In step 1, by adding and M¹ (m₁, m₂, … , m_N) bitwise, Alice obtains C (c₁, c₂, … , c_N),

where denotes the bitwise adding operation. Then Alice encodes the message C on N | 0′ ⟩ states by permuting operations, therefore Alice forms a qubit sequence S_C,

where P_C denotes the permuting operations denominated by C, and S denotes the qubit sequence consisting of N | 0′ ⟩ states. After, Alice inserts decoy sequence S_T to S_C and obtains ,

where Z denotes inserting S_T to S_C according to K^B.

After Bob receives , he recovers S_C by extracting S_T from according to K^B,

where Z^{− 1} denotes extracting S_T from according to K^B. By measuring S_C with correct bases, Bob obtains

where M_s denotes measuring S_C with bases Z₁Z₂X₃X₄Z₅Z₆ or X₁Z₂Z₃X₄Z₅Z₆. Bob obtains the secret message by adding and C (c₁, c₂, … , c_N) bitwise,

Obviously, the protocol is correct in the ideal scenario.

With the use of DF states, the collective decoherence noise will not lead to errors in the protocol. So only the noise other than collective decoherence needs to be considered. These noises might appear in all of the quantum preparation setups, quantum channels, and measurement equipment. Therefore, to protect our protocol from these non-collective decoherence noises, we can add an error-correcting code (ECC) in our protocol.

Alice and Bob select an [s, N] error-correcting code, ^[21] which uses an s bits codeword to encode an N bits word using generator matrix G(x^N) and can correct t codeword error bits with the error-correcting function D(y^s).

In step 1, after Alice obtains C, she calculates the corresponding bits codeword W= (w₁, w₂, … , w_s), where

In step 2, Alice performs permuting operations on | 0′ ⟩ states according to W and forms a new qubit sequence S_W,

where P_W denotes the permuting operations denominated by W, and S denotes the qubit sequence consisting of s | 0′ ⟩ states. After Alice inserts decoy sequence S_T to S_W, she obtains

where Z denotes inserting S_T to S_W according to K^B.

After Bob receives , he recovers S_W by extracting S_T from according to K^B,

where Z^{− 1} denotes extracting S_T from according to K^B. By measuring S_W with correct bases, Bob obtains

where M_s denotes measuring S_W with bases Z₁Z₂X₃X₄Z₅Z₆ or X₁Z₂Z₃X₄Z₅Z₆.

Suppose that the non-collective decoherence noises appear in the courses of W (w₁, w₂, … , w_s) as O = (o₁, o₂, … , o_s), where o_i = 0 or 1 represents whether an error is existent or not in w_i. Then Bob obtains bit string W’ as

The C can be obtained by using the error-correcting function D(y^s) on W’ ,

When the error rate does not exceed a rational threshold, the number of “ 1” in bit string O does not exceed t, therefore,

Bob obtains the secret message by adding and C (c₁, c₂, … , c_N) bitwise,

That is, the protocol is correct in the decoherence noise scenariotoo.

With the use of DF states, the protocol is immune to collective decoherence noise, therefore, the eavesdropping will be found more easily. The cryptanalysis of the QSDCA protocol boils down to two aspects: (i) how to analyze the eavesdropping detection rate if Eve eavesdrops; (ii) whether the protocol resists some common attack strategies, such as the intercept-resend attack, man-in-the-middle attack, Trojan horse attack, and coherent attack, or not. Because the identity authentication is implemented based on identity string K^B, the protocol will not be threatened by the man-in-the-middle attack. Next we analyze the eavesdropping detection rate of the protocol and how the protocol resists some common attack strategies, such as the intercept-resend attack, Trojan horse attack, and coherent attack.

