1 Introduction

Quantum cryptography is a combination of quantum physics and cryptography and has been extensively investigated [1, 2]. It has inherent advantages compared with classical cryptography, since its security is based on quantum mechanical principles instead of unproven mathematical assumptions [3]. Bennett and Brassard proposed the first quantum cryptography protocol in 1984 [4], which was proved to be unconditionally secure. Subsequently, a lot of quantum cryptographic protocols have been designed to solve various problems, such as quantum key distribution (QKD) [5,6,7], quantum secret sharing (QSS) [8, 9], quantum encryption [10, 11], and quantum private query [12, 13]. Quantum private comparison (QPC) has also gained a lot of attention, as it can allow participants who do not trust each other to compare whether their private information is equal without leaking them. The first QPC protocol was proposed by Yang et al by using Bell states and decoy states [14]. Later, Chen et al proposed an efficient QPC protocol based on three-particle GHZ states [15]. Subsequently, some other QPC protocols are proposed to be suitable for different environments [16,17,18,19,20,21,22,23,24,25,26,27,28].

However, almost all these proposed QPC protocols required participants to have full quantum capabilities. In fact, quantum resources are still relatively scarce and many participants often do not have enough quantum capability at present. It is an issue that needs to be solved to reduce the quantum capabilities of participants. Boyer et al. first put forward the notion of “semi-quantum” in 2007 [29], where one participant is “classical" and the other is quantum. A “classical” participant indicates that one can only perform four operations described below: (1) preparing qubits in the computational basis {\( |0\rangle \), \( |1\rangle \)}, (2) measuring qubits in the computational basis, (3) reordering qubits, and (4) sending and receiving qubits. Semi-quantum technology also can be applied to QPC [30,31,32,33,34]. Chou et al introduced the first semi-quantum private comparison (SQPC) protocol in 2016, which does not require participants to have sufficient quantum capabilities [30]. With the assistance of a third-party TP, two players can check whether their secret inputs are equal by using decoy photons and two-particle entangled states. Other similar SQPC protocols also have been proposed by the combined use of QPC and semi-quantum technology [31,32,33]. But the efficiency of qubits in the existing SQPC protocols is low [30, 33]. Recently, Yan et al. presented a SQPC protocol with three-particle G-like states [35], which obtains higher efficiency than the previously proposed SQPC protocols [31,32,33]. We observe there is a design weakness in their protocol. It can make the protocol vulnerable to the double CNOT attack, by which a malicious participant is possible to get secret information of another honest participant without being caught. Furthermore, we improve the SQPC protocol given by Yan et al. to avoid this attack.

The remainder of the paper can be organized below. Section 2 is a general overview of Yan et al.’s SQPC protocol [35]. Cryptanalysis on Yan et al.’s SQPC protocol is made in Sect. 3. Section 4 gives an improved SQPC protocol. Section 5 makes security analysis on the proposed SQPC protocol. The final section makes a conclusion of this paper.

2 Review of Yan et al.’s SQPC protocol

Yan et al.’s SQPC protocol [35] is briefly reviewed in this part. Let two classical participants share a key sequence \(K_{AB}\) through a semiquantum key distribution [36] and have their own private messages X and Y, where each key bit \(K_{AB}^{i} \in \) \(\{0,1\}\), \(X= \sum _{i=1}^{n} x_{i}2^{i-1}\), \(Y= \sum _{i=1}^{n} y_{i}2^{i-1}\), and \(x_{i}\), \(y_{i}\in \{0,1\}\). The equality of their secrets X and Y must be compared securely without revealing their true value to each other and a semi-honest TP. Note that, a semi-honest TP means that he may attempt to obtain the secrets of the participants by collecting related information during the implementation process, but he has to follow the specified steps and cannot collude with any participant. The specific steps in the protocol are given as follows.

Step 1 Quantum user TP generates 2n G-like states in the form of \( |{\psi }\rangle _{TAB} \) which can be written as

$$\begin{aligned} \begin{aligned} |{\psi }\rangle _{TAB}&= \frac{1}{2} ( |001\rangle + |010\rangle + |100\rangle + |111\rangle )_{TAB}\\&= \frac{1}{\sqrt{2}} ( |\varphi ^{+}\rangle _{TA} |0\rangle _{B}+ |\phi ^{+}\rangle _{TA} |1\rangle _{B})\\&= \frac{1}{\sqrt{2}} ( |\varphi ^{+}\rangle _{TB} |0\rangle _{A}+ |\phi ^{+}\rangle _{TB} |1\rangle _{A}), \end{aligned} \end{aligned}$$
(1)

where \( |\phi ^{+}\rangle \), \( |\phi ^{-}\rangle \), \( |\varphi ^{+}\rangle \) and \( |\varphi ^{-}\rangle \) are the four Bell states and the subscripts ‘T’, ‘A’, and ‘B’ indicate that the qubits will be held by TP, Alice, and Bob, respectively. All the first qubis of these states form the sequence \(S_{T}\), the second qubits of them form the sequence \( S_{A}\), and the third qubits of them constitute the sequence \(S_{B}\). Then he sends \(S_{A}\) to Alice, \(S_{B}\) to Bob, and keeps \( S_{T} \) by himself.

Step 2 For each received qubit, Alice (or Bob) randomly chooses to reflect the qubit to TP without doing anything else (called action R) or makes a measurement in the \(\{|0\rangle ,|1\rangle \}\) basis to obtain \(MA_i\) (or \(MB_i\)) and computes \(RA_{i} =MA_{i} \oplus K_{AB}^{i} \oplus x_{i}\) (\(RB_{i} =MB_{i} \oplus K_{AB}^{i}\oplus y_{i}\)) (called action M). Note that and \(1 \le i \le n \), \( MA=\{MA_{1}, MA_{2}, ... , MA_{n}\}\), \( RA=\{RA_{1}, RA_{2}, ... , RA_{n}\}\), \( MB=\{MB_{1}, MB_{2}, ... , MB_{n}\}\), and \( RB=\{RB_{1}, RB_{2}, ... , RB_{n}\}\).

Step 3 When all qubits arrive, TP informs the participants Alice and Bob and they will reveal their choices in step 2. Based on the selections made by Alice and Bob in step 2, there are four cases and TP performs different operations as indicated in Table 1.

Table 1 Actions on the qubits for participants in Yan et al.’s protocol [35]
Full size table

If case 1 happens, TP makes the joint measurement on his own qubit, the qubit sent by Alice, and the qubit sent by Bob in the G-like basis for eavesdropping. If there does not exist an eavesdropper, TP’s measurement result should be \(|{\psi }\rangle _{TAB}\). Otherwise TP terminates the protocol.

When cases 2 and 3 occur, the Bell measurement is done by TP with his own qubit and the qubit returned by Alice or Bob to detect eavesdroppers. If the measurement result is \( |\phi ^{+}\rangle \) or \( |\varphi ^{+}\rangle \), the protocol continues, otherwise it terminates. TP can obtain \(MB_{i}\) or \(MA_{i}\) according to the Bell measurement results and Eq. (1). Then TP measures the qubit sent by the participant who chose the operation M in the Z basis to get \(RB_{i}\) or \(RA_{i}\). Finally, TP computes \( PB_{i} = RB_{i} \oplus MB_{i}= (MB_{i} \oplus K_{AB}^{i} \oplus y_{i}) \oplus MB_{i} = K_{AB}^{i} \oplus y_{i}\) or \(PA_{i} =RA_{i}\) \( \oplus MA_{i}= (MA_{i} \oplus K_{AB}^{i} \oplus x_{i}) \oplus MA_{i}= K_{AB}^{i}\oplus x_{i} \).

