1 Introduction

With the development of modern society, electronic communications become more and more frequent in our everyday life, such as shopping over the Internet, drawing money from automated teller machines, transacting finance between different banks, and transmitting personal (or commercial, governmental, military and diplomatic) E-mail in network. In all these instances, to guard other one against impersonating the legitimate users to implement the communication, identity of communication users are necessarily authenticated. Classical identification generally employs secret key as password to ensure security. However, the existing classical identification schemes merely rely on the complexity of mathematical algorithms. Therefore, theoretically speaking, they are not absolutely secure, which makes accidentally merchant, bank or individual lose money and government, military leak intelligence. Furthermore, the potential powerful quantum commuter poses a serious menace to security of classical identification schemes. With its unconditional security, quantum identity authentication (QIA) has become a research focus and may be put into real-life use around the corner in the foreseeable further.

In 1995, Cr\(\acute{e}\)peau et al. [1] first proposed a QIA scheme, which is based on quantum oblivious transfer [2]. Unfortunately, quantum oblivious transfer has been proved insecure against the so-called collective attacks by Mayers [3]. In 1999, Du\(\check{s}\)ek et al. [4] presented a secure identity authentication proposal by combining a classical identification procedure and quantum key distribution. Nonetheless, strictly speaking, the proposal is not a pure QIA scheme. In 2000, Zeng et al. [5] put forward a quantum key verification scheme by utilizing Einstein–Podolsky–Rosen (EPR) pairs and Bell theory. In the same year, Ljunggren et al. [6] presented some user authentication protocols by introducing a third-party trusted authority. In 2002, Mihara [7] gave three quantum identification schemes by using entangled state and unitary operation. In 2005, Zhou et al. [8] offered a cross-center quantum identification scheme based on teleportation and entanglement swapping in quantum optics. In 2006, taking advantage of the correlation of GHZ states, Lee et al. [9] proposed two protocols of quantum direct communication schemes with authentication. However, in 2007, Zhang et al. [10] has revealed that Lee et al’s protocols are insecure in the case that the authenticator is required to be prevented from knowing the secret message in priori. They have modified Lee et al’s two protocols such the protocol securities are assured. Nonetheless, neither in the two original protocols nor in their modified versions, the authentication key cannot be reused. So far, more and more QIA schemes [121] have been presented.

It should be mentioned, by employing properties of multipartite entangled states and quantum controlled-NOT gate, Zhang et al. [11] proposed a QIA protocol (referred to as ZZZX QIA protocol hereafter) based on ping-pong technique. The distinct advantage of the ZZZX QIA protocol is that the authentication key can be updated for reuse. Incidentally, the so-called ping-pong technique in quantum cryptography was first proposed by Bostr\(\ddot{o}\)m and Felbinger [22] in 2002 using entanglement, and it has attracted much attention [2326] over the last several years and become mature so far. In this paper, we will propose a QIA scheme also based on the ping-pong technique. However, it is worthy to emphasize that in our scheme, we will use single-particle states and the single-qubit operation instead of the multipartite entangled states and the two-qubit controlled-NOT gate operation in the ZZZX QIA scheme. Such replacements will make our scheme much simpler and more feasible. Comparing with the existing QIA schemes, the present scheme has three distinct advantages: One is consuming lesser quantum resource and no classical information while obtaining maximum capacity and efficiency; the second is only single-particle operations or measurements are used in the present scheme, which is more feasible with the present-day technique; the third is verifying the legitimate user’s identity at the same time updating the authentication key to use in the next communication.

The present paper is outlined as follows. In Sect. 2, we will propose a QIA scheme via the ping-pong technique without entanglement (i.e., utilizing single-particle states as quantum channel). In Sect. 3, we will extensively analyze the security of our scheme with respect to various attack strategies. The influences of imperfect quantum channel are briefly discussed in Sect. 4. Finally, in Sect. 5, we will make a brief summary.

2 The QIA scheme based on ping-pong technique without entanglements

In our scheme, the QIA system consists of two parties, say Alice and Bob. Alice is assumed to be a reliable certification authority (CA), while Bob is a common user. To prevent the eavesdropper Eve extracting some useful secret message by impersonating the legitimate user, Bob’s identity needs to be verified when he communicates with Alice, or logins in a network where Alice is the authentication center. Moreover, the authentication key needs to be updated for reuse after the identity verification. Suppose Alice and Bob have in prior shared a binary key \(K=\{k_1, k_2, \ldots , k_{2n}\}\) as the authentication key. The following four-step scheme can achieve the goal of simultaneously updating the authentication key and verifying the user’s identity.

(S1)CA’s preparation Alice prepares an ordered \(n\)-particle sequence. For each particle in the sequence, its state to be prepared is not completely random but partially determined by the value of a corresponding bit in the authentication key. For the \(i\)-th particle, its corresponding bit is \(k_{2i}\) (\(1 \le i \le n\)). If \(k_{2i}=0\), it is prepared either in the state \(|0\rangle \) or in the state \(|1\rangle \). Otherwise, \(k_{2i}=1\) and accordingly it is prepared either in the state \(|+\rangle \) or in the state \(|-\rangle \). Here \(|0\rangle \) and \(|1\rangle \) are the eigenstates of \(\hat{S_z}\), and \(|+\rangle \) and \(|-\rangle \) are the eigenstates of \(\hat{S_x}\). Note that Alice knows exactly the state of each particle. After the preparations, Alice sends the particle sequence to the user Bob.

