Experimental Quantum Multiparty Communication Protocols

Quantum information science breaks limitations of conventional information transfer, cryptography and computation by using quantum superpositions or entanglement as resources for information processing. Here, we report on the experimental realization of three-party quantum communication protocols using single three-level quantum system (qutrit) communication: secret sharing, detectable Byzantine agreement, and communication complexity reduction for a three-valued function. We have implemented these three schemes using the same optical fiber interferometric setup. Our realization is easily scalable without sacrificing detection efficiency or generating extremely complex many-particle entangled states.


Introduction
Many tasks in communications, computation, and cryptography can be enhanced beyond classical limitations by using quantum resources. Such quantum technologies often rely on distributing strongly correlated data that cannot be reproduced with classical theory i.e. it violates a Bell inequality [1]. To violate a Bell inequality, the parties involved in the scheme must share an entangled quantum state on which they perform suitable local measurements returning outcomes that can be locally processed and communicated by classical means. Such entanglement-assisted schemes have been shown successful in a wide variety of information processing tasks, including secret sharing for which additional security features are enabled, detectable Byzantine Agreement for which a classically unsolvable task can be solved, and reduction of communication complexity for which optimal classical techniques are outperformed.
Let us shortly introduce these three communication protocols.
Secret sharing is a cryptographic primitive that can conceptually be regarded as a generalization of quantum key distribution [2,3]. Secret sharing schemes have wide applications in secure multiparty computation and management of keys in cryptography. In such schemes, a message (secret) is divided in shares distributed to recipient parties in such a way that some number of parties must collaborate in order to reconstruct the message. However, the security of classical secret sharing relies on limiting assumptions of the computation power available to an adversary. Quantum cryptography introduces the concept of unconditional security, and can improve security beyond classical constraints. Quantum secret sharing protocols have been proposed with parties sharing a multipartite qubit entangled state [4,5] where their security is linked to Bell inequality violations.
A fundamental problem in fault-tolerant distributed computing is to achieve coordination between computer processes in spite of some processes randomly failing due to e.g. crashing, transmission failure or distribution of incorrect information in the network. For example, such coordination applies to the problem of synchronizing the clocks of individual processes in distributed networks, which is pivotal in many technologies including data transfer networks and telecommunication networks. A method to achieve synchronization is to use interactive consistency algorithms in which all nonfaulty processes reach a mutual agreement about all the clocks [6]. Interactive consistency is achieved through solving the problem of Byzantine agreement, which can be solved only if less than one-third of the processes are faulty [7]. However, for most applications, it is sufficient to consider a scenario called detectable Byzantine agreement (DBA), where the processes either achieve mutual agreement or jointly exit the protocol. Several quantum protocols based on multipartite entanglement have been proposed for achieving the DBA even in the presence of one-third or more faulty processes, thus breaking the classical limitation [8,9,10].
In communication complexity problems (CCPs), separated parties performing local computations exchange information in order to accomplish a globally defined task, which is impossible to solve singlehandedly. Here, we consider the situation in which one would like to maximize the probability of successfully solving a task with a restricted amount of communication [11]. Such studies aim, for example, at speeding-up a distributed computation by increasing the communication efficiency, or at optimizing VLSI circuits and data structures [12]. Quantum protocols involving multipartite entangled states have been shown to be superior to classical protocols for a number of CCPs [13,14].
Quantum multiparty communication protocols that require only sequential communication of single qubits and no shared multipartite entanglement have been proposed for secret sharing [15] and CCP [16], and CCP using the quantum Zeno effect [17]. Very recently generalizations to d-level quantum system (called a qudit) have been proposed. These protocols are multiparty quantum secret sharing [18] and a quantum solution to the DBA, which can then be used to achieve clock synchronization in the presence of an arbitrary number of faulty processes by efficient classical means of communications [19]. Beside experimentally realizing these protocols, we propose and demonstrate a new single qudit protocol for a multiparty CCP, that outperforms any classical counterpart.
Although the mentioned information processing tasks cover very different topics; cryptography, synchronization, and communication complexity, we will show that the quantum schemes that distribute these correlated data sets uphold strong similarities and the differences emerge from the classical processing of the correlated data required to execute these protocols.
Our single qudit communication protocols hold several experimental advantages in scalability over the corresponding entanglement-assisted schemes. While entanglement-assisted protocols typically re-quire the preparation of a high fidelity N -partite d-level entangled quantum state, the single qudit protocols earn their name from requiring only the preparation of a single qudit independently of the number of parties, N , involved in the protocol. Furthermore, in the likely case of parties using non-ideal detectors with efficiencies η ∈ [0, 1], entanglement-assisted protocols require N detections and therefore succeed with an exponentially decreasing probability, approximately η N , while single qudit protocols only require a single detection which succeeds with probability η, independently of N .

