Quantum authentication method based on key-controlled maximally mixed quantum state encryption

Quantum authentication is a fundamental first step that ensures secure quantum communication. Although various quantum authentication methods have been proposed recently, their implementation efficiency is limited. This paper proposes a key-controlled maximally mixed quantum state encryption (MMQSE) method using only a single qubit, unitary operation, minimized quantum transmissions, and a single qubit measurement, which improves implementation feasibility and operation efficiency. We applied it to representative quantum authentication applications, namely, quantum identity and message authentication. The security of our authentication schemes was verified by analyzing the relationship between the integral ratio of Uhlmann’s fidelity and probability of successful eavesdropping. Moreover, we demonstrate the higher authentication efficiency of the proposed scheme in a real quantum-channel noise environment. The upper bound of the valid noise rate was quantified using the integral ratio of Uhlmann’s fidelity in a noise environment. Finally, the optimal number of authentication sequences was estimated.

Modern cryptography has been threatened by the explosive development of quantum-computing technology that can implement quantum algorithms such as Shor’s [1–3]. Quantum cryptography is a representative alternative technology [4–7] providing data security based on physical laws such as the superposition of quantum states, irreversibility of quantum measurement, no-cloning theorem, and the uncertainty principle. In the field of quantum cryptography, quantum authentication is the first and most fundamental process in secure communication. Its representative applications include quantum identity authentication (QIA) and quantum message authentication (QMA). First, QIA ensures the legitimacy of the identity by verifying that the claimant possesses secret information [8, 9]. The key technological element for QIA is the use of time variant parameters to ensure timeliness or uniqueness. Since Dušek et al. proposed a QIA scheme in 1999 that combines the BB84 quantum key distribution with identity authentication [10], various QIA schemes have been proposed [11–21]. Second, QMA ensures the origin and integrity of the message by validating quantum message authentication code (QMAC) [8, 9]. QMA is performed using an encoded quantum message state called a quantum message authentication code (QMAC). Beginning with a proposal by Curty et al. in 2002 [22], various QMA scheme studies have been proposed [23–25]. Furthermore, QMA can be extended to quantum signatures with the addition of non-repudiation [26–32].

The above quantum authentication methods have successfully proposed a secure authentication process. However, most require complicated resources such as entangled states, CNOT operation, Bell state measurement (BSM), swap test, and multiple quantum transmissions [19, 33–42]. This paper proposes a key-controlled maximally mixed quantum state encryption (MMQSE) method for quantum authentication schemes. It enables the easy encryption and decryption of quantum states using pre-shared secret keys between users with single qubit preparation, unitary operation, single qubit measurement, and minimized quantum transmissions [21, 43]. We applied the key-controlled MMQSE method to design QIA and QMA schemes that are secure, convenient, and easy to implement. The proposed QIA uses cryptographic challenge-response protocols to prove its identity as a verifier without revealing the secret [9]. The proposed QIA and QMA schemes are practical because they require only a single operation on a single quantum state and a single measurement [44]. Moreover, QIA and QMA were efficiently performed with only two and one quantum transmissions, respectively. As Uhlmann’s fidelity is a convenient analytical tool for quantifying the distance between quantum states, we analyzed the security of the proposed scheme by relating the integral ratio of Uhlmann’s fidelity to the probability of successful eavesdropping. We proved the security of the proposed QIA scheme against impersonation and intercept-and-resend attacks. In addition, we proved the security of our QMA scheme by analyzing the message origin and the impossibility of forgery. Furthermore, we demonstrated the integral ratio of the Uhlmann’s fidelity in a real quantum channel noise environment without eavesdropping and calculated the upper bound of the valid noise rate. We then used it to estimate the optimal number of authentication sequences.

The remainder of this paper is organized as follows. Section 2 introduces the primary concept of the key-controlled MMQSE method for the physical realization of quantum authentication. Section 3 proposes QIA schemes based on the key-controlled MMQSE method and analyzes their security. Section 4 proposes QMA schemes based on the key-controlled MMQSE method and analyzes their security. Finally, Sect. 5 analyzes the authentication efficiency for the noise and compares the proposed quantum authentication schemes with an existing scheme.

For quantum cryptography, we designed a key-controlled MMQSE method for the physical realization of quantum authentication. Additionally, using the proposed method, a legitimate user with a secret key can easily decrypt the quantum state, whereas an eavesdropper, who does not know the secret key, finds it difficult to decrypt a quantum state. The key-controlled MMQSE method comprises three phases: quantum state preparation, unitary operation, and quantum state measurement.

In the quantum state preparation phase, users pre-share a secret key and prepare an appropriate quantum state according to the secret key \(\hat{k}_{AB}\); \(\hat{k}_{AB} = ( \sin \theta \cos \phi , \sin \theta \sin \phi , \cos \theta )\) is the rotation axis of the single qubit rotation operator. θ and ϕ are the polar and azimuthal angles of the rotation axis in Bloch sphere, respectively; it is also represented as \(\hat{k}_{AB} = ( \theta ,\phi )\) in this paper. Subsequently, we consider the arbitrary quantum state \(\vert \Psi \rangle = \cos ( {\alpha} / {2} ) \vert 0 \rangle + \mathrm{e}^{i\beta} \sin ( {\alpha} / {2} ) \vert 1 \rangle \), where α and β are the polar and azimuthal angles of quantum state \(\vert \Psi \rangle \) in the Bloch sphere, respectively. In the key-controlled MMQSE method, quantum state \(\vert \Psi ( \alpha ,\beta ) \rangle \) has the following constraint depending on the secret key \(\hat{k}_{AB} ( \theta ,\phi )\):

Second, for the unitary operation phase, consider an arbitrary unitary operator \(U = e^{i \Phi} \mathcal{R}_{\hat{k}_{AB}} ( \Theta )\), where Φ is the global phase and \(\mathcal{R}_{\hat{k}_{AB}} ( \Theta ) = \cos ( {\Theta} / {2} ) I_{2} +i \sin ( {\Theta} / {2} ) ( \hat{k}_{AB} \boldsymbol{\cdot} \overrightarrow{\sigma} )\) is the rotation operator with rotation angle Θ, rotation axis \(\hat{k}_{AB}\), and Pauli vector \(\overrightarrow{\sigma} = ( \sigma _{x}, \sigma _{y}, \sigma _{z} )\). If \(\Phi =2m\pi \) (m: integer) and \(\Theta = {\pi} / {2}\), the unitary operator U can be expressed as the rotation operator \(V= \mathcal{R}_{\hat{k}_{AB}} ( \pi /2 )\). Consequently, using Eq. (1), the results of unitary operation for \(\vert \Psi \rangle \) and \(\vert \Psi \rangle _{\bot} \) becomes