(S2)User’s encode After receiving the particle sequence, Bob performs either the unitary operation \(I=|0\rangle \langle 0|+|1\rangle \langle 1|\) or \(U=i\sigma _y=|0\rangle \langle 1|-|1\rangle \langle 0|\) on each particle in terms of his authentication key. That is, for the \(i\)-th (\(1 \le i \le n\)) particle, if \(k_{2i-1}\oplus k_{2i}=0\), then Bob performs the operation \(I\) on it. Otherwise, \(k_{2i-1}\oplus k_{2i}=1\) and consequently he executes the operation \(U\). Here the symbol \(\oplus \) represents modular 2 plus. Incidentally, the nice feature of the \(U\) operation is that it flips the state in each one of the two measuring bases sets \(\mathcal{Z}=\{|0\rangle , |1\rangle \}\) and \(\mathcal{X}=\{|+\rangle , |-\rangle \}\), i.e., \(U|0\rangle =-|1\rangle \), \(U|1\rangle =|0\rangle \), \(U|+\rangle =|-\rangle \) and \(U|-\rangle =-|+\rangle \).

(S3)User’s update After encode, Bob starts to update the authentication key. Denote the updated key as \(K'=\{k'_1, k'_2, \ldots , k'_{2n}\}\). For each bit \(k'_{2i} (1 \le i \le n)\), it is determined in the following way. If \(k_{2i}=0\), Bob measures the \(i\)-th particle in the \(\mathcal{Z}\) basis. Otherwise, \(k_{2i}=1\) and then Bob measures the \(i\)-th particle in the \(\mathcal{X}\) basis. If Bob’s measurement result is \(|0\rangle \) or \(|+\rangle \), then the value of \(k'_{2i}\) is 0. Otherwise, Bob’s measurement result is \(|1\rangle \) or \(|-\rangle \) and then the value of \(k'_{2i}\) is 1. The bit \(k'_{2i-1}\) is determined by \(k'_{2i-1}=k_{2i-1}\oplus k_{2i}\oplus k'_{2i}\). After above operations, Bob returns the ordered \(n\)-particle sequence to Alice.

(S4)CA’s verification and extraction Having received the particle sequence sent by Bob, Alice can deterministically decode Bob’s secret authentication information by orderly measuring each particle in the corresponding measuring basis. The choice of the measuring basis for each particle is completely the same as that described in (S3). The measurement outcomes correspond to the bits \(k'_{2i} (1\le i\le n)\) in the updated key. As mentioned in (S1), Alice knows exactly the initial state of each particle. Moreover, since Bob’s operations are determined by the authentication key, Alice can infer whether the user is the legitimate one. If it is, then Alice can successfully update the authentication key for reuse.

So far, we have expatiated a scheme for implementing QIA without making use of entanglements. Obviously, the proposed QIA scheme can simultaneously update the legitimate user Bob’s authentication key and verify his identity.

3 Security analyses

The eavesdropper Eve can access quantum channel and might execute her evil action by manipulating it. To pass the identity authentication, she might attack the particle during its transmission in quantum channel. Here, we mainly consider two classes of individual attack strategies, i.e., the no-authentication key attack and the authentication key attack.

3.1 No-authentication key attack

The no-authentication key attack is the simplest type of attack. Under this attack, Eve tries to impersonate the legitimate user Bob throughout. Explicitly, when Alice sends the traveling particle \(t\) to Bob, Eve captures it first. Then, she performs a unitary operation \(U_{te}\) on the traveling particle \(t\) and her auxiliary particle \(e\) (prepared, say, in the state \(|\chi \rangle _e\)). Given the particle \(t\) is in the state \(|j\rangle _t\) with \(j\in \{|0\rangle , |1\rangle , |+\rangle , |-\rangle \}\), the action of the unitary operation \(U_{te}\) may be described as follows,

$$\begin{aligned} U_{te}|j_t\chi _e\rangle \rightarrow \alpha _j|j_tj_e\rangle +\beta _j|\bar{j}_tj_e\rangle +\gamma _j|j_t\bar{j}_e\rangle +\delta _j|\bar{j}_t\bar{j}_e\rangle , \end{aligned}$$
(1)

where the coefficients \(\alpha _j\), \(\beta _j\), \(\gamma _j\) and \(\delta _j\) are complex and satisfy \(|\alpha _j|^2+|\beta _j|^2|+|\gamma _j|^2+|\delta _j|^2=1\), the subscripts \(t\) and \(e\) refer, respectively, to the traveling particle and Eve’s auxiliary particle, and \(\langle j|\bar{j}\rangle =0\). Eve keeps the traveling particle \(t\) and sends her auxiliary particle \(e\) to Alice. When receiving the particle \(e\), Alice cannot know it comes actually from a forger and accordingly mistakes it as the particle \(t\). As a consequence, she will follow the procedure explained in the preceding section. That is, if the traveling particle \(t\) is prepared in the state \(|0\rangle \) or \(|1\rangle \) at the beginning, now Alice measures the received particle \(e\) in the \(\mathcal Z\) basis. Otherwise, the initial state of the traveling particle \(t\) is \(|+\rangle \) or \(|-\rangle \). In this case, Alice measures the received particle \(e\) in the \(\mathcal X\) basis. According to the Eq. (1), one can see that, the measurement outcomes should be either \(|j\rangle \) or \(|\bar{j}\rangle \). The former occurs with probability of \(|\alpha _j|^2+|\beta _j|^2\) while the latter with the probability of \(|\gamma _j|^2+|\delta _j|^2\). However, it should be noticed that, only one of the two measurement outcomes is legitimate. If \(k_{2i-1}\oplus k_{2i}=0\), the former is. Otherwise, the latter is. Therefore, with certain probability, Alice can judge whether the quantum channel is disturbed in terms of her measurement outcome. Alternatively, with certain probability, Eve’s attack can be detected. The detection probability of Eve’s attack is

