\rangle |0\rangle . \end{aligned}$$
(14)

Here, \(|0\rangle _L\) and \(|1\rangle _L\) are sufficient to encode one bit of information over collective-dephasing channel. Specifically, an input state of a single qubit can be generally expressed as \(|\vartheta \rangle =a|0\rangle +b|1\rangle \). By appending an auxiliary qubit in state \(|1\rangle \) via the circuits shown in Fig. 2, it will be encoded into the state as

$$\begin{aligned} |\vartheta \rangle _L=a|0\rangle _L+b|1\rangle _L=a|01\rangle +b|10\rangle . \end{aligned}$$
(15)

Obviously, the decoding circuits can be constructed by the same operations in the reverse order. In both the encoding circuits and decoding circuits, time proceeds from left to right.

Fig. 2
figure 2

The encoding circuit for preventing collective-dephasing noise

Full size image

To communicate securely, at least two non-orthogonal measuring bases are needed. One of the bases is \(\{|0\rangle _L, |1\rangle _L\}\), the other one can be chosen as \(\{|+\rangle _L, |-\rangle _L\}\), where

$$\begin{aligned}&|+\rangle _L=\frac{1}{\sqrt{2}}(|0\rangle _L+|1\rangle _L) =\frac{1}{\sqrt{2}}(|++\rangle -|--\rangle ),\nonumber \\&|-\rangle _L=\frac{1}{\sqrt{2}}(|0\rangle _L-|1\rangle _L) =\frac{1}{\sqrt{2}}(|-+\rangle -|+-\rangle ). \end{aligned}$$
(16)

It can be easily verified that \(\{|0\rangle _L, |1\rangle _L\}\) and \(\{|+\rangle _L, |-\rangle _L\}\) form two mutually unbiased bases. The steps of the method for sharing the EPR pairs \(|\psi ^+\rangle \) between two authorized users (Alice and Bob) over collective-dephasing channel can be described as follows.

  1. 1)

    By utilizing the encoding circuits in Fig. 2, Alice first prepares a sequence of quantum entangled states in

    $$\begin{aligned} |\varTheta _{dp}\rangle _{AB}&= \frac{1}{\sqrt{2}} (|0\rangle |1\rangle _L+|1\rangle |0\rangle _L)_{AB}\nonumber \\&= \frac{1}{\sqrt{2}}(|0\rangle |10\rangle +|1\rangle |01\rangle )_{AB_1B_2}. \end{aligned}$$
    (17)

    Then Alice divides these quantum states into two sequences, which are denoted as \(T_A\) and \(T_B\). \(T_A\) is consisted of all the qubits \(A\) in these entangled states and \(T_B\) is made up of the logical qubits \(B\), which is composed of \(B_1\) and \(B_2\).

  2. 2)

    Alice generates \(m\) decoy states, which are randomly in one of the four states: \(|0\rangle _L, |1\rangle _L, |+\rangle _L\) and \(|-\rangle _L\). Then she randomly inserts them into the sequence \(T_B\) to form a new sequence \(T^\prime _B\). After that, Alice sends Bob the sequence \(T^\prime _B\) and preserves the sequence \(T_A\).

  3. 3)

    After Bob confirms the reception of \(T^\prime _B\), Alice announces the positions and the initial states of all the \(m\) decoy states. Then for each one of the decoy states, Bob measures it in \(\sigma _z\otimes \sigma _z\)-basis (\(\sigma _x\otimes \sigma _x\)-basis) if its initial state is \(|0\rangle _L\) or \(|1\rangle _L\) (\(|+\rangle _L\) or \(|-\rangle _L\)). With the measurement outcomes of the \(m\) decoy states, Bob checks eavesdropping according to Table 1. If there exists no eavesdropping, they utilize the remaining states to share the EPR pairs \(|\psi ^+\rangle \) as described in the next step. Otherwise, they abort the states and restart from the begging.