In the protocol, state | 0′ ⟩ is used as the decoy state to detect eavesdropping. Because the positions of decoy particles are secret, Eve cannot discriminate between decoy particles and information particles (particles in S_C). Under this circumstance, Eve usually performs the same attack operation on all particles. We term the attack that Eve performs on each particle as E. Eve’ s attack will make the state | 0⟩ change to ; and the state | 1⟩ change to . Here ∣ a∣ ² + ∣ b∣ ² = 1 and ∣ m∣ ² + ∣ n∣ ² = 1.

Because of Eve’ s attack, the combined system changes to

Obviously, after Bob receives (mixture of S_C and S_T), Bob extracts S_T and performs six single-qubit measurements Z₁Z₂Z₃Z₄Z₅Z₆ on S_T. The probability without an eavesdropper is

Suppose | a| ² = s, | b| ² = t, a = m, and b = n, then

Because ∣ a∣ ² + ∣ b∣ ² = 1 and ∣ m∣ ² + ∣ n∣ ² = 1, p(∣ ψ E⟩ ) = − 12s⁶ + 36s⁵ − 36s⁴ + 12s³ can be obtained. Therefore, the error rate of each qubit due to eavesdropping is

which can also be seen as the lower bound of the detection rate of each qubit eavesdropped,

According to the theory of von Neumann entropy, the maximum amount of information contained in qubit | 0⟩ is termed as

and the maximum amount of information contained in qubit | 1⟩ is termed as

For a qubit transmitting in a quantum channel, it will be in the | 0⟩ or | 1⟩ state with equal probability (p = 0.5), therefore, the total information that Eve can eavesdrop in a qubit will be

By calculating, when I = 1, d = 0.813 is obtained. Also σ = 0.813 can be obtained. That is, eavesdropping to obtain the whole message on one qubit will lead to an 81.3% qubit-error rate, whatever the noise level is. In Ref.  [18], Li analyzed the security of the ping– pong protocol in the presence of collective-rotation noise (a major collective decoherence noise). According to Li’ s analysis, when the noise level is 0, the qubit-error rate caused by eavesdropping to obtain the whole message on one qubit is 0.5; when the noise level is 6%, the qubit-error rate is 0.18; and when the noise level is 11%, the qubit-error rate is 0.11. By comparing, we find that, when I = 1, the qubit-error rate in our protocol is always 81.3% whatever the noise level is; however, the qubit-error rate in the ping– pong protocol decreases dramatically with the increase of the noise level. Even when the noise level is 0, the qubit-error rate of the ping– pong protocol is only 0.5, which is much lower than that in our protocol. Therefore, the eavesdroppers will be found more easily in our protocol both in the ideal condition and the noisy condition. Even in the noisy condition, our protocol can display a better eavesdropping detection rate than the ping– pong protocol.

In an intercept-resend attack, when Alice sends particles to Bob, Eve intercepts some particles; Eve measures these individual particles and resends them to Bob. Eve intents to obtain some information by performing the intercept-resend attack. In this protocol, if Eve intercepts some particles, Eve has an 18.7% chance to guess the purpose of the particle right (for eavesdropping detection or transmitting secret information) and an 81.3% chance to guess wrong. If Eve guesses wrong, she cannot obtain any secret information contained in the qubit and is sure to be found. If Eve guesses right, Eve will have a 50% chance to choose the correct basis to measure the particle. Therefore, in this case, Eve has a 9.4% chance to know one qubit. Because six qubits contribute to one bit of C, Eve can know one bit of C with probability (9.4%)⁶ ≈ 6.89 × 10^{− 5}%. However, because C is the result of M¹ bitwise adding with K^A, Eve cannot obtain the corresponding bit of M¹ (the secret message) without K^A (K^A is secret to anyone else except Alice and Bob).

On the other hand, if Eve guesses right, but she chooses the wrong basis, Bob will have a 50% chance to obtain wrong information and Eve has a 50% chance to obtain the information. Under this circumstance, Eve has a 4.7% (18.7% × 50% × 50%) chance to know one qubit. Therefore, the total rate that Eve knows one qubit is 14.1% (9.4%+ 4.7%). Then Eve can know one bit of C with probability (14.1%)⁶ ≈ 7.86 × 10^{− 4}%, which will not lead to leakage of M¹, unless K^A is leaked because of improper storage by Alice and Bob. Even if K^A is leaked completely, Eve will have a 7.86 × 10^{− 4}% chance to know the secret message on one qubit, which is much smaller than that in the ping– pong protocol (37.5%).

