Abstract
Quantum key distribution (QKD) and quantum key agreement (QKA) are two main branches of key establishment in quantum cryptography. However, the research of QKA falls far behind that of QKD, especially in practicability. The main reason is that QKA needs to resist not only the outside eavesdropping but also the participant cheating. Resisting dishonest participant is more difficult than resisting outside eavesdropping, especially when the apparatuses are imperfect. Actually, existing QKA protocols cannot tolerate the channel loss and have to rely on stable quantum storage. To solve this problem, we give a new quantum multi-party key agreement protocol based on the error-correcting code. Our protocol is loss tolerant, and the participants can measure the received qubits immediately in one of two conjugate bases, without storage, so our protocol can eliminate the requirement of quantum storage. Besides, our protocol is more fair because it can partially discriminate dishonest participants’ cheating from outside eavesdropping (previously, these two attacks are generally checked simultaneously via decoy states but cannot be discriminated), as a result, dishonest participants generally will not cheat at the cost of losing good reputation.
© 2022 Optica Publishing Group under the terms of the Optica Open Access Publishing Agreement
1. Introduction
Key establishment is of vital importance to secure communication. It has two main branches, key distribution and key agreement. The key in the former can be determined by one participant and then distributed to others while in the latter it is determined by all participants. Concretely, key distribution should satisfy the following two properties.
(1) Correctness. At the end of the protocol, all participants obtain an identical key;
(2) Security. No outside eavesdropper can obtain any information about the key.
As to key agreement, it should not only be secure against outside eavesdropping but also be immune to participant attack, that is, it should satisfy one more requirement called “fairness”.
(3) Fairness. All participants equally contribute to the shared key, and any nontrivial subset of the participants cannot predetermine the key alone.
Owing to this property, key agreement has been widely used in multiparty secure computations, access control, electronic auctions, and so on.
Many protocols for key establishment have been proposed in classical cryptography. However, the security of classical cryptographic protocols generally relies on the assumption of computational complexity. With the progress in computation capability, especially with the rapid development of quantum computation [1,2], the security of classical cryptographic protocols faces severe challenges. Luckily, this drawback can be settled in quantum cryptography whose security is guarded only by the principles of quantum mechanics. The pioneer work was given in 1984 by Bennett and Brassard [3], who proposed the first quantum key distribution (QKD) protocol. Different from its classical counterparts, the security of QKD is assured by physical laws, that is, any eavesdropping can be detected because it would disturb the transmitted carrier states, so QKD can achieve the information-theoretic security in theory. Since then on, the research of QKD has achieved great progress in both theory and experiment. As the most mature quantum technology, QKD has realized commercial applications in government/enterprise networks, infrastructure construction, and so on.
In contrast with QKD, the research of quantum key agreement (QKA) started much later. In 2004, Zhou et al. [4] presented the first QKA protocol with quantum teleportation and maximally entangled states. However, Tsai and Hwang [5] pointed out that this protocol is not fair, that is, one participant can fully determine the shared key alone without being detected. In 2011, Chong et al. [6] presented a QKA protocol based on BB84 QKD protocol in which delayed measurement and certain unitary operations are utilized. In 2014, to deal with the collective noise, Huang et al. [7] presented a QKA protocol based on entangled states. In 2016, He et al. [8] gave a QKA protocol based on four-particle entangled states. All of these protocols are limited to the two-party cases.
In 2012, Shi and Zhong [9] proposed the first multi-party quantum key agreement (MQKA) protocol by exploiting EPR pairs and entanglement swapping. Subsequently, Liu et al. [10] pointed out that this protocol is not fair because a dishonest participant can totally determine the shared key, and then they gave a secure MQKA protocol with single particles and single-particle measurements. In 2014, Xu et al. [11] presented a MQKA protocol based on GHZ states. In 2016, Huang et al. [12] proposed a MQKA protocol with EPR states. In recent years, many MQKA protocols have been proposed based on two transmission modes, i.e., the distributed mode [10,13] and the traveling mode [9,12,14–22]. In both modes the shared key is generally a function result (usually the sum) of $m$ participants’ secrets. Concretely, the two modes work as follows.
(1) In the distributed mode [10,13], each participant sends every other participant a carrier sequence which carries his/her secret and also contains some randomly inserted decoy states. After all participants have received the sequences from others, they measure the decoy states to check the outside eavesdropping and inside cheating, and then measure the carrier states to obtain other participants’ secrets. Finally, each participant uses the received secrets and his/her own secret to compute the shared key.
(2) In the traveling mode [9,12,14–22], each participant prepares one carrier sequence and pass it to other participants so that each receiver can encodes his/her secret on it with corresponding unitary operators in turn, and finally the sequences will be sent back to the initial sender. After all participants have received their own sequences, each participant selects some carrier states in these sequences to check the outside eavesdropping and inside cheating, then measures his/her own sequence, and finally computes the shared key with the measurement output and his/her own secret.