  4. 4)

    For each of the remaining states \(|\varTheta _{dp}\rangle _{AB}\), Bob performs a controlled-NOT operation \(\hbox {CNOT}_{B_1B_2}\) on particles \(B_1\) and \(B_2\) by using particle \(B_1\) as the controller and \(B_2\) as the target. Then the state of the quantum system will be converted from \(|\varTheta _{dp}\rangle _{AB}\) into

    $$\begin{aligned} |\varXi _{dp}\rangle _{AB}&= \frac{1}{\sqrt{2}}(|0\rangle |11\rangle +|1\rangle |01\rangle )_{AB_1B_2}\nonumber \\&= \frac{1}{\sqrt{2}}(|01\rangle +|10\rangle )_{AB_1}\otimes |1\rangle _{B_2}. \end{aligned}$$
    (18)

    Till now, Alice and Bob have securely share a sequence of EPR pairs \(|\psi ^+\rangle _{AB_1}=\frac{1}{\sqrt{2}}(|01\rangle +|10\rangle )_{AB_1}\) over collective-dephasing channel. Of course, if the EPR pair that they want share is \(|\phi ^+\rangle \, (|\phi ^-\rangle , |\psi ^-\rangle )\), they can simply perform the unitary operation \(U_x\, (U_y, U_z)\) on the first qubit of each their shared EPR pairs \(|\phi ^+\rangle \).

Table 1 The possible measurement outcomes which will be obtained by measuring the four states, \(|0\rangle _L, |1\rangle _L, |+\rangle _L\) and \(|-\rangle _L\), in the bases \(\sigma _z\otimes \sigma _z\) and \(\sigma _x\otimes \sigma _x\), respectively
Full size table

4.2 Distribution process of EPR pair block over collective-rotation channel

The transformation effects of the collective-rotation noise are illustrated as

$$\begin{aligned} U_r|0\rangle&= \cos \theta |0\rangle +\sin \theta |1\rangle ,\nonumber \\ U_r|1\rangle&= -\sin \theta |0\rangle +\cos \theta |1\rangle . \end{aligned}$$
(19)

The parameter \(\theta \) are the noise parameter which fluctuates with time. It is known that the two EPR pairs, \(|\varPhi ^+\rangle \) and \(|\varPsi ^-\rangle \), are invariant under the collective-rotation noise. Therefore, we can choose the logical qubits as

$$\begin{aligned} |0_{r}\rangle \equiv |\varPhi ^+\rangle&= \frac{1}{2} (|++\rangle +|--\rangle ),\nonumber \\ |1_{r}\rangle \equiv |\varPsi ^-\rangle&= \frac{1}{2}(|-+\rangle -|+-\rangle ). \end{aligned}$$
(20)

Here, \(|0_{r}\rangle \) and \(|1_{r}\rangle \) are sufficient to encode one bit of information over collective-rotation channel. Concretely, an input state of a single qubit can be generally expressed as \(|\vartheta \rangle =a|0\rangle +b|1\rangle \). By appending an auxiliary qubit in state \(|0\rangle \) via the circuits given in Fig. 3, it is encoded into the following state:

$$\begin{aligned} |\vartheta _r\rangle =a|0_r\rangle +b|1_r\rangle =a|\varPhi ^+ \rangle +b|\psi ^-\rangle . \end{aligned}$$
(21)

Apparently, the decoding circuits can be constructed by the same operations in the reverse order. In both the encoding circuits and decoding circuits, time proceeds from left to right.

Fig. 3
figure 3

The encoding circuit for preventing collective-rotation

Full size image

For secure communication, at least two non-orthogonal bases are required. One of the bases can be \(\{|0\rangle _r, |1\rangle _r\}\), and the other one can be chosen as \(\{|+\rangle _r, |-\rangle _r\}\), where

$$\begin{aligned} |+_{r}\rangle&= \frac{1}{\sqrt{2}}(|0_r\rangle +|1_r\rangle ) =\frac{1}{\sqrt{2}}(|0+\rangle -|1-\rangle ),\nonumber \\ |-_{r}\rangle&= \frac{1}{\sqrt{2}}(|0_r\rangle -|1_r\rangle ) =\frac{1}{\sqrt{2}}(|0-\rangle +|1+\rangle ). \end{aligned}$$
(22)

It can be easily proved that \(|\langle _{r}+|0_{r}\rangle |^{2}=|\langle _{r}+|1_{r}\rangle |^{2} =|\langle _{r}-|0_{r}\rangle |^{2} =|\langle _{r}-|1_{r}\rangle |^{2}=\frac{1}{2}\), which indicates that \(\{|0_{r}\rangle , |1_{r}\rangle \}\) and \(\{|+_{r}\rangle , |-_{r}\rangle \}\) form two mutually unbiased bases. The steps of the method for sharing the EPR pairs \(|\psi ^+\rangle \) between two participants (Alice and Bob) over collective-rotation channel can be described as follows.