The K^A and K^B are shared by Alice and Bob by executing the QKD protocol, therefore K^A and K^B are safe in the process of quantum key distribution. In the process of secret transmission, K^A and K^B will never be delivered in classical form but in qubit form which will be unconditionally safe because of quantum mechanics. The only unsafe factor is improper storage of K^A and K^B by Alice and Bob. However, the loss of K^A will lead to leakage of the secret message on one qubit with probability 7.86 × 10^{− 4}%. The loss of K^B will not lead to leakage of the secret message in this transmission but give Eve a chance to obtain K^A by exhaustive attack, which will make leakage of the secret in the following transmission. Therefore, the loss of K^B or both K^B and K^A will cause leakage of the secret.

The Trojan horse attack is performed by using spy photons. The spy photons are usually some invisible photons with a different wavelength or delay photons, which cannot be found by the legitimate users. Usually, Eve inserts spy photons to the legitimate photons. Because Bob cannot find the spy photons, Bob will encode the secret message on the spy photon, then Eve has the chance to obtain the secret message. In our protocol, Eve cannot obtain any secret message by performing a Trojan horse attack, because our protocol is a one-way protocol, Bob will not encode the secret message on photons.

In our protocol, | 0′ ⟩ and | 1′ ⟩ (| + ′ ⟩ and | − ′ ⟩ ) are distinguished by six single-qubit measurements Z₁Z₂X₃X₄Z₅Z₆ (X₁Z₂Z₃X₄Z₅Z₆). Bob measures 6-DF states in S_C with basis Z₁Z₂X₃X₄Z₅Z₆ or X₁Z₂Z₃X₄Z₅Z₆. The decoy qubits mixed in S_C are measured with basis Z₁Z₂Z₃Z₄Z₅Z₆. For measurements Z₁Z₂X₃X₄Z₅Z₆, X₁Z₂Z₃X₄Z₅Z₆, and Z₁Z₂Z₃Z₄Z₅Z₆, we can find that three single-qubit measurements, which are marked in bold, remain unaltered. If Eve wants to get some valuable information and escape from being detected, she can intercept all the states sent from Alice and only measure the qubits with Z₂Z₅Z₆ except for the first, the third, and the fourth ones in each state.

Table 1.

Table 1.

Table 1. All possible measurement results obtained by Eve with Z2Z5Z6 in her attack. The original state The possible result | 0′ ⟩ ∣ 0⟩ 2∣ 0⟩ 5∣ 0⟩ 6, ∣ 1⟩ 2∣ 1⟩ 5∣ 1⟩ 6 ∣ 0⟩ 2∣ 1⟩ 5∣ 1⟩ 6, ∣ 1⟩ 2∣ 0⟩ 5∣ 0⟩ 6 ∣ 0⟩ 2∣ 0⟩ 5∣ 1⟩ 6, ∣ 1⟩ 2∣ 0⟩ 5∣ 1⟩ 6 ∣ 0⟩ 2∣ 1⟩ 5∣ 0⟩ 6, ∣ 1⟩ 2∣ 1⟩ 5∣ 0⟩ 6 | 1′ ⟩ ∣ 0⟩ 2∣ 1⟩ 5∣ 1⟩ 6, ∣ 1⟩ 2∣ 0⟩ 5∣ 0⟩ 6 ∣ 0⟩ 2∣ 0⟩ 5∣ 1⟩ 6, ∣ 1⟩ 2∣ 0⟩ 5∣ 1⟩ 6 ∣ 0⟩ 2∣ 1⟩ 5∣ 0⟩ 6, ∣ 1⟩ 2∣ 1⟩ 5∣ 0⟩ 6 | + ′ ⟩ ∣ 0⟩ 2∣ 0⟩ 5∣ 0⟩ 6, ∣ 1⟩ 2∣ 1⟩ 5∣ 1⟩ 6 ∣ 0⟩ 2∣ 1⟩ 5∣ 1⟩ 6, ∣ 1⟩ 2∣ 0⟩ 5∣ 0⟩ 6 ∣ 0⟩ 2∣ 0⟩ 5∣ 1⟩ 6, ∣ 1⟩ 2∣ 0⟩ 5∣ 1⟩ 6 ∣ 0⟩ 2∣ 1⟩ 5∣ 0⟩ 6, ∣ 1⟩ 2∣ 1⟩ 5∣ 0⟩ 6 | − ′ ⟩ ∣ 0⟩ 2∣ 1⟩ 5∣ 1⟩ 6, ∣ 1⟩ 2∣ 0⟩ 5∣ 0⟩ 6 ∣ 0⟩ 2∣ 0⟩ 5∣ 1⟩ 6, ∣ 1⟩ 2∣ 0⟩ 5∣ 1⟩ 6 ∣ 0⟩ 2∣ 1⟩ 5∣ 0⟩ 6, ∣ 1⟩ 2∣ 1⟩ 5∣ 0⟩ 6

