Introduction

In 1984, the first quantum cryptographic protocol, known as BB84 quantum key distribution protocol was proposed by Bennett and Brassard1. Since its unconditional security is guaranteed by the laws of quantum mechanics, quantum cryptography has become a heated topic, and various protocols including quantum key distribution (QKD)1,2, quantum secure direct communication (QSDC)3,4,5,6,7,8,9, quantum secret sharing (QSS)10,11, etc., have been proposed. Recently, Quantum key agreement(QKA), a new branch of quantum cryptography, has attracted extensive attention.

Different from QKD, QKA can fairly and securely negotiate a final key among users. That is, the final key is equally determined by each participant and any non-trivial subset of the participants cannot absolutely predetermine the final key. In 2004, Zhou et al. proposed the first QKA protocol by utilizing the quantum teleportation technique12. In the same year, Hsueh and Chen proposed another QKA protocol by employing the entangled states13. Nevertheless, Tsai et al. pointed that neither of the two protocols is secure14,15. In 2010, Chong and Hwang devised a QKA protocol based on BB8416. However, the above protocols are all based on two-party. To extend QKA to the multi-party case, Shi and Zhong designed the first multiparty QKA (MQKA) protocol based on Bell states in 201317. Since then, many MQKA protocols using single or entanglement quantum states have been proposed18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34.

Liu18 pointed out that existing MQKA protocols can be classified into three types according to the transmission topology of quantum photons: complete-graph-type17,20, circle-type19,21,22,23,24,25,26,27,28,29,30,31,32,34 (also known as travelling-mode) and tree-type35. In the first type, every participant sends each of other participants a sequence of photons which carries the information of his/her secret key. In the second type, each participant only sends out one sequence, which will be operated by each of other participants by turns and sent back to the one who prepares it. The third type is one participant generates a sequence of high dimensional photon states (e.g. GHZ states) and sends each of other participants one of its particles. Since the travelling-mode is more efficient than complete-graph-type and easier to satisfy the fairness property compared with the tree-type, it has attracted comprehensive study. In 2013, Sun et al. presented a MQKA protocol19 in travelling-mode to improve the efficiency of Liu et al’s MQKA protocol20. In 2014, Shukla et al. proposed a travelling-mode MQKA protocol based on Bell state and Bell measurements21. In 2015, Zhu et al. put forward the attack strategy to defeat Shukla et al’s protocol and proposed an improved version22. In 2018, Abulkasim pointed out that Wang and Ma’s protocol23 is susceptible to participant’s attacks and proposed an improved protocol24. Meanwhile, Cao and Ma proposed two MQKA protocols which were designed to be immune to the collusive attack25; they also presented a MQKA protocol based on non-orthogonal quantum entangled pairs34. Besides, some protocols based on higher-dimensional quantum states, such as five-qubit brown states26, G-Like states28, and four-qubit symmetric W state29, were presented.

In these travelling-mode MQKA protocols, we find that some protocols25,26,27,28,29,30 cannot resist dishonest participant’s attacks, which leads to the failure of fairness property19. The dishonest participant can take advantage of a favorable geographical location or collude with other participants to predetermine the final keys of honest participants without being discovered. Besides, we also find there exists the problem of information leakage in Cao-Ma MQKA protocol34. Following we take two Cao-Ma MQKA protocols25,34 as examples to demonstrate the attacks in detail. To resist these attacks, We propose a new MQKA protocol based on non-orthogonal Bell states by utilizing Pauli and rotation operations. Our proposed protocol has three noticeable advantages: Firstly, owing to the use of non-orthogonal Bell states, the proposed protocol can resist attacks from both internal dishonest participants and external eavesdroppers. It also effectively solves the problem of information leakage in Cao-Ma protocol. Secondly, the frequency of eavesdropping detection has been greatly reduced. Hence, the qubit efficiency and measurement efficiency of our proposed protocol are higher than those of the existing secure ones20,32,33,34. Thirdly, since only Bell states and unitary operations are employed, the protocol is feasible with the current technology.