The traveling-mode protocols are generally more efficient than the distributed-mode ones because the transmitted carrier qubits in the former are greatly less than that of the latter. However, in 2016, Liu et al. [23] pointed out that many traveling mode protocols cannot resist a special collude attack of two participants at specific positions. Recently, Lin et al. [20] also presented a new collusion attack which can break the fairness of the traveling-mode protocols in which each participant uses one specific operation or correlated operations to encode his/her secret on the traveling qubits, and then gave a new protocol which can resist this kind of attack by exploiting EPR pairs and hash function.
Though many QKA protocols have been proposed, scarcely any of them is really practical, far behind the research of QKD. The main reason is that QKA needs to resist not only the outside eavesdropping but also the participant cheating. As we know, resisting dishonest participant is more difficult than resisting outside eavesdropping [24–26], especially with the imperfect implementation apparatuses (e.g., unideal light source [27], noisy channel [28]). Actually, most QKA protocols need to utilize various entangled states, but high-quality entangled states are difficult to acquire today. Though some protocols exploiting single qubits have been proposed, they are still impractical owing to the inevitable channel loss or the lack of mature quantum technique, such as stable quantum storage.
First of all, existing QKA protocols generally cannot tolerate the channel loss. Without loss of generality, suppose the shared key is the sum of $m$ participants’ secrets, then each final key bit is the sum of $m$ corresponding bits from the $m$ participants’ secrets, therefore there are generally $m(m-1)$ carrier states ($m$ carrier states) contributing to this final bit in the distributed (traveling) mode protocol. If any of them is lost, this final key bit will not be shared successfully, which happens with a significant probability with present technology especially when $m$ is large. The participants have to transmit quite many qubits to share a key of certain length, so the efficiency will be unsatisfactory. Worse yet, in the traveling mode the dishonest participants may tell a lie that some carrier states are lost when they use for example Lin et al.’s collusion attack [20] and find the final key bits generated by these carrier states are not favored, so that these bits can be deleted from the shared key. So the inevitable channel loss not only reduces the communication efficiency but also hurts the fairness of MQKA protocols.
Second, the participants in existing QKA protocols are required to have the capability of storing carrier states for some period, which is infeasible with current technology. All of the participants in existing protocols, no matter in the distributed mode or in the traveling mode, have to store the carrier states until the eavesdropping checking is finished and the correct measurement bases are revealed so that they can measure the carrier states with correct bases to obtain an identical shared key finally. Lack of stable quantum storage has become one of the main challenges in the design of practical QKA protocols.
To solve the above problems, we propose a practical MQKA protocol based on the technique of error-correcting code (ECC). It uses only single qubits and X or Z measurement. Owing to the use of ECC, the participants in our protocol can measure the received qubits in X or Z basis immediately without storing them, that is, it removes the requirement of quantum storage. On the other hand, our protocol uses only the qubits which have transmitted successfully to carry the secrets (those lost ones carry no information and can be disregarded directly), so it is loss-tolerant and hence more efficient and secure. Moreover, our protocol can discriminate participants’ cheating with outside eavesdropping. Note that previous MQKA protocols generally check these two attacks simultaneously via decoy states but cannot discriminate them. Dishonest participant may attribute the errors he/she introduces on outside eavesdropping to keep good reputation or escape punishment. As our protocol can recognize the participants’ cheating, dishonest participant generally will not cheat at the cost of losing good reputation, so our protocol is more secure and fair.
The rest of this paper is organized as follows. In Sec. 2, we describe our MQKA protocol in details. Then we discuss its features and analyze the security in Secs. 3 and 4, respectively. Finally, we conclude in Sec. 5.
2. Protocol
Suppose that $m$ participants $P_0$, $P_1$, $\cdots$, $P_{m-1}$ want to agree on a secure $k$-bit key. To remove the quantum storage, a public $[n,k,d]$ error-correcting code is introduced to encode the participants’ secrets (the choice of $n$ and $d$ will be discussed later), so that each participant in our protocol can measure the received qubits immediately (without storing them) in two conjugate bases with biased probabilities. The concrete protocol is as follows (see Fig. 1 for a sketchy flowchart).
(1) Each participant $P_i$ randomly selects a $k$-bit key $K_i$ as his/her secret, then uses the $[n,k,d]$ error-correcting code to encode $K_i$ into one $n$-bit codeword $C_i$.
(2) Each participant $P_i$ sends a qubit sequence $S_{ij}$ to participant $P_j$ for $j=1,2, \ldots,i-1, i+1,\ldots, m$, where each qubit is randomly in one of the states $\{|0\rangle,|1\rangle,|+\rangle,|-\rangle \}$. Here,
(3) All participants measures the received qubits in Z-basis with probability $1-p$ or in X-basis with probability $p$, where $p$ is slightly smaller than $d/2n$. Then they drop the qubits which are not detected successfully.
(4) For each sequence $S_{ij}$, $P_i$ randomly selects some qubits from it and asks $P_j$ to announce corresponding measurement outputs. If $P_i$ finds that $P_j$’s announcement conflicts with the initial states of these qubits, he/she aborts the protocol.
