Security requirements for the identity authentication protocols are very stringent:

none of the bits of the shared secret can be exposed to the eavesdropper,

shared secret is unchanged between subsequent unsuccessful protocol runs,

no prior authentication of the supporting classical channel can be assumed.

The following discussion of the protocol under consideration takes the aforementioned aspects into account.

The seminal protocol [33] operates in message or control modes that are randomly interwoven. Alice and Bob:

share a secret k composed of even number of bits,

can communicate with the classic public channel and an unprotected quantum one,

agree to use rectilinear \({{{\mathscr {B}}}}_0=\{|0\rangle ,|1\rangle \}\) and diagonal \({{{\mathscr {B}}}}_1=\{|+\rangle ,|-\rangle \}\) bases,

use rules from Table 1 to encode a pair of classic bits into a quantum state.

Table 1 Encoding rules used by Alice and Bob Full size table

The protocol continues as follows:

1. Both parties set counter \(n=0\). 2. If n is greater that length of the secret—authentication successful, otherwise proceed. 3. Alice randomly selects message or control mode: 4. Message mode: (a) Alice takes bits \(( k_{n}, k_{n+1} )\) of the shared secret and she constructs a quantum state according to Table 1. (b) Alice sends the state to Bob. (c) Bob measures the incoming state. He selects the measurement basis using bit \(k_{n}\) of his own copy of the shared secret. The measurement outcome equals to \(k^\prime _{n+1}\). (d) Bob announces reception. Alice communicates that they operate in message mode. (e) Bob compares the received and the expected value of the bit. If \(k^\prime _{n+1}=k_{n+1}\) then proceed: confirm cycle success to Alice, \(n=n+2\), then go to step 2; otherwise abort the protocol. 5. Control mode (a) Alice creates the pair \( (k_{n}, d)\) from the even bit of the shared secret and some random bit d and then, on their basis, she constructs a quantum state according to Table 1. (b) Alice sends the state to Bob. (c) Bob measures incoming state. He selects the measurement basis using bit \(k_{n}\) of his own copy of the shared secret. The measurement outcome equals to \(d^\prime \). (d) Bob announces reception. Alice communicates that they operate in control mode and the value of d. (e) Bob compares the received and the expected value of the bit. If \(d^\prime =d\) then proceed: confirm cycle success to Alice, \(n=n+2\), go to step 2, otherwise abort the protocol.

Man-in-the-middle attack

Let Eve impersonates Alice. The MITM attack assumes that Eve measures photons coming from Alice and forwards fake ones in a state derived from the measurement outcome. If Eve selects measurement basis correctly, nothing special happens: (a) her outcome is in agreement with Alice’s encoding, (b) the reconstructed photon is in a correct state, (c) secret bit decoded by Bob has the expected value so the protocol continues. However, if Eve selects basis incorrectly there is a 50% chance that Bob’s decoding fails. This happens independent on operation mode selected by Alice. The situation in which Bob’s measurement yields, by an accident, the expected result is not interesting—the protocol simply continues and Eve has no clue what was the basis and value of the encoded qubit—it can be correct one because of two reasons: (a) proper basis selection, (b) random nature of quantum measurement outcome in improper basis. On the other hand, if Bob’s measurement yields an incorrect result then the protocol is aborted (points 4e and 5e of the seminal protocol specification). This is a sign for Eve, that the basis she has selected is incorrect. Eve learns that way the value of the even numbered bit \(k_n\) of the shared secret that is responsible for the basis selection. Alice probably takes another try to authenticate. In the next protocol run, Eve will select the correct basis for the protocol cycle controlled by the known bit and she will learn the value of the odd numbered bit \(k_{n+1}\) responsible for the photon polarization. For the rest of photons, she might still use the measure and resend strategy. In case of protocol abortion, she will learn the value of another evenly numbered bit. Smart policy of selection of protocol cycles to be attacked permits Eve to learn bits of the shared secret as long as Alice and Bob won’t be changing the shared secret frequently.

Entangle and discriminate attack

The seminal proposal [33] includes analysis of the entangle and measure attack, in which Eve entangles the travel qubit with her own probe register. Depending on the outcome of Bob’s measurement, the probe is left in different states and, on this basis, Eve can draw information on the state of the travel qubit. The price she pays for her knowledge is a nonzero error rate observed by Bob. Various entangling strategies and probe states discrimination techniques result in distinct trade-offs between Eve’s information gain and induced error rate. The seminal analysis estimates Eve’s information gain assuming minimum error discrimination and availability of infinite number of copies of the state to be examined. The discussion presented below addresses the success rate of entangle and measure attack with Eve having an access to only one copy of the state to be discriminated. It is shown that under this restriction, the seminal version of the protocol is not secure in the context of constraints quoted at the beginning of this section.

