Modular network for high-rate quantum conferencing

One of the main open problems in quantum communication is the design of efficient quantum-secured networks. This is a challenging goal, because it requires protocols that guarantee both unconditional security and high communication rates, while increasing the number of users. In this scenario, continuous-variable systems provide an ideal platform where high rates can be achieved by using off-the-shelf optical components. At the same time, the measurement-device-independent architecture is also appealing because it removes a substantial portion of practical weaknesses. Driven by these ideas, here we introduce a modular design of a continuous-variable network where each individual module is a measurement-device-independent star network. In each module, the users send modulated coherent states to an untrusted relay, creating multipartite secret correlations via a generalized Bell detection. Using a one-time pad between different modules, the network users may share a quantum-secure conference key over arbitrary distances at constant rate.

The ability of modern society to move towards quantum communications depends on the capacity to realize quantum networks that can securely transmit and share information over long distances and among multiple users. The authors propose a protocol for a scalable quantum network made of modules, each based on continuous-variable measurement-device-independent quantum key distribution, allowing secure quantum conferencing among an arbitrary number of users.

In addition to point-to-point protocols, there has been effort towards network implementations [36][37][38]. An important step is the design of a scalable QKD network whose rate is high enough to compete with the classical infrastructure. Another feature to achieve is an end-to-end architecture where middle nodes may be untrusted. The first steps in this direction were taken in 2012 with the introduction of a swapping protocol based on an untrusted relay [39,40], a technique that became known as "measurement-device independence" (MDI), and recently extended to CV-QKD [41][42][43][44][45][46]. However, until today, MDI protocols have been limited to a small number of remote users, e.g., 2 in ref. 39, and 3 in ref. 47.
In this work we remove these limitations. In particular, we introduce a modular architecture that combines trusted and untrusted nodes, as well as quantum and classical communication methods, allowing secure quantum conferencing among an arbitrary number of users. At the core of our design there are MDI star-network modules, interconnected by shared nodes, which can run one-time pad protocols between different modules. Each module consists of a central (untrusted) relay performing a general $N$-mode Bell detection that allows an arbitrary number of users to share the same quantum conference key. The security of the protocol is first proven in the asymptotic limit of many signals exchanged, and then extended to the composable setting which incorporates finite-size effects. This modular design is scalable, because it allows us to increase arbitrarily the number of users and the achievable distance between them, while maintaining a high and constant rate. Moreover, it can be implemented using linear optical elements, and it allows extra modules to be added using only classical communication protocols. From this point of view the scheme is very flexible and represents a good prototype to be developed into a large-scale CV-QKD network.

Results
Modular network for quantum conferencing. In our modular architecture (see Fig. 1), each individual module is a star network running a multipartite MDI-QKD quantum conferencing protocol based on the generalization of symmetric CV-MDI-QKD [43]. Each star-network module $M_i$ is labeled by an index $i$ and hosts $N_i$ users. The generic user $k$ in module $M_i$ sends bright coherent states [4] $|\alpha_k^i\rangle$ to a central untrusted relay, whose amplitude $\alpha_k^i$ is Gaussianly modulated with variance $\mu_k^i$. With no loss of generality we may assume that $\mu_k^i$ is the same for any $k$, so that we may associate a single variance parameter $\mu_i$ to module $M_i$. The eavesdropping is assumed to be performed by entangling cloners [7], so that the link connecting the arbitrary user $k$ to the relay in module $M_i$ is described by two parameters: the transmissivity $\eta_k^i$ of the link, and its thermal noise $n_k^i$. Within module $M_i$ the untrusted relay performs a multipartite Bell detection on the incoming $N_i$ modes; this consists of a suitable cascade of beam-splitters followed by $N_i$ homodyne detections, as shown in Fig. 2. The homodynes on the left measure quadratures $q_2, \ldots, q_{N_i}$, while the single one on the right measures $p$. The outcomes of the measurements are combined into the global outcome $\gamma_i := (q_2, \ldots, q_{N_i}, p)$. After $\gamma_i$ is broadcast to the users of the module, their individual variables $\alpha_k^i$ share correlations that can be post-processed into a secret key $K_i$ via classical error correction and privacy amplification. All the users in module $M_i$ reconcile their data with respect to a trusted user which is shared with another module $M_j$.
To reduce the parameters of the problem we may introduce the minimum transmissivity $\eta_i = \min_{k \in [1, N_i]} \eta_k^i$ and maximum thermal noise $n_i = \max_{k \in [1, N_i]} n_k^i$ associated to module $M_i$. From a physical point of view this is a symmetrization of the star network to the worst-case scenario, assuming all its links to have the worst combination of parameters. This condition clearly provides a lower bound $K(\mu_i, N_i, \eta_i, n_i)$ to the actual key rate $K_i$ of the module. By optimizing over the Gaussian modulation, we may consider the value $K(N_i, \eta_i,$ Once each module has generated its key, the shared nodes run sessions of one-time pad where the keys from different modules are composed to generate a common key for all the network, with rate Therefore, the entire network can work at the rate of the least performing module. However, if this rate is high then the Lego-like structure of the network allows all the users to communicate at the same high rate no matter how far they are from each other (see Fig. 1).
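Added example (not from the paper): a minimal sketch of the one-time-pad composition step between modules. It assumes a linear chain of modules in which consecutive modules share one trusted user, and that the first module's key is the one relayed to the whole network; the function names and the byte-string keys are constructed for illustration.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings (one-time pad)."""
    if len(a) != len(b):
        raise ValueError("one-time pad needs equal-length operands")
    return bytes(x ^ y for x, y in zip(a, b))

def compose_network_key(module_keys):
    """Relay the first module's key through a chain of modules.

    module_keys[i] stands for the conference key K_i already shared by
    every user of module M_i (constructed sample data).
    Returns (network_key, public_pads, recovered_per_module).
    """
    # Modules produce key at different rates, so the common key is only
    # as long as the shortest module key (rate of the weakest module).
    length = min(len(k) for k in module_keys)
    keys = [k[:length] for k in module_keys]
    network_key = keys[0]

    public_pads = []            # everything sent on the classical channel
    recovered = [network_key]   # module 0 already holds the network key
    for i in range(1, len(keys)):
        # The trusted user shared by M_{i-1} and M_i knows the network key
        # (as a member of M_{i-1}) and K_i. It broadcasts the network key
        # encrypted under K_i; each K_i is consumed as a pad exactly once.
        pad = xor(network_key, keys[i])
        public_pads.append(pad)
        # Every user of M_i decrypts with the module key K_i.
        recovered.append(xor(pad, keys[i]))
    return network_key, public_pads, recovered

def demo():
    # Constructed keys: three modules that produced 32, 16 and 24 bytes.
    module_keys = [secrets.token_bytes(n) for n in (32, 16, 24)]
    return compose_network_key(module_keys)

if __name__ == "__main__":
    key, pads, recovered = demo()
    print("network key bytes:", len(key))
    print("all modules agree:", all(r == key for r in recovered))
```

The shared users must be trusted because they see the network key in the clear, which matches the paper's distinction between trusted shared nodes and untrusted relays.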
Detailed description of the MDI star-network module. In this section we describe the modus operandi of a single module. To simplify the notation we omit the label $i$. In a single module, we consider an arbitrary number $N$ of users (or "Bobs") sending Gaussian-modulated coherent states $|\alpha_k\rangle$ to a middle untrusted relay, as depicted in Fig. 2. Each of the coherent states is affected by a thermal-loss channel E modeled as a beam-splitter with transmissivity $\eta$ and thermal noise $n$, i.e., mixing the incoming signal with an environmental thermal state with $n$ mean photons. As explained before, we assume the worst-case scenario, so that $\eta$ is the minimum transmissivity of the links and $n$ is the maximum thermal noise. After the action of the channel E on each link, the states are detected by a multipartite $N$-mode Bell detection.
Fig. 1 Modular network for secure quantum conferencing. Each module $M_i$ is a continuous-variable (CV) measurement-device-independent (MDI) quantum key-distribution (QKD) star network, composed of a central untrusted relay and $N_i$ trusted users, whose connections are independently affected by loss and noise. Each module $M_i$ first runs an independent protocol of quantum conference key-agreement. Because two different modules have a shared trusted user, we may implement classical one-time pad sessions where the keys from each module are processed into a final common key for the entire network.
This detection consists of a suitable cascade of beam-splitters followed by $N$ homodyne detections. More precisely, we have a sequence of beam-splitters with increasing transmissivities $T_k = 1 - k^{-1}$ for $k = 2, \ldots, N$ as depicted in Fig. 2. Then, all the homodynes at the left measure the $q$-quadrature while the final one at the bottom measures the $p$-quadrature, with global outcome $\gamma := (q_2, \ldots, q_N, p)$ (see Supplementary Notes 1 and 2 for further description). One can check that this measurement ideally projects onto a displaced version of an asymptotic bosonic state $\Psi$ that realizes the multipartite Einstein-Podolsky-Rosen (EPR) conditions $\sum_{k=1}^{N} p_k = 0$ and $q_k - q_{k'} = 0$ for any $k, k' = 1, \ldots, N$.
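Added example (not from the paper): a numerical check that a cascade with $T_k = 1 - k^{-1}$ produces exactly the combinations behind the EPR conditions above. The wiring is an assumption, since Fig. 2 is not reproduced here: beam-splitter $k$ mixes the running output of the previous ones with the mode of user $k$, and the same real matrix acts on the $q$ and $p$ quadratures.

```python
import math

def bell_cascade(n_users):
    """Real N x N matrix mapping the users' modes to the detector modes.

    Row 0 is the mode reaching the p-homodyne; rows 1..N-1 are the modes
    reaching the q-homodynes (outcomes q_2..q_N). Assumed wiring:
    beam-splitter k mixes the running output with the mode of user k.
    """
    running = [1.0] + [0.0] * (n_users - 1)      # start from user 1
    q_rows = []
    for k in range(2, n_users + 1):
        t = 1.0 - 1.0 / k                        # T_k = 1 - 1/k from the text
        user = [1.0 if j == k - 1 else 0.0 for j in range(n_users)]
        rt, rr = math.sqrt(t), math.sqrt(1.0 - t)
        # One output port is tapped off to a q-homodyne ...
        q_rows.append([rr * a - rt * b for a, b in zip(running, user)])
        # ... the other carries on to the next beam-splitter.
        running = [rt * a + rr * b for a, b in zip(running, user)]
    return [running] + q_rows

def check_epr_structure(n_users, tol=1e-9):
    """Return (p_is_total_sum, q_are_differences, is_orthogonal)."""
    m = bell_cascade(n_users)
    w = 1.0 / math.sqrt(n_users)
    # p-port: equal weights, so it measures sum_k p_k up to a factor.
    p_ok = all(abs(c - w) < tol for c in m[0])
    # q-ports: weights sum to zero, so only differences q_k - q_k' enter.
    q_ok = all(abs(sum(row)) < tol for row in m[1:])
    # Passive linear optics: the matrix must be orthogonal.
    orth_ok = all(
        abs(sum(a * b for a, b in zip(m[i], m[j])) - (1.0 if i == j else 0.0)) < tol
        for i in range(n_users) for j in range(n_users)
    )
    return p_ok, q_ok, orth_ok

if __name__ == "__main__":
    for n in (2, 3, 10, 50):
        print(n, check_epr_structure(n))
```

Because the $N-1$ tapped rows are orthonormal and orthogonal to the all-ones direction, fixing all of them fixes every difference $q_k - q_{k'}$, while the last row fixes $\sum_k p_k$.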
After the classical outcome $\gamma$ is broadcast to the users, their individual variables $\alpha_k$ will share correlations which can be postprocessed into secret keys via error correction and privacy amplification. We may pick the shared trusted user as the one encoding the key, with all the others decoding it in direct reconciliation [7].
Entanglement-based representation. Let us write the network in entanglement-based representation. For each user, the coherent state $|\alpha\rangle$ can be generated by using a two-mode squeezed vacuum (TMSV) state $\Phi_{AB}$ where mode $B$ is subject to heterodyne detection. The random outcome $\beta$ of the detection is fully equivalent to preparing a coherent state on mode $A$ whose amplitude $\alpha$ is one-to-one with $\beta$ [41]. Recall that a TMSV state is a Gaussian state with covariance matrix (CM) [4] where parameter $\mu \geq 1$ quantifies the noise variance of each thermal mode. Up to factors [41], parameter $\mu$ also provides the variance of the Gaussian modulation of the coherent amplitude $\alpha$ on mode $A$ after heterodyning $B$.
Assume that the users have $N$ copies of the same TMSV state, whose $A$-part is sent to the relay through a communication channel E. Also assume that the CM of the two-mode state after the channel has the form Because we consider a thermal-loss channel with transmissivity $\eta$ and thermal noise $n$, we have . Then, after the Bell measurement and the communication of the outcome $\gamma$, the local modes $B := B_1 \ldots B_N$ are projected onto a symmetric $N$-mode Gaussian state with CM where we have set $\Gamma := (N^{-1} x^{-1} z^{2}) Z$, and Details on the derivation of Eq. (4) are given in the Supplementary Note 2. Note that the conditional state $\rho_{B_i B_j|\gamma}$ between any pair of Bobs $i$ and $j$ is Gaussian with CM For $N = 2$ this state describes the shared state in a standard CV-MDI-QKD protocol [41]. Assuming no thermal noise ($n = 0$), the state $\rho_{B_i B_j|\gamma}$ is always entangled and we may compute its relative entropy of entanglement (REE) $E_R(\rho_{B_1 B_2|\gamma})$ [48][49][50] using the formula for the relative entropy between Gaussian states [33,51]. This REE provides an upper bound to the rate achievable by any MDI-QKD protocol (DV or CV) based on a passive untrusted relay. For $N > 2$, one can check that the bipartite state $\rho_{B_i B_j|\gamma}$ may become separable when we decrease the transmissivity $\eta$, while it certainly remains discordant [52][53][54]. In the multi-user scenario, the security between two Bobs may still hold because the purification of their state is held partially by Eve and partially by the other Bobs, which play the role of trusted noise. In trusted-noise QKD we know that security does not rely on the presence of bipartite entanglement while quantum discord provides a necessary condition [55].
Key rate of a star-network module. Once $\gamma$ is received, the $i$th Bob heterodynes his local mode $B_i$ with random outcome $\beta_i$, which is one-to-one with an encoded amplitude $\alpha_i$ in the prepare and measure description. 7][58]. The subsequent heterodyne detection of mode $B_j$ generates an outcome $\beta_j$ which is one-to-one with an encoded $\alpha_j$. It is clear that the Bell detection at the relay and the local heterodyne measurements of the various Bobs all commute, so that we may change their time order in the security analysis of the protocol. Thus, we can derive the mutual information $I(\beta_i : \beta_j)$ between the two Bobs. Similarly, we may compute the Holevo information $\chi(\beta_i : E)$ between the $i$th Bob and an eavesdropper (Eve) performing a collective Gaussian attack [59][60][61] associated with the thermal-loss channels [4].
Fig. 2 Each Bob sends a Gaussian-modulated coherent state $|\alpha_k\rangle$ to an untrusted relay through a link which is described by a thermal-loss channel E with transmissivity $\eta$ and thermal noise $n$. At the relay, the incoming states are subject to a multipartite continuous-variable (CV) Bell detection, by using a cascade of beam-splitters with transmissivities $T_k = 1 - k^{-1}$ for $k = 2, \ldots, N$, followed by homodyne detectors in the $q$ or $p$ quadrature as shown in the figure. The global outcome $\gamma = (q_2, \ldots, q_N, p)$ is broadcast to the Bobs, so that a posteriori correlations are created in their local variables $\alpha_1, \ldots, \alpha_N$. These correlations are used to extract a secret key for quantum conferencing.
The expression $K = I(\beta_i : \beta_j) - \chi(\beta_i : E)$, which is a function of all the parameters of the protocol, provides the asymptotic rate of secret key generation between any pair of users (see Supplementary Note 3). This is a conferencing key shared among all Bobs; it can be optimized over $\mu$, and will depend on the number of Bobs $N$ besides the channel parameters $\eta$ and $n$. Assuming a standard optical fiber with attenuation of 0.2 dB per km, we can map the transmissivity into a fiber distance $d$, using $\eta := 10^{-0.02 d}$. Therefore, we have a rate of the form $K(\mu, N, d, n)$ which can be optimized over $\mu$ to give the maximal conferencing rate $K(N, d, n)$. The maximization over $\mu$ is required because for $N > 2$ the maximum rate is not obtained in the limit $\mu \gg 1$.
The conferencing rate is plotted in Fig. 3a for an MDI star network with an increasing number of users $N$. We compare the rates over the link-distance $d$ for different values of thermal noise $n$. As expected the rate decreases for increasing $N$. Despite this effect, our result shows that high-rate quantum conferencing is possible. For instance, in a star network with $N = 50$ users at $d \lesssim 40$ m from the central relay and thermal noise $n = 0.05$, the key rate may be greater than $\simeq 0.1$ bits per use. In Fig. 3b, we set $n = 0$ and plot the maximum distance for quantum conferencing versus the number of users, solving the equation $K(N, d, 0) = 0$. We see a trade-off between maximum distance and number of users. Despite this trade-off, we conclude that fiber-optic secure quantum conferencing between tens of users (belonging to a single star-network module) is indeed feasible within the typical perimeter of a large building.
Finite-size composable security. Within a module, consider a pair of Bobs, $i$ and $j$, with local variables $\beta_i$ and $\beta_j$ after heterodyne detection. They aim at generating a secret key by reconciling on $\beta_i$. The error correction routine is characterized by an error correction efficiency $\xi \in (0,1)$ [62,63], a residual probability of error $\delta_{EC}$, and an abort probability $1 - p > 0$. We also remark that $\beta_i$ must be mapped into a discrete variable $\beta_i$ taking $2^d$ values per quadrature.
Consider the mutual information $I(\beta_i : \beta_j)$ and Eve's Holevo bound $\chi(\beta_i : E)$ obtained from the reduced state of Eq. (6). Then, we have the following estimate for the $\delta$-secret key rate after $n$ uses of the module [46] where $\delta = \delta_s + \delta_{EC} + \delta_{PE}$, and Here the error term $\delta_s$ is the smoothing parameter of the smooth conditional min-entropy [46]. For the Holevo bound $\chi(\beta_i : E)$ we assume the worst-case value compatible with the experimental data, up to a probability smaller than $\delta_{PE}$. The rate $r_n^\delta$ is obtained conditioned on the protocol not aborting, and yields a $\delta$-secure key against collective Gaussian attacks.
The generalization to coherent attacks is obtained, as in ref. 46, by applying a Gaussian de Finetti reduction. We find that the asymptotic rates are approximately achieved for block sizes of $10^6$-$10^9$ data points depending on the loss and noise in the channels. Examples for $N = 3, 5, 10$ are described in Fig. 4.
The composable security analysis starts from a parameter estimation procedure. As mentioned above, in estimating the channel parameters, we adopt the worst-case scenario where we choose the largest possible value of the thermal noise in each channel, and the lowest available transmissivity, within the confidence intervals. This procedure may not be optimal at high loss, so that our estimates for the achievable communication distances are conservative. Alternative (better-performing) parameter estimation procedures, such as those described in refs. 64, 65, 66, could be adapted to our network model and further improve its performance.

Discussion
We have introduced a network for quantum conferencing where modules can be linked together to achieve constant high-rate secure communication over arbitrarily long distances. The design of each module is based on a CV-MDI star network with many users. Our analysis shows how the secret key-rate of each star network decreases by increasing the distance from the central relay and/or the number of users. In ideal conditions, we find that 50 users may privately communicate at more than 0.1 bit per use within a radius of 40 m, distance typical of a large building. With a clock of 25 MHz [67], this is a key rate of the order of 2.5 Mbits per second for all the users. The secret keys established in the
Fig. 4 ... 7) (bits per use) versus sample size $n$, for error correction efficiency $\xi = 98\%$ [62,63], success probability of the error correction routine $p = 0.9$, and security parameter $\delta < 10^{-20}$. The plot is obtained for a symmetric configuration with $N$ users at a distance of 0.18 km from the relay (assuming 0.2 dB loss per km and thermal noise of $n = 0.05$ photons). From top to bottom we consider $N = 3, 5, 10$

Fig. 3 Secret key rates and maximum distances for quantum conferencing. a We plot the conferencing key rate for a measurement-device-independent star network of $N = 2$ (black), 10 (gray), and 50 (red) users, as a function of the fiber distance $d$ and assuming thermal noise $n = 0$ (solid curves) and $n = 0.05$ (dashed curves). The top blue curve is the relative entropy of entanglement (REE) of the reduced bipartite state specified by Eq. (6), which upper bounds the maximal key rate achievable with standard continuous-variable measurement-device-independent quantum key distribution, CV-MDI-QKD ($N = 2$). b We plot the maximum fiber distance $d$ versus the number of users $N$ in a quantum conference