The counterclockwise rotated quantum state \(\vert R \rangle \) and the clockwise rotated quantum state \(\vert L \rangle \) are orthogonal, because \(\vert \Psi \rangle \) and \(\vert \Psi \rangle _{\bot} = \sin ( {\alpha} / {2} ) \vert 0 \rangle - \mathrm{e}^{i\beta} \cos ( {\alpha} / {2} ) \vert 1 \rangle \) are orthogonal. From the point of view of an eavesdropper, \(\vert R \rangle \) and \(\vert L \rangle \) are arbitrary quantum states, and \(\hat{k}_{AB} ( \theta ,\phi )\) is an arbitrary rotation axis. Hence, the density matrix \(\rho _{E}\) for Eq. (2) becomes

where the probability density function \(\Pr ( \theta ,\phi ) = ( \int _{\phi =0}^{2 \pi} \int _{\theta =0}^{\pi}\,d\theta \,d\phi )^{-1} = ( 2 \pi ^{2} )^{-1}\) for a uniform distribution in the Bloch sphere; \(\rho = \int _{\beta} \int _{\alpha} \Pr ( \alpha , \beta ) \vert \psi ( \alpha , \beta ) \rangle \langle \psi ( \alpha , \beta ) \vert \,d\alpha \,d\beta \) is an ensemble of pure states \(\vert \psi ( \alpha , \beta ) \rangle \) with probability density function

As shown in Eq. (3), the density matrix of the quantum state \(\vert R \rangle \) or \(\vert L \rangle \) is a maximally mixed state. Therefore, an eavesdropper who does not know the secret key cannot obtain any information from the quantum state of Eq. (2).

Finally, in the quantum state measurement phase, we consider a single qubit measurement \(B= \lambda _{R} B_{R} + \lambda _{L} B_{L} = \lambda _{R} \vert R \rangle \langle R \vert + \lambda _{L} \vert L \rangle \langle L \vert \), that satisfies \(B \vert R \rangle = \lambda _{R} \vert R \rangle \), \(B \vert L \rangle = \lambda _{L} \vert L \rangle \), where \(\lambda _{R}\) and \(\lambda _{L}\) are eigenvalues of B. The measurement operator B should also satisfy the completeness relation \(\sum_{m} B_{m}^{\dagger } B_{m} =I\), (\(m=R,L \)). Then, \(\vert R \rangle \) and \(\vert L \rangle \) can be completely measured by B. Therefore, only legitimate users who know the secret key can obtain accurate measurement results. For example, in Fig. 1, the key-controlled \(\vert \Psi \rangle \), \(\vert R \rangle \), and \(\vert L \rangle \) are represented geometrically in the Bloch sphere when the secret key is \(\hat{k}_{AB} = ( \pi /4,0 )\). The orange solid line represents a specific \(\vert \Psi \rangle \) satisfying Eq. (1). If \(\vert \Psi \rangle \) is a red sphere on the orange solid line, \(\vert R \rangle \) and \(\vert L \rangle \) generated by the rotation operator \(\mathcal{R}_{\hat{k}_{AB}}\) are represented by the blue and cyan spheres, respectively.

Geometric representation of the key-controlled \(\vert \Psi \rangle \), \(\vert R \rangle \), and \(\vert L \rangle \) in the Bloch sphere. The red arrow represents the secret key \(\hat{k}_{AB} = ( \pi /4,0 )\) and the red sphere represents a specific \(\vert \Psi \rangle \) among all possible points represented by the orange solid line. The blue and cyan spheres represent \(\vert R \rangle \) and \(\vert L \rangle \) generated by the rotation operator \(\mathcal{R}_{\hat{k}_{AB}}\)

Full size image

The key-controlled MMQSE method encrypts the single qubit \(\vert \Psi \rangle \) generated in the quantum state preparation phase using the rotation operator V in the unitary operation phase and decrypts it using single qubit measurement B in the quantum state measurement phase. By applying the key-controlled MMQSE method to the quantum authentication schemes, legitimate users can easily encrypt and decrypt the quantum states, and eavesdropping is impossible. Specifically, it provides a security service of confidentiality that allows only legitimate users to encrypt and decrypt completely using the rotation axis corresponding to the secret key. In addition, from the user perspective, \(\vert R \rangle \) and \(\vert L \rangle \) in Eq. (2), encrypted using a fixed rotation angle \(\pi /2\), are known quantum states perpendicular to each other. Therefore, they can be easily decrypted using the single qubit measurement. However, from the eavesdropper perspective, eavesdropping on quantum states is fundamentally difficult because \(\vert R \rangle \) and \(\vert L \rangle \) are maximally mixed states, as shown in Eq. (3). Therefore, we designed QIA and QMA schemes that are feasible and efficient for implementation based on single qubit, single qubit rotation operator, and single qubit measurement using the proposed method. This process is described in detail in the following sections.

3.1 Quantum identity authentication scheme

The schematic representation of QIA based on the key-controlled MMQSE method is given in Fig. 2. Verifier Bob confirms the legitimacy of the claimant Alice and the existence of an illegal third party. The scheme consists of three phases: preparation, identity authentication, and verification.

Schematic representation of QIA. When Alice requests authentication, Bob generates a challenge qubit and sends it to Alice. Alice then generates a legitimate response qubit and sends it to Bob to complete the identity authentication process

Full size image

3.1.1 Preparation phase

Alice and Bob pre-share the secret key sequence \(K_{AB} = ( k_{AB}^{1}, k_{AB}^{2},\ldots , k_{AB}^{i},\ldots , k_{AB}^{N} )\), where \(k_{AB}^{i} \in \{ \hat{n}_{1}, \hat{n}_{2},\ldots , \hat{n}_{j},\ldots , \hat{n}_{O} \}\), N is the number of authentication sequences, O is the number of rotation axes, and \(\hat{n}_{j} = ( \sin \theta _{j} \cos \phi _{j}, \sin \theta _{j} \sin \phi _{j}, \cos \theta _{j} )\) is the rotation axis of the single qubit rotation operator. \(\theta _{j}\) and \(\phi _{j}\) are the polar and azimuthal angles of the rotation axis, respectively, also represented as \(\hat{n}_{j} = ( \theta _{j}, \phi _{j} )\) in this study. The size of the secret key is \(\vert k_{AB}^{i} \vert = \log_{2} O\) and that of the secret key sequence is \(\vert K_{AB} \vert =N \log_{2} O\). \(K_{AB}\) determines the rotation axis of the rotation operators and generates the challenge qubits. Subscripts A and B represent Alice and Bob, respectively. Once Alice requests authentication, Bob randomly generates classical bits \(C= ( c_{1} \Vert c_{2} \Vert \cdots \Vert c_{i} \Vert \cdots \Vert c_{N} )\), where \(c_{i} \in \{ 0,1 \}\). Subsequently, Bob generates a sequence of N challenge qubits \(\vert Q \rangle = \bigotimes_{i=1}^{N} \vert Q \rangle _{i} = \bigotimes_{i=1}^{N} \vert \psi _{i} \rangle _{c_{i}}\), where authentication qubit \(\vert \psi _{i} \rangle = \cos ( {\alpha _{i}} / {2} ) \vert 0 \rangle + \mathrm{e}^{i \beta _{i}} \sin ( {\alpha _{i}} / {2} ) \vert 1 \rangle \). If \(c_{i} =\)0, then \(\vert \psi _{i} \rangle _{0} = \vert \psi _{i} \rangle \); else, \(\vert \psi _{i} \rangle _{1} = \vert \psi _{i} \rangle _{\bot} \). Here, the pairs of angles \(( \alpha _{i}, \beta _{i} )\) and \(( \theta _{j}, \phi _{j} )\) satisfy the condition of Eq. (1). At this point, \(\vert Q \rangle _{i}\) can be considered a time-variant parameter used to ensure the uniqueness or timeliness of the QIA scheme.