It is known that for the BB84 protocol, which is mimicked by the protocol under consideration, the optimal information gain is provided by the Brandt probe [34, 35] that uses non-orthogonal probe states and \({\overline{CNOT}}\) gate as the entangling operation. Let the bases used by Alice and Bob be denoted \({\mathscr {B}}_0=\{|u\rangle , |{\bar{u}}\rangle \}\) and \({\mathscr {B}}_1=\{|v\rangle , |{\bar{v}}\rangle \}\) and be rotated for \(\pm \pi /8\) relative to the computational basis used by Eve in construction of the entangling operation, as depicted in Fig. 1.

Fig. 1 Orientation of bases in Brandt probe setup Full size image

The bases are related to each other with the following formulas

$$\begin{aligned} |0\rangle&= c |u\rangle + s |{\bar{u}}\rangle&|1\rangle&= -s |u\rangle + c |{\bar{u}}\rangle \end{aligned}$$ (1)

$$\begin{aligned} |0\rangle&= c |v\rangle - s |{\bar{v}}\rangle&|1\rangle&= s |v\rangle + c |{\bar{v}}\rangle \end{aligned}$$ (2)

where \(c = \cos \frac{\pi }{8}= \frac{1}{2}\sqrt{2+\sqrt{2}}\) and \(s =\sin \frac{\pi }{8}=\frac{1}{2}\sqrt{2-\sqrt{2}}\). It is assumed that cbit 0 is encoded as \(\{ |u\rangle , |v\rangle \}\) depending on basis choice, while cbit 1 is encoded as \(\{ |{\bar{u}}\rangle , |{\bar{v}}\rangle \}\) (see Table 1). Eve simply entangles the travel qubit with the probe register using \({\overline{CNOT}}\) gate controlled by the travel qubit

$$\begin{aligned} {\overline{CNOT}} = |0\rangle \langle 0| \otimes {\overline{I}} + |1\rangle \langle 1| \otimes {\overline{X}} \end{aligned}$$ (3)

where \({\overline{I}}\) is the identity operator and \({\overline{X}}=|1\rangle \langle 0|+|0\rangle \langle 1|\) denotes bit flip applied to the target register. Eve has a freedom of selection of the initial state \(|\chi \rangle \) placed in the probe register. The following identities hold true, independent on its value

$$\begin{aligned} |u\rangle |\chi \rangle&\xrightarrow {{\overline{CNOT}}} |u\rangle \left( c^2{\overline{I}}+s^2{\overline{X}}\right) |\chi \rangle + |{\bar{u}}\rangle s c \left( {\overline{I}}-{\overline{X}}\right) |\chi \rangle \end{aligned}$$ (4)

$$\begin{aligned} |v\rangle |\chi \rangle&\xrightarrow {{\overline{CNOT}}} |v\rangle \left( c^2{\overline{I}}+s^2{\overline{X}}\right) |\chi \rangle - |{\bar{v}}\rangle s c \left( {\overline{I}} - {\overline{X}} \right) |\chi \rangle \end{aligned}$$ (5)

$$\begin{aligned} |{\bar{u}}\rangle |\chi \rangle&\xrightarrow {{\overline{CNOT}}} |{\bar{u}}\rangle \left( s^2{\overline{I}}+c^2{\overline{X}}\right) |\chi \rangle +|u\rangle s c \left( {\overline{I}} - {\overline{X}} \right) |\chi \rangle \end{aligned}$$ (6)

$$\begin{aligned} |{\bar{v}}\rangle |\chi \rangle&\xrightarrow {{\overline{CNOT}}} |{\bar{v}}\rangle \left( s^2{\overline{I}}+c^2{\overline{X}}\right) |\chi \rangle - |v\rangle s c \left( {\overline{I}} - {\overline{X}} \right) |\chi \rangle \end{aligned}$$ (7)