(5) They discard the checking qubits. Then in each sequence $S_{ij}$ ($i,j=1,2,\ldots,m$ and $j\neq i$), $P_i$ selects $n$ carrier qubits to record his/her codeword $C_i=c_{i1}c_{i2}\cdots c_{in}$. Concretely, for $k=1,2\cdots,n$, $P_i$ selects the $k$-th carrier qubit in state $|0\rangle$ ($|1\rangle$) when $c_{ik}=0$ (1), and if $t_k$ is the position of the $k$-th carrier qubit in sequence $S_{ij}$,
should be satisfied. $P_i$ records the positions of these $n$ carrier qubits and asks $P_j$ to discard other qubits sent in $Z$-basis. Then in each sequence $S_{ij}$, there are $n$ carrier qubits (sent in Z-basis) carrying $P_i$’s secret, and all of the remaining qubits are sent in X-basis (which will be used as test qubits to detect participants’ cheating).(6) After all participants have finished step (5), for each sequence $S_{ij}$ ($i,j=1,2,\ldots,n$ and $j\neq i$), $P_i$ announces the positions and the initial states of the test qubits in this sequence, then $P_j$ checks $P_i$’s honesty by comparing $P_i$’s announcement with his/her own measurement outputs of the test qubits. If any mismatch occurs, the protocol aborts.
(7) Each participant $P_i$ records his/her measurement outputs of the $n$ carrier qubits in sequence $S_{ji}$ ($j=1,2,i-1\cdots,i+1,m$) with one $n$-bit string $C_j'=c'_{j1}c'_{j2}\cdots c'_{jn}$, that is, $c'_{ji}=0$ (1) if the measurement output of the $i$-th carrier qubit is $|0\rangle$ or $|+\rangle$ ($|1\rangle$ or $|-\rangle$). Note that the $n$ carrier qubits sent in Z-basis are measured in Z-basis with probability $1-p$ and in X-basis with probability $p$, so $C'_j$ will have on average $n\times p/2$ and at most $n\times p$ different bits (i.e., errors in the perspective of ECC) with the codeword $C_j$. As $p<\frac {d}{2n}$, these errors can be corrected by the $[n,k,d]$ code, so $P_i$ can successfully recover the codeword $C_j$ and the secret $K_j$ of the participant $P_j$.
(8) Each participant $P_i$ computes the finally key $K=K_1 \oplus K_2 \oplus \cdots \oplus K_m$.
3. Features and parameters
3.1 Example
We now give a simplified example with $m=3$ and $k=12$, that is, 3 participants $P_0$, $P_1$ and $P_2$ cooperate to share a $12$-bit final key. Suppose they use the $[23,12,7]$ code whose generation matrix is $G=(I_{12}, P)$, where $I_{12}$ is the identity matrix of order 12 and
3.2 Correctness
If all participants execute the protocol honestly, they can share an identical final key $K_1 \oplus K_2 \oplus \cdots \oplus K_m$. Each $k$-bit secret in our protocol is encoded into one $n$-bit codeword and is carried on $n$ carrier qubits. The $[n,k,d]$ code can correct no more than $\lfloor \frac {d-1}{2}\rfloor$ errors. As $P_i$ measures the $n$ carrier qubits in correct basis with probability $1-p$, and in conjugate basis with probability $p$, so the measurement output $C'_j$ in step (7) will have on average $d_a=np/2$ and at most $d_m=np$ different bits with the codeword $C_j$. As $p<\frac {d}{2n}$, $C'_j$ will have no larger than $\lfloor \frac {d-1}{2}\rfloor$ errors from $C_j$, which clearly can be corrected via ECC (See Fig. 2).
For example, suppose that they wants to share a 64-bit final key, then they can set $n=376$, $d=94$ and $p=0.1<\frac {d}{2n}$ (we will show that the [376,64,94] code is easy to acquire below). As the $n$ carrier qubits are measured with correct basis with probability $1-p$, and with the conjugate basis with probability $p$, so the number of errors in the $C'_j$ will be on average $n\times p/2=19$ and at most $n\times p=38$ in the worst case. Note that the utilized $[376, 64, 94]$ code can correct no more than 46 errors, so the errors in the $C'_j$ can be corrected and the correct secret $K_j$ can be elicited. Therefore, if all participants execute the protocol honestly, they can share an identical final key.
3.3 Capacity of loss-tolerance
Channel loss is inevitable in quantum transmission with current technology, but previous MQKA protocols generally cannot tolerate it. On one hand, each final key bit is generated by at least $m$ corresponding bits of the $m$ participants’ secrets. Even when only one qubit carrying one of these $m$ bits is lost, this final key bit cannot be shared successfully among all of the $m$ participants. On the other hand, in the traveling mode when dishonest participants use for example Lin et al.’s collusion attack [20] and find some final key bits are not favored ones, he/she can announce that the qubits contributing to them are lost, so that a more favored final key can be obtained. Luckily, our protocol can tolerate the channel loss because the participant $P_i$ encodes his/her secret only on the successfully detected qubits, and those lost ones can be discarded directly before that. Therefore, dishonest participant cannot tell a lie to obtain a more favored final key.
