Efficient travelling-mode quantum key agreement against participant’s attacks

Quantum key agreement (QKA) is to negotiate a final key among several participants fairly and securely. In this paper, we show that some existing travelling-mode multiparty QKA protocols are vulnerable to internal participant’s attacks. Dishonest participants can exploit a favorable geographical location or collude with other participants to predetermine the final keys without being discovered. To resist such attacks, we propose a new travelling-mode multiparty QKA protocol based on non-orthogonal Bell states. Theoretical analysis shows that the proposed protocol is secure against both external and internal attacks, and can achieve higher efficiency compared with existing travelling-mode multiparty QKA protocols. Finally we design an optical platform for each participant, and show that our proposed protocol is feasible with current technologies.


Wei-cong Huang, Yong-kai Yang, Dong Jiang* & Li-jun Chen*
Different from QKD, QKA can fairly and securely negotiate a final key among users. That is, the final key is equally determined by each participant, and no non-trivial subset of the participants can fully predetermine the final key. In 2004, Zhou et al. proposed the first QKA protocol by utilizing the quantum teleportation technique [12]. In the same year, Hsueh and Chen proposed another QKA protocol by employing entangled states [13]. Nevertheless, Tsai et al. pointed out that neither of the two protocols is secure [14,15]. In 2010, Chong and Hwang devised a QKA protocol based on BB84 [16]. However, the above protocols are all two-party protocols. To extend QKA to the multi-party case, Shi and Zhong designed the first multiparty QKA (MQKA) protocol based on Bell states in 2013 [17]. Since then, many MQKA protocols using single or entangled quantum states have been proposed [18–34].
Liu [18] pointed out that existing MQKA protocols can be classified into three types according to the transmission topology of the photons: complete-graph-type [17,20], circle-type [19,21–34] (also known as travelling-mode) and tree-type [35]. In the first type, every participant sends each of the other participants a sequence of photons which carries the information of his/her secret key. In the second type, each participant sends out only one sequence, which is operated on by each of the other participants in turn and sent back to the one who prepared it. In the third type, one participant generates a sequence of high dimensional photon states (e.g. GHZ states) and sends each of the other participants one of its particles. Since the travelling-mode is more efficient than the complete-graph-type and satisfies the fairness property more easily than the tree-type, it has attracted comprehensive study.  22 . In 2018, Abulkasim pointed out that Wang and Ma's protocol [23] is susceptible to participant's attacks and proposed an improved protocol [24]. Meanwhile, Cao and Ma proposed two MQKA protocols which were designed to be immune to the collusive attack [25]; they also presented an MQKA protocol based on non-orthogonal quantum entangled pairs [34]. Besides, some protocols based on higher-dimensional quantum states, such as five-qubit Brown states [26], G-like states [28], and the four-qubit symmetric W state [29], were presented.
Among these travelling-mode MQKA protocols, we find that some [25–30] cannot resist dishonest participant's attacks, which leads to the failure of the fairness property [19]. The dishonest participant can take advantage of a favorable geographical location or collude with other participants to predetermine the final keys of honest participants without being discovered. Besides, we also find that there is a problem of information leakage in the Cao-Ma MQKA protocol [34]. In the following, we take the two Cao-Ma MQKA protocols [25,34] as examples to demonstrate the attacks in detail. To resist these attacks, we propose a new MQKA protocol based on non-orthogonal Bell states by utilizing Pauli and rotation operations. Our proposed protocol has three noticeable advantages. Firstly, owing to the use of non-orthogonal Bell states, the proposed protocol can resist attacks from both internal dishonest participants and external eavesdroppers. It also effectively solves the problem of information leakage in the Cao-Ma protocol. Secondly, the frequency of eavesdropping detection has been greatly reduced. Hence, the qubit efficiency and measurement efficiency of our proposed protocol are higher than those of the existing secure ones [20,32–34]. Thirdly, since only Bell states and unitary operations are employed, the protocol is feasible with current technology.
The rest of the paper is organized as follows. The next section first reviews and analyzes the security of the Cao-Ma MQKA protocols, then introduces our improved travelling-mode MQKA protocol in detail, followed by the security analysis and efficiency comparisons with existing secure protocols. Furthermore, an optical setup is provided. Finally, a short conclusion is given in the final section.

Results
Review of Cao-Ma MQKA protocols. In this section we briefly describe the Cao-Ma MQKA protocol 1 [25] without trust party and the Cao-Ma MQKA protocol 2 [34] based on non-orthogonal quantum entangled pairs, respectively.
Cao-Ma MQKA protocol 1. The main process of the Cao-Ma MQKA protocol without trust party can be divided into two stages. The first stage is the initialization and encoding stage. Each participant $P_i$ ($i = 0, 1, \ldots, N-1$) possesses an $n$-bit 0-1 sequence $\tilde{K}_i$ and $TS_i$ as his secret key and additional random sequence, and calculates $K_i = \tilde{K}_i \oplus TS_i$. Then he prepares a sequence of Bell states randomly selected from the four Bell states, wherein the states of the photon sequence can be expressed as $W_i$. Each participant keeps the first photon sequence in his hand and sends the second photon sequence, with decoy photons inserted, to the next participant $P_{i+1}$. $P_i$ and $P_{i+1}$ perform eavesdropping checking. If the communication is secure, $P_{i+1}$ performs one of the four Pauli operations on the received photon sequence according to $K_{i+1}$. Next, $P_{i+1}$ inserts decoy photons into the photon sequence and sends it to the next participant $P_{i+2}$. This process continues until $P_i$ gets the sequence which he generated. The second stage is the final key negotiation stage. After each participant gets the sequence he generated, he performs Bell measurements on the corresponding photon pairs. The measurement results of the sequence can be expressed as $V_i$. Then each participant $P_i$ publishes his random sequence $TS_i$ and calculates $TS = TS_0 \oplus TS_1 \oplus \ldots \oplus TS_{N-1}$. Finally, each participant can obtain the final common key

Then each participant $P_i$ prepares a random quantum pair sequence from BS or DBS and transmits the second photon sequence to the next participant $P_{i+1}$. After receiving the sequence, $P_{i+1}$ executes the eavesdropping checking and performs unitary operations on the received quantum sequence according to his private key. Once each participant has encoded his private key on the photon sequences of the others and has received the sequence he generated, he publishes a classical sequence $C_i$ to reveal the measurement basis and calculates $C = C_1 \oplus C_2 \oplus \ldots \oplus C_N$.
Each participant performs BS or DBS measurements on the photon pairs according to C. If C is 0, the measurement basis is the same as the initial state; otherwise, the measurement basis is the dual basis of the initial states. Finally, all participants can extract the common key by comparing the initial states and measurement results.

Security analysis of the Cao-Ma MQKA protocols.
In this section, we first show that the dishonest participant in Cao-Ma MQKA protocol 1 can take advantage of a favorable geographical location or collude with other participants to predetermine the final key without being discovered, leading to the failure of fairness property. Next we reveal the problem of information leakage in Cao-Ma MQKA protocol 2.
Fairness analysis. In travelling-mode MQKA protocols, participants encode their secret keys on photons by performing unitary operations. Besides, they usually perform additional random operations on the photons to avoid divulging the secret keys. Therefore, once the additional operation is obtained, a participant can deduce the final key directly. In the following, we take the tripartite (Alice, Bob and Charlie) example to introduce the attack strategy. Suppose Bob is a dishonest participant; his detailed attack process is as follows.
(1) Before Alice and Bob publish the random sequence $TS_A$ and $TS_C$, Bob selects an advantageous geographical position beside Alice and Charlie so that he can get $TS_A$ and $TS_C$ earlier than expected.
Through the above operations, Bob can determine the final keys of Alice and Charlie.

In the following, we analyze the collusion attack in detail. For clarity, we assume that four participants $P_0$, $P_1$, $P_2$ and $P_3$ want to generate the final key. $P_1$ and $P_3$ are dishonest and want to steal $P_2$'s secret key. The detailed attack process is as follows: to $P_1$.
(2) $P_1$ performs unitary operations on the received photons according to his secret key and sends the sequence to $P_3$ instead of $P_2$ as illustrated in Fig. 1 〉 with $P_2$'s unitary operations and his unitary operations. $P_3$ also generates some decoy photons and inserts them into $|U_3 U_2 U_1 PS^2_{0\to 1}\rangle$ randomly. Then he sends the sequence to $P_0$.
(6) $P_1$ and $P_3$ wait for the common key negotiation stage, where every participant publishes his $TS_i$. By comparing $P_2$'s unitary operations and $TS_2$, $P_1$ and $P_3$ can effortlessly recover $\tilde{K}_2$. For example, suppose the fake photon pair prepared by $P_1$ is $|\phi^+\rangle$, and the result of the Bell measurement by $P_1$ and $P_3$ is $|\phi^+\rangle$ after $P_2$'s encoding; they can deduce that the operation performed by $P_2$ is $U_{00}$. Assuming the $TS_2$ published by $P_2$ is 01, $P_1$ and $P_3$ can definitely deduce that $P_2$'s secret key is 01 according to Table 1. Then $P_1$ and $P_3$ can determine $P_2$'s final key by announcing fake $TS_1$ and $TS_3$.
In addition to the Cao-Ma protocol 1, the protocols [26–30] are also vulnerable to dishonest participants' collusion attack, which indicates that these protocols cannot satisfy the fairness property.   36 . In Cao-Ma MQKA protocol 2, each participant $P_i$ needs to publish a classical sequence $C_i$ after he receives the sequence he generated. However, $C_i$ and $K_i$ are closely related. If $C_i$ is 0, Eve can draw the conclusion that the secret key of $P_i$ must be 00 or 11; otherwise, $K_i$ is 01 or 10, which contains − × = log 2 1

Sending photons. $P_i$ divides $BS_i$ into two single-photon sequences: the first photon sequence $|BS^1_{i\to i}\rangle$ and the second photon sequence $|BS^2_{i\to i+1}\rangle$ (the symbol '+' in $i + 1$ denotes addition mod $n$). Then $P_i$ keeps the first photon sequence at home and transmits the second photon sequence to the next participant $P_{i+1}$.
Controlling operations. Depending on whether the sequence $RH^{i+1}_{i}$ is 1 or 0, $P_{i+1}$ performs the rotation operation $R_z\left(\frac{\pi}{2}\right)$ on the sequence $|BS^2_{i\to i+1}\rangle$ or does nothing, where $R_z\left(\frac{\pi}{2}\right)$ is the rotation operator about the z axis and the definition is as follows: The rotation operator can change the state $|BS\rangle$ to $|DBS\rangle = \{|DBS_{00}\rangle, |DBS_{01}\rangle, |DBS_{10}\rangle, |DBS_{11}\rangle\}$, where $|DBS\rangle$ are defined as follows. Table 2 shows the relationship between the unitary operations and the transformed Bell states. After performing the extra unitary operation, $P_{i+1}$ sends the sequence $|BS^2_{i\to i+2}\rangle$ to the next participant $P_{i+2}$. Meanwhile, each of the other $n - 1$ participants processes his received sequence in just the same way and sends the obtained new sequence to the next participant. This process continues until $P_i$ receives the sequence which he generated from $P_{i-1}$.

Security checking. Once receiving his own sequence, each participant $P_i$ announces the fact, confirms that the other participants have received their sequences and informs participant $j$ of his controlling sequence $RH^{i}_{j}$. Then all participants cooperate to choose $kl$ positions from the $l + kl$ Bell states for security checking, and the remaining $l$ Bell states are used to form the final key, i.e., $K_i'$, $i = 1, 2, 3, \ldots, n$. Specifically, $P_i$ randomly selects $\frac{kl}{n}$ positions from the remaining $(l + kl) - (i - 1)\frac{kl}{n}$ positions and announces the positional information. After finishing the selection, each participant publishes the secret key sequence at the $kl$ positions. Then they calculate the XOR results of the other participants' secret keys, offset the extra controlling operations according to $RH^{j}_{i}$ (the detailed process is shown in the next step) and perform Bell measurements on the photon pairs at their chosen $\frac{kl}{n}$ positions.
If the measurements are consistent with the calculations, they drop the kl bits used for security checking and continue; otherwise they terminate the protocol.
After that, each participant performs Bell measurements on the $l$ processed photon pairs and obtains

So far, we have demonstrated our proposed travelling-mode MQKA protocol. In the real scenario, the raw keys may have very few mistakes which are caused by the channel noise. We can use the multiparty cascade error-correcting protocols for information reconciliation [37,38] and utilize universal hashing to realize the privacy amplification process [39].

Security analysis. Herein we give a detailed security analysis for both outside and participant's attacks. It is proved that the proposed protocol can satisfy the fairness property effectively. We also show that the problem of information leakage does not exist in our protocol.
Outside Attacks. If Eve wants to eavesdrop on the final key, he must first obtain each participant's private key. Here are three mainstream attack methods he may take.
Firstly, let us discuss the intercept-resend attack [25,35]. In the intercept-resend attack, Eve intercepts and stores the photon sequences sent from participant $P_i$ to $P_{i+1}$. Then he sends the second photon sequence of the fake Bell states which he prepared in advance to $P_{i+1}$. After steps (3) and (4), $P_{i+1}$ finishes performing his unitary operations and extra controlling operations on the photon sequence and sends it to $P_{i+2}$. At this time Eve intercepts the photon sequence again and sends the original photon sequence to $P_{i+2}$. Since Eve does not know whether $P_{i+1}$ performed the controlling operation $R_z\left(\frac{\pi}{2}\right)$ on the photons or not, he won't perform Bell measurements on his photon sequence until each participant publishes the random controlling sequence. Therefore he cannot deduce $P_{i+1}$'s operations and encode correct information on the original sequence. Eve will be detected with the probabil- (kl is big enough) when all participants perform security checking in step (5). Hence the proposed protocol can resist the intercept-resend attack.
Secondly, let us discuss the entangle-measure attack [35,40]. In the entangle-measure attack, Eve wants to steal $P_{i+1}$'s secret key by intercepting the travelling photon sequences $|BS^2_{i\to i+1}\rangle$ and $|BS^2_{i\to i+2}\rangle$, and executing a Controlled-NOT operation on each intercepted photon and his auxiliary photon $|0\rangle_e$, where the intercepted photon is the control bit and the photon $|0\rangle_e$ is the target bit. For instance, the Bell state prepared by $P_i$ is $|\Psi_1\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)_{pq}$. After Eve's operation on $q$ and $e$, the entangled state transforms to $|\Psi_2\rangle = \frac{1}{\sqrt{2}}(|000\rangle + |111\rangle)_{pqe}$, which is composed of three entangled particles. Then Eve sends the particle $q$ to $P_{i+1}$. After $P_{i+1}$ performs unitary operations on the sequence and sends it to $P_{i+2}$, Eve intercepts the particle $q$, performs the Controlled-NOT operation on $q$ and $e$ again and sends $q$ to $P_{i+2}$. After all participants have received their sequences, they start to announce the controlling sequence $RH^{i}_{j}$ and offset the extra controlling operations on the checking photons. The states can be defined as follows: According to Eq. (4), the state of the auxiliary photon $e$ is always $|0\rangle_e$ whether $P_{i+1}$'s operation is $I$, $Z$, $R_z I$ or $R_z Z$. Therefore Eve cannot obtain $P_{i+1}$'s secret key even if the photon $e$ is entangled with the transmitted photon sequence. We can consider that the entangle-measure attack is inefficient.
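The claim that the auxiliary photon always returns to $|0\rangle_e$ can be checked with a small state-vector simulation. This is an added example, not code from the paper; because the page's definition of the rotation did not survive, it assumes the standard $R_z(\pi/2) = \mathrm{diag}(e^{-i\pi/4}, e^{i\pi/4})$, and the bit flip X is included only as a contrast case that is not one of the four operations listed above.

```python
import cmath
import math

# Basis index uses bit order (p, q, e): index = 4*p + 2*q + e.
Q_BIT, E_BIT = 0b010, 0b001

# Assumption: standard z-rotation by pi/2. Any operation that is diagonal in
# the computational basis gives the same outcome for this check.
RZ = [[cmath.exp(-1j * math.pi / 4), 0], [0, cmath.exp(1j * math.pi / 4)]]
I2 = [[1, 0], [0, 1]]
Z = [[1, 0], [0, -1]]
X = [[0, 1], [1, 0]]  # bit flip, contrast case only (not a protocol operation)


def matmul(a, b):
    """Product of two 2x2 matrices."""
    return [[sum(a[r][k] * b[k][c] for k in range(2)) for c in range(2)]
            for r in range(2)]


OPERATIONS = {"I": I2, "Z": Z, "RzI": matmul(RZ, I2), "RzZ": matmul(RZ, Z), "X": X}


def bell_pair_with_ancilla():
    """(|00> + |11>)/sqrt(2) on (p, q), with Eve's ancilla e in |0>."""
    state = [0j] * 8
    state[0b000] = state[0b110] = 1 / math.sqrt(2)
    return state


def cnot_q_controls_e(state):
    """Eve's Controlled-NOT: q is the control, e is the target."""
    out = [0j] * 8
    for idx, amp in enumerate(state):
        target = idx ^ E_BIT if idx & Q_BIT else idx
        out[target] += amp
    return out


def apply_to_q(state, u):
    """The participant's single-qubit operation u acting on photon q."""
    out = [0j] * 8
    for idx, amp in enumerate(state):
        q = 1 if idx & Q_BIT else 0
        for new_q in (0, 1):
            new_idx = (idx & ~Q_BIT) | (Q_BIT if new_q else 0)
            out[new_idx] += u[new_q][q] * amp
    return out


def ancilla_one_probability(op_name):
    """P(e = 1) after the sequence CNOT, participant's operation, CNOT."""
    state = cnot_q_controls_e(bell_pair_with_ancilla())
    state = apply_to_q(state, OPERATIONS[op_name])
    state = cnot_q_controls_e(state)
    return sum(abs(a) ** 2 for idx, a in enumerate(state) if idx & E_BIT)


if __name__ == "__main__":
    for name in OPERATIONS:
        print(f"{name:>3}: P(e = 1) = {ancilla_one_probability(name):.3f}")
```

For I, Z, RzI and RzZ the ancilla is left in $|0\rangle_e$ with certainty, so measuring it carries no information about which of them was applied; the X row only confirms that the simulated probe is not blind.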
Thirdly, let us discuss the trojan horse attack. The trojan horse attack is another common attack in travelling-mode MQKA protocols, which has been discussed in Li et al.'s protocol [41]. To prevent this type of attack, a participant can install some special quantum optical devices to detect the attack, such as the wavelength quantum filter to filter invisible photons and the photon number splitter (PNS) to discover the delay photons. If the multi-photon rate is unreasonably high, then such an attack can be detected.

(2019) 9:16421 | https://doi.org/10.1038/s41598-019-51987-z | www.nature.com/scientificreports
Fairness Analysis. Dishonest participants pose a greater threat to the security of the protocol than outside eavesdroppers. As we mentioned above, a dishonest participant can take an advantageous position or collaborate with others to predetermine the final key. In the following, we conduct a fairness analysis to show that our protocol can resist participant's attacks.
Let's discuss the first attack strategy. For the sake of convenience, we suppose there are only three participants Alice, Bob and Charlie, wherein Bob is dishonest. In step (5), Bob selects an advantageous geographical position beside Alice and Charlie so he can obtain Alice's and Charlie's controlling sequence $RH^{i}_{j}$ earlier than expected.
According to the controlling sequences, Bob can perform the operations to remove the additional controlling operations and perform Bell measurements to obtain the final key in advance. Then Bob wants to predetermine the final keys of Alice and Charlie by announcing incorrect controlling sequences to them. However, we require that each participant first announces the controlling sequence before they cooperate to choose photons for security checking, so this inevitably leads to the photon pairs for security checking in the DBS basis being measured in the BS basis and collapsing randomly into one of the four Bell states. Suppose the number of final keys which Bob wants to change is $m$, there is a  Table 2 (if the number $m$ is large enough). So the dishonest participant cannot predetermine the final keys of honest participants and the protocol can achieve the fairness property.
In the following, we analyze the collusive attack. The worst case is that only one participant is honest and all others are dishonest. Let's take three participants $P_1$, $P_2$ and $P_3$ for example, where $P_1$ and $P_3$ are dishonest. They want to predetermine $P_2$'s final key. The detailed attack strategies are as follows. $P_1$ prepares Bell states and sends the photon sequence $|BS^2_{1\to 2}\rangle$ to $P_2$. After $P_2$ completes his operations on the photon sequence $|BS^2_{1\to 2}\rangle$ and sends the sequence $|BS^2_{1\to 3}\rangle$ to $P_3$, $P_1$ and $P_3$ won't measure the Bell states until step (5), where each participant publishes his additional controlling sequence. After obtaining $P_2$'s controlling sequence $RH^{2}_{1}$, $P_1$ and $P_3$ can deduce $P_2$'s secret key $K_2$. However, the only method for $P_1$ and $P_3$ to determine the final key of $P_2$ is to announce fake controlling sequences to him. Based on the analysis of the first participant's attack strategy, we can conclude that the probability that they successfully pass the security checking and predetermine $P_2$'s final key is close to 0. Therefore $n-1$ dishonest participants cannot determine the final key. In summary, our proposed protocol can resist participant's attacks.
Information leakage analysis. In addition to the above attacks, information leakage should also be considered. In our protocol, only the controlling string $RH^{i}_{j}$ needs to be published in stage (5). Since $RH^{i}_{j}$ has nothing to do with the secret key, Eve can only guess that the operation performed by each participant is either $I$ or $Z$, which contains $-2 \times \frac{1}{2}\log_2\frac{1}{2} = 1$ bit of uncertain information for Eve. As a result, Eve cannot obtain any information about the secret key without taking any active attacks. The problem of information leakage does not exist in our protocol.
Efficiency analysis. In the following, we compare the proposed MQKA protocol with the existing four secure protocols, i.e., LGHW13 protocol [20], HSXL16 protocol [33], CM17 protocol [34] Table 3 shows the detailed comparison results between these four MQKA protocols and ours. The efficiency analysis is given as follows.

In our protocol, each participant prepares $l + kl$ photon pairs to establish an $l$-bit final key, wherein $kl$ bits are used for security detection. As only half of each photon sequence is transmitted in the quantum channel and $n$ participants are involved in our protocol, the total number of transmitted photons on the quantum channel is $n(l + kl)$. Hence, the qubit efficiency is Since there is only one eavesdropping detection for each participant, the number of measurements required in this protocol is greatly reduced. To establish an $l$-bit final key, each participant needs to perform $l + \frac{kl}{n}$ measurements. Therefore, the measurement efficiency of our protocol is The specific comparison results are shown in Fig. 2. As shown in the two subgraphs (a) and (b), the qubit efficiency of the improved protocol is no less than that of the existing secure protocols, and it has higher measurement efficiency. Although we increase the number of unitary operations in exchange for higher qubit efficiency and measurement efficiency, the unitary operations can be easily realized with the rapid development of quantum technology. Therefore our protocol is efficient and feasible.

Optical setup. As shown in Fig. 3, we design an optical setup for each participant. In the experiment, ultraviolet (UV) laser pulses pass through a BBO crystal to produce polarization-entangled photon pairs [42]. One photon of each pair can be first stored in $P_i$'s delay line and the other is sent to $P_{i+1}$. $P_i$ encodes his secret key and controlling information on the other participants' photon sequences by utilizing an electro-optic modulator [43] and sends the photon sequence to the next participant $P_{i+1}$. This process continues until $P_i$ receives the sequence which he generated. After offsetting the extra controlling operations on his second photon sequence by utilizing the electro-optic modulator, $P_i$ fetches the first photon sequence from the delay line and performs the Bell measurement [42] on the photon pairs. According to the measurement results and initial states, all participants can obtain the consistent final key.

Conclusion
In this paper, we find that some existing travelling-mode MQKA protocols are generally vulnerable to internal dishonest participants. Besides, we also find the problem of information leakage in the Cao-Ma MQKA protocol. We then take the Cao-Ma MQKA protocols as examples to illustrate these attacks in detail. To resist the attacks, we propose a robust travelling-mode MQKA protocol based on non-orthogonal Bell states. The analyses show that our protocol can resist both outside and participant's attacks and achieve higher efficiency. Finally, we design an optical platform for each participant, and show that our proposed protocol can be realized with feasible technologies.