Multiparty Quantum Key Agreement Based on Quantum Search Algorithm

Quantum key agreement is an important topic that the shared key must be negotiated equally by all participants, and any nontrivial subset of participants cannot fully determine the shared key. To date, the embed modes of subkey in all the previously proposed quantum key agreement protocols are based on either BB84 or entangled states. The research of the quantum key agreement protocol based on quantum search algorithms is still blank. In this paper, on the basis of investigating the properties of quantum search algorithms, we propose the first quantum key agreement protocol whose embed mode of subkey is based on a quantum search algorithm known as Grover’s algorithm. A novel example of protocols with 5 – party is presented. The efficiency analysis shows that our protocol is prior to existing MQKA protocols. Furthermore it is secure against both external attack and internal attacks.

Since the first quantum key distribution (QKD) protocol known as BB84 1 was proposed by Bennett and Brassard in 1984, quantum cryptography has been attracted more and more attention, and many kinds of schemes such as QKD [2][3][4] , quantum secret sharing (QSS) [5][6][7][8][9] , quantum direct communication(QDC) [10][11][12][13] , quantum privacy comparison (QPC) 14,15 , have been proposed. Especially, QKD has received wide attention because of its numerous applications in quantum communication. Different from the classic cryptography schemes, quantum protocols that are based on the principles of quantum mechanics, could provide unconditionally security. Hence, quantum cryptography is innately superior to the classic cryptography.
Anther very important topic named Quantum key agreement(QKA) [16][17][18][19][20][21][22][23][24][25][26][27][28][29] also received widespread concerns. Compared with QKD protocols in which one participant distributes a predetermined secret key to the other participants, QKA protocols require that all participants need to negotiate mutually and equally to derive a common secret key, and any nontrivial subset of participants could not fully determine the target key. Furthermore, any unauthorized users cannot extract the key through illegal means. Hence, the justice and fairness can be better reflected in the procession of QKA protocols because all participants are involved in the selection of the target key K and their contribution to it are equal. In 2004, the firstly QKA protocol (ZZX protocol) 16 based on Einstein -Podolsky -Rosen (EPR) pairs was proposed by Zhou, Zeng and Xiong. However, in 2009, Tsa and Hwang 17 pointed out that ZZX protocol is not a fair QKA because one party could fully determine the target key without being detected, and they proposed an improvement one (TH protocol) 18 . Unfortunately, TH protocol is also not a really QKA because the shared key is produced based on random measurement results without negotiation. In 2004, based on maximally entangled states, Hsueh and Chen also proposed a QKA protocol (HC protocol) 28 . In 2011, Chong, Tsai and Hwang 18 claimed that HC protocol is susceptible to eavesdropping attack and internal attacks. In 2010, Chong and Hwang proposed the first successful QKA protocol (CH protocol) 19 based on BB84 by using the technique of delayed measurement. In 2013, Liu, Gao, Huang and Wen proposed the first secure multiparty quantum key agreement (MQKA) protocol (LGHW protocol) 20 by utilizing single particles. In the same year, Sun, Zhang and Wang et al. 29 improved the LGHW protocol and the efficiency is improved obviously. Subsequently, several QKA and MQKA [21][22][23][24][25][26][27] protocols were proposed.
Furthermore, quantum search algorithms (QSA) 30 are also a research focus in quantum theory, and are famous for the Grover's algorithm. The target could be probabilistic found in an unsorted database by executing the Grover's algorithm which is faster than the best known classical search algorithms. Grover's algorithm plays an important role in quantum computation and quantum communication. Recently, based on the ideas of QSA, some quantum protocols, liking QSS 6 , QPC 14 and QDC 31,32 , have been proposed.
. Similarly to the cases w 1 = w 3 and w 2 = w 3 .
, and w 1 , w 2 and w 3 are different from each other, then |w 1 〉 , |w 2 〉 , |w 3 〉 and |w 4 〉 are orthogonal to each other because of the relation ⊕ ⊕ = w w w w 3 2 1 4 . In this case, we can get Hence, . We will give the proof by using the mathematical induction to the odd positive integer n.
(a) n = 1, the result is trivial. (b) Suppose that the result is correct in the case of n = k, where k is a positive odd integer. That is to say, . The correctness of Theorem 2 could be verified for each value of the tuples (w, v, w 0 , w 1 ) ∈ {00, 01, 10, 11} 4 one by one.