3.4 Removing the requirement of quantum storage
Our protocol can eliminate the requirement of quantum storage. The participants in previous QKA protocols generally needs stable quantum storage to store the qubits till some moment (e.g., after the decoy states are checked and/or correct measurement bases are revealed). However, stable and long-term quantum storage is out of reach with current technology. To solve this problem, we introduce the ECC to encode the secrets, which allows participants to measure the qubits immediately, without storing them. Concretely, eliminating the quantum storage can be achieved by the ECC for the following two reasons.
- • As analyzed in Sec. 3.2, the correctness of our protocol is assured by the $[n,k,d]$ code though the qubits are measured immediately without storage and some of them are measured in incorrect bases.
- • The security of our protocol is assured because each participant is allowed to select one of the two conjugate bases (though with different probabilities) to measure the received qubits immediately. As a result, outside eavesdropping and participant cheating can still be detected by the comparison of transmitted qubits and corresponding measurement outputs in steps (4) and (6), respectively.
3.5 Recognition of participants’ cheating
Our protocol can discriminate certain participants’ cheating with outside eavesdropping, and thus can find the dishonest participants. Previous QKA protocols generally utilize the decoy states to check outside eavesdropping and participants’ cheating simultaneously. That is, they can detect both of them but cannot discriminate them. In this case, a dishonest participant may cheat and attribute the errors he/she introduces on outside eavesdropping to keep good reputation or escape punishment. In our protocol, for each transmitted qubit sequence, the sender $P_i$ checks the outside eavesdropping with the help of the receiver in step (4), and aborts the protocol if he/she finds any mismatch. Then $P_j$ knows that $P_i$ is cheating if he/she finds some errors in $P_i$’s announcement in step (6) because $P_i$ himself/herself have confirmed in step (4) that there is no outside eavesdropping.
3.6 Choice of $n$ and $d$
We now discuss the choice of $n$, $d$ and their influence on the security and efficiency. Obviously, with the increase of key length $k$, the scale of the $[n,k,d]$ code generally will increase, then how to efficiently generate a suitable large-scale error-correcting code? According to the theory of error-correcting codes [29], a random binary generation matrix of size $k\times n$ defines a binary linear code with minimal distance at least $d$ except with probability $2^{-\alpha n}$ if
where $h(x)=-x\log _2(x)-(1-x)\log _2(1-x)$. We set $\alpha =0.01$ then obtain many choices of $n$ and $d$ (see Table 1) with failure probability $2^{-\alpha n}$, which ensures the ECC of proper size is easy to acquire. For example, when the participants want to share a $512$-bit key and set $k/n=0.52$, $d/n=0.1$, the codeword length $n$ will be $k/0.52\approx 985$, and $d$ will be $n\times 0.1=99$. They can establish a random binary matrix of size $512\times 985$ as the generation matrix to construct a $[985,512, 99]$ error-correcting code, then the failure (i.e., the minimum distance of the generated code is smaller than 99) probability is only $2^{-9.85}=0.0011$. As a result, when the participants want to share a 512-bit key, each participant will encode his/her 512-bit secret into a 985-bit codeword with the ECC and then distributes the codeword to others, then as many as 49 errors in the received codeword can be corrected successfully. Meanwhile, if a dishonest participant $P_i$ wants to change his/her secret to a more preferred one after learning the secrets of other participants, he/she has to change at least $d$ bits of the codeword. Therefore, a larger $d/n$ generally means that dishonest participant is more difficult to change his/her secret, but meanwhile the transmission efficiency will be low as $k/n$ decreases with the increase of $d/n$. That is, the security and efficiency of our protocol are in a trade-off relationship.Generally, we give the priority to security, i.e., ensuring first a big enough $d$ to prevent dishonest participant from changing his/her secret, and then we balance the efficiency. Concretely, when $k$ is large, even a larger $k/n$ can provide a big enough $d$, and hence we can select larger $k/n$ to improve the efficiency; when $k$ is small, we can set a small $k/n$ to ensure a larger $d$. For example, when $k=512$, we set $k/n=0.52$ and $d/n=0.1$, then the codeword length will be 985, and the minimum distance of the code, i.e. $d$, reaches 99; when $k=64$, we set $k/n=0.17$ and $d/n=0.25$, then the codeword length will be 376 and $d$ reaches 94.
4. Security analysis
4.1 Security against outside eavesdropping
We first consider the outside eavesdropping. To elicit the bits encoded on the carrier qubits, the outside eavesdropper Eve has to intercept the transmitted qubits, measure them in $Z$-basis, or elicit the classical bit encoded on the qubit by attaching an additional system on the qubit and conducting certain unitary operation. Without loss of generality, suppose Eve attaches a $|0\rangle$ on the intercepted qubit and conducts an unitary operation $U$ on the composite system, then we have
then4.2 Security against dishonest participants
Participant cheating in QKA has two styles. First, the dishonest participant tries to elicit the secrets of other participants before transmitting his/her secret to others so that he/she can choose a preferred secret. Second, the dishonest participant tries to change his/her secret to a more preferred one after the secrets of other participants have been revealed. We here show our protocol is secure even in the extreme case that $m-1$ participants $P_1, P_2,\ldots, P_{m-1}$ collude to cheat the remaining one honest participant, e.g. $P_0$.
