 Research
 Open Access
 Published:
Security and application of semiquantum key distribution protocol for users with different quantum capabilities
EPJ Quantum Technology volume 10, Article number: 21 (2023)
Abstract
Semiquantum protocols serve as a bridge between quantum users and “classical” users with limited quantum capabilities, providing support for application scenarios that cannot afford the excessively high cost of quantum resources. In this paper, we present a semiquantum key distribution (SQKD) protocol based on Bell states and single particles, which is designed for key distribution between different types of users. The protocol enables simultaneous key distribution between quantum and classical users, as well as key establishment between two classical users. The security analysis demonstrates that the protocol can reach the same level of security as the full quantum protocol. Furthermore, we extrapolate the proposed protocol to other semiquantum protocols, such as semiquantum key agreement and semiquantum private comparison protocols. Compared with previous similar ones, our SQKD protocol and its extended versions can fulfill the requirements of their respective counterparts individually. Therefore, our SQKD protocol has the potential for broader applications in practical scenarios.
1 Introduction
Quantum communication [1–3] has experienced significant advancements in recent decades due to its security based on quantum laws rather than computational complexity. Using quantum resources to solve problems in classical communication has become a research hotspot. Quantum key distribution (QKD), a critical branch of quantum communication, is aimed at enabling two quantum users to securely share a secret key, even in the presence of an allpowerful adversary, commonly referred to as Eve. For further investigation on this topic, the reader is referred to the literature cited in references [4–6].
Traditionally, QKD requires all users to possess full quantum capabilities to ensure the security of the protocol. However, given the current technological limitations, not all users may be able to afford the high costs associated with quantum devices. This raises the question of how many quantum resources are necessary to achieve unconditional security, or whether all users in a communication scheme need to have the ability to generate and measure arbitrary quantum states.
Fortunately, Boyer et al. provided an answer to this question by proposing a semiquantum key distribution (SQKD) scheme that reduces the quantum capability of one party compared to QKD [7, 8]. In the SQKD protocol, one user, referred to as the “quantum” user, possesses full quantum power, while the other user, known as the “classical” or “semiquantum” user, has limited quantum capabilities. The classical user is typically only capable of preparing and measuring quantum states in the computational base \(\{0\rangle,1\rangle \}\), performing direct reflection, and reordering operations. As our society moves towards practical implementation of quantum communication networks, semiquantum models may offer advantages such as potentially reducing the cost of devices (since fewer “quantumcapable” hardware may be required) or increasing the robustness of devices against hardware failures (by switching to the semiquantum operation mode in case of device failures). Semiquantum protocols provide an effective way to reduce the dependence of users on quantum resources, making SQKD an active area of research [9–12]. For example, in 2015, Krawec [9] demonstrated the unconditional security of SQKD protocol and derived the protocol’s key rate. Later, Zhang et al. [10] gave a security analysis of singlestate based SQKD protocol. By utilizing the errormatching measurement technique, the protocol’s noise tolerance [11] can be improved at the expense of efficiency. In addition, other types of semiquantum cryptography protocols were also investigated, such as semiquantum secure communication [13–15], semiquantum secret sharing [16, 17], and semiquantum private comparison [18–22]. For a comprehensive survey of the literature, the reader is referred to reference [23].
Mediated semiquantum key distribution (MSQKD) is a special kind of semiquantum protocol, which was initially introduced by Krawec [24] in 2015. MSQKD enables two “classical” users (Alice and Bob) to generate a secure key with the help of a third party (TP), whereas in regular SQKD, the key is shared between quantum and “classical” users. Since its introduction, several MSQKD protocols have been proposed with various quantum states and transport structures [25–30]. In Ref. [25], Krawec improved the key rate of the original MSQKD protocol by using an alternative method of proof. After that, Liu et al. [26] presented a new MSQKD protocol based on entanglement swapping, where the “classical” users do not require quantum measurement capability. Lin et al. [27] presented an MSQKD protocol with single photons instead of entangled ones to reduce the necessary quantum resources. Recently, Chen et al. [28] designed an MSQKD protocol using singleparticle states. Unlike the previous protocols, this protocol adopts the mode of circular transmission. Guskind et al. [29] improved the MSQKD protocol’s efficiency without requiring users’ additional capabilities. Besides, Krawec proposed a multiparty MSQKD protocol that involves two or more adversarial quantum servers assisting two “classical” users in establishing a secret key [30]. In 2023, Ye et al. [31] implemented the MSQKD protocol using Bell states and circular transmission, enabling more than two “classical” users to establish a secret key. In addition, there are some variants of the MSQKD protocol that require attention. Notably, Tsai and Yang [32, 33] introduced two modified versions of the MSQKD protocol, in which classical users possess the capability of performing lightweight unitary operations. These protocol variations aim to eliminate the need for bidirectional transmission by empowering classical users with enhanced abilities. In this way the impact of Trojan horse attacks on the semiquantum protocol can be avoided.
In the description above, SQKD realizes the key distribution between the quantum user and classical user, while MSQKD achieves the key sharing between classical users. SQKD and MSQKD play a crucial role in semiquantum communication protocols, especially in multiparty scenarios. Many semiquantum protocols, such as semiquantum identification [34] and semiquantum secure multiparty computation [35, 36], have to rely on them to guarantee the security of the protocol. However, executing SQKD and MSQKD separately for establishing key relationships between different users can reduce the protocol’s efficiency. Currently, there is no known semiquantum protocol that can achieve simultaneous key distribution among different users.
To address this limitation, in this paper, we present a novel SQKD protocol that utilizes Bell states and singleparticle states to establish key distribution between quantum and classical users, as well as between two classical users. This approach effectively reduces the complexity and cost of the secret key distribution process between different users. For the protocol’s security, we prove that it is informationtheoretically secure under different scenarios. The results show that our protocol may hold similar security to a fully quantum one. Furthermore, we generalize the proposed SQKD protocol to other semiquantum cryptography protocols, such as the semiquantum private comparison (SQPC) and semiquantum key agreement (SQKA), showcasing its versatility and potential for practical applications in other semiquantum scenarios. In summary, our work provides a promising solution for secure key distribution between different users in semiquantum environments, and it can be generalized to other types of semiquantum application scenarios.
The remaining organization of the paper is outlined as follows. Section 2 describes the detailed steps of the proposed SQKD protocol. In Sect. 3, the security of the proposed protocol is analyzed under different conditions, establishing its informationtheoretic security. In Sect. 4, the generalization of the SQKD protocol to other semiquantum protocols, including SQPC and SQKA protocols, is presented. Then, in Sect. 5, we compare the proposed protocols with their respective counterparts separately. Finally, this paper concludes in Sect. 6.
2 The proposed SQKD protocol
There are three users in our protocol, the quantum user TP who has full quantum capability, and the classical users Alice and Bob, whose abilities are limited. The classical users are limited to the following operations: (1) measure: measure the qubit in Z basis \(\{0\rangle,1\rangle \}\) and regenerate one in the same state (e.g., \(0\rangle \rightarrow 0\rangle \), \(1\rangle \rightarrow 1\rangle \)). (2) reflect: reflect the qubit directly. Note that the reordering operation is not required in this paper, and the classical user only needs to perform the measure or reflect operation.
Next, we introduce the classical channels used in the protocol. In standard practice, the classical channels used in quantum protocols require authentication, so Eve can only access the publicly available classical information and cannot change it [37, 38]. Consequently, all classical channels involved in this protocol, including those used in classical postprocessing, adhere to the requirement of authentication.
The detailed protocol steps are as follows (Note that the security for different users will be discussed later in the security analysis).
Step 1: TP prepares 4N Bell states all in the state of \(\phi ^{+}\rangle =\frac{1}{\sqrt {2}}(00\rangle +11\rangle )_{AB}\), and divides them into two sequences:
Then, TP prepares the other two sequences:
where each qubit is randomly from the set \(\{0\rangle, 1\rangle \}\).
Step 2: TP randomly inserts \(T_{A}\) (\(T_{B}\)) into \(S_{A}\) (\(S_{B}\)) to form a new sequence \(S^{*}_{A}\) (\(S^{*}_{B}\)). Subsequently, \(S^{*}_{A}\) and \(S^{*}_{B}\) will be sent to Alice and Bob, separately.
Step 3: For the arriving qubits, Alice (Bob) randomly chooses the measure or reflect operation. Alice (Bob) will record the measurement result, if she (he) chooses the measure operation.
Step 4: TP receives all the qubits and then divides the qubits of \(T_{A}\) (\(T_{B}\)) from qubits of \(S_{A}\) (\(S_{B}\)) and performs different measurements. In more detail, TP measures the qubits of \(T_{A}\) and \(T_{B}\) in the Z basis, while for qubits of \(S_{A}\) and \(S_{B}\) (i.e., \(P^{i}_{A}\) and \(P^{i}_{B}\), \(i\in \{1,2,\dots,4N\}\)) she will perform Bell measurements. After that, TP announces her measurement results of \(S_{A}\) and \(S_{B}\) and the positions of these qubits. Note that the measurement results of \(T_{A}\) and \(T_{B}\) are kept in her hands and not leaked to Alice and Bob (They will be discussed later).
Step 5: Alice and Bob discuss eavesdropping and TP’s honesty. Depending on Alice and Bob’s operations and the information provided by TP, the following three cases will happen (It is expected that there are N qubits in Case 1.):

