
Quantum Information and Computation, Vol. 9, No. 5&6 (2009) 0376–0394
© Rinton Press

QUANTUM DIRECT COMMUNICATION WITH MUTUAL AUTHENTICATION

Cheng-An Yen (1), Shi-Jinn Horng (1, 2), Hsi-Sheng Goan (3; corresponding author), Tzong-Wann Kao (4), Yao-Hsin Chou (1)
arXiv:0903.3444v1 [quant-ph] 20 Mar 2009

1 Department of Computer Science and Information Engineering

National Taiwan University of Science and Technology, Taipei 10607, Taiwan


2 Department of Electronic Engineering, National United University

Miao-Li 36003, Taiwan


3 Department of Physics, Center for Quantum Science and Engineering, and Center for Theoretical Sciences

National Taiwan University, Taipei 10617, Taiwan


4 Department of Electronic Engineering, Technology and Science Institute of Northern Taiwan

Taipei 11202, Taiwan

Received December 20, 2007


Revised January 31, 2009

In this paper, we first point out that some recently proposed quantum direct communication
(QDC) protocols with authentication are vulnerable to some specific attacks, and the secret
message will leak out to the authenticator who is introduced to authenticate users
participating in the communication. We then propose a new protocol that is capable of
achieving secure QDC with authentication as long as the authenticator does the authentication
job faithfully. Our quantum protocol introduces a mutual authentication procedure, uses the
quantum Bell states, and applies unitary transformations in the authentication process. It then
exploits entanglement swapping and local unitary operations in the communication process.
Thus, after the authentication process, the client users are left alone to communicate with
each other, and the authenticator has no access to the secret message. In addition, our
protocol does not require a direct quantum link between any two users who want to communicate
with each other. This may also be an appealing advantage in the implementation of a practical
quantum communication network.

Keywords: Quantum direct communication, Authentication, Entanglement swapping.


Communicated by: H-K Lo & R Laflamme

1 Introduction
Quantum key distribution (QKD) is an approach using quantum mechanics principles for the
distribution of a secret key with unconditional security [1, 2, 3]. Recently, there have been
theoretical progresses and experimental demonstrations for the QKD protocols [4, 5, 6, 7, 8, 9].
Different from QKD, a quantum direct communication (QDC) protocol is to transmit directly
a secret message without generating in advance a secret encryption key between the parties
who want to communicate with each other. After the first proposal by Beige et al. [10],
many QDC protocols have been proposed [11, 12, 13, 14, 15, 16]. But most QDC protocols
are susceptible to the man-in-the-middle (MITM) attack in which the eavesdropping attacker
makes extra connections with the victim users, and relays messages between them while
making them believe that they are talking directly to each other over a private connection.
In fact, the entire message communication is under control by the attacker. In order to
prevent the MITM attack, several quantum authentication schemes have been put forward
[17, 18, 19, 20, 21]. Recently, Lee et al. [22] proposed two protocols which combined QDC
with user authentication. User authentication is to assure the communicating party is the
one that he/she claims to be and the message is only communicated between the authentic
users. This mechanism plays an important role in secure message communication against the
MITM attacks. However, Zhang et al. [23] pointed out that in the two protocols of Lee et
al., the authenticator Trent who is introduced to authenticate the users participating in the
communication should be prevented from knowing the secret message. They also showed that
these two protocols are vulnerable to some specific attacks by Trent. To prevent the attacks,
they revised the original version of the protocols by using the Pauli Z operation σz instead
of the original bit-flip operation X [23].
In this paper, we first point out that the improved version of the protocols proposed by
Zhang et al. still cannot prevent the authenticator Trent from knowing the secret message
if Trent prepares different initial states. To prevent both the authenticator Trent and
an eavesdropper Eve from knowing the secret message, we propose a new quantum protocol
that is capable of achieving secure QDC as long as the authenticator Trent does the
authentication job faithfully. In our protocol, we introduce a mutual authentication procedure,
use the quantum Bell states instead of the GHZ states in [22, 23], and apply unitary
transformations in the authentication process. Then we exploit quantum entanglement swapping
and local unitary operations in the communication process. In addition, our protocol, which
uses the beautiful feature of quantum entanglement swapping, does not require a direct quantum
link between any two clients/users who want to communicate with each other. This may also be
an appealing advantage in the implementation of a practical quantum communication network.
Similar to most of the proposed QDC protocols in the literature [11, 12, 13, 14, 15, 16,
22, 23], we present the proof-of-principle illustration of our secure QDC protocol against the
attacks by eavesdroppers, impostor users and authenticator. In a realistic implementation
of a QDC protocol, there are many other practical issues that need to be considered. For
example, (i) the noise (depolarization and dephasing) in the quantum communication channels,
(ii) the imperfection of the Bell-state (EPR) source and distribution, (iii) the errors that
may occur during the quantum information storage, quantum gate operations and quantum
measurements, and (iv) the photon loss inevitable in propagating light over distance through
optical systems (if a photonic implementation of the QDC protocol is adopted) are important
problems that need to be dealt with. Issues similar to the first three mentioned above for
our QDC protocol have been discussed by Lo and Chau [2] in the context of the security of
QKD over arbitrarily long distances. They have shown that by combining the ideas of quantum
repeaters and fault-tolerant quantum computation, the security of QKD in the presence
of source, device, and channel noises as well as operation and measurement errors could be
made unconditionally secure. As for making a quantum state robust against photon loss, recently
Wasilewski and Banaszek [24] have proposed a three-photon quantum error correction code
to protect an encoded qubit against a single-photon loss. They have also discussed the
preparation of the code as well as quantum state and process tomography in the code space using
linear optics with single-photon sources and conditional detection. We may apply the results
of these studies [2, 24] (and references therein) to argue that our QDC protocol could also be
made secure in a realistic setting under similar conditions. However, an in-depth investigation
to demonstrate that each of the practical issues mentioned above for our QDC protocol could
really be resolved may still be required, but that is beyond the scope of this paper.
Nevertheless, we show here that our QDC protocol is secure against the attacks by eavesdroppers,
impostor users and authenticator.

2 Attacks by the authenticator using different initial states


In order to introduce our mutual authentication process later and to discuss our proposed
attack by the authenticator Trent on the improved version proposed by Zhang et al. [23], we
first summarize the authentication part in the protocol by Lee et al. [22] as follows.
(1) The client users register their secret identities and one-way hash functions with the
authenticator Trent and then go apart. The user's authentication key shared with Trent can
be calculated as $h_{\mathrm{user}}(ID_{\mathrm{user}}, C_{\mathrm{user}})$, where
$ID_{\mathrm{user}}$ is the user's secret identity sequence and $C_{\mathrm{user}}$ is the
counter of calls on the user's hash function, $h_{\mathrm{user}}$ [22].
(2) When Alice tells Trent that she would like to communicate with Bob, Trent generates
$N$ tripartite GHZ states $|\Psi\rangle$ with
$|\psi_i\rangle = \frac{1}{\sqrt{2}}(|000\rangle + |111\rangle)_{ATB}$ and $i = 1, 2, \cdots, N$.
The subscripts A, T, and B correspond to Alice, Trent and Bob, respectively. Trent then makes
unitary operations $I$ ($H$) on $|\Psi\rangle$ according to the authentication key bit values
0 (1) of Alice and Bob, respectively.
(3) Trent distributes the particles of the A sequence to Alice and the particles of the B
sequence to Bob.
(4) Alice and Bob make reverse unitary operations on the received particles with their
own authentication keys, respectively.
(5) After making local measurements in the $\sigma_z$ basis on a subset, Alice and Bob can
compare the results through a classical public channel.
If the error rate is higher than expected (i.e., existence of an eavesdropper in the
communication), then Alice and Bob terminate the protocol. Otherwise, they can confirm that
their counterparts are legitimate and the channel is secure. Alice and Bob can then execute the
message transmission procedures with Trent. However, as pointed out by Zhang et al.
[23], the protocols by Lee et al. [22] are vulnerable to the insider Trent with the
intercept-measure-resend attack, and therefore they proposed two improved schemes with different
unitary operations $H$ ($HZ$) instead of $I$ ($H$) on Lee et al.'s protocols.
We now show that the improved version of the two protocols proposed by Zhang et al.
[23] still cannot prevent the attack from the authenticator Trent if he prepares initial
states different from the states that he is supposed to prepare. For example, if Trent wants
to know Alice's secret message, he could prepare the initial state $|\Psi\rangle$ as
$\frac{1}{\sqrt{2}}(|{+}{+}{+}\rangle + |{-}{-}{-}\rangle)_{ATB}$ instead of
$\frac{1}{\sqrt{2}}(|000\rangle + |111\rangle)_{ATB}$, where $|\pm\rangle$ denotes
$\frac{1}{\sqrt{2}}(|0\rangle \pm |1\rangle)$ as usual and the subscripts A, T, and B indicate
Alice, Trent and Bob's particles (qubits), respectively. Then, after Alice's encoding operation
$H_A$ or $H_A Z_A$ as in [23], the state will become either
$\frac{1}{\sqrt{2}}(|0{+}{+}\rangle + |1{-}{-}\rangle)_{ATB}$ or
$\frac{1}{\sqrt{2}}(|1{+}{+}\rangle + |0{-}{-}\rangle)_{ATB}$. If the authentication is verified,
Alice can send her qubits either to Bob (protocol 1) or to Trent (protocol 2) [23]. Then if
Trent, just like the attacks proposed in [23], intercepts (protocol 1) or receives (protocol 2)
Alice's qubit and measures it in the {0, 1} basis, he can then unambiguously figure out the
encoding operation and thus the bit value of Alice after he has also measured his own qubit in
the {+, −} basis. In other words, if the measurement outcome is $(0, +)_{AT}$ or $(1, -)_{AT}$,
then Trent can conclude that Alice has performed a $H_A$ operation corresponding to the bit
value of 0. Otherwise, if the measurement outcome is $(1, +)_{AT}$ or $(0, -)_{AT}$, then Alice
has performed the $H_A Z_A$ operation corresponding to the bit value of 1. In this way, Trent
can obtain Alice's whole bit string including both the random bit string and the secret message.
As Alice will publish the information regarding which qubits are used as the check qubits in
public, Trent can then remove the random check bits. As a consequence, Trent will have complete
knowledge of Alice's secret message. After Trent's attack, he resends Alice's qubit to Bob
(protocol 1). The different initial states might cause the error rate to be higher than
expected. Alice and Bob will, in this case, conclude that there is an eavesdropper in the
communication. But they still think the secret message has not leaked out. On the contrary, the
secret message, in fact, has already leaked out to Trent. So Trent can use the
prepare-intercept-measure-resend attack on the improved scheme of protocol 1 or the
prepare-measure attack on the improved scheme of protocol 2 proposed by Zhang et al. [23] to
completely know the secret message.
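
The leak described in this section can be checked with a short state-vector calculation. The Python sketch below is an added example and not code from the paper; it assumes the qubit order A, T, B, Alice's encoding $H_A$ for bit 0 and $H_A Z_A$ for bit 1 as stated above, and the names `EXPECTED` and `SUBSTITUTED` are illustrative.

```python
import math

S = 1 / math.sqrt(2)
KET0, KET1 = [1.0, 0.0], [0.0, 1.0]
PLUS, MINUS = [S, S], [S, -S]
H = [[S, S], [S, -S]]
Z = [[1, 0], [0, -1]]

def kron(*vectors):
    """Tensor product of single-qubit vectors, leftmost qubit most significant."""
    out = [1.0]
    for v in vectors:
        out = [a * b for a in out for b in v]
    return out

def matvec(m, v):
    return [m[0][0] * v[0] + m[0][1] * v[1], m[1][0] * v[0] + m[1][1] * v[1]]

def encode(ket, bit):
    """Alice's encoding of her qubit: H for bit 0, H Z for bit 1 (scheme of [23])."""
    return matvec(H, ket) if bit == 0 else matvec(H, matvec(Z, ket))

def state_after_encoding(terms, bit):
    """terms: two (A, T, B) product kets whose equal superposition Trent prepared."""
    vecs = [kron(encode(a, bit), t, b) for a, t, b in terms]
    return [S * sum(col) for col in zip(*vecs)]

def trent_outcomes(terms, bit):
    """P(outcome) when A is measured in {0,1} and T in {+,-}; Bob's qubit is summed out."""
    psi = state_after_encoding(terms, bit)
    dist = {}
    for a_name, a in (("0", KET0), ("1", KET1)):
        for t_name, t in (("+", PLUS), ("-", MINUS)):
            p = 0.0
            for b in (KET0, KET1):
                amp = sum(x * y for x, y in zip(kron(a, t, b), psi))
                p += amp * amp
            dist[(a_name, t_name)] = round(p, 12)
    return dist

def decode(outcome):
    """Rule from the text: (0,+) or (1,-) means bit 0; (1,+) or (0,-) means bit 1."""
    return 0 if outcome in (("0", "+"), ("1", "-")) else 1

EXPECTED = [(KET0, KET0, KET0), (KET1, KET1, KET1)]        # (|000> + |111>)/sqrt(2)
SUBSTITUTED = [(PLUS, PLUS, PLUS), (MINUS, MINUS, MINUS)]  # (|+++> + |--->)/sqrt(2)

def recovered_bits(terms, bit):
    """Bit values the decoding rule yields over every outcome that can occur."""
    return {decode(o) for o, p in trent_outcomes(terms, bit).items() if p > 1e-9}

if __name__ == "__main__":
    for label, terms in (("expected", EXPECTED), ("substituted", SUBSTITUTED)):
        for bit in (0, 1):
            print(label, "bit", bit, trent_outcomes(terms, bit))
```

With the expected GHZ state the four outcomes of this measurement pair are equally likely for either bit value, so they carry no information about the encoding; with the substituted state every outcome that can occur decodes to Alice's bit.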

3 Quantum secure direct communication with mutual authentication


In this section, we present a new QDC protocol that is able to prevent all the specific attacks
mentioned. It may also seem that all the attacks mentioned above could be avoided if the
authenticator Trent is reliable. In fact, to the best of our knowledge, nothing in the existing
proposed protocols prevents an imposter from stepping in and pretending to be the real
authenticator Trent between a genuine user and an unlawful receiver. Our proposed protocol can,
however, prevent such an attack through mutual authentication.
In the protocols by Lee et al. [22] and by Zhang et al. [23] as well as in our protocol
described later, Trent, as an authenticator, is considered to be more powerful than the rest
of other parties or users. For example, all the user’s secret identities are known to the
authenticator Trent, and all the quantum resources are issued by him. It is thus important
in the communication protocol that we should first at least make sure whether “Trent” is
the genuine authenticator or not. If not, some illegitimate party might pretend to be Trent,
then allow Alice to pass the authentication process, and finally obtain the secret message.
For instance, the imposter Trent might simply ask a fake Bob to receive the secret message
from Alice and get the secret message from the fake Bob later. We thus ask, in our protocol,
the users/clients also to authenticate Trent to prevent an imposter from stepping in and acting
as the authenticator. Of course, if the real authenticator Trent would like to eavesdrop or steal the
secret message, his role will then become similar to the imposter Trent and he may also ask
a fake Bob to receive the secret message from Alice. This problem of a fake Bob could, for
example, possibly be found (although not always perfectly and immediately) by allowing the
users/clients to access the classical public channel at any time. If someone pretends to be
Bob to communicate with Alice, the real Bob may discover this event during the attack.
Nevertheless, if the real Trent will do his authentication job faithfully, then it is desired
that a scheme to prevent an imposter Trent from being able to manipulate the authentication
and communication processes, and to steal the secret message later is available. We show
below that our protocol with mutual authentication can accomplish that goal and thus achieve
secure QDC. The classical part of the generation of the authentication keys of the users in
our protocol is similar to that in Lee et al. [22] when they registered to the authenticator
Trent. The secret identity sequence, $ID$, and one-way hash function, $h$, of each user are
known to Trent. For simplicity, we denote the authentication keys of Alice and Bob as
$AK_A = h_A(ID_A, C_A)$ and $AK_B = h_B(ID_B, C_B)$, respectively. $C_i$ is the counter of calls
on the user's hash function, where $i = A, B$. If the length of $AK_i$, denoted as $l_i$, is not
large enough to cover the necessary operations, new authentication keys can be created by
increasing the counter $C_i$ as described in Ref. [22]. In order to secure the authentication
process and prevent an imposter authenticator from stepping in, we ask the user/client to
authenticate Trent too. It is thus a mutual authentication process. In order for the users to be
able to authenticate Trent, as well as to prevent Trent's different initial state attack, extra
quantum resources, which include the introduction, manipulations and measurements of extra
ancilla qubits, are issued by the users in our authentication protocol. Again, the reason to
authenticate each other in a mutual manner is to prevent an imposter authenticator and unlawful
users from stealing the secret message.
One of the reasons why we use the Bell state instead of the GHZ state in our protocol is to
improve the authentication process and to prevent the authenticator Trent from learning too
much knowledge about the secret communication. We believe Trent’s responsibility is only
to authenticate the users/clients who want to communicate with other users/clients. As we
will show later, after Trent finishes his authentication job, he will be prevented from knowing
the secret message if the Bell state pairs and entanglement swapping are employed. Another
reason for using the Bell state is that the two-particle Bell state can be used in a
peer-to-peer environment, while the three-particle GHZ state used in Refs. [22, 23] requires
the third party's cooperation. That means if Trent wants to authenticate Alice in the
protocols of Refs. [22, 23], he needs Bob's honest assistance if the GHZ state is used. This
is not desirable, as Alice's authentication has to depend on whether Bob is honest or not. In
our authentication procedure the GHZ state is also used, but this three-particle GHZ state is
however a joint state between Trent’s qubit, Alice’s qubit and an ancilla qubit. This ancilla
qubit is introduced and controlled, for example, by Trent when he wants to authenticate Alice.
In addition, the process of the user authentication should be closely connected to the
message communication process in order to protect against the attack of modification, delay,
replay, and recording [25] which could occur between these two processes. We use the quantum
entanglement swapping scheme [26] with the Bell states to bridge these two processes. That
means the secret message will be transmitted only after the successful authentication.
The details of our protocol will be presented below. In Sec. 3.1, the important concept of
entanglement swapping is discussed. The mutual authentication process, which uses the
Bell-state entanglement swapping and local operations, is described in Sec. 3.2. The
communication process, which also employs the entanglement swapping and local operations, is
described in Sec. 3.3.

3.1 The scheme of entanglement swapping


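Entanglement swapping [26] is a method that enables one to swap the entanglement of two
entangled pairs of quantum particles into that of two new pairs by local operations (see Fig. 1).
The newly entangled particles may be spatially separated, without interaction and without
pre-shared entanglement between them. To illustrate that, we first introduce four Bell states
(or EPR pairs) as follows:

$$|\phi^{\pm}\rangle = \frac{1}{\sqrt{2}}(|00\rangle \pm |11\rangle), \qquad
|\psi^{\pm}\rangle = \frac{1}{\sqrt{2}}(|01\rangle \pm |10\rangle). \tag{1}$$

The computational basis states, from Eq. (1), can be expressed in terms of the four Bell basis
states as:

$$\begin{aligned}
|00\rangle &= \frac{1}{\sqrt{2}}(|\phi^{+}\rangle + |\phi^{-}\rangle), \\
|11\rangle &= \frac{1}{\sqrt{2}}(|\phi^{+}\rangle - |\phi^{-}\rangle), \\
|01\rangle &= \frac{1}{\sqrt{2}}(|\psi^{+}\rangle + |\psi^{-}\rangle), \\
|10\rangle &= \frac{1}{\sqrt{2}}(|\psi^{+}\rangle - |\psi^{-}\rangle).
\end{aligned} \tag{2}$$

Table 1 illustrates the transformation between the Bell state basis and the computational
state basis.

Table 1. Transformation table between the Bell state basis and computational state basis. This
table not only illustrates $|\phi^{+}\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$ or
$|\psi^{-}\rangle = \frac{1}{\sqrt{2}}(|01\rangle - |10\rangle)$ columnwise, but also illustrates
$|00\rangle = \frac{1}{\sqrt{2}}(|\phi^{+}\rangle + |\phi^{-}\rangle)$ or
$|10\rangle = \frac{1}{\sqrt{2}}(|\psi^{+}\rangle - |\psi^{-}\rangle)$ rowwise.

| Basis | $\lvert\phi^{+}\rangle$ | $\lvert\phi^{-}\rangle$ | $\lvert\psi^{+}\rangle$ | $\lvert\psi^{-}\rangle$ |
|---|---|---|---|---|
| $\lvert 00\rangle$ | $\frac{1}{\sqrt{2}}$ | $\frac{1}{\sqrt{2}}$ | 0 | 0 |
| $\lvert 01\rangle$ | 0 | 0 | $\frac{1}{\sqrt{2}}$ | $\frac{1}{\sqrt{2}}$ |
| $\lvert 10\rangle$ | 0 | 0 | $\frac{1}{\sqrt{2}}$ | $-\frac{1}{\sqrt{2}}$ |
| $\lvert 11\rangle$ | $\frac{1}{\sqrt{2}}$ | $-\frac{1}{\sqrt{2}}$ | 0 | 0 |
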
Initially, if two parties each own two particles, one in each of the two shared entangled
pairs 1-2 and 3-4 in $|\phi^{+}\rangle$ states as shown in Fig. 1(a), then the quantum state of
the two Bell pairs can be rewritten as [27],

$$|\phi^{+}\rangle_{12} \otimes |\phi^{+}\rangle_{34}
= \frac{1}{2}\left(|\phi^{+}\rangle|\phi^{+}\rangle + |\phi^{-}\rangle|\phi^{-}\rangle
+ |\psi^{+}\rangle|\psi^{+}\rangle + |\psi^{-}\rangle|\psi^{-}\rangle\right)_{1324}. \tag{3}$$

If the party who initially owned the particles 1 and 3 makes a measurement in the Bell
basis locally as illustrated in Fig. 1(b), then the system will swap the entanglement pairs
from 1-2, 3-4 into 1-3, 2-4 as illustrated in Fig. 1(c). Depending on the measurement result,
the resultant state is in one of the four Bell pairs in Eq. (3) with equal probability of
$\frac{1}{4}$. The particles 2 and 4 would thus [14, 29] be entangled. Similar results can be
obtained if the initially shared entangled states are the Bell states other than
$|\phi^{+}\rangle$. The most significant feature of entanglement swapping is to enable one to
entangle two quantum systems (2 and 4) that do not have direct interaction between them by a
Bell basis measurement (on 1 and 3).

Fig. 1. Graphical illustration of the entanglement swapping scheme. (a) Two EPR pairs (1-2 and
3-4) are shown in this figure; the dashed line represents the entanglement shared between the
two particles. (b) The action of the Bell basis measurement (on 1 and 3) is represented with M.
(c) The measurement causes the entanglement swapping.
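
Eq. (3) and the measurement statistics that follow from it can be verified numerically. The Python example below is added here and is not part of the paper; it goes beyond the $|\phi^{+}\rangle_{12}|\phi^{+}\rangle_{34}$ case worked out in the text by accepting any pair of initial Bell states, and its function names are illustrative.

```python
import math

S = 1 / math.sqrt(2)
# Bell states of Eq. (1) in the two-qubit basis |00>, |01>, |10>, |11>.
BELL = {
    "phi+": [S, 0, 0, S],
    "phi-": [S, 0, 0, -S],
    "psi+": [0, S, S, 0],
    "psi-": [0, S, -S, 0],
}

def kron(u, v):
    return [a * b for a in u for b in v]

def to_1324(state):
    """Reorder a 4-qubit state vector from qubit order 1,2,3,4 to 1,3,2,4."""
    out = [0.0] * 16
    for i, amp in enumerate(state):
        q1, q2, q3, q4 = (i >> 3) & 1, (i >> 2) & 1, (i >> 1) & 1, i & 1
        out[(q1 << 3) | (q3 << 2) | (q2 << 1) | q4] = amp
    return out

def bell_expansion(pair12, pair34):
    """Coefficient of |m>_13 |n>_24 for every pair of Bell states (m, n)."""
    psi = to_1324(kron(BELL[pair12], BELL[pair34]))
    return {
        (m, n): round(sum(BELL[m][k] * BELL[n][j] * psi[4 * k + j]
                          for k in range(4) for j in range(4)), 12)
        for m in BELL for n in BELL
    }

def swap_table(pair12, pair34):
    """For each Bell outcome on (1,3): (probability, Bell state left on (2,4))."""
    coeff = bell_expansion(pair12, pair34)
    table = {}
    for m in BELL:
        prob = sum(coeff[(m, n)] ** 2 for n in BELL)
        partner = max(BELL, key=lambda n: abs(coeff[(m, n)]))
        table[m] = (round(prob, 12), partner)
    return table

if __name__ == "__main__":
    # Case of Eq. (3): the measured pair and the remote pair end in the same Bell state.
    print(swap_table("phi+", "phi+"))
    # A different initial pair 3-4: still four equally likely outcomes, relabelled.
    print(swap_table("phi+", "psi+"))
```

The party holding qubits 1 and 3 learns from its own outcome which Bell state qubits 2 and 4 now share, while the holders of 2 and 4 learn it only once that outcome is announced.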

3.2 Mutual authentication process


After sharing the authentication keys with Trent, respectively, as described in Sec. 3, the
clients/users, say Alice and Bob, might leave Trent and go apart. Suppose neither Alice nor
Bob can see each other in a network environment. When Alice wants to communicate with
Bob, she and Bob must go through the authentication process with Trent first. We now
introduce the scheme of quantum Controlled-NOT operations as well as local operations into
our mutual authentication process. This authentication process is illustrated schematically
in Fig. 2 and is described in detail as follows.
(1) Once Trent receives Alice's request, he prepares an ordered $N + 2v$ two-particle Bell
states, each of which is in, for example, the state
$|\phi^{+}\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)_{TA}$, where $N$ is the
number of secret message bits that is intended to be transmitted in this round and $v$ is a
sufficiently large number for checking the noise of the quantum channel. In general,
$v \ge l_A$, where $l_A$ is the length of Alice's authentication key, $AK_A$. Trent keeps one of
the particles (qubits) in each of the ordered $N + 2v$ two-particle Bell pairs to form an
ordered particle (qubit) sequence, called the T sequence. He then encodes each particle of the
other correspondingly ordered sequence, called the A sequence, by an operation $H$ or $I$
according to the bit value of $AK_A$ being 1 or 0, respectively. That is, if the key bit value
is 0, a $H$ operation is performed on the particle; otherwise, nothing is done. Since the number
$N + 2v$ is normally larger than the length $l_A$ of $AK_A$, the key bits of $AK_A$ will be
reused from the beginning for encoding. The process will be repeated until all $N + 2v$
particles in the A sequence are encoded with corresponding $H$/$I$ operations. Trent then sends
the encoded particles of the ordered A sequence to Alice.

Fig. 2. Pictorial illustration of the authentication scheme. (a) Trent prepares an ordered
$N + 2v$ two-particle Bell states $|\phi^{+}\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)_{TA}$,
and encodes each of the particles of the A sequence by operation $H$ ($I$) according to the bit
value of 0 (1) of $AK_A$; here only one pair in verifying set $V$ and Alice's ancilla particle
are shown. (b) Trent sends the particle A to Alice; Alice then decodes the particle by operation
$H$ ($I$), also according to the bit value of 0 (1) of $AK_A$. (c) Alice uses the decoded
particle to make the CNOT operation on the ancilla. (d) The ancilla particle will be entangled
with the original two particles. (e) Alice and Trent perform the operation $I$ ($H$) on their
own particles according to the bit value of 0 (1) of $AK_A$ separately. (f) The recovery steps
also depend on the bit value of $AK_A$. If the bit value of $AK_A$ is 0, Alice makes the
operation CNOT on the ancilla a again. The ancilla will leave the entanglement after the
operation CNOT. (g) If the bit value of $AK_A$ is 1, Alice measures the ancilla a. Alice then
makes the operation $I$ ($X$) on the particle A according to the measurement result of the
ancilla being 0 (1).


(2) After receiving the A sequence, Alice decodes each of the particles by an operation
$H$ or $I$, also according to the bit value 0 or 1 of $AK_A$ as Trent did. The state of each of
the ordered $N + 2v$ two-particle Bell pairs will return to its initial state,
$\frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)_{TA}$. She then randomly chooses a sufficiently
large subset of size $v$ from the A sequence, and pairs each of the chosen particles with its
corresponding counterpart in the T sequence into a verifying set $V$. One pair of particles in
set $V$ is shown in Fig. 2 (a) and (b). She also prepares $v$ ancilla particles, called the a
sequence, each of which is in the state $|0\rangle$. She uses the particles which she owns in
set $V$ as the control qubits and makes the quantum Controlled-NOT operations (CNOT) on the
target qubits of the ancilla a in sequence. Then, as shown in Fig. 2 (c) and (d), each of the
ancilla particles (qubits) will be entangled with the original two particles (qubits) in the
Bell state. These three particles will then be in the state
$\frac{1}{\sqrt{2}}(|000\rangle + |111\rangle)_{TAa}$, where the subscripts $T$, $A$ and $a$
denote the Trent, Alice and ancilla particles, respectively. Note that this state is just the
quantum GHZ state used in the protocols of Lee et al. [22] and of Zhang et al. [23]. The
difference is that here the third particle, the ancilla qubit, is introduced and controlled by
Alice when she is about to authenticate Trent.
(3) Alice goes on to identify Trent in case some illegitimate party might pretend to
be the authenticator Trent or Trent might prepare different initial states to steal the message.
She makes operation $I$ ($H$) on each of her own two particles according to the bit value 0
(1) of $AK_A$. For example, if the $i$th bit value of $AK_A$ is 0, Alice performs the identity
operation $I$ on each of her two particles in the $i$th position in set $V$. Then, the three
particles would remain in $\frac{1}{\sqrt{2}}(|000\rangle + |111\rangle)_{TAa}$. On the
contrary, if the $i$th bit of $AK_A$ is 1, she performs the operation $H$ on each of her two
particles and the three particles would become
$\frac{1}{2\sqrt{2}}(|0(0+1)(0+1)\rangle + |1(0-1)(0-1)\rangle)_{TAa}$.
(4) Alice tells Trent the positions of the set $V$ particles in the original $N + 2v$ sequence
and tells him that she has finished the transformation operations over a classical public
channel. Trent then also makes operation $I$ ($H$) on his own particle according to the bit
value of his own key $AK_A$ in set $V$ in sequence. For example, if the $i$th bit of $AK_A$ is
0, the three particles would still stay in $\frac{1}{\sqrt{2}}(|000\rangle + |111\rangle)_{TAa}$.
Otherwise, if the $i$th bit of $AK_A$ is 1, as illustrated in Fig. 2(e), the three particles
would become

$$(H \otimes H \otimes H)_{TAa}\,\frac{1}{\sqrt{2}}(|000\rangle + |111\rangle)_{TAa}
\;\Rightarrow\; \frac{1}{2}\left(|(00+11)0\rangle + |(10+01)1\rangle\right)_{TAa}. \tag{4}$$

(5) After Trent tells Alice that he has finished his operations over a public channel, Alice
will perform different operations for each pair in set $V$ according to the $i$th bit value of
$AK_A$. If the $i$th bit value of $AK_A$ is 0, she will make the operation CNOT on the $i$th
ancilla a again with particle A as the control qubit. Then the ancilla qubit will lose the
entanglement with the pair of qubits T and A as shown in Fig. 2(f). On the contrary, if the
$i$th bit value of $AK_A$ is 1, Alice will measure the $i$th ancilla particle a in the
computational {0, 1} basis, i.e., the $\sigma_Z$ basis. If there is no eavesdropping or
interference, Alice will obtain either 0 or 1 with equal probability 1/2. If she obtains 1, she
makes the operation $X$ on the particle A. Otherwise, nothing is done. These actions are shown
in Fig. 2(g). After this, the pair of the two particles T and A in set $V$ should return to the
original Bell state after consuming the ancilla, provided that there is no eavesdropper, Eve,
present.
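
Table 2. Relations between the initially prepared Bell states, the measurement result of ancilla,
and the recovering operations on the home qubit when the bit value of AK of the other party is 1.

| Initial prepared Bell state | Recovering operation on the self qubit, ancilla's outcome: 0 | Recovering operation on the self qubit, ancilla's outcome: 1 |
|---|---|---|
| $\lvert\phi^{+}\rangle = \frac{1}{\sqrt{2}}(\lvert 00\rangle + \lvert 11\rangle)$ | $I$ | $X$ |
| $\lvert\phi^{-}\rangle = \frac{1}{\sqrt{2}}(\lvert 00\rangle - \lvert 11\rangle)$ | $X$ | $I$ |
| $\lvert\psi^{+}\rangle = \frac{1}{\sqrt{2}}(\lvert 01\rangle + \lvert 10\rangle)$ | $iY$ | $Z$ |
| $\lvert\psi^{-}\rangle = \frac{1}{\sqrt{2}}(\lvert 01\rangle - \lvert 10\rangle)$ | $Z$ | $iY$ |
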
(6) Now, Alice is going to authenticate Trent as well as to check the presence of Eve. After
Alice measures her own particles (qubits) in set $V$ one by one in the $\sigma_Z$ basis, she
informs Trent in public that her measurements are finished (but does not reveal her measurement
results). Trent then also measures his own particles in the $\sigma_Z$ basis and tells Alice the
results in public. At last, Alice compares her results with those of Trent to authenticate
Trent. If they have a sufficiently large number of results that are the same, Alice [14, 29]
accepts that Trent is the real Trent (the authenticator) and she proceeds with the steps to be
authenticated by Trent. Otherwise, if the error rate is too high, she just stops the procedure.
(7) Next, Trent will authenticate Alice. This reverse authentication procedure could be
much simpler as compared with the above steps. This is because Trent owns the particle he
prepared in the very beginning and does not need to check for a possible different initial state
attack by Alice, so no extra ancilla qubits need to be introduced. If Alice can decode the A
sequence in Step 2, the remaining $N + v$ pairs will all return to the initial state,
$\frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)_{TA}$. Trent then randomly selects $v$ particles in
the remaining T sequence and pairs them with Alice's particles in the A sequence to form the
reverse verifying set $V'$. He then measures his own particles (qubits) in set $V'$ one by one
in the $\sigma_Z$ basis, and informs Alice in public that his measurements are finished. Alice
then also measures her own particles in the $\sigma_Z$ basis and tells Trent the results in
public. Trent then compares his results with those of Alice to authenticate Alice and
also to check the existence of Eve. If their measurement results agree with a sufficiently high
probability, Trent [14, 29] accepts that Alice is a legitimate user/client. Otherwise, if the
error rate is too high, he just stops the procedure. This is exactly the reverse process in Step
6 with the interchange of the roles of Alice and Trent.
(8) After the mutual authentication is finished, there still are N pairs of the Bell state
√1 (|00i + |11i)T A between Trent and Alice’s qubits. Note that the local operations after the
2
measurements of the ancilla qubits in Steps 5 depend on the initially prepared Bell state.
In the above example, the initial and recovered Bell state is √12 (|00i + |11i)T A . Other Bell
states can also be used in our protocol with a slight modification of the local operations.
Their relations are illustrated in Table 2. Since both Alice and Trent choose the verifying
sets at random, they could also check the security of the channel during the authentication
steps. Not only the illegitimate party but also the existence of the eavesdropper Eve could be
detected during the verification process. Furthermore, the message communication process
will proceed only if the authentication process is successful. If the channel is too noisy with
a high error rate, they would stop the procedure and start over again.
(9) Finally, Trent notifies Bob that Alice wants to communicate with him. Likewise, Bob
and Trent can authenticate each other. If nothing goes wrong, they will also keep N pairs of
the Bell state $\frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)_{TB}$.

3.3 Communication process


After finishing the authentication process, Trent's qubit is entangled with Alice's qubit in
the Bell state $\frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$ and likewise with Bob's. We describe below a session-key
based communication process [25] which uses the technique of entanglement swapping. Here,
the session key indicates that the sequence of the entangled states between Alice and Bob’s
qubits, generated as a result of the Trent’s entanglement swapping measurements, is used for
only one particular communication session. The detailed communication process is described
as follows.
(1) Trent makes a Bell measurement on his own two qubits, one particle entangled with
Alice’s qubit and the other entangled with Bob’s qubit, in each of the N Bell pairs in sequence.
Each time Trent will obtain a result with equal probability 1/4 out of four possible outcomes
corresponding to the resultant four possible Bell states in which Alice’s qubit and Bob’s
qubit will be entangled. In other words, as a consequence of Trent’s Bell measurement, the
entanglement has been swapped into the joint state of Alice and Bob’s qubits. However, Alice
and Bob do not know exactly which entangled Bell state their qubits really share so far. Note
that there is no qubit (particle) transmitted between Alice and Bob, so the eavesdropper Eve
cannot obtain any quantum information during this process.
(2) Trent announces the results of his Bell measurements in sequence over a classical public
channel. Another appealing feature as a result of the entanglement swapping is that Trent will
leave the clients, Alice and Bob, alone to communicate with each other. In other words, after
the authenticator Trent finishes his job, he will not be involved in the message communication
process and thus he is prevented from learning the secret message.
(3) After Trent’s public announcement, Alice and Bob then have the knowledge about the
identity of each of the shared Bell state between their qubits in the sequence. They can use
the sequence of the shared entangled Bell pairs to send the secret message using the following
two different schemes.
(i) They may use the scheme of dense coding, first proposed by Bennett and Wiesner [28],
to transmit two classical bits of information using one entangled Bell pair. As Alice and Bob
know which Bell state they share, say $|\phi^+\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$, Alice can then determine
and encode the two classical bits that she wants to send to Bob (00, 01, 10 and 11) into the
unitary operation (U = I, X, Z or iY) performed on her particle (qubit) of the Bell pair. Alice
then sends her particle to Bob. After Bob receives Alice’s particle, Bob can measure the two
particles in the Bell basis and obtain Alice’s encoded information. At the end of the direct
communication process, Alice can send 2N bits of classical information to Bob with these
remaining N entangled Bell pairs. However, since Alice’s particles are transmitted to Bob,
Eve might intercept them in the middle. To guarantee secure communication, some randomly
chosen entangled Bell pairs have to be used to check if Eve is eavesdropping [12, 16].
(ii) As mentioned, the above dense coding scheme requires that there is a quantum channel
between Alice and Bob so that Alice can send her qubit to Bob. This, however, may not be
practical in a realistic quantum communication network, as a direct quantum link is required
to be established between every two users/clients who want to communicate with each other.
To overcome this problem, we use a scheme [14, 29], which also utilizes the entanglement
swapping together with local quantum operations, to encode and transmit the message. This
scheme, proposed in the encoding-decoding step in Refs.[14, 29], does not need the qubits to
be transmitted between Alice and Bob, and thus no quantum channel is required between
them. It, however, uses two entangled Bell pairs between Alice and Bob to transmit two
bits of information. For example, in this scheme in Refs. [14, 29], Alice and Bob agree to
apply one of the 4 different unitary operations (say U = I, Z, X or iY) on one particle of the
two entangled Bell pairs to encode one of the 4 different 2-bit messages (say 00, 01, 10 or 11).
Suppose that the state of the two entangled pairs, 1-2 and 3-4, is the state of Eq. (3). After
Alice applies one of the local unitary operations, say Z, on one of her own two particles, say
particle 1 in Eq. (3), according to her bit string value of 01, the state becomes

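$$Z_1\left(|\phi^+\rangle_{12} \otimes |\phi^+\rangle_{34}\right) = \frac{1}{2}\left(|\phi^-\rangle|\phi^+\rangle + |\phi^+\rangle|\phi^-\rangle + |\psi^-\rangle|\psi^+\rangle + |\psi^+\rangle|\psi^-\rangle\right)_{1324}. \qquad (5)$$
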
Alice can perform a Bell state basis measurement on her two particles, say particle 1 and 3, of
the two entangled Bell pairs. This then results in the entanglement swapping to the pairs of
1-3 and 2-4. She then announces the measurement result, say the $|\psi^-\rangle$ state, to Bob through
a classical public channel. Then after Alice's Bell measurement, Bob should obtain $|\psi^+\rangle$ by
his Bell basis measurement. Bob can read out Alice's bit string value 01 after comparing
the results of his own Bell basis measurement with Alice’s. This scheme takes advantage of
entanglement swapping. As a result, it does not require a quantum channel between Alice
and Bob and it also avoids the possible eavesdropper gaining any meaningful information
of the secret message during the communication process. Note that the resultant shared
entangled Bell states between Alice and Bob’s qubits in our protocol are dependent on the
Trent’s Bell measurement results. Thus the entangled Bell states might not be all the same
as those used in our example or in Refs. [14, 29]. This, however, is not a problem, as using
two entangled pairs with different Bell states can also do the job if they know what states
they share [27]. Repeating the procedure in sequence, N entangled Bell pairs can transmit only
N bits of information. But this may not be a disadvantage since to check and guarantee no
eavesdropping in the dense coding scheme, the consumption of entangled pairs may be large
[14] and might even be larger than N/2.
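
The outcome correlations of Eq. (5), and the swap performed by Trent in step (1), can be checked with a small state-vector calculation. This is an added example, not code from the paper; the function names are hypothetical, qubits 1 and 3 belong to the measuring party (Alice in scheme (ii), Trent in step (1)) and qubits 2 and 4 to the remote side. It goes beyond the $|\phi^+\rangle|\phi^+\rangle$ case of the text by accepting any two shared Bell pairs.

```python
# Added illustration (not the authors' code): pure-Python check of the
# entanglement-swapping encoding of scheme (ii). No external dependencies.
from itertools import product
from math import sqrt, isclose

S = 1 / sqrt(2)
# Bell basis on two qubits; amplitudes indexed by (bit_a, bit_b).
BELL = {
    "phi+": {(0, 0): S, (1, 1): S},
    "phi-": {(0, 0): S, (1, 1): -S},
    "psi+": {(0, 1): S, (1, 0): S},
    "psi-": {(0, 1): S, (1, 0): -S},
}
# Mapping used in the text for scheme (ii): U = I, Z, X, iY encodes
# 00, 01, 10, 11. Each U is a real 2x2 matrix indexed U[row][col].
OPS = {
    "00": [[1, 0], [0, 1]],    # I
    "01": [[1, 0], [0, -1]],   # Z
    "10": [[0, 1], [1, 0]],    # X
    "11": [[0, 1], [-1, 0]],   # iY
}

def joint_distribution(pair12, pair34, bits):
    """Probability of each (Bell outcome on qubits 1,3; Bell outcome on 2,4)
    after the operation encoding `bits` is applied to qubit 1."""
    u = OPS[bits]
    # Four-qubit amplitudes psi[(q1, q2, q3, q4)] of U_1 (pair12 tensor pair34).
    psi = {}
    for (q1, q2), a in BELL[pair12].items():
        for (q3, q4), b in BELL[pair34].items():
            for out in (0, 1):
                amp = u[out][q1] * a * b
                if amp:
                    key = (out, q2, q3, q4)
                    psi[key] = psi.get(key, 0.0) + amp
    dist = {}
    for first, second in product(BELL, BELL):
        # Project onto <first|_{13} <second|_{24}; every amplitude is real.
        amp = sum(
            BELL[first].get((q1, q3), 0.0) * BELL[second].get((q2, q4), 0.0) * v
            for (q1, q2, q3, q4), v in psi.items()
        )
        if not isclose(amp * amp, 0.0, abs_tol=1e-12):
            dist[(first, second)] = amp * amp
    return dist

def decode_table(pair12, pair34):
    """Bob's lookup: (Alice's announced outcome, his own outcome) -> 2 bits.
    Raises if two messages could produce the same outcome pair."""
    table = {}
    for bits in OPS:
        for outcomes in joint_distribution(pair12, pair34, bits):
            if outcomes in table:
                raise ValueError("encoding is ambiguous for these pairs")
            table[outcomes] = bits
    return table

def announcement_distribution(pair12, pair34, bits):
    """Distribution of Alice's public announcement alone (Bob's result hidden)."""
    marginal = {}
    for (alice, _), p in joint_distribution(pair12, pair34, bits).items():
        marginal[alice] = marginal.get(alice, 0.0) + p
    return marginal

if __name__ == "__main__":
    # Case worked in the text: Z on particle 1 of phi+ (1-2) and phi+ (3-4).
    for outcomes, p in sorted(joint_distribution("phi+", "phi+", "01").items()):
        print(outcomes, round(p, 3))
    table = decode_table("phi+", "phi+")
    print("Alice psi-, Bob psi+ ->", table[("psi-", "psi+")])
    # What an eavesdropper on the public channel sees for each message.
    for bits in OPS:
        print(bits, announcement_distribution("phi+", "phi+", bits))
```

With the identity operation (`"00"`) the same function describes Trent's Bell measurement in step (1): each of the four outcomes occurs with probability 1/4 and the remote pair is left in the matching Bell state. The announcement distribution is uniform for every message, so the public outcome carries the message only in combination with Bob's own result.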

4 Discussions and security analysis


Before we conclude, a remark comparing our protocol with a QKD-like scheme, as well as a
security analysis of our protocol, is in order.

4.1 Comparison with a simple QKD scheme


If the whole point of our protocol up to step (3) of Sec. 3.3, i.e., entanglement swapping
after successful mutual authentication, is to certify only that Alice and Bob, the two users
who want to communicate with each other, share perfect EPR pairs, then one may think
that a simpler way, as is used in QKD, may be employed to do the same job. For example,
if Alice would like to communicate with Bob in an EPR-pair-based QKD scheme for QDC,
she may need (or ask someone else) to generate EPR pairs, then transmit halves of the
EPR pair qubits to Bob and keep the other halves to herself. Alice and Bob measure and
then compare over a classical authenticated channel the randomly selected X- or Z-basis
measurement results on some randomly chosen EPR pairs they share originally. If their
measurement results and their authentication keys (secrets) agree, then they are certain that
the remaining pairs they share are perfect EPR pairs and that the other party is the real
Alice or the real Bob. Otherwise, they may conclude that the quantum channel Alice used to
transmit qubits to Bob was too noisy, or that an eavesdropper Eve has interfered in the qubit
transmission process. Indeed, this QKD-like scheme combining with secure, authenticated
classical channels can certify that Alice and Bob share perfect EPR pairs. So the absolute
security of the classical authenticated channels must be guaranteed for this QKD-like scheme
for QDC to work. Suppose there is a shared secret key beforehand between the two users, Alice
and Bob. They may apply the classical Wegman-Carter scheme [30] for authentication and
for the comparison of the measurement results. For example, they can use the shared secret
key to create Wegman-Carter tags and then compare the hash values computed from the tags
and the message that contains the measurement results. The Wegman-Carter authentication
scheme [30] is unconditionally secure provided that the shared secret key bits used to create
the tags are different each time. But if Alice and Bob would like to authenticate each other
again for another communication, then the shared secret key bits used to create the tags will
be gradually used up in the Wegman-Carter scheme [31]. It was pointed out in Ref. [31]
that the secret key bits cannot be reused without compromising the provable security of the
Wegman-Carter authentication scheme [30]. So if there is no further process to replace or refresh the
secret key bits, then the provable security of the Wegman-Carter authentication scheme [30]
may be compromised. One may use quantum channels to transmit new secret key bits as is done in
QKD. But if a secret encryption key needs to be generated each time in advance between
the parties who want to communicate and authenticate with each other, then this QKD-like
scheme is similar to formal QKD rather than QDC that is intended here.
In addition, in the QKD-like scheme each user needs to generate EPR pairs for every other
user, or a third party, say Trent, should be asked to prepare and distribute the EPR pairs
for all users. But if Trent does not also play the role of an authenticator, then any two
users have to authenticate and compare the measurement results directly between themselves
through authenticated classical channels. As a result, each user needs to share a different
secret key with every other user, and an authenticated classical channel is required between
any two users who want to communicate with each other. Furthermore, if a new
client, say Charlie, wants to join this communication network, his shared secret key needs to
be generated and distributed securely between him and every other client user. These
may not be practical in the implementation of a realistic quantum communication network
as there may be many users in the network and they may be spatially far apart. These are
the reasons why in the protocols of Refs. [22, 23] as well as in our protocol, an authenticator
Trent is introduced in the QDC network. Thus one should consider applying the QKD-like
scheme to the similar protocols with an authenticator Trent.
Compared with the QKD-like scheme, there is, however, no classical authenticated channel
used in our protocol. The classical channels used in our protocol are public channels. They
are not used to authenticate but are used to broadcast (exchange) the classical information
and measurement results between the participants in public, as are used in Refs. [22, 23].
The generation and registration of the classical authentication keys of the users by the
authenticator, as similar to that in Refs. [22, 23], does not mean the classical authenticated
channels are used. Since the users will go apart after getting their authentication keys
respectively and since no further encryption scheme is used in the classical public channels in our
protocol, the users and authenticator cannot securely authenticate each other through the
classical public channels remotely. The classical authentication keys of the participants are,
however, encoded with local quantum operations H/I onto the EPR pairs of the verifying
sets as illustrated in Sec. 3.2. Our authentication scheme is based on quantum entanglement,
quantum operations and the randomness of quantum measurement results. So the presence
of Eve will be discovered, and no useful information about the secret authentication key may
be inferred in our protocol, at least for the several possible attacks by Eve presented in Sec. 4.2.
Furthermore, our protocol can also avoid Trent's different initial states attack that the
protocols in Refs. [22, 23] fail to prevent (see Sec. 2), as extra quantum resources, which include the
introduction, manipulations and measurements of extra ancilla qubits, are issued by the users
in our authentication protocol when the users authenticate the authenticator Trent. Next, we
perform a security analysis of our protocol and show that this is the case.

4.2 Security analysis


After the successful mutual authentication process, our protocol utilizes entanglement
swapping and local quantum operations in the communication process. As a result, it does not
require a direct quantum link between any two users who want to communicate with each
other and thus it also avoids the possible eavesdropper gaining any meaningful information
of the secret message during the communication process. We therefore focus the security
analysis only on the authentication process. For simplicity, we assume Trent prepares the
initial EPR pairs in the state $|\phi^+\rangle_{TA} = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)_{TA}$ as before.
First, if there is no eavesdropping and no other interference, the resultant state, after the
H/I, H/I, CNOT, I/H and I/X operations according to the corresponding bit value of the
authentication key and the local measurement result of the ancilla qubit, should return back into
its initial state $|\phi^+\rangle_{TA}$ as illustrated in Sec. 3.2. Alice and Trent can then authenticate each
other and detect the existence of Eve by comparing the Z-basis measurement results of their
respective qubits in this EPR state. If these measurement results agree, then they are sure
that the opposite party really owns the pre-issued authentication key and holds halves of the
EPR pairs. An important observation of our authentication scheme is that no matter what
the bit value of the authentication key is, the pair of the two particles T and A in the verifying
set V returns back into the original Bell state, $\frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)_{TA}$, after consuming the ancilla
as described in Step (5) of Sec. 3.2. So the Z-basis measurement result of either 0 or 1 of
particle T obtained with equal probability and then announced in public by Trent reveals no
useful information of the secret bit value of the authentication key, $AK_A$. Similarly, the state
of each pair in the verifying set $V'$ is also back to $\frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)_{TA}$ and thus no information
on the secret bit values of Alice's key can be inferred from the public announcement of Alice's
qubit measurement results when Trent authenticates Alice.
Second, Eve may use an intercept attack, that is, Eve intercepts the EPR particles sent
to Alice, pretends to be the legitimate user Alice and tries to cheat Trent into
accepting her as Alice during the authentication process. Eve, who does not know Alice's
key, can, while authenticating Trent, just (pretending to be Alice) accept Trent's
measurement results announced in public to pass the process. However, in the reverse process
in which Trent authenticates Eve (the fake Alice), Eve who does not know Alice's key cannot
decode back the encoded qubit and thus cannot escape from the check by Trent as there will
be a high error rate occurring when Trent compares Eve's qubit measurement results with
his in the verifying set $V'$ of the checking step. In addition, we show below that Eve also
cannot obtain any useful information about Alice's secret key $AK_A$. When the authentication
process starts, Trent follows the protocol to perform an operation H/I on each of the particles
in the sequence A according to the bit value of 0/1 of $AK_A$. Suppose that Eve does nothing
(she may do any operation but that will not affect the main conclusion of the following
analysis) as she has no idea about the bit value of $AK_A$. The resultant state after Trent's
next I/H operation is $\frac{1}{\sqrt{2}}(|0+\rangle + |1-\rangle)_{TE}$ if the bit value of $AK_A$ is 0, and is
$\frac{1}{\sqrt{2}}(|{+}0\rangle + |{-}1\rangle)_{TE} = \frac{1}{\sqrt{2}}(|0+\rangle + |1-\rangle)_{TE}$ if the bit value of $AK_A$ is 1, where
$|\pm\rangle = \frac{1}{\sqrt{2}}(|0\rangle \pm |1\rangle)$ are the eigenstates of the X operator with eigenvalues $\pm$. Note that Trent's later I/H
operation on his particle in the sequence T according to the bit value 0/1 of $AK_A$ is opposite
to his first encoding operation. The encoding operation of I/H on the particle in the sequence
A is, however, according to the bit value of 1/0. These operations make Trent's resultant
Z-basis qubit measurement results, with equal probability of being either 0 or 1, independent of
the bit value of 0/1 of $AK_A$. So if Trent then follows the protocol to announce the Z-basis
measurement result of his qubit (particle) in the verifying set V one by one, then no matter
what the bit value of $AK_A$ is, his measurement result will half-chance be 0 and half-chance
be 1. Another case is the intercept-and-CNOT attack. That is, if in the beginning, Eve
also introduces an ancilla qubit $E_a$ in the $|0\rangle$ state and performs a CNOT operation on
the intercepted qubit E and the ancilla qubit, then the resultant state after Trent's I/H
operation is in both cases $\frac{1}{\sqrt{2}}[|0\rangle(|00\rangle + |11\rangle) + |1\rangle(|00\rangle - |11\rangle)]_{TEE_a}$, no matter what the bit value
of $AK_A$ is. Similar to the above scenario, regardless of Eve's subsequent operations, Trent
will announce his Z-basis qubit measurement results with equal probability of being either
0 or 1, no matter what the bit value of $AK_A$ is. So no information of the secret key is
revealed by Eve's intercept attack in both of the above cases. In the reverse authentication
process, since Eve does not know Alice's key, she cannot decode back the original EPR state.
Suppose again Eve does nothing (she may do any operation but that will not affect the main
conclusion of the following analysis). The resultant pair state in the verifying set $V'$ will be
$\frac{1}{\sqrt{2}}(|0+\rangle + |1-\rangle)_{TE}$ if the bit value of $AK_A$ is 0, and is $\frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)_{TE}$ if the bit value
of $AK_A$ is 1. So the fake Alice's (Eve's) qubit measurement result, with equal probability of
being either 0 or 1, cannot reveal useful information about the real Alice's authentication key.
It is obvious that Eve may do any operation instead of doing nothing on her qubits, but
her measurement results will have no relation at all with Alice's key. So Eve's intercept
attack can catch nothing except being discovered.

Third, Eve could use an intercept-and-resend attack, i.e., Eve first intercepts Trent's EPR
particle A sent toward Alice, and then transmits the particle $E_A$ of the EPR pair that she
prepared to Alice instead. Eve keeps particles A and E in her hands, which are entangled,
respectively, with Trent's and Alice's particles. Eve may also try to first prepare an
additional ancilla qubit in the $|0\rangle$ state and entangle it with Trent's EPR state or with her
prepared EPR pair by a CNOT operation. Without knowing Alice's authentication key, Eve's
attack cannot pass Trent's authentication as stated above. In addition, Eve will again obtain
no information of the secret key bit when she tries to authenticate Trent or authenticate Alice,
for reasons similar to those stated above. As a result, Eve's intercept-and-resend attack will
also fail, and Eve will not get any useful information of the secret keys, either.

From the above analysis, Eve’s several possible attacks will be discovered during our
authentication process and furthermore, Eve cannot infer useful information about Alice’s
authentication key. As a consequence, the authenticator and client users can all make sure
each time whether the parties who share the entanglement pairs with themselves own the
authentication keys or not and make sure that the secret key bits will not be revealed or be
inferred from the quantum or classical channels in our mutual authentication QDC protocol.

Besides having the ability to discover the possible different attacks from Eve, our
authentication scheme can also avoid the attack by Trent if he prepares different initial states and
tries to steal the client users' messages. In the protocols by Lee et al. [22] and by Zhang et al.
[23] as well as in our protocol, Trent, as an authenticator, is considered to be more powerful
than the rest of the parties or users since all the users' secret identities are known to him,
and all the quantum resources are issued by him. Thus in our protocol, we use a mutual
authentication scheme in which a user possesses extra ancilla qubits, can perform CNOT
gates between his/her qubits and the ancilla qubit, and perform local operations (I/H and
I/X) and quantum measurements on the ancilla qubits when the user authenticates Trent.
This authentication process may appear slightly more complicated than that of the QKD-like
scheme and than that of the protocols by Lee et al. [22] and by Zhang et al. [23]. But the way
that the user can issue more quantum resources (extra ancilla qubits and manipulations and
measurements on the ancilla qubits) when authenticating Trent is the key point in our
protocol to prevent the attacks by the authenticator Trent if he prepares different initial states,
which the above mentioned protocols fail to prevent (see, e.g., discussions in Sec. 2 and in
Refs. [22, 23]). Now suppose Trent prepares initial GHZ states $\frac{1}{\sqrt{2}}(|000\rangle + |111\rangle)_{TEA}$ instead
of the EPR states that he is supposed to prepare. This unfaithful action of Trent is similar to
Eve's intercept-and-CNOT attack mentioned above, but the difference is that now Trent
knows the authentication keys. The QKD-like scheme with an authenticator will be
vulnerable to this initial GHZ state attack by Trent (though the detailed steps of how this may
happen are not shown here). We show below that this illegal action of Trent will be
discovered in the verifying set V of the checking Step 6 of our authentication process illustrated in
Sec. 3.2. The checking procedure starts from Alice's CNOT operation on her particle A and
the prepared ancilla particle a. This operation will entangle the three particles in the GHZ
state with the ancilla particle, and will result in a state expressed as $\frac{1}{\sqrt{2}}(|0000\rangle + |1111\rangle)_{TEAa}$.
The next step will depend on the bit value of the shared secret key $AK_A$. When the ith bit
value of $AK_A$ is 1, Alice will make H operations separately on her two qubits (particles), i.e.,
A and a, in the ith position in the verifying set V. For the purpose of discovering Trent's
illegal action, there is no difference here whether Trent will follow the protocol to make his
subsequent quantum operations or not. For simplicity, we suppose that Trent follows the
protocol and does the same H operations on his qubits when the ith bit value of $AK_T$ is
1. Suppose now that the ith bit value of $AK_T$ is 1. The state of the four qubits will
become $\frac{1}{\sqrt{2}}\{[(|00\rangle + |11\rangle)|0\rangle + (|01\rangle + |10\rangle)|1\rangle]|0\rangle - [(|00\rangle + |11\rangle)|1\rangle + (|01\rangle + |10\rangle)|0\rangle]|1\rangle\}_{TEAa}$.
Alice then measures the state of the ancilla particle in the Z-basis, and if the measurement
result is 0, she will do nothing before her next Z-basis measurement on particle A. Otherwise,
she will make an X operation on her particle A before the Z-basis measurement. Therefore,
after Alice measures her ancilla particle and performs the subsequent I or X operation, the
remaining three-particle state will become either $\frac{1}{\sqrt{2}}[(|00\rangle + |11\rangle)|0\rangle + (|01\rangle + |10\rangle)|1\rangle]_{TEA}$
or $\frac{1}{\sqrt{2}}[(|00\rangle + |11\rangle)|1\rangle + (|01\rangle + |10\rangle)|0\rangle]_{TEA}$, corresponding to the ancilla's measurement result
that is either 0 or 1, respectively. It is not hard to see that, for each bit value of $AK_A$ equal to 1,
Trent's measurement result will, half the time, not match Alice's measurement result. The
main reason is that the ancilla particle (qubit) is prepared by the verifier, Alice. Trent can
neither operate on the ancilla qubit nor know its measurement result, so he cannot dominate
in the authentication process. Since Alice will discover the illegal action of Trent (similar to
the existence of Eve, despite his knowing the authentication key) if Trent indeed prepares
different initial states in the authentication process, she will stop the subsequent communication
process and thus her secret message will not leak out.
In summary, it may appear that both our scheme and the QKD-like scheme require some
shared authentication keys (secrets) to begin with to perform mutual authentication, though
they are used in different ways. But one of the significant differences is that the secret key bits
in the QKD-like scheme that uses the Wegman-Carter authentication scheme [30] need to be
different each time and thus eventually need to be refreshed (replaced) in order to guarantee
the absolute security of the authenticated classical channels [31]. If one uses quantum
channels to refresh the shared secret keys, this will make the QKD-like scheme similar
to formal QKD rather than QDC that is intended here. Our QDC protocol may, however, use
the same shared key bits each time without compromising the system's security, at least in
the possible attacks by Eve analyzed above. In addition, we have pointed out that the
QKD-like scheme with direct mutual authentication between any two users may not be practical
in the implementation of a realistic quantum communication network. So a scheme with an
authenticator Trent who not only provides EPR pair qubits but also is involved in the
authentication process should be considered in the QKD-like scheme. Furthermore, the QKD-like
scheme with an authenticator may still be vulnerable to the attack by the authenticator, if
the authenticator prepares different initial states (though the detailed steps of how this may
happen are not shown here). Our QDC protocol, on the other hand, can discover this attack
of Trent's illegal action and can prevent the secret message from leaking out.

5 Conclusion
To summarize, it has been shown that the protocols proposed by Lee et al. [22] and the
improved version by Zhang et al. [23] cannot prevent the authenticator Trent from knowing
the secret message. To overcome these problems, we have presented a new quantum protocol
that uses the resources of the Bell states, the local operations and the entanglement
swapping. In our proposed QDC protocol, the message communication process only starts after the
successful authentication process. The authenticator Trent, after finishing his authentication
job, will leave the users alone to communicate with each other and to send the secret message
between themselves. Our protocol hence can prevent the real authenticator Trent from
knowing the secret message, a problem that the protocols proposed by Lee et al. and Zhang et al.
fail to resolve. The Bell measurements by Trent in the communication process will cause the
entanglement swapping. The authenticated users/parties can then communicate with each
other securely with the resources of the entangled Bell pairs between them. In the message
transmission process, the concept of the local unitary operations and the entanglement
swapping is again used to encode and transmit the secret message. So no direct quantum link
is required between any two users, say Alice and Bob, who want to communicate with each
other. This might be an appealing advantage in the practical implementation of a realistic
quantum communication network. It also prevents possible eavesdroppers from gaining any
meaningful information of the secret message in the communication process. Since the authenticator
Trent can do almost everything in an authentication network, the mutual authentication is
introduced in our protocol to prevent the attacks from an imposter Trent. Our
mutual authentication protocol can thus achieve secure QDC provided that the authenticator
Trent will do his authentication job faithfully. The protocols proposed by Lee et al. and
Zhang et al., on the other hand, also fail to prevent an illegitimate party from stepping in and acting
as the authenticator. If, however, the genuine authenticator Trent would ask a fake Bob to
receive the secret message from Alice in our protocol, this could also be possibly prevented
by allowing the users/clients to access the classical public channel at any time. If someone
pretends to be Bob to communicate with Alice, the real Bob may discover this event during
the attack.

Acknowledgments
H.S.G. would like to acknowledge support from the National Science Council, Taiwan, under
Grants No. 97-2112-M-002-012-MY3, support from the Excellent Research Projects of the
National Taiwan University under Grants No. 97R0066-65 and No. 97R0066-67, and support
from the focus group program of the National Center for Theoretical Sciences, Taiwan. C.A.Y.
and S.J.H. would like to acknowledge support from the National Science Council, Taiwan,
under Grants No. 97-2221-E-239-022- and 95-2221-E- 011-032-MY3.

References

1. D. Mayers, Unconditional security in Quantum Cryptography, quant-ph/9802025.


2. H. -K. Lo and H. F. Chau, Unconditional security of quantum key distribution over arbitrarily
long distances, Science, vol. 283, p. 2050 (1999).
3. P. W. Shor and J. Preskill, Simple Proof of Security of the BB84 Quantum Key Distribution
Protocol, Phys. Rev. Lett., 85, 441 (2000).
4. K. Inoue, E. Waks and Y. Yamamoto, Differential-phase-shift quantum key distribution using
coherent light, Phys. Rev. A, 68, 022317 (2003).
5. Z. D. Walton, A. F. Abouraddy, A. V. Sergienko, B. E. A. Saleh and M C. Teich, Decoherence-Free
Subspaces in Quantum Key Distribution, Phys. Rev. Lett., 91, 087901 (2003).
6. J.-C. Boileau, R. Laflamme, M. Laforest and C. R. Myers, Robust Quantum Communication Using
a Polarization-Entangled Photon Pair, Phys. Rev. Lett., 93, 220501 (2004).
7. X. Ma, C. -H. Fred Fung, F. Dupuis, K.Chen, K. Tamaki and H. -K. Lo, Decoy-state quantum key
distribution with two-way classical postprocessing, Phys. Rev. A, 74, 032330 (2006).
8. Y. Zhao, B. Qi, X. Ma, H. -K. Lo and L. Qian, Experimental Quantum Key Distribution with
Decoy States, Phys. Rev. Lett., 96, 070502 (2006).
9. C. -Z. Peng, J. Zhang, D. Yang, W. -B. Gao, H. -X. Ma, H. Yin, H. -P. Zeng, T. Yang, X. -B.
Wang and J. -W. Pan, Experimental Long-Distance Decoy-State Quantum Key Distribution Based
on Polarization Encoding, Phys. Rev. Lett., 98, 010505 (2007).
10. A. Beige, B. G. Englert, Ch. Kurstsiefer, and H. Weinfurter, Secure Communication with a Publicly
Known Key, Acta Phys. Pol. A, 101, 357 (2002).
11. K. Boström and T. Felbinger, Deterministic Secure Direct Communication Using Entanglement,
Phys. Rev. Lett., 89, 187902 (2002).
12. F. -G. Deng, G. L. Long and X. -S. Liu, Two-step quantum direct communication protocol using
the Einstein-Podolsky-Rosen pair block, Phys. Rev. A, 68, 042317 (2003).
13. F. -G. Deng and G. L. Long, Secure direct communication with a quantum one-time pad, Phys.
Rev. A, 69, 052319 (2004).
14. Z. X. Man, Z. J. Zhang and Y. Li, Deterministic secure direct communication by using swapping
quantum entanglement and local unitary operations, Chin. Phys. Lett., 22, 18 (2005).
15. M. Lucamarini and S. Mancini, Secure Deterministic Communication without Entanglement, Phys.
Rev. Lett., 94, 140501 (2005).
16. C. Wang, F. -G. Deng, Y. S. Li, X. -S. Liu and G. L. Long, Quantum secure direct communication
with high-dimension quantum superdense coding, Phys. Rev. A, 71, 044305 (2005).
17. M. Curty and D. J. Santos, Quantum authentication of classical messages, Phys. Rev. A., 64,
062309, (2001).
18. M. Dušek, O. Haderka, M.Hendrych and R. Myška, Quantum identification system, Phys. Rev.
A., 60, 149, (1999).
19. G. Zeng and W. Zhang, Identity verification in quantum key distribution, Phys. Rev. A., 61,
022303, (2000).
20. D. Ljunggren, M. Bourennane and A. Karlsson, Authority-based user authentication in quantum
key distribution, Phys. Rev. A., 62, 022305, (2000).
21. E. Biham, B. Huttner and T. Mor, Quantum cryptographic network based on quantum memories,
Phys. Rev. A., 54, 2651, (1996).
22. H. Lee, J. Lim and H. Yang, Quantum direct communication with authentication, Phys. Rev. A,
73, 042305 (2006).
23. Z. J Zhang, J. Liu, D. Wang and S. H. Shi, Comment on “Quantum direct communication with
authentication”, Phys. Rev. A, 75, 026301 (2007).
24. W. Wasilewsk and K. Banaszek, Protecting an optical qubit against photon loss, Phys. Rev. A, 75,
042316 (2007).
25. B. Schneier, Applied Cryptography, 2nd edition, John Wiley & Sons, New York (1996).
26. M. Żukowski, A. Zeilinger, M. A. Horne and A. K. Ekert, ‘‘Event-ready-detectors’’ Bell experiment
via entanglement swapping, Phys. Rev. Lett., 71, 4287 (1993).
27. S. Bose, V. Vedral and P. L. Knight, Multiparticle generalization of entanglement swapping, Phys.
Rev. A, 57, 822 (1998).
28. C. H. Bennett and S. J. Wiesner, Communication via one- and two-particle operators on Einstein-
Podolsky-Rosen states, Phys. Rev. Lett., 69, 2881 (1992).
29. Z. J. Zhang and Z. X. Man, Deterministic secure direct communication by using swapping quantum
entanglement and local unitary operations, quant-ph/0403218.
30. M. N. Wegman and J. L. Carter, New hash functions and their use in authentication and set
equality, Journal of Computer and System Sciences, 22, 265-279 (1981).
31. C. H. Bennett and G. Brassard, Quantum cryptography: public key distribution and coin tossing,
Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing,
IEEE, 175-179 (1984).