3.1.2 Identity authentication phase

Bob sends \(\vert Q \rangle \) to Alice. Subsequently, Alice generates a sequence of N response qubits \(\vert A \rangle = \bigotimes_{i=1}^{N} \vert A \rangle _{i}\), \(\vert A \rangle _{i} \in \{ \vert R \rangle _{i} , \vert L \rangle _{i} \}\) to send to Bob by applying the single qubit rotation operators \(\mathcal{R}_{k_{AB}^{i}} ( {\pi} / {2} )\) to \(\vert Q \rangle _{i}\) as \(\vert R \rangle _{i} = \mathcal{R}_{k_{AB}^{i}} ( {\pi} / {2} ) \vert \psi _{i} \rangle \) or \(\vert L \rangle _{i} = \mathcal{R}_{k_{AB}^{i}} ( {\pi} / {2} ) \vert \psi _{i} \rangle _{\bot} = \mathcal{R}_{k_{AB}^{i}} ( - {\pi} / {2} ) \vert \psi _{i} \rangle \), where \(\vert R \rangle _{i}\) and \(\vert L \rangle _{i}\) are orthogonal.

3.1.3 Verification authentication phase

Bob performs the single qubit measurement on \(\vert A \rangle \) using measurement operator \(B= \vert R \rangle _{i i} \langle R \vert - \vert L \rangle _{i i} \langle L \vert \); for convenience, \(\lambda _{R}\) is 1 and \(\lambda _{L}\) is −1. Because only Bob has a secret key and time-varying parameter, he can obtain the measurement outcome \(C'= ( c_{1} ' \Vert c_{2} ' \Vert \cdots \Vert c_{i} ' \Vert \cdots \Vert c_{N} ' )\). If Bob’s measurement outcome is \(\vert R \rangle _{i}\), \(c_{i} ' =0\); else if the measurement outcome is \(\vert L \rangle _{i}\), \(c_{i} ' =1\). Finally, Bob compares C and \(C'\) to confirm Alice’s identity. If \(C=C'\), Alice’s identity is successfully authenticated. Otherwise, Bob aborts the identity authentication process.

3.2 Security analysis

Suppose Eve (eavesdropper) is intended to pass the verification process without being detected or obtain the secret key information. Eve can eavesdrop, pretending to be claimant Alice (impersonation attack) or intercept information in the middle of the quantum channel (intercept-and-resend attack).

First, we analyze Eve’s impersonation attack to pass the verification process without being detected. We present a security analysis of the proposed QIA scheme using Uhlmann’s fidelity. Fidelity is a measure of the distance between the quantum states [45]. Given two quantum states ρ and σ, the fidelity is defined to be \(F ( \rho ,\sigma ) \equiv \operatorname{tr} \sqrt{\rho ^{{1} / {2}} \sigma \rho ^{{1} / {2}}}\). Let \(\vert \Psi \rangle \) and \(\vert \Phi \rangle \) be any purification of ρ and σ, then the fidelity is the maximum value of \(\vert \langle \Psi | \Phi \rangle \vert \) for any purification \(\vert \Psi \rangle \) and \(\vert \Phi \rangle \) using Uhlmann’s theorem: \(F ( \rho ,\sigma ) = \max_{ \vert \Psi \rangle , \vert \Phi \rangle } | \langle \Psi | \Phi \rangle | \). Assuming that both \(\rho = \vert \psi \rangle \langle \psi \vert \) and \(\sigma = \vert \phi \rangle \langle \phi \vert \) are pure state, the fidelity is represented as \(F ( \rho ,\sigma ) =| \langle \psi | \phi \rangle | \). If \(\vert \psi \rangle \) and \(\vert \phi \rangle \) are orthogonal, then fidelity is 0. If \(\vert \psi \rangle \) and \(\vert \phi \rangle \) are the same, then fidelity is 1. For Eve to pass the verification process, it is necessary to estimate the secret key \(K_{AB}\) or generate a legitimate response qubit \(\vert A \rangle \). Most simply, Eve can estimate some secret key information by measuring the challenge qubit \(\vert Q \rangle _{i}\) transmitted by Bob because the secret key information \(( \theta _{j}, \phi _{j} )\) imposes constraints on the challenge qubit information \(( \alpha _{i}, \beta _{i} )\), as shown in Eq. (1). However, \(( \theta _{j}, \phi _{j} )\) is a function of \(( \alpha _{i}, \beta _{i} )\), and even if Eve knows a specific \(( \alpha _{i}, \beta _{i} )\), the secret key cannot be estimated because there are multiple combinations of \(( \theta _{j}, \phi _{j} )\) satisfying Eq. (1). Moreover, Eve does not know whether the qubit transmitted in the sequence is \(\vert \psi \rangle \) or \(\vert \psi \rangle _{\bot} \) by the time-varying parameters R, which only Bob knows. Therefore, quantum state measurement using the above method causes quantum state collapse. Eve cannot generate the correct quantum state to transmit to Bob based on the irreversibility of quantum state measurements and the no-cloning theory. Bob then knows of Eve’s existence in the quantum channel and aborts the authentication process. Thus, Eve encodes the received challenge qubits using a self-generated arbitrary rotation operation as an optimized impersonation attack and transmits them to Bob. When \(c_{i} =0\) in the ith sequence, the fidelity between legitimate response qubit \(\vert A \rangle _{i} = \mathcal{R}_{k_{AB}^{i}} ( {\pi} / {2} ) \vert \psi _{i} \rangle \) and response qubit estimated by Eve \(\vert A_{E} \rangle _{i} = \mathcal{R}_{E^{i}} ( {\pi} / {2} ) \vert \psi _{i} \rangle \) is as follows:

Here, subscript E refers to Eve, and components of \(E^{i} = ( \theta _{E}, \phi _{E} )\) represent polar and azimuthal angles, respectively. Eve randomly selects the rotation axis \(E^{i}\) to generate \(\vert A_{E} \rangle _{i}\). Since challenge qubits \(\vert \psi _{i} \rangle \) are randomly selected by Bob to follow Eq. (1), the average fidelity for all possible challenge qubits is as given in Fig. 3.