Case 1: When Alice and Bob choose the measure operation on the qubits \(P^{i}_{A}\) and \(P^{i}_{B}\), they will obtain the same measurement result, and TP will publish the result as either \(\phi ^{+}\rangle \) or \(\phi ^{}\rangle \). Moreover, TP knows nothing about Alice and Bob’s measurements because she performs Bell measurements, not Zbasis measurements, on the qubits \(P^{i}_{A}\) and \(P^{i}_{B}\). Thus, Alice and Bob can establish a raw secret key sequence denoted as \(K_{AB}=[k^{1}_{AB},k^{2}_{AB},\dots,k^{N}_{AB}]\).

Case 2: When they choose the reflect operation on the qubits \(P^{i}_{A}\) and \(P^{i}_{B}\), TP should always publish \(\phi ^{+}\rangle \). This case is used for checking the honesty of TP and eavesdropping. If error rate surpasses the threshold, the protocol ends.

Case 3: If they perform different operations, this case will be discarded.
Step 6: After the eavesdrop check, Alice and Bob will discuss the operations performed on the sequence \(T_{A}\) (\(T_{B}\)) with TP. They first tell TP their operations on the qubits of \(T_{A}\) and \(T_{B}\). Note that in the sequence \(T_{A}\) (\(T_{B}\)), there are 2N qubits performed the measure operation and 2N qubits performed the reflect operation. As a result, three scenarios need to be considered:

(1) For the qubits performed the reflect operation, TP compares these qubits’ initial states and measurement results recorded in step 4. If the error rate is over high, the protocol terminates and restarts.

(2) For the qubits performed the measure operation (i.e., 2N qubits), Alice (Bob) first picks out N qubits and announces the measurement results to TP. Then, TP compares these announcements and her measurement results recorded in step 4. If there is no Eve online, Alice’s (Bob’s) measurements, TP’s measurements, and the initial state of these qubits, all three are the same. These qubits are used for eavesdropping checking.