The rest of the paper is organized as follows. Next section first reviews and analyzes the security of Cao-Ma MQKA protocols, then introduces our improved travelling-mode MQKA protocol in detail, followed by the security analysis and efficiency comparisons with existing secure protocols. Furthermore, an optical setup is provided. Finally, a short conclusion of this paper is given in the final section.

Results

Review of Cao-Ma MQKA protocols

In this section we briefly describe the Cao-Ma MQKA protocol 125 without trust party and Cao-Ma MQKA protocol 234 based on non-orthogonal quantum entangled pairs respectively.

Cao-Ma MQKA protocol 1

The main process of Cao-Ma MQKA protocol without trust party can be divided into two stages. The first stage is initialization and encoding stage. Each participant Pi(i = 0, 1, …, N−1) possesses a n-bit 0–1 sequence \({\tilde{K}}_{i}\) and TSi as his secret key and additional random sequence, and calculates \({K}_{i}={\tilde{K}}_{i}\oplus T{S}_{i}\). Then he prepares a sequence of Bell states randomly selected from four Bell states, wherein the states of the photon sequence can be expressed as Wi. Each participant keeps the first photon sequence in his hand and sends the second photon sequence which is inserted into decoy photons to next participant Pi+1. Pi and Pi+1 perform eavesdropping checking. If the communication is secure, Pi+1 performs one of the four Pauli operations on the received photon sequence according to Ki+1. Next, Pi+1 inserts decoy photons into the photon sequence and sends it to next participant Pi+2. This process continues until Pi gets the sequence which he generated. The second stage is final key negotiation stage. After each participant gets the sequence he generates, he performs Bell measurements on corresponding photon pairs. The measurement results of the sequence can be expressed as Vi. Then each participant Pi publishes his random sequence TSi and calculates TS = TS0TS1 … TSN−1. Finally, each participant can obtain the final common key Kc, where \({K}_{c}=TS\oplus {W}_{i}\oplus {V}_{i}\oplus {\tilde{K}}_{i}\).

Cao-Ma MQKA protocol 2

This protocol is based on non-orthogonal quantum pairs and adopts the idea of Pauli and Hadamard operations mixed encoding. The process is as follows. Firstly, there are eight photon pairs which are in BS = {|ϕ+〉, |ϕ〉, |ψ+〉, |ψ〉} and DBS = {H|ϕ〉, H|ϕ+〉, H|ψ〉, H|ψ+〉}, and four unitary operations in U = {U00, U11, U01, U10} = {I, iY, H, iYH}, wherein H is Hadamard operation. Each participant Pi(i = 0, 1, …, N−1) generates a sequence of classical bits Ki as his private key, wherein Ki {00, 11, 01, 10}. Moreover, Pi also generates a sequence Ci, where Ci is 0 if Ki {00, 11} and Ci is 1 if Ki {01, 10}. Then each participant Pi prepares a random quantum pair sequence from BS or DBS and transmitted the second photon sequence to the next participant Pi+1. After receiving the sequence, Pi+1 executes the eavesdropping checking and performs unitary operations on the received quantum sequence according to his private key. Until each participant has encoded his private key on the photon sequences of others and receives the sequence he generates, he publishes a classical sequence Ci to reveal the measurement basis and calculates C = C1C2 … CN. Each participant performs BS or DBS measurements on the photon pairs according to C. If C is 0, the measurement basis is the same as the initial state; otherwise, the measurement basis is the dual basis of the initial states. Finally, all participants can extract the common key by comparing the initial states and measurement results.

Security analysis of the Cao-Ma MQKA protocols

In this section, we first show that the dishonest participant in Cao-Ma MQKA protocol 1 can take advantage of a favorable geographical location or collude with other participants to predetermine the final key without being discovered, leading to the failure of fairness property. Next we reveal the problem of information leakage in Cao-Ma MQKA protocol 2.

Fairness analysis

In travelling-mode MQKA protocols, participants encode their secret keys on photons by performing the unitary operations. Besides, they usually perform additional random operations on photons in case to divulge the secret keys. Therefore, once the additional operation is obtained, the participant will deduce the final key directly. Following we take the tripartite (Alice, Bob and Charlie) example to introduce the attack strategy. Suppose Bob is a dishonest participant, his detailed attack process is as follows.

