Measurement-device-independent multi-party quantum key agreement

Quantum key agreement (QKA) is an important quantum cryptography primitive. In a QKA protocol, two or more untrusted parties can agree on an identical key in such a way that they equally influence the key and no subset can decide it alone. However, in practical QKA, the imperfections of the participant’s detectors can be exploited to compromise the security and fairness of QKA. To remove all the detector-side-channel loopholes, a measurement-device-independent multi-party QKA protocol is proposed. The protocol exploits the post-selected GHZ states to generate a secure agreement key between legitimate participants, while ensuring the fairness of key agreement. Our protocol provides a new clue for the design of practical QKA protocols.


Introduction
Securing group communication has received lots of attention in recent years. The approach of supporting secure group communication is to maintain a secret known only to all group members. The way of generating this secret is known as group key establishment. There are two ways to realize it. One is centralized key establishment, i.e., key distribution, where one party generates a group secret. It is appropriate for 2-party (e.g., client-server or peer-to-peer) communication as well as for large multicast groups. However, many collaborative group settings (e.g., remote board meetings, teleconferences, white-boards, shared instruments, secure and efficient data sharing, collaborative workspaces, cloud computing, and command-and-control systems) require distributed key establishment techniques, i.e., distributed group key agreement.
A key agreement protocol aims to generate a common conference key for multiple participants to ensure the security of their later group communications in such a way that all influence the outcome. Since it was introduced by Diffie and Hellman in their seminal paper (Diffie and Hellman, 1976), the key agreement protocol has become one of the fundamental cryptographic primitives. However, classical key agreement protocols are based on public key cryptography, whose security rests on assumptions of computational complexity. With the proposal of the quantum computer, classical cryptosystems face certain security threats, so quantum cryptography came into being.
Generally speaking, a secure QKA should satisfy four conditions. (C1) Correctness: At the end of the protocol, each participant will get the correct agreement key. (C2) Fairness: All participants have equal influence on the agreement key, that is, any non-trivial subset of participants cannot determine the agreement key alone. (C3) Security: No external eavesdropper can obtain the information about the agreement key without being detected. (C4) Privacy: All participants' sub-keys must remain confidential, and only the participants themselves know their own sub-keys. Since Zhou et al. proposed the first QKA protocol (Zhou et al., 2004) in 2004, various novel two-party and multi-party QKA protocols have been proposed (Tsai and Hwang, 2009; Chong and Hwang, 2010; Liu et al., 2013a; Shi and Zhong, 2013; He and Ma, 2015; Sun et al., 2016; He and Ma, 2017; Mohajer and Eslami, 2017; Wang et al., 2017; Yang et al., 2019b; Li and Li, 2020; Naresh et al., 2020; Naresh and Reddi, 2020; Zhou et al., 2020; Zhu et al., 2021a; Zhu et al., 2021b; Huang et al., 2021; Lin et al., 2021; Yang et al., 2022).
In practice, deviations in the actual behavior of a physical device from its ideal behavior can lead to significant practical security issues. Quantum hackers can exploit these device flaws, especially detector defects, to perform time-shift attacks, bright light blinding attacks, and other attacks on detectors (Qi et al., 2007; Makarov, 2009; Lydersen et al., 2010; Xu et al., 2020). To address this security issue, measurement-device-independent QKD (MDI-QKD) was proposed, which removes all detector-side channel loopholes (Lo et al., 2012). The advantage of MDI-QKD is that it is only necessary to assume that legitimate participants have a trusted state preparation device. Thus, the measurement device can be considered as a black box, which naturally removes all detector-side channels. Various MDI-QKD experimental systems have been successfully demonstrated (Liu et al., 2013b; Ferreira da Silva et al., 2013; Rubenok et al., 2013; Woodward et al., 2021) and extended to the communication network (Tang et al., 2016). Various new MDI-QKD protocols, such as twin-field QKD (Lin and Lütkenhaus, 2018; Lucamarini et al., 2018; Ma et al., 2018; Wang et al., 2018) and mode-pairing QKD (Zeng et al., 2022), have also been proposed. Recently, the MDI-QKD proposed by Fan et al. achieves networking of QKD by combining cost and the user needs, enabling the network to meet high key rates or achieve high security levels (Fan-Yuan et al., 2021). Next, they proposed the MDI-QKD protocol, which is robust to environmental disturbances and highly adaptive to multi-user access (Fan-Yuan et al., 2022). Wang et al. proposed the long-distance TF-QKD protocol, which can achieve long-distance key distribution of more than 830 km. This is a great breakthrough: at similar distances, the secure key rate of this protocol is two orders of magnitude greater than that of previous key distribution (Wang et al., 2022).
However, there is little work related to MDI-QKA. Recently, Cai et al. proposed a three-party MDI-QKA protocol (Cai et al., 2022).
In this protocol, the participant Charlie needs to implement a Z-basis or X-basis measurement on his Greenberger-Horne-Zeilinger (GHZ) particle c, where the Z-basis measurement result is just the agreement key. However, if an external eavesdropper manipulates Charlie's measurement device, the device may leak Charlie's Z-basis measurement result, i.e., the agreement key, to the external eavesdropper, thus threatening the security of the MDI-QKA protocol.
To eliminate all detector-side channel loopholes in QKA, a new multi-party MDI-QKA protocol is proposed. The protocol utilizes post-selected GHZ states to generate secure agreement keys among the multiple participants while ensuring fairness in key agreement. The protocol only needs to assume that the participants' state preparation devices are trusted, and thus the security is better than that of Cai et al.
The rest of this paper is organized as follows: In Section 2, a three-party MDI-QKA protocol is first proposed. In Section 3, the protocol is analyzed in terms of correctness, fairness, and security. In Section 4, the generalization of the three-party MDI-QKA protocol to n-party is proposed. The last section gives the discussion and conclusion.
2 The three-party MDI-QKA protocol

Suppose that the three participants Alice, Bob and Charlie want to jointly negotiate a key K. David is the untrusted relay for implementing GHZ state measurements. The process of the three-party MDI-QKA protocol is described as follows.
(2) David performs three-particle GHZ state measurements on photons received at the same positions in the three sequences and publishes the results of his measurements. The three-particle GHZ state can be described as ) .
(3) Alice, Bob and Charlie randomly select the photon subset corresponding to successful GHZ state measurement by David as the decoy photons, notify the other two parties of the location of the photon subset and ask them to announce their decoy photon states, respectively. They discard the positions with different tripartite preparation bases. When the bases are the same, they check whether the correlation between the tripartite decoy photon states and David's GHZ state measurements satisfies formulas (2)-(17). If the error rate is higher than the preset value, they will terminate the protocol, otherwise continue to the next step.
(4) After all participants complete the eavesdropping detection, they publish the basis information of their remaining single photon states corresponding to the successful GHZ state measurements by David. Finally, the three participants choose the states in Z basis to generate the raw key K′.
(5) Alice, Bob and Charlie generate the final key K by performing error correction and privacy amplification on the raw key K′.
3 Analysis of correctness, fairness and security

Correctness
Theorem 1. Suppose Alice, Bob and Charlie are honest; then they can negotiate a key K together.
Proof. It can be shown that if Alice, Bob and Charlie perform the above protocol honestly, they can negotiate the raw key K′ together. This is because when David successfully implements GHZ state measurement and the three preparation bases are Z bases, it can be seen from formulas (2)-(9) that the particle states prepared by Alice, Bob and Charlie can only have two combinations, namely, |0〉|0〉|0〉 and |1〉|1〉|1〉 with equal probability. Thus, each party can infer from its own single photon state that the other two parties prepared the same state. For example, if Alice prepared the single photon state |0〉, she can infer that Bob and Charlie also prepared the single photon state |0〉. So, "0" can be used as the agreement key. Therefore, Alice, Bob and Charlie can jointly negotiate a key K′. On this basis, Alice, Bob and Charlie generate an agreement key K after implementing error correction and privacy amplification on K′.
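The post-selection argument in this proof and the decoy correlation checked in step (3) can be verified numerically; the sketch below is an added example, not code from the paper, and it works for any number of parties. It assumes the successful outcomes are |Φ_0^±〉 = (|0…0〉 ± |1…1〉)/√2 (the paper's own formulas are not reproduced on this page), and all function names are hypothetical.

```python
import itertools
import math

S = 1 / math.sqrt(2)
# Amplitudes (on |0>, on |1>) of the four preparation states used in the protocol.
STATES = {"0": (1.0, 0.0), "1": (0.0, 1.0), "+": (S, S), "-": (S, -S)}
EPS = 1e-12

def outcome_prob(prep, sign):
    """Born probability that the relay announces Phi_0^sign for a product state.

    Assumption: |Phi_0^+-> = (|0...0> +- |1...1>)/sqrt(2), so only the
    all-zero and all-one components of the product state contribute.
    """
    amp0 = math.prod(STATES[s][0] for s in prep)
    amp1 = math.prod(STATES[s][1] for s in prep)
    return ((amp0 + sign * amp1) * S) ** 2

def allowed_outcomes(prep):
    """Signs of Phi_0 that can occur at all for this preparation."""
    return {sign for sign in (1, -1) if outcome_prob(prep, sign) > EPS}

def decoy_error(prep, announced_sign):
    """Decoy check: True when the announced outcome is impossible
    for the states the parties say they prepared."""
    return announced_sign not in allowed_outcomes(prep)

def z_posterior(n, sign):
    """Posterior over all-Z preparations given outcome Phi_0^sign
    (uniform prior over the 2^n Z-basis strings)."""
    preps = ["".join(p) for p in itertools.product("01", repeat=n)]
    weights = {p: outcome_prob(p, sign) for p in preps}
    total = sum(weights.values())
    return {p: w / total for p, w in weights.items() if w > EPS}

if __name__ == "__main__":
    # All-Z rounds: only 000 and 111 survive, each with posterior 1/2,
    # so the announced outcome reveals nothing about the raw key bit.
    print(z_posterior(3, 1))
    # Decoy rounds: |+++> may yield Phi_0^+ but never Phi_0^-.
    print(allowed_outcomes("+++"), decoy_error("+++", -1))
```
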

Fairness
Theorem 2. No subset of participants can determine the agreement key K alone.
Proof. It follows from Theorem 1 that if a subset of participants wants to determine the key K alone, they must first determine the raw key K′. However, this is not possible. Suppose Alice and Bob want to independently determine the raw key K′. Since the raw key K′ is generated when the composite states of Alice, Bob and Charlie are |0〉|0〉|0〉 or |1〉|1〉|1〉, and each single photon state of Charlie is randomly selected from {|0〉, |1〉, |+〉, |−〉}, Alice and Bob cannot clearly distinguish these four non-orthogonal states, that is, they cannot identify the single photon state of Charlie according to the Heisenberg uncertainty principle. If Alice and Bob try to intercept Charlie's single photon sequence and send a forged single photon sequence to David, it will be detected with non-zero probability in step (3) when Charlie performs the security detection. The most common attack strategy is for Alice and Bob to prepare an auxiliary particle |ϵ〉 and entangle it with Charlie's single photon, and then the state evolution of the composite system consisting of Alice and Bob's auxiliary particle and Charlie's single photon is Therefore, the probability of being detected under Alice and Bob's entangle-ancilla attack, i.e., David's probability of getting $|\Phi^{-}\rangle$ is where $|X|^2 = X^{\dagger}X$. In order not to be detected, we should let $P_d(|{+}{+}{+}\rangle) = 0$ and $P_{nd}(|0\rangle) = P_{nd}(|1\rangle) = P_{nd}(|+\rangle) = P_{nd}(|-\rangle) = 1$. We can deduce that $|\epsilon_{01}\rangle = |\epsilon_{10}\rangle = 0$. This means that Alice and Bob's auxiliary particle and Alice, Bob and Charlie's single photons must be in the tensor product state. So, Alice and Bob cannot obtain the information on Charlie's single photon state.
Finally, we consider another possible attack strategy, that is, when Charlie chooses a subset of photons as decoy photons, Alice and Bob deliberately declare their bases differently. In this case, Charlie cannot successfully implement security detection. However, if Alice and Bob adopt such a strategy for all the decoy photons, Charlie will notice the abnormal behavior. For a decoy photon, the probability that Alice's basis and Bob's basis are different is 1/2. If the number of decoy photons is m, the probability that Alice's and Bob's bases are inconsistent for all m decoy photons is $\frac{1}{2^m}$. When m is large, the probability of such an occurrence is negligible. Charlie will detect the occurrence of this abnormal behavior.

Security
The proposed MDI-QKA protocol uses the post-selected GHZ state to generate the negotiation key when the three-photon state of Alice, Bob and Charlie is |0〉|0〉|0〉 or |1〉|1〉|1〉. To obtain the negotiation key, the external eavesdropper Eve must attack when the three parties send their single-photon states to David. However, because these single-photon states are randomly in one of {|0〉, |1〉, |+〉, |−〉}, Eve cannot directly intercept and measure these single-photon states without being detected. The most common attack strategy is for Eve to prepare an auxiliary particle |ϵ〉 and entangle it with a single photon of a participant such as Alice. Eve can use a similar approach to eavesdrop on the single photon states of Bob and Charlie. For simplicity and without loss of generality, assume that Alice, Bob, and Charlie each choose the decoy state |+〉 for security detection. Without eavesdropping, according to formula (10), if David's implementation of the GHZ state measurement is successful, only $|\Phi_0^{+}\rangle$ will be obtained while $|\Phi_0^{-}\rangle$ is impossible. Under Eve's entangle-ancilla attack, the state of the composite system consisting of Alice, Bob and Charlie's single photons and Eve's auxiliary particles will evolve into where Then the probability that Eve is detected, that is, David's probability of getting $|\Phi_0^{-}\rangle$ is In order not to be detected, we let $P_d(|{+}{+}{+}\rangle) = 0$ and We can deduce $|\epsilon_{01}\rangle = |\epsilon_{10}\rangle = 0$. This means that Eve's auxiliary particle and Alice, Bob and Charlie's single photons must be in the tensor product state. So, Eve cannot obtain any information on the key by measuring the auxiliary particle.
Consider another scenario where the untrusted relay David tries to obtain the raw key K′. When David gets the measurement result $|\Phi_0^{+}\rangle$ or $|\Phi_0^{-}\rangle$, the states of Alice, Bob and Charlie are in |0〉|0〉|0〉 and |1〉|1〉|1〉 with equal probability according to formulas (2) and (9). Therefore, David cannot obtain any information on the raw key K′.

Liu et al. 10.3389/frqst.2023.1182637

4 Generalization to the n-party

The above three-party protocol can be easily extended to the n-party one. Suppose that the n participants Alice$_1$, Alice$_2$, ..., Alice$_n$ (n > 3) want to jointly negotiate a key K. David is the untrusted relay for implementing GHZ state measurements. The process of the n-party MDI-QKA protocol is described as follows.
(2) David performs n-particle GHZ state measurements on the received photons at the same positions in the n sequences and publishes the results of his measurements.
(3) Alice$_1$, Alice$_2$, ..., Alice$_n$ randomly select the photon subset successfully measured by David as the decoy photons, notify the other n-1 parties of the location of the photon subset and ask them to announce their decoy photon states. They discard the positions with different preparation bases of the n parties. When the bases are the same, they check whether the correlation between the n parties' decoy photon states and David's GHZ state measurements is satisfied. If the error rate is higher than the preset value, they will terminate the protocol, otherwise continue to the next step.
(4) After all participants complete the eavesdropping detection, they publish the basis information of their remaining single photon states corresponding to the GHZ state measurements successfully performed by David. Finally, the n participants choose the states in Z basis to generate the raw key K′.
(5) Alice$_1$, Alice$_2$, ..., Alice$_n$ generate the final key K by performing error correction and privacy amplification on the raw key K′.

Discussion and conclusion
Since both Cai et al.'s protocol (Cai et al., 2022) and the proposed one are based on GHZ states, we will clarify the difference between them and why the proposed one is more "secure". In Cai et al.'s protocol, the participant Charlie needs to implement a Z-basis or X-basis measurement on his Greenberger-Horne-Zeilinger (GHZ) particle c, where the Z-basis measurement result is just the agreement key. However, if an external eavesdropper manipulates Charlie's measurement device, the device may leak his Z-basis measurement result, i.e., the agreement key, to the external eavesdropper, thus threatening the security of the MDI-QKA protocol.
In contrast, the proposed protocol exploits the post-selected GHZ states to generate a secure agreement key between legitimate participants. In our protocol, the measurement device is treated as a black box. David takes charge of performing GHZ state measurement and publishing the GHZ state measurement result. The participants each prepare a single photon sequence separately, and every single photon is randomly in one of the states {|0〉, |1〉, |+〉, |−〉}. When David successfully implements GHZ state measurement and all the participants choose the Z bases in those instances, the state combinations prepared by the participants are only |0〉|0〉|0〉 and |1〉|1〉|1〉 with equal probability. The agreement key is just the subkeys of the participants. So, even if the eavesdropper obtains the GHZ state measurement result, as long as he does not conspire with a participant, he will not be able to obtain the agreement key. Therefore, the proposed protocol is more secure than that of Cai et al. One main difference between MDI-QKD and MDI-QKA is that in MDI-QKD, all the participants except the untrusted third party are honest, while in MDI-QKA, not all the participants are honest. As we know, fairness is one of the conditions required for an MDI-QKA protocol. Fairness in QKA means that all participants have equal influence on the agreement key, that is, any non-trivial subset of participants cannot determine the agreement key alone. In contrast, fairness is not required for MDI-QKD. Only the security against outside eavesdroppers is taken into account in an MDI-QKD protocol.
In Yang et al. (2022), a detector-device-independent (DDI) QKA (DDI-QKA) protocol was proposed based on single-photon Bell-state measurement. Only the time-bin and path encoding are needed. Complete Bell-state measurement can be achieved based on the time-bin and path. It is implemented with linear optical elements only and thus it is feasible with current technology. In this paper, a multi-party MDI-QKA protocol is proposed. The protocol exploits the post-selected GHZ states to generate a secure agreement key between legitimate participants, while ensuring the fairness of key agreement. Only GHZ state measurements and the single photon state are required, making the operation simple.
In this paper, we propose a new MDI-QKA protocol that removes all detector-side channels. We discuss the efficiency of generating secret keys for this protocol. Regardless of eavesdropping detection, the raw key of the protocol is generated when the participants select the Z-basis, while the single photon for each individual is randomly selected from the set {|0〉, |1〉, |+〉, |−〉} and the probability of selecting the Z-basis is $\frac{1}{2}$. For the three-party protocol, the probability that the participants all pick the Z-basis is $\left(\frac{1}{2}\right)^3 = 12.5\%$. When extended to n-party users, the probability will be $\left(\frac{1}{2}\right)^n$. Clearly, the raw key rate decreases significantly as the number of participants increases, and it is lower than that of the existing QKA protocols (Tsai and Hwang, 2009; Chong and Hwang, 2010; Liu et al., 2013a; Shi and Zhong, 2013; He and Ma, 2015; Sun et al., 2016; He and Ma, 2017; Mohajer and Eslami, 2017; Wang et al., 2017; Yang et al., 2019b; Li and Li, 2020; Naresh et al., 2020; Naresh and Reddi, 2020; Zhou et al., 2020; Zhu et al., 2021a; Zhu et al., 2021b; Huang et al., 2021; Lin et al., 2021; Yang et al., 2022). Similar to the protocol of Cai et al., the actual efficiency of the protocol will be lower if channel loss and compression are considered. Therefore, future work will focus on how to improve the efficiency of the MDI-QKA protocol to enhance its practicality. Since the implementation of the protocol is inevitably affected by noise, the threshold value for the error rate should be provided before implementing it. However, in this paper, no exact threshold value is given, which is also the case for many multiparty quantum cryptography protocols and remains an open problem. Combined with quantum state discrimination, we will study this problem in the future.