From Theorem 1 and Theorem 2, we can get Theorem 3 at once. (a) If w 1 = w 2 , the result is trivial.
, 01, 10, 11},then |w 1 〉 , |w 2 〉 , |w 3 〉 and |w 4 〉 are orthogonal to each other. In this case, we can get Now, we show that there exists w 0 ∈ {00, 01, 10, 11} such that Hence, we can select a proper w 0 ∈ {00, 01, 10, 11} such that , and we can easily get the relation ⊕ ⊕ = w w w w 2 1 0 from Table 1. The Proposed QKA Protocol. Suppose that there are N (N ≥ 2) participants P 0 , P 1 , P 2 , … , and P N−1 , and each of them generate a random sequence with length 2n as his or her secret key firstly. where the element . Next, P 0 , P 1 , P 2 , … , and P N−1 want to negotiate a common key Here, ⊕ denotes the bitwise Exclusive OR. Now, The detailed description of the proposed MQKA protocol can be seen in Fig. 1 and the following explanation.
The Detailed Description of MQKA.
Step 1 Initialization Phase. Each participant P i selects two random sequences S I and V I with length 2n, and prepares a two-particle quantum state sequence S i,i+1 according to the random sequence S I . with Different w, w 2 and w 1 . Figure 1. The performance of the proposed MQKA without considering eavesdropping checking. Each participant P i sends a random two-particle state sequence from the solid circle to the next participant, and with solid diamond as the end. After encoded by all other participants, the sequence is transmitted back to P i . can be seen in equation (1) 2 1 ,2 , and the resulted sequence be denoted as S i→i+1 . He also generates kn (k is the detection rate) decoy particles from {|0〉 , |1〉 } or {|+ 〉 , |− 〉 } randomly, and gets a new sequence ′ → + S i i 1 by inserting them into the sequence S i→i+1 . Meanwhile, P i records the initial states and corresponding positions of every checking particles, and then sends the sequence ′ → + S i i 1 to the next participant P i+1 ,where + denotes modulo N addition.
Step 2 Eavesdropping Checking Phase. After confirming that all P i+1 have received the sequence ′ → + S i i 1 , P i and P i+1 can calculate the error probability by comparing the measurement results with the initial states of decoy particles. If the error ratio exceeds the predetermined threshold value, P i declares that the communication is invalid. Otherwise, and the process continues to Step 3.
Step 3 Encoding Phase. By deleting the decoy states from ′ → + S i i 1 , P i+1 can get the sequence S i→i+1 . Then according to the private key K i+1 , P i+1 performs unitary operations 1,2 (t = 1, 2, … , n) on every two-particle state in S i→i+1 , and denotes the resulted sequence as S i→i+2 . Here the definition of can be seen in equation (2). Next, P i+1 will get a new sequence ′ → + S i i 1 by inserting the decoy particles into S i→i+2 similar to Step 1, and send it to P i+2 .
Step 4 Encoding Recursively Phase. After confirming that P i+2 have received the sequence ′ → + S i i 2 , P i+1 and P i+2 execute eavesdropping checking mentioned in Step 2. If the error ratio exceeds the predetermined threshold value, P i declares that the communication is invalid. Otherwise, the process continues. P i+2 execute Encoding Phase similar to P i+1 in Step3. P i+3 , … , P i−1 execute eavesdropping checking mentioned in Step 2 and Encoding Phase similar to P i+1 in Step3.
Step 5 Extracting Common Key Phase. When P i has received the sequence ′ → S i i from P i−1 , he firstly does eavesdropping checking with P i−1 . Then he will obtains the sequence S i→i by deleting the decoy particles from ′ → S i i . Next, P i performs unitary operation on the corresponding two-particle state in the sequence S i→i according the sequence ,2 . The 2n -bit sequence [K i ] is the target common key [K] of the N participants.

Correctness of The Proposed Protocol. Now, we show that
1 . In fact, the sequence W I defined in step 5 can be got by using Theorem 3 or Theorem 4 separately. Namely, after performed unitary operations − U S s i t s i t ,2 1 , ,2 on every two-particle state of sequence S i→i , the t-th two-particle state of the resulted sequence can be represented as i.e., P i , P i+1 , … , and P i−1 perform unitary operations defined by equation (2)  (i) If N is odd, then we can get the conclusion that the t -th two-particle state mentioned in (4) will be in {|00〉 , |01〉 , |10〉 , |11〉 }, and the state of (4) equals − w w i t i t ,2 1 ,2 by using Theorem 3. Furthermore, we can also get Then, (ii) If N is even, then we can get the conclusion that the t -th two-particle state mentioned in (4) will be in {|+ + 〉 , |− + 〉 , |+ − 〉 , |− − 〉 }, and the state of (4) equals − Sw w i t i t ,2 1 ,2 by using Theorem 4. Furthermore, we can also get Then, Hence, From (i) (ii), we can know that all participants obtain the target common key sequence successfully, i.e.