The second terms on the right-hand side are responsible for errors observed by Bob. Eve can tune the error rate by proper selection of the initial state. Let us assume its following parameterization

$$\begin{aligned} |\chi \rangle = \sqrt{1-2 P_E} |+\rangle + \sqrt{2 P_E} |-\rangle \end{aligned}$$ (8)

where \(|\pm \rangle =\left( |0\rangle \pm |1\rangle \right) /\sqrt{2}\). Then \(|e\rangle = s c \left( {\overline{I}}-{\overline{X}}\right) |\chi \rangle = \sqrt{P_E} |-\rangle \) so the probability that Bob detects Eve is equal to \(P_E\). If Bob’s measurement is correct, i.e. he does not observe an error, then there are two possible states of Eve’s register

$$\begin{aligned} |\chi _0\rangle&= \left( c^2{\overline{I}}+s^2{\overline{X}}\right) |\chi \rangle = \sqrt{1-2 P_E} |+\rangle + \sqrt{P_E} |-\rangle \end{aligned}$$ (9)

$$\begin{aligned} |\chi _1\rangle&= \left( s^2{\overline{I}}+c^2{\overline{X}}\right) |\chi \rangle = \sqrt{1-2 P_E} |+\rangle - \sqrt{P_E} |-\rangle \end{aligned}$$ (10)

Please note that \(|\chi _0\rangle \) occurs always when Alice encoded classic bit 0, independent on the selected basis. Similarly \(|\chi _1\rangle \) occurs always when Alice’s bit equals to 1, so detection which one of these two states is in the register is sufficient for Eve to decode odd numbered bit \(k_{n+1}\). But the states \(|\chi _0\rangle \) and \(|\chi _1\rangle \) are not orthogonal, so no perfect technique to do that exists. The minimum error discrimination gives maximum average information at the price of limited confidence, so Eve is never 100% sure what was the value of the eavesdropped bit. She has to repeat the discrimination procedure multiple times on identical copies of the state to enlarge her confidence level. In contrary, an unambiguous discrimination gives Eve 100% confident information on which one state is in the register at the price of obtaining inconclusive results with some finite rate. This technique seems to be more appropriate in the context of shared secret recovery.

The rate of inconclusive measurements is equal to the overlap between discriminated states [36, 37], so Eve has no clue on bit value with probability

$$\begin{aligned} Q = \frac{\langle \chi _0|\chi _1\rangle }{ ||\chi _0|| ||\chi _1||} = \frac{1 - 3 P_E}{1-P_E} \end{aligned}$$ (11)

Protocol continues until Bob observes an error. The expected number of consecutive successful protocol cycles followed by a detection event depends on induced error rate

$$\begin{aligned} L = \sum \limits _{l=0}^{\infty } l (1-P_E)^{l} P_E = \frac{1-P_E}{P_E} \end{aligned}$$ (12)

where \((1-P_E)^{l} P_E\) represents probability of occurrence of exactly l successful protocol cycles followed by a failure. Eve conclusively eavesdrops only \((1-Q)\) fraction of these cycles. Her average information gain per protocol run equals to

$$\begin{aligned} I_E = (1-Q) L = \frac{2 P_E}{1-P_E} \frac{1-P_E}{P_E} = 2 \end{aligned}$$ (13)

so she learns two classic bits independent on induced error rate. This is a result of two mutually balancing effects: (a) small error rate permits for long sequences before detection but the unambiguous discrimination is then inefficient, (b) high induced error rate permits effective discrimination at the price of quicker detection.

Analysis of the presented version of entangle and measure attack may be concluded with some optimistic observation. The Brandt probe design is founded on the assumption that during reconcillation phase of BB84, Eve will learn the basis that was used for encoding of classic bits. In the considered protocol, this is no longer true. Eve assumes apriori the encoding method: 0 is encoded as \(|v\rangle \) or \(|u\rangle \) and 1 is encoded as \(|{\bar{v}}\rangle \) or \(|{\bar{u}}\rangle \). The eavesdropping works because probe permits discrimination of horizontal (\(|v\rangle , |u\rangle \)) and vertical (\(|{\bar{v}}\rangle , |{\bar{u}}\rangle \)) states and 0 (1) is encoded always as horizontal (vertical) state. The technique used above simply would not work for Alice and Bob using the following encoding rules: \(0 \rightarrow (|u\rangle \,\text {or}\, |{\bar{v}}\rangle )\), \(1 \rightarrow (|{\bar{u}}\rangle \,\text {or}\, |v\rangle )\). Then probe would differentiate between horizontal and vertical states but it would be not known which basis the identified state came from and Eve would be unable to make the decision whether Alice encoded “0” or “1” (see Table 2). The problem of constructing the entangling probe for this version of encoding remains an open question.