  1. (1)

    Before Alice and Bob publish the random sequence TSA and TSC, Bob selects an advantageous geographical position aside Alice and Charlie so that he can get TSA and TSC earlier than expected.

  2. (2)

    Once Bob gets the sequence, he calculates the final key \(K=T{S}_{A}\oplus T{S}_{C}\oplus {\tilde{K}}_{B}\oplus {W}_{B}\oplus {V}_{B}\) and M = KK′, where K′ is the final key he excepts.

  3. (3)

    Then Bob informs Alice and Charlie of \(T{S^{\prime} }_{B}\) = MTSB. Thus, Alice and Charlie will get the illegal final keys KA = \({\tilde{K}}_{A}\oplus T{S^{\prime} }_{B}\oplus T{S}_{C}\oplus {W}_{A}\oplus {V}_{A}\) = K′ and KC = \({\tilde{K}}_{C}\oplus T{S^{\prime} }_{B}\oplus T{S}_{A}\oplus {W}_{C}\oplus {V}_{C}\) = K′ as Bob anticipates.

Through the above operations, Bob can determine the final keys of Alice and Charlie. Following, we will analyze the collusion attack in detail. For clarity, we assume that four participants P0, P1, P2 and P3 want to generate the final key. P1 and P3 are dishonest and want to steal P2’s secret key. The detailed attack process is as follows:

  1. (1)

    P0 prepares a sequence of Bell states |PS10PS20〉, then he transmits the second photon sequence |PS20〉 with decoy photons \(|{\tilde{PS}}_{2}^{0\to 1}\rangle s\) to P1.

  2. (2)

    P1 performs unitary operations on the received photons according to his secret key and sends the sequence \(|{\tilde{{U}^{1}PS}}_{2}^{0\to 1}\rangle \) to P3 instead of P2 as illustrated in Fig. 1. Meanwhile, P1 prepares a fake sequence of Bell states |S11S21〉 and sends the first photon sequence \(|{\tilde{S}}_{1}^{1\to 3}\rangle \) to P3 and the second photon sequence \(|{\tilde{S}}_{2}^{1\to 2}\rangle \) to P2.

    Figure 1
    figure 1

    Dishonest participants’ collusive attack strategy. P1 and P3 collude to eavesdrop on the honest participant P2’s secret key.

    Full size image
  3. (3)

    After security checking, as P2 does not know the received photon sequence is fake, he encodes the sequence by performing unitary operations according to TS2 and sends the sequence \(|{\tilde{{U}^{2}S}}_{2}^{1\to 2}\rangle \) to P3.

  4. (4)

    After confirming P3 has received the sequence \(|{\tilde{{U}^{2}S}}_{2}^{1\to 2}\rangle \), P2 and P3 execute eavesdropping checking. If the communication is secure, P1 and P3 will perform Bell measurement on |S11→3〉 and |U2S21→2〉. Then they can get P2’s unitary operations, i.e., \({\tilde{K}}_{2}\)TS, by comparing the measurement results and initial states.

  5. (5)

    P3 encodes photon sequence |U1PS20→1〉 with P2’s unitary operations and his unitary operations. P3 also generates some decoy photons and inserts them in to |U3U2U1PS20→1〉 randomly. Then he sends the sequence to P0.

  6. (6)

    P1 and P3 wait for the common key negotiation stage, where every participant publishes his TSi. By comparing P2’s unitary operations and TS2, P1 and P3 can effortlessly recover \({\tilde{K}}_{2}\). For example, suppose the fake photon pairs prepared by P1 is |ϕ+〉, and the result of Bell measurement by P1 and P3 is |ϕ+〉 after P2’s encoding, they can deduce the operation performed by P2 is U00. Assume the TS2 published by P2 is 01, P1 and P3 can definitely deduce the P2’s secret key is 01 according to Table 1. Then P1 and P3 can determine P2’s final key by announcing fake TS1 and TS3.

    Table 1 Relationship between P1’s photon states, P2’s operations and P3’s measurement results.
    Full size table

In addition to the Cao-Ma protocol 1, these agreements26,27,28,29,30 are also vulnerable to dishonest participants’ collusion attack, where indicates the protocols cannot satisfy the fairness property.