An Example of The Proposed Protocol with N = 5. In the following, we will give an example of five-party quantum key agreement protocol without considering eavesdropping checking. Suppose P 0 , P 1 , P 2 , P 3 , and P 4 want to negotiate a common sequence with length 6 as the target key. Firstly, they select their private key separately as follows. Next,they run the protocol.
Step 1 Initialization Phase. P i selects two random sequences V I and S I with length 2n, and prepares a two-particle quantum state sequence S i,i+1 according to the random sequence S I .   1, 2, 3), and the resulted sequence be denoted as S 0→1 . P 1 , P 2 , P 3 and P 4 perform the same operations similarly. P 0 (or P 1 or P 2 or P 3 or P 4 ) sends S 0→1 (or S 1→2 or S 2→3 or S 3→4 or S 4→0 ) to P 1 (or P 2 or P 3 or P 4 or P 0 ).
Step 2 Encoding Phase and Encoding Recursively Phase. P 1 (or P 2 or P 3 or P 4 or P 0 ) encodes S 0→1 (or S 1→2 or S 2→3 or S 3→4 or S 4→0 ) by using a unitary operation according to his private key. The encoding procession continues until P 0 has received the sequence S 0→0 Encoded by K 1 , K 2 , K 3 , and K 4 ) separately. S 0→0 , S 1→1 , S 2→2 , S 3→3 and S 4→4 can be represented as follows. Step 3 Extracting Common Key Phase. P 0 (or P 1 or P 2 or P 3 or P 4 ) performs unitary operations decided by S 0,1 (or S 1,2 or S 2,3 or S 3,4 or S 4,0 ) on S 0→0 (or S 1→1 or S 2→2 or S 3→3 or S 4→4 ), and takes measurements on every two-particle state of the resulted sequence with basis {|00〉 , |10〉 , |01〉 , |11〉 } because N = 5 is odd. Then the measurement results of P 0 (or P 1 or P 2 or P 3 or P 4 ) will be At last, P 0 computes , and it is easy to verif y that . P 1 , P 2 , P 3 and P 4 can also obtain the target common key sequence Security Analysis of The Proposed Protocol. In this section, we will show that the proposed MQKA protocol is secure against external and internal attacks. The external attacks contains intercept-resend attack and entangling attack. Without loss of generality, we only consider the circumstance that there are only three participants named P 0 , P 1 and P 2 in the proposed scheme, and it is similar to other cases. Here, we suppose that an eavesdropper named Eve wants to eavesdrop the target common key of P 0 , P 1 and P 2 without being detected. Firstly, let us discuss the intercept-resend attack. Suppose that P 0 prepares a two-particle quantum state sequence S 0→1 according to a random sequence S 0 with length 2n. P 0 inserts 2n decoy particles into it and sends the new sequence ′ → + S i i 1 to P 1 . If Eve intercepts the sequence and re-sends a fake sequence prepared beforehand instead of ′ → + S i i 1 , then she wants to obtain the operations performed by P 1 through the fake sequence. However, Eve will be detected with probability − ( ) 1 n 3 4 2 in the eavesdropping check phase by P 0 and P 1 because she does not know about the positions and basis of decoy particles. Hence, Eve will be detected with probability converging to 1 when n is large enough. Similar to the intercept-resend attack in the channel between P 1 and P 2 or P 2 and P 0 .
Secondly, let us discuss the entangling attack. Suppose Eve intercepts a transmitting particles to the sequence ′ → S 0 1 , and performs a unitary operation U e on the intercepted particles to entangle an ancillary particles |E〉 prepared beforehand. The unitary operation U e can be defined by the following equations: If the decoy particle belongs to {|0〉 , |1〉 }, in order to pass the eavesdropping checking phase, Eve has to set b = c = 0 which implies that a = d = 1. Then Eve cannot distinguish |e 00 〉 from |e 11 〉 , and cannot get any useful information. Hence the entangling attack cannot work in the proposed scheme.
