Privacy Preserving Quantum Anonymous Transmission via Entanglement Relay

Anonymous transmission is an interesting and crucial issue in the area of computer communication, and it plays a supplementary role to data privacy. In this paper, we put forward a privacy preserving quantum anonymous transmission protocol based on entanglement relay, which constructs anonymous entanglement from EPR pairs instead of multi-particle entangled states, e.g. GHZ states. Our protocol achieves both sender anonymity and receiver anonymity against an active adversary and tolerates any number of corrupt participants. Meanwhile, our protocol obtains an improvement in efficiency compared to quantum schemes in previous literature.

In fact, some work has been conducted to establish anonymous entanglement using fewer resources, based on single photons. In 2010, Wang et al. presented an excellent QAT scheme (WWZ10, ref. 21). They employ single photons to construct anonymous entanglement instead of multi-partite entangled states in their protocol. The WWZ10 scheme has the advantages of low photon cost and low communication complexity, and is thus "economical". Their solution requires only O(3) qubits to construct an anonymous entangled state, which is very economical and efficient. However, the scheme is vulnerable to a collusion attack. For example, if participant 1 and participant 3 collude with each other and one of them is notified to be the receiver, then they will get the identity of participant 2 with a certain probability. Another QAT scheme using single photons was proposed by Ronghua Shi et al. (ref. 22). They demonstrated an anonymous quantum communication (ACQ) via the nonmaximally entangled state (ref. 23) based on the dining cryptographer problem. However, their protocol also has a security loophole. Using the attacking method introduced in ref. 24, half of the secret bits of the sender in ref. 22 will be disclosed. This may suggest that single photons are not desirable resources to establish anonymous entanglement.
In this paper, we present a privacy preserving anonymous transmission protocol for quantum messages. In our protocol, we utilize EPR pairs to generate anonymous entanglement rather than using multi-particle entangled states. Our protocol achieves both sender anonymity and receiver anonymity against an active adversary and tolerates any number of corrupt participants. Thorough analysis and comparisons with other QAT protocols show that our protocol outperforms previous schemes in efficiency and conciseness.

Preliminaries
We consider the same scenario as in refs 16,19. Within a set of n participants that are consecutively numbered, the sender intends to transmit a private quantum message to the receiver while protecting the anonymity of both sender and receiver. For the sender, anonymity means that he is unknown to all other participants, i.e. even the receiver cannot get the identity of the sender; for the receiver, it means no one except the sender knows his identity. This setting can be regarded as an instance of Secure Multi-party Computation (SMC), so we review the two most commonly considered security models in SMC (ref. 25): an adversary controls and corrupts a portion of participants in either a passive or an active manner. In the passive model (also called semi-honest model or honest-but-curious model), corrupt participants follow the protocol honestly, but collude with each other by gathering all the information and then sharing it in order to get more information than their common inputs and outputs. In the active model (also called malicious model), corrupt participants may take active steps to disrupt the execution of the protocol. In our paper, we justify our protocol in the case of an active adversary and assume that the set of corrupt participants is fixed before the protocol starts (defined as non-adaptive).
We herein introduce two tools that are useful in the construction of our protocol. They are the anonymous broadcast of classical messages (ref. 14) and the notification protocol (ref. 20).

Theorem 1. (Anonymous broadcast, ref. 20) There are n participants within which one sender has a message msg to broadcast. There exists one anonymous broadcast protocol so that: (1) Everyone receives msg. (2) An adversary controlling t participants can correctly guess the identity of the sender with probability no larger than 1/(n − t). (3) Any disruption of the protocol will be detected.

Theorem 2. (Notification protocol, ref. 20) There exists a notification protocol in which any player can notify other players of his choice. Each player's output is one private bit specifying if he has been notified at least once; this value is correctly computed with probability exponentially close to 1.

In Theorem 1 and Theorem 2, classical broadcast channels are needed. According to ref. 20, there are generally two kinds of broadcast channels. The first one is the regular broadcast channel. It is an authentic broadcast channel for which the sender is sure that all participants obtain the same message and they are aware of who the sender is. The second kind is called the simultaneous broadcast channel. This is a collection of broadcast channels which prevents any participant's input from depending on any other participant's input. In the context of the present paper, we use broadcast channel to denote a regular classical broadcast channel.

Design of the QAT Protocol via Entanglement Relay
In our protocol, we make the same assumptions as those in ref. 19: a classical broadcast channel as well as a private authenticated quantum channel exists between each pair of participants.
Building Blocks. Our way of generating anonymous entanglement works like a relay. We suppose each participant holds one EPR pair at the beginning of the protocol (without loss of generality, we suppose all of the EPR pairs are in state $|\Phi^+\rangle$), as shown in phase 1 of Fig. 1. We use $P_u^v$ to indicate the related qubit, where $v = 1$ or $2$ is the first or second qubit of the EPR pair held by the $u$th participant. Now the relay starts.
A randomly chosen participant (here we designate the chosen one as $P_1$) transmits his second qubit ($P_1^2$) to his right-hand neighbor, who then performs a Bell-State Measurement (BSM) on $P_1^2$ and the first qubit of his EPR pair, $P_2^1$. This results in entanglement swapping (see phase 2) between the two Bell states held by $P_1$ and $P_2$. Similarly $P_2$ transmits $P_2^2$ to the next one, and this relay continues until $P_t^2$ ($t = s - 1$) reaches the sender $P_s$ (the receiver $P_r$'s behavior is identical to that of the sender $P_s$). $P_s$ not only performs a BSM on $P_t^2$ and $P_s^1$, but after the BSM he performs a C-NOT transformation on $P_s^2$ and an additional qubit $Q_a$ in state $|0\rangle$, where $P_s^2$ acts as the control qubit and $Q_a$ acts as the target qubit (phase 3 of Fig. 1).
It is clear that at the end of the relay, as shown in phase 4 of Fig. 1, the four separate qubits held by $P_1$, $P_s$, $P_r$ and $P_n$ stay in the state $|\Upsilon\rangle = \frac{1}{\sqrt{2}}(|0000\rangle + |1111\rangle)_{1abn}$, where b denotes the additional qubit introduced by the receiver. $P_1$ and $P_n$ then run the last step by measuring $P_1^1$ and $P_n^2$ in Hadamard basis respectively. This will cast $Q_a$ and $Q_b$ into $|\Phi^+\rangle$ (two measurement outcomes are identical) or $|\Phi^-\rangle$ (two measurement outcomes differ, and $|\Phi^-\rangle$ can be transformed into $|\Phi^+\rangle$ easily, see below), as shown in Eq. (1). Thus after this round of relay, we have successfully built one instance of anonymous entanglement $|AE\rangle = |\Phi^+\rangle$ between $P_s$ and $P_r$. Note that in the description above, different possible outcomes of BSM (entanglement swapping) may occur in each step of the relay. In order for the sender $P_s$ to transform the final Bell state to the desired $|\Phi^+\rangle$, we require that each participant anonymously broadcasts the outcome of his BSM. Then $P_s$ knows the final entangled state $|AE\rangle$, and corresponding unitary transformations can be performed on his qubit of $|AE\rangle$ to obtain $|\Phi^+\rangle$: where $\sigma_x$, $\sigma_z$ are Pauli operators. Protocol 1 gives a concise summary.

Scientific Reports | 6:26762 | DOI: 10.1038/srep26762

Protocol 1. Establishment of Anonymous Entanglement.
Goal: anonymously sharing $|\Phi^+\rangle$ between sender and receiver in a group of n members.
Requirements: each participant holds one EPR pair in $|\Phi^+\rangle$, a classical broadcast channel, C-NOT gate.

1. The n participants are ordered as $P_1, P_2, \ldots, P_n$. One participant is chosen randomly (assumed to be $P_1$) to initiate the protocol by sending his second qubit of $|\Phi^+\rangle$ to his right-hand neighbor.
2. Each participant performs the BSM in turn to realize entanglement swapping and continue the relay till the nth participant's operation. During this procedure, the sender $P_s$ (the same for receiver $P_r$) introduces an additional qubit Q in $|0\rangle$, and performs C-NOT on his second qubit (control qubit) and Q (target qubit) after his BSM.
3. Every participant (except $P_1$) anonymously broadcasts the outcome of his BSM. $P_s$ performs corresponding unitary transformations on Q.
4. $P_1$ and $P_n$ perform measurements in Hadamard basis, and broadcast the outcomes. If the two values differ, $P_s$ performs $\sigma_z$ on Q; otherwise he does nothing and the protocol completes.

In practice, to prevent malicious behavior by the adversary and corrupt participants, sender and receiver have to employ additional methods to protect their anonymity and data privacy. See Protocol 2.

Protocol 2. Malicious Act Detection.
Goal: Detecting malicious acts with probability exponentially close to 1.
Requirements: anonymous broadcast channel for classical messages.

For (α + β) instances of $|\Phi^+\rangle$ that need verifying:

1. $P_s$ and $P_r$ measure α pairs of $Q_a$ and $Q_b$ in Hadamard basis.
2. $P_s$ and $P_r$ measure β pairs of $Q_a$ and $Q_b$ in computational basis.
3. $P_s$ and $P_r$ publish the outcomes using the anonymous broadcast channel.
4. If different outcomes appear, then malicious acts have occurred, and the protocol aborts.

We can see the probability that a malicious act passes Protocol 2 without being detected is at most $1/2^{[\alpha,\beta]}$, where $[\alpha,\beta]$ means the smaller one of α and β. Actually, any type of deviation from $|\Phi^+\rangle$ can be detected effectively by Protocol 2, which will be explained in detail in the next section.
Protocol for QAT. Up to now, we have discussed all necessities of constructing a full protocol. We now present it in Protocol 3.

Protocol 3. Anonymous Transmission of Quantum Message.
Goal: Transmitting an m-qubit message from an anonymous sender to an anonymous receiver, protecting the privacy of the message.
Requirements: requirements in Protocols 1 and 2, Notification Protocol.

1. The sender $P_s$ notifies the receiver $P_r$ via the Notification Protocol.
2. Execute Protocol 1 for 2(m + k) times to share 2(m + k) instances of $|\Phi^+\rangle$ between $P_s$ and $P_r$ anonymously.
3. For these instances, execute Protocol 2. If the detection passes, the protocol continues; otherwise the protocol aborts and restarts. The protocol will be terminated if the number of abortions reaches a large enough predetermined parameter.
4. $P_s$ transmits the quantum message through teleportation using the m instances of $|\Phi^+\rangle$, and then anonymously broadcasts the teleportation bits.
5. $P_r$ reconstructs the quantum message. Then he anonymously broadcasts one bit to indicate whether or not the reconstruction has succeeded. If true, the protocol terminates successfully.
6. $P_r$ teleports the quantum state resulting from step 5 back to $P_s$ using the remaining m instances of $|\Phi^+\rangle$. Then he broadcasts the teleportation bits anonymously.
7. $P_s$ reconstructs the quantum message. The protocol completes.

Analysis and Proof
Security. From previous discussions, we can see that our protocol preserves the anonymity of sender and receiver while the privacy of the quantum message is also protected. Formally, we have the following conclusion:

Theorem 3. (Security) Protocol 3 tolerates any number of corrupt participants, no matter whether they are controlled by a passive or an active adversary. The anonymity of sender and receiver is perfectly protected. The privacy of the message is secure except with a negligible probability.

Proof. Obviously, if all the participants are honest, $|\Phi^+\rangle$ is faithfully and anonymously shared between sender and receiver, because there are no detectable differences between the behaviors of the anonymous sender $P_s$ and receiver $P_r$ and those of the other participants. This is true even in the presence of a passive adversary, since any number of honest-but-curious participants can never reveal the identity of $P_s$ and $P_r$, based on all the information they get (BSM outcomes, Hadamard measurement outcomes, etc.) during Protocol 1.
To accomplish the security proof, we will construct a corresponding simulator for each participant who attempts to deduce the identity of the sender or receiver. The general idea underlying the simulator method is that if a simulator for a player can emulate the execution of a protocol with only this player's input and the final output, then we can safely conclude that this protocol is secure against this player and he is not able to obtain more information about the other players' private data. This is because the simulator itself has no knowledge about those private data. For formal definitions of simulator, view and computational indistinguishability, we refer readers to ref. 26.
Let us start with sender anonymity. We need to present a simulator for the view of each party (except the sender). The simulator for participant $i$ ($i \neq s$) is denoted as $S_i$. On input $(u_i, v_i)$, where $u_i$ is the local input to participant $i$ other than the sender, and $v_i$ is his local output, $S_i$ selects uniformly and randomly a Bell state $t_i$ from the set , and outputs $(u_i, t_i)$. We now show that this output is distributed identically to the view of participant $i$. Note that the BSM outcome for participant $i$ is totally random and its value is taken from one of the four states $|\Phi^+\rangle$, $|\Phi^-\rangle$, $|\Psi^+\rangle$, and $|\Psi^-\rangle$ uniformly, therefore there is no method to distinguish between $v_i$ and $t_i$ (formally, we say that they are computationally indistinguishable). According to the basic idea of the simulator, we are convinced that the sender anonymity is protected in our scheme. Similarly, we can construct simulators to prove receiver anonymity. We omit it here for brevity. Till now, we know that Protocol 3 achieves both sender and receiver anonymity, and thus Theorem 3 holds. In the following, we give some typical attacking strategies that an adversary may adopt to demonstrate the correctness of Protocol 3.
A direct means of attack for a malicious participant $P_m$ is to also introduce an additional qubit and perform a C-NOT transformation to build a correlation with the anonymous entangled state $|AE\rangle$ shared by $P_s$ and $P_r$. Thus the final quantum system will be in the state $|M\rangle = \frac{1}{\sqrt{2}}(|000\rangle + |111\rangle)_{abm}$, where m indicates the additional qubit $Q_m$ introduced by $P_m$. $P_m$ thus may reveal the identity of $P_s$ or $P_r$. If $P_s$ later uses this state to transmit quantum messages via teleportation, we know that either $P_m$ or $P_r$ can reconstruct the initial message, which destroys the privacy of the message. In order to prevent this, we make a simple observation: in case $|AE\rangle = |\Phi^+\rangle$, if $P_s$ and $P_r$ measure $Q_a$ and $Q_b$ in Hadamard basis respectively, they always have the same outcomes because

Therefore, with a chance of 1/2, $P_s$ and $P_r$ will obtain different outcomes. If the participants run Protocol 1 for a sufficiently large number of rounds to generate a number of $|\Phi^+\rangle$ (possibly $|M\rangle$) between $P_s$ and $P_r$, they can then select a portion of them (e.g. k pairs) and perform measurement in Hadamard basis. After comparison (using anonymous broadcast) of the outcomes, they have a high probability ($1 - 1/2^k$) of detecting the malicious behavior. We would like to emphasize that no matter how many malicious participants apply this strategy, they would never succeed, because measurements of $Q_a$ and $Q_b$ are independent of the remaining qubits. Thus the increase of entangled particles makes no difference, as the malicious action will be caught with probability 1/2, and enough rounds of detection will bring the probability exponentially close to 1.
Another trick a malicious participant $P_m$ may play is to replace $P_m^2$ with one qubit of an EPR pair that is prepared by himself (Figs 2 and 3). Here we assume that $P_m$ is between $P_s$ and $P_r$, because both the case that $P_m$ is before $P_s$ and the case that $P_m$ is after $P_r$ would fall into the above discussion.
After the relay, there exist two instances of entanglement: one held by $P_1$, $P_s$ and $P_m$ in state $\frac{1}{\sqrt{2}}(|000\rangle + |111\rangle)_{1am}$; the other by $P_m$, $P_r$ and $P_n$ in state $\frac{1}{\sqrt{2}}(|000\rangle + |111\rangle)_{m'bn}$. Now, the qubits possessed by $P_s$ and $P_r$ are unrelated. However, if they measure in Hadamard basis as well, so long as inconsistency (different measurement outcomes) happens, they should know that malicious participants exist. Moreover, the probability of the inconsistency happening is also 1/2, which will render the detection probability exponentially close to 1 with sufficient trials.
Here we again place no limitation on the number of corrupt participants. This is because the final quantum system will always be in the two states shown above. The only difference is which participants get to keep them, besides $P_s$ and $P_r$. Thus the same detection applies naturally.
Previous discussions suffice in a standard SMC model. However, some participants are just so naughty that they broadcast false outcomes of their measurements to fool $P_s$ into performing an unnecessary unitary transformation, causing $|AE\rangle$ to differ from $|\Phi^+\rangle$. For example, suppose $P_s$, $P_r$, $P_{s-1}$ and $P_{r-1}$ all get $|\Phi^+\rangle$ in BSM, which means $|AE\rangle$ will also be in $|\Phi^+\rangle$ after $P_1$'s and $P_n$'s operations. However, $P_{r-1}$ broadcasts that he obtains $|\Psi^+\rangle$, which misleads sender and receiver into thinking that $|AE\rangle = |\Psi^+\rangle$. The sender will perform a $\sigma_x$ on his qubit that turns the genuine $|\Phi^+\rangle$ to $|\Psi^+\rangle$. Note that $|\Psi^+\rangle = \frac{1}{\sqrt{2}}(|01\rangle + |10\rangle) = \frac{1}{\sqrt{2}}(|{+}{+}\rangle - |{-}{-}\rangle)$. Therefore measurements in Hadamard basis will always lead to identical outcomes, which renders Protocol 2 futile. The solution lies in the fact that only $|\Phi^+\rangle$ results in identical measurement outcomes in both Hadamard basis and computational basis.
Hence, we can choose two subgroups of anonymous entangled states, then measure one group in Hadamard basis and the other in computational basis. As long as differences occur, malicious behavior is detected. Therefore, Protocol 2 can detect inconsistency with $|\Phi^+\rangle$, and the probability of success is exponentially close to 1. Thus any cheating strategy adopted by the adversary and the corrupt participants will be detected, which ensures the anonymity of sender and receiver. The quantum message remains private, and we teleport the message back to the sender when the receiver does not succeed in reconstructing it. This guarantees the state to be transmitted would never be destroyed even if the protocol aborts. Thus the privacy of the transmitted quantum message is also perfectly protected.
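The detection argument above can be checked numerically. The following is an added example, not code from the paper: it computes, for the honest state and the three tampered states discussed in this section, how often $Q_a$ and $Q_b$ disagree in each basis and the resulting chance of passing Protocol 2. The function names, the qubit ordering, and the assumption that every verified instance is in the same tampered state are choices made for this illustration.

```python
from math import sqrt

def ket(n, *bitstrings):
    """Equal-weight superposition of the listed n-qubit basis states."""
    state = [0.0] * (2 ** n)
    for b in bitstrings:
        state[int(b, 2)] = 1 / sqrt(len(bitstrings))
    return state

def hadamard(state, n, q):
    """Apply H to qubit q (0 = leftmost bit) of an n-qubit state vector."""
    mask = 1 << (n - 1 - q)
    out = [0.0] * len(state)
    for i, amp in enumerate(state):
        sign = -1.0 if i & mask else 1.0
        out[i & ~mask] += amp / sqrt(2)        # contribution to the |0> branch
        out[i | mask] += sign * amp / sqrt(2)  # contribution to the |1> branch
    return out

def mismatch_prob(state, n, qa, qb, basis):
    """Probability that measuring qubits qa and qb in `basis` gives different bits.

    basis "H" is the Hadamard basis (rotate with H, then read out);
    basis "Z" is the computational basis.
    """
    if basis == "H":
        state = hadamard(hadamard(state, n, qa), n, qb)
    p = 0.0
    for i, amp in enumerate(state):
        bit_a = (i >> (n - 1 - qa)) & 1
        bit_b = (i >> (n - 1 - qb)) & 1
        if bit_a != bit_b:
            p += abs(amp) ** 2
    return p

def pass_probability(state, n, qa, qb, alpha, beta):
    """Chance that alpha Hadamard checks and beta computational checks all agree.

    Assumption for this example: all alpha + beta instances are in `state`.
    """
    ok_h = 1 - mismatch_prob(state, n, qa, qb, "H")
    ok_z = 1 - mismatch_prob(state, n, qa, qb, "Z")
    return ok_h ** alpha * ok_z ** beta

# Constructed states: (state vector, qubit count, index of Q_a, index of Q_b).
SCENARIOS = {
    # Honest run: |Phi+> on (a, b).
    "honest": (ket(2, "00", "11"), 2, 0, 1),
    # Extra C-NOT by P_m: GHZ state |M> on (a, b, m).
    "ghz_tap": (ket(3, "000", "111"), 3, 0, 1),
    # False BSM broadcast makes the sender turn |Phi+> into |Psi+>.
    "false_broadcast": (ket(2, "01", "10"), 2, 0, 1),
    # EPR substitution: two separate GHZ states on (1, a, m) and (m', b, n).
    "substitution": (ket(6, "000000", "000111", "111000", "111111"), 6, 1, 4),
}

def report(alpha, beta):
    """Pass probability of Protocol 2 for every scenario."""
    return {name: pass_probability(*args, alpha, beta)
            for name, args in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (state, n, qa, qb) in SCENARIOS.items():
        print(name,
              "H mismatch:", round(mismatch_prob(state, n, qa, qb, "H"), 3),
              "Z mismatch:", round(mismatch_prob(state, n, qa, qb, "Z"), 3))
    print(report(alpha=8, beta=8))
```

Only the honest state agrees with certainty in both bases; the false-broadcast state is invisible to the Hadamard checks alone, which is why Protocol 2 needs the computational-basis subgroup as well.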
At last, let us consider an attack strategy by two corrupted participants. Let $P_i$, $P_j$ and $P_k$ be any three consecutive participants. Provided $P_i$ and $P_k$ are corrupted, they collude with each other by performing as follows: $P_i$ creates an EPR pair and sends one subsystem to $P_j$. $P_j$ does entanglement swapping (and applies the C-NOT provided he is the sender or receiver). $P_j$ broadcasts the measurement outcome and forwards the other particle to $P_k$. Now, provided $P_j$ is not sender or receiver, $P_i$ and $P_k$ will share an EPR pair (thanks to the result of $P_j$'s BSM they know which one). In case $P_j$ is sender or receiver, they will share a GHZ state (with $P_j$), again fully specified. Now it only suffices to repeat this a number of times and discriminate between EPR and GHZ state, which is possible using certain entanglement testing. The two corrupted participants hope to verify whether $P_j$ is a normal participant, or sender or receiver, via this strategy.
However, this strategy will not work either. Note that in the absence of this kind of attack, $P_s$ and $P_r$ will share a $|\Phi^+\rangle$ in a round of relay. In contrast, the introduction of a new EPR pair and the announcement of "fake" BSM outcomes by $P_i$ and $P_k$ will result in $Q_a$ and $Q_b$ being uncorrelated or in a state other than $|\Phi^+\rangle$. Like before, the malicious action will be detected by a number of verifications between $P_s$ and $P_r$. They will abort the current round of relay and restart the protocol. And, just as described in Protocol 3, the scheme will be terminated if the number of abortions reaches a predetermined parameter, which indicates too many malicious actions exist in the protocol. Moreover, consider the extreme situation where the number of corrupted participants reaches n − 2 (all except sender and receiver). Then they have no better method to distinguish between sender and receiver than by solely making a guess. Hence their chance of learning who is sender or receiver is not larger than 1/2.

Efficiency and Robustness.
In what follows we would like to discuss the efficiency and robustness of our scheme. In sharp contrast to previous protocols, the main quantum resources we utilize in our protocol are EPR pairs instead of generalized GHZ states. With present day techniques, multi-party entangled states are relatively difficult to realize. So far, the best work is done by W. B. Gao et al., whose group realized entanglement of ten photons (ref. 27). Thus, our protocol envisages an application in the near future. Meanwhile, our protocol itself costs far fewer qubits. Consider, for example, the Entanglement Verification process in ref. 19: each participant makes $(n-1)$ pseudo copies of his qubit. This simple operation would consume $n(n-1) = O(n^2)$ qubits. In our detection protocol, we make use of 2k instances of $|\Phi^+\rangle$, while the success probability approaches 1 exponentially with k. The major difference is that we only require sender and receiver to operate the detection (without compromising anonymity, of course), but in ref. 19, all the participants should be included in order to keep anonymity. Meanwhile, after one round of Protocol 1, every participant (except $P_1$ and $P_n$) still keeps one EPR pair because entanglement swapping leaves $P_{i-1}^2$ and $P_i^1$ in one of the four Bell states. Thus, the total number of EPR pairs we need in Protocol 3 is just $O(n)$. Moreover, ref. 19 takes advantage of a few sub-protocols that are complicated to run, e.g. quantum authentication. We only require anonymous broadcast and notification protocols in our proposal and this simplifies the execution of our protocol. Table 1 gives a comparison between several related protocols.
Note that ref. 19 utilizes several classical protocols proposed in ref. 20. These protocols share a common feature that a single corrupt participant can cause the protocol to abort, and this in return makes the protocol of ref. 19 prone to abort. Our protocol, however, takes advantage of a detection protocol which ensures that we terminate early in presence of malicious acts. If the detection passes, no disruption can cause the protocol to abort afterwards, except in the process of anonymous broadcast. However, we know from Theorem 2 that anyone who disrupts it will get caught and excluded in the next execution of the protocol. Thus our protocol stays more robust than ref. 19. Obviously, we also save time and the (quantum) resources used in the remaining steps of the protocol.
Nonetheless, we should pay attention to a problem that arises from step 3 in Protocol 3. As readers may have envisioned, how can $P_s$ and $P_r$ agree on which k of the $2(m+k)$ instances should be measured in Hadamard basis and which k instances should be measured in computational basis? If they choose completely at random, the probability that malicious participants are caught will be reduced dramatically. Moreover, in the worst case where not a single pair of choices accord, the detection protocol fails and there are only $2(m-k)$ instances of $|\Phi^+\rangle$ remaining. Our solution is to add one step of anonymous broadcast for $P_s$, during which he broadcasts his choices (say, the ... th in Computational basis). We can see this does work and does no harm to the anonymity of the sender. Other strategies are also possible. For example, each participant shares a string of bits with everyone else in advance indicating the agreement. We will not elaborate on this issue, so long as our solution can resolve this problem effectively.

Summary
In this paper, we have presented a privacy preserving protocol for the anonymous transmission of quantum messages, where EPR pairs are used to construct anonymous entanglement. We have shown that our protocol works more efficiently and robustly than protocols in prior literature.
So far, we have not discussed the case of multiple senders. Of course, strategies used in related literature, like collision detection (ref. 20), can be applied to our protocol naturally. However, as mentioned in ref. 19, collision detection may reveal information on the number of honest would-be senders. Thus we wish to find effective ways to handle this in the future, probably following the line of simultaneously sharing multiple instances of anonymous entanglement between different sender-receiver pairs. This will be our future work.

Table 1. Comparison between four QAT protocols, where ERR and QC are abbreviated for "entanglement resource required" and "qubits consumed", respectively.