Average Uhlmann’s fidelity between legitimate response qubit \(\vert A \rangle _{i} = \mathcal{R}_{k_{AB}^{i}} ( {\pi} / {2} ) \vert \psi _{i} \rangle \) and response qubit estimated by Eve \(\vert A_{E} \rangle _{i} = \mathcal{R}_{E^{i}} ( {\pi} / {2} ) \vert \psi _{i} \rangle \) on (a) 3D and (b) 2D contour plot, where \(k_{AB}^{i} = ( \pi /4,0 )\). \(\theta _{E^{i}}\) and \(\phi _{E^{i}}\) are the polar and azimuthal angles of the secret key \(E^{i}\) estimated by Eve, respectively

Full size image

As shown in Fig. 3, when \(\vert A \rangle _{i} = \mathcal{R}_{k_{AB}^{i}} ( {\pi} / {2} ) \vert \psi _{i} \rangle \) and \(\vert A_{E} \rangle _{i} = \mathcal{R}_{E^{i}} ( {\pi} / {2} ) \vert \psi _{i} \rangle \) are orthogonal, the fidelity is zero. Then, the estimated \(E^{i}\) is orthogonal to \(k_{AB}^{i} = ( \pi /4,0 )\). In addition, the closer they are to each other, the closer their fidelity is to 1, implying that \(E^{i}\) and \(k_{AB}^{i}\) have the same components. If fidelity is 0, that is \(E^{i} = ( {3\pi} / {4},\pi )\), then Eve fails to pass the verification process. Therefore, as the integral ratio of the average fidelity approaches 1, the QIA scheme cannot guarantee security against Eve’s impersonation attack. In Fig. 3, the integral ratio of the average fidelity for all \(E^{i}\) values that Eve can select is 0.6555. As the number of authentication sequence N increases, integral ratio of the average fidelity gradually approaches 0, as shown in Fig. 4. Specifically, when N is 2, 5, 10, and 20, the integral ratio of the average fidelity is 0.5000, 0.3073, 0.1979, and 0.1229, respectively. When N increases to 30, the ratio becomes 0.0920. Therefore, as N increases, Eve cannot pass the verification process, and the proposed QIA scheme ensures security against impersonation attacks.

Average fidelity when the number of identity authentication sequences N is 1, 2, 5, 10, 20, and 30 on 3D; the integral ratio in this plot is 0.6555, 0.5000, 0.3073, 0.1979, 0.1229, and 0.0920, respectively

Full size image

Next, we analyzed the security of the secret key of the proposed QIA scheme by analyzing Eve’s intercept-and-resend attack to obtain secret key information. Similar to the impersonation attack, Eve cannot estimate the exact secret key information by measuring the challenge qubits from Bob. Therefore, Eve attempts to estimate the secret key while intercepting Alice and Bob. Eve first stores the challenge qubit \(\vert Q \rangle \) sent by Bob and then transmits \(\vert 0 \rangle \) to Alice to extract the secret key information. Subsequently, Eve applies the unitary operator corresponding to the secret key estimated by Alice’s response qubit \(\vert A ' \rangle _{i} = \mathcal{R}_{k_{AB}^{i}} ( {\pi} / {2} ) \vert 0 \rangle \) to the stored challenge qubit. Thus, Eve can obtain fidelity between \(\vert 0 \rangle \) state and \(\vert A ' \rangle _{i}\) with secret key information: \(F= \vert \langle 0 | A ' \rangle _{i} \vert = \vert \langle 0 \vert \mathcal{R}_{k_{AB}^{i}} ( {\pi} / {2} ) \vert 0 \rangle \vert = { \vert 1-i \cos \theta _{j} \vert } / {\sqrt{2}}\). Assuming that the same secret key is used for each sequence, \(\theta _{j}\) seems to be known, but the key is different for each sequence. Furthermore, the polar angle \(\theta _{j}\) of the secret key can be estimated, but not the azimuth angle \(\phi _{j}\). When \(c_{i} =0\), the probability of estimating the exact secret key is related to fidelity as follows:

Here, \(\vert R_{E} \rangle _{i} = \mathcal{R}_{E^{i}} ( {\pi} / {2} ) \vert \psi _{i} \rangle \) is estimated by Eve. If the state in the verification phase is \(\vert R_{E} \rangle _{i}\) before measurement, then the probability that the result \(\vert R \rangle _{i}\) occurs is \(P_{R}\) for all possible secret key information estimated by Eve; \(p_{R} ( \theta _{E^{i}}, \phi _{E^{i}} )\) is the probability of estimating the exact secret key at a specific value \(( \theta _{E^{i}}, \phi _{E^{i}} )\), where \(0\leq \theta _{E^{i}} \leq \pi \), and \(0\leq \phi _{E^{i}} <2\pi \). Therefore, for all secret keys \(E^{i}\) estimated by Eve, the square of the probability that the result is \(\vert R \rangle _{i}\) is the integral ratio of fidelity. The probability that Eve succeeds in the intercept-and-resend attack can be calculated as the integral ratio of fidelity: \(( {\int F \,dv} / {\int dv} )^{2}\). As the authentication sequence N is performed several times, the probability of Eve’s success decreases, \(( {\int F \,dv} / {\int dv} )^{2N}\). Thus, the probability of Eve being detected is

As shown in Fig. 5, when N is 17, \(P_{\mathrm{fail}} =0.999999\); hence, the probability of Eve being detected is \(P_{\mathrm{fail}} \approx 1\).

Probability \(P_{\mathrm{fail}}\) of Eve being detected increases as the number of authentication sequence N increases. If \(N \geq 16.36\), \(P_{\mathrm{fail}} \geq 0.999999 \) is satisfied

Full size image

4.1 Quantum message authentication scheme

The schematic representation of QMA using the key-controlled MMQSE method is given in Fig. 6. In the QMA scheme, verifier Bob confirms the integrity of the message and authenticates the origin of the message from sender Alice. The proposed QMA scheme consists of three phases: preparation, message authentication, and verification.