$$\begin{aligned} P^j_{k_{2i-1}\oplus k_{2i}=0}=|\gamma _j|^2+|\delta _j|^2. \end{aligned}$$
(2)

in this situation of \(k_{2i-1}\oplus k_{2i}=0\), or

$$\begin{aligned} P^j_{k_{2i-1}\oplus k_{2i}=1}=|\alpha _j|^2+|\beta _j|^2, \end{aligned}$$
(3)

in the situation of \(k_{2i-1}\oplus k_{2i}=1\). Note that, with equal probability 1/2, the value of \(k_{2i-1}\oplus k_{2i}\) is 0 or 1, and with equal probability 1/4, the traveling particle \(t\) is initially prepared in the state \(|0\rangle \), \(|1\rangle \), \(|+\rangle \) or \(|-\rangle \). Therefore, the total detection probability for each communication is

$$\begin{aligned} P_d=\frac{1}{2}(P_{k_{2i-1}\oplus k_{2i}=0}+P_{k_{2i-1}\oplus k_{2i}=1})=\frac{1}{8}\sum \limits _j(P^j_{k_{2i-1}\oplus k_{2i}=0}+P^j_{k_{2i-1}\oplus k_{2i}=1})=\frac{1}{2}. \end{aligned}$$
(4)

This indicates that the proposed scheme is unconditionally secure under the no-authentication attack strategy.

3.2 Authentication key attack

Compared with the no-authentication key attack, the authentication key attack is more severe and subtle. Instead of completely impersonating the legitimate user Bob, under the authentication key attack, Eve attacks the quantum channel to only try to extract some useful information on the authentication key, then she uses the eavesdropped key to pass the CA’s identity authentication. Incidently, using this class of attack strategy, if Eve can successfully eavesdrop the original authentication key even if her eavesdropping action will be detected finally, or can successfully eavesdrop the updated authentication key without emerging her eavesdropping action, then her eavesdropping action is completely successful. These attacks can be divided into three types, i.e., the measure-resend attack, the intercept-resend attack, and the entangle-measure attack. As a matter of fact, our present scheme is immune to the types of attacks mentioned above. This can be concluded from the following detailed analyses.

3.2.1 Intercept-resend attack strategy on channel particles

In this attack, Eve may first prepare her own ordered \(n\)-particle sequence (called the fake particle sequence). For each particle in the sequence, its state is prepared completely randomly in one of the four states \(\{|0\rangle , |1\rangle , |+\rangle , |-\rangle \}\). Note that, Eve knows exactly the state of each particle. When CA’s \(n\)-particle sequence (called the real particle sequence) is traveling from Alice to Bob, Eve intercepts and stores it. Then, she sends the fake particle sequence to Bob. When Bob returns the particle sequence to Alice after his encode and update, Eve intercepts it. She orderly measures each particle by using the measuring basis which the initial state of the particle belongs to. Through such measurements, Eve wants to infer Bob’s encodes on the fake particles. If she succeeds, then she can perform the same unitary operations as Bob used on the real particle sequence and then sends it to Alice. By doing so, Eve can extract useful information on the authentication key and sequentially passes Alice’s identity authentication. Unfortunately, it is Alice who prepares each traveling particle, the basis (i.e., \(\mathcal X\) or \(\mathcal Z\)) Alice used to prepare the particle state is completely determined by the value of \(k_{2i}\) and unknown for Eve. Therefore, the probability of Eve’s fake particles in the correct bases is only \(50\,\%\). That is, there is still \(50\,\%\) probability that Eve prepares her fake particles in the wrong bases. In this case, Eve’s evil action can be found. Thus, it is only with probability of \(50\,\%\) that Eve can successfully gain Bob’s encoding operation and with probability of \(50\,\%\) that she can be detected. Consequently, for each communication run, the average probability that Eve’s this attack can be detected is \(25\,\%=(0+1/2)/2\).