Information leakage analysis

Information leakage is that Eve can extract some information about secret key without any active attack36. In Cao-Ma MQKA protocol 2, each participant Pi needs to publish a classical sequence Ci after he receives the sequence he generates. However, Ci and Ki are closely related. If Ci is 0, Eve can draw a conclusion that the secret key of Pi must be 00 or 11; otherwise, the Ki is 01 or 10, which contains \(-2\times \frac{1}{2}\,lo{g}_{2}\frac{1}{2}=1\) bit of information. Thus, one bit of the secret information is leaked to Eve unconsciously.

The improved travelling-mode MQKA protocol

Herein we design a new travelling-mode MQKA protocol based on non-orthogonal Bell states, where n participants negotiate a final key fairly and securely. The detailed process of our protocol is as follows:

Initialization phase

Each participant Pi first generates a (l + kl)-bit 0–1 secret key sequence Ki = {Ki,1, Ki,2, …, Ki,m}, m {1, 2, …, l + kl}. Besides he also generates a random (l + kl)-bit 0–1 controlling string RHij, where k is the detection rate, i, j  {1, 2, …, n} and i ≠ j. Then Pi prepares a sequence BSi = {|BSwi,1 wi,2i〉, |BSwi,3 wi,4i〉, …, |BSwi,2(l+kl)−1 wi,2(l+kl)i〉} of l + kl Bell states, where |BSwi,2m−1 wi,2mi〉  {|BS00〉, |BS01〉, |BS10〉, |BS11〉} and Wi = (wi,1, wi,2, …, wi,2(l+kl)−1, wi,2(l+kl)) is a random 2(l + kl)-bit 0–1 sequence.

$$\begin{array}{l}|B{S}_{00}\rangle =|{{\varphi }}^{+}\rangle =\frac{1}{\sqrt{2}}\mathrm{(|00}\rangle +\mathrm{|11}\rangle ),\,|B{S}_{01}\rangle =|{{\varphi }}^{-}\rangle =\frac{1}{\sqrt{2}}\mathrm{(|00}\rangle -\mathrm{|11}\rangle ),\\ |B{S}_{10}\rangle =|{\psi }^{+}\rangle =\frac{1}{\sqrt{2}}\mathrm{(|01}\rangle +|10\rangle ),\,|B{S}_{11}\rangle =|{\psi }^{-}\rangle =\frac{1}{\sqrt{2}}\mathrm{(|01}\rangle -\mathrm{|10}\rangle \mathrm{).}\end{array}$$
(1)

Sending photons

Pi divides BSi into two single photon sequence: the first photon sequence |BS1ii〉 and the second photon sequence |BS2ii+1〉 (symbol ‘+’ in i + 1 denotes the additional mod n). Then Pi keeps the first photon sequence in home and transmits the second photon sequence to the next participant Pi+1.

Encoding phase

After Pi+1 receives the photon sequence, he performs unitary operation I or Z on |BS2ii+1〉 according to his private key sequence, where I = |0〉〈0| + |1〉〈1| and Z = |0〉〈0| − |1〉〈1|.

Controlling operations

Depending on whether the sequence RHi+1i is 1 or 0, Pi+1 performs rotation operation \({R}_{z}(\frac{\pi }{2})\) on the sequence |BS2ii+1〉 or does nothing, where \({R}_{z}(\frac{\pi }{2})\) is the rotation operator of the z axis and the definition is as follows:

$${R}_{z}(\frac{\pi }{2})=\frac{\sqrt{2}}{2}I-\frac{\sqrt{2}}{2}iZ=[\begin{array}{cc}\frac{\sqrt{2}}{2}-\frac{\sqrt{2}}{2}i & 0\\ 0 & \frac{\sqrt{2}}{2}+\frac{\sqrt{2}}{2}i\end{array}]$$
(2)

The rotation operator can change the state of the |BS〉 to |DBS〉 = {|DBS00〉, |DBS01〉, |DBS10〉, |DBS11〉}, where |DBS〉 are defined as follows. Table 2 shows the relationship of the unitary operations and the transformed Bell states.