  1. a)

    By utilizing the encoding circuits in Fig. 3, Alice first prepares a sequence of quantum entangled states in

    $$\begin{aligned} |\varTheta _r\rangle _{AB}&= \frac{1}{\sqrt{2}}(|0\rangle |0_{r}\rangle -|1\rangle |1_{r}\rangle )_{AB}\nonumber \\&= \frac{1}{2}(|0\rangle (|00\rangle +|11\rangle )-|1\rangle (|01\rangle -|10\rangle ))_{AB_1B_2}\nonumber \\&= \frac{1}{\sqrt{2}}(|sts\rangle +|tst\rangle )_{AB_1B_2}, \end{aligned}$$
    (23)

    where \(|s\rangle =\frac{1}{\sqrt{2}}(|0\rangle +i|1\rangle )\) and \(|t\rangle =\frac{1}{\sqrt{2}}(|0\rangle -i|1\rangle )\) are the up and down eigenstates of \(\sigma _y\). Alice divides these quantum states into two sequences, \(T_A\) and \(T_B\). \(T_A\) is consisted of all the qubits \(A\) in these entangled states and \(T_B\) is made up of the logical qubits \(B\), which is consisted of two physical qubits \(B_1\) and \(B_2\).

  2. b)

    Alice generates \(m\) decoy states which are randomly in one of the four states: \(|0_r\rangle , |1_r\rangle , |+_r\rangle , |-_r\rangle \). Then she randomly inserts them into the sequence \(T_B\) to form a new sequence \(T^\prime _B\). Afterwards, Alice sends Bob the sequence \(T^\prime _B\) and preserves the sequence \(T_A\).

  3. c)

    After Bob confirms the reception of \(T^\prime _B\), Alice announces the positions and the initial states of all the \(m\) decoy states. Then for each one of the decoy states, Bob measures it in \(\sigma _x \otimes \sigma _x\)-basis (\(\sigma _z \otimes \sigma _x\)-basis) if its initial state is \(|0_r\rangle \) or \(|1_r\rangle \) (\(|+_r\rangle \) or \(|-_r\rangle \)). With the measurement outcomes of the \(m\) decoy states, Bob checks eavesdropping according to Table 2. If there exists no eavesdropping, they make use of the remaining states to share the EPR pairs \(|\psi ^+\rangle \) as described in the following steps. Otherwise, they abort the states and restart from the begging.

  4. d)

    Alice and Bob cooperate to perform the operations \(S\otimes S\otimes S\) and \(H\otimes H\otimes H\) on their shared entangled state \(|\varTheta _r\rangle _{AB}\), respectively. Here \(S\) is phase gate and \(H\) is Hadamard gate, where

    $$\begin{aligned} H&= \frac{1}{\sqrt{2}}(|0\rangle \langle 0|+|0\rangle \langle 1| +|1\rangle \langle 0|-|1\rangle \langle 1|),\nonumber \\ S&= |0\rangle \langle 0|+i|1\rangle \langle 1|. \end{aligned}$$
    (24)

    After these operations, the state of the shared quantum system will be transformed from \(|\varTheta _r\rangle _{AB}\) into

    $$\begin{aligned} |\varGamma _{r}\rangle _{AB}=\frac{1}{\sqrt{2}} (|1\rangle |0\rangle |1\rangle +|0\rangle |1\rangle |0\rangle )_{A{B_1}{B_2}}. \end{aligned}$$
    (25)
  5. e)

    For each of the states \(|\varGamma _{r}\rangle _{AB}\), Bob performs a controlled-NOT operation \(\hbox {CNOT}_{B_1B_2}\) on particles \(B_1\) and \(B_2\) by using particle \(B_1\) as the controller and \(B_2\) as the target. Then the state of the quantum system will be converted from \(|\varGamma _{r}\rangle _{AB}\) into

    $$\begin{aligned} |\varDelta _{r}\rangle _{AB}&= \frac{1}{\sqrt{2}}(|1\rangle |0\rangle |1\rangle +|0\rangle |1\rangle |1\rangle )_{A{B_1}{B_2}}\nonumber \\&= \frac{1}{\sqrt{2}}(|01\rangle +|10\rangle )_{AB_1}\otimes |1\rangle _{B_2}. \end{aligned}$$
    (26)

    Till now, Alice and Bob have securely share a sequence of EPR pairs \(|\psi ^+\rangle _{AB_1} =\frac{1}{\sqrt{2}}(|01\rangle +|10\rangle )_{AB_1}\). Of course, if the EPR pair that they want share is \(|\phi ^+\rangle \) \((|\phi ^-\rangle , |\psi ^-\rangle )\), they can simply perform the unitary operation \(U_x\, (U_y, U_z)\) on the first qubit of each their shared EPR pairs \(|\phi ^+\rangle \).