3.2.2 Measure-resend attack strategy on channel particles

To gain the two bits \(k_{2i-1}k_{2i}\) \((1 \le i \le n)\) of the authentication key, Eve intercepts the \(i\)-th traveling particle in the line \(A\rightarrow B\) and measures it to try to extract the bit \(k_{2i}\). Then she resends the particle to Bob. During the transmission in the line \(B\rightarrow A\) after Bob’s encode and update, Eve intercepts the traveling particle again and measures it using the same measuring basis as the first measurement used and then resends it to Alice. By comparing the first measurement result with the second one, Eve tries to infer Bob’s operation. According to the value of the bit \(k_{2i}\) and Bob’s operation, Eve can deduce the value of the first bit \(k_{2i-1}\). However, our scheme can prevent such attack. In our scheme, the traveling particle prepared by Alice may be in one of the four states \(|0\rangle \), \(|1\rangle \), \(|+\rangle \) and \(|-\rangle \). They are not all mutually orthogonal. Therefore, during the ping process, Eve cannot acquire the initial state of the particle with certainty via her measurement. Alternatively, Eve cannot obtain the certain information about the bit \(k_{2i}\). As the above mentioned, to obtain Bob’s operation, Eve performs a same measurement again on the traveling particle during the pong processes. Without any prior knowledge of Alice’s preparation, she may choose the measuring basis from \(\mathcal X\) and \(\mathcal Z\) at random. With \(50\,\%\) probability, Eve may correctly select the measuring basis which Alice uses to prepare the initial state. In this case, she will not be detected at all and can distill full of Bob’s encoding operation. If otherwise Eve chooses the wrong measuring basis, she has \(50\,\%\) probability to extract Bob’s encoding operation. However, there is still \(50\,\%\) probability that Eve will be found by Alice. Hence, by using such attack strategy, the average possibility that Eve can successfully guess Bob’s unitary operation is \(75\,\%\), corresponding to the probability of being detected is \(25\,\%\).

To be explicit, let us show an example. Suppose the two bits \(k_{2i-1}k_{2i}\) of the authentication key is 11 and the \(i\)-th traveling particle prepared by Alice is in the state \(|+\rangle \). If Eve guesses the bit \(k_{2i}\) is 1 and measures the intercepted traveling particle in the \(\mathcal X\) basis, her measurement result is undoubtedly \(|+\rangle \). Then Eve resends the particle to Bob. Bob receives the particle and performs \(I\) operation on it, then measures it using the \(\mathcal X\) basis and then resends it to Alice. Eve intercepts the particle during its transmission and then measures it in the \(\mathcal X\) basis again. Eve’s measurement result is certainly \(|+\rangle \) and resends it to Alice. In this case, Eve not only gets the two bits \(k_{2i-1}k_{2i}\) of the authentication key but also passes Alice’s identity authentication. Otherwise, if Eve guesses the bit \(k_{2i}\) is 0 and measures the intercepted traveling particle in the \(\mathcal Z\) basis, the state of the particle collapses to \(|0\rangle \) or \(|1\rangle \) each with probability 1/2. Then she resends the particle to Bob. After receiving the particle, Bob performs the operation \(I\) on it and then uses the \(\mathcal X\) basis to measure it. Whether the particle received from Eve is in the state \(|0\rangle \) or \(|1\rangle \), Bob’s measurement result is \(|+\rangle \) or \(|-\rangle \) each with probability 1/2. After the measurement, Bob resends the particle to Alice. During its transmission, Eve intercepts it and measures it in the \(\mathcal Z\) basis again. With probability 1/2, Eve gets the measurement result \(|0\rangle \) and she can correctly obtain Bob’s operation is \(I\). She deduces the two bits \(k_{2i-1}k_{2i}\) of the authentication key is 00. At the same time, with probability 1/2, Eve gets the measurement result \(|1\rangle \) and she will wrongly consider Bob’s operation is \(U\). She deduces the two bits \(k_{2i-1}k_{2i}\) of the authentication key is 10. Subsequently, Eve resends the particle to Alice. When Alice receives the particle, she uses the \(\mathcal X\) basis to measure it. Alice’s measurement result is \(|+\rangle \) with probability 1/2, and in this situation, Eve can pass Alice’s identity authentication. However, Alice’s measurement result is \(|-\rangle \) with probability 1/2 too, and in this situation, Eve’s attack can be detected by Alice.

3.2.3 Entangle-measure attack strategy on two-way channel

In this kind of attack, Eve may make use of two ancillas (called ancilla \(\varepsilon \) and ancilla \(\eta \)) on both forward path and backward path to disturb the quantum channel. That is, when the traveling particle is sent from Alice to Bob, Eve intercepts it and performs an operation \(\xi _1\) on both traveling particle and the ancilla \(\varepsilon \) and then lets the traveling particle go on its way. Subsequently, after Bob’s encoding operation and measurement, Eve intercepts the encoded particle and performs another operation \(\xi _2\) on the encoded particle and the ancilla \(\eta \). At the end of transmission, Eve measures his ancillary states \(\varepsilon \) and \(\eta \). By comparing the first with the second measurement results, she tries to extract some useful information on the two-bit key. In the following, we discuss such attack with the aim of finding Eve’s optimal eavesdropping strategy, i.e., recover parameter’s values that maximize Eve’s information on the two-bit key and the probability for Eve successfully getting the authentication key minimizing the possibility of detecting Eve.