First of all, the dishonest participants cannot elicit $P_0$’s secret before they transmit their secrets to $P_0$ because they does not know the positions of the “test qubits" and “carrier qubits” in the qubit sequences $S_{0j}$ ($j\neq 0$) transmitted by $P_0$. Following the protocol, the honest participant $P_0$ will transmit the qubits and select the checking ones in X and Z bases with equal probability 0.5, so after dropping the checking qubits in step (5), the remaining qubits in $S_{0j}$ ($j\neq 0$) are initially sent in X and Z bases with equal probability 0.5. As $P_0$ will choose and keep only $n$ qubits from those sent in Z-basis as the carrier qubits while keep all sent in X-basis survive as the test qubits, the proportion of test qubits will significantly larger than that of the carrier qubits in each sequence when step (5) is finished. Generally, the proportion of test qubits is at least twice or several times that of the carrier qubits. Therefore, the dishonest participants cannot identify the carrier qubits (from the sequences transmitted by the honest participant $P_0$) to elicit $P_0$’s secret in advance.
We now consider the second style of cheating, that is, dishonest participants try to change their secrets in steps (6) and (7) after learning $P_0$’s secret. As each participant’s secret is encoded with the $[n,k,d]$ error-correcting code and the carrier qubits carry the codeword other than the secret itself, dishonest participant, e.g., $P_j$ ($j\neq 0$), has to change at least $d$ bits in the transmitted codeword even when he/she wants to change only one bit of his/her secret. $P_j$’s possible cheating strategies to achieve this can be divided into the following categories.
4.2.1 Attack of interconverting partial carrier/test qubits
First of all, if the cheater $P_j$ initially transmits a secret $K_j$ to $P_0$, but wants to change it to a more favored secret $K'_j$ in steps (6-7), he/she has to announce some test qubits to be carrier qubits and announce some carrier qubits to be test qubits, i.e., interconverting partial carrier and test qubits. For example, when $P_j$ sends a carrier qubit, e.g. $|0\rangle$, but wants to reveal a bit $1$. $P_j$ needs to announce the carrier qubit $|0\rangle$ to be test qubit $|+\rangle$ or $|-\rangle$ in step (7), and announces another test qubit, e.g., $|+\rangle$, to be the carrier qubit with the hope that $P_0$ can measure it and obtain $1$. Clearly, honest $P_0$ measures the qubit $|+\rangle$ with Z-basis can only obtain $|1\rangle$ with probability $1/2$, meaning that $P_j$’s cheating can only succeed with probability $1/2$. Furthermore, as the carrier qubit $|0\rangle$ is announced to be $|+\rangle$ or $|-\rangle$ randomly, the honest participant $P_0$ can find an error in step (6) if he/she measures it with $X$-basis and obtains $|-\rangle$ or $|+\rangle$, with probability $p/2$. Therefore, for the $d$ carrier states which are announced to be test ones, the probability to detect this cheating is $1-(1-p/2)^d$, which tends to 1 with the increase of $d$. For example, when they use the $[1970, 1024, 197]$ code to share a 1024-bit final key and set $p=0.049<d/2n$, the probability to detect dishonest $P_j$’s such cheating in step (6) will be $1-(1-\frac {0.049}{2})^{197}=0.9925$.
Second, $P_j$ may not transmit a codeword of a specific secret to $P_0$. Instead, he may transmit an intermediate, e.g., one $n$-bit string which is close to two or several codewords. Without loss of generality, suppose $P_j$ selects two candidate secrets $K'_j$ and $K''_j$ whose codewords are $C_1$ and $C_2$, respectively. Suppose the distance between $C_1$ and $C_2$ is $d$. $P_j$ can find an $n$-bit string $C^*$ which has distance about $d/2$ from both $C_1$ and $C_2$. Then, $P_j$ only needs to change about $d/2$ bits in the string to convert his/her secret to $K'_j$ or $K''_j$. Luckily, this cheating still would be detected in step (6) because $k$ and $d$ are generally not too small. For example, when $k=1024$, a $[1970, 1024, 197]$ code is used and $p=0.049$, such cheating can still be detected in step (6) with the overwhelming probability $1-(1-\frac {0.049}{2})^{98}=0.9120$. Furthermore, as the preferred $k$-bit secret may be any $k$-bit string before the dishonest participants obtain $K_0$, the several candidate secrets, i.e. $K'_j$ and $K''_j$ (which are selected by $P_j$ before knowing $P_0$’s secret $K_0$), are probably not what $P_j$ wants, so this cheating can hardly provide any benefit for dishonest participants.