Communication protocols
In this report, we will present for the first time the experimental realization of quantum communication protocols, secret sharing, DBA and clock synchronization, and reduction of communication complexity in a multipartite setting involving three parties, Alice, Bob and Charlie, communicating three-level quantum states (qutrits). We will now very briefly present these protocols.

Secret Sharing
Alice (a.k.a. the distributor) prepares the initial qutrit state |ψ = 1 √ 3 (|0 + |1 + |2 ) and applies her action U a 0 V a 1 on the state |ψ according to her input data (a 0 , a 1 ), where a 0 and a 1 are two pseudorandom independent numbers in the set {0, 1, 2}, and operators U and V are given by Then she sends the qutrit to Bob, who according to his input data (b 0 , b 1 ) acts on the qutrit with operator U b 0 V b 1 , and sends the state to Charlie who acts on the qutrit with operator U c 0 V c 1 , where (c 0 , c 1 ) are his input data. Finally, Charlie performs a measurement on the qutrit in the Fourier basis , obtaining a trit outcome m (see Fig. 1). In random order, the parties then announce their data a 1 , b 1 , c 1 , and if condition a 1 + b 1 + c 1 = 0 mod 3 is verified, the round is treated as valid and equation a 0 + b 0 + c 0 = m mod 3 produces the shared secret.
Otherwise if a 1 + b 1 + c 1 = 0 mod 3 the qutrit is not in an eigenstate of the measurement operator at the time of measurement. Thus, the outcome m is random and the run is discarded. At this point all users should publicly announce a 0 , b 0 and c 0 for a relevant number of runs and estimate the quantum trit error rate (QTER) defined as QT ER = number of incorrect outcomes/total number of outcomes. Finally, to reconstruct the shared secret at least two users are required to collaborate [18].
Secret sharing schemes can be subjected not only to eavesdropping attacks but also to attacks from parties within the scheme. Examples are known in which such attacks can breach the security of secret sharing schemes [20]. In the supplementary material we outline a scheme enforcing security that can, at the cost of a lower efficiency, arbitrarily minimize the impact of such attacks. Furthermore, we mention that the full security can be obtained from device independent implementations of entanglement based quantum key distribution [21]. However, to our knowledge, there are no device-independent protocols for secret sharing. In our proposed protocol we assume that the users have control over the devices.

Detectable Byzantine Agreement
In order to solve the DBA problem, the three processes (i.e. parties) need to share data in the form of lists l k of numbers subject to specific correlations, and the distribution must be such that the list l k held by process P k is known only to P k where k = 1, 2, 3. Quantum mechanics provides methods to generate and securely distribute such data. In this case, Alice's state preparation and each user's action are the same as in the previous protocol, except for b 0 and c 0 being bits instead of trits. The difference is in the data processing part: if the measurement outcome is "0", the parties reveal a 1 , b 1 , c 1 and if condition a 1 + b 1 + c 1 = 0 mod 3 is satisfied, the round is treated as valid. It follows that they now hold one of the data sets (a 0 , b 0 , c 0 ) ∈ {(0, 0, 0), (1, 1, 1), (2, 1, 0), (2, 0, 1)} from which the DBA can be solved [19].