For case 4, Alice and Bob publish the values of \( MA_{i} \) and \( MB_{i}\). TP measures his own qubit in the Z basis. If the measurement result is not the same as the expected result according to Eq. (1), \( MA_{i} \), and \( MB_{i}\), he terminates the protocol. Otherwise, he measures the qubits sent by Alice and Bob both in the Z basis to get \(RA_{i}\) and \(RB_{i}\). Then he computes \(PA_{i} =RA_{i} \oplus MA_{i}= K_{AB}^{i} \oplus x_{i}\) and \(PB_{i} =RB_{i} \oplus MB_{i}= K_{AB}^{i} \oplus y_{i}\).

Step 4 TP computes \( P_{i}= PA_{i} \oplus PB_{i}= K_{AB}^{i} \oplus x_{i} \oplus K_{AB}^{i} \oplus y_{i} = x_{i} \oplus y_{i}\). If the value of \( P_{i} \) is not zero, TP declares \(X \ne Y\) and terminates the protocol; otherwise TP sets \(i = i + 1\) and restarts the operation till \(i = n\). If \(x_i\oplus y_i=0\) for each i, TP declares \(X=Y\) and stops the protocol.

3 Cryptanalysis of Yan et al.’s SQPC protocol

In the following, we show Yan et al.’s SQPC protocol [35] is insecure, as the secret of honest participant can be learned by a malicious participant by performing the double CNOT attack without being caught.

Here Bob is assumed to be a curious participant and wants to obtain Alice’s secret. In step 1, TP prepares states \( |{\psi }\rangle _{TAB} \) and sends the qubit sequence \( S_{A}\) to Alice, \(S_{B}\) to Bob, and keeps \( S_{T} \). When TP sends each qubit in \( S_{A}\) to Alice, the attacker Bob intercepts it and performs the first CNOT gate on it and his ancillary qubit which is in the state of \( |0\rangle \). Then the state of the whole system is

$$\begin{aligned} \begin{aligned} {|\psi }\rangle _{1}&=CNOT_{AE}\otimes I_{TB}(|{\psi }\rangle _{TAB}\otimes |0\rangle _{E}) \\&=\frac{1}{2} ( |0010\rangle + |0101\rangle + |1000\rangle + |1111\rangle )_{TABE}.\\ \end{aligned} \end{aligned}$$
(2)

Similarly, the subscripts ‘T,’ ‘A,’ and ‘B’ indicate the qubits held by TP, Alice, and Bob, and ‘E’ indicates an ancillary qubit generated by Bob. When Alice receives the qubit from TP, she chooses R or M at random. When Alice sends the qubit to TP, Bob once again intercepts it and performs the second CNOT gate on it and his ancillary qubit, where the intercepted one is used as the control qubit and his own ancillary qubit is used as the target qubit. Since both Alice and Bob can randomly choose R or M, there are four different cases to be considered.

(a) If both Alice and Bob chose R, the whole state after Bob implements the second CNOT gates can be written as

$$\begin{aligned} \begin{aligned} {|\psi }\rangle _{2}&=(CNOT_{AE}\otimes I_{TB})(CNOT_{AE}\otimes I_{TB})( |{\psi }\rangle _{TAB} \otimes |0\rangle _{E}) \\&=\frac{1}{2} ( |0010\rangle + |0100\rangle + |1000\rangle + |1110\rangle )_{TABE}\\&=|\psi \rangle _{TAB}\otimes |0\rangle _{E}. \end{aligned} \end{aligned}$$
(3)

Obviously, TP cannot detect Bob’s eavesdropping in this case since the state \(|\psi \rangle _{TAB}\) remains unchanged. But Bob cannot get any valuable information since the state of the ancillary qubit is always \( |0\rangle \).

(b) If Alice chose R and Bob chose M, Bob measures the received qubit from TP and generates a new quantum state \(|B\rangle \) to be sent to TP, where \(|B\rangle \in \{|0\rangle _{B'}, |1\rangle _{B'}\} \). According to Eq. (2), the state of the system collapses to \((|0101\rangle + |1000\rangle )_{TABE}\) or \((|0010\rangle + |1111\rangle )_{TABE} \). At the same time, Bob performs the second CNOT gate on his own ancillary qubit and Alice’s qubit. The state of the whole system is changed as

$$\begin{aligned} \begin{aligned} {|\psi }\rangle _{3}&=CNOT_{AE}\otimes I_{TBB'}[\frac{1}{\sqrt{2}}(|0101\rangle + |1000\rangle )_{TABE} \otimes |0\rangle _{B'} ] \\&=\frac{1}{\sqrt{2}}(|0100\rangle + |1000\rangle )_{TABE} \otimes |0\rangle _{B'} \\&=|\varphi ^{+}\rangle _{TA}|00\rangle _{BE}\otimes |0\rangle _{B'} \\ \end{aligned} \end{aligned}$$
(4)

or

$$\begin{aligned} \begin{aligned} {|\psi }\rangle _{4}&=CNOT_{AE}\otimes I_{TBB'}[\frac{1}{\sqrt{2}}(|0010\rangle + |1111\rangle )_{TABE} \otimes |1\rangle _{B'} ] \\&=\frac{1}{\sqrt{2}}(|0010\rangle + |1110\rangle )_{TABE} \otimes |1\rangle _{B'}\\&=|\phi ^{+}\rangle _{TA}|10\rangle _{BE}\otimes |1\rangle _{B'}. \end{aligned} \end{aligned}$$
(5)

Then, TP measures the qubit sent by Alice and his own qubit in the Bell basis for eavesdropping. According to Eqs. (4) and (5), Bob can pass eavesdropping. But he also cannot get Alice’s secret information since the state of his ancillary qubit is still \(|0\rangle \).

(c) If Alice chose M and Bob chose R, Alice measures the received qubit from TP and produces the corresponding quantum state \(|A\rangle \) which is sent to TP, where \(|A\rangle \in \{|0\rangle _{A'}, |1\rangle _{A'}\} \). Similar to case (b), the state of the system collapses to \((|0010\rangle + |1000\rangle )_{TABE} \) or \((|0101\rangle + |1111\rangle )_{TABE}\) according to Eq. (2). If Alice prepares \( |0\rangle _{A'} \), the state of the whole system after Bob carries out the second CNOT gate is

$$\begin{aligned} \begin{aligned} {|\psi }\rangle _{5}&=CNOT_{A'E}\otimes I_{TAB}\left[ |0 \rangle _{A'}\otimes \frac{1}{\sqrt{2}}(|0010\rangle + |1000\rangle )_{TABE}\right] \\&=\left[ |0\rangle _{A'}\otimes \frac{1}{\sqrt{2}}(|0010\rangle + |1000\rangle )_{TABE}\right] \\ \end{aligned} \end{aligned}$$
(6)

or

$$\begin{aligned} \begin{aligned} {|\psi }\rangle _{6}&=CNOT_{A'E}\otimes I_{TAB}\left[ |0\rangle _{A'}\otimes \frac{1}{\sqrt{2}}(|0101\rangle + |1111\rangle )_{TABE}\right] \\&=\left[ |0\rangle _{A'}\otimes \frac{1}{\sqrt{2}}(|0101\rangle + |1111\rangle )_{TABE}\right] .\\ \end{aligned} \end{aligned}$$
(7)

Similarly, if Alice prepares \( |1\rangle _{A'} \), the entire state after Bob performs the second CNOT gate should be

$$\begin{aligned} \begin{aligned} {|\psi }\rangle _{7}&=CNOT_{A'E}\otimes I_{TAB}\left[ |1\rangle _{A'}\otimes \frac{1}{\sqrt{2}}(|0010\rangle + |1000\rangle )_{TABE}\right] \\&=\left[ |1\rangle _{A'}\otimes \frac{1}{\sqrt{2}}(|0011\rangle + |1001\rangle )_{TABE}\right] \\ \end{aligned} \end{aligned}$$
(8)

or

$$\begin{aligned} \begin{aligned} {|\psi }\rangle _{8}&=CNOT_{A'E}\otimes I_{TAB}\left[ |1\rangle _{A'}\otimes \frac{1}{\sqrt{2}}(|0101\rangle + |1111\rangle )_{TABE}\right] \\&=\left[ |1\rangle _{A'}\otimes \frac{1}{\sqrt{2}}(|0100\rangle + |1110\rangle )_{TABE}\right] .\\ \end{aligned} \end{aligned}$$
(9)

In order to escape being detected, Bob should reflect his true qubit to TP. But Bob can perform the Z basis measurement on his ancillary qubit to learn some information. According to Eqs. (6), (7), (8), and (9), if the result is \(|0\rangle \), Bob can know \(MA_{i} \oplus RA_{i}=0\); else he knows \(MA_{i} \oplus RA_{i}=1\). Thus, Bob is able to obtain one bit of Alice’s secret information \(x_i=P_i \oplus K_{AB}^{i}=MA_{i} \oplus RA_{i} \oplus K_{AB}^{i}\).