More generally, dishonest $P_j$ may send fake states instead of $|0\rangle$, $|1\rangle$, $|+\rangle$, $|-\rangle$ so that he/she can interconvert some carrier/test qubits to change his/her secret. Denote the state of the two qubits $P_j$ wants to interconvert by $\rho _{AB}$. Suppose the cheater $P_j$ wants to use a special $\rho _{AB}$ to reveal a bit 0 (1) to the receiver by announcing the states of $\rho _{AB}$ to be $|0\rangle |t_i\rangle$ ($|t_j\rangle |1\rangle$) , where $i,j=0,1$ and
That is, when $P_j$ wants the bit 0 to be revealed by the receiver, he/she will announce the first qubit as the carrier qubit and announce the second one to be the test qubit $|t_i\rangle$. As a result, when the measurement outputs of $\rho _{AB}$ are $|0\rangle |t_i\rangle$, $|+\rangle |t_i\rangle$, $|0\rangle |0\rangle$, $|0\rangle |1\rangle$, $|+\rangle |0\rangle$ and $|+\rangle |1\rangle$, the receiver will find no mismatch in the test qubit and record a bit 0 in $C'_j$, which means that $P_j$ cheats successfully. If the measurement outputs of $\rho _{AB}$ are $|0\rangle |t_i^{\bot }\rangle$, $|1\rangle |t_i^{\bot }\rangle$, $|t_i\rangle |t_i^{\bot }\rangle$ and $|t_i^{\bot }\rangle |t_i^{\bot }\rangle$, where $|t_i^{\bot }\rangle$ is orthogonal with $|t_i\rangle$, the receiver will find a mismatch in the test qubit, then this cheating will be detected. Similarly, when $P_j$ wants the bit 1 to be revealed by the receiver, he/she will announce the second qubit as the carrier qubit and announce the first qubit to be the test qubit $|t_j\rangle$. As a result, when the measurement outputs of $\rho _{AB}$ are $|t_j\rangle |1\rangle$, $|0\rangle |1\rangle$, $|1\rangle |1\rangle$, $|t_j\rangle |-\rangle$, $|0\rangle |-\rangle$ and $|1\rangle |-\rangle$, the receiver will find no mismatch in the test qubit and record a bit 1 in $C'_j$, which means that $P_j$ cheats successfully. If the measurement outputs of $\rho _{AB}$ are $|t_j^{\bot }\rangle |1\rangle$, $|t_j^{\bot }\rangle |0\rangle$, $|t_j^{\bot }\rangle |t_j\rangle$ and $|t_j^{\bot }\rangle |t_j^{\bot }\rangle$, the receiver will find a mismatch in the test qubit, then this cheating will be detected. Note that the receiver measures each qubit in X-basis (or Z-basis) with probability $p$ (or $1-p$), therefore, $P_j$’s success probability can be written asClearly, to ensure $p_d=0$, the cheater $P_j$ should prepare $\rho _{AB}$ in state $|t_j\rangle |t_i\rangle$, otherwise the receiver will detect $P_j$’s cheating with a nonzero probability. When $\rho _{AB}=|t_j\rangle |t_i\rangle$, we can obtain $p_s=\frac {1+p}{2}$. That is, $P_j$ can control one bit in the receiver’s $C'_j$ only with probability $\frac {1+p}{2}$. Imagine that when $P_j$ prepares $n$ such qubit pairs and wants to reveal a preferred secret to the receiver by this way, he/she can only succeed on about $n(\frac {1+p}{2})$ bits. That is, the measurement output of the receiver, $C'_j$, will have distance as large as $n(\frac {1-p}{2})$ from $P_j$’s preferred code word. As $\frac {d}{n}$ is generally greatly less than $\frac {2}{3}$ in our choices of error correcting code (see Table 1), we have
so $C'_j$ will not be corrected to the cheater $P_j$’s preferred secret. Therefore, such cheating can hardly succeed.We now consider the case that $p_d\neq 0$. Obviously, to change his/her secret, the cheater $P_j$ should increase $p_s$ and decrease $p_d$. We now discuss two strategies to achieve it.
- • Strategy I. $P_j$ chooses proper $\rho _{AB}$ to maximize $p_s$, i.e., maximizing the success ability of his/her cheating.
- • Strategy II. $P_j$ chooses proper $\rho _{AB}$ to maximize $p_s-p_d$, i.e., balancing to obtain a larger success probability and a lower detection probability of his/her cheating.
We now show the influence of $n$ and $d$ by comparing the cheater’s success probability and the probability of detecting the cheater under the above two strategies. We here mainly consider the following two cases.
- • First, the cheater $P_j$ prepares $n$ pairs of qubits in certain states $\rho _{AB}$ and uses them to make his/her secret to be any preferred one after learning the secrets of other participants. This cheating will be detected with probability $P_{D_1}=1-(1-p_d)^n$.
- • Second, as the minimum distance of the ECC is $d$, the cheater $P_j$ prepares $d$ pairs of qubits in certain states $\rho _{AB}$ and uses them to change his/her secret to be a more preferred one after learning the secrets of other participants. As these $d$ pairs are located in fixed positions in his/her sequences, he/she generally can only make his/she secrets to be very few secrets (which are probably unwanted ones) by cheating on them. This cheating will be detected with probability $P_{D_2}=1-(1-p_d)^d$.
