Loss-tolerant quantum multi-party key agreement without quantum storage

Chun-Yan Wei; Xiao-Qiu Cai; Shao-Long Huang; Xiao-Lin Lang; Tian-Yin Wang; Tian-Yin Wang

doi:10.1364/OE.471164

1. Introduction

Key establishment is of vital importance to secure communication. It has two main branches, key distribution and key agreement. The key in the former can be determined by one participant and then distributed to others while in the latter it is determined by all participants. Concretely, key distribution should satisfy the following two properties.

(1) Correctness. At the end of the protocol, all participants obtain an identical key;

(2) Security. No outside eavesdropper can obtain any information about the key.

As to key agreement, it should not only be secure against outside eavesdropping but also be immune to participant attack, that is, it should satisfy one more requirement called “fairness”.

(3) Fairness. All participants equally contribute to the shared key, and any nontrivial subset of the participants cannot predetermine the key alone.

Owing to this property, key agreement has been widely used in multiparty secure computations, access control, electronic auctions, and so on.

Many protocols for key establishment have been proposed in classical cryptography. However, the security of classical cryptographic protocols generally relies on the assumption of computational complexity. With the progress in computation capability, especially with the rapid development of quantum computation [1,2], the security of classical cryptographic protocols faces severe challenges. Luckily, this drawback can be settled in quantum cryptography whose security is guarded only by the principles of quantum mechanics. The pioneer work was given in 1984 by Bennett and Brassard [3], who proposed the first quantum key distribution (QKD) protocol. Different from its classical counterparts, the security of QKD is assured by physical laws, that is, any eavesdropping can be detected because it would disturb the transmitted carrier states, so QKD can achieve the information-theoretic security in theory. Since then on, the research of QKD has achieved great progress in both theory and experiment. As the most mature quantum technology, QKD has realized commercial applications in government/enterprise networks, infrastructure construction, and so on.

In contrast with QKD, the research of quantum key agreement (QKA) started much later. In 2004, Zhou et al. [4] presented the first QKA protocol with quantum teleportation and maximally entangled states. However, Tsai and Hwang [5] pointed out that this protocol is not fair, that is, one participant can fully determine the shared key alone without being detected. In 2011, Chong et al. [6] presented a QKA protocol based on BB84 QKD protocol in which delayed measurement and certain unitary operations are utilized. In 2014, to deal with the collective noise, Huang et al. [7] presented a QKA protocol based on entangled states. In 2016, He et al. [8] gave a QKA protocol based on four-particle entangled states. All of these protocols are limited to the two-party cases.

In 2012, Shi and Zhong [9] proposed the first multi-party quantum key agreement (MQKA) protocol by exploiting EPR pairs and entanglement swapping. Subsequently, Liu et al. [10] pointed out that this protocol is not fair because a dishonest participant can totally determine the shared key, and then they gave a secure MQKA protocol with single particles and single-particle measurements. In 2014, Xu et al. [11] presented a MQKA protocol based on GHZ states. In 2016, Huang et al. [12] proposed a MQKA protocol with EPR states. In recent years, many MQKA protocols have been proposed based on two transmission modes, i.e., the distributed mode [10,13] and the traveling mode [9,12,14–22]. In both modes the shared key is generally a function result (usually the sum) of $m$ participants’ secrets. Concretely, the two modes work as follows.

(1) In the distributed mode [10,13], each participant sends every other participant a carrier sequence which carries his/her secret and also contains some randomly inserted decoy states. After all participants have received the sequences from others, they measure the decoy states to check the outside eavesdropping and inside cheating, and then measure the carrier states to obtain other participants’ secrets. Finally, each participant uses the received secrets and his/her own secret to compute the shared key.

(2) In the traveling mode [9,12,14–22], each participant prepares one carrier sequence and pass it to other participants so that each receiver can encodes his/her secret on it with corresponding unitary operators in turn, and finally the sequences will be sent back to the initial sender. After all participants have received their own sequences, each participant selects some carrier states in these sequences to check the outside eavesdropping and inside cheating, then measures his/her own sequence, and finally computes the shared key with the measurement output and his/her own secret.

The traveling-mode protocols are generally more efficient than the distributed-mode ones because the transmitted carrier qubits in the former are greatly less than that of the latter. However, in 2016, Liu et al. [23] pointed out that many traveling mode protocols cannot resist a special collude attack of two participants at specific positions. Recently, Lin et al. [20] also presented a new collusion attack which can break the fairness of the traveling-mode protocols in which each participant uses one specific operation or correlated operations to encode his/her secret on the traveling qubits, and then gave a new protocol which can resist this kind of attack by exploiting EPR pairs and hash function.

Though many QKA protocols have been proposed, scarcely any of them is really practical, far behind the research of QKD. The main reason is that QKA needs to resist not only the outside eavesdropping but also the participant cheating. As we know, resisting dishonest participant is more difficult than resisting outside eavesdropping [24–26], especially with the imperfect implementation apparatuses (e.g., unideal light source [27], noisy channel [28]). Actually, most QKA protocols need to utilize various entangled states, but high-quality entangled states are difficult to acquire today. Though some protocols exploiting single qubits have been proposed, they are still impractical owing to the inevitable channel loss or the lack of mature quantum technique, such as stable quantum storage.

First of all, existing QKA protocols generally cannot tolerate the channel loss. Without loss of generality, suppose the shared key is the sum of $m$ participants’ secrets, then each final key bit is the sum of $m$ corresponding bits from the $m$ participants’ secrets, therefore there are generally $m(m-1)$ carrier states ($m$ carrier states) contributing to this final bit in the distributed (traveling) mode protocol. If any of them is lost, this final key bit will not be shared successfully, which happens with a significant probability with present technology especially when $m$ is large. The participants have to transmit quite many qubits to share a key of certain length, so the efficiency will be unsatisfactory. Worse yet, in the traveling mode the dishonest participants may tell a lie that some carrier states are lost when they use for example Lin et al.’s collusion attack [20] and find the final key bits generated by these carrier states are not favored, so that these bits can be deleted from the shared key. So the inevitable channel loss not only reduces the communication efficiency but also hurts the fairness of MQKA protocols.

Second, the participants in existing QKA protocols are required to have the capability of storing carrier states for some period, which is infeasible with current technology. All of the participants in existing protocols, no matter in the distributed mode or in the traveling mode, have to store the carrier states until the eavesdropping checking is finished and the correct measurement bases are revealed so that they can measure the carrier states with correct bases to obtain an identical shared key finally. Lack of stable quantum storage has become one of the main challenges in the design of practical QKA protocols.

To solve the above problems, we propose a practical MQKA protocol based on the technique of error-correcting code (ECC). It uses only single qubits and X or Z measurement. Owing to the use of ECC, the participants in our protocol can measure the received qubits in X or Z basis immediately without storing them, that is, it removes the requirement of quantum storage. On the other hand, our protocol uses only the qubits which have transmitted successfully to carry the secrets (those lost ones carry no information and can be disregarded directly), so it is loss-tolerant and hence more efficient and secure. Moreover, our protocol can discriminate participants’ cheating with outside eavesdropping. Note that previous MQKA protocols generally check these two attacks simultaneously via decoy states but cannot discriminate them. Dishonest participant may attribute the errors he/she introduces on outside eavesdropping to keep good reputation or escape punishment. As our protocol can recognize the participants’ cheating, dishonest participant generally will not cheat at the cost of losing good reputation, so our protocol is more secure and fair.