(3) For the remaining N qubits that have been performed the measure operation, Alice’s (Bob’s) measurement results are the same as TP’s. Thus, Alice (Bob) and TP can establish a raw secret key sequence. At the same time, Bob (Alice) knows nothing about them. We use \(K_{TA}=[k^{1}_{TA},k^{2}_{TA},\dots,k^{N}_{TA}]\) (\(K_{TB}=[k^{1}_{TB},k^{2}_{TB}, \dots,k^{N}_{TB}]\)) to represent the secret key between Alice and TP (Bob and TP).
Step 7: After classical postprocessing, different users can obtain the final security key, i.e., TP, Alice, and Bob can respectively establish security keys among themselves.
3 Security analysis
In the above section, we gave the specific steps of the SQKD protocol. Here, we would like to investigate the security of the key distribution between different users. According to [39], security against collective attacks is enough to demonstrate security against arbitrary general attacks. Thereby, we focus on proving security against collective attacks.
3.1 Security of key distribution between the quantum and classical users
In this case, TP is trusted and she wants to establish secure keys with classical users. Alice and Bob play the same role in our protocol, either of whom can establish a secret key with TP. Without loss of generality, we analyze the security of the key distribution between TP and Alice. For the sake of description, both external and internal eavesdroppers will be referred to as Eve. Under collective attacks, the system of TP, Alice, and Eve can be described as
where \(\rho _{E}\) denotes the state of Eve’s ancilla. Let N denote the size of TP and Alice’s raw key, \(\ell (n)\) denote the length of secure key. Based on [4], our protocol’s key rate in the asymptotic scenario is
where \(S(\cdot )\) denotes the Von Neumann entropy, and \(H(\cdot )\) means the Shannon entropy. If \(r>0\), the protocol can obtain a secure secret key. Hence, the goal of the next stage is to analyze Eve’s attack strategy and compute the key rate r.
3.1.1 The attack strategy of Eve
Since the semiquantum protocol is a twoway protocol, the collective attacks can be modeled as two unitaries \(U_{E}\) and \(U_{F}\) (also see Fig. 1). Here, \(U_{E}\) is the attack operator applied on the qubits sent from TP to Alice while \(U_{F}\) is the attack operator applied on the qubits sent from Alice to TP. Note that \(U_{E}\) and \(U_{F}\) have a common probe space with an initial state of \(0\rangle _{E}\). In this kind of attack, Eve may perform \((U_{E},U_{F})\) on the target qubit and her probe \(0\rangle _{E}\) to extract some useful information. According to [9], the effects of \(U_{E}\) and \(U_{F}\) can be described as
where t and E represent the target qubit and Eve’s probe, respectively. \(E_{k}\) is determined by \((U_{E},U_{F})\) and \(i\in \{0,1\}\), \(k\in \{0,1,2,3\}\).
As described in the protocol, the raw key of TP and Alice, \(K_{TA}\), generates in the event that Alice and TP measure the qubits of \(T_{A}\). After Eve’s attack, the system changed as follows.
(1) Eve first launches \(U_{E}\) on the qubit from TP to Alice and her probe \(0\rangle _{E}\). After that, the density operator describing the system of TP and Eve is
where T denotes the qubit sent by TP, \(A^{\prime}\) represents the qubit after Eve’s attack and will be received by Alice.
(2) Alice measures the received qubit and resends a new qubit in the same state to TP. Then, Eve will launch \(U_{F}\) on the qubit from Alice to TP and \(E_{k}\rangle _{E}\). After Eve’s attack and TP’s measurement, the system becomes
where A and \(T^{\prime}\) denote Alice’s and TP’s measurement results, respectively. From (7), it not hard to see that Eve may obtain some secret keys of Alice and TP from her probe.
3.1.2 Key rate derivation
Let \(p_{x,i,j}\) represent the probability that the qubit sent by TP is \(x\rangle \), Alice’s observation is \(i\rangle \), and TP’s measurement result is \(j\rangle \). According to (7), \(p_{x,i,j}\) can be estimated as follows.
Note that TP and Alice can easily calculate the value of \(p_{x,i,j}\). Following the protocol steps, TP accepts the event that the state of the qubit being measured is the same as its initial state (i.e., \(x=j\)). Thereby, the final generated raw key system becomes
where C is the normalization coefficient and \(C=\sum^{1}_{i=0}\langle E^{0}_{i,i}E^{0}_{i,i}\rangle +\langle E^{1}_{i,i+2} E^{1}_{i,i+2}\rangle \).
We have now modeled Eve’s attack and obtained the density matrix of the collective system. Next, we will derive the protocol’s key rate, i.e., \(r=S(TE)H(TA)\). Obviously, calculating \(H(TA)\) is simple, so let’s start with this part of the calculation.
Let \(p_{i,j}\) mean the probability that Alice’s raw key is \(i\rangle \) and TP’s raw key is \(j\rangle \). Observing (9), we have
Thereby, it’s easy to obtain \(H(T,A)=H(p_{0,0},p_{0,1},p_{1,0},p_{1,1})\). Observing the system of Alice, the probability that Alice obtains \(0\rangle \) is \(p_{0,0}+p_{0,1}\), so that we have \(H(A)=H(p_{0,0}+p_{0,1},p_{1,0}+p_{1,1})\). Following this fact, we can calculate:
What remains to be calculated is \(S(TE)\). Tracing out A from \(\rho _{TAE}\) yields:
According to the theorem from [11]:
Theorem 1
Given a quantum state \(\rho ^{\prime}_{TE}\) of the form:
where \(N>0\) is a normalization term. Then, we have:
and \(h(x) = x \log_{2} x  (1  x) \log_{2} (1  x)\).
For the detailed proof process, the reader is referred to [11]. Applying Theorem 1 to (12), we can derive the result:
where
From (16) and (17), it’s easy to find that \(S(AT)\) depends on the parameters \(\langle \gamma _{i}\gamma _{i}\rangle \), \(\langle \eta _{i} \eta _{i}\rangle \), and \(\operatorname{Re}\langle \gamma _{i} \eta _{i} \rangle \). According to (8) and (18), the values of \(\langle \gamma _{i}\gamma _{i}\rangle \) and \(\langle \eta _{i} \eta _{i}\rangle \) can be obtained. Thereby, we need to bound \(\operatorname{Re}\langle \gamma _{i} \eta _{i} \rangle \), i.e., \(\operatorname{Re}\langle E^{0}_{0,0}E^{1}_{1,3}\rangle \) and \(\operatorname{Re}\langle E^{0}_{1,1}E^{1}_{0,2}\rangle \).
In the above analysis, we only focus on the case where the qubits come from the sequence \(T_{A}\) and are measured by Alice. Now let’s turn our attention to the case where the qubits come from \(\phi ^{+}\rangle \) and are directly reflected by Alice and Bob. It may provide a way to calculate \(\operatorname{Re}\langle \gamma _{i} \eta _{i} \rangle \). Specifically, after Eve’s attacks, the Bell state \(\phi ^{+}\rangle \) becomes
where
Then, TP measures the qubits with Bell basis and announces her measurements. If the measurement is not \(\phi ^{+}\rangle \), Alice knows there is an error raised. Here, we use \(p_{\psi ^{}}\), \(p_{\psi ^{+}}\), and \(p_{\phi ^{}}\) to represent the probabilities that TP’s outcomes are \(\psi ^{}\rangle \), \(\psi ^{+}\rangle \), and \(\phi ^{}\rangle \), respectively. According to (19), it’s easy to get
Note that \(U_{E}\) and \(U_{F}\) are unitary, which mean that \(\langle F_{0}F_{0}\rangle +\langle F_{1}F_{1}\rangle =\langle F_{2}F_{2} \rangle +\langle F_{3}F_{3}\rangle =1\). After some algebra, we have
Then, according to the Cauchy–Schwarz inequality (i.e., \(\operatorname{Re}\langle ab\rangle \le \langle ab \rangle \le \sqrt{\langle aa \rangle \langle bb\rangle}\)) and (8), the ranges of \(\operatorname{Re}\langle E^{0}_{0,0}E^{1}_{1,3}\rangle \) and \(\operatorname{Re}\langle E^{0}_{1,1}E^{1}_{0,2}\rangle \) can be obtained. It is important to point out that the value of \(\operatorname{Re}\langle E^{0}_{1,1}E^{1}_{0,2}\rangle \) is generally low, because \(\operatorname{Re}\langle E^{0}_{1,1}E^{1}_{0,2}\rangle \le \sqrt{p_{0,1,0}p_{1,0,1}}\), and \(p_{0,1,0}\), \(p_{1,0,1}\) represent the probability that TP and Alice measurements do not match, which is very small in the protocol, otherwise the protocol would be terminated due to the high error rate.
Therefore, we concentrate on minimizing the value of \(\operatorname{Re}\langle E^{0}_{0,0}E^{1}_{1,3}\rangle \). Let \(\operatorname{Re}\langle E^{0}_{1,1}E^{1}_{0,2}\rangle = \sqrt{p_{0,1,0}p_{1,0,1}}\), we have
The parameters in (24) can all be easily obtained by making observations of the channel. Then, following the values of \(\operatorname{Re}\langle E^{0}_{0,0}E^{1}_{1,3}\rangle \) and \(\operatorname{Re}\langle E^{0}_{1,1}E^{1}_{0,2}\rangle \) we can calculate (15), which in turn gives the value of \(S(TE)\). So far, we have derived the bounds of \(H(TA)\) and \(S(TE)\), thus, the protocol’s key rate can be derived.
3.1.3 Key rate evaluation
In this part, we parameterize the errors introduced by Eve’s attack to estimate the key rate of the protocol. The following are typical parametric assumptions [9, 11]:

1.
The quantum channels of TP to Alice and Alice to TP are the depolarization channel with parameter q:
$$\begin{aligned} \varepsilon _{q}(\rho )=(1q)\rho +\frac{q}{2}I. \end{aligned}$$(25)Moreover, the quantum channels are independent of each other.

2.
Let Q represent the probability that TP (Alice) sents single particle \(i\rangle \) while Alice (TP) observes \(1i\rangle \).