Communication Complexity Reduction
In the single qutrit protocol for reducing communication complexity, the distributor supplies Alice, Bob and Charlie with two pseudo-random trits each, (a 0 , a 1 ), (b 0 , b 1 ) and (c 0 , c 1 ). Each party's pair can be mapped into an integer by defining promises the parties that S a + S b + S c = 0 mod 3 and asks Charlie to guess the value of function T = (S a + S b + S c mod 9)/3 given that only two (qu)trits may be communicated in total. After the |ψ state preparation, Alice acts with U The CCP is to maximize the success probability of guessing T correctly, with the given communication restrictions. We have just seen that this success probability, save for experimental errors, is 100% with our quantum protocol. However, it can be shown (see supplementary material) that the optimal classical protocol achieves only a success probability of 7/9 ≈ 0.778, which is clearly inferior to that of the quantum protocol.  (1) and (2)). After passing through the three arms on their way back, the three pulses recombine at the first coupler and depending on their relative phases, yield different interference counts at the single photon detectors (Princeton Lightwaves PGA600). These gated detectors provide 20% quantum efficiency and approximately 10 −5 dark count probability. Importantly, in order to prevent possible eavesdropping attacks, each pulse is attenuated to single photon level by a digital variable attenuator (OZ Optics DA-100) at Charlie's station output.
We would like to emphasize that phase modulators are polarization sensitive, and for this reason they include a horizontal polarizer at the output port. Therefore, controlling polarization throughout the setup is crucial. We thus choose to use polarization maintaining fiber components for all three parties' stations.
However, in order to make the configuration more realistic, links between users are standard single mode fibers. Therefore, polarization controllers have been placed after these fiber links. Finally, the whole experiment was controlled by an FPGA card that worked both as master clock and trigger source, for the electronics driving laser and phase modulators, and for the single photon detectors. For future and practical implementations of these communication protocols, one needs to use a bright true or heralded single photon source, integrated optics interferometer, and high quantum efficiency superconducting single photon detectors.

Results
Each protocol setting was run 100000 times per second (i.e. 10 5 laser triggers) and the collected data was used to calculate the QTER. Due to the substantial loss from the setup itself (mainly in the phase modulators) and to the 20% detection efficiency, the final amount of runs with detection was 400 respectively. We can easily see that QTER for the secret sharing and DBA protocols are always below 10%. Our results are better than other results obtained with entanglement-based two-party quantum key distribution protocols [23], and QTER clearly are below the 15.95% security threshold of qutrit based quantum key distribution [22]. Therefore secure communication can be obtained with this configuration [18]. Consistently, CCP experimental results, of which a sample of obtained data is reported in Tab. 3, show success probabilities always above 90%, therefore proving the superiority of the quantum protocol to any classical protocol (limited to 77.8% success probability).
The primary source of QTER is the so called "dark counts". Our detectors' average dark count probabilities, measured with 10 6 runs, are 5.9 · 10 −5 , 2.8 · 10 −5 and 20.5 · 10 −5 per trigger for detectors 0, 1 and 2 respectively. Considering our measurements, these dark counts contribute up to half of the QTER.
Other important systematic contributions to the QTER are due to the phase drift affecting the interferometer. This phase drift causes two problems: it slightly changes the relative phases from the desired   Table 3: Results for the communication complexity reduction protocol.

Conclusion
We have experimentally realized three-party quantum communication protocols using single qutrit communication: secret sharing, detectable Byzantine agreement, and communication complexity reduction for a three-valued function. We have implemented for the fist time these three protocols using the same optical fiber interferometric setup. Our novel protocols are based on single quantum system communication rather than entanglement. Moreover, the number of detectors (detector noise) used in our schemes is independent of the number of parties participating in the protocol. Our realization is easily scalable without sacrificing detection efficiency or generating extremely complex many-particle entangled states. These breakthrough and advances make multiparty communication tasks feasible. They become technologically comparable to quantum key distribution, so far the only commercial application of quantum information. Finally, our methods and techniques can be generalized to other communication protocols. These protocols can also be easily adapted for other encodings and physical systems.