$$\begin{array}{c}|DB{S}_{00}\rangle ={R}_{z}(\frac{\pi }{2})|{{\varphi }}^{+}\rangle =\frac{1}{\sqrt{2}}(|{{\varphi }}^{+}\rangle -i|{{\varphi }}^{-}\rangle ),\\ |DB{S}_{01}\rangle ={R}_{z}(\frac{\pi }{2})|{{\varphi }}^{-}\rangle =\frac{1}{\sqrt{2}}(|{{\varphi }}^{-}\rangle -i|{{\varphi }}^{+}\rangle ),\\ |DB{S}_{10}\rangle ={R}_{z}(\frac{\pi }{2})|{\psi }^{+}\rangle =\frac{1}{\sqrt{2}}(|{\psi }^{+}\rangle +i|{\psi }^{-}\rangle ),\\ |DB{S}_{11}\rangle ={R}_{z}(\frac{\pi }{2})|{\psi }^{-}\rangle =\frac{1}{\sqrt{2}}(|{\psi }^{-}\rangle +i|{\psi }^{+}\rangle \mathrm{).}\end{array}$$
(3)
Table 2 Effects of unitary operations {I, Z, RzI, RzZ} on the second particles of Bell states |BS〉.
Full size table

After performing the extra unitary operation, Pi+1 sends the sequence |BS2ii+2〉 to the next participant Pi+2. Meanwhile, each of the other n − 1 participants processes his received sequence just in the same way and sends the obtained new sequence to next participant. This process continues until Pi receives the sequence which he generated from Pi−1.

Security checking

Once receiving his own sequence, each participant Pi announces the fact, confirms other participants have received their sequences and informs participant j of his controlling sequence RHij. Then all participants cooperate to choose kl positions from l + kl Bell states for security checking, and the remaining l Bell states are used to form the final key, i.e., Ki, i= 1, 2, 3, …, n. Specifically, Pi randomly selects \(\frac{kl}{n}\) positions from the remaining \((l+kl)-(i-\mathrm{1)}\frac{kl}{n}\) positions and announces the positional information. After finishing selection, each participant publishes the secret key sequence at the kl positions. Then they calculate the XOR results of other participants’ secret keys, offset the extra controlling operations according to RHji (the detailed process is shown in the next step) and perform Bell measurements on the photon pairs at their chosen \(\frac{kl}{n}\) positions. If the measurements are consistent with the calculations, they drop the kl bits used for security checking and continue; otherwise they terminate the protocol.

Secret extraction

Each participant Pi offsets the controlling operations for the remaining l positions according to RHji. Concretely, since \({R}_{z}(\frac{\pi }{2})\) commutes with each of the encoding operations {I, Z}, we can deduce that \({R}_{z}(\frac{\pi }{2})I=I{R}_{z}(\frac{\pi }{2})\) and \({R}_{z}(\frac{\pi }{2})Z=Z{R}_{z}(\frac{\pi }{2})\). Therefore, each participant Pi can offset all controlling operations \({R}_{z}(\frac{\pi }{2})\) by repeating Cij operations \({R}_{z}{(\frac{\pi }{2})}^{\dagger }\) (i.e., by performing once operation \({R}_{z}(\frac{-{C}_{i}^{j}\pi }{2})\)) on the j-th pair of photons in sequence BSi after all the participants have completed their encoding operations E and controlling operations C in turn: CECECE = CCCEEE, where Cij is the j-th bit of the sequence Ci (Ci = RHi+1i + RHi+2i + … + RHi−1i), \({R}_{z}{(\frac{\pi }{2})}^{\dagger }={({R}_{z}{(\frac{\pi }{2})}^{{\rm T}})}^{\ast }\) and \({R}_{z}{(\frac{\pi }{2})}^{\dagger }{R}_{z}(\frac{\pi }{2})=I\). After that, each participant performs Bell measurements on the l processed photon pairs and obtains \(\bar{{K{}^{{\rm{^{\prime} }}}}_{i}}={K{}^{{\rm{^{\prime} }}}}_{i+1}\oplus {K{}^{{\rm{^{\prime} }}}}_{i+2}\oplus \ldots \oplus {K{}^{{\rm{^{\prime} }}}}_{i-1}\). Finally Pi can get the final key \(K=K{{}^{{\rm{^{\prime} }}}}_{i}\oplus {\bar{K{}^{{\rm{^{\prime} }}}}}_{i}\).