Schematic representation of QMA. Alice generates a QMAC corresponding to the message and sends them to Bob. Bob verifies the QMAC using the message to complete the message authentication process

Full size image

4.1.1 Preparation phase

Alice and Bob pre-share the secret key \(K_{AB}\) as in the proposed QIA scheme. Then, Alice generates the message \(M= ( m_{1} \Vert m_{2} \Vert \cdots \Vert m_{i} \Vert \cdots \Vert m_{N} )\), where \(m_{i} \in \{ 0,1 \}\). Subsequently, Alice generates the initial quantum state \(\bigotimes _{i=1}^{N} \vert \psi _{i} \rangle _{m_{i}}\), where \(\vert \psi _{i} \rangle = \cos ( {\alpha _{i}} / {2} ) \vert 0 \rangle + \mathrm{e}^{i \beta _{i}} \sin ( {\alpha _{i}} / {2} ) \vert 1 \rangle \). If \(m_{i} =\)0, then \(\vert \psi _{i} \rangle _{0} = \vert \psi _{i} \rangle \); else \(\vert \psi _{i} \rangle _{1} = \vert \psi _{i} \rangle _{\bot} \), where \(\vert \psi _{i} \rangle _{\bot} \) is orthogonal to \(\vert \psi _{i} \rangle \). As in the QIA schemes, the pair of angles \(( \alpha _{i}, \beta _{i} )\) and secret key angles \(( \theta _{j}, \phi _{j} )\) satisfy the condition of Eq. (1). Furthermore, with specific values \(\alpha _{i} =2 \arctan ( \sin \theta _{j} + \sqrt{1+ \sin ^{2} \theta _{j}} )\) and \(\beta _{i} = \phi _{j} + \theta _{j}\), the quantum states are completely dependent on the secret key information.

4.1.2 Message authentication phase

Alice generates a sequence of N QMAC, \(\vert \mathrm{QMAC} \rangle = \bigotimes _{i=1}^{N} \vert \mathrm{QMAC} \rangle _{i}\), by applying the single qubit rotation operator \(\mathcal{R}_{k_{AB}^{i}} ( {\pi} / {2} )\) to the initial quantum states as \(\vert \mathrm{QMAC} \rangle _{i} = \mathcal{R}_{k_{AB}^{i}} ( {\pi} / {2} ) \vert \psi _{i} \rangle _{m_{i}}\). If \(m_{i} =0\), \(\vert \mathrm{QMAC} \rangle _{i} = \vert R \rangle _{i} = \mathcal{R}_{k_{AB}^{i}} ( {\pi} / {2} ) \vert \psi _{i} \rangle \) else \(\vert \mathrm{QMAC} \rangle _{i} = \vert L \rangle _{i} = \mathcal{R}_{k_{AB}^{i}} ( {\pi} / {2} ) \vert \psi _{i} \rangle _{\bot} = \mathcal{R}_{k_{AB}^{i}} ( - {\pi} / {2} ) \vert \psi _{i} \rangle \). \(\vert R \rangle _{i} \) and \(\vert L \rangle _{i}\) are orthogonal. Subsequently, Alice transmits M and \(\vert \mathrm{QMAC} \rangle \) to Bob.

4.1.3 Verification phase

Bob performs a single qubit measurement to \(\vert \mathrm{QMAC} \rangle \) using the measurement operator \(B= \vert R \rangle _{i i} \langle R \vert - \vert L \rangle _{i i} \langle L \vert \). Because Bob has the secret key \(K_{AB}\), he can obtain the measurement outcome \(M'\). If Bob’s measurement outcome is \(\vert R \rangle _{i}\), \(m_{i} ' =0\). However, if the measurement outcome is \(\vert L \rangle _{i}\), \(m_{i} ' =1\). Finally, Bob verifies Alice’s message by comparing M and \(M'\). If \(M=M'\), the message M is authenticated; else, Bob aborts the message authentication process.

4.2 Security analysis

In the proposed QMA scheme, Eve intends to disturb the message origin authentication and contaminates the message integrity without being detected. Thus, Eve causes confusion about the origin of the message by generating a quantum message that only legitimate users can create (security of the message origin). Alternatively, Eve forgeries the message to induce incorrect message delivery (impossibility of forgery).

First, we analyze the security of the message origin, in which Eve generates illegal quantum messages to cause confusion about the origin of the message, and show a security analysis of the proposed QMA scheme using fidelity. Eve attempts to cause confusion about the message origin using arbitrary classical messages \(M_{E} = ( m_{E^{1}} \Vert m_{E^{2}} \Vert \cdots \Vert m_{E^{i}} \Vert \cdots \Vert m_{E^{N}} )\), where \(m_{E^{i}} \in \{ 0,1 \}\), and QMAC \(\vert \mathrm{QMAC}_{\mathrm{E}} \rangle = \bigotimes _{i=1}^{N} \mathcal{R}_{E^{i}} ( {\pi} / {2} ) \vert \psi _{E^{i}} \rangle _{m_{E^{i}}}\) pairs because only legitimate users know the secret key. When \(m_{E^{i}} =0\) in the ith sequence, the fidelity between legitimate quantum message \(\vert \mathrm{QMAC} \rangle _{i} = \mathcal{R}_{k_{AB}^{i}} ( {\pi} / {2} ) \vert \psi _{i} \rangle \) and Eve’s quantum message \(\vert \mathrm{QMAC}_{\mathrm{E}} \rangle _{i} = \mathcal{R}_{E^{i}} ( {\pi} / {2} ) \vert \psi _{E^{i}} \rangle \) is as follows:

Eve generates the initial quantum state \(\vert \psi _{E^{i}} \rangle = \cos ( {\alpha _{E^{i}}} / {2} ) \vert 0 \rangle + \mathrm{e}^{i \beta _{E^{i}}} \sin ( {\alpha _{E^{i}}} / {2} ) \vert 1 \rangle \) with specific value \(\alpha _{E^{i}} =2 \arctan ( \sin \theta _{E^{i}} + \sqrt{1+ \sin ^{2} \theta _{E^{i}}} )\) and \(\beta _{E^{i}} = \phi _{E^{i}} + \theta _{E^{i}}\) using secret key information \(E^{i} = ( \theta _{E^{i}}, \phi _{E^{i}} )\) estimated by Eve. Therefore, Eve’s initial quantum states are completely dependent on the \(E^{i} = ( \theta _{E^{i}}, \phi _{E^{i}} )\). The fidelity of QMAC is shown in Fig. 7.