Table 1. All possible measurement results obtained by Eve with Z2Z5Z6 in her attack.

All the possible measurement results obtained by Eve in this attack are shown in Table  1. From Table  1, we can see that when Alice sends | 0′ ⟩ and | + ′ ⟩ , Eve may obtain some results which will never appear in the cases | 1′ ⟩ and | − ′ ⟩ , i.e., ∣ 0⟩ ₂∣ 0⟩ ₅∣ 0⟩ ₆ and ∣ 1⟩ ₂∣ 1⟩ ₅∣ 1⟩ ₆. Here and where and denote the reduced density matrices of quantum systems shown in Eq.  (1). If Alice sends | 0′ ⟩ and | + ′ ⟩ , we can find that both ∣ 0⟩ ₂∣ 0⟩ ₅∣ 0⟩ ₆ and ∣ 1⟩ ₂∣ 1⟩ ₅∣ 1⟩ ₆ appear with a probability of 1/6 in either | 0′ ⟩ or | + ′ ⟩ state. Alice sends | 0′ ⟩ or | + ′ ⟩ with probability 1/2, and Eve has good judgment of the purpose of the photon (decoy photon or secret carriers) with probability 1/2, therefore, Eve can gain one bit of the information of C with probability 1/6 × 2 × 1/2 × 1/2 = 1/12. To obtain one bit of the secret information, Eve has to know the corresponding bit of K^A with probability 1/2. Thus, Eve can gain one bit of the secret information with probability 1/12 × 1/2 = 1/24 ≈ 0.042. When the number of bits transmitted in one transmission is N = 50 (the length of K^A), the probability that Eve obtains the secret information approaches zero.

In many cases, six-qubit entangled states are very difficult to prepare and manipulate in an experiment. However, in our protocol, the 6-DF state | 0′ ⟩ can be prepared with a setup^{[43, 44]} that can be designed by combining the two apparatuses of Ref.  [41], and the other three states | 1′ ⟩ , | + ′ ⟩ , and | − ′ ⟩ can be prepared by permuting the outputs of the setup for | 0′ ⟩ .^[42] The measurements of | 0′ ⟩ , | 1′ ⟩ , | + ′ ⟩ , or | − ′ ⟩ may be very difficult, however, six single-qubit measurements Z₁Z₂X₃X₄Z₅Z₆ (X₁Z₂Z₃X₄Z₅Z₆) cannot only distinguish | 0′ ⟩ and | 1′ ⟩ (| + ′ ⟩ and | − ′ ⟩ ), but also decrease the difficulty of measurement in an experiment. Therefore, our protocol is practical in an experiment.