So far, we have demonstrated our proposed travelling-mode MQKA protocol. In the real scenario, the raw keys may have very few mistakes which are caused by the channel noise. We can use the multiparty cascade error-correcting protocols for information reconciliation37,38 and utilize the universal hashing to realize privacy amplification process39.

Security analysis

Herein we give a detailed security analysis for both outside and participant’s attacks. It is proved that the proposed protocol can satisfy the fairness property effectively. We also show the problem of information leakage does not exist in our protocol.

Outside Attacks

Suppose Eve wants to eavesdrop the final key, he should obtain each participant’s private key first. Here are three mainstream attack methods he may take.

Firstly, let us discuss the intercept-resend attack25,35. In intercept-resend attack, Eve intercepts and stores the photon sequences sent from participant Pi to Pi+1. Then he sends the second photon sequence of the fake Bell states which he prepared in advance to Pi+1. After step (3) and (4), Pi+1 finishes performing his unitary operations and extra controlling operations on the photon sequence and sends to Pi+2. At this time Eve will intercept the photon sequence again and sends the original photon sequence to Pi+2. Since Eve does not know whether Pi+1 performs the controlling operation \({R}_{z}(\frac{\pi }{2})\) on the photons or not, he won’t perform Bell measurements on his photon sequence until each participant publishes the random controlling sequence. Therefore he cannot deduce Pi+1’s operations and encode correct information on the original sequence. Eve will be detected with the probability \(1-{(\frac{1}{2})}^{kl}\approx 1\) (kl is big enough) when all participants perform security checking in step (5). Hence the proposed protocol can resist the intercept-resend attack.

Secondly, let us discuss the entangle-measure attack35,40. In entangle-measure attack, Eve wants to steal Pi+1’s secret key by intercepting the traveling photon sequence |BS2ii+1〉 and |BS2ii+2〉, and executing Controlled-not operation on it and his auxiliary photon |0〉e, where intercepted photon is a control bit and photon |0〉e is a target bit. For instance, the Bell state prepared by Pi is \(|{\Psi }_{1}{\rangle }_{pq}=\frac{1}{\sqrt{2}}\mathrm{|00}\rangle +\mathrm{|11}\rangle s\). After Eve’s operation on q and e, the entangled state will transform to \(|{\Psi }_{2}{\rangle }_{pqe}=\frac{1}{\sqrt{2}}\mathrm{|000}\rangle +\mathrm{|111}\rangle \), which is composed of three entangled particles. Then Eve sends the particle q to Pi+1. After Pi+1 performs unitary operations on the sequence and sends to Pi+2, Eve intercepts the particle q, performs Controlled-not operation on q and e again and sends q to Pi+2. After all participants have received their sequences, they start to announce the controlling sequence RHij and offset the extra controlling operations on the checking photons. The states can be defined as follows:

$$\begin{array}{rcl}{U}_{CNOT}(q\otimes e){I}_{q}|{\Psi }_{2}{\rangle }_{pqe} & = & |{{\varphi }}^{+}{\rangle }_{pq}\mathrm{|0}{\rangle }_{e},\\ {U}_{CNOT}(q\otimes e){Z}_{q}|{\Psi }_{2}{\rangle }_{pqe} & = & |{{\varphi }}^{-}{\rangle }_{pq}\mathrm{|0}{\rangle }_{e},\\ {R}_{q}^{\dagger }{U}_{CNOT}(q\otimes e){R}_{q}{I}_{q}|{\Psi }_{2}{\rangle }_{pqe} & = & |{{\varphi }}^{+}{\rangle }_{pq}\mathrm{|0}{\rangle }_{e},\\ {R}_{q}^{\dagger }{U}_{CNOT}(q\otimes e){R}_{q}{Z}_{q}|{\Psi }_{2}{\rangle }_{pqe} & = & |{{\varphi }}^{-}{\rangle }_{pq}\mathrm{|0}{\rangle }_{e}\mathrm{.}\end{array}$$
(4)

According to the Eq. (4), the state of auxiliary photon e is always |0〉e whether Pi+1’s operation is I, Z, RzI or RzZ. Therefore Eve cannot obtain Pi+1’s secret key even if the photon e is entangled with transmitted photons sequence. We can consider that the Entangle-Measure attack is inefficient.