Given CA’s different initial states and Eve’s ancillary states \(\varepsilon \), the most general operation \(\xi _1\) on the traveling particle can be written as

$$\begin{aligned} |0\rangle |\varepsilon \rangle&\rightarrow \sqrt{F}|0\rangle |\varepsilon _{00}\rangle +\sqrt{D} |1\rangle |\varepsilon _{01}\rangle ,\nonumber \\ |1\rangle |\varepsilon \rangle&\rightarrow \sqrt{D}|0\rangle |\varepsilon _{10}\rangle +\sqrt{F} |1\rangle |\varepsilon _{11}\rangle ,\nonumber \\ |+\rangle |\varepsilon \rangle&\rightarrow \frac{1}{2}|+\rangle (\sqrt{F}|\varepsilon _{00}\rangle +\sqrt{D}|\varepsilon _{10}\rangle +\sqrt{D}|\varepsilon _{01}\rangle +\sqrt{F}|\varepsilon _{11}\rangle )\nonumber \\&+\,\frac{1}{2}|-\rangle (\sqrt{F}|\varepsilon _{00}\rangle +\sqrt{D}|\varepsilon _{10}\rangle -\sqrt{D}|\varepsilon _{01}\rangle -\sqrt{F}|\varepsilon _{11}\rangle ),\nonumber \\ |-\rangle |\varepsilon \rangle&\rightarrow \frac{1}{2}|+\rangle (\sqrt{F}|\varepsilon _{00}\rangle -\sqrt{D}|\varepsilon _{10}\rangle +\sqrt{D}|\varepsilon _{01}\rangle -\sqrt{F}|\varepsilon _{11}\rangle )\nonumber \\&+\,\frac{1}{2}|-\rangle (\sqrt{F}|\varepsilon _{00}\rangle -\sqrt{D}|\varepsilon _{10}\rangle -\sqrt{D}|\varepsilon _{01}\rangle +\sqrt{F}|\varepsilon _{11}\rangle ). \end{aligned}$$
(5)

Similarly, Eve’s attack operation \(\xi _2\) on the encoded particle can be described as

$$\begin{aligned} |0\rangle |\eta \rangle&\rightarrow \sqrt{F'}|0\rangle |\eta _{00}\rangle +\sqrt{D'} |1\rangle |\eta _{01}\rangle ,\nonumber \\ |1\rangle |\eta \rangle&\rightarrow \sqrt{D'}|0\rangle |\eta _{10}\rangle +\sqrt{F'} |1\rangle |\eta _{11}\rangle ,\nonumber \\ |+\rangle |\eta \rangle&\rightarrow \frac{1}{2}|+\rangle (\sqrt{F'}|\eta _{00}\rangle +\sqrt{D'}|\eta _{10}\rangle +\sqrt{D'}|\eta _{01}\rangle +\sqrt{F'}|\eta _{11}\rangle )\nonumber \\&+\,\frac{1}{2}|-\rangle (\sqrt{F'}|\eta _{00}\rangle +\sqrt{D'}|\eta _{10}\rangle -\sqrt{D'}|\eta _{01}\rangle -\sqrt{F'}|\eta _{11}\rangle ),\nonumber \\ |-\rangle |\eta \rangle&\rightarrow \frac{1}{2}|+\rangle (\sqrt{F'}|\eta _{11}\rangle -\sqrt{D'}|\eta _{10}\rangle +\sqrt{D'}|\eta _{01}\rangle -\sqrt{F'}|\eta _{11}\rangle )\nonumber \\&+\,\frac{1}{2}|-\rangle (\sqrt{F'}|\eta _{00}\rangle -\sqrt{D'}|\eta _{10}\rangle -\sqrt{D'}|\eta _{01}\rangle +\sqrt{F'}|\eta _{11}\rangle ). \end{aligned}$$
(6)

To make the operations \(\xi _1\) and \(\xi _2\) unitary, Eqs. (5) and (6) must satisfy the following conditions:

$$\begin{aligned} D+F&= 1=D'+F',\nonumber \\ \langle \varepsilon _{00}|\varepsilon _{10}\rangle +\langle \varepsilon _{01} |\varepsilon _{11}\rangle&= 0=\langle \eta _{00}|\eta _{10}\rangle +\langle \eta _{01}|\eta _{11}\rangle . \end{aligned}$$
(7)

Here, to simplify the discussion, we can set \(\langle \varepsilon _{00}|\varepsilon _{01}\rangle =\langle \varepsilon _{10}|\varepsilon _{11}\rangle = \langle \varepsilon _{00}|\varepsilon _{10}\rangle =\langle \varepsilon _{01}|\varepsilon _{11}\rangle =0\) and \(\langle \eta _{00}|\eta _{01}\rangle =\langle \eta _{10}|\eta _{11}\rangle = \langle \eta _{00}|\eta _{10}\rangle =\langle \eta _{01}|\eta _{11}\rangle =0\). Let us emphasize that under such simplification, the most representative states are preserved after the operations \(\xi _1\) and \(\xi _2\); therefore, its consequences are quite general. As for the nonorthogonal states, we define \(\langle \varepsilon _{00}|\varepsilon _{11}\rangle =\cos x\), \(\langle \varepsilon _{01}|\varepsilon _{10}\rangle =\cos y\), \(\langle \eta _{00}|\eta _{11}\rangle =\cos x'\) and \(\langle \eta _{01}|\eta _{10}\rangle =\cos y'\) with \(0\le x, y, x', y' \le \frac{\pi }{2}\).