4.2.2 Attack based on error-correcting code
As interconverting the carrier and test qubits would be detected in step (6), dishonest $P_j$ may not cheat on the test qubits, but tries to cheat only on the carrier qubits to alter his/her secret, with the hope that the errors induced by his/her cheating can be corrected by ECC. As the test qubits are treated honestly, this cheating cannot be detected in step (6). We now show that this cheating can hardly succeed.
Denote the state of the $n$ carrier qubits in the sequence $S_{j0}$ of cheater $P_j$ as $\rho _c$. Suppose that after learning the secret of the honest participant $P_0$, $P_j$ wants $K^*$ to be his/her own secret elicited by $P_0$, then he/she has to ensure that $P_0$’s measurement output of $\rho _c$, i.e. $C'_j$, has distance less than $d/2$ from $C^*$, where $C^*$ is the codeword of $K^*$. We now show that, such cheating can hardly succeed because it requires $P_j$ to know $K^*$ before the honest participant $P_0$’s secret is revealed.
We first consider the most simple case where $\rho _c$ is a direct product of $n$ states in Z-basis in the form of
where $D_1=d_{11}d_{12}\cdots d_{1n}$ an $n$-bit string. As $P_0$ measures each qubit in Z-basis with probability $1-p$ and in X-basis with probability $p$, the measurement output of these $n$ carrier qubits, i.e., $C'_j$ in step (7), will have distance on average $n\times p/2$ and at most $n\times p$ with $D_1$. Therefore, to ensure that all such measurement outputs can be corrected to the codeword $C^*$, $D_1$ should be very close to $C^*$ (as shown in Fig. 5). It requires that $P_j$ should know $C^*$ before he/she sends the states $\rho _c$ to $P_0$, which is clearly impossible.Then we consider that $\rho _c$ is pure superposition of direct product states $|D_k\rangle$ in the form of
Similarly, when $\rho _c$ is a mixed state (equivalent to that $P_j$ sends the carrier qubits in some pure states with certain prior probabilities), to ensure $P_0$’s measurement output has distance less than $d/2$ from $C^*$, $P_j$ also has to know $C^*$ before transmitting the carrier states to $P_0$.
In conclusion, though the utilizing of ECC can tolerate the errors induced by the measurement under incorrect bases, it does not give any advantage to the dishonest participant, that is, dishonest participant cannot change his/her secret to a preferred one by exploiting ECC because he/she cannot know which secret is the preferred one before learning honest participant’s secret.
5. Conclusion
We propose a QKA protocol based on ECC, which uses only single qubits as the carrier states and the X/Z measurement to elicit the information encoding on them. The use of ECC ensures that our protocol can tolerate the channel loss and remove the requirement of quantum storage, so our protocol is more practical and efficient. It can also discriminate dishonest participants’ cheating with outside eavesdropping, as a result, dishonest participants cannot keep good reputation and escape from punishment by blaming the errors induced by his/her cheating on outside eavesdropping. However, though ECC is used our protocol to correct errors induced by the measurement of qubits in incorrect bases, it remains unclear whether our protocol can tolerate the channel noise and what extent of channel noise can be tolerated. Our future work will focus on dealing with the channel noise in QKA.
Funding
National Natural Science Foundation of China (61902166, 62172196, 62272208); Natural Science Foundation of Henan Province (212300410062); the Guangxi Key Laboratory of Trusted Software (KX202040); and the Key Scientific Research Project in Universities of Henan Province (21A110017).
Disclosures
The authors declare that there are no conflicts of interest related to this article.
Data availability
The data underlying the results presented in this paper are not publicly available at this time, but may be obtained from the authors upon reasonable request.
References
1. P. W. Shor, “Algorithms for quantum computation: discrete logarithms and factoring,” in Proceedings of the 35th Annual Symposium on the Foundations of Computer Science, (Santa Fe, New Mexico, 1994), pp.124–134.
2. L. K. Grover, “A fast quantum mechanical algorithm for database search,” in Proceedings of the 28th Annual ACM Symposium on Theory of Computing, (New York, 1996), pp. 212–219.
3. C. H. Bennett and G. Brassard, “Quantum cryptography: Public key distribution and coin tossing,” in Proceedings of IEEE Int. Conf. on Computers, Systems and Signal Processing, (Bangalore, 1984), pp. 175–799.