Fidelity between legitimate QMAC \(\vert \mathrm{QMAC} \rangle _{i} = \mathcal{R}_{k_{AB}^{i}} ( {\pi} / {2} ) \vert \psi _{i} \rangle \) and Eve’s QMAC \(\vert \mathrm{QMAC}_{\mathrm{E}} \rangle _{i} = \mathcal{R}_{E^{i}} ( {\pi} / {2} ) \vert \psi _{E^{i}} \rangle \) on (a) 3D, and (b) 2D contour plot. \(\theta _{E^{i}}\) and \(\phi _{E^{i}}\) are the polar and azimuthal angles of the secret key \(E^{i}\) estimated by Eve, respectively

Full size image

When \(m_{i} =0\), i.e., \(\vert \mathrm{QMAC} \rangle _{i} = \vert R \rangle _{i}\), the range of the polar angle of the \(\vert \mathrm{QMAC} \rangle _{i}\) is from \(\pi /4\) to \(\pi /2\). However, since there is no \(E^{i}\) where \(\vert \mathrm{QMAC}_{\mathrm{E}} \rangle _{i}\) is orthogonal to \(\vert \mathrm{QMAC} \rangle _{i}\) corresponding to \(k_{AB}^{i} = ( \pi /4,0 )\), the fidelity cannot be 0 in Fig. 7. If \(E^{i} = ( \pi /4,0 )\) and \(k_{AB}^{i}\) are the same, then the fidelity is 1. In Fig. 7, even if \(E^{i}\) is different from the actual secret key, the fidelity can be 1 when \(\vert \mathrm{QMAC}_{\mathrm{E}} \rangle _{i} = \vert \mathrm{QMAC} \rangle _{i}\). However, Eve’s probability of manipulating and selecting such a scenario is almost 0. Therefore, assuming that Eve knows the classical message \(m_{i}\) that Alice wants to send, the fidelity integral ratio for all \(E^{i}\) that Eve can select is 0.7517. As in QIA, as the number of authentication sequence N increases, the quantum message is represented by the product state \(\vert \mathrm{QMAC}_{\mathrm{E}} \rangle = \bigotimes _{i=1}^{N} \vert \mathrm{QMAC}_{\mathrm{E}} \rangle _{i} = \bigotimes _{i=1}^{N} \mathcal{R}_{E^{i}} ( {\pi} / {2} ) \vert \psi _{E^{i}} \rangle \), and the fidelity integral ratio gradually approaches zero, as shown in Fig. 8. Specifically, when N is 2, 5, 10, and 20, the fidelity integral ratio is 0.6020, 0.3895, 0.2641, and 0.1730, respectively. When N increases to 30, the fidelity integral ratio becomes 0.1314. Therefore, as N increases, Eve cannot send the intended message and is not authenticated as the legitimate user Alice. Thus, the proposed QMA scheme ensures the security of the message origin.

Fidelity when the number of message authentication sequences N is 1, 2, 5, 10, 20, and 30 on 3D; the integral ratio in this plot is 0.7517, 0.6020, 0.3895, 0.2641, 0.1730, and 0.1314, respectively

Full size image

Next, we analyze the security of the proposed QMA scheme using Eve’s forgery strategy that attempts to violate the integrity of the message and QMAC pair. Eve’s purpose is to forge the message and QMAC pair owned by Alice to pass the verification process undetected. Eve flips the bit of message M, and applies an arbitrary unitary operator \(U_{E^{i}}\) to \(\vert \mathrm{QMAC} \rangle _{i}\). The forged QMAC \(\vert \mathrm{QMAC}_{E} \rangle _{i}\) in which Eve applies \(U_{E^{i}}\) to \(\vert \mathrm{QMAC} \rangle _{i}\) is as follows:

Eve performs message authentication using the forged message \(M_{E}\) and QMAC \(\vert \mathrm{QMAC}_{E} \rangle _{i}\). For example, we consider the case of rotation axis \(k_{AB}^{i} = ( 0,0 )\) and initial quantum state \(\vert \psi _{i} \rangle = \frac{1}{\sqrt{2}} ( \vert 0 \rangle + \vert 1 \rangle )\). Then, \(\vert \mathrm{QMAC} \rangle _{i} \in \{ \vert R \rangle _{i}, \vert L \rangle _{i} \}\) that Alice transmits to Bob is as follows:

Eve flips the message bit and applies the unitary operator \(U_{E^{i}} = \mathcal{R}_{\hat{Z}} ( \pi )\) to \(\vert \mathrm{QMAC} \rangle _{i}\) for the forgery sequence. If \(m_{i} =0\), Eve forges message bit to \(m_{E^{i}} =1\) and \(\vert \mathrm{QMAC} \rangle _{i}\) to \(\vert \mathrm{QMAC}_{E} \rangle _{i} = \mathcal{R}_{\hat{Z}} ( \pi ) \vert R \rangle _{i} = \vert L_{E} \rangle _{i}\). Figure 9 presents Eve’s forgery for message and QMAC pair using \(U_{E^{i}} = \mathcal{R}_{\hat{Z}} ( \pi )\) when the secret key is \(k_{AB}^{i} = ( 0,0 )\).

Eve’s forged message and QMAC pair using \(U_{E^{i}} = \mathcal{R}_{\hat{Z}} ( \pi )\) when the secret key is \(k_{AB}^{i} = ( 0,0 )\). (a) Eve forges QMAC \(\vert R \rangle _{i}\) to \(\vert L_{E} \rangle _{i}\) when \(m_{i} =0\). (b) Eve forge QMAC \(\vert L \rangle _{i}\) to \(\vert R_{E} \rangle _{i}\) when \(m_{i} =1\)

Full size image

For Eve to succeed in forgery, \(E^{i} = k_{AB}^{i}\) must be satisfied. We consider a universal quantum NOT gate (U-NOT) that evolves any arbitrary quantum state \(\vert \psi \rangle \) into \(\vert \psi \rangle _{\bot} \). If Eve flips the message bit and performs U-NOT instead of \(U_{E^{i}}\) in Eq. (8), in forgery for any rotation axis \(k_{AB}^{i} \) will be successful. However, being an antiunitary operator, the U-NOT gate can only partially be implemented [46–48]. If Eve attempts forgery using a gate approximated to the U-NOT gate, the probability of evolving \(\vert \psi \rangle \) into \(\vert \psi \rangle _{\bot} \) is \(2/3\). Thus, the probability of Eve being detected is

As shown in Eq. (10), when N is 14, \(P_{\mathrm{fail}}\) reaches 0.999999, indicating that the probability of Eve being detected is approximately 1. Therefore, in practice, Eve’s forgery of messages and QMAC pairs are impossible.

This section compares the proposed quantum authentication schemes with previously proposed schemes. Subsequently, we demonstrate that the proposed schemes are robust to noise through several important noise cases. In addition, we calculated the point where the probability of Eve being detected and the probability of success in a secure authentication process in a noisy environment are optimal for the number of sequences.