Employing transformations (5) and (6) and conditions (7), we can calculate the probability of detecting Eve. Suppose the secret two-bit key \(k_{2i-1}k_{2i}=00\), according to the procedure of our scheme, Alice prepares the traveling particle randomly in one of the two states \(|0\rangle \) and \(|1\rangle \), and Bob’s encoding operation is \(I\). First, let consider the initial state of the traveling particle is \(|0\rangle \), and in this case, CA’s decoding can be expressed as

$$\begin{aligned} |\psi _{|0\rangle _t}^{00}\rangle&= E_2\{I[E_1(|0\rangle |\varepsilon \rangle )]|\eta \rangle \}= \sqrt{FF'}|0_t\varepsilon _{00}\eta _{00}\rangle + \quad \sqrt{FD'}|1_t\varepsilon _{00}\eta _{01}\rangle \nonumber \\&+\,\sqrt{DD'}|0_t\varepsilon _{01}\eta _{10}\rangle +\sqrt{DF'}|1_t\varepsilon _{01}\eta _{11}\rangle . \end{aligned}$$
(8)

From Eq. (8) one can see, Eve will be detected if CA’s decoded measurement result is not \(|0\rangle \), corresponding to the probability of Eve’s such attack can be detected is

$$\begin{aligned} P_d(|\psi _{|0\rangle _t}^{00}\rangle )=FD'+DF'. \end{aligned}$$
(9)

Similarly, assume the initial state of the traveling particle is \(|1\rangle \), and in this case, CA’s decoding can be expressed as

$$\begin{aligned} |\psi _{|1\rangle _t}^{00}\rangle&= E_2\{I[E_1(|1\rangle |\varepsilon \rangle )]|\eta \rangle \}= \sqrt{DF'}|0_t\varepsilon _{00}\eta _{00}\rangle + \quad \sqrt{DD'}|1_t\varepsilon _{00}\eta _{01}\rangle \nonumber \\&+\, \sqrt{FD'}|0_t\varepsilon _{01}\eta _{10}\rangle +\sqrt{FF'}|1_t\varepsilon _{01}\eta _{11}\rangle . \end{aligned}$$
(10)

From Eq. (10) one can find, Eve will be detected if the state of encoded traveling particle is not \(|1\rangle \), leading to the probability of detecting Eve is

$$\begin{aligned} P_d(|\psi _{|1\rangle _t}^{00}\rangle )=DF'+FD'. \end{aligned}$$
(11)

Since Alice randomly chooses the two states \(|0\rangle \) and \(|1\rangle \) with equal possibility, the average probability of Eve’s attack can be detected when \(k_{2i-1}k_{2i}=00\) is given by

$$\begin{aligned} P_d(k_{2i-1}=0)=FD'+DF'. \end{aligned}$$
(12)

Further calculations show the detection probability also satisfies Eq. (12) when \(k_{2i-1}k_{2i}=01\). In the same way, we obtain the probability of detecting Eve when \(k_{2i-1}k_{2i}=10\) or 11, which is found to be

$$\begin{aligned}&P_d(k_{2i-1}=1) \nonumber \\&\quad =\frac{1}{2}(1-DD'\cos y\cos y'-DF'\cos y\cos x' \nonumber \\&\qquad -FD'\cos x\cos y'-FF'\cos x\cos x'). \end{aligned}$$
(13)

Combining Eqs. (12) and (13) gives the average detection probability over all CA’s initial states,

$$\begin{aligned} P_d&= \frac{1}{2}[P_d({2i-1}=0)+P_d({2i-1}=1)] \nonumber \\&= \frac{1}{4}(1+2FD'+2DF'-DD'\cos {y}\cos {y'} -DF'\cos {y}\cos {x'} \nonumber \\&\quad -\,FD'\cos {x}\cos {y'}-FF'\cos {x}\cos {x'}). \end{aligned}$$
(14)

For those given parameters \(x\), \(x'\), \(y\), and \(y'\), the detection probability \(P_d\) takes the minimum (denoted \(d\)) in the condition of \(F=F'=1\),

$$\begin{aligned} d\equiv \textit{minP}_d&= \frac{1}{4}(1-\cos {x}\cos {x'}). \end{aligned}$$
(15)

Above equation shows the value of \(d\) is only relative to \(x\) and \(x'\). Note that the information that Eve can distill from his measurement result is somewhat related to the degree of orthogonality she imposes on her ancillae, the more orthogonal they are, the higher is the information achieved [27]. For the optimal Eve incoherent attack consists in a balanced one, we set \(x=x'\), in this case Eq. (15) can be therefore rewritten as

$$\begin{aligned} d=\frac{1}{4}(1-\cos ^2{x}). \end{aligned}$$
(16)

Obviously, when \(x=\pi /2\), the value of \(d\) takes maximum 1/4, corresponding, as we will see, to Eve’s maximum information.

As an eavesdropper, Eve wants to maximize the mutual information on the two-bit key while minimize the possibility of being detected. Now, we investigate the relationship between Eve’s extracting information on the two-bit key and the possibility of detecting Eve. Eve’s attack strategy \(E\) is composed by her operations at position \(\xi _1\) and \(\xi _2\), and therefore, Eve’s information on the two-bit key \(K\) under the strategy \(E\) can be calculated by

$$\begin{aligned} I(K;E)\equiv \sum \limits _{k, \xi }p(k,\xi )\log _2\frac{p(k,\xi )}{p(k)p(\xi )}, \end{aligned}$$
(17)

where \(k\) is the two-bit key, i.e., \(k\in \{00, 01, 10, 11\}\), \(\xi \) is the joint measurement results of Eve at the positions \(\xi _1\) and \(\xi _2\), i.e., \(\xi =\varepsilon _{ij} \eta _{\mu \nu }\) with i, j, \(\mu \), \(\nu \in \{0, 1\}\), \(p(k,\xi )\) is the joint probability distribution of \(k\) and \(\xi \), and \(p(k)\) and \(p(\xi )\) are the marginal probability distribution of \(k\) and \(\xi \), respectively.