3.
Let \(Q_{R}\) represent the probability that TP announces the wrong result when Alice and Bob reflect the qubits of Bell states. That is, \(p_{\psi ^{+}}+p_{\psi ^{}}+p_{\phi ^{}}=Q_{R}\).
Single particles and Bell states will produce different results through depolarization channels. Through simple calculation, it’s not difficult to get: \(Q=q/2\) and \(Q_{R}=q(1q/2)=2Q(1Q)\). Note that Q can be easily observed in this protocol. Furthermore (8) can be represented by Q as follows
Then (10) can be rewritten as
where \(C=2(1Q)^{2}+2(1Q)Q\). For \(\operatorname{Re}\langle E^{0}_{0,0}E^{1}_{1,3}\rangle \) and \(\operatorname{Re}\langle E^{0}_{1,1}E^{1}_{0,2}\rangle \), applying (26) into (24), we have
Finally, the bounds of \(H(TA)\) and \(S(TE)\) are all denoted by Q. Thus, put it all together into the (4), the key rate r can be estimated by the variable Q. The relationship between r and Q is shown in Fig. 2. As long as \(Q \le 12.75\% \), we have \(r> 0\), that is, a secure key can be obtained by Alice and TP.
3.2 Security of key distribution between two classical users
In the proposed protocol, all quantum resources and complex quantum state measurements can only be accomplished by TP. If TP is adversarial, she will bring the greatest threat to classical users because she can take all possible attacks to steal helpful information, including preparing fake quantum states. Here we consider the worst scenario, where TP is adversarial and wants to steal the secrets of Alice and Bob. Besides, we do not separate natural noise and adversarial noise and briefly hypothesize that all errors are caused by TP’s attacks [29].
3.2.1 The attack strategy of TP
TP is adversarial, so she unnecessarily follows the protocol description to prepare Bell state, but instead any arbitrary state \(\Phi \rangle =\sum_{i,j=0}^{1} \zeta _{i,j}i,j\rangle \). Moreover, TP is allowed to perform any quantum operation, she may entangle her private ancilla with the target qubits. However, according to the protocol steps, she must announce the same message to Alice and Bob in the form of a Bell state, which serves as the basis for Alice and Bob to generate the key.
Following the security proof in [29], TP’s attack can be modeled as an isometry operator U (also see Fig. 3). In more detail, the effect of U is mapping the target qubits from Alice and Bob to TP’s ancilla and a message state \(m\rangle \):
where \(f^{m}_{i,j}\rangle \) is arbitrary, not necessarily normalized, belongs to TP’s ancilla. Note that \(m=0,1,2,3\) represent that TP publishes messages \(\phi ^{+}\rangle \), \(\phi ^{}\rangle \), \(\psi ^{+}\rangle \) and \(\psi ^{}\rangle \), respectively.
We first consider the case where Alice and Bob both measure and resend the received qubit. TP first sends the qubits of \(\Phi \rangle =\sum_{i,j=0}^{1} \zeta _{i,j}i,j\rangle \) to Alice and Bob, respectively. Let \(q_{i,j}\) denote the probability that Alice and Bob’s observation is \(i,j\rangle \). Then, we have
After that, TP performs U on the qubits from Alice and Bob, the system will become
TP then advertises the corresponding Bell state depending on the value of m. Alice and Bob can obtain some information based on their measurement results and TP’s announcement. Let \(q_{m,i,j}\) represent the probability that TP announces message m depending on Alice and Bob observe \(i\rangle \) and \(j\rangle \). Then, we have
As described in the protocol, the raw key \(K_{AB}\) generates in the event that Alice and Bob both choose the measure operation and TP’s result is \(\phi ^{+}\rangle \) or \(\phi ^{}\rangle \). That is, \(m= 0,1\). Conditioning on this event, thus the final generated raw key system is
where, \(N=\sum^{1}_{i,j,m=0}\zeta ^{2}_{i,j} \langle f^{m}_{i,j}f^{m}_{i,j} \rangle \) is a normalization term. Then, TP may observe her ancilla to obtain some helpful information about \(K_{AB}\).
3.2.2 Key rate derivation
In this part, our goal is to calculate the protocol’s key rate \(r_{AB}\). Following the definition of key rate, in this case, it can be expressed as
If \(r_{AB}>0\), a secure secret key can be obtained.
To locate \(r_{AB}\), we need to determine the values of \(S(AT)\) and \(H(AB)\). Since we have derived the final contributing raw key system \(\rho _{ABT}\), it is not difficult to calculate \(S(AT)\) and \(H(AB)\) according to the derivation process in Sect. 3.1.
Let \(q^{k}_{i,j}\) mean the probability that the raw keys of Alice and Bob are \(i\rangle \) and \(j\rangle \). Observing (33), we have
Then, it’s easy to obtain \(H(A,B)=H(\{q^{k}_{i,j}\}_{i,j})\). Let \(q(0)\) be the probability that Bob’s raw key is \(0\rangle \), then we have \(q(0)=q^{k}_{1,0}+q^{k}_{0,0}\). Thereby, \(H(B)=h(q(0))\). Following this fact, we can calculate:
For \(S(TE)\), it can be derived from the Theorem 1 in Sect. 3.1. Tracing out B from \(\rho _{ABT}\) yields:
Applying Theorem 1 to the above state, we can derive the result:
where \(\bar{j}=1j\).
To evaluate the \(S(AT)\), we need to obtain the values of \(\zeta _{i,j}\) and the innerproducts in the above expressions. Thus, in the following, we will use parameters that Alice and Bob can directly observe to denote \(S(AT)\). Recall (30) and (32), the values of \(\zeta _{i,j}\) and the innerproducts \(\langle f^{m}_{i,j}f^{m}_{i,j}\rangle \) can be easily obtained. what remains is to calculate \(\operatorname{Re}^{2}\langle f^{m}_{0,j} f^{m}_{1,\bar{j}}\rangle \).
Observing the case that Alice and Bob both reflect the qubits, we may bound \(\operatorname{Re}\langle f^{m}_{0,j} f^{m}_{1,\bar{j}}\rangle \). Specifically, Alice and Bob both reflect the qubits directly, TP then applies U on the reflected qubits to obtain:
According the value of m, TP then announces the message in the form of a Bell state. Here, we focus on the events that TP announces \(\phi ^{+}\rangle \) and \(\phi ^{}\rangle \), i.e., \(m=0,1\). Unlike previous protocols [25, 29], we will use the reflection error events and reflection correct events to obtain the range of \(\operatorname{Re}\langle f^{m}_{0,j} f^{m}_{1,\bar{j}}\rangle \). We first discuss the case that TP announces \(\phi ^{}\rangle \), i.e., \(m=1\). From (40), the probability that TP announces \(\phi ^{}\rangle \) is:
This provides a way to bound \(\operatorname{Re}\langle f^{1}_{0,0} f^{1}_{1,1}\rangle \) and \(\operatorname{Re}\langle f^{1}_{0,1} f^{1}_{1,0}\rangle \). After some algebra, we have
Applying the Cauchy–Schwarz inequality and (32) into \(\operatorname{Re}\langle f^{1}_{0,j} f^{1}_{1,\bar{j}}\rangle \), we have
Generally speaking, when TP announces \(\phi ^{}\rangle \), i.e., \(m=1\), the probability that Alice and Bob observe different results are small, otherwise it means that there is an error rate too high for the protocol to work properly. That is, the values of \(q_{1,1,0}\) and \(q_{1,0,1}\) are small, while the values of \(q_{1,1,1}\) and \(q_{1,0,0}\) are high. Hence, we focus on bounding \(\operatorname{Re}\langle f^{1}_{0,0} f^{1}_{1,1}\rangle \).
Let \(\operatorname{Re}\langle f^{1}_{0,1} f^{1}_{1,0}\rangle =\sqrt{q_{1,0,1}q_{1,1,0}}\), then applying the Cauchy–Schwarz inequality, Absolute value inequality (i.e., \(\vert a+b \vert \le \vert a \vert + \vert b \vert \)) and (32) into (42), we can obtain:
where \(\zeta _{i,j}\) can be estimated in (30), and \(p_{\phi ^{}}\) can be estimated by Alice and Bob when TP announces \(\phi ^{}\rangle \). Following this fact, we have obtained the bounds of \(\operatorname{Re}\langle f^{1}_{0,0} f^{1}_{1,1}\rangle \) and \(\operatorname{Re}\langle f^{1}_{0,1} f^{1}_{1,0}\rangle \).
For the case that TP announces \(\phi ^{+}\rangle \), i.e., \(m=0\), we can adopt the same method to derive the bounds of \(\operatorname{Re}\langle f^{0}_{0,0} f^{0}_{1,1}\rangle \) and \(\operatorname{Re}\langle f^{0}_{0,1} f^{0}_{1,0}\rangle \). Let \(\operatorname{Re}\langle f^{0}_{0,1} f^{0}_{1,0}\rangle =\sqrt{q_{0,0,1}q_{0,1,0}}\), then it is easy to obtain
Until now, the bound of \(\operatorname{Re}\langle f^{m}_{0,j} f^{m}_{1,\bar{j}}\rangle \) has derived, which depend on the parameters \(\zeta _{i,j}\) and \(q_{m,i,j}\). Finally, the value of \(S(AT)\) and \(H(AB)\) can be obtained based on the parameters available for Alice and Bob.
3.2.3 Key rate evaluation
Here, we assume that the connections between users are all independent depolarized channels. This also allows us to compare with prior work. The two qubits depolarization channel of TP to Alice and Bob (as well as, Alice and Bob to TP) can be modeled with parameter p:
where I is the identity operator.
To compute the protocol’s key rate \(r_{AB}\), we need to obtain \(\zeta _{i,j}\), \(q_{m,i,j}\), \(p_{\phi ^{+}}\) and \(p_{\phi ^{}}\). In the following, the connection between parameter p and \(\zeta _{i,j}\), \(q_{m,i,j}\), \(p_{\phi ^{+}}\), \(p_{\phi ^{}}\) will be build. Let’s start with \(\zeta _{i,j}\). TP is adversarial, she may prepare arbitrary quantum states and send them to Alice and Bob. In order to comply with the original protocol requirements as much as possible, we assume that the state of TP is \(\phi ^{+}\rangle \). Then passing the depolarization channel, we have
Thus the probability that Alice and Bob observe \(i\rangle \) and \(j\rangle \):
Then, we calculate \(q_{m,i,j}\), (i.e., the probability that TP announces message m depending on Alice and Bob observe \(i,j\rangle \)). If Alice and Bob observe \(0,0\rangle \), then passing the depolarization channel, the state will be
According to the original protocol, TP will perform Bellbased measurement and announce the result. In order to minimize the error of TP’s attacks (i.e., incorporate the error into the channel noise), the effect of U should be consistent with the role of TP performing Bellbased measurement on the qubits. Thus, the probability that TP announce \(\phi ^{}\rangle \), i.e., \(m=1\) conditioning on Alice and Bob observe \(0,0 \rangle \) is \(\frac{1p}{2}+\frac{p}{4}=\frac{2p}{4}\). Using the similar process, the other cases will be obtained. Therefore, we have
For \(p_{\phi ^{+}}\) and \(p_{\phi ^{}}\), (i.e., the probabilities that TP announces message \(m=0\) and \(m=1\) when Alice and Bob both reflect the qubits), we also can use p to represent. In more detail, the system of this case can be described as \(\varepsilon _{p}(\varepsilon _{p}(\phi ^{+}\rangle \langle \phi ^{+}))\). Thus, we can derive \(p_{\phi ^{+}}\) and \(p_{\phi ^{}}\):
Note that the above settings for probabilities \(\zeta ^{2}_{i,j}\), \(q_{m,i,j}\), \(p_{\phi ^{+}}\), and \(p_{\phi ^{}}\) are consistent with previous work [25, 29]. Furthermore, we also use Q here as a variable to describe them, which is the probability that Alice and Bob observe different results. It’s not difficult to see that \(Q=\zeta ^{2}_{0,1}+\zeta ^{2}_{1,0}=\frac{p}{2}\). Putting everything together, the key rate \(r_{AB}\) can be computed by the variable Q. The relationship between \(r_{AB}\) and Q is shown in Fig. 4. As long as \(Q \le 8.77\% \), we have \(r> 0\), that is, a secure key can be obtained by Alice and Bob.
4 Generalization to other semiquantum protocols
In our protocol, Alice, Bob, and TP can establish the secure key sequence with each other. In more detail, Alice and Bob share a key sequence \(K_{AB}=[k^{1}_{AB},k^{2}_{AB},\dots,k^{n}_{AB}]\); Alice and TP share a key sequence \(K_{TA}=[k^{1}_{TA},k^{2}_{TA},\dots,k^{n}_{TA}]\); Bob and TP have a key sequence \(K_{TB}=[k^{1}_{TB},k^{2}_{TB},\dots,k^{n}_{TB}]\). Following this fact, our protocol can be applied to other semiquantum cryptography protocols, such as semiquantum private comparison and semiquantum key agreement protocols.
4.1 Semiquantum private comparison protocol
Semiquantum private comparison (SQPC) [18–22] is one of the essential applications of quantum cryptography, whose goal is to allow two classical users, Alice and Bob, to compare whether their private data are the same with the help of TP who has the full quantum capability and may be adversarial. According to the definition of the SQPC protocol, it should follow the rules given below:
 1.:

Correctness: The comparison result should be correct.
 2.:

Security: Any attackers cannot steal users’ data without being detected.
 3.:

Privacy: Each user’s private data should be kept secret from others.
4.1.1 The detailed steps of SQPC protocol
Same as the SQKD protocol setting, Alice and Bob have the limited quantum capability, while TP has full quantum power and may be adversarial. Alice and Bob have the private binary strings \(M_{A}=[m^{1}_{A},m^{2}_{A},\dots,m^{n}_{A}]\) and \(M_{B}=[m^{1}_{B},m^{2}_{B},\dots,m^{n}_{B}]\), respectively. The detailed steps are shown below.
Step 1^{SQPC} ∼ Step 6^{SQPC}: These steps are the same as the SQKD protocol described in Sect. 2. After that, Alice, Bob, and TP can establish the secure key sequences with each other, denoted as
Step 7^{SQPC}: Alice and Bob calculate \(Q^{j}_{A}=k^{j}_{AB}\oplus k^{j}_{TA}\oplus m^{j}_{A}\) and \(Q^{j}_{B}=k^{j}_{AB}\oplus k^{j}_{TB}\oplus m^{j}_{B}\), respectively, where ⊕ is the modulo 2 summation, and \(j\in \{1,2,\dots,n\}\). Afterwards, Alice and Bob send \(Q_{A}=[Q^{1}_{A},Q^{2}_{A},\dots,Q^{n}_{A}]\) and \(Q_{B}=[Q^{1}_{B},Q^{2}_{B},\dots,Q^{n}_{B}]\) to TP.
Step 8^{SQPC}: TP calculates \(R^{j}=Q^{j}_{A}\oplus Q^{j}_{B}\oplus k^{j}_{TA}\oplus k^{j}_{TB}\). If \(R^{j}=0\) for \(j=1,2,\dots,n\), it means that Alice and Bob have the same secrets. Otherwise, their secrets are not equal.
4.1.2 Analysis of SQPC protocol
It is easy to see that our protocol satisfies the requirements of the SQPC protocol.
Correctness: In our protocol, Alice and Bob can share \(K_{AB}=[k^{1}_{AB},k^{2}_{AB},\dots,k^{n}_{AB}]\) based on \(S_{A}\) and \(S_{B}\). Then, TP can establish the secure key sequence \(K_{TA}=[k^{1}_{TA},k^{2}_{TA},\dots,k^{n}_{TA}]\) (\(K_{TB}=[k^{1}_{TB},k^{2}_{TB}, \dots,k^{n}_{TB}]\)) with Alice (Bob) based on the measurement result of \(T_{A}\) (\(T_{B}\)). Afterwards, Alice uses \(K^{j}_{AB}\) and \(K^{j}_{TA}\) to encrypt her secret information \(m^{j}_{A}\) as
Bob also uses \(K^{j}_{AB}\) and \(K^{j}_{TB}\) to encrypt his secret information \(m^{j}_{B}\) as
Finally, TP calculates \(R^{j}=Q^{j}_{A}\oplus Q^{j}_{B}\oplus k^{j}_{TA}\oplus k^{j}_{TB}\). It is easy to obtain that
The results show that our SQPC protocol can guarantee the correctness of the output.
Security: The security of this SQPC protocol is based on the fact that a secure key relationship can be established between Alice, Bob, and TP. In the previous security analysis, we have shown that Alice, bob, and TP can establish a secure key relationship. Therefore, our protocol is secure. That is, users’ private data will not be leaked out to others, and attackers cannot steal users’ data without being detected.
Privacy: The user’s secret information is encrypted with \(K_{AB}\) and \(K_{TA}\) (\(K_{TB}\)). Any eavesdropper has access to at most a portion of the encryption key. Therefore, each user’s private data is kept secret from others.
4.2 Semiquantum key agreement protocol
The goal of semiquantum key agreement (SQKA) [40–43] is to achieve the same contribution of all participants to the final shared key, where the capabilities of the participants are different and only one user is fully quantum capable, while other users’ quantum capabilities are limited.
In our SQKA protocol, TP has full quantum capability, while Alice and Bob are two classical users with limited quantum power. They have a secret bit strings \(m_{A}\), \(m_{B}\) and \(m_{T}\), respectively. That is
TP, Alice and Bob want to establish a secret key \(K=m_{A} \oplus m_{B}\oplus m_{T}\), where all three parties contribute equally to construct the key.
4.2.1 The detailed steps of SQKA protocol
In the following, we describe the SQKA protocol based on the previously proposed SQKD protocol. For simplicity, we would only like to introduce necessary steps that differ from the SQKD protocol above, while others are the same as those described in Sect. 2.
Step 1^{SQKA} ∼ Step 6^{SQKA}: These steps are the same as the SQKD protocol described in Sect. 2. After that, Alice, Bob, and TP can establish the secure key sequences with each other, denoted as \(K_{AB}\), \(K_{TA}\) and \(K_{TB}\), respectively.
Step 7^{SQKA}: Alice, Bob and TP encrypt their secret bit stings \(m_{A}\), \(m_{B}\) and \(m_{T}\) with \(K_{AB}\), \(K_{TA}\) and \(K_{TB}\). More exactly, Alice uses \(K_{AB}\) and \(K_{TA}\) to encrypt \(m_{A}\) as:
Bob uses \(K_{AB}\) and \(K_{TB}\) to encrypt \(m_{B}\) as:
TP uses \(K_{TA}\) and \(K_{TB}\) to encrypt \(m_{T}\) as:
Step 8^{SQKA}: Alice, Bob and TP each calculates the hash values of the corresponding encrypted messages and announces the results to other two parties. For example, Alice will send the hash values \(h(Q_{A\rightarrow B})\) and \(h(Q_{A\rightarrow T})\) to Bob and TP, respectively (Bob and TP will do similar operations). Here \(h(\cdot )\) is some oneway hash function. Note that this step is used to avoid information leaking and tampering due to the asynchronous release of information.
Step 9^{SQKA}: After that, Alice, Bob, and TP publish their encrypted messages to the other two parties. Alice calculates the hash values of \(Q_{B\rightarrow A}\) and \(Q_{T\rightarrow A}\) to obtain the results \(h^{\prime}(Q_{B\rightarrow A})\) and \(h^{\prime}(Q_{T\rightarrow A})\). If \(h^{\prime}(Q_{B\rightarrow A})=h(Q_{B\rightarrow A})\) and \(h^{\prime}(Q_{T\rightarrow A})=h(Q_{T\rightarrow A})\), Alice will accept them. Then, Alice can decrypt \(Q_{B\rightarrow A}\) and \(Q_{T\rightarrow A}\) with \(K_{AB}\) and \(K_{TA}\) to obtain the secret keys \(m_{B}\) and \(m_{T}\). Using the same procedure, Bob and TP can also obtain \(m_{A}\), \(m_{T}\) and \(m_{A}\), \(m_{B}\), respectively.
Step 10^{SQKA}: Each of Alice, Bob, and TP has the secret keys \(m_{A}\), \(m_{B}\) and \(m_{T}\). Thus, they can calculate the final key as \(K=m_{A} \oplus m_{B} \oplus m_{T}\).
4.2.2 Fairness of the proposed SQKA protocol
In Sect. 3, we provide a detailed security analysis of the SQKD protocol, and since our proposed SQKA protocol is based on the SQKD protocol, the security analysis is similar. That is, Alice, Bob, and TP can establish the secure key sequences with each other. Unlike SQKD protocol, SQKA requires all parties equally contribute to the final key. Therefore, we focus on analyzing the fairness of each party’s contribution to the key.
Without loss of generality, we assume that Alice wants to determine the shared key to be \(K^{*}_{A}=[m^{*1}_{A},m^{*2}_{A},\dots,m^{*n}_{A}]\) alone. To achieve this goal, Alice needs to obtain \(m_{B}\) and \(m_{T}\). In our protocol, Alice has the opportunity to obtain \(m_{B}\) and \(m_{T}\) from Bob and TP announcing \(Q_{B\rightarrow A}\) and \(Q_{T\rightarrow A}\) only in step 9. After that, Alice calculates
and Alice then publishes \(Q^{*}_{A\rightarrow B}\) and \(Q^{*}_{A\rightarrow T}\) to Bob and TP, respectively. As a result, Bob and TP can obtain the final key \(K^{*}_{A}\) by computing \((K^{*}_{A}\oplus m_{B}\oplus m_{T})\oplus m_{B}\oplus m_{T}=K^{*}_{A}\). Unfortunately, Alice’s behavior will be detected by Bob and TP. Because \(Q^{*}_{A\rightarrow B}\) and \(Q^{*}_{A\rightarrow T}\) can be accepted by Bob and TP only if they satisfy: \(h^{\prime}(Q^{*}_{A\rightarrow B})=h(Q_{A\rightarrow B})\) and \(h^{\prime}(Q^{*}_{A\rightarrow T})=h(Q_{A\rightarrow T})\). Obviously, they are not equal, so Alice’s cheating behavior cannot succeed.
If two dishonest parties conspire to perform deceptions similar to those described above, third parties will inevitably discover their shows due to the use of hash functions.
The results show that our protocol can guarantee all parties equally contribute to the final key.
5 Discussion
In this paper, we propose several different types of semiquantum protocols. Specifically, we focus on semiquantum cryptography protocols, including SQKD, SQPC, and SQKA, which all rely on twoway communication and are susceptible to Trojan attacks. The analysis of Trojan horse attacks is also one of the focuses. Therefore, in this part, we first investigate the resistance of several protocols proposed in this paper to Trojan attacks.