5.1 Comparison

We compared the proposed quantum authentication schemes with previously proposed schemes. Most previously proposed schemes were designed without considering the feasibility of implementing factors such as quantum sources, quantum operations, quantum measurements, and the number of quantum transmissions. First, quantum authentication schemes based on entangled states, such as the Bell or GHZ states, are difficult to generate and maintain [34–36]. It is difficult to generate and maintain high quality entangled states using spontaneous parametric down-conversion [49–51]. Second, most methods implement quantum operations, such as the controlled operation of two or more qubits, probabilistically [37–39]. Even the antiunitary operations are practically impossible to implement [46–48]. Third, quantum measurements, such as the swap test and BSM, cannot be completely implemented using linear optics [40–42, 52]. The swap test is only probabilistically implemented, and the BSM based on linear optics cannot measure the Bell state \(\vert \Phi ^{\pm} \rangle \). Finally, noise on the quantum channel reduces the efficiency of quantum authentication schemes as the number of quantum transmissions increases. Conversely, because our QIA and QMA schemes are based on the key-controlled MMQSE method, they are feasible and efficient for implementation. In the proposed method, the single qubits and single qubit measurement corresponding to the secret key facilitate the quantum state preparation and measurement process. Single qubit rotation operators for encryption are simpler to implement than multi qubit or antiunitary operations. Moreover, our schemes are robust to noise because the number of quantum transmissions is less [44], and highly efficient because the sequences used as decoy qubits can also be used as authentication qubits [21, 43]. Decoy qubits added for protocol security are difficult to implement in practice, and no research has been published on their implementation to date. Tables 1 and 2 compare the quantum sources, quantum operations, quantum measurements, and the number of quantum transmissions between the proposed and conventional quantum authentication schemes.

In Table 1, our QIA scheme uses N single qubits as the quantum source, compared to the control mutual quantum entity authentication scheme using 2N GHZ-like states proposed by Kang et al. in 2018 [16]. Our QIA scheme applies only N rotation operators and performs only 2N quantum transmissions, compared with the quantum identification scheme with many quantum operations and quantum transmissions proposed by Choi et al. in 2020 [21]. Our QIA scheme performs single qubit measurement instead of two or more qubits measurement, such as the BSM used in the scheme proposed by Dutta et al. in 2022 [17]. In Table 2, compared with the simple QMA scheme proposed by Curty et al. in 2002 [22], our QMA scheme uses N single qubits. Finally, in Table 2, compared with the QMA schemes proposed by Bartkiewicz et al. in 2014 [23] and Kang et al. in 2021 [25], our QMA scheme has fewer operations and quantum transmissions and does not use the swap test.

5.2 Analysis of noise environment

The proposed schemes are robust to noise because the number of quantum transmissions is less than that of other schemes. Even without eavesdropping, we analyze the authentication efficiency for noises in the quantum channels using fidelity. There are several important examples of noise in a quantum channel: bit flip noise, phase flip noise, bit-phase flip noise, and depolarizing noise. In noisy environments, noise causes authentication errors even in the absence of eavesdroppers. The fidelity integral ratio without noise is 1. As noise increases gradually, the fidelity integral ratio decreases. However, when there was no noise and only eavesdropping in the channel, the fidelity integral ratios were 0.6555 and 0.7517 in QIA and QMA, respectively. Therefore, the valid upper bound for the bit flip noise rate \(( \epsilon _{b} )\), phase flip noise rate \(( \epsilon _{p} )\), bit-phase flip error rate \(( \epsilon _{b+p} )\), and depolarizing noise rate \(( \epsilon _{d} )\) is calculated for the security of the proposed schemes [45].

The simulation results in Fig. 10 indicate that QIA, which performs quantum transmission twice, is more affected by noise than QMA, which performs quantum transmission once. Figure 10(a) shows that in QIA, the integral ratio of the average fidelity decreases similarly for all noises but is slightly more sensitive to bit-phase flip noise, represented by red lines and dots. The upper bound of the valid noise rate not exceeding the integral ratio of the average fidelity 0.6555 when Eve eavesdrops is \(\epsilon _{b} \leq 5.79\%\), \(\epsilon _{p} \leq 5.79\%\), \(\epsilon _{b+p} \leq 5.78\%\), and \(\epsilon _{d} \leq 5.79\%\); the corresponding integral ratio of the average fidelity for each upper bound of the valid noise rate are 0.6556, 0.6557, 0.6557, and 0.6557, respectively. Figure 10(b) shows that in the QMA, the slope of the fidelity integral ratio decreases differently. The slope decreases more rapidly for bit flip noise than in others. This is because the polar angle range of the \(\vert \mathrm{QMAC} \rangle _{i} = \vert R \rangle _{i}\) state used in the simulation is set to \(\pi /4\sim \pi /2\); if bit flip noise occurs in the \(\vert R \rangle _{i} \) state, the result is closer to the \(\vert L \rangle _{i} \) state rather than \(\vert R \rangle _{i} \) state unconditionally. Therefore, the probability that the fidelity is closer to zero increases and the integral ratio of fidelity decreases more rapidly. The upper bound of the valid noise rate not exceeding the fidelity integral ratio of 0.7517 when Eve eavesdrops is \(\epsilon _{b} \leq 9.83\%\), \(\epsilon _{p} \leq 30.90\%\), \(\epsilon _{b+p} \leq 9.83\%\), and \(\epsilon _{d} \leq 17.90\%\); the corresponding fidelity integral ratios in each upper bound of the valid noise rate are 0.7518, 0.7521, 0.7518, and 0.7518.

In the proposed QIA and QMA schemes (a) average fidelity integral ratio, and (b) fidelity integral ratio to noise rate

Full size image

If the noise rate of the quantum channel is higher than the upper bound of the valid noise rate, security of the proposed scheme cannot be guaranteed because it is impossible to determine whether the authentication error is due to noise in the quantum channel or eavesdropping by Eve. In addition, as the number of transmissions increases, the noise rate increases. This reduces the integral ratio of fidelity and increases authentication errors. Quantum authentication schemes with many transmissions are not robust to noise because the upper bound of the valid noise rate increases. Therefore, the proposed quantum authentication schemes are efficient and secure because they reduce the number of quantum transmissions.

Furthermore, we can also calculate the upper bound of the valid noise rate in various types of noisy environments. For example, if bit flip, phase flip, and bit-phase flip noise occur simultaneously with the different probabilities \(p_{1}\), \(p_{2}\), and \(p_{3}\), respectively. Subsequently, the noise operator for two or more types of noise at the same time in the quantum channel can be expressed as follows:

In Eq. (11), depolarizing noise occurs when \(p_{1} = p_{2} = p_{3}\). Using Eq. (11), QIA and QMA fidelity can be expressed with respect to the noise operator \(E_{\mathrm{mix}}\), and according to Eq. (5), the (average) fidelity integral ratio can be calculated. Finally, the upper bound of the valid noise ratio can also be expressed as a function of probabilities \(p_{1}\), \(p_{2}\), and \(p_{3}\), after which it can be analyzed in a more straightforward manner.