Next, let us calculate the mutual information \(I(K;E)\). In the above Eq. (17), \(p(00)=p(01)=p(10)=p(11)=1/4\) obviously, and \(p(k,\xi )=p(k)p(\xi |k)=\frac{1}{4}p(\xi |k)\), where \(p(\xi |k)\) is the probability distribution of \(\xi \) when \(k\) is known to be a particular value. Here, let us show an example of how to calculate the conditional probability \(p(\xi |k)\). Without loss of generality, assume \(k=00\) and \(\xi =\varepsilon _{00}\eta _{00}\). As we have seen, if and only if the detection probability satisfies Eq. (17), Eve’s strategy is optimal. In this case, the condition \(F=F'=1\) applies. According to Eqs. (5) and (6), if CA’s initial state is \(|0\rangle \), then Eve’s measurement outcomes should be \(\varepsilon _{00}\eta _{00}\). Otherwise, if CA’s initial state is \(|1\rangle \), then Eve’s measurement outcomes should be \(\varepsilon _{11}\eta _{11}\). Therefore, considering the initial states may be \(|0\rangle \) or \(|1\rangle \) with equal probability, CA’s decoding can be described by

$$\begin{aligned} |\psi ^{00}\rangle =\frac{1}{\sqrt{2}}(|0_t\varepsilon _{00}\eta _{00}\rangle + |1_t\varepsilon _{11}\eta _{11}\rangle ). \end{aligned}$$
(18)

It is should mentioned that the probability to correctly distinguish two states with overlap \(\cos x\) is \((1+\sin x)/2\) under the optimal measurement [28]. In addition, from Eq. (18), one can find if Eve mistakes to identify one of her ancillas (i.e., \(\varepsilon \) state or \(\eta \) state), then she will guess wrong Bob’s operation. Nevertheless, if she mistakes twice, then she can guess right Bob’s operation. Thus, the conditional probability can be given as \(p(\varepsilon _{00}\eta _{00}|00)=(1+\sin x)/4\), and we therefore obtain

$$\begin{aligned} P(00, \varepsilon _{00}\eta _{00})=P(00)P(\varepsilon _{00} \eta _{00}|00)=\frac{1+\sin x}{16}. \end{aligned}$$
(19)

Similarly, Eve’s measurement outcome is either \(\varepsilon _{00}\eta _{00}\) or \(\varepsilon _{11}\eta _{11}\) when \(k\)=01, and one of two possible outcomes \(\varepsilon _{00}\eta _{11}\) and \(\varepsilon _{11}\eta _{00}\) when \(k=10, 11\). In the same way, the other joint probabilities can be calculated. Further calculations show \(p(\varepsilon _{00}\eta _{00})=p(\varepsilon _{00}\eta _{11})= p(\varepsilon _{11}\eta _{00})=p(\varepsilon _{11}\eta _{11})=1/4\). Thus, Eve’s extracting information on the two-bit key under the attack strategy \(E\) is given by

$$\begin{aligned} I=\frac{1}{2}[(1+\sin x)\log _2(1+\sin x)+(1-\sin x)\log _2(1-\sin x)]. \end{aligned}$$
(20)

From Eq. (16), we obtain \(\sin x=2\sqrt{d}\), therefore, the above equation can be re-expressed as

$$\begin{aligned} I=\frac{1}{2}[(1+2\sqrt{d})\log _2(1+2\sqrt{d})+(1-2\sqrt{d})\log _2(1-2\sqrt{d})]. \end{aligned}$$
(21)

Equation (21) shows that \(I\) is a strict monotonic increasing function of \(d\), where \(d\) is a probability in the range 0–0.25. The function is depicted in Fig. 1, from which we can see the more information Eve wants to extract from the two-bit key, the bigger Eve’s being detected probability becomes, and the maximal information Eve can get on the two-bit is 1 bit, corresponding to the probability of being detected is \(25\,\%\).

Fig. 1
figure 1

The relationship between \(d\) and \(I\)

Full size image

Let us emphasize that \(I\) is only Eve’s extracting information from the two-bit key. Now, we discuss the possibility for Eve successfully eavesdropping the authentication key using such attack. As we have known, to acquire some useful information, Eve must measure both her ancillas, corresponding to the measurement outcomes \(\varepsilon _{ij}\) and \(\eta _{\mu \nu }\), with which Eve can successfully guess the two-bit key with a proper probability. For example, if the measurement outcome is \(\varepsilon _{00}\eta _{00}\), Eve can guess the key to be one of 00 or 10 with equal probability. Given the probability \(c\) that Eve decides the key to be 00 and \(1-c\) to be 10, and consider the inconclusive measurement outcomes, then the probability of Eve’s successfully obtaining the authentication key is given by

$$\begin{aligned} P_s=\frac{(1+\sin x)}{2}\times \frac{c}{2}+\frac{(1+\sin x)}{2}\times \frac{1-c}{2}=\frac{1+\sin x }{4}=\frac{1+2\sqrt{d}}{4}.\quad \end{aligned}$$
(22)

