Efficient multiparty quantum key agreement with collective detection

As a burgeoning branch of quantum cryptography, quantum key agreement is a kind of key-establishing process in which the security and fairness of the established common key must be guaranteed simultaneously. However, the difficulty of designing a qualified quantum key agreement protocol increases significantly with the number of participants involved. Thus far, only a few of the existing multiparty quantum key agreement (MQKA) protocols really achieve security and fairness. Nevertheless, these qualified MQKA protocols are either too inefficient or too impractical. In this paper, an MQKA protocol is proposed with single photons in travelling mode. Since only one eavesdropping detection is needed in the proposed protocol, its qubit efficiency and measurement efficiency are higher than those of the existing ones in theory. Compared with the protocols which make use of entangled states or multi-particle measurements, the proposed protocol is more feasible with current technologies. Security and fairness analysis shows that the proposed protocol is not only immune to attacks from external eavesdroppers, but also free from attacks from internal betrayers.

pointed out that this protocol failed to achieve the fairness property, and further put forward a distributed-mode MQKA protocol with single photons. In 2013, Sun et al. [57] attempted to improve the efficiency of Liu et al.'s MQKA protocol and proposed an MQKA protocol in travelling mode. Unfortunately, this protocol has also been demonstrated to be unfair [58]. In 2014, a distributed-mode MQKA protocol was proposed with GHZ states by Xu et al. [59]. In the same year, two travelling-mode MQKA protocols were presented with cluster states and six-qubit states, respectively, by Sun et al. [60,61]. Meanwhile, Shukla et al. put forward a travelling-mode MQKA protocol employing Bell states and Bell measurements [62]. Nevertheless, Zhu et al. found some loopholes in Shukla et al.'s protocol and further proposed an improved version of it [63]. In 2016, Sun et al. presented an MQKA protocol based on commutative encryption [64]. However, these travelling-mode MQKA protocols [60,61,63,64] are unfair under the collusion attack from internal betrayers [65,66]. In other words, a non-trivial subset of the involved participants can conspire to predetermine the final common key without being noticed by the others. In 2016, Huang et al. proposed a travelling-mode MQKA protocol with single photons and unitary operations [67]. Recently, Cao et al. also presented a travelling-mode MQKA protocol based on a quantum search algorithm [68].
In a travelling-mode MQKA protocol, every quantum information carrier sequence used for encoding secret information is processed sequentially by all the participants of the protocol. That is to say, in an $n$-party QKA protocol, each quantum information carrier sequence is transmitted $n$ times. If eavesdropping is checked after every transmission, a lot of quantum states (usually referred to as decoy qubits) must be consumed, and hence the qubit efficiency and measurement efficiency drop substantially. To the best of our knowledge, all of the existing travelling-mode MQKA protocols fall into this category [57,60-64,67], i.e., an eavesdropping check is needed in each transmission of the quantum information carrier sequence. To improve the qubit efficiency of travelling-mode MQKA, we devote ourselves to designing a travelling-mode MQKA protocol where the eavesdropping check is not required in each transmission of the quantum information carrier sequence. In this paper, we propose an efficient travelling-mode MQKA protocol with single photons, inspired by the results of refs [11,12,64,67]. By employing the collective eavesdropping detection strategy [11,12], which was first proposed by Shih et al. [11], the number of eavesdropping checks needed in this protocol is significantly reduced. Hence, the qubit efficiency and measurement efficiency of the proposed protocol are higher than those of the existing ones (including both the protocols in travelling mode and the ones in distributed mode) in theory. In addition, compared with the protocols which utilize entangled states or multi-particle measurements, the proposed protocol is more feasible with current technologies due to the utilization of single photons and single-particle measurements.
The remainder of this paper is organized as follows. The next section first presents our travelling-mode MQKA protocol with single photons in detail. Then the security and fairness of the proposed protocol are analyzed. Finally, a discussion as well as a brief conclusion is given in the "Discussion section".

Results
The proposed travelling-mode MQKA protocol. Herein we propose a new travelling-mode MQKA protocol employing single photons, where $n$ participants $P_1, P_2, \ldots, P_n$ cooperate to establish a common key securely and fairly. For each involved participant $P_i$, $1 \le i \le n$, we suppose that he/she has an $(l + kl)$-bit private random key $K_i$ and $n-1$ $(l + kl)$-bit random controlling strings $C_{i(i+1)}, \ldots, C_{i(i-1)}$, where $C_{i(j+n)} = C_{ij}$, and $k$ is the detection rate. Similar to the existing QKA protocols [46-67], the classical communication channels are assumed to be authenticated in this protocol. Moreover, the technique of "block transmission" [13-16], where the quantum information carriers are ordered and transmitted in blocks, is utilized to ensure the security of the photon transmission in this protocol. The detailed steps of the proposed MQKA protocol are as follows.
(1) Each of the $n$ participants $P_i$ ($i = 1, 2, \ldots, n$) prepares an ordered sequence (denoted as $S_i$) of $l + kl$ single photons, each of which is randomly in one of the four states in $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$. Here, Then $P_i$ sends $S_i$ to $P_{i+1}$, for $i = 1, 2, 3, \ldots, n$, where $P_{n+i} = P_i$.
(2) After the reception of $S_i$, $P_{i+1}$ announces the fact. Then he/she encodes his/her private key and the corresponding controlling binary string, K i 1 where p is a prime number, and p < n. The effect of F and π ( ) W p n on the four polarized photons, $|0\rangle$, $|1\rangle$, $|+\rangle$ and $|-\rangle$, can be respectively described as π π π π π π π π π π π π Meanwhile, each of the other $n-1$ participants processes his/her received sequence in just the same way and sends the obtained new sequence to the next participant. That is, Here, we denote what the $n$ participants have done in this step as the first round of encoding (denoted as Round 1).
Scientific Reports | 7: 15264 | DOI:10.1038/s41598-017-15227-6
(3) The $n$ participants execute another $n-2$ rounds of encoding similar to the process of Round 1. That is, in just the same way as $P_{i+1}$ does in step (2), the $n$ participants repeatedly execute the information encoding phase until In other words, for each participant $P_i$, $i = 1, 2, 3, \ldots, n$, when he/she receives the photon sequence from $P_{i-1}$ in Round $v$, $v \in \{2, \ldots, n-1\}$, he/she encodes $K_i$ and ) ) onto the received sequence. Afterwards, he/she sends the processed sequence − − + ...
− , $P_i$ announces the fact. Once confirming that every participant has received the photon sequence prepared by himself/herself, all the $n$ participants cooperate to randomly choose $kl$ positions (from $l + kl$ positions), at which the quantum information carriers will be used to check eavesdropping hereafter. Concretely, $P_1$ randomly chooses
(5) After the participants finish choosing the positions used for checking eavesdropping, each participant announces his/her $n-1$ controlling strings. Namely, $P_i$ announces $C_{ij}$, for $i = 1, 2, 3, \ldots, n$, and $j = i + 1, i + 2, \ldots, i - 1$. With the announced information, each of the participants deduces an $(l + kl)$-bit string as follows.
− . After that, he/she measures each of the $l + kl$ processed photons in the original basis in which he/she prepared it. That is, if the original state of the processed photon is in basis In ideal condition, $P_i$ can obtain an $(l + kl)$-bit string $K_i = K_{i+1} \oplus K_{i+2} \oplus \cdots \oplus K_{i-1}$ according to the $l + kl$ measurement results. To be specific, if the measurement result of the $j$-th photon is the same as (opposite to) its original state, In just the same manner, each participant gets his/her corresponding $(l + kl)$-bit string, i.e., $P_i$ gets $\hat{K}_i$ for $i = 1, 2, 3, \ldots, n$. Obviously, in ideal condition, these $n$ binary strings should be identical if there exists no eavesdropping.
(6) The $n$ participants check eavesdropping with the $kl$ positions chosen in step (4) and the $(l + kl)$-bit strings obtained in step (5). Specifically, each of the $n$ participants publishes the values at the $kl$ positions of his/her obtained string, i.e., $P_i$ publishes the corresponding $kl$ bits of $\hat{K}_i$ for $i = 1, 2, 3, \ldots, n$. Then each participant compares his/her announced $kl$-bit string with the ones published by the other participants. With the comparison results of the $kl$ positions, they can judge whether the procedure is secure. If there exists no eavesdropping, each participant $P_i$ drops the bits used for checking eavesdropping and gets an $l$-bit binary string from the remaining bits, i.e., $\hat{K}'_i$, $i = 1, 2, 3, \ldots, n$; otherwise, they abort the protocol. In ideal condition, by utilizing steps (1)-(5), the $n$ established random strings should be identical, i.e., ′ To check the consistency of the $n$ binary strings, each participant $P_i$ calculates the hash value $h(\lambda K'_i)$. Here, $h: \{0,1\}^* \to \{0,1\}^s$ is a one-way hash function previously chosen by the $n$ participants, and $\lambda = f(\lambda_1, \lambda_2, \ldots, \lambda_n)$, where $\lambda_i$ is a random bit generated and announced by $P_i$ after deducing $K'_i$, $i = 1, 2, \ldots, n$. If all the $n$ hash values are identical, the $n$ participants have established a common key $K = \hat{K}'_1 = \hat{K}'_2 = \cdots = \hat{K}'_n$; otherwise, they abort the results and restart the protocol.
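The classical part of step (6), as an added example that is not code from the paper: it runs the single public comparison of the check bits and then the hash consistency check, on constructed strings for three participants. SHA-256 standing in for the agreed one-way hash h, f taken as concatenation of the announced random bits, and those bits being prepended to the candidate key are all assumptions, as are the function names.

```python
import hashlib
import random


def choose_check_positions(total, n_check, rng):
    """Pick the kl check positions out of the l + kl positions (step 4)."""
    return sorted(rng.sample(range(total), n_check))


def collective_check(strings, check_pos):
    """Single eavesdropping check: everyone publishes the bits at the check
    positions and compares them with the bits published by the others."""
    published = [tuple(s[p] for p in check_pos) for s in strings]
    return all(pub == published[0] for pub in published)


def sift(bits, check_pos):
    """Drop the published check bits, leaving the l-bit candidate key."""
    dropped = set(check_pos)
    return [b for pos, b in enumerate(bits) if pos not in dropped]


def consistency_tag(lambda_bits, key_bits):
    """Hash of the announced random bits followed by the candidate key
    (assumed choices: f = concatenation, h = SHA-256)."""
    return hashlib.sha256(bytes(lambda_bits) + b"|" + bytes(key_bits)).hexdigest()


def run_step6(strings, check_pos, lambda_bits):
    """Return (status, key). Any mismatch aborts and nobody keeps a key."""
    if not collective_check(strings, check_pos):
        return ("abort-eavesdropping", None)
    keys = [sift(s, check_pos) for s in strings]
    tags = {consistency_tag(lambda_bits, k) for k in keys}
    if len(tags) != 1:
        return ("abort-inconsistent", None)
    return ("ok", keys[0])


def demo():
    """Constructed data: n = 3 participants, l = 16 key bits, k = 0.5."""
    rng = random.Random(7)  # fixed seed for a reproducible demo, not for real keys
    n, l, k = 3, 16, 0.5
    n_check = int(k * l)
    total = l + n_check
    agreed = [rng.randint(0, 1) for _ in range(total)]
    check_pos = choose_check_positions(total, n_check, rng)
    lambda_bits = [rng.randint(0, 1) for _ in range(n)]  # one bit per participant

    clean = [list(agreed) for _ in range(n)]
    # Disturbance that lands on a check position: caught by the public comparison.
    hit = [list(s) for s in clean]
    hit[1][check_pos[0]] ^= 1
    # Disturbance on a non-check position: invisible to the comparison,
    # caught by the hash consistency check.
    free = next(p for p in range(total) if p not in check_pos)
    missed = [list(s) for s in clean]
    missed[2][free] ^= 1
    return [run_step6(case, check_pos, lambda_bits) for case in (clean, hit, missed)]


if __name__ == "__main__":
    for status, key in demo():
        print(status, "" if key is None else "".join(map(str, key)))
```

The third case is the one the consistency check exists for: the published check bits agree, yet the participants would otherwise keep different keys.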
Thus far, we have presented a new efficient travelling-mode MQKA protocol. In a practical situation, there may exist a certain number of errors, caused by noise, in $K'_i$, $i = 1, 2, \ldots, n$. This may lead the protocol to fail in step (6) with a high probability. To circumvent this problem, several existing methods, such as quantum error correction codes (QECC) [69] and quantum error avoiding codes (QEAC) [70], could be utilized. Moreover, as the proposed MQKA protocol contains two-way quantum communication, the participants involved in the protocol should also make use of a filter and a beam splitter to prevent the Trojan horse attack and the invisible-photon attack in practical implementation [71,72].
Security and fairness analysis. Herein we analyze the security and fairness of the proposed MQKA protocol. We first demonstrate that the protocol achieves the security property, i.e., it is secure against attacks from an external eavesdropper. Then we show its fairness property, i.e., it is immune to attacks from dishonest participants.

Security analysis.
To analyze the security of the proposed protocol, we first suppose that Eve is an evil attacker who wants to eavesdrop on the final common key without being noticed by the legal participants. Based on the principles of the proposed MQKA protocol, if Eve wants to achieve this goal, she should be capable of obtaining the private key of each participant without being found. To get a participant's private key, Eve can make use of different kinds of attacks. For instance, she could intercept the travelling photons, which are sent to the legal receiver, and substitute them with ones prepared by herself, or she could entangle the travelling photons with some additional states, with which she may be able to extract some valuable information about the encoded private key. However, in the proposed protocol, the private keys and controlling strings of the participants are encoded on the transmitted photons by performing certain unitary operations. Hence, whatever kind of attack Eve utilizes, eavesdropping on a participant's private key is equivalent to discriminating the operations that he/she has performed on the transmitted photon sequences. For example, when $P_i$ receives the photon sequence from $P_{i-1}$ in Round $v$, $v \in \{1, 2, 3, \ldots, n-1\}$, he/she encodes $K_i^j$ and C i i n v j ( ) ) onto the $j$-th photon of the received . Hence, according to Theorem 1, these four operations cannot be unambiguously discriminated by a single use. Namely, when these four unitary operations are respectively performed on a single qubit or one qubit of any entangled state, they cannot be unambiguously discriminated. Moreover, in practical implementation, the participants involved in this protocol will make use of the methods given in refs [71,72] to resist the Trojan horse attack and the invisible-photon attack in each transmission of every photon sequence. Therefore, the protocol is also immune to these two attacks.
Fairness analysis. It is well known that, for a multiparty quantum cryptographic protocol, the participant attacks [74] (i.e., the attacks from dishonest participants) are always more threatening than external attacks (i.e., the attacks from external eavesdroppers). In the execution of a multiparty protocol, a dishonest participant has more opportunities to attack the protocol. First, he/she is able to replace the legal photon sequences, which are prepared or received by himself/herself, with whatever he/she wants. Second, in order to avoid introducing errors into the eavesdropping check, he/she could tell lies in the phase of classical information exchange. More importantly, in order to gain a greater advantage, some dishonest participants can collaborate to cheat during the execution of the protocol. Now, we analyze the fairness of the proposed protocol to show its immunity to the participant attacks.
In the participant attack on the proposed protocol, one or more dishonest participants try to predetermine the final common key without being found by the honest participant. To show the immunity of the proposed protocol to this kind of attack, we consider the worst case, where the number of honest participants is 1. In other words, $n-1$ dishonest participants collaborate to determine the final common key. Obviously, if the proposed protocol is immune to the participant attack under this assumption, it can also resist the participant attacks where the number of dishonest participants is less than $n-1$.
Herein we show the immunity of the proposed protocol in the worst case. Without loss of generality, we suppose that $P_i$ is the only participant who is honest, $i \in \{1, 2, \ldots, n\}$. According to the principles of the proposed protocol, the final key obtained by $P_i$ (i.e., $\hat{K}'_i$) is part of the $(l + kl)$-bit string $\hat{K}_i$, $i \in \{1, 2, \ldots, n\}$. Hence, if the $n-1$ dishonest participants could predetermine $\hat{K}_i$, they would have a significant advantage in determining $\hat{K}'_i$. Apparently, the key point for the $n-1$ dishonest participants to predetermine $\hat{K}_i$ is to eavesdrop on $P_i$'s private key $K_i$ before $S_{i(i+1)\cdots(i-1)}$ is sent back to $P_i$. For example, if the $n-1$ dishonest participants have obtained $K_i$ and want $\hat{K}_i$ to be $K^*$, they can attack as follows. When $P_{i+j}$ receives the sequence generated by $P_i$, i.e., $S_{i(i+1)\cdots(i+j-1)}$, for $j = 1, 2, \ldots, n-2$, he/she only encodes his/her corresponding controlling string . This is equivalent to the case that $K_{i+j}$ is a zero vector. After receiving S i i i ( 1) ( 2) ( 2) . Then he/she sends the sequence $S_{i(i+1)\cdots(i-1)}$ to $P_i$. Obviously, if there exists no external eavesdropping and the $n-1$ dishonest participants honestly announce their controlling strings in step (5), the $(l + kl)$-bit string obtained by $P_i$ is $K^*$, i.e., $\hat{K}_i = K^* \oplus K_i \oplus K_i = K^*$. As analyzed in the security analysis, the bits of $K_i$ and the corresponding controlling string are encoded onto the received photon sequence with the four unitary operations, I, F, ( ) W p n π and F π ( ) W p n . In other words, no matter what kind of attacking strategy the dishonest participants utilize, if they want to get $K_i$ before being aware of $P_i$'s controlling strings, they should be capable of unambiguously discriminating the four unitary operations with a single use.
Nevertheless, according to the conclusion given above, the dishonest participants can never have this ability, since these four unitary operations cannot be unambiguously discriminated with a single use. For instance, according to the principles of the proposed protocol, if the $j$-th photon of a sequence sent from $P_{i-1}$, i.e., S i ( 1) . More precisely, the dishonest participants are unable to get $K_i$ before $P_i$ publishes his/her controlling strings. Under this circumstance, to eavesdrop on $K_i$, each of the dishonest participants has to process the photon sequence generated by $P_i$ strictly following the principles of the proposed protocol. It is not hard to see that, by utilizing this strategy, the dishonest participants could deduce $K_i$ with the photon sequences prepared by themselves and the controlling strings announced by $P_i$. After obtaining $K_i$, the dishonest participants can deduce $K'_i$, which will be obtained by $P_i$ in step (6), before announcing their own controlling strings. However, once the protocol proceeds to this step, the only method that they can use to modify $K'_i$ is to announce fake controlling strings. Concretely, if the dishonest participants want to modify the $j$-th bit of . Till now, we have shown that the proposed protocol is immune to the participant attack.

Discussion
Thus far, an efficient travelling-mode MQKA protocol has been proposed. In order to illustrate the advantages of this protocol, a discussion, where the proposed protocol is compared with the existing MQKA protocols, is made first in this section. After that, we end this paper with a short conclusion.

Key indicators of the proposed protocol.
Before comparing the proposed protocol with the existing MQKA protocols, we first focus on some key indicators of the proposed protocol, i.e., qubit efficiency, measurement efficiency and the unitary operation efficiency.
Firstly, to check eavesdropping, the proposed protocol only needs the $n$ participants to cooperate in performing one eavesdropping detection, i.e., the detection in step (6). In other words, during the transmission of the photon sequences, i.e., in steps (1)-(5), a participant need not perform any eavesdropping detection when he/she receives a photon sequence from the previous participant. Obviously, this is the main merit of the proposed protocol, since it greatly reduces the number of photons used for checking eavesdropping and hence makes the proposed protocol efficient, i.e., gives it a high qubit efficiency. The qubit efficiency here is defined as $\eta = n_c / n_q$, where $n_c$ is the length of the final common key established in this protocol, and $n_q$ is the total number of photons used for establishing the corresponding final common key. Concretely, to establish an $l$-bit final common key in ideal condition, each of the involved participants should prepare a sequence of $l + kl$ photons. In the single eavesdropping detection, each participant will use $kl$ photons in his/her sequence for checking eavesdropping. Since there are $n$ participants involved in the proposed protocol, the total number of photons used in establishing an $l$-bit final common key is $n(l + kl)$. Therefore, the qubit efficiency of the proposed protocol is $\eta = \frac{l}{n(l + kl)} = \frac{1}{n(1 + k)}$.
Secondly, as the proposed protocol only needs one eavesdropping detection, the number of measurements required in this protocol is relatively small. Specifically, to establish an $l$-bit final common key, each of the participants needs to perform $l + kl$ measurements in theory. Namely, $(l + kl)n$ measurements are needed in the whole procedure of the protocol.
Hence, the measurement efficiency (the ratio of the length of the final common key to the number of performed measurements) of the protocol is
Thirdly, since the security of the protocol is mainly based on the unitary operations performed on the transmitted photons, we calculate here the unitary operation efficiency (the ratio of the length of the final common key to the number of performed unitary operations) of the protocol. Concretely, to establish an $l$-bit final common key, each of the participants needs to perform $n(l + kl)$ unitary operations in theory. That is to say, $(l + kl)n^2$ unitary operations are needed in total. Thus, the unitary operation efficiency of the proposed protocol is
Moreover, in the existing MQKA protocols, after the participants confirm that there exists no eavesdropping in the execution of the protocol, each participant directly makes use of the measurement results of the remaining quantum information carriers to deduce a binary string as his/her final key. However, they do not check whether the keys in their hands are identical. In order to solve this problem, we have added a step, i.e., step (6), to the proposed protocol to check the consistency of the final keys in the participants' hands.
Comparison. Herein we compare the proposed protocol with seven existing MQKA protocols in the following five aspects: qubit efficiency, measurement efficiency, unitary operation efficiency, security against participant attack and key consistency check. The seven existing protocols are SZ13 protocol [55], LGHW13 protocol [56], SZWLL13 protocol [57], SYW16 protocol [60], SZWYZL16 protocol [61], SHW15 protocol [64], HSXLFJY16 protocol [67] and HM17 protocol [68]. The indicators of these existing MQKA protocols are calculated below, and the specific comparison results are shown in Table 1 and Table 2.
SZ13 protocol. This protocol makes use of entanglement to establish the final common key, and utilizes the technique of decoy particles to assure its security. The qubit efficiency of this protocol is + kn n 1 (2 ) . The measurement efficiency of this protocol is k n 2 (2 ) 2 + . It should be pointed out that the measurements performed in this protocol include both single-particle measurements and multi-particle measurements (i.e., Bell measurements). More importantly, this protocol is vulnerable to the participant attack [55,56].
LGHW13 protocol. The protocol is immune to the participant attack, and it does not need to utilize entanglement to establish the final key [56]. However, this protocol is quite inefficient due to a low qubit efficiency , respectively. It should be noticed that the cluster basis measurements performed in this protocol are more difficult to implement than single-particle measurements under the current techniques. Moreover, this protocol is susceptible to the participant attack [60,65].
HSXLFJY16 protocol. This protocol is presented with single photons, single-particle measurements and unitary operations [67]. Since eavesdropping detection is needed in each step of the sequence transmission, the qubit efficiency, measurement efficiency and unitary operation efficiency are respectively .

Conclusion
In this paper, we focus on improving the efficiency of the travelling-mode MQKA protocol and propose an efficient MQKA protocol with single photons. Security and fairness analysis shows that the proposed protocol is immune to both the external attack and the participant attack. By utilizing the idea of collective eavesdropping detection, the qubit efficiency and measurement efficiency of this protocol are higher than those of the existing protocols, especially the ones which are also secure and fair. In addition, due to the utilization of single photons and single-particle measurements, the proposed protocol is more feasible with current technologies than the ones which employ entanglement or multi-particle measurements. Finally, we should point out that, to design a really practical QKA protocol, one should not only consider the fairness of the quantum exchange process (i.e., the process that generates the raw keys), but also propose qualified information reconciliation and privacy amplification processes which can be utilized in QKA protocols for negotiating the final key fairly. How to design qualified classical post-processing for QKA/MQKA still remains an open problem, which we would like to research in the future.