Thirdly, let us discuss the trojan horse attack. The trojan horse attack is another common attack in travelling-mode MQKA protocols which have been discussed in Li et al’s protocol41. To prevent this type of attack, participant can install some special quantum optical devices to detect the attack, such as the wavelength quantum filter to filter invisible photons and the photon number splitter(PNS) to discover the delay photons. If the multi-photon rate is unreasonable high, then such attack can be detected.

Fairness Analysis

The dishonest participants pose a greater threat to the security of the protocol than outside eavesdroppers. As we mentioned above, the dishonest participant can take the advantage position or collaborate with others to predetermine the final key. Following we conduct a fairness analysis to show that our protocol can resist participant’s attacks.

Let’s discuss the first attack strategy. For the sake of convenience, we suppose there are only three participants Alice, Bob and Charlie, wherein Bob is dishonest. In step (5), Bob selects an advantageous geographical position aside Alice and Charlie so he can obtain Alice’s and Charlie’s controlling sequence RHij earlier than expected. According to the controlling sequences, Bob can perform the operations \({R}_{z}(\frac{-{C}_{i}^{j}\pi }{2})\) to remove the additional controlling operations and perform Bell measurements to obtain the final key in advance. Then Bob wants to predetermine the final keys of Alice and Charlie by announcing incorrect controlling sequences to them. However, we request that each participant first announces the controlling sequence before they cooperate to choose photons for security checking, so this ineluctably leads to the photon pairs for security checking in DBS basis being measured in BS basis and collapsing randomly into one of the four Bell states. Suppose the number of final keys which Bob wants to change is m, there is a \(\frac{kl}{l+kl}\) probability that the selected photons are for security checking since bob cannot unambiguously distinguish the photons for security checking and for final keys. The probability that Bob will successfully pass the security checking is \({(\frac{1}{2})}^{\frac{klm}{l+kl}}={(\frac{1}{2})}^{\frac{km}{1+k}}\approx 0\) and predetermine the final key is \({(\frac{1}{2})}^{\frac{lm}{l+kl}}={(\frac{1}{2})}^{\frac{m}{1+k}}\approx 0\) according to Table 2 (if the number m is large enough). So the dishonest participant cannot predetermine the final keys of honest participants and the protocol can achieve fairness property.

Following we analyze the collusive attack. The worst case is that only one participant is honest and all others are dishonest. Let’s take three participants P1, P2 and P3 for example, where P1 and P3 are dishonest. They want to predetermine P2’s final key. The detailed attack strategies are as follows. P1 prepares Bell states and sends the photon sequence |BS21→2〉 to P2. After P2 completes his operations on the photon sequence |BS21→2〉 and sends the sequence |BS21→3〉 to P3, P1 and P3 won’t measure the Bell states until step (5) where each participant publishes their additional controlling sequences. After obtaining P2’s controlling sequence RH21, P1 and P3 can deduce P2’s secret key K2. However, the only method for P1 and P3 to determine the final key of P2 is to announce fake controlling sequences to him. Based on the analysis of the first participant’s attack strategy, we can conclude the probability they will successfully pass the security checking and predetermine P2’s final key is close to 0. Therefore n−1 dishonest participants cannot determine the final key. In summary, our proposed protocol can resist participant’s attacks.

Information leakage analysis

In addition to the above attacks, information leakage should also be considered. In our protocol, only the controlling string RHij needs to be published in stage (5). Since RHij has nothing to do with the secret key, Eve can only guess that the operation performed by each participant is either I or Z, which contains \(-2\times \frac{1}{2}{\log }_{2}\frac{1}{2}=1\) bit of uncertain information for Eve. As a result, Eve cannot obtain any information of secret key without taking any active attacks. The problem of information leakage does not exist in our agreement.