Trojan horse attacks in quantum systems include the invisible photon attack [44] and the delayphoton attack [45]. To mitigate the risks posed by these Trojan attacks, it is essential to incorporate specific devices like wavelength filters and photon number separators for each user [46]. The wavelength filter enables the signal receiver to counteract the former attack, while the photon number separator offers protection against the latter attack. Despite the potential impact on protocol efficiency, the above devices are necessary for quantum protocols involving twoway communication to effectively mitigate Trojan attacks. Therefore, our protocols can resist Trojan attacks by equipping the necessary devices.
Additionally, it is worth mentioning that some variants of semiquantum key distribution protocols, as described in references [32, 33], address the issue of Trojan attacks by improving capabilities for classical users, effectively transforming the protocol into a oneway communication scheme. This alternative approach can also be considered, particularly if classical users possess the ability to perform lightweight unitary operations, as demonstrated in literature [33].
In the following, we conduct separate comparisons between the proposed protocols and their respective counterparts, to emphasize the unique features of each protocol.
5.1 Comparison of SQKD protocol
Noise tolerance is a critical indicator of the SQKD protocol, and we have analyzed the protocol’s noise tolerance (i.e., key rate) under different conditions. Specifically, our proposed protocol demonstrates a noise tolerance of 12.75% for establishing secure keys between quantum and classical users, and a noise tolerance of 8.77% for establishing secure keys between two classical users. These results show that our SQKD protocol exhibits similar security to traditional QKD protocols, such as the BB84 protocol with a noise tolerance of 11%.
To provide a clear comparison of noise tolerance and applicable scenarios, we have compared our protocol with similar SQKD protocols in Table 1. The comparison reveals that our protocol is suitable not only for establishing key relationships between quantum and classical users, but also between two classical users. In contrast, previous SQKD protocols are limited to only one scenario, either between quantum and classical users or between two classical users, which significantly restricts their practical applications.
In order to compare the noise tolerance of our proposed semiquantum key distribution (SQKD) protocol with existing protocols, we analyze the noise tolerance from two perspectives. Firstly, in the scenario of key establishment between quantum and classical users, our protocol outperforms previous similar protocols [9–12] in terms of noise tolerance. Secondly, in the scenario of key establishment between two classical users, our protocol exhibits lower noise tolerance compared to similar protocols [25, 29], primarily due to the fact that we only utilize events where Alice and Bob both measure or both reflect, without exploiting mismatched events. If the same approach as in [25] and [29] is employed, a noise tolerance similar to that of [25, 29] can be achieved. Nonetheless, our protocol still achieves a noise tolerance comparable to previous protocols. It is important to note that Refs. [26–28] only provide security analysis under specific attacks, and no noise tolerance is calculated for these protocols.
5.2 Comparison of extension protocols
The performance of the proposed semiquantum key agreement (SQKA) and semiquantum private comparison (SQPC) protocols can be evaluated using the metric of qubit efficiency, as defined in [40]. Qubit efficiency is defined as \(\eta =\frac{c}{q+b}\), where c, q, and b are the number of shared classical bits, the number of consumed qubits, and the number of classical bits needed, respectively.
We first calculate the qubit efficiency of the proposed SQPC protocol. In our protocol, Alice and Bob have n secret bits, respectively, which means \(c=n\). To implement the protocol, TP needs to generate 4n Bell states, and 8n single particles, while Alice and Bob need to prepare 4n qubits, respectively as a replacement for their measured particles. Thus, the number of consumed qubits is 24n. Then, Alice and Bob need 2n bits to publish their encrypted messages, and TP needs 1 bit to publish the comparison result. That is, \(b=2n+1\). Putting everything together, the qubit efficiency of our protocol is \(\frac{n}{26n+1}\). The qubit efficiencies of Refs. [18–22] are also listed in Table 2. It is evident from the table that our protocol has a higher qubit efficiency compared to protocols using distributed transmission. However, the protocol in [22] which uses circular transmission exhibits higher efficiency compared to our protocol.
Next, we calculate the qubit efficiency of the proposed SQKA protocol. In this SQKA protocol, 24n qubits are consumed in order to implement the key negotiation of three users and finally generate a shared key of n bits. As for the consumed classical bits, each of user needs to publish nbits encrypted messages to the other users, along with the hash of the encrypted message (suppose the length of the hash value is nbits). Thus, the total classical bits is \(3*2n+3*2n=12n\). Combining all these values, our protocol’s qubit efficiency is \(\frac{1}{36}\). Table 3 provides detailed comparison results of our protocol with similar protocols. One can easily observe that the qubit efficiency of threeparty schemes is less than that of twoparty schemes. It is obvious that as the number of classical users increases, the quantum resources required will also increase. Our protocol is more efficient for scenarios where three users contribute to the secret key.
6 Conclusion
In this work, we propose a novel semiquantum key distribution (SQKD) protocol that utilizes entangled Bell states and single particles to enable secure key sharing among users of different types. Our protocol can serve as both SQKD and MSQKD. This effectively reduces the complexity and cost of semiquantum protocols that require SQKD and MSQKD between different users to protect the users’ private data, respectively.
To prove this SQKD protocol’s security, we first analyze the attack strategies of attackers who want to obtain keys in different scenarios. Then the density matrix of the joint system that eventually contributes to the secure key is constructed. Finally, the noise tolerance of the protocol is derived by using the parameters observed in the channel. The results show that the noise tolerance of our protocol can reach the same level as that of the QKD protocol.
In addition to the proposed SQKD protocol, we also generalize our approach to other semiquantum protocols such as SQPC and SQKA. We conduct comparative analyses of these protocols with similar existing protocols, highlighting the advantages of our proposed protocols in meeting the requirements of their respective use cases.
Several intriguing research questions remain to be addressed in future studies. Firstly, while we have generalized our protocols to SQKA and SQPC, there may be other unexplored application scenarios that could benefit from our approach. Secondly, our analysis has been limited to ideal environments, and practical implementations of devices in semiquantum environments are still in the nascent stages [47, 48]. Investigating the application of our protocols in realworld scenarios with practical devices would be a promising direction for future research.
Availability of data and materials
The data that support the findings of this study are available from the corresponding author upon reasonable request.
Abbreviations
 QKD:

Quantum key distribution
 SQKD:

Semiquantum key distribution
 MSQKD:

Mediated Semiquantum key distribution
 TP:

Third party
 SOPC:

Semiquantum private comparison
 SQKA:

Semiquantum key agreement
References
Bennet CH, Brassard G. Quantum cryptography: public key distribution and coin tossing. In: Proc. IEEE int. conf. Comput., syst. Signal process. Bangalore, India. 1984. p. 175–9.
Ekert AK. Quantum cryptography based on Bell’s theorem. Phys Rev Lett. 1991;67(6):661.
Bennett CH. Quantum cryptography using any two nonorthogonal states. Phys Rev Lett. 1992;68:3121.
Renner R, Gisin N, Kraus B. Informationtheoretic security proof for quantumkeydistribution protocols. Phys Rev A. 2005;72(1):012332.
Lo HK, Curty M, Tamaki K. Secure quantum key distribution. Nat Photonics. 2014;8(8):595–604.
Scarani V, BechmannPasquinucci H, Cerf NJ et al.. The security of practical quantum key distribution. Rev Mod Phys. 2009;81(3):1301.
Boyer M, Kenigsberg D, Mor T. Quantum key distribution with classical Bob. Phys Rev Lett. 2007;99(14):140501.
Boyer M, Gelles R, Kenigsberg D, Mor T. Semiquantum key distribution. Phys Rev A. 2009;79(3):032341.
Krawec WO. Security proof of a semiquantum key distribution protocol. In: 2015 IEEE international symposium on information theory (ISIT). New York: IEEE Press; 2015. p. 686–90.
Zhang W, Qiu DW, Mateus P. Security of a singlestate semiquantum key distribution protocol. Quantum Inf Process. 2018;17(6):1–21.
Krawec WO. Quantum key distribution with mismatched measurements over arbitrary channels. Quantum Inf Comput. 2017;17(3–4):209–41.
Ye CQ, Li J, Chen XB et al.. An efficient semiquantum key distribution protocol and its security proof. IEEE Commun Lett. 2022;26(6):1226–30.
Zou XF, Qiu QW. Threestep semiquantum secure direct communication protocol. Sci China, Phys Mech Astron. 2014;57(9):1696–702.
Luo YP, Hwang T. Authenticated semiquantum direct communication protocols using bell states. Quantum Inf Process. 2016;15(2):947–58.
Ye TY, Ye CQ. Semiquantum dialogue based on single photons. Int J Theor Phys. 2018;57:1440–54.
Li Q, Chan WH, Long DY. Semiquantum secret sharing using entangled states. Phys Rev A. 2010;82(2):022303.
Li LZ, Qiu DW, Paulo M. Quantum secret sharing with classical bobs. J Phys A, Math Theor. 2013;46(4):045304.
Thapliyala K, Sharmab RD, Pathak A. Orthogonalstatebased and semiquantum protocols for quantum private comparison in noisy environment. Int J Quantum Inf. 2018;16:1850047
Ye TY, Ye CQ. Measureresend semiquantum private comparison without entanglement. Int J Theor Phys. 2018;57(12):3819–34.
Lin PH, Hwang T, Tsai CW. Efficient semiquantum private comparison using single photons. Quantum Inf Process. 2019;18(7):1–14.
Yan LL, Zhang SB, Chang Y et al.. Semiquantum private comparison protocol with threeparticle Glike states. Quantum Inf Process. 2021;20(1):1–16.
Ye CQ, Li J, Chen XB, Tian Y. Efficient semiquantum private comparison without using entanglement resource and preshared key. Quantum Inf Process. 2021;20(8):1–19.
Iqbal H, Krawec WO. Semiquantum cryptography. Quantum Inf Process. 2020;19(3):1–52.
Krawec WO. Mediated semiquantum key distribution. Phys Rev A. 2015;91:032323.
Krawec WO. An improved asymptotic key rate bound for a mediated semiquantum key distribution protocol. Quantum Inf Comput. 2016;16(9–10):813–34.
Liu ZR, Hwang T. Mediated semiquantum key distribution without invoking quantum measurement. Ann Phys. 2018;530(4):1700206.
Lin PH, Tsai CW, Hwang T. Mediated semiquantum key distribution using single photons. Ann Phys. 2019;531(8):1800347.
Chen LL, Li Q, Liu CD, Peng Y, Yu F. Efficient mediated semiquantum key distribution. Phys A, Stat Mech Appl. 2021;582:126265.
Guskind J, Krawec W. Mediated semiquantum key distribution with improved efficiency. Quantum Sci Technol. 2022;7(3):035019.
Krawec WO. Multimediated semiquantum key distribution. In: 2019 IEEE globecom workshops (GC wkshps). New York: IEEE Press; 2019. p. 1–6.
Ye CQ, Li J, Chen XB et al.. Circular mediated semiquantum key distribution. Quantum Inf Process. 2023;22(4):170.
Tsai CW, Yang CW, Lee NY. Lightweight mediated semiquantum key distribution protocol. Mod Phys Lett A. 2019;34(34):1950281.
Tsai CW, Yang CW. Lightweight mediated semiquantum key distribution protocol with a dishonest third party based on Bell states. Sci Rep. 2021;11(1):23222.
Zhou NR, Zhu KN, Bi W et al.. Semiquantum identification. Quantum Inf Process. 2019;18(6):1–17.
Ye TY, Xu TJ, Geng MJ et al.. Twoparty secure semiquantum summation against the collectivedephasing noise. Quantum Inf Process. 2022;21(3):1–14.
Geng MJ, Chen Y, Xu TJ, Ye TY. Singlestate semiquantum private comparison based on Bell states. EPJ Quantum Technol. 2022;9(1):1.
Gottesman D, Lo HK. Proof of security of quantum key distribution with twoway classical communications. IEEE Trans Inf Theory. 2003;49(2):457–75.
Renner R. Security of quantum key distribution. Int J Quantum Inf. 2008;6(01):1–127.
Christandl M, König R, Renner R. Postselection technique for quantum channels with applications to quantum cryptography. Phys Rev Lett. 2009;102(2):020504.
Shukla C, Thapliyal K, Pathak A. Semiquantum communication: protocols for key agreement, controlled secure direct communication and dialogue. Quantum Inf Process. 2017;16(12):1–19.
Yan LL, Zhang SB, Chang Y et al.. Semiquantum key agreement and private comparison protocols using Bell states. Int J Theor Phys. 2019;58(11):3852–62.
Zhou NR, Zhu KN, Wang YQ. Threeparty semiquantum key agreement protocol. Int J Theor Phys. 2020;59(3):663–76.
Xu TJ, Chen Y, Geng MJ et al.. Singlestate multiparty semiquantum key agreement protocol based on multiparticle GHZ entangled states. Quantum Inf Process. 2022;21(7):1–18.
Cai QY. Eavesdropping on the twoway quantum communication protocols with invisible photons. Phys Lett A. 2006;351(1–2):23–5.
Gisin N, Fasel S, Kraus B, Zbinden H, Ribordy G. Trojanhorse attacks on quantumkey distribution systems. Phys Rev A. 2006;73:022320
Deng FG, Zhou P, Li XH, et al. Robustness of twoway quantum communication protocols against Trojan horse attack. arXiv:quantph/0508168.
Boyer M, Katz M, Liss R et al.. Experimentally feasible protocol for semiquantum key distribution. Phys Rev A. 2017;96(6):062335.
Han S, Huang Y, Mi S et al.. Proofofprinciple demonstration of semiquantum key distribution based on the Mirror protocol. EPJ Quantum Technol. 2021;8(1):1.
Funding
This work was supported by the National Natural Science Foundation of China under Grant 62271070, the BUPT Excellent Ph.D Students Foundation under Grant CX2021117, and the China Scholarship Council under Grant 202206470006.
Author information
Authors and Affiliations
Contributions
ChongQiang Ye designed the protocol, conducted the security analysis, and wrote the manuscript; Yanyan Hou and Zhuo Wang checked the writing; Jian Li and XiuBo Chen reviewed the manuscript. All authors read and approved the final manuscript
Corresponding author
Ethics declarations
Ethics approval and consent to participate
Not applicable.
Consent for publication
Not applicable.
Competing interests
The authors declare no competing interests.
Additional information
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Ye, CQ., Li, J., Chen, XB. et al. Security and application of semiquantum key distribution protocol for users with different quantum capabilities. EPJ Quantum Technol. 10, 21 (2023). https://doi.org/10.1140/epjqt/s40507023001803
Received:
Accepted:
Published:
DOI: https://doi.org/10.1140/epjqt/s40507023001803
Keywords
 Quantum communication
 Semiquantum key distribution
 Different users
 Security
 Key rate