(d) If both Alice and Bob chose M, they must publish the measurement results \( MA_{i} \) and \( MB_{i}\). The state of the system may collapse to \(|0010\rangle _{TABE}\), \(|0101\rangle _{TABE}, |1000\rangle _{TABE}\) or \(|1111\rangle _{TABE}\) after Alice and Bob perform the measurements. Then Bob performs the second CNOT gate on the qubit returned by Alice and his ancillary qubit and the state of the whole system is changed to \(|0\rangle _{A'} |0010\rangle _{TABE} \!|B\rangle \), \(|0\rangle _{A'} |0101\rangle _{TABE} \!|B\rangle \), \(|0\rangle _{A'} |1000\rangle _{TABE} |B\rangle \), \(|0\rangle _{A'} |1111\rangle \) \(_{TABE} |B\rangle \), \(|1\rangle _{A'} \!|0011\rangle _{TABE} |B\rangle \), \(|1\rangle _{A'} |0100\rangle _{TABE} |B\rangle \), \(|1\rangle _{A'} |1001\rangle _{TABE} |B\rangle \), or \(|1\rangle _{A'} |1110\rangle \) \(_{TABE} |B\rangle \). Since the state of qubit owned by TP has not changed, Bob’s attack will not be discovered. Then Bob measures his ancillary qubit in the Z basis, obtaining \(|0\rangle \) or \(|1\rangle \) with probability 1/2. Since the value of \( MA_{i} \) is published, Bob can easily get Alice’s secret bit \(x_i\). For example, suppose the measurement result of Bob’s ancillary qubit is 0, that is, \(MB_{i}\) is 0, and \(MA_{i}\) that Alice publishes is also 0. Then Bob knows the state of the whole system after he does the second CNOT gate should be \(|0\rangle _{A'} |1000\rangle _{TABE} |B\rangle \) and thus learns the value of \(RA_i\) is 0. Then he can compute \( x_{i} = RA_{i} \oplus MA_{i} \oplus K_{AB}^{i}\) to get Alice’s secret \(x_i\).

In terms of the above analysis, we can deduce that in cases (c) and (d), since the qubits returned to TP after measuring by Alice are not the same as those sent by TP, the participant Bob who is a malicious one can get Alice’s secret without being detected by performing the double CNOT attack. Hence, the private information of the honest participant can be acquired by the malicious participant using the double CNOT attack with a probability of 1/2.

4 The proposed improved SQPC protocol

In the following, we improve Yan et al.’s SQPC protocol [35] to be secure against various types of attack like the original protocol and also the double CNOT attack.

In the improved protocol, two classical participants Alice and Bob share a n-bit key sequence \(K_{AB}\) through an efficient mediated quantum key distribution protocol [37], Alice has the secret X, and Bob has the secret Y. Let \(K_{AB}^{i}\), \(x_{i}\), and \(y_{i}\) be the i-th bit of \(K_{AB}\), X, and Y, respectively, where \(K_{AB}^{i}, x_{i}, y_{i}\in \{0, 1\}\) and \(1 \le i \le n \). TP is a semi-honest third party to help Alice and Bob to complete their secret comparison. The basic processes of the improved protocol are depicted in Fig. 1 and a detailed description of it is given as follows.

Fig. 1
figure 1

Processes involved in the improved SQPC protocol. Note that, Alice and Bob only disclose the value of RA and RB when they both choose M in step 3

Full size image

Step 1 TP generates 4n G-like states in the form of \( |{\psi }\rangle _{TAB} \) which can be written as

$$\begin{aligned} \begin{aligned} |{\psi }\rangle _{TAB}&= \frac{1}{2} \left( |001\rangle + |010\rangle + |100\rangle + |111\rangle \right) _{TAB}\\&= \frac{1}{\sqrt{2}} ( |\varphi ^{+}\rangle _{TA} |0\rangle _{B}+ |\phi ^{+}\rangle _{TA} |1\rangle _{B})\\&= \frac{1}{\sqrt{2}} ( |\varphi ^{+}\rangle _{TB} |0\rangle _{A}+ |\phi ^{+}\rangle _{TB} |1\rangle _{A}), \end{aligned} \end{aligned}$$
(10)

where \( |\phi ^{+}\rangle \), \( |\phi ^{-}\rangle \), \( |\varphi ^{+}\rangle \) and \( |\varphi ^{-}\rangle \) are the four Bell states. TP divides them into three sequences \( S_{T} \), \(S_{A}\), and \(S_{B}\). Then he transmits the sequence \( S_{A}\) to Alice, \( S_{B}\) to Bob, and keeps \( S_{T} \).

Step 2 Alice and Bob choose one of the following two operations at random after receiving each qubit: (1) returning the qubit to TP directly (called action R), and (2) measuring the received qubit in the Z basis and preparing a new qubit according to the measurement result and sending it to TP (called action M). Let the binary sequence \( MA=\{MA_{1}, MA_{2}, ... , MA_{2n}\} \) (or \( MB=\{MB_{1}, MB_{2}, ... , MB_{2n}\} \)) be made up of the measurement results and \( MA_{i}\in \{0, 1\} \) (or \(MB_{i}\in \{0, 1\} \)) be the ith bit of MA (or MB). Note that different from Yan et al.’s SQPC protocol [35], here participants need to resend the qubit to the TP in the state corresponding to the measurement result. For instance, the participant should generate \(|0\rangle \) and send it to TP if the measurement result is 0. It can ensure that the attacker cannot distinguish which actions the participants chose.

Table 2 Actions on the qubits for participants in the proposed protocol
Full size table

Step 3 If TP has received all the qubits, Alice and Bob broadcast their choices in step 2. There are four cases and TP performs different actions according to the choices that Alice and Bob made as described in Table 2.

In case 1 where both Alice and Bob chose R, TP makes a joint measurement on the qubit sent by Alice and Bob, and his own qubit in the G-like basis for eavesdropping detection. TP’s measurement result should be \(|{\psi }\rangle _{TAB}\), otherwise there may exist an eavesdropper and the protocol is terminated.

In cases 2 and 3 where one participant chose R and the other participant chose M, TP measures his own qubit and the directly returned qubit by the participant who chose R in the Bell basis. In addition, the participant who chose M reveals the value of \(MA_{i}\) or \(MB_{i}\). If the Bell measurement result corresponds to the state \(|\phi ^{+}\rangle \) or \( |\varphi ^{+}\rangle \), TP continues the protocol, else he terminates it.

In case 4 where both Alice and Bob chose M, TP measures the qubits returned by Alice and Bob in the Z basis to obtain \(MA_{i}\) and \(MB_{i}\). Then, TP makes the Z basis measurement on his own qubit. If the measurement result differs from the expected result based on Eq. (10), \(MA_{i}\), and \( MB_{i}\), TP terminates the protocol. Then, Alice calculates \(RA_{j}= MA_{i} \oplus K_{AB}^{j} \oplus x_{j}\), where \(i \in (1, 2, ..., n)\) and \(j\in (1, 2, ..., n)\). Bob also calculates \(RB_{j}=MB_{i} \oplus K_{AB}^{j} \oplus y_{j}\). Then Alice and Bob broadcast the value of \(RA_{j}\) and \(RB_{j}\), respectively.

Step 4 TP computes \( P_{j}=RA_{j} \oplus RB_{j} \oplus MA_{i}\oplus MB_{i} =(MA_{i} \oplus K_{AB}^{j} \oplus x_{j})\oplus (MB_{i} \oplus K_{AB}^{j} \oplus y_{j})\oplus MA_{i} \oplus MB_{i}= x_{j} \oplus y_{j} \). If \( P_{j} \) \(\ne 0\), TP will publish \(X \ne Y\), which means Alice and Bob have unequal secrets. Otherwise, TP repeats the comparisons till all the results have been obtained. If \(P_{j} = 0\) for all the comparisons, TP can conclude that Alice’s secret is the same as Bob’s secret and he will announce \(X =Y\).

5 Security analysis

In the improved SQPC protocol, since a key sequence \(K_{AB}\) is pre-shared among the participants, who know more information than the external eavesdropper, the probability of successful attack by the participants is significantly higher than that of the outside eavesdropper. Therefore, we focus on analyzing the security of the protocol in the worst case where a participant is considered as an attacker. For instance, Bob is assumed to be dishonest and may try to obtain Alice’s secret through some types of attacks, such as the intercept-resend attack, the measure-resend attack, the double CNOT attack, and the entangle-measure attack. In addition, TP’s attack is also analyzed.

5.1 Intercept-resend attack

A malicious attacker Bob may launch the intercept-resend attack to steal some valuable information from Alice. The specific operations are as follows. Bob intercepts the qubit sequence \(S_{A}\) in step 1 and stores them. Then Bob sends his prepared fake qubits in the state of \(|0 \rangle \) or \(|1\rangle \) to Alice at random. Subsequently, Bob intercepts Alice’s qubits once more and delivers the stored qubit sequence \(S_{A}\) to TP. This kind of attack Bob will be discovered in step 3 with a certain probability and the detail analysis is in the following. If the participants chose to reflect the qubit directly in step 2, TP will measure his own qubit and the directly reflected qubits in the G-like basis or the Bell basis for eavesdropping. Since the qubit sequence \(S_{A}\) and \(S_{B}\) do not change, Bob’s attack will not be discovered. Similarly, if both Alice and Bob chose to measure the qubits, TP measures the qubits sent by Alice and Bob in the Z basis to get the values of \( MA_{i} \) and \( MB_{i}\). Due to Bob’s attack, TP may acquire \(MA_{i}\) which may not be equal to that Alice got with probability 1/2. But Bob learns the value of \( MA_{i} \) that Alice got and may obtain the secret qubit of Alice without being caught. But if Alice chose to measure the qubit and Bob chose to reflect the qubit, TP detects eavesdropping by performing the Bell basis measurement on the qubits returned by Bob and his own qubit. Since the qubit that Alice performed the measurement on was replaced by that Bob prepared, Bob can be discovered by TP and Alice with probability 1/2. Consequently, the probability that Bob may be detected in the four cases is P = \(1-(3/4+1/4\times 1/2)^{N}=1-(7/8)^{N}\). When N is large enough, P is close to 1.

5.2 Measure-resend attack

The measure-resend attack here means that Bob intercepts the qubit sequence \(S_{A}\) sent by the TP and performs the Z basis measurement, generates the new qubit in the corresponding state according to the measurement result and sends it to Alice. In step 3, for case 3, TP measures the qubit sent by Bob and his own qubit in the Bell basis for eavesdropping. Since the qubit that Alice performed the measurement was the same as that Bob prepared, Bob cannot be discovered by TP. Similarly, in case 4, Bob’s attack does not change the qubit owned by TP and thus he is undetectable. Bob also can figure out Alice’s secret exactly. However, in cases 1, TP performs the G-like basis measurement on the returned qubits and his own qubit to check detection. Since Bob’s attack destroyed the initial G-like state, the probability of him being detected is 1/2. Similarly, in case 2, TP measures the qubit sent by Alice and his own qubit in the Bell basis for eavesdropping detection. Based on Eq. (10), TP must obtain \(|\varphi ^{+}\rangle \) or \(|\phi ^{+}\rangle \) with equal probability. But Bob replaced the qubits sent by TP with the qubits generated by himself, his attack also will be detected with probability 1/2. To sum up, the total probability of Bob being detected in four cases is P = \(1-(1/4\times 1/2+1/4\times 1/2+1/2)^{N}\)= \(1-(3/4)^{N}\) and it is close to 1 if N is large enough.

5.3 Double CNOT attack

In step 1, TP generates \(|{\psi }\rangle _{TAB}\) and divides these qubits into three sequences \( S_{T}\), \( S_{A}\), and \(S_{B}\). Then he sends \( S_{A}\) to Alice, \( S_{B}\) to Bob, and keeps \( S_{T}\). Bob intercepts each qubit sent by TP to Alice and performs the first CNOT gate on it and his ancillary qubit \(|0\rangle \), the state of the whole system is

$$\begin{aligned} \begin{aligned} {|\psi }\rangle _{1}&=CNOT_{AE}\otimes I_{TB}(|{\psi }\rangle _{TAB}\otimes |0\rangle _{E}) \\&=\frac{1}{2} ( |0010\rangle + |0101\rangle + |1000\rangle + |1111\rangle )_{TABE}.\\ \end{aligned} \end{aligned}$$
(11)

In step 2, when Alice receives each qubit, she chooses R or M at random. Bob intercepts the qubit returned from Alice and implements the second CNOT gate on it and his ancillary qubit. According to different choices made by Alice and Bob, there are the following four situations.

Case 1 When both Alice and Bob chose R, the entire state after Bob implements the second CNOT gate can be written as

$$\begin{aligned} \begin{aligned} {|\psi }\rangle _{2}&=(CNOT_{AE}\otimes I_{TB})(CNOT_{AE}\otimes I_{TB})(|{\psi }\rangle _{TAB} \otimes |0\rangle _{E}) \\&=\frac{1}{2} ( |0010\rangle + |0100\rangle + |1000\rangle + |1110\rangle )_{TABE}.\\ \end{aligned} \end{aligned}$$
(12)

In this case, the state \(|{\psi }\rangle _{TAB}\) is not changed by executing the CNOT gate operation twice. It is simple to determine that the ancillary qubit is always \( |0\rangle \), implying that Bob is unable to gain any meaningful information.

Case 2 When Alice chose R and Bob chose M, Bob measures the received qubit from TP and generates a new qubit \(|B\rangle \) to be sent to TP, where \(|B\rangle \in \{|0\rangle _{B'}, |1\rangle _{B'}\} \). According to Eq. (11), \(|\psi \rangle _1\) collapses to \((|0101\rangle + |1000\rangle )_{TABE}\) or \((|0010\rangle + |1111\rangle )_{TABE} \). Then Bob performs the second CNOT gate operation on his own ancillary qubit and Alice’s qubit. The state of the whole system is changed as

$$\begin{aligned} \begin{aligned} {|\psi }\rangle _{3}&=CNOT_{AE}\otimes I_{TBB'}\left[ \frac{1}{\sqrt{2}}(|0101\rangle + |1000\rangle )_{TABE} \otimes |0\rangle _{B'} \right] \\&=\frac{1}{\sqrt{2}}(|0100\rangle + |1000\rangle )_{TABE} \otimes |0\rangle _{B'}\\&=|\varphi ^{+}\rangle _{TA}|00\rangle _{BE}\otimes |0\rangle _{B'}\\ \end{aligned} \end{aligned}$$
(13)

or

$$\begin{aligned} \begin{aligned} {|\psi }\rangle _{4}&=CNOT_{AE}\otimes {I_{TBB'}}\left[ \frac{1}{\sqrt{2}}(|0010\rangle + |1111\rangle )_{TABE} \otimes |1\rangle _{B'} \right] \\&=\frac{1}{\sqrt{2}}(|0010\rangle + |1110\rangle )_{TABE} \otimes |1\rangle _{B'}\\&=|\phi ^{+}\rangle _{TA}|10\rangle _{BE}\otimes |1\rangle _{B'}.\\ \end{aligned} \end{aligned}$$
(14)

TP measures the qubit returned from Alice and his own qubit in the Bell basis for eavesdropping. According to Eqs. (13) and (14), Bob can pass the detection as Bob’s ancillary bit is always \(|0\rangle \) and he does not get any information of Alice from the ancillary qubit.

Case 3 When Alice selected M and Bob selected R, Alice measures the received qubit from TP in the Z basis and generates \(|A\rangle \) according to the measurement to be sent to TP, where \(|A\rangle \in \{|0\rangle _{A'}, |1\rangle _{A'}\} \). Similar to case 2, \(|\psi \rangle _1\) collapses to \((|0010\rangle + |1000\rangle )_{TABE} \) or \((|0101\rangle + |1111\rangle )_{TABE}\). Bob intercepts \(|A\rangle \) and performs the second CNOT gate operation on it and his ancillary qubit again. If Alice prepares \(|0\rangle _{A'}\), the state of the whole system after Bob carries out the second CNOT gate is

$$\begin{aligned} \begin{aligned} {|\psi }\rangle _{5}&=CNOT_{A'E}\otimes I_{TAB}\left[ |0\rangle _{A'}\otimes \frac{1}{\sqrt{2}}(|0010\rangle + |1000\rangle )_{TABE}\right] \\&=\left[ |0\rangle _{A'}\otimes \frac{1}{\sqrt{2}}(|0010\rangle + |1000\rangle )_{TABE}\right] ,\\ \end{aligned} \end{aligned}$$
(15)

but if Alice prepares \(|1\rangle _{A'}\), the state of the entire system should be

$$\begin{aligned} \begin{aligned} {|\psi }\rangle _{6}&=CNOT_{A'E}\otimes I_{TAB}\left[ |1\rangle _{A'}\otimes \frac{1}{\sqrt{2}}(|0101\rangle + |1111\rangle )_{TABE}\right] \\&=\left[ |1\rangle _{A'}\otimes \frac{1}{\sqrt{2}}(|0100\rangle + |1110\rangle )_{TABE}\right] .\\ \end{aligned} \end{aligned}$$
(16)

TP performs the Bell basis measurement on the qubit returned from Bob and his own qubit for eavesdropping. From Eqs. (15, 16), Alice makes a measurement and produces qubit \(|A\rangle \) that is consistent with the initial state sent by TP to Alice. At this time, Bob measures his ancillary qubit in the Z basis and the result is always \(|0\rangle \). Thus, he cannot distinguish Alice’s choice and get her secret in this case.

Case 4 When both Alice and Bob selected M, the state of the system \(|\psi \rangle _1\) will collapse to \(|0010\rangle _{TABE},|0101\rangle _{TABE},|1000\rangle _{TABE}\) or \(|1111\rangle _{TABE}\). Then Bob performs the second CNOT gate and the state of the whole system should be \(|0\rangle _{A'} |0010\rangle _{TABE}|1\rangle _{B'} \), \(|1\rangle _{A'} |0100\rangle _{TABE} |0\rangle _{B'} \), \(|0\rangle _{A'} |1000\rangle _{TABE} |0\rangle _{B'} \), or \(|1\rangle _{A'}|1110\rangle \) \(_{TABE} |1\rangle _{B'} \). Since Bob’s attack does not change the state of qubit owned by TP, Bob’s attack will not be discovered. In addition, Alice measures the qubit sent by the TP and generates the same qubit as the measurement result back to the TP. Therefore, Bob still cannot get any valuable information of Alice as his ancillary qubit is always \(|0\rangle \).

5.4 Entangle-measure attack

The entangle-measure attack means that Bob measures his ancillary qubits which are entangled with the qubits transmitted between Alice and TP by performing unitary operations to extract Alice’s secret information. Bob may perform two unitary operations, \(U_{1}\) and \(U_{2}\). The \(U_{1}\) operation is performed when Bob entangles his ancillary qubit with the qubit sent by TP to Alice. Similarly, the \(U_{2}\) operation is made on the intercepted qubit that Alice returns to TP and the ancillary qubit. The \(U_{1}\) can be described as

$$\begin{aligned} \begin{aligned}&U_1(|e\rangle _{E}|0\rangle )=a_{0} |g_{0}\rangle _{E}|0\rangle + a_{1}|g_{1}\rangle _{E}|1\rangle \\&U_1(|e\rangle _{E}|1\rangle )=b_{0} |h_{0}\rangle _{E}|0\rangle + b_{1}|h_{1}\rangle _{E}|1\rangle ,\\ \end{aligned} \end{aligned}$$
(17)

where \(|a_{0}|^2+|a_{1}|^2=1\), \(|b_{0}|^2+|b_{1}|^2=1 \), \(|e\rangle _E\) is an ancillary qubit of Bob, and \( \{|g_{0}\rangle \), \( |g_{1}\rangle \), \( |h_{0}\rangle \), \( |h_{1}\rangle \}\) are arbitrary states that are not necessarily orthogonal. Then \(U_2\) can be described as

$$\begin{aligned} \begin{aligned}&U_2(|g_{0}\rangle _{E}|0\rangle )=c_{0} |i_{0}\rangle _{E}|0\rangle + c_{1} |i_{1}\rangle _{E}|1\rangle \\&U_2(|g_{0}\rangle _{E}|1\rangle )=d_{0} |j_{0}\rangle _{E}|0\rangle + d_{1} |j_{1}\rangle _{E}|1\rangle \\&U_2(|g_{1}\rangle _{E}|0\rangle )=e_{0} |k_{0}\rangle _{E}|0\rangle + e_{1} |k_{1}\rangle _{E}|1\rangle \\&U_2(|g_{1}\rangle _{E}|1\rangle )=f_{0} |m_{0}\rangle _{E}|0\rangle + f_{1} |m_{1}\rangle _{E}|1\rangle \\&U_2(|h_{0}\rangle _{E}|0\rangle )=l_{0} |n_{0}\rangle _{E}|0\rangle + l_{1} |n_{1}\rangle _{E}|1\rangle \\&U_2(|h_{0}\rangle _{E}|1\rangle )=p_{0} |v_{0}\rangle _{E}|0\rangle + p_{1} |v_{1}\rangle _{E}|1\rangle \\&U_2(|h_{1}\rangle _{E}|0\rangle )=s_{0} |w_{0}\rangle _{E}|0\rangle + s_{1} |w_{1}\rangle _{E}|1\rangle \\&U_2(|h_{1}\rangle _{E}|1\rangle )=t_{0} |o_{0}\rangle _{E}|0\rangle + t_{1} |o_{1}\rangle _{E}|1\rangle ,\\ \end{aligned} \end{aligned}$$
(18)

where \(|c_{0}|^2+|c_{1}|^2=1\), \(|d_{0}|^2+|d_{1}|^2=1 \), \(|e_{0}|^2+|e_{1}|^2=1\), \(|f_{0}|^2+|f_{1}|^2=1 \), \(|l_{0}|^2\) \(+|l_{1}|^2=1\), \(|p_{0}|^2+|p_{1}|^2=1 \), \(|s_{0}|^2+|s_{1}|^2=1 \), \(|t_{0}|^2+|t_{1}|^2=1\), and \(\{ |i_{0}\rangle , |i_{1}\rangle \}\), \(\{|j_{0}\rangle , |j_{1}\rangle \}\), \(\{|k_{0}\rangle , |k_{1}\rangle \}\), \(\{|m_{0}\rangle ,|m_{1}\rangle \}\), \(\{|n_{0}\rangle , |n_{1}\rangle \}\), \(\{|v_{0}\rangle , |v_{1}\rangle \}\), \(\{ |w_{0}\rangle , |w_{1}\rangle \}\), \(\{|o_{0}\rangle ,|o_{1}\rangle \}\) are arbitrary states and not necessarily orthogonal. In step 1, TP generates \(|{\psi }\rangle _{TAB} \) and distributes these qubits into three sequences \( S_{T}\), \( S_{A}\), and \(S_{B}\). \( S_{T}\) is owned by TP, \( S_{A}\) is sent to Alice and \(S_{B}\) is sent to Bob. The state of the quantum system after Bob performs \(U_1\) operation on a qubit in \(S_{A}\) and his own ancillary qubit becomes

$$\begin{aligned} \begin{aligned} |\Psi \rangle _{1}=&(U_1\otimes I_{TB})(|e\rangle _E|{\psi }\rangle _{TAB}) \\ =&\frac{1}{{2}}(a_{0} |g_{0}\rangle |001\rangle + a_{1}|g_{1}\rangle |011\rangle +b_{0}|h_{0}\rangle |000\rangle + b_{1}|h_{1}\rangle |010\rangle \\&+a_{0} |g_{0}\rangle |100\rangle + a_{1}|g_{1}\rangle |110\rangle +b_{0}|h_{0}\rangle |101\rangle +b_{1}|h_{1}\rangle |111\rangle )_{ETAB}. \end{aligned} \end{aligned}$$
(19)

In step 2, after receiving each qubit, Alice and Bob randomly choose R or M and send the operated qubits to TP. Then Bob performs the \(U_2\) operation on the qubit returned by Alice and his ancillary qubit.

If both Alice and Bob select M, the state \(|\Psi \rangle _{1}\) collapses to \(|\psi \rangle _{1}, |\psi \rangle _{2}, |\psi \rangle _{3}\) or \(|\psi \rangle _{4}\) with equal probability, where \(|\psi \rangle _{1}=[(a_{0}|g_{0}\rangle |0\rangle +b_{0}|h_{0}\rangle |1\rangle )|01\rangle ]_{ETAB}\), \(|\psi \rangle _{2}=[(b_{1}|h_{1}\rangle |0\rangle +a_{1}|g_{1}\rangle |1\rangle )|10\rangle ]_{ETAB}\), \(|\psi \rangle _{3}=[(a_{0} |g_{0}\rangle |1\rangle +b_{0}|h_{0}\rangle |0\rangle )|00\rangle ]_{ETAB}\), and \(|\psi \rangle _{4}=[a_{1}|g_{1}\rangle |0\rangle + b_{1}|h_{1}\rangle |1\rangle )|11\rangle ]_{ETAB}\). For example, if Alice’s measurement result is \(|0\rangle \) and Bob’s measurement result is \(|1\rangle \), the state of the system collapses to \(|\psi \rangle _{1}\). Now the state of the qubit held by TP can be described by the following reduced density operator

$$\begin{aligned} \begin{aligned} \rho ^{T}=&tr_{EAB}(|\psi \rangle _{11}\langle \psi |)\\ =&tr_{E}(a_{0} |g_{0}\rangle |0\rangle \langle 0|\langle g_{0}| a_{0}^*)+tr_{E}(b_{0}|h_{0}\rangle |1\rangle \langle 1|\langle h_{0}| b_{0}^*)\\ =&|a_{0}|^2 |0\rangle \langle 0|+|b_{0}|^2 |1\rangle \langle 1|.\\ \end{aligned} \end{aligned}$$
(20)

When TP measures his qubit in the Z basis, he should get \(|0\rangle \) with certainty according to Eq. (11). Thus, we can obtain

$$\begin{aligned} \begin{aligned} P(|0\rangle )=&|a_{0}|^2=1,\\ P(|1\rangle )=&|b_{0}|^2=0.\\ \end{aligned} \end{aligned}$$
(21)

Based on Eqs. (20, 21), we can deduce

$$\begin{aligned} \begin{aligned} a_{0}=1, b_{0}=0. \end{aligned} \end{aligned}$$
(22)

Similarly, if the state collapses to \(|\psi \rangle _{2}, |\psi \rangle _{3}\) or \(|\psi \rangle _{4}\), we can get

$$\begin{aligned} \begin{aligned} a_{1}=0, b_{1}=1. \end{aligned} \end{aligned}$$
(23)

Thus, the operation \(U_1\) can be rewritten as

$$\begin{aligned} \begin{aligned}&U_1(|e\rangle _{E}|0\rangle )=a_{0} |g_{0}\rangle _{E}|0\rangle \\&U_1(|e\rangle _{E}|1\rangle )=b_{1}|h_{1}\rangle _{E}|1\rangle ,\\ \end{aligned} \end{aligned}$$
(24)

and the operation \(U_2\) can be rewritten as

$$\begin{aligned} \begin{aligned}&U_2(|g_{0}\rangle _{E}|0\rangle )=c_{0} |i_{0}\rangle _{E}|0\rangle + c_{1} |i_{1}\rangle _{E}|1\rangle \\&U_2(|g_{0}\rangle _{E}|1\rangle )=d_{0} |j_{0}\rangle _{E}|0\rangle + d_{1} |j_{1}\rangle _{E}|1\rangle \\&U_2(|h_{1}\rangle _{E}|0\rangle )=s_{0} |w_{0}\rangle _{E}|0\rangle + s_{1} |w_{1}\rangle _{E}|1\rangle \\&U_2(|h_{1}\rangle _{E}|1\rangle )=t_{0} |o_{0}\rangle _{E}|0\rangle + t_{1} |o_{1}\rangle _{E}|1\rangle ,\\ \end{aligned} \end{aligned}$$
(25)

where \(|c_{0}|^2+|c_{1}|^2=1\), \(|d_{0}|^2+|d_{1}|^2=1 \), \(|s_{0}|^2+|s_{1}|^2=1 \), \(|t_{0}|^2+|t_{1}|^2=1\), and \(\{ |i_{0}\rangle , |i_{1}\rangle \}\), \(\{|j_{0}\rangle , |j_{1}\rangle \}\), \(\{ |w_{0}\rangle , |w_{1}\rangle \}\), \(\{|o_{0}\rangle ,|o_{1}\rangle \}\) are arbitrary states that are not necessarily orthogonal. After Bob performs a unitary operation \(U_1\) on a qubit in \(S_{A}\) and his ancillary qubit, the entire system’s state should be

$$\begin{aligned} \begin{aligned} |\Psi \rangle _{2} =&(U_1\otimes I_{TB})(|e\rangle _E|{\psi }\rangle _{TAB}) \\ =&\frac{1}{{2}}(a_{0} |g_{0}\rangle |001\rangle +b_{1}|h_{1}\rangle |010\rangle +a_{0}|g_{0}\rangle |100\rangle + b_{1}|h_{1}\rangle |111\rangle )_{ETAB}. \end{aligned} \end{aligned}$$
(26)

If Alice selected M and Bob selected R, Alice measures the qubit sent by TP, generates a new qubit \(|0\rangle _{A'}\) or \(|1\rangle _{A'}\) according to the result, and the state of the system \(|\Psi \rangle _{2}\) collapses to \((|001\rangle + |100\rangle )_{TAB}\) or \((|010\rangle + |111\rangle )_{TAB} \). Suppose Alice prepares \(|0\rangle _{A'}\), the state of the whole system after Bob implements the operation \(U_2\) should be

$$\begin{aligned} |\Psi \rangle _{3}= & {} (U_2\otimes I_{TAB})(a_{0}|g_{0}\rangle |0\rangle |001\rangle + a_{0} |g_{0}\rangle |0\rangle |100\rangle )_{EA'TAB} \nonumber \\= & {} (a_{0}c_{0} |i_{0}\rangle |0\rangle |0\rangle |01\rangle +a_{0}c_{1} |i_{1}\rangle |1\rangle |0\rangle |01\rangle + a_{0}c_{0} |i_{0}\rangle |0\rangle |0\rangle |10\rangle \nonumber \\&+a_{0}c_{1}|i_{1}\rangle |1\rangle |0\rangle |10\rangle )_{EA'ATB} \nonumber \\= & {} \frac{1}{{\sqrt{2}}}\left[ \begin{array}{ll} &{}a_{0}c_{0} |i_{0}\rangle |0\rangle |0\rangle (|\varphi ^{+}\rangle +|\varphi ^{-}\rangle ) +a_{0} c_{1}|i_{1}\rangle |1\rangle |0\rangle (|\varphi ^{+}\rangle +|\varphi ^{-}\rangle )\\ &{}+a_{0}c_{0} |i_{0}\rangle |0\rangle |0\rangle (|\varphi ^{+}\rangle -|\varphi ^{-}\rangle )+a_{0} c_{1}|i_{1}\rangle |1\rangle |0\rangle (|\varphi ^{+}\rangle -|\varphi ^{-}\rangle )\\ \end{array}\right] _{EA'ATB} \nonumber \\= & {} \frac{1}{{\sqrt{2}}}\left( \begin{array}{ll} &{}a_{0}c_{0} |i_{0}\rangle |0\rangle |0\rangle |\varphi ^{+}\rangle +a_{0}c_{0} |i_{0}\rangle |0\rangle |0\rangle |\varphi ^{-}\rangle \\ &{}+a_{0} c_{1}|i_{1}\rangle |1\rangle |0\rangle |\varphi ^{+}\rangle +a_{0} c_{1}|i_{1}\rangle |1\rangle |0\rangle |\varphi ^{-}\rangle \\ &{}+a_{0}c_{0} |i_{0}\rangle |0\rangle |0\rangle |\varphi ^{+}\rangle -a_{0}c_{0} |i_{0}\rangle |0\rangle |0\rangle |\varphi ^{-}\rangle \\ &{}+a_{0} c_{1}|i_{1}\rangle |1\rangle |0\rangle |\varphi ^{+}\rangle -a_{0} c_{1}|i_{1}\rangle |1\rangle |0\rangle |\varphi ^{-}\rangle \end{array}\right) _{EA'ATB}. \end{aligned}$$
(27)

In this case, the state of the qubit held by TP and the qubit sent back by Bob is

$$\begin{aligned} \rho ^{TB}= & {} tr_{EA'A}(|\Psi \rangle _{33}\langle \Psi |)\nonumber \\= & {} \frac{1}{2}\left[ \begin{array}{ll} &{}tr_{EA'A}(a_{0}c_{0} |i_{0}\rangle |0\rangle |0\rangle |\varphi ^{+}\rangle \langle \varphi ^{+}|\langle i_{0}|\langle 0|\langle 0|a_{0}^*c_{0}^*)+tr_{EA'A}(a_{0}c_{0}|i_{0}\rangle |0\rangle |0\rangle |\varphi ^{-}\rangle \\ {} &{}\langle \varphi ^{-}|\langle i_{0}|\langle 0|\langle 0|a_{0}^*c_{0}^*)+tr_{EA'A}(a_{0} c_{1}|i_{1}\rangle |1\rangle |0\rangle |\varphi ^{+}\rangle \langle \varphi ^{+}|\langle i_{1}|\langle 1|\langle 0|a_{0}^*c_{1}^*)\\ &{}+tr_{EA'A}(a_{0} c_{1}|i_{1}\rangle |1\rangle |0\rangle |\varphi ^{-}\rangle \langle \varphi ^{-}|\langle i_{1}|\langle 1|\langle 0|a_{0}^*c_{1}^*)+tr_{EA'A}((a_{0}c_{0} |i_{0}\rangle |0\rangle |0\rangle |\varphi ^{+}\rangle \\ {} &{}\langle \varphi ^{+}|\langle i_{0}|\langle 0|\langle 0|a_{0}^*c_{0}^*)-tr_{EA'A}(a_{0}c_{0}|i_{0}\rangle |0\rangle |0\rangle |\varphi ^{-}\rangle \langle \varphi ^{-}|\langle i_{0}|\langle 0|\langle 0|a_{0}^*c_{0}^*)\\ &{}+tr_{EA'A}(a_{0} c_{1}|i_{1}\rangle |1\rangle |0\rangle |\varphi ^{+}\rangle \langle \varphi ^{+}|\langle i_{1}|\langle 1|\langle 0|a_{0}^*c_{1}^*)-tr_{EA'A}(a_{0} c_{1}|i_{1}\rangle |1\rangle |0\rangle |\varphi ^{-}\rangle \\ &{}\langle \varphi ^{-}|\langle i_{1}|\langle 1|\langle 0|a_{0}^*c_{1}^*)\\ \end{array}\right] \nonumber \\= & {} \frac{1}{2}\left[ \begin{array}{ll} &{}(|a_{0}c_{0}|^2+|a_{0}c_{1}|^2+|a_{0}c_{0}|^2+|a_{0}c_{1}|^2)|\varphi ^{+}\rangle \langle \varphi ^{+}|\\ &{}+(|a_{0}c_{0}|^2+|a_{0}c_{1}|^2-|a_{0}c_{0}|^2-|a_{0}c_{1}|^2)|\varphi ^{-}\rangle \langle \varphi ^{-}|\\ \end{array}\right] . \end{aligned}$$
(28)

TP checks whether there is eavesdropping at this time by performing the Bell basis measurement on the qubit returned by Bob and his own qubit. Only when TP gets \(|\phi ^-\rangle \) or \(|\varphi ^-\rangle \) with probability 0 and \(|\phi ^+\rangle \) or \(|\varphi ^+\rangle \) with probability 1/2, Bob’s attack cannot be detected. Therefore, the equation below must hold true

$$\begin{aligned} \begin{aligned} P(|\varphi ^-\rangle )=&\frac{1}{2}\left( |a_{0}c_{0}|^2+|a_{0}c_{1}|^2-|a_{0}c_{0}|^2-|a_{0}c_{1}|^2\right) =0,\\ P(|\varphi ^+\rangle )=&\frac{1}{2}\left( |a_{0}c_{0}|^2+|a_{0}c_{1}|^2+|a_{0}c_{0}|^2+|a_{0}c_{1}|^2\right) =\frac{1}{2}.\\ \end{aligned} \end{aligned}$$
(29)

In terms of Eqs. (22, 23), it can be deduced that

$$\begin{aligned} \begin{aligned} |c_{0}|^2+|c_{1}|^2=\frac{1}{2}. \end{aligned} \end{aligned}$$
(30)

Similarly, if Alice prepares \(|1\rangle _{A'}\), the state of the whole system after Bob implements the operation \(U_2\) should be

$$\begin{aligned} |\Psi \rangle _{4}= & {} (U_2\otimes I_{TAB})(b_{1} |h_{1}\rangle |1\rangle |010\rangle + b_{1} |h_{1}\rangle |1\rangle |111\rangle )_{EA'TAB} \nonumber \\= & {} (b_{1} t_{0}|o_{0}\rangle |0\rangle |1\rangle |00\rangle +b_{1} t_{1}|o_{1}\rangle |1\rangle |1 \rangle |00\rangle + b_{1}t_{0}|o_{0}\rangle |0\rangle |1\rangle |11\rangle \nonumber \\&+b_{1}t_{1}|o_{1}\rangle |1\rangle |1\rangle |11\rangle )_{EA'ATB} \nonumber \\= & {} \frac{1}{{\sqrt{2}}}\left[ \begin{array}{ll} &{}b_{1} t_{0}|o_{0}\rangle |0\rangle |1\rangle (|\phi ^{+}\rangle +|\phi ^{-}\rangle ) +b_{1} t_{1}|o_{1}|1\rangle |1\rangle (|\phi ^{+}\rangle +|\phi ^{-}\rangle )\\ {} &{}+b_{1} t_{0}|o_{0}\rangle |0\rangle |1\rangle (|\phi ^{+}\rangle -|\phi ^{-}\rangle )+b_{1}t_{1}|o_{1}\rangle |1\rangle |1\rangle (|\phi ^{+}\rangle -|\phi ^{-}\rangle )\\ \end{array}\right] _{EA'ATB} \nonumber \\= & {} \frac{1}{{\sqrt{2}}}\left( \begin{array}{ll} &{}b_{1} t_{0}|o_{0}\rangle |0\rangle |1\rangle |\phi ^{+}\rangle +b_{1} t_{0}|o_{0}\rangle |0\rangle |1\rangle |\phi ^{-}\rangle \\ &{}+b_{1} t_{1}|o_{1}\rangle |1\rangle |1\rangle |\phi ^{+}\rangle +b_{1} t_{1}|o_{1}\rangle |1\rangle |1\rangle |\phi ^{-}\rangle \\ &{}+b_{1}t_{0}|o_{0}\rangle |0\rangle |1\rangle |\phi ^{+}\rangle -b_{1}t_{0}|o_{0}\rangle |0\rangle |1\rangle |\phi ^{-}\rangle \\ &{}+b_{1}t_{1}|o_{1}\rangle |1\rangle |1\rangle |\phi ^{+}\rangle -b_{1}t_{1}|o_{1}\rangle |1\rangle |1\rangle |\phi ^{-}\rangle \end{array}\right) _{EA'ATB}. \end{aligned}$$
(31)

In this case, \(\rho ^{TB}\) should be

$$\begin{aligned} \rho ^{TB}= & {} tr_{EA'A}(|\Psi \rangle _{44}\langle \Psi |) \nonumber \\= & {} \frac{1}{2}\left[ \begin{array}{ll} &{}tr_{EA'A}(b_{1} t_{0}|o_{0}\rangle |0\rangle |1\rangle |\phi ^{+}\rangle \langle \phi ^{+}|\langle o_{0}|\langle 0|\langle 1|b_{1}^*t_{0}^*)+tr_{EA'A}(b_{1} t_{0}|o_{0}\rangle |0\rangle |1\rangle |\phi ^{-}\rangle \\ &{}\langle \phi ^{-}|\langle o_{0}|\langle 0|\langle 1|b_{1}^*t_{0}^*)+tr_{EA'A}(b_{1} t_{1}|o_{1}\rangle |1\rangle |1\rangle |\phi ^{+}\rangle \langle \phi ^{+}|\langle o_{1}|\langle 1|\langle 1|b_{1}^*t_{1}^*)\\ &{}+tr_{EA'A}(b_{1} t_{1}|o_{1}\rangle |1\rangle |1\rangle |\phi ^{-}\rangle \langle \phi ^{-}|\langle o_{1}|\langle 1|\langle 1|b_{1}^*t_{1}^*+tr_{EA'A}(b_{1} t_{0}|o_{0}\rangle |0\rangle |1\rangle |\phi ^{+}\rangle \\ &{} \langle \phi ^{+}|\langle o_{0}|\langle 0|\langle 1|b_{1}^*t_{0}^*)-tr_{EA'A}(b_{1}t_{0}|o_{0}\rangle |0\rangle |1\rangle |\phi ^{-}\rangle \langle \phi ^{-}|\langle o_{0}|\langle 0|\langle 1|b_{1}^*t_{0}^*)\\ &{}+tr_{EA'A}(b_{1}t_{1}|o_{1}\rangle |1\rangle |1\rangle |\phi ^{+}\rangle \langle \phi ^{+}|\langle o_{1}|\langle 1|\langle 1|b_{1}^*t_{1}^*)-tr_{EA'A}(b_{1}t_{1}|o_{1}\rangle |1\rangle |1\rangle |\phi ^{-}\rangle \\ &{}\langle \phi ^{-}|\langle o_{1}|\langle 1|\langle 1|b_{1}^*t_{1}^*)\\ \end{array}\right] \nonumber \\= & {} \frac{1}{2}\left[ \begin{array}{ll} &{}(|b_{1}t_{0}|^2+|b_{1}t_{1}|^2+|b_{1}t_{0}|^2+|b_{1}t_{1}|^2)|\phi ^{+}\rangle \langle \phi ^{+}|\\ &{}+(|b_{1}t_{0}|^2+|b_{1}t_{1}|^2-|b_{1}t_{0}|^2-|b_{1}t_{1}|^2)|\phi ^{-}\rangle \langle \phi ^{-}|\\ \end{array}\right] . \end{aligned}$$
(32)

TP measures his qubit and Bob’s qubit in the Bell basis to detect eavesdropping. When TP obtains \(|\phi ^-\rangle \) or \(|\varphi ^-\rangle \) with the probability of 0 and acquires \(|\phi ^+\rangle \) or \(|\varphi ^+\rangle \) with the probability of 1 after the measurement, Bob’s attack cannot be discovered. As a result, Eq. (33) must be correct

$$\begin{aligned} \begin{aligned} P(|\phi ^-\rangle )=&\frac{1}{2}(|b_{1}t_{0}|^2+|b_{1}t_{1}|^2-|b_{1}t_{0}|^2-|b_{1}t_{1}|^2)=0,\\ P(|\phi ^+\rangle )=&\frac{1}{2}(|b_{1}t_{0}|^2+|b_{1}t_{1}|^2+|b_{1}t_{0}|^2+|b_{1}t_{1}|^2)=\frac{1}{2}.\\\\ \end{aligned} \end{aligned}$$
(33)

In terms of Eqs. (22, 23), we can get

$$\begin{aligned} \begin{aligned} |t_{0}|^2+|t_{1}|^2=\frac{1}{2}. \end{aligned} \end{aligned}$$
(34)

According to Eq. (24), it can be inferred that after \(U_1\) operation, Bob’s ancillary qubits and Alice’s qubits are independent and have no entanglement relationship, thus Bob cannot get Alice’s information by measuring \( |g_{0}\rangle \) or \( |h_{1}\rangle \). Based on Eqs. (30, 34), it is obvious they contradict with the initial assumptions \(|c_{0}|^2+|c_{1}|^2=1\) and \(|t_{0}|^2+|t_{1}|^2=1\) and such \(U_2\) operation does not exist if Bob does not want to be detected. Then we can conclude that the proposed improved protocol is robust against the entangle-measure attack.

5.5 TP attack

Although the semi-honest TP cannot be allowed to collaborate with any participant, he may gather as much information about both participants as possible for learning the secrets of Alice or Bob. In step 3, TP can obtain \(MA_{i}\) and \(MB_{i}\) according to measuring the qubit returned by Alice and Bob. In step 4, Alice and Bob publish \(RA_{j}\) and \(RB_{j}\), respectively. TP compares \( P_{j}= RA_{j} \oplus RB_{j}\oplus MA_{i} \oplus MB_{i}= x_{j} \oplus y_{j} \). Even though he obtains \(MA_{i}\), \(MB_{i}\), \(RA_{j}\) and \(RB_{j}\), the secrets of participants are still unknown to him since TP has no knowledge about the \(K_{AB}\) shared by two participants.

6 Conclusion

In this paper, the SQPC protocol proposed by Yan et al [35] has been shown to be vulnerable to the double CNOT attack, by which a malicious attacker is possible to steal one of the honest participant’s secret bits without being detected. To effectively resist the double CNOT attack, an improved protocol has been put forward with no need to strengthen the ability of participants. In addition, the proposed improved protocol has also been proved to be secure against some typical attacks such as intercept-resend attack, measure-resend attack, and entangle-measure attack. But standard security analysis of semi-quantum protocols remains challenging and deserves further investigation.