Further calculations show the probability of Eve’s correctly guessing the authentication key also satisfies Eq. (22) when the measurement outcomes are the other cases (i.e., \(\varepsilon _{00}\eta _{11}\), \(\varepsilon _{11}\eta _{00}\), and \(\varepsilon _{11}\eta _{11}\)). From above equation, we can see \(P_s\) is independent of the parameter c at all. Thus, the possibility that Eve eavesdrops \(n\) bits of full information while without being detected reads as

$$\begin{aligned} P=[P_s(1-d)]^{n/2}=\left[ \frac{1}{4}(1+2\root \of {d})(1-d)\right] ^{n/2} \end{aligned}$$
(23)

The relationship between \(P\), \(n\), and \(d\) is depicted in Fig. 2 We can see obviously that \(P\rightarrow 0\) when \(n\) is larger, whatever the value of \(d\) is. To describe a reasonable scenario, we set \(d=25\,\%\), and in this case, Eve has a probability of about \(1.97\,\%\) to successfully guess 1 byte (i.e., 8 bits) of authentication information and of about \(0.04\,\%\) to eavesdrop 2 bytes. From the above analysis, one can see, although Eve can eavesdrop some information on the two-bit key, the information on the authentication key may be neglected. Furthermore, since a key updating project is proposed in our scheme, obviously, even if the attacker, Eve, has obtained the old key, she cannot obtain the new key (i.e., the updated key).

Fig. 2
figure 2

The relationship between \(P\) and \(n\) for different detection probabilities \(d\)

Full size image

3.3 Efficiency

It should be pointed out that each single-particle state in this scheme can carry two bits of information, two times of that in BB84 protocol [29] and three times of that in ZZZX protocol, and almost all the single-particle states are useful for carrying the authentication information in theory, the intrinsic efficiency for qubits \(\eta _q\equiv \frac{q_u}{q_t}\) approaches the maximal value \(100\,\%\). Here \(q_u\) is useful qubits and \(q_t\) is the total qubits transmitted. In the BB84 protocol, there are half of \(n\) qubits will be discarded as Bob’s random measurement on the received qubits and c qubits of \(\frac{n}{2}\) are employed for detecting Eve, i.e., \(q_t=n\) and \(q_u=\frac{n}{2}-c\). Thus the intrinsic efficiency of BB84 is \(\eta _{BB84}=\frac{n-2c}{2n}<50\,\%\). While in the ZZZX protocol, Alice and Bob need not compare the encoding basis, but only c particles are employed to detect Eve, i.e., \(q_t=n\) and \(q_u={n}-c\), therefore, its intrinsic efficiency is \(\eta _{ZZZX}=\frac{n-c}{n}<100\,\%\). Obviously, comparisons with the BB84 protocol and ZZZX protocol, the proposed scheme is more efficient. Moreover, since only employing the single-particle state as quantum channel, the total efficiency (defined by Li. et al. [30]) of the present scheme also comes up to the max. About \(100\,\% \), more efficient than the previous QIA schemes.

4 Influences of imperfect quantum channel

The above analysis is based on the ideal scenario and does not take into account the influences of imperfect quantum channel (i.e., the noisy channel and the lossy channel). However, in practice, the employed quantum channel is usually imperfect. In this case, fortunately, such scheme is also secure. The proofs for the security of the proposed QIA scheme in an imperfect quantum channel are similar to that of ZZZX protocol, as they are both based on ping-pong technique. Here, we do not discuss it.

Next, we briefly describe the efficiency of transmission in a lossy channel. Assume the lossy coefficient of the employed quantum channel is \(\zeta \), i.e., if CA sends \(n\) particles to Bob, then Bob only receives \(n\zeta \) of them. Since in our scheme a qubit travels for a two-way channel, the total lossy coefficient should be \(\zeta ^2\). Therefore, the practical efficiency of proposed scheme reads as \(\eta '=\eta \zeta ^2=\zeta ^2\). For comparison, in BB84 protocol, suppose Alice sends \(n\) particles to Bob, Bob only gets \(n\zeta \) of them, and half of the received particles will be abandoned. Moreover, Alice and Bob will take out \(c\) particles from \(\frac{n\zeta }{2}\) to detect Eve. Therefore, we can get \(\eta '_{BB84}=\frac{n\zeta -2c}{2n}\). This entails that the presented scheme is more efficient than BB84 given in the condition of \(\zeta >\frac{n+\sqrt{n^2-16nc}}{4n}\) when \(c<n/16\), or of \(c>n/16\) whatever the \(\zeta \) is.

5 Summary

To summarize, we have explicitly presented a feasible QIA scheme based on single-particle ping-pong technique. It can verify user’s identity as well as update the authentication key. The security of the proposed scheme has explicitly analyzed and confirmed against some types of individual attack strategies even if in an imperfect quantum channel. Comparing with the existing QIA protocols, the proposed scheme has three distinct advantages. First of all, only batches of polarized single-particles are enough for exploit, without making use of entanglements, which will greatly reduce the required qubits resources. Secondly, in the process of communication, the encoding and decoding of secret authentication information can be realized only by performing local unitary operations and single-particle measurement, rather than the multipartite joint measurement, which will simplify the devices of the users on the network. Finally, the classical information exchanged is unnecessary, which makes such QIA scheme more secure. Furthermore, the proposed scheme is efficient and suitable for experimental realization.