Efficiency analysis

Following we compare the proposed MQKA protocol with the existing four secure protocols, i.e., LGHW13 protocol20, HSXL16 protocol33, CM17 protocol34 and HSL17 protocol32, in five aspects: qubit efficiency ηq, measurement efficiency ηm, unitary operation efficiency ηu, quantum resource and category of the protocol. The definitions are as follows: qubit efficiency ηq = \(\frac{l}{q}\), measurement efficiency ηm = \(\frac{l}{m}\), and unitary operation efficiency ηu = \(\frac{l}{u}\), where l denotes the length of the final common key, q is the number of the transmitted qubits on the quantum channel, m is the number of quantum measurements, and u is the number of unitary operations. Table 3 shows the detailed comparison results between these four MQKA protocols and ours. The efficiency analysis is given as follows.

Table 3 Comparison between existing security protocols.
Full size table

In our protocol, each participant will prepare l + kl photon pairs to establish l-bit final key, wherein kl bits are used for security detection. As there are only half photon sequence transmitted in the quantum channel and n participants involved in our protocol, the total number of transmitted photons on the quantum channel is n(l + kl). Hence, the qubit efficiency is

$$\frac{l}{n(l+kl)}=\frac{1}{n\mathrm{(1}+k)}\mathrm{.}$$
(5)

Since only one eavesdropping detection for each participant, the number of measurements required in this protocol is greatly reduced. To establish an l-bit final key, each participant needs to perform \(l+\frac{kl}{n}\) measurements. Therefore, the measurement efficiency of our protocol is

$$\frac{l}{n(l+\frac{kl}{n})}=\frac{1}{n(1+\frac{k}{n})}.$$
(6)

The security of our protocol is mainly based on the controlling operations of each participant on the photon sequences. To establish an l-bit final key, each participant needs perform n(l + kl) unitary operations. Thus, the unitary operation efficiency of the proposed protocol is

$$\frac{l}{{n}^{2}(l+kl)}=\frac{1}{{n}^{2}\mathrm{(1}+k)}\mathrm{.}$$
(7)

The specific comparison results are shown in Fig. 2. As shown in the two subgraphs (a) and (b), the qubit efficiency of the improved protocol is no less than that of the existing security protocols, and it has higher measurement efficiency. Although we increase the number of unitary operations in exchange for higher qubit efficiency and measurement efficiency, the unitary operations can be easily realized with the rapid development of quantum technology. Therefore our protocol is efficient and feasible.

Figure 2
figure 2

The comparisons of the number of transmissions and measurements, where k = 1.

Full size image

Optical setup

As shown in Fig. 3, we design an optical setup for each participant. In the experiment, ultraviolet (UV) laser pulses pass through a BBO crystal to produce polarization-entangled photon pairs42. One of the photon pairs can be first stored in Pic delay line and the other is sent to Pi+1. Pi encodes his secret key and controlling information on other participant’s photon sequence by utilizing electro-optic modulator43 and sends the photon sequence to next participant Pi+1. This process continues until Pi receives the sequence which he generates. After offsetting the extra controlling operations on his second photon sequence by utilizing electro-optic modulator, Pi fetches the first photon sequence from the delay line and performs Bell measurement42 on the photon pairs. According to the measurement results and initial states, all participants can obtain the consistent final key.

Figure 3
figure 3

Experimental setup of participants. BBO: beta barium borate. BS: beam splitter. OS: optical switch. DL: delay line. PBS: polarization beam splitter. Each participant can generate and measure the polarization-entangled photon pairs, encode the received photon sequence and send the photon sequence to next participant.

Full size image

Conclusion

In this paper, we find that some existing travelling-mode MQKA protocols are generally vulnerable to the internal dishonest participants. Besides, we also find the problem of information leakage in Cao-Ma MQKA protocol. Then We take Cao-Ma MQKA protocols as examples to illustrate these attacks in detail. To resist the attacks, we propose a robust travelling-mode MQKA protocol based on non-orthogonal Bell states. The analyses show that our protocol can resist the both outside and participant’s attacks and achieve higher efficiency. Finally, We design an optical platform for each participant, and show that our proposed protocol can be realized with feasible technologies.