Scheme enforcing security
In secret sharing schemes one may face attacks from cheating parties within the scheme. Since in a three party scheme, it is not meaningful to have more than one cheater, let us assume that the cheating party is Bob who attempts to access Alice's secret. Since Bob is involved in the scheme, he may employ a sophisticated strategy based on e.g. a quantum memory and an entangled ancilla state which can allow him to pass the standard security check undetected. The success of any such strategy must in some manner depend on Bob gaining information on some local data (a 0 , c 0 ) of Alice and Charlie. However, as the three parties announce their data in random order Bob cannot always succeed with his cheating, and thus we can upper bound the probability of Bob successfully cheating in a single round by p cheat ≤ 2/3.
Here, we will outline a privacy amplification scheme that allows Alice and Charlie to arbitrarily minimize Bob's chances of inferring the secret.
The standard protocol is repeated many times and some rounds are used to estimate the QTER.
Assuming the QTER does not imply any security breach, this leaves L successful rounds. We let a be the measurement outcome of Charlie in the round. All parties then map their L trits into a single trit by The new data now satisfies a 0 + b 0 + c 0 = 0 mod 3. Unless Bob successfully cheats in all L rounds, which happens with a probabilityp cheat = p L cheat , he can infer no knowledge on the private data of Alice or Charlie. Thus, the number of rounds that warrants the cheating success probability to be no higher thanp cheat is L = logp cheat / log p cheat i.e. at the cost of repeating the protocol several times, the cheating probability can be arbitrarily minimized. If we consider an example of a known (G. P. He, Phys. Rev. Lett. 2007; 98: 028901-1.) such cheating attack in a three party secret sharing protocol in which Bob was found to have cheating success probability per round of p cheat = 1/3, and we require thatp cheat ≤ 10 −4 , then we find that we need L = 9 rounds to achieve this level of security.

Communication Complexity Reduction: classical bound
The quantum protocol for communication complexity reduction presented in our paper uses a single qutrit and achieves the ideal success probability of 100%. We will now prove that our quantum protocol is superior to any classical one.
To find the best classical protocol, we can without loss of generality consider only deterministic strategies and disregards mixtures of such. Alice has to send the value of some three-valued function with suitable choices of coefficients q 0 , q 1 , q 2 . Therefore, we write where we have emphasized the dependence of the coefficients on the received data f A , f B from subsequent parties. However, we must have q (C) 0 = 0 since otherwise, the strategy is randomized. It is straightforward to find that this implies that only one of the coefficients q can be non-zero, and that its value must be either 1, e 2πi 3 or e − 2πi 3 . Therefore, we find that for some set r A , r B , r C subject to r A , r B , r C ∈ {1, 2}. Evidently, we should choose r A = r B = r C = uniformly distributed and we are promised that a 1 + b 1 + c 1 = 0 mod 3, there are nine different sets (a 1 , b 1 , c 1 ) of which only (0, 0, 0) sums to 0, only (2, 2, 2) sums to 6 and the remaining seven sets sum to 3. Therefore, let q In conclusion, the optimal classical success probability is P (f C = T ) = 7/9 ≈ 0.778, which is clearly inferior to the unitary one for the quantum protocol.

Encoding Settings
In Tables S1 and S2, we report encoding settings used by Alice, Bob and Charlie for the three experiments. We write directly the angular phase shifts to be applied to the three state qutrits exchanged among the users. 0 Table S1: Angular phase shifts for secret sharing and DBA experiments. Alice's settings look different compared to Bob's and Charlie's, but they are actually just the same settings multiplied by a global phase. This is due to our particular setup configuration. All these settings belong to mutually unbiased bases for three dimensions.