Thirdly, let us discuss the internal attack. Without loss of generality, suppose the dishonest participants, P 1 and P 2 , want to cooperate to determine the target common key alone by illegal means. In the encoding procession P 0 → P 1 → P 2 → P 0 , P 0 does not leaks any information. In the encoding procession P 1 → P 2 → P 0 → P 1 , P 0 encodes the two-particle states by his private key in the last step, and meanwhile, he has already obtained the information of the ′ P s 1 and ′ P s 2 private keys from S 0→0 . So we only need to consider the encoding procession P 2 → P 0 → P 1 → P 2 . Firstly, P 2 sends S2 → 0 to P 0 . Meanwhile, he also sends his private information S 2 and V 2 to P 1 . Secondly, after the eavesdropping checking phase between P 0 and P 1 , P 1 perform unitary operations defined by equation (3) according to the ′ P s 2 private information S 2 . Next, P 1 takes measurements on the two-particle state in the resulted sequence with the basis |++〉 |−+〉 |+−〉 |−−〉 { , , , }. At last, P 1 eavesdrops ′ P s 1 private key successfully from the value of the measurement results, S 2 and V 2 . Even so, P 1 and P 2 still can not determine the target common key alone. In fact, it is obvious that the only way to the P 0 to get the target key sequence is to compute ⊕ ⊕ ⊕ W V K S 0 0 0 0 , and the information of V 0 and S 0 is only known to P 0 . Suppose that P 1 and P 2 embed new private key in the procession P 0 → P 1 → P 2 → P 0 , then the behavior of them only affects the value of W 0 because of that P 1 and P 2 know nothing about V 0 and S 0 . Therefore, the final key [K 0 ] of P 0 will be different from the final key [K 1 ] and [K 2 ]. Hence, P 0 , P 1 and P 2 can not obtain the target common key sequence. In a word, P 1 and P 2 cannot determine the target common key alone by illegal means, and the proposed protocol is secure against internal attack.
Efficiency Comparison with Existing Protocol. In this section, we will compare the proposed MQKA protocols with five existing MQKA protocols in the following four aspects: number of qubit measurements, number of unitary operations, qubit efficiency and security against internal attack. The five existing MQKA protocols are "LGHW protocol" 20 , "SZ protocol" 21 , "SZWYZL protocol" 26 , "SYW protocol" 28 , and "SZWLL protocol" 29 . The qubit efficiency can be defined as η = + , where c is the length of target common key sequence, q is the number of qubits used in transmission and security checking, and "b" is the number of used classical bits. We only compare the internal attack because the internal attackers are the most powerful attackers in the multi-party protocols usually. Suppose the five protocols just mentioned will produce 2 -bit target common key sequence, i.e., c = 2. The parameter comparison can be seen in Table 2.
(i) LGHW protocol. The protocol is secure from internal attack, because it is based on BB84 and all participants transmit their privacy secret only once. However, the efficiency is too low and the number of measurements is larger than others. is not good, and the number of measurements and unitary operations are also high. (iv) SYW protocol. The protocol is similar to SZWYZL protocol, so it is secure for internal attack. The parameters of efficiency, the number of measurements and unitary operations, are all better than SZWYZL protocol. (v) SZWLL protocol. The protocol is an improvement on LGHW protocol, and it is much more efficient than any other secure protocols. However, it is susceptible to internal attacks. Without loss of generality, we consider three-party protocol. Suppose the dishonest participants, P 1 and P 2 , want to cooperate to obtain the private key of P 0 . Consider the message encoding phase in the procession P 2 → P 0 → P 1 → P 2 . Firstly, P 2 pre-agreed a common final key [K] with P 1 , and tells the original state of each photon in the sequence S 2 to P 1 . Secondly, after eavesdropping check between P 1 and P 0 , P 1 takes measures on S 2 0 with basis {|0〉 , |1〉 }, and obtains the privacy k 0 according to S 2 . Thirdly, P 1 sends k 1 and k 0 to P 2 . At last, P 2 encodes S 0 1 according to ⊕ K k [ ] 1 . Hence, P 0 , P 1 and P 2 obtain the final key [K] only determined by P 1 and P 2 only. (vi) Our protocol. Firstly, our protocol is secure against internal attack. Secondly, The number of measurements is better than LGHW protocol and SZWYZL protocol, but worse than SYW protocol. The unitary operations is not better than LGHW protocol, SZWYZL protocol and SYW protocol. However, the efficiency of our protocol is better than any other secure protocols.