Table 2 The possible measurement outcomes which will be obtained by measuring the four states, \(|0_r\rangle , |1_r\rangle , |+_r\rangle \) and \(|-_r\rangle \), in the bases \(\sigma _x \otimes \sigma _x\) and \(\sigma _z \otimes \sigma _x\), respectively
Full size table

4.3 Security analysis of the distribution processes of EPR pair block over the two collective-noise channels

The above distribution processes of EPR pairs are secure since the eavesdropping detecting processes done by the two participants in step 3) and step \(c\)) are essentially equivalent to that in the BB84 QKD protocol [4].

Now, we take the distribution process over collective-dephasing channel, for example. The decoy states that used in the eavesdropping detection in Sect. 4.1 are generated by randomly choosing from one of the two mutually unbiased bases \(\{|0\rangle _L, |1\rangle _L\}\) and \(\{|+\rangle _L, |-\rangle _L\}\) and are randomly inserted into \(T_B\). For each of the decoy states, after Bob obtains the information of its position and initial state, he measures it in \(\sigma _z \otimes \sigma _z\)-basis (\(\sigma _x \otimes \sigma _x\)-basis) if its initial state is \(|0\rangle _L\) or \(|1\rangle _L\) (\(|+\rangle _L\) or \(|-\rangle _L\)).

For any eavesdropper, the bases used by Bob are random since the decoy states are generated by randomly using one of the two bases \(\{|0\rangle _L, |1\rangle _L\}\) and \(\{|+\rangle _L, |-\rangle _L\}\). Although the information of the bases is finally announced in public, once Bob receives them, no eavesdropper has the access to the states in \(T^\prime _B\). Same as that in the BB84 protocol which has been proved to be unconditionally secure, any eavesdropping action will inevitably disturb part of the decoy states and be noticed by the two participants if an eavesdropper eavesdrops in the distribution process of the EPR pairs.

As for the distribution process over collective-rotation channel, it is also secure since the eavesdropping detecting process in Sect. 4.2, in essence, is also the same as that in the BB84 QKD protocol. Thus, we omit the redundant description here.

5 Discussion and conclusions

The proposed protocol utilizes EPR pairs as the information carriers, and further utilizes single-particle measurements as the main operations. In practice, EPR pairs have been experimentally generated by many research groups [4549], and the single-particle measurements have also been a mature technology which has been widely used in quantum information processing. Therefore, our protocol is more feasible than the protocol which need to perform Bell measurements [35]. In addition, in order to transmit the ordered particle block (i.e., \(S^\prime _B\)) to Bob, the sender Alice can make use of the similar circuits composed of optical delays and switches in [11, 12] to adjust the particles in \(S^\prime _B\). Moreover, our protocol is presented with EPR pairs, if the qubits of the EPR pairs are transmitted in a noisy channel, it seems that the entanglement may be threaten over a long distance. In this situation, the quantum–repeater technique [50, 51], which contains the entanglement purification and teleportation, can be utilized to keep the reliability of the shared entanglement.

In conclusion, we first present an efficient and feasible QKA protocol with blocks of EPR pairs and single-particle measurements in this paper. Then we proved this protocol to be secure against both the outside attacks and participant attack. In addition to this protocol, a useful method for sharing EPR pairs between two participants over collective-dephasing channel/collective-rotation channel is introduced. This method is very useful since sharing EPR pairs between two participants is an important work in many quantum cryptographic protocols, especially in the protocols over non-ideal channels. By utilizing this method, both our proposed protocol and the one in [35] can be immune to these two kinds of collective noise. What is more, the implementation of the both the proposed QKA protocol and the method for sharing EPR pairs only needs to utilize EPR pairs and single-particle measurements. Therefore, our protocols is feasible with the present techniques.