Secure multiparty quantum key agreement against collusive attacks

Quantum key agreement enables remote participants to fairly establish a secure shared key based on their private inputs. In the circular-type multiparty quantum key agreement mode, two or more malicious participants can collude to steal the private inputs of honest participants or to generate the final key alone. In this work, we focus on a powerful collusive attack strategy in which two or more malicious participants in particular positions can learn sensitive information or generate the final key alone without revealing their malicious behaviour. Many of the current circular-type multiparty quantum key agreement protocols are not secure against this collusive attack strategy. As an example, we analyze the security of a recently proposed multiparty key agreement protocol to show the vulnerability of existing circular-type multiparty quantum key agreement protocols to this collusive attack. Moreover, we design a general secure multiparty key agreement model that removes this vulnerability from such circular-type key agreement protocols and describe the necessary steps to implement this model. The proposed model is general and does not depend on the specific physical implementation of the quantum key agreement.

www.nature.com/scientificreports/

a secure CT-MQKA protocol. In response to this question, several CT-MQKA protocols have been proposed to avoid collusive attacks. However, in this work, we show that many of the existing CT-MQKA protocols are also not secure against a collusive attack. As an example, we study the security of Sun et al.'s MQKA protocol [19] (called the SCWZ protocol hereafter) to show the vulnerability of the existing CT-MQKA protocols to collusive attacks. Furthermore, we design a general secure model for CT-MQKA protocols and propose the necessary steps for this model.

The insecurity of existing CT-MQKA protocols
In this section, we show that many of the recently published CT-MQKA works [19-21,25,26] are not secure against collusive attacks. In general, there are two main collusive attack strategies that can be applied to CT-MQKA protocols.

The first collusive attack strategy. The first collusive attack strategy was pointed out in [18,19]. Any two dishonest participants $P_i$ and $P_j$ (where $i > j$; $i, j \in \{1, 2, \ldots, n\}$ and $n$ is the number of participants) in particular positions in a circular-type protocol can control the final key if their positions meet the following two conditions:

(1) $i - j = \frac{n}{2}$ when $n$ is even, when $n$ is odd.

The second collusive attack strategy. The second collusive attack strategy can be described as follows. In the CT-MQKA schemes, any two dishonest participants $P_i$ and $P_j$ can steal the private inputs of an honest participant $P_k$ ($i, j, k \in \{1, 2, \ldots, n\}$) without being detected if their positions meet one of the following two conditions:

Note that in our previous work [8] we mentioned that two malicious users may try to deduce the private information of an honest one. In this work, however, we formulate and describe the general situation in which two dishonest participants can steal the private information of honest participants, as indicated in Eqs. (3) and (4).

Review of SCWZ's protocol.
In SCWZ's protocol [19], there are $n$ participants and each participant $P_i$ ($i = 1, 2, \ldots, n$) has an $m$-bit key $K_i$. The participants want to generate a shared secret key $K$ fairly, where $K = K_1 \oplus K_2 \oplus \cdots \oplus K_n$. The steps of the SCWZ protocol can be described as follows.

1) Preparation phase. The server generates $n$ sequences of random single photons. Each sequence $S_i$ ($i = 1, 2, \ldots, n$) contains $m$ single photons, and each photon is selected randomly from the four states $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$, where $|\pm\rangle = \frac{1}{\sqrt{2}}(|0\rangle \pm |1\rangle)$. The server also generates $n$ sequences of random single photons (called $C_i$), which are used as decoy photons to check for eavesdroppers. Each decoy photon is randomly selected from the states $\{|+\rangle, |-\rangle, |{+y}\rangle, |{-y}\rangle\}$, where $|{\pm y}\rangle = \frac{1}{\sqrt{2}}(|0\rangle \pm i|1\rangle)$. The server then randomly inserts the single photons of $C_i$ into $S_i$, obtaining a new sequence $S'_i$, and sends $S'_i$ to $P_i$.

2) Detection phase. Upon receiving $S'_i$, each participant sends an acknowledgment to the server. The server then announces the positions of $C_i$ and their measurement bases. Each $P_i$ measures $C_i$ in the corresponding bases and stores the results. $P_i$ then randomly announces half of the measurement results of $C_i$; the server, in turn, announces the initial states of the other half of $C_i$. Both the server and $P_i$ then collaborate to compute the error rate. They end the protocol if the error rate is higher than a predefined value; otherwise, they continue with the protocol.

3) After $P_i$ obtains the secure sequence $S_i$, each participant performs the following sub-steps:
A. Encoding phase. $P_i$ encodes the secret information $K_i$ onto $S_i$ by applying the unitary operation $U = |0\rangle\langle 1| - |1\rangle\langle 0|$ when the classical bit of $K_i$ is 1 and the unitary operation $I = |0\rangle\langle 0| + |1\rangle\langle 1|$ when the bit is 0. $P_i$ then reorders the decoy states that were prepared and inserted by the server in step (1), reinserts them at random positions into the encoded sequence, obtaining a new sequence $S_i^{i+1}$, and sends $S_i^{i+1}$ to $P_{i+1}$.
B. Eavesdropping check phase. Upon receiving $S_i^{i+1}$, $P_{i+1}$ and $P_i$ check the security of the transmission by performing the same process as in step (2) between the server and $P_i$.
C. Encoding phase. After checking the security of the transmission, $P_{i+1}$ encodes the secret information $K_{i+1}$ onto $S_i$ following the same rules as in sub-step (A). $P_{i+1}$ then reorders the decoy states, reinserts them at random positions into the encoded sequence, obtaining a new sequence $S_i^{i+2}$, and sends $S_i^{i+2}$ to $P_{i+2}$.
D. Similarly, the remaining participants ($P_{i+2}, P_{i+3}, \ldots, P_{i-2}$) perform the eavesdropping check phase and the encoding phase of sub-steps (B) and (C).
E. Upon receiving $S_i^{i-2}$, $P_{i-1}$ and $P_{i-2}$ check the security of the transmission. If the quantum channel between $P_{i-1}$ and $P_{i-2}$ is secure, $P_{i-2}$ discards the decoy photons to get $S_i$ and informs the server of this fact.

4) When all the $P_{i-1}$ receive $S_i$, they send an acknowledgment to the server, and the server announces the measurement bases of $S_i$ to all the $P_{i-1}$. After that, each $P_{i-1}$ uses the corresponding measurement bases to measure
Finally, $P_{i-1}$ can recover the final shared secret

The collusive attack against CT-MQKA protocols.
In this section, we show that SCWZ's protocol, as an example of CT-MQKA protocols, is insecure against a collusive attack. Although the authors of SCWZ's protocol presented a security analysis to prove their protocol secure against the first collusive attack strategy, their protocol is not secure against the second one. That is to say, any two dishonest participants $P_i$ and $P_j$ in particular positions meeting the conditions in Eqs. (3) and (4) can easily steal the private key of an honest participant $P_k$.
Without loss of generality, assume three participants $P_1$, $P_2$, and $P_3$ with private keys $K_1 = 1000$, $K_2 = 0101$, and $K_3 = 1001$, respectively, who intend to share a secret key $K = K_1 \oplus K_2 \oplus K_3 = 0100$. We also assume that $P_1$ and $P_3$ are dishonest and want to steal the private key of the honest participant $P_2$; hence they can deduce the final key without being caught.

In SCWZ's protocol, the server generates three random sequences, e.g., $S_1 = \{|+\rangle, |0\rangle, |1\rangle, |-\rangle\}$, $S_2 = \{|0\rangle, |1\rangle, |0\rangle, |1\rangle\}$, and $S_3 = \{|0\rangle, |+\rangle, |-\rangle, |1\rangle\}$, each consisting of four single photons. The server also generates three random sequences $C_1$, $C_2$, and $C_3$, each consisting of four decoy single-photon states. The server then randomly inserts the decoy states of $C_1$ ($C_2$/$C_3$) into $S_1$ ($S_2$/$S_3$) and sends the result to $P_1$ ($P_2$/$P_3$). After checking the security of the transmission, each participant discards the decoys and encodes her or his private information according to the encoding rule of Step 3.A. Subsequently, each participant sends the sequence around the circle to the other participants, who encode their private inputs, until the sequence returns to the originating participant.

For simplicity, we show here the circle of $S_1$ (Fig. 1a), which is used by participant $P_1$ to get the final key $K$. First, $P_1$ receives $S_1 = \{|+\rangle, |0\rangle, |1\rangle, |-\rangle\}$ from the server in order to encode her or his information and get the final key. Second, $P_1$ encodes the private input $K_1 = 1000$ into $S_1$, getting the new sequence $S_1 = \{U|+\rangle, I|0\rangle, I|1\rangle, I|-\rangle\}$. Third, $P_1$ inserts some decoy photons into $S_1$ and sends it to the dishonest $P_3$ instead of sending it to $P_2$. After checking the security of the transmission, $P_3$ discards the decoy states and gets $S_1 = \{U|+\rangle, I|0\rangle, I|1\rangle, I|-\rangle\}$. At the same time, the dishonest $P_1$ generates a counterfeit sequence, e.g., $S'_1 = \{|0\rangle, |0\rangle, |-\rangle, |+\rangle\}$, with decoy states and sends it to both $P_2$ and $P_3$. $P_1$ only tells $P_3$ that the sequence $S'_1$ is the counterfeit one. Since the honest participant $P_2$ knows neither $K_1 = 1000$ nor $S_1 = \{|+\rangle, |0\rangle, |1\rangle, |-\rangle\}$, she or he cannot know what the received new sequence should look like. Obviously, $P_2$ cannot distinguish between the genuine sequence and the counterfeit one. So, $P_2$ encodes the private data $K_2 = 0101$ into $S'_1$ and sends it with decoy states to $P_3$. After checking the security of the transmission, $P_3$ discards the decoy qubits and gets $S'_1$. $P_3$ then requests the corresponding measurement bases of $S'_1$ from $P_1$ to get $K_2 = 0101$. Based on her or his own private key $K_3 = 1001$ and the private key of $P_2$, $P_3$ applies the corresponding unitary operations to the genuine sequence $S_1 = \{U|+\rangle, I|0\rangle, I|1\rangle, I|-\rangle\}$, getting $S_1 = \{U(I(U|+\rangle)), I(U(I|0\rangle)), I(I(I|1\rangle)), U(U(I|-\rangle))\}$, and sends it to $P_1$. Then the participants announce to the server that the quantum channels are secure. Finally, the server announces the measurement bases of $S_1$ to $P_1$, thus enabling $P_1$ to get $K$.
Similarly, if $P_2$ and $P_3$ ($P_2$ and $P_1$) are the dishonest participants, they can steal the private key of the honest participant $P_1$ ($P_3$) in the circle of $S_2$ ($S_3$), as shown in Fig. 1b (Fig. 1c). By applying the same attack strategy, most of the existing CT-MQKA protocols [19-21,25,26] are vulnerable to this collusive attack.

In this section, we give a general secure model of CT-MQKA against the collusive attack described above. Although our protocol can be implemented with photons, we describe it here in more general terms. The idea of adopting a semi-honest client-server model (or a third party) has been used in many previous QKA protocols to ensure the security of communication [19,22,27-29]. Suppose we have $n$ participants who want to generate a shared secret key $K$ fairly, where $K = K_1 \oplus K_2 \oplus \cdots \oplus K_n$ has length $m$. Every participant $P_i$ selects a private random classical key $K'_i$ of length $m + nl$. Here, $l$ is the number of decoy states used for checking the security of a quantum channel, and $i = 1, 2, \ldots, n$.
The general steps of this secure CT-MQKA model can be described as follows:

Step (1) The server generates $n$ sequences $S_i$ ($i = 1, 2, \ldots, n$), each containing $m + nl$ single qubits. The server records the position of every single qubit. Every qubit is selected randomly from the four quantum states $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$, where $|\pm\rangle = \frac{1}{\sqrt{2}}(|0\rangle \pm |1\rangle)$.

Step (2) The server also generates an additional $n$ sequences of random single qubits (called $C_i$), which are used as decoy states to check for eavesdroppers. Every decoy qubit is randomly selected from the four quantum states $\{|+\rangle, |-\rangle, |0\rangle, |1\rangle\}$. The server inserts $C_i$ into $S_i$, producing a new sequence $S'_i$, and sends $S'_i$ to $P_i$.

Step (3) Upon receiving $S'_i$, every participant sends an acknowledgment to the server.

Step (4) In this step, the server announces the positions of $C_i$ and their measurement bases. Every $P_i$ measures $C_i$ in the corresponding bases and stores the results. $P_i$ randomly selects half of the qubits in $C_i$ and announces their measurement results to the server. The server, in turn, announces the initial states of the other half of $C_i$. Both the server and $P_i$ collaborate to compute the error rate. They end the protocol if the error rate is higher than a predefined value. Otherwise, $P_i$ discards $C_i$ from $S'_i$, getting $S_i$, and continues to Step (5).

Step (5) After each $P_i$ obtains the secure sequence $S_i$, the participants perform the following sub-steps.
a) Encoding phase. $P_i$ encodes her/his private key $K'_i$ onto $S_i$ according to the encoding rules in Table 1.
b) Detecting the external attack phase. To detect external eavesdroppers, $P_i$ generates a sequence of random single qubits $C_{p_i}$ as in Steps (1) and (2), which are used as decoy qubits to check for eavesdroppers on the quantum channel between $P_i$ and $P_{i+1}$ (note that the symbol "+" in "$i + 1$" denotes addition mod $n$). $P_i$ inserts $C_{p_i}$ into $S_i$, producing a new sequence $S_{i \to i+1}$, and sends $S_{i \to i+1}$ to $P_{i+1}$. As in Step (4), $P_i$ and $P_{i+1}$ share the information about $C_{p_i}$ and collaborate to compute the error rate. $P_i$ and $P_{i+1}$ end the protocol if the error rate is higher than a predefined value. Otherwise, $P_{i+1}$ discards $C_{p_i}$ from $S_{i \to i+1}$, obtaining $S_i$, and continues with the next process.
c) Detecting the internal attack phase. Upon confirming that the communication between $P_i$ and $P_{i+1}$ is secure against external attackers, the server randomly selects $l$ single qubits from $S_{i \to i+1}$ as decoy qubits by announcing their positions, and asks $P_i$ to publicly announce the unitary operations that were applied to these $l$ qubits. Subsequently, the server announces the measurement bases of the $l$ qubits to $P_{i+1}$, who measures the $l$ qubits in the corresponding bases. Based on the measurement results, the measurement bases, and the announced unitary operations, $P_{i+1}$ can judge whether the $l$ qubits are genuine or not. If not, $P_{i+1}$ ends the protocol. Otherwise, the participants do the following: i) $P_{i+1}$ discards the $l$ qubits selected by the server from $S_{i \to i+1}$; ii) the server also discards the corresponding $l$ qubits from $S_i$; iii) every $P_i$ discards the corresponding classical bits from her/his private key $K'_i$.
d) As in Step (5.a), $P_{i+1}$ encodes the secret information $K'_{i+1}$ onto $S_i$ and inserts some random decoy states $C_{p_{i+1}}$ into $S_{i \to i+1}$, producing $S_{i \to i+2}$. Afterwards, $P_{i+1}$ sends $S_{i \to i+2}$ to $P_{i+2}$.
e) Upon $P_{i+2}$ receiving $S_{i \to i+2}$, $P_{i+1}$ and $P_{i+2}$ collaborate to check the security of the communication by performing Steps (5.a)-(5.d).
f) $P_{i+2}$ encodes her or his information and sends the new sequence to the next participant. This process continues until $P_i$ receives the secure quantum message $S_{i \to i-1}$ from $P_{i-1}$; here, the symbol "−" in "$i - 1$" denotes subtraction mod $n$.

Step (6) When all $P_i$ receive $S_{i \to i-1}$, they discard the decoy qubits, getting $S_i$. Hence, each participant has dropped $nl$ classical bits from $K'_i$, getting $K_i$ of length $m$. After that, they send an acknowledgment to the server, and the server announces the measurement bases of $S_i$ to all $P_i$. Finally, every $P_i$ uses the corresponding measurement bases to measure $S_i$, obtaining $K$, where $K = K_1 \oplus K_2 \oplus \cdots \oplus K_n$.

Table 1. The encoding rules. The unitary operation $I$ represents 0 and the unitary operation $U$ represents 1.
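The model above, simulated for one circle of $S_1$ with three participants. This is an added example written for this page, not code from the original paper or its authors. Qubits are modelled as exact two-component state vectors, so measuring a basis eigenstate is deterministic and only a measurement in the wrong basis is random; the encoding operations are $I$ for bit 0 and $U = |0\rangle\langle 1| - |1\rangle\langle 0|$ for bit 1, as in Table 1. The sample values (the 12-qubit $S_1$ and the 12-bit keys $K'_1$, $K'_2$, $K'_3$) are the ones used in the illustration section of this page; everything else is this example's assumption: the server selects $l = 1$ qubit per hop, namely the last qubit of the current sequence, and at the end it is taken to announce each qubit's initial bit value together with its basis, which the text leaves implicit. The Step (5.c) check is also run against a substituted qubit to show what a mismatch looks like.

```python
"""One circle of the CT-MQKA model with the Step (5.c) genuineness check.
Added example for this page, not the paper's own code. Qubits are exact 2-vectors;
global phases are kept so that U|-> = -|+> appears exactly as in the text."""
import random
from math import sqrt

# The four preparation states used by the server (Step (1)).
ZERO = (1.0, 0.0)
ONE = (0.0, 1.0)
PLUS = (1 / sqrt(2), 1 / sqrt(2))
MINUS = (1 / sqrt(2), -1 / sqrt(2))

# Table 1: I encodes bit 0, U = |0><1| - |1><0| encodes bit 1.
I_OP = ((1.0, 0.0), (0.0, 1.0))
U_OP = ((0.0, 1.0), (-1.0, 0.0))


def apply(op, state):
    """Apply a 2x2 operator to a state vector (a, b)."""
    a, b = state
    return (op[0][0] * a + op[0][1] * b, op[1][0] * a + op[1][1] * b)


def basis_of(state):
    """'Z' for (a phase times) |0> or |1>, 'X' for |+> or |->; only these four occur here."""
    a, b = state
    return "Z" if abs(a) < 1e-9 or abs(b) < 1e-9 else "X"


def measure(state, basis, rng=None):
    """Born-rule measurement returning 0 or 1; deterministic for eigenstates of the basis."""
    a, b = state
    p0 = abs(a) ** 2 if basis == "Z" else abs(a + b) ** 2 / 2
    if p0 > 1 - 1e-9:
        return 0
    if p0 < 1e-9:
        return 1
    return 0 if rng.random() < p0 else 1


def genuineness_check(initial, announced_ops, received, rng=None):
    """Step (5.c): the receiver measures the selected qubit in the basis the server announces;
    the outcome must equal what the server's recorded initial state and the senders' announced
    operations predict. True means the qubit looks genuine."""
    predicted = initial
    for op in announced_ops:
        predicted = apply(op, predicted)
    basis = basis_of(initial)
    return measure(received, basis, rng) == measure(predicted, basis)


def run_circle(server_seq, keys, rng=None):
    """Circle of S_1: P_1 -> P_2 -> P_3 -> P_1. Each hop encodes the sender's key bits, then the
    server selects l = 1 qubit (the last one; assumption of this example), which is checked and
    dropped by everyone. Returns (recovered key, kept original positions), or None on a failed check."""
    rng = rng or random.Random(0)
    seq = list(server_seq)
    positions = list(range(len(seq)))   # server's record: original index of each remaining qubit
    applied = [[] for _ in server_seq]  # operations announced so far, per original position
    for sender in range(len(keys)):
        for idx, p in enumerate(positions):
            op = U_OP if keys[sender][p] == "1" else I_OP
            seq[idx] = apply(op, seq[idx])
            applied[p].append(op)
        idx = len(seq) - 1                  # the server's choice of check qubit
        p = positions[idx]
        if not genuineness_check(server_seq[p], applied[p], seq[idx], rng):
            return None                     # a non-genuine qubit aborts the protocol
        del seq[idx], positions[idx]        # i)-iii): this position is dropped everywhere
    # Step (6): measure in the announced basis; outcome XOR the initial bit value is the key bit
    # (assumption: the server announces the initial bit value along with the basis).
    bits = ""
    for q, p in zip(seq, positions):
        basis = basis_of(server_seq[p])
        bits += str(measure(q, basis, rng) ^ measure(server_seq[p], basis))
    return bits, positions


def xor_keys(keys, positions):
    """Reference value: bitwise XOR of all participants' keys at the kept positions."""
    return "".join(str(sum(int(k[p]) for k in keys) % 2) for p in positions)


def detection_rate(initial, announced_ops, counterfeit, trials=2000, seed=1):
    """Fraction of trials in which a substituted qubit fails the Step (5.c) check."""
    rng = random.Random(seed)
    misses = sum(not genuineness_check(initial, announced_ops, counterfeit, rng) for _ in range(trials))
    return misses / trials


# Constructed sample values, taken from the illustration section of the page.
S1 = [ZERO, ZERO, ZERO, ONE, ZERO, ZERO, ONE, ZERO, ONE, MINUS, PLUS, MINUS]
KEYS = ["000001101101", "111011101000", "110011010110"]

if __name__ == "__main__":
    key, kept = run_circle(S1, KEYS)
    print("recovered", key, "reference", xor_keys(KEYS, kept))
    # The last qubit of S1 is |->; P_1 applies U, so a genuine P_2 holds -|+>.
    print("genuine qubit:", detection_rate(MINUS, [U_OP], apply(U_OP, MINUS)))
    print("counterfeit |+> (same basis):", detection_rate(MINUS, [U_OP], apply(U_OP, PLUS)))
    print("counterfeit |0> (other basis):", detection_rate(MINUS, [U_OP], apply(U_OP, ZERO)))
```

The three checks drop the last three positions, so nine key bits survive and equal the XOR of the three 12-bit keys on those positions. A genuine qubit always passes; a substituted qubit in the same basis but with the other value always fails, and one prepared in the other basis gives a random outcome and is caught about half the time per checked qubit, which is why the model discards $l$ qubits on every hop rather than one in total.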

Illustration of the proposed protocol
For simplicity, suppose we have three participants $P_1$, $P_2$, and $P_3$ who want to generate a shared secret key $K = K_1 \oplus K_2 \oplus K_3$ of length $m$ (e.g., $m = 3$). $P_1$, $P_2$, and $P_3$ have three private keys $K'_1$, $K'_2$, and $K'_3$, respectively, of length $m + nl$, e.g., $m + nl = 3 + (3 \cdot 3) = 12$; here $nl$ is the number of decoy states used for checking the security of all quantum channels in one complete circle, and for the $n$ circles the length becomes $m + nl$. Here, there are three complete circles for three participants, and the number of decoy qubits for checking the security of all quantum channels is $n \cdot nl = 9l$. Also, we assume that $K'_1 = 000001101101$, $K'_2 = 111011101000$, and $K'_3 = 110011010110$. The server generates a sequence of 12 random quantum states (e.g., $S_1 = \{|0\rangle, |0\rangle, |0\rangle, |1\rangle, |0\rangle, |0\rangle, |1\rangle, |0\rangle, |1\rangle, |-\rangle, |+\rangle, |-\rangle\}$) for the first circle and sends it to $P_1$. $P_1$ checks the security of the transmission with the server as in Step (4). Based on her/his private data ($K'_1$), $P_1$ encodes $S_1$ as in Step (5.a). To secure the communication, $P_1$ inserts some decoy qubits into $S_{1 \to 2}$ and sends $S_{1 \to 2}$ to $P_2$. Subsequently, $P_2$ performs Step (5.b) to detect external attacks.

As in Step (5.c), the server chooses $l$ random states (e.g., $l = 1$) from $S_1$ and announces their position (e.g., the position of the last state in $S_1$) to $P_1$ and $P_2$. The server asks $P_1$ to announce the unitary operation that was applied to these $l$ states, and asks $P_2$ to announce the measurement result of the corresponding state in $S_{1 \to 2}$ (i.e., $-|+\rangle$). Based on the announced information ($|-\rangle$, $U$, $-|+\rangle$), the server can judge whether $P_2$ has received genuine information or not.

The updated private keys after completing one circle are as follows:
Finally, each participant can get the final key $K = K_1 \oplus K_2 \oplus K_3 = 000 \oplus 111 \oplus 110 = 001$. Note that for simplicity we assumed that the server always chooses the last qubit for checking the security of the communication; in practice the selected positions should be completely random.

Applying the proposed model to SCWZ's protocol.
Taking SCWZ's protocol [19] as an example, we show in this section how to address the vulnerability of CT-MQKA protocols to the collusive attack.
In SCWZ's protocol [19], there are $n$ participants and each participant $P_i$ ($i = 1, 2, \ldots, n$) has an $m$-bit key $K_i$. All participants want to fairly generate a shared secret key $K = K_1 \oplus K_2 \oplus \cdots \oplus K_n$. There is also a server that generates $n$ sequences of random single photons, each sequence $S_i$ containing $m$ random single photons. The server generates an additional $n$ sequences of random single photons ($C_i$), which are used as decoy photons to check for eavesdroppers.
Based on our proposed model, SCWZ's protocol should be modified as follows.
1) Each participant $P_i$ should prepare her/his private key $K_i$ with length $m + nl$.
2) The length of the quantum sequences generated by the server should also be $m + nl$.
3) As in Step (5.b), $P_i$ should generate a sequence of random single qubits $C_{p_i}$ to check the security of the quantum channel between the sender $P_i$ and the receiver $P_{i+1}$.
4) To detect the collusive attack, the server randomly selects $l$ single qubits from the $m + nl$ single qubits and uses them as decoy qubits to check the security of the quantum channel between every two participants, as proposed in Step (5.c).
5) All participants update their keys by discarding the classical bits corresponding to the single qubits that were used as decoy qubits.
The security analysis. This section presents detailed security analyses for both external eavesdropping and internal attacks.
Server's attack. In this work, we assume that the server is semi-honest. That is, it faithfully executes the operations delegated by the participants and does not collude with participants to steal sensitive information, but it may try to obtain the secret keys. Participants employ the decoy-photon method to secure the communication between every two participants. Hence, the server must adopt one of the external attack strategies if it wants to obtain sensitive information. However, we show in the "External attack" section that the proposed model is secure against external attacks. Accordingly, a malicious server may resort to guessing the required information or the final key, as follows:

a) Passing the security check. In Step (1), the server sends $S_i$ to $P_i$ as the initial quantum sequence for generating the final key. In Step (5), $P_i$ uses $S_i$ to encode her/his private data and inserts some decoy qubits for the security check before sending them to $P_{i+1}$. To pass the security check, the server must correctly guess the measurement bases of the decoy qubits and the initial bases in order to resend $P_i$'s qubits to $P_{i+1}$ without being caught. The probability of correctly guessing the measurement basis of a qubit is 50%, and the probability of correctly guessing an initial basis is also 50%. Therefore, the probability $pr$ of passing the eavesdropping check is

(9) $pr = pr_1 \times pr_2 \times \cdots \times pr_n =$

where $pr_i$ ($i = 1, 2, \ldots, n$) is the probability of correctly guessing the $i$th sequence of decoy qubits, and $l$ is the length of each decoy qubit sequence.

b) Guessing participants' private keys. Since $K = K_1 \oplus K_2 \oplus \cdots \oplus K_n$, the server needs to correctly guess all participants' private keys to get $K$. The probability $pr$ of correctly guessing the final key $K$ is as follows: here, $pr_i$ ($i = 1, 2, \ldots, n$) is the probability of correctly guessing $K_i$, and $l$ is the length of $K_i$.

c) Guessing the final key $K$. The server may try to guess the final key $K$ directly. In that case, the probability $pr$ is as follows: In Eqs. (9)-(11), if $l$ is large enough, the probability of guessing the final key or the required information is close to zero, i.e., negligible.

Collusive attack. A collusive attack is the most powerful internal attack, in which two or more dishonest participants collude to extract sensitive information or to generate the final key alone without revealing their malicious behaviour. In this section, we show that the proposed model is immune to collusive attacks, in the sense that any group of dishonest participants trying to perform a collusive attack (including the two attack strategies described in the section "The insecurity of existing CT-MQKA protocols") will be detected immediately.

qubits and asking the participants to divulge the related information. Accordingly, the protocol guarantees that the honest participant has received genuine data, and the dishonest participants cannot obtain useful information to generate the final key alone or to steal the private inputs of honest participants. Moreover, if the dishonest participants try to adopt guessing strategies, they will be detected with high probability, as indicated in Eqs. (9)-(11). Thus, the proposed model is secure against internal attacks.

Conclusion
In this work, we showed that most of the existing circular-type multiparty quantum key agreement protocols are insecure against a specific type of collusive attack. We analyzed the security of a recently proposed circular-type multiparty quantum key agreement protocol to demonstrate the vulnerability of such protocols. Then, we proposed a general secure quantum key agreement model to avoid the different types of collusive attacks. We showed that the proposed protocol generates the final key correctly and that it is secure against all known collusive attack strategies.