The rest of this paper is organized as follows. In Sec. 2, we describe our MQKA protocol in details. Then we discuss its features and analyze the security in Secs. 3 and 4, respectively. Finally, we conclude in Sec. 5.

2. Protocol

Suppose that $m$ participants $P_0$, $P_1$, $\cdots$, $P_{m-1}$ want to agree on a secure $k$-bit key. To remove the quantum storage, a public $[n,k,d]$ error-correcting code is introduced to encode the participants’ secrets (the choice of $n$ and $d$ will be discussed later), so that each participant in our protocol can measure the received qubits immediately (without storing them) in two conjugate bases with biased probabilities. The concrete protocol is as follows (see Fig. 1 for a sketchy flowchart).

Fig. 1. The sketchy flowchart about how to exchange secrets between any two different participants $P_i$ and $P_j$.

Download Full Size | PDF

(1) Each participant $P_i$ randomly selects a $k$-bit key $K_i$ as his/her secret, then uses the $[n,k,d]$ error-correcting code to encode $K_i$ into one $n$-bit codeword $C_i$.

(2) Each participant $P_i$ sends a qubit sequence $S_{ij}$ to participant $P_j$ for $j=1,2, \ldots,i-1, i+1,\ldots, m$, where each qubit is randomly in one of the states $\{|0\rangle,|1\rangle,|+\rangle,|-\rangle \}$. Here,

(1)$$|+\rangle=\frac{1}{\sqrt{2}}(|0\rangle+|1\rangle),\quad |-\rangle=\frac{1}{\sqrt{2}}(|0\rangle-|1\rangle).$$

(3) All participants measures the received qubits in Z-basis with probability $1-p$ or in X-basis with probability $p$, where $p$ is slightly smaller than $d/2n$. Then they drop the qubits which are not detected successfully.

(4) For each sequence $S_{ij}$, $P_i$ randomly selects some qubits from it and asks $P_j$ to announce corresponding measurement outputs. If $P_i$ finds that $P_j$’s announcement conflicts with the initial states of these qubits, he/she aborts the protocol.

(5) They discard the checking qubits. Then in each sequence $S_{ij}$ ($i,j=1,2,\ldots,m$ and $j\neq i$), $P_i$ selects $n$ carrier qubits to record his/her codeword $C_i=c_{i1}c_{i2}\cdots c_{in}$. Concretely, for $k=1,2\cdots,n$, $P_i$ selects the $k$-th carrier qubit in state $|0\rangle$ ($|1\rangle$) when $c_{ik}=0$ (1), and if $t_k$ is the position of the $k$-th carrier qubit in sequence $S_{ij}$,

(2)$$t_1<t_2<\cdots<t_n$$

should be satisfied. $P_i$ records the positions of these $n$ carrier qubits and asks $P_j$ to discard other qubits sent in $Z$-basis. Then in each sequence $S_{ij}$, there are $n$ carrier qubits (sent in Z-basis) carrying $P_i$’s secret, and all of the remaining qubits are sent in X-basis (which will be used as test qubits to detect participants’ cheating).

(6) After all participants have finished step (5), for each sequence $S_{ij}$ ($i,j=1,2,\ldots,n$ and $j\neq i$), $P_i$ announces the positions and the initial states of the test qubits in this sequence, then $P_j$ checks $P_i$’s honesty by comparing $P_i$’s announcement with his/her own measurement outputs of the test qubits. If any mismatch occurs, the protocol aborts.

(7) Each participant $P_i$ records his/her measurement outputs of the $n$ carrier qubits in sequence $S_{ji}$ ($j=1,2,i-1\cdots,i+1,m$) with one $n$-bit string $C_j'=c'_{j1}c'_{j2}\cdots c'_{jn}$, that is, $c'_{ji}=0$ (1) if the measurement output of the $i$-th carrier qubit is $|0\rangle$ or $|+\rangle$ ($|1\rangle$ or $|-\rangle$). Note that the $n$ carrier qubits sent in Z-basis are measured in Z-basis with probability $1-p$ and in X-basis with probability $p$, so $C'_j$ will have on average $n\times p/2$ and at most $n\times p$ different bits (i.e., errors in the perspective of ECC) with the codeword $C_j$. As $p<\frac {d}{2n}$, these errors can be corrected by the $[n,k,d]$ code, so $P_i$ can successfully recover the codeword $C_j$ and the secret $K_j$ of the participant $P_j$.

(8) Each participant $P_i$ computes the finally key $K=K_1 \oplus K_2 \oplus \cdots \oplus K_m$.

3. Features and parameters

3.1 Example

We now give a simplified example with $m=3$ and $k=12$, that is, 3 participants $P_0$, $P_1$ and $P_2$ cooperate to share a $12$-bit final key. Suppose they use the $[23,12,7]$ code whose generation matrix is $G=(I_{12}, P)$, where $I_{12}$ is the identity matrix of order 12 and

(3)$$P= \begin{pmatrix} 0 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \quad 1 \\ 1 & 1 & 1 & 0 & 1 & 1 & 1 & 0 & 0 & 0 \quad1 \\ 1 & 1 & 0 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \quad0 \\ 1 & 0 & 1 & 1 & 1 & 0 & 0 & 0 & 1 & 0\quad 1 \\ 1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 & 0 & 1\quad1\\ 1 & 1 & 1 & 0 & 0 & 0 & 1 & 0 & 1 & 1 \quad0\\ 1 & 1 & 0 & 0 & 0 & 1 & 0 & 1 & 1 & 0\quad 1\\ 1 & 0 & 0 & 0 & 1 & 0 & 1 & 1 & 0 & 1\quad1\\ 1 & 0 & 0 & 1 & 0 & 1 & 1 & 0 & 1 & 1\quad1\\ 1 & 0 & 1 & 0 & 1 & 1 & 0 & 1 & 1 & 1\quad0\\ 1 & 1 & 0 & 1 & 1 & 0 & 1 & 1 & 1 & 0\quad0\\ 1 & 0 & 1 & 1 & 0 & 1 & 1 & 1 & 0 & 0\quad 0 \end{pmatrix}.$$

The parity check matrix of this code is $H=(P^{T} , I_{11})$. Here, $\frac {d}{2n}\approx 0.152$ and hence they can set $p=0.13$. Suppose $P_0$, $P_1$ and $P_2$ select the secrets

(4) $$K_0=001000110110, K_1=100101100010, K_2=110100100100,$$

respectively. Then $K_0$ will be encoded to the codeword

(5) $$C_0=K_0G=00100011011011100100110.$$

Therefore, the carrier states carrying $C_0$ in the sequences $S_{01}$ and $S_{02}$ transmitted by $P_0$ will be

(6)$$|0\rangle|0\rangle|1\rangle|0\rangle|0\rangle|0\rangle|1\rangle|1\rangle|0\rangle|1\rangle|1\rangle|0\rangle|1\rangle|1\rangle|1\rangle|0\rangle|0\rangle|1\rangle|0\rangle|0\rangle|1\rangle|1\rangle|0\rangle.$$

Note that the receivers $P_1$ and $P_2$ will measure them in Z-basis with probability $1-p=0.87$ and in X-basis with probability 0.13. Without loss of generality, suppose $P_1$’s measurement outputs of the carrier qubits in $S_{01}$ is

(7)$$|0\rangle|0\rangle|1\rangle|0\rangle|0\rangle|0\rangle|1\rangle|1\rangle|0\rangle|1\rangle{\color{red}{|+\rangle}}|0\rangle|1\rangle|1\rangle|1\rangle|0\rangle{\color{red}{|-\rangle}}|1\rangle|0\rangle{\color{red}{|+\rangle}}|1\rangle|1\rangle|0\rangle,$$

then he/she can record the measurement outputs of these carrier qubits in step(7) as

(8)$$C'_0=0010001101{\color{red}{0}}01110{\color{red}{1}}100110.$$

That is, $P_1$ measure 3 carrier qubits (the red ones in Eq. (7)) with X basis, which introduces two errors (the red bits in Eq. (8)) in the codeword $C'_0$. Then $P_1$ computes $H{C'_0}^{\bot }$ to determine the two erroneous bits and recover the correct codeword $C_0$ as well as the secret $K_0$. Similarly, $P_2$ can also record the measurement outputs of the carrier qubits in sequence $S_{02}$ and correct the errors within it to recover $K_0$. In this way, $P_0$, $P_1$ and $P_2$ can elicit the two other participants’ secrets correctly and finally obtain the shared key

(9)$$K=K_0\oplus K_1 \oplus K_2=011001110000.$$

3.2 Correctness

If all participants execute the protocol honestly, they can share an identical final key $K_1 \oplus K_2 \oplus \cdots \oplus K_m$. Each $k$-bit secret in our protocol is encoded into one $n$-bit codeword and is carried on $n$ carrier qubits. The $[n,k,d]$ code can correct no more than $\lfloor \frac {d-1}{2}\rfloor$ errors. As $P_i$ measures the $n$ carrier qubits in correct basis with probability $1-p$, and in conjugate basis with probability $p$, so the measurement output $C'_j$ in step (7) will have on average $d_a=np/2$ and at most $d_m=np$ different bits with the codeword $C_j$. As $p<\frac {d}{2n}$, $C'_j$ will have no larger than $\lfloor \frac {d-1}{2}\rfloor$ errors from $C_j$, which clearly can be corrected via ECC (See Fig. 2).

Fig. 2. The relationship between the codeword $C_j$ and the measurement output $C'_j$. The central black dot represents the codeword $C_j$, and the blue span represents the domain of $n$-bit strings which have distance no larger than $d$ from $C_j$. The green span represents the domain of $n$-bit strings which have distance no larger than $R=\lfloor \frac {d-1}{2}\rfloor$ from $C_j$, and all strings within this span can be corrected to the codeword $C_j$ according to the $[n,k,d]$ code. The measurement output $C'_j$ in step (7) will have distance on average $d_a=n\times \frac {p}{2}$ and at most $d_m=n\times p$ from $C_j$, where $d_m$ is slightly smaller than $R$ because $p$ is slightly smaller than $\frac {d}{2n}$. Therefore, $C'_j$ will locate within the yellow span which is contained in the green span, so $C'_j$ would be corrected to $C_j$ and the secret $K_j$ will be elicited correctly.

Download Full Size | PDF

For example, suppose that they wants to share a 64-bit final key, then they can set $n=376$, $d=94$ and $p=0.1<\frac {d}{2n}$ (we will show that the [376,64,94] code is easy to acquire below). As the $n$ carrier qubits are measured with correct basis with probability $1-p$, and with the conjugate basis with probability $p$, so the number of errors in the $C'_j$ will be on average $n\times p/2=19$ and at most $n\times p=38$ in the worst case. Note that the utilized $[376, 64, 94]$ code can correct no more than 46 errors, so the errors in the $C'_j$ can be corrected and the correct secret $K_j$ can be elicited. Therefore, if all participants execute the protocol honestly, they can share an identical final key.

3.3 Capacity of loss-tolerance

Channel loss is inevitable in quantum transmission with current technology, but previous MQKA protocols generally cannot tolerate it. On one hand, each final key bit is generated by at least $m$ corresponding bits of the $m$ participants’ secrets. Even when only one qubit carrying one of these $m$ bits is lost, this final key bit cannot be shared successfully among all of the $m$ participants. On the other hand, in the traveling mode when dishonest participants use for example Lin et al.’s collusion attack [20] and find some final key bits are not favored ones, he/she can announce that the qubits contributing to them are lost, so that a more favored final key can be obtained. Luckily, our protocol can tolerate the channel loss because the participant $P_i$ encodes his/her secret only on the successfully detected qubits, and those lost ones can be discarded directly before that. Therefore, dishonest participant cannot tell a lie to obtain a more favored final key.

3.4 Removing the requirement of quantum storage

Our protocol can eliminate the requirement of quantum storage. The participants in previous QKA protocols generally needs stable quantum storage to store the qubits till some moment (e.g., after the decoy states are checked and/or correct measurement bases are revealed). However, stable and long-term quantum storage is out of reach with current technology. To solve this problem, we introduce the ECC to encode the secrets, which allows participants to measure the qubits immediately, without storing them. Concretely, eliminating the quantum storage can be achieved by the ECC for the following two reasons.

• As analyzed in Sec. 3.2, the correctness of our protocol is assured by the $[n,k,d]$ code though the qubits are measured immediately without storage and some of them are measured in incorrect bases.
• The security of our protocol is assured because each participant is allowed to select one of the two conjugate bases (though with different probabilities) to measure the received qubits immediately. As a result, outside eavesdropping and participant cheating can still be detected by the comparison of transmitted qubits and corresponding measurement outputs in steps (4) and (6), respectively.

3.5 Recognition of participants’ cheating

Our protocol can discriminate certain participants’ cheating with outside eavesdropping, and thus can find the dishonest participants. Previous QKA protocols generally utilize the decoy states to check outside eavesdropping and participants’ cheating simultaneously. That is, they can detect both of them but cannot discriminate them. In this case, a dishonest participant may cheat and attribute the errors he/she introduces on outside eavesdropping to keep good reputation or escape punishment. In our protocol, for each transmitted qubit sequence, the sender $P_i$ checks the outside eavesdropping with the help of the receiver in step (4), and aborts the protocol if he/she finds any mismatch. Then $P_j$ knows that $P_i$ is cheating if he/she finds some errors in $P_i$’s announcement in step (6) because $P_i$ himself/herself have confirmed in step (4) that there is no outside eavesdropping.

3.6 Choice of $n$ and $d$

We now discuss the choice of $n$, $d$ and their influence on the security and efficiency. Obviously, with the increase of key length $k$, the scale of the $[n,k,d]$ code generally will increase, then how to efficiently generate a suitable large-scale error-correcting code? According to the theory of error-correcting codes [29], a random binary generation matrix of size $k\times n$ defines a binary linear code with minimal distance at least $d$ except with probability $2^{-\alpha n}$ if

(10)$$\frac{k}{n}<1-h(d/n)-\alpha,$$

where $h(x)=-x\log _2(x)-(1-x)\log _2(1-x)$. We set $\alpha =0.01$ then obtain many choices of $n$ and $d$ (see Table 1) with failure probability $2^{-\alpha n}$, which ensures the ECC of proper size is easy to acquire. For example, when the participants want to share a $512$-bit key and set $k/n=0.52$, $d/n=0.1$, the codeword length $n$ will be $k/0.52\approx 985$, and $d$ will be $n\times 0.1=99$. They can establish a random binary matrix of size $512\times 985$ as the generation matrix to construct a $[985,512, 99]$ error-correcting code, then the failure (i.e., the minimum distance of the generated code is smaller than 99) probability is only $2^{-9.85}=0.0011$. As a result, when the participants want to share a 512-bit key, each participant will encode his/her 512-bit secret into a 985-bit codeword with the ECC and then distributes the codeword to others, then as many as 49 errors in the received codeword can be corrected successfully. Meanwhile, if a dishonest participant $P_i$ wants to change his/her secret to a more preferred one after learning the secrets of other participants, he/she has to change at least $d$ bits of the codeword. Therefore, a larger $d/n$ generally means that dishonest participant is more difficult to change his/her secret, but meanwhile the transmission efficiency will be low as $k/n$ decreases with the increase of $d/n$. That is, the security and efficiency of our protocol are in a trade-off relationship.

Table 1. Choices of $n$, $d$ for different key length $k$ when a random binary matrix of size $k\times n$ is used to generate the $[n,k,d]$ error-correcting code with the failure probability $p_{fail}=2^{-0.01n}$.

View Table | View all tables in this article

Generally, we give the priority to security, i.e., ensuring first a big enough $d$ to prevent dishonest participant from changing his/her secret, and then we balance the efficiency. Concretely, when $k$ is large, even a larger $k/n$ can provide a big enough $d$, and hence we can select larger $k/n$ to improve the efficiency; when $k$ is small, we can set a small $k/n$ to ensure a larger $d$. For example, when $k=512$, we set $k/n=0.52$ and $d/n=0.1$, then the codeword length will be 985, and the minimum distance of the code, i.e. $d$, reaches 99; when $k=64$, we set $k/n=0.17$ and $d/n=0.25$, then the codeword length will be 376 and $d$ reaches 94.

4. Security analysis

4.1 Security against outside eavesdropping

We first consider the outside eavesdropping. To elicit the bits encoded on the carrier qubits, the outside eavesdropper Eve has to intercept the transmitted qubits, measure them in $Z$-basis, or elicit the classical bit encoded on the qubit by attaching an additional system on the qubit and conducting certain unitary operation. Without loss of generality, suppose Eve attaches a $|0\rangle$ on the intercepted qubit and conducts an unitary operation $U$ on the composite system, then we have

(11)$$U|0\rangle|0\rangle_E=a|0\rangle|e_{0}\rangle_E+\sqrt{1-a^2}|1\rangle|e_1\rangle_E,$$

(12)$$U|1\rangle|0\rangle_E=b|0\rangle|f_{0}\rangle_E+\sqrt{1-b^2}|1\rangle|f_1\rangle_E,$$

then

(13)$$\begin{aligned} U|+\rangle|0\rangle_E & =\frac{1}{\sqrt{2}}(a|0\rangle|e_0\rangle_E+\sqrt{1-a^2}|1\rangle|e_1\rangle_E\\ & +b|0\rangle|f_0\rangle_E+\sqrt{1-b^2}|1\rangle|f_1\rangle_E)\\ & =\frac{1}{2}|+\rangle(a|e_0\rangle+\sqrt{1-a^2}|e_1\rangle+b|f_0\rangle+\sqrt{1-b^2}|f_1\rangle)_E\\ & +\frac{1}{2}|-\rangle(a|e_0\rangle-\sqrt{1-a^2}|e_1\rangle+b|f_0\rangle-\sqrt{1-b^2}|f_1\rangle)_E\\ & \triangleq |+\rangle|g_0\rangle_E+|-\rangle|g_1\rangle_E, \end{aligned}$$

(14)$$\begin{aligned} U|-\rangle|0\rangle_E & =\frac{1}{\sqrt{2}}(a|0\rangle|e_0\rangle_E+\sqrt{1-a^2}|1\rangle|e_1\rangle_E\\ & -b|0\rangle|f_0\rangle_E-\sqrt{1-b^2}|1\rangle|f_1\rangle_E)\\ & =\frac{1}{2}|+\rangle(a|e_0\rangle+\sqrt{1-a^2}|e_1\rangle-b|f_0\rangle-\sqrt{1-b^2}|f_1\rangle)_E\\ & +\frac{1}{2}|-\rangle(a|e_0\rangle-\sqrt{1-a^2}|e_1\rangle-b|f_0\rangle+\sqrt{1-b^2}|f_1\rangle)_E\\ & \triangleq |+\rangle|h_0\rangle_E+|-\rangle|h_1\rangle_E. \end{aligned}$$

After that, Eve sends the intercepted qubit to the receiver and measures the attached system to elicit the secrets of the participants. As the qubits sent in both X-basis and Z-basis will be checked in step (4), Eve can pass the checking only when $a=1$, $b=0$, $\langle g_1|g_1\rangle =0$ and $\langle h_0|h_0\rangle =0$, which immediately yielding that

(15)$$U|\phi\rangle|0\rangle_E=|\phi\rangle|e_0\rangle_E,$$

for any $|\phi \rangle \in \{|0\rangle,|1\rangle,|+\rangle,|-\rangle \}$. That is, Eve cannot obtain any information from the attached system.

4.2 Security against dishonest participants

Participant cheating in QKA has two styles. First, the dishonest participant tries to elicit the secrets of other participants before transmitting his/her secret to others so that he/she can choose a preferred secret. Second, the dishonest participant tries to change his/her secret to a more preferred one after the secrets of other participants have been revealed. We here show our protocol is secure even in the extreme case that $m-1$ participants $P_1, P_2,\ldots, P_{m-1}$ collude to cheat the remaining one honest participant, e.g. $P_0$.

First of all, the dishonest participants cannot elicit $P_0$’s secret before they transmit their secrets to $P_0$ because they does not know the positions of the “test qubits" and “carrier qubits” in the qubit sequences $S_{0j}$ ($j\neq 0$) transmitted by $P_0$. Following the protocol, the honest participant $P_0$ will transmit the qubits and select the checking ones in X and Z bases with equal probability 0.5, so after dropping the checking qubits in step (5), the remaining qubits in $S_{0j}$ ($j\neq 0$) are initially sent in X and Z bases with equal probability 0.5. As $P_0$ will choose and keep only $n$ qubits from those sent in Z-basis as the carrier qubits while keep all sent in X-basis survive as the test qubits, the proportion of test qubits will significantly larger than that of the carrier qubits in each sequence when step (5) is finished. Generally, the proportion of test qubits is at least twice or several times that of the carrier qubits. Therefore, the dishonest participants cannot identify the carrier qubits (from the sequences transmitted by the honest participant $P_0$) to elicit $P_0$’s secret in advance.

We now consider the second style of cheating, that is, dishonest participants try to change their secrets in steps (6) and (7) after learning $P_0$’s secret. As each participant’s secret is encoded with the $[n,k,d]$ error-correcting code and the carrier qubits carry the codeword other than the secret itself, dishonest participant, e.g., $P_j$ ($j\neq 0$), has to change at least $d$ bits in the transmitted codeword even when he/she wants to change only one bit of his/her secret. $P_j$’s possible cheating strategies to achieve this can be divided into the following categories.

4.2.1 Attack of interconverting partial carrier/test qubits

First of all, if the cheater $P_j$ initially transmits a secret $K_j$ to $P_0$, but wants to change it to a more favored secret $K'_j$ in steps (6-7), he/she has to announce some test qubits to be carrier qubits and announce some carrier qubits to be test qubits, i.e., interconverting partial carrier and test qubits. For example, when $P_j$ sends a carrier qubit, e.g. $|0\rangle$, but wants to reveal a bit $1$. $P_j$ needs to announce the carrier qubit $|0\rangle$ to be test qubit $|+\rangle$ or $|-\rangle$ in step (7), and announces another test qubit, e.g., $|+\rangle$, to be the carrier qubit with the hope that $P_0$ can measure it and obtain $1$. Clearly, honest $P_0$ measures the qubit $|+\rangle$ with Z-basis can only obtain $|1\rangle$ with probability $1/2$, meaning that $P_j$’s cheating can only succeed with probability $1/2$. Furthermore, as the carrier qubit $|0\rangle$ is announced to be $|+\rangle$ or $|-\rangle$ randomly, the honest participant $P_0$ can find an error in step (6) if he/she measures it with $X$-basis and obtains $|-\rangle$ or $|+\rangle$, with probability $p/2$. Therefore, for the $d$ carrier states which are announced to be test ones, the probability to detect this cheating is $1-(1-p/2)^d$, which tends to 1 with the increase of $d$. For example, when they use the $[1970, 1024, 197]$ code to share a 1024-bit final key and set $p=0.049<d/2n$, the probability to detect dishonest $P_j$’s such cheating in step (6) will be $1-(1-\frac {0.049}{2})^{197}=0.9925$.

Second, $P_j$ may not transmit a codeword of a specific secret to $P_0$. Instead, he may transmit an intermediate, e.g., one $n$-bit string which is close to two or several codewords. Without loss of generality, suppose $P_j$ selects two candidate secrets $K'_j$ and $K''_j$ whose codewords are $C_1$ and $C_2$, respectively. Suppose the distance between $C_1$ and $C_2$ is $d$. $P_j$ can find an $n$-bit string $C^*$ which has distance about $d/2$ from both $C_1$ and $C_2$. Then, $P_j$ only needs to change about $d/2$ bits in the string to convert his/her secret to $K'_j$ or $K''_j$. Luckily, this cheating still would be detected in step (6) because $k$ and $d$ are generally not too small. For example, when $k=1024$, a $[1970, 1024, 197]$ code is used and $p=0.049$, such cheating can still be detected in step (6) with the overwhelming probability $1-(1-\frac {0.049}{2})^{98}=0.9120$. Furthermore, as the preferred $k$-bit secret may be any $k$-bit string before the dishonest participants obtain $K_0$, the several candidate secrets, i.e. $K'_j$ and $K''_j$ (which are selected by $P_j$ before knowing $P_0$’s secret $K_0$), are probably not what $P_j$ wants, so this cheating can hardly provide any benefit for dishonest participants.

More generally, dishonest $P_j$ may send fake states instead of $|0\rangle$, $|1\rangle$, $|+\rangle$, $|-\rangle$ so that he/she can interconvert some carrier/test qubits to change his/her secret. Denote the state of the two qubits $P_j$ wants to interconvert by $\rho _{AB}$. Suppose the cheater $P_j$ wants to use a special $\rho _{AB}$ to reveal a bit 0 (1) to the receiver by announcing the states of $\rho _{AB}$ to be $|0\rangle |t_i\rangle$ ($|t_j\rangle |1\rangle$) , where $i,j=0,1$ and

(16)$$|t_i\rangle=\frac{1}{\sqrt{2}}(|0\rangle+({-}1)^{i}|1\rangle).$$

That is, when $P_j$ wants the bit 0 to be revealed by the receiver, he/she will announce the first qubit as the carrier qubit and announce the second one to be the test qubit $|t_i\rangle$. As a result, when the measurement outputs of $\rho _{AB}$ are $|0\rangle |t_i\rangle$, $|+\rangle |t_i\rangle$, $|0\rangle |0\rangle$, $|0\rangle |1\rangle$, $|+\rangle |0\rangle$ and $|+\rangle |1\rangle$, the receiver will find no mismatch in the test qubit and record a bit 0 in $C'_j$, which means that $P_j$ cheats successfully. If the measurement outputs of $\rho _{AB}$ are $|0\rangle |t_i^{\bot }\rangle$, $|1\rangle |t_i^{\bot }\rangle$, $|t_i\rangle |t_i^{\bot }\rangle$ and $|t_i^{\bot }\rangle |t_i^{\bot }\rangle$, where $|t_i^{\bot }\rangle$ is orthogonal with $|t_i\rangle$, the receiver will find a mismatch in the test qubit, then this cheating will be detected. Similarly, when $P_j$ wants the bit 1 to be revealed by the receiver, he/she will announce the second qubit as the carrier qubit and announce the first qubit to be the test qubit $|t_j\rangle$. As a result, when the measurement outputs of $\rho _{AB}$ are $|t_j\rangle |1\rangle$, $|0\rangle |1\rangle$, $|1\rangle |1\rangle$, $|t_j\rangle |-\rangle$, $|0\rangle |-\rangle$ and $|1\rangle |-\rangle$, the receiver will find no mismatch in the test qubit and record a bit 1 in $C'_j$, which means that $P_j$ cheats successfully. If the measurement outputs of $\rho _{AB}$ are $|t_j^{\bot }\rangle |1\rangle$, $|t_j^{\bot }\rangle |0\rangle$, $|t_j^{\bot }\rangle |t_j\rangle$ and $|t_j^{\bot }\rangle |t_j^{\bot }\rangle$, the receiver will find a mismatch in the test qubit, then this cheating will be detected. Note that the receiver measures each qubit in X-basis (or Z-basis) with probability $p$ (or $1-p$), therefore, $P_j$’s success probability can be written as

(17)$$\begin{aligned}p_s &=\frac{1}{2}\{(1-p)^2tr\{[|00\rangle\langle00|+2|01\rangle\langle01|+|11\rangle\langle11|]\rho_{AB}\}+\\ &p(1-p)tr\{[|0t_i\rangle\langle 0t_i|+|+0\rangle\langle +0|+|+1\rangle\langle +1|+|t_j1\rangle\langle t_j1|+|0-\rangle\langle 0-|+|1-\rangle\langle 1-|]\rho_{AB}\}\\ &+p^2tr\{[|+t_i\rangle\langle+t_i|+|t_j-\rangle\langle t_j-|]\rho_{AB}\}\}. \end{aligned}$$

The probability to detect this cheating is

(18)$$\begin{aligned}p_d &=\frac{1}{2}\{p(1-p)tr\{[|0t_i^{\bot}\rangle\langle 0t_i^{\bot}|+|1t_i^{\bot}\rangle\langle 1t_i^{\bot}|+|t_j^{\bot}1\rangle\langle t_j^{\bot}1|+|t_j^{\bot}0\rangle\langle t_j^{\bot}0|]\rho_{AB}\}\\ &+p^2tr\{[|t_it_i^{\bot}\rangle\langle t_it_i^{\bot}| +|t_i^{\bot}t_i^{\bot}\rangle\langle t_i^{\bot}t_i^{\bot}|+[|t_j^{\bot}t_j\rangle\langle t_j^{\bot}t_j|+[|t_j^{\bot}t_j^{\bot}\rangle\langle t_j^{\bot}t_j^{\bot}|]\rho_{AB}\}\}. \end{aligned}$$

Clearly, to ensure $p_d=0$, the cheater $P_j$ should prepare $\rho _{AB}$ in state $|t_j\rangle |t_i\rangle$, otherwise the receiver will detect $P_j$’s cheating with a nonzero probability. When $\rho _{AB}=|t_j\rangle |t_i\rangle$, we can obtain $p_s=\frac {1+p}{2}$. That is, $P_j$ can control one bit in the receiver’s $C'_j$ only with probability $\frac {1+p}{2}$. Imagine that when $P_j$ prepares $n$ such qubit pairs and wants to reveal a preferred secret to the receiver by this way, he/she can only succeed on about $n(\frac {1+p}{2})$ bits. That is, the measurement output of the receiver, $C'_j$, will have distance as large as $n(\frac {1-p}{2})$ from $P_j$’s preferred code word. As $\frac {d}{n}$ is generally greatly less than $\frac {2}{3}$ in our choices of error correcting code (see Table 1), we have

(19)$$n(\frac{1-p}{2})>\frac{d}{2},$$

so $C'_j$ will not be corrected to the cheater $P_j$’s preferred secret. Therefore, such cheating can hardly succeed.

We now consider the case that $p_d\neq 0$. Obviously, to change his/her secret, the cheater $P_j$ should increase $p_s$ and decrease $p_d$. We now discuss two strategies to achieve it.

• Strategy I. $P_j$ chooses proper $\rho _{AB}$ to maximize $p_s$, i.e., maximizing the success ability of his/her cheating.
• Strategy II. $P_j$ chooses proper $\rho _{AB}$ to maximize $p_s-p_d$, i.e., balancing to obtain a larger success probability and a lower detection probability of his/her cheating.

We give the relationship between $p_s$ and $p_d$ under these two strategies in Figs. 3 and 4 for $p\in [0.01,0.18]$. Clearly, when $p$ increases, $p_s$ decreases and $p_d$ increases. Remember that $p$ is limited by the $[n,k,d]$ code, i.e., $p<\frac {d}{2n}$, therefore the choice of $[n,k,d]$ code will greatly influence the security of our protocol.

Fig. 3. The relationship between $P_{s}$ and $P_d$ when $P_s$ is maximized.

Download Full Size | PDF

Fig. 4. The relationship between $P_{s}$ and $P_d$ when $P_s-P_d$ is maximized.

Download Full Size | PDF

We now show the influence of $n$ and $d$ by comparing the cheater’s success probability and the probability of detecting the cheater under the above two strategies. We here mainly consider the following two cases.

• First, the cheater $P_j$ prepares $n$ pairs of qubits in certain states $\rho _{AB}$ and uses them to make his/her secret to be any preferred one after learning the secrets of other participants. This cheating will be detected with probability $P_{D_1}=1-(1-p_d)^n$.
• Second, as the minimum distance of the ECC is $d$, the cheater $P_j$ prepares $d$ pairs of qubits in certain states $\rho _{AB}$ and uses them to change his/her secret to be a more preferred one after learning the secrets of other participants. As these $d$ pairs are located in fixed positions in his/her sequences, he/she generally can only make his/she secrets to be very few secrets (which are probably unwanted ones) by cheating on them. This cheating will be detected with probability $P_{D_2}=1-(1-p_d)^d$.

Concrete results for $k=128$ are shown in Table 2. The probability to detect the cheating in the former case (i.e. $P_{D_1})$) approximates to 1, so such cheating would be detected by the honest participant. On the other hand, the probability of detecting the cheating in the second case is also significant, which means that the cheater will be detected with a significant probability (e.g., larger than 0.3568 when $k=128$ with the choices of $n,d,p$ in Table 2) even when he/she tries to change only 1 bit of his/her secret (owing to the use of $[n,k,d]$ code). And for a given key length $k$, when $p$ increases, the probability of detecting the cheater decreases. On the other hand, as $p$ is slightly smaller than $\frac {d}{2n}$, the increase of $p$ means the increase of $\frac {d}{n}$ and decrease of $\frac {k}{n}$. Therefore, for any given $k$, when $\frac {d}{n}$ increases, $p$ increases and the probability of detecting a cheating participant increases. Generally, we can set a larger $\frac {d}{n}$ to achieve a higher security.

Table 2. The influence of $n$, $d$ for key length $k=128$. Here, $P_{D_1}=1-(1-p_d)^n$ and $P_{D_2}=1-(1-p_d)^d$ represent the probabilities of detecting the cheater when he/she cheats on the whole $n$-bit codeword and on $d$ bits of it, respectively.

View Table | View all tables in this article

4.2.2 Attack based on error-correcting code

As interconverting the carrier and test qubits would be detected in step (6), dishonest $P_j$ may not cheat on the test qubits, but tries to cheat only on the carrier qubits to alter his/her secret, with the hope that the errors induced by his/her cheating can be corrected by ECC. As the test qubits are treated honestly, this cheating cannot be detected in step (6). We now show that this cheating can hardly succeed.

Denote the state of the $n$ carrier qubits in the sequence $S_{j0}$ of cheater $P_j$ as $\rho _c$. Suppose that after learning the secret of the honest participant $P_0$, $P_j$ wants $K^*$ to be his/her own secret elicited by $P_0$, then he/she has to ensure that $P_0$’s measurement output of $\rho _c$, i.e. $C'_j$, has distance less than $d/2$ from $C^*$, where $C^*$ is the codeword of $K^*$. We now show that, such cheating can hardly succeed because it requires $P_j$ to know $K^*$ before the honest participant $P_0$’s secret is revealed.

We first consider the most simple case where $\rho _c$ is a direct product of $n$ states in Z-basis in the form of

(20)$$|D_1\rangle=|d_{11}\rangle \otimes|d_{12}\rangle \otimes \cdots \otimes |d_{1n}\rangle,$$

where $D_1=d_{11}d_{12}\cdots d_{1n}$ an $n$-bit string. As $P_0$ measures each qubit in Z-basis with probability $1-p$ and in X-basis with probability $p$, the measurement output of these $n$ carrier qubits, i.e., $C'_j$ in step (7), will have distance on average $n\times p/2$ and at most $n\times p$ with $D_1$. Therefore, to ensure that all such measurement outputs can be corrected to the codeword $C^*$, $D_1$ should be very close to $C^*$ (as shown in Fig. 5). It requires that $P_j$ should know $C^*$ before he/she sends the states $\rho _c$ to $P_0$, which is clearly impossible.

Fig. 5. The situation that $\rho _c$ is a direct product state $|D_1\rangle$. Here, each yellow dot represents a codeword of the ECC, and the green span around it represents the domain of strings which can be corrected to this codeword, that is, the distance between each string in this span and this codeword is no larger than $R=\lfloor \frac {d-1}{2}\rfloor$. The blue dot represents the $n$-bit string $D_1$, and the red span (whose radius $d_m=n\times p$ is slightly smaller than $R$) surrounding it represents $P_0$’s possible measurement outputs of $|D_1\rangle$, i.e., $C'_j$ in step (7). Therefore, to ensure that $P_0$ elicits $P_j$’s secret as $K^*$, the red domain should be contained in the green span of $C^*$, which means that $D_1$ should be very close to $C^*$.

Download Full Size | PDF

Then we consider that $\rho _c$ is pure superposition of direct product states $|D_k\rangle$ in the form of

(21)$$\begin{aligned} |\Phi\rangle & =\Sigma_{k=1}^t \sqrt{p_k} e^{i\theta_k} |D_{k}\rangle\\ & =\Sigma_{k=1}^t \sqrt{p_k} e^{i\theta_k} |d_{k1}\rangle \otimes |d_{k2}\rangle \otimes |d_{kn}\rangle, \end{aligned}$$

where $\Sigma _{k=1}^t p_k=1$ and $D_k=d_{k1}d_{k2}\cdots d_{kn}$ is an $n$-bit string, for $k=1,2,\ldots,t$. Then, $P_0$’s measurement outputs of $|\Phi \rangle$ will appear in $D_k$’s span of radius $r=np$, $k=1,2,\ldots,t$. Therefore to ensure that $P_0$ elicits $P_j$’s secret as $K^*$, $P_j$ should ensure that all $D_k$s are very close to $C^*$, which is obviously impossible.

Similarly, when $\rho _c$ is a mixed state (equivalent to that $P_j$ sends the carrier qubits in some pure states with certain prior probabilities), to ensure $P_0$’s measurement output has distance less than $d/2$ from $C^*$, $P_j$ also has to know $C^*$ before transmitting the carrier states to $P_0$.

In conclusion, though the utilizing of ECC can tolerate the errors induced by the measurement under incorrect bases, it does not give any advantage to the dishonest participant, that is, dishonest participant cannot change his/her secret to a preferred one by exploiting ECC because he/she cannot know which secret is the preferred one before learning honest participant’s secret.

5. Conclusion

We propose a QKA protocol based on ECC, which uses only single qubits as the carrier states and the X/Z measurement to elicit the information encoding on them. The use of ECC ensures that our protocol can tolerate the channel loss and remove the requirement of quantum storage, so our protocol is more practical and efficient. It can also discriminate dishonest participants’ cheating with outside eavesdropping, as a result, dishonest participants cannot keep good reputation and escape from punishment by blaming the errors induced by his/her cheating on outside eavesdropping. However, though ECC is used our protocol to correct errors induced by the measurement of qubits in incorrect bases, it remains unclear whether our protocol can tolerate the channel noise and what extent of channel noise can be tolerated. Our future work will focus on dealing with the channel noise in QKA.

Funding

National Natural Science Foundation of China (61902166, 62172196, 62272208); Natural Science Foundation of Henan Province (212300410062); the Guangxi Key Laboratory of Trusted Software (KX202040); and the Key Scientific Research Project in Universities of Henan Province (21A110017).

Disclosures

The authors declare that there are no conflicts of interest related to this article.

Data availability

The data underlying the results presented in this paper are not publicly available at this time, but may be obtained from the authors upon reasonable request.

References

1. P. W. Shor, “Algorithms for quantum computation: discrete logarithms and factoring,” in Proceedings of the 35th Annual Symposium on the Foundations of Computer Science, (Santa Fe, New Mexico, 1994), pp.124–134.

2. L. K. Grover, “A fast quantum mechanical algorithm for database search,” in Proceedings of the 28th Annual ACM Symposium on Theory of Computing, (New York, 1996), pp. 212–219.

3. C. H. Bennett and G. Brassard, “Quantum cryptography: Public key distribution and coin tossing,” in Proceedings of IEEE Int. Conf. on Computers, Systems and Signal Processing, (Bangalore, 1984), pp. 175–799.

4. N. Zhou, G. Zeng, and J. Xiong, “Quantum key agreement protocol,” Electron. Lett. 40(18), 1149–1150 (2004). [CrossRef]

5. C. W. Tsai and T. Hwang, “On quantum key agreement protocol,” Technical Report C-S-I-E, NCKU, Taiwan (2009).

6. S. K. Chong and T. Hwang, “Quantum key agreement protocol based on BB84,” Opt. Commun. 283(6), 1192–1195 (2010). [CrossRef]

7. W. Huang, Q. Y. Wen, B. Liu, F. Gao, and Y. Sun, “Quantum key agreement with EPR pairs and single-particle measurements,” Quantum Inf. Process. 13(3), 649–663 (2014). [CrossRef]

8. Y. F. He and W. P. Ma, “Two-party quantum key agreement protocol with four-particle entangled states,” Mod. Phys. Lett. B 30(26), 1650332 (2016). [CrossRef]

9. R. H. Shi and H. Zhong, “Multi-party quantum key agreement with bell states and bell measurements,” Quantum Inf. Process. 12(2), 921–932 (2013). [CrossRef]

10. B. Liu, F. Gao, W. Huang, and Q. Y. Wen, “Multiparty quantum key agreement with single particles,” Quantum Inf. Process. 12(4), 1797–1805 (2013). [CrossRef]

11. G. B. Xu, Q. Y. Wen, F. Gao, and S. J. Qin, “Novel multiparty quantum key agreement protocol with GHZ states,” Quantum Inf. Process. 13(12), 2587–2594 (2014). [CrossRef]

12. W. Huang, Q. Su, B. J. Xu, B. Liu, F. Fan, H. Y. Jia, and Y. H. Yang, “Improved multiparty quantum key agreement in travelling mode,” Sci. China-Phys. Mech. Astron. 59(12), 120311 (2016). [CrossRef]

13. X. R. Yin, W. P. Ma, D. S. Shen, and L. L. Wang, “Three-party quantum key agreement with Bell states,” Acta Phys. Sin. 62(17), 170304 (2013). [CrossRef]

14. X. R. Yin, W. P. Wen, and W. Y. Liu, “Three-party quantum key agreementwith two-photon entanglement,” Int. J. Theor. Phys. 52(11), 3915–3921 (2013). [CrossRef]

15. Z. W. Sun, C. Zhang, B. H. Wang, Q. Li, and D. Y. Long, “Improvements on “multiparty quantum key agreement with single particles”,” Quantum Inf. Process. 12(11), 3411–3420 (2013). [CrossRef]

16. C. Shukla, N. Alam, and A. Pathak, “Protocols of quantum key agreement solely using Bell states and Bell measurement,” Quantum Inf. Process. 13(11), 2391–2405 (2014). [CrossRef]

17. Z. C. Zhu, A. Q. Hu, and A. M. Fu, “Improving the security of protocols of quantum key agreement solely using Bell states and Bell measurement,” Quantum Inf. Process. 14(11), 4245–4254 (2015). [CrossRef]

18. Z. W. Sun, J. P. Yu, and P. Wang, “Efficient multi-party quantum key agreement by cluster states,” Quantum Inf. Process. 15(1), 373–384 (2016). [CrossRef]

19. Z. W. Sun, C. Zhang, P. Wang, J. P. Yu, Y. Zhang, and D. Y. Long, “Multi-party quantum key agreement by an entangled six-qubit state,” Int. J. Theor. Phys. 55(3), 1920–1929 (2016). [CrossRef]

20. S. Lin, X. Zhang, G. D. Guo, L. L. Wang, and X. F. Liu, “Multiparty quantum key agreement,” Phys. Rev. A 104(4), 042421 (2021). [CrossRef]

21. L. L Wang and W. P. Ma, “Quantum key agreement protocols with single photon in both polarization and spatial-mode degrees of freedom,” Quantum Inf. Process. 16(5), 130 (2017). [CrossRef]

22. W. Huang, Q. Su, B. Liu, Y. H. He, F. Fan, and B. J. Xu, “Effcient multiparty quantum key agreement with collective detection,” Sci. Rep. 7(1), 15264 (2017). [CrossRef]

23. B. Liu, D. Xiao, H. Y. Jia, and R. Z. Liu, “Collusive attacks to “circle-type” multi-party quantum key agreement protocols,” Quantum Inf. Process. 15(5), 2113–2124 (2016). [CrossRef]

24. H. K. Lo and H. F. Chau, “Is quantum bit commitment really possible?” Phys. Rev. Lett. 78(17), 3410–3413 (1997). [CrossRef]

25. D. Mayers, “Unconditionally secure quantum bit commitment is impossible,” Phys. Rev. Lett. 78(17), 3414–3417 (1997). [CrossRef]

26. C. Y. Wei, T. Y. Wang, and F. Gao, “Practical quantum private query with better performance in resisting joint-measurement attack,” Phys. Rev. A 93(4), 042318 (2016). [CrossRef]

27. C. Y. Wei, X. Q. Cai, B. Liu, T. Y. Wang, and F. Gao, “A Generic Construction of Quantum-Oblivious -Key-Transfer-Based Private Query with Ideal Database Security and Zero Failure,” IEEE Trans. Comput. 67(1), 2–8 (2018). [CrossRef]

28. C. Y. Wei, X. Q. Cai, T. Y. Wang, S. J. Qin, F. Gao, and Q. Y. Wen, “Error Tolerance Bound in QKD-Based Quantum Private Query,” IEEE J. Select. Areas Commun. 38(3), 517–527 (2020). [CrossRef]

29. F. J. MacWilliams and N. J. A. Sloane, The Theory of Error-Correctiny Codes (North-Holland, 1977).

$k$	$\frac{k}{n}$	$\frac{d}{n}$	$n$	$d$	$p_{f a i l}$	$\frac{k}{n}$	$\frac{d}{n}$	$n$	$d$	$p_{f a i l}$
64			123	12	0.426			168	25	0.312
128			246	25	0.182			337	51	0.099
256	0.52	0.1	492	49	0.033	0.38	0.15	674	101	0.009
512			985	99	0.001			1347	202	0
1024			1970	197	0			2695	404	0
64			246	49	0.182			376	94	0.074
128			492	98	0.033			753	188	0.005
256	0.26	0.2	985	197	0.001	0.17	0.25	1506	377	0
512			1969	394	0			3012	753	0
1024			3938	788	0			6024	1506	0
64			640	192	0.012			1600	560	0
128			1280	384	0			3200	1120	0
256	0.1	0.3	2560	768	0	0.04	0.35	6400	2240	0
512			5120	1536	0			12800	4480	0
1024			10240	3072	0			25600	8960	0

Strategy	$n$	$d$	$p$	$p_{s}$	$p_{d}$	$p_{D_{1}}$	$p_{D_{2}}$
I	246	25	0.04	0.9620	0.0183	0.9894	0.3698
	337	51	0.07	0.9363	0.0298	1	0.7862
	492	98	0.09	0.9204	0.0363	1	0.9733
	753	188	0.12	0.8987	0.0443	1	0.9998
	1280	384	0.014	0.8856	0.0485	1	1
	3200	1120	0.07	0.8679	0.0543	1	1
II	246	25	0.04	0.9616	0.0175	0.9870	0.3568
	337	51	0.07	0.9350	0.0272	1	0.7550
	492	98	0.09	0.9184	0.0321	1	0.9591
	753	188	0.12	0.8953	0.0372	1	0.9992
	1280	384	0.014	0.8811	0.0393	1	1
	3200	1120	0.07	0.8620	0.0407	1	1

$k$	$\frac{k}{n}$	$\frac{d}{n}$	$n$	$d$	$p_{f a i l}$	$\frac{k}{n}$	$\frac{d}{n}$	$n$	$d$	$p_{f a i l}$
64			123	12	0.426			168	25	0.312
128			246	25	0.182			337	51	0.099
256	0.52	0.1	492	49	0.033	0.38	0.15	674	101	0.009
512			985	99	0.001			1347	202	0
1024			1970	197	0			2695	404	0
64			246	49	0.182			376	94	0.074
128			492	98	0.033			753	188	0.005
256	0.26	0.2	985	197	0.001	0.17	0.25	1506	377	0
512			1969	394	0			3012	753	0
1024			3938	788	0			6024	1506	0
64			640	192	0.012			1600	560	0
128			1280	384	0			3200	1120	0
256	0.1	0.3	2560	768	0	0.04	0.35	6400	2240	0
512			5120	1536	0			12800	4480	0
1024			10240	3072	0			25600	8960	0

Strategy	$n$	$d$	$p$	$p_{s}$	$p_{d}$	$p_{D_{1}}$	$p_{D_{2}}$
I	246	25	0.04	0.9620	0.0183	0.9894	0.3698
	337	51	0.07	0.9363	0.0298	1	0.7862
	492	98	0.09	0.9204	0.0363	1	0.9733
	753	188	0.12	0.8987	0.0443	1	0.9998
	1280	384	0.014	0.8856	0.0485	1	1
	3200	1120	0.07	0.8679	0.0543	1	1
II	246	25	0.04	0.9616	0.0175	0.9870	0.3568
	337	51	0.07	0.9350	0.0272	1	0.7550
	492	98	0.09	0.9184	0.0321	1	0.9591
	753	188	0.12	0.8953	0.0372	1	0.9992
	1280	384	0.014	0.8811	0.0393	1	1
	3200	1120	0.07	0.8620	0.0407	1	1

Loss-tolerant quantum multi-party key agreement without quantum storage

Abstract

1. Introduction

2. Protocol

3. Features and parameters

3.1 Example

3.2 Correctness

3.3 Capacity of loss-tolerance

3.4 Removing the requirement of quantum storage

3.5 Recognition of participants’ cheating

3.6 Choice of $n$ and $d$

4. Security analysis

4.1 Security against outside eavesdropping

4.2 Security against dishonest participants

4.2.1 Attack of interconverting partial carrier/test qubits

4.2.2 Attack based on error-correcting code

5. Conclusion

Funding

Disclosures

Data availability

References

Data availability

Cited By

Figures (5)

Tables (2)

Equations (21)

Optics Express