4. N. Zhou, G. Zeng, and J. Xiong, “Quantum key agreement protocol,” Electron. Lett. 40(18), 1149–1150 (2004). [CrossRef]
5. C. W. Tsai and T. Hwang, “On quantum key agreement protocol,” Technical Report C-S-I-E, NCKU, Taiwan (2009).
6. S. K. Chong and T. Hwang, “Quantum key agreement protocol based on BB84,” Opt. Commun. 283(6), 1192–1195 (2010). [CrossRef]
7. W. Huang, Q. Y. Wen, B. Liu, F. Gao, and Y. Sun, “Quantum key agreement with EPR pairs and single-particle measurements,” Quantum Inf. Process. 13(3), 649–663 (2014). [CrossRef]
8. Y. F. He and W. P. Ma, “Two-party quantum key agreement protocol with four-particle entangled states,” Mod. Phys. Lett. B 30(26), 1650332 (2016). [CrossRef]
9. R. H. Shi and H. Zhong, “Multi-party quantum key agreement with bell states and bell measurements,” Quantum Inf. Process. 12(2), 921–932 (2013). [CrossRef]
10. B. Liu, F. Gao, W. Huang, and Q. Y. Wen, “Multiparty quantum key agreement with single particles,” Quantum Inf. Process. 12(4), 1797–1805 (2013). [CrossRef]
11. G. B. Xu, Q. Y. Wen, F. Gao, and S. J. Qin, “Novel multiparty quantum key agreement protocol with GHZ states,” Quantum Inf. Process. 13(12), 2587–2594 (2014). [CrossRef]
12. W. Huang, Q. Su, B. J. Xu, B. Liu, F. Fan, H. Y. Jia, and Y. H. Yang, “Improved multiparty quantum key agreement in travelling mode,” Sci. China-Phys. Mech. Astron. 59(12), 120311 (2016). [CrossRef]
13. X. R. Yin, W. P. Ma, D. S. Shen, and L. L. Wang, “Three-party quantum key agreement with Bell states,” Acta Phys. Sin. 62(17), 170304 (2013). [CrossRef]
14. X. R. Yin, W. P. Wen, and W. Y. Liu, “Three-party quantum key agreementwith two-photon entanglement,” Int. J. Theor. Phys. 52(11), 3915–3921 (2013). [CrossRef]
15. Z. W. Sun, C. Zhang, B. H. Wang, Q. Li, and D. Y. Long, “Improvements on “multiparty quantum key agreement with single particles”,” Quantum Inf. Process. 12(11), 3411–3420 (2013). [CrossRef]
16. C. Shukla, N. Alam, and A. Pathak, “Protocols of quantum key agreement solely using Bell states and Bell measurement,” Quantum Inf. Process. 13(11), 2391–2405 (2014). [CrossRef]
17. Z. C. Zhu, A. Q. Hu, and A. M. Fu, “Improving the security of protocols of quantum key agreement solely using Bell states and Bell measurement,” Quantum Inf. Process. 14(11), 4245–4254 (2015). [CrossRef]
18. Z. W. Sun, J. P. Yu, and P. Wang, “Efficient multi-party quantum key agreement by cluster states,” Quantum Inf. Process. 15(1), 373–384 (2016). [CrossRef]
19. Z. W. Sun, C. Zhang, P. Wang, J. P. Yu, Y. Zhang, and D. Y. Long, “Multi-party quantum key agreement by an entangled six-qubit state,” Int. J. Theor. Phys. 55(3), 1920–1929 (2016). [CrossRef]
20. S. Lin, X. Zhang, G. D. Guo, L. L. Wang, and X. F. Liu, “Multiparty quantum key agreement,” Phys. Rev. A 104(4), 042421 (2021). [CrossRef]
21. L. L Wang and W. P. Ma, “Quantum key agreement protocols with single photon in both polarization and spatial-mode degrees of freedom,” Quantum Inf. Process. 16(5), 130 (2017). [CrossRef]
22. W. Huang, Q. Su, B. Liu, Y. H. He, F. Fan, and B. J. Xu, “Effcient multiparty quantum key agreement with collective detection,” Sci. Rep. 7(1), 15264 (2017). [CrossRef]
23. B. Liu, D. Xiao, H. Y. Jia, and R. Z. Liu, “Collusive attacks to “circle-type” multi-party quantum key agreement protocols,” Quantum Inf. Process. 15(5), 2113–2124 (2016). [CrossRef]
24. H. K. Lo and H. F. Chau, “Is quantum bit commitment really possible?” Phys. Rev. Lett. 78(17), 3410–3413 (1997). [CrossRef]
25. D. Mayers, “Unconditionally secure quantum bit commitment is impossible,” Phys. Rev. Lett. 78(17), 3414–3417 (1997). [CrossRef]
26. C. Y. Wei, T. Y. Wang, and F. Gao, “Practical quantum private query with better performance in resisting joint-measurement attack,” Phys. Rev. A 93(4), 042318 (2016). [CrossRef]
27. C. Y. Wei, X. Q. Cai, B. Liu, T. Y. Wang, and F. Gao, “A Generic Construction of Quantum-Oblivious -Key-Transfer-Based Private Query with Ideal Database Security and Zero Failure,” IEEE Trans. Comput. 67(1), 2–8 (2018). [CrossRef]
28. C. Y. Wei, X. Q. Cai, T. Y. Wang, S. J. Qin, F. Gao, and Q. Y. Wen, “Error Tolerance Bound in QKD-Based Quantum Private Query,” IEEE J. Select. Areas Commun. 38(3), 517–527 (2020). [CrossRef]
29. F. J. MacWilliams and N. J. A. Sloane, The Theory of Error-Correctiny Codes (North-Holland, 1977).