In the proposed QIA scheme, when the number of authentication sequences \(N=17\), the probability of Eve being detected is \(P_{\mathrm{fail}} \approx 1\), i.e., a user can complete a secure authentication process against Eve. Therefore, even in a noisy environment, at least \(N =17\) authentication sequences must be performed for secure authentication. Similarly, in the QMA scheme, \(N \geq 25\) must be applied. Quantitatively, the probability of success in a secure authentication process in a noisy environment is \(P_{\mathrm{QIA}| \epsilon} ( N ) = \sum_{r=0}^{1} {}_{N} C_{r} p^{r} ( 1-p )^{N-r}\) and \(P_{\mathrm{QMA}| \epsilon} ( N ) = \sum_{r=0}^{2} {}_{N} C_{r} p^{r} ( 1-p )^{N-r}\), which depends on the valid noise rate ϵ. r is the number of times noise occurring in the total sequence N and depends on the valid noise rate. In quantum cryptography systems, the quantum bit error rate is typically less than 3%, and depends on the system form, distance, and environment and is particularly affected by channel noise [53–56]. Therefore, we assume that the noise p of the quantum channel occurs at 3%. Specifically, in the QIA scheme, for the quantum states passing through the quantum channels to be robust to noise, noise should not occur more than twice in the 17 sequences. Therefore, even in noisy environments, the probability of success in a secure authentication process \(P_{\mathrm{QIA}| \epsilon} ( N )\) is 90.91%. Similarly, in the QMA scheme, \(P_{\mathrm{QMA}| \epsilon} ( N )\) is 96.20% when the number of authentication sequences N is 25. As the sequence increases, the quantum state is frequently exposed to noise. Thus, the probability of success in a secure authentication process decreases. Figure 11 shows the optimal point between the probability of Eve being detected and the probability of success in a secure authentication process in a noisy environment for the number of authentication sequences. Therefore, the most optimal number of sequences is when \(N=6\) in QIA and \(N=11\) in QMA. Here, the probability of Eve being detected is \(P_{\mathrm{fail}} ( N=6 ) =0.9937\) in the QIA and \(P_{\mathrm{fail}} ( N=11 ) =0.9981\) in the QMA.

Optimal number of authentication sequences between the probability of Eve being detected \(P_{\mathrm{fail}} ( N )\) and probability of success in a secure authentication process in a noise environment; \(P_{\mathrm{QIA}| \epsilon} ( N ) = \sum_{r=0}^{1} {}_{N} C_{r} p^{r} ( 1-p )^{N-r}\), \(P_{\mathrm{QMA}| \epsilon} ( N ) = \sum_{r=0}^{2} {}_{N} C_{r} p^{r} ( 1-p )^{N-r}\) (a) QIA and (b) QMA schemes

Full size image

We propose a key-controlled MMQSE method that uses only a single qubit operation with remarkable advantages in terms of implementation. First, the rotation operator corresponding to single qubit operation can be easily implemented by combining half- and quarter-wave plates in linear optics. Second, because the rotation angle of the rotation operator is fixed, legitimate users possessing the secret key can easily decrypt it using only a single qubit measurement. Third, using a single qubit instead of an entangled state makes generating and maintaining quantum sources easy. We apply this to the QIA and QMA schemes and confirm the legitimacy of an identity or message by performing a single qubit operation. They provide unconditional security because of the arbitrary rotation axis corresponding to the pre-shared secret information. This implies that the security of a quantum channel can be verified without decoy qubits. Furthermore, our schemes are robust to noise because they perform fewer quantum transmissions in real quantum-channel noise environments.

We analyzed the security of the proposed quantum authentication scheme using Uhlmann’s fidelity against various eavesdropper attacks. We demonstrated the relationship between the integral ratio of the Uhlmann’s fidelity and the probability of successful eavesdropping. Using the QIA scheme, we proved the security of our scheme against impersonation and intercept-and-resend attacks. We estimate the probability of successful eavesdropping by Eve as the fidelity integral ratio and demonstrate that the probability of Eve being detected is almost 1 when the number of authentication sequences is 17. We prove the security of our QMA scheme by analyzing the message origin and the impossibility of forgery using the fidelity integral ratio. In addition, the probability of Eve forging the message and QMAC pair is almost zero when the number of authentication sequences is 14.

Subsequently, we show that our schemes improve efficiency compared to previously proposed schemes in terms of quantum sources, quantum operations, quantum measurements, and quantum transmissions. The proposed schemes are robust to noise because the number of quantum transmissions required is less compared to other schemes. We demonstrate the integral ratio of the Uhlmann’s fidelity to the noise rate in the proposed QIA and QMA schemes, even without eavesdropping. We also calculated the upper bound of the valid noise ratio, which did not exceed the fidelity integral ratio when Eve eavesdropped. In the QIA scheme, the upper bound of the valid noise is \(\epsilon _{b} \leq 5.79\%\), \(\epsilon _{p} \leq 5.79\%\), \(\epsilon _{b+p} \leq 5.78\%\), and \(\epsilon _{d} \leq 5.79\%\). In the QMA scheme, the upper bound of the valid noise rate is \(\epsilon _{b} \leq 5.79\%\), \(\epsilon _{p} \leq 5.79\%\), \(\epsilon _{b+p} \leq 5.78\%\), and \(\epsilon _{d} \leq 5.79\%\). Furthermore, the optimal number of sequences determined was \(N=6\) in QIA and \(N=11\) in QMA. Therefore, we demonstrated QIA and QMA schemes that are secure, convenient, and feasible using the key-controlled MMQSE method.

The datasets used and analyzed during the current study are available from the corresponding author on reasonable request.

The authors would like to thank the editor and anonymous reviewers for their valuable suggestions.

This work was supported by the National Research Foundation of Korea (NRF) (2021M1A2A2043892, 2022M3K4A1097119), Institute for Information and Communications Technology Promotion (IITP) (2020-0-00890), the Commercializations Promotion Agency for R&D Outcomes (2022SCPO_B_0210), KREONET Advanced Research Program Grant from KISTI, and KIST research program (2E31531, 2E32801).

Authors and Affiliations

1. Center for Quantum Information, Korea Institute of Science and Technology (KIST), Seoul, 02792, Republic of Korea

   Na-Hee Lim, Ji-Woong Choi & Sang-Wook Han

2. Division of Nano and Information Technology, Korea Institute of Science and Technology School, Korea University of Science and Technology, Seoul, 02792, Republic of Korea

   Na-Hee Lim & Sang-Wook Han

3. Korean Intellectual Property Office (KIPO), Government Complex Daejeon Building 4, 189, Cheongsa-ro, Seogu, Daejeon, 35208, Republic of Korea

   Min-Sung Kang

4. Department of Physics, Korea University, Sejong, 30019, Republic of Korea

   Hyung-Jin Yang

Contributions

S.-W.H. planned and supervised the research. N.-H.L. and J.-W.C. designed protocols. J.-W.C., M.-S.K., and H.-J.Y. analyzed the security of protocols; all authors contributed to analysis and discussion of the performances. N.-H.L., J.-W.C. and S.-W.H. wrote the manuscript with input from all authors.

Corresponding author

Correspondence to Sang-Wook Han.

Competing interests

The authors declare no competing interests.

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Na-Hee Lim and Ji-Woong Choi contributed equally to this work.

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions