# Difference between revisions of "Anonymous Conference Key Agreement using GHZ states"

(Created page with "<!-- This is a comment. You can erase them or write below --> <!-- Intro: brief description of the protocol --> This [https://arxiv.org/abs/2007.07995 example protocol] achie...") |
m (Fixed section name) |
||

(2 intermediate revisions by the same user not shown) | |||

Line 2: | Line 2: | ||

<!-- Intro: brief description of the protocol --> | <!-- Intro: brief description of the protocol --> | ||

− | This [https://arxiv.org/abs/2007.07995 example protocol] achieves the functionality of quantum conference key agreement | + | This [https://arxiv.org/abs/2007.07995 example protocol] achieves the functionality of quantum conference key agreement. This protocol allows multiple parties in a quantum network to establish a shared secret key anonymously. |

<!--Tags: related pages or category --> | <!--Tags: related pages or category --> | ||

+ | '''Tags:''' [[:Category: Multi Party Protocols|Multi Party Protocols]], [[:Category: Quantum Enhanced Classical Functionality|Quantum Enhanced Classical Functionality]], [[:Category: Specific Task|Specific Task]] | ||

− | == | + | ==Requirements== |

<!-- It describes the setting in which the protocol will be successful. --> | <!-- It describes the setting in which the protocol will be successful. --> | ||

− | + | We require the following resources for this protocol: | |

+ | # A source of n-party GHZ states | ||

+ | # Private randomness sources | ||

+ | # A randomness source that is not associated with any party | ||

+ | # A classical broadcasting channel | ||

+ | # Pairwise private communication channels | ||

==Outline== | ==Outline== | ||

Line 20: | Line 26: | ||

==Notation== | ==Notation== | ||

<!-- Connects the non-mathematical outline with further sections. --> | <!-- Connects the non-mathematical outline with further sections. --> | ||

+ | *<math>n</math>: Total number of nodes in the network | ||

+ | |||

+ | *<math>m</math>: Number of receiving nodes | ||

+ | |||

+ | *<math>L</math>: Number of GHZ states used | ||

+ | |||

+ | *<math>D</math>: Security parameter; expected number of GHZ states used to establish one bit of key | ||

+ | *<math>k</math>-partite GHZ state: <math>\frac{1}{\sqrt{2}}(|0\rangle^{\otimes k} + |1\rangle^{\otimes k})</math> | ||

<!-- ==Knowledge Graph== --> | <!-- ==Knowledge Graph== --> | ||

<!-- Add this part if the protocol is already in the graph --> | <!-- Add this part if the protocol is already in the graph --> | ||

Line 44: | Line 58: | ||

===Protocol 2: Notification=== | ===Protocol 2: Notification=== | ||

+ | ''Input: '' Sender's choice of <math>m</math> receivers | ||

+ | |||

+ | ''Goal: '' The <math>m</math> receivers get notified | ||

+ | |||

+ | ''Requirements: '' Private pairwise classical communication channels and randomness sources | ||

+ | |||

+ | For agent <math>i = 1,...,n</math>: | ||

+ | # All agents <math>j \in \{1,...,n\}</math> do the following: | ||

+ | #* '''When agent <math>j</math> is the sender''': If <math>i</math> is not a receiver, the sender chooses <math>n</math> random bits <math>\{r_{j,k}^i\}_{k = 1}^n</math> such that <math>\bigoplus_{k=1}^n r_{j,k}^i = 0</math>. Otherwise, if <math>i</math> is a receiver, the sender chooses <math>n</math> random bits such that <math>\bigoplus_{k=1}^n r_{j,k}^i = 1</math>. The sender sends bit <math>r_{j,k}^i</math> to agent <math>k</math> | ||

+ | #* '''When agent <math>j</math> is not the sender''': The agent chooses <math>n</math> random bits <math>\{r_{j,k}^i\}_{k = 1}^n</math> such that <math>\bigoplus_{k=1}^n r_{j,k}^i = 0</math> and sends bit <math>r_{j,k}^i</math> to agent <math>k</math> | ||

+ | # All agents <math>k \in \{1,...,n\}</math> receive <math>\{r_{j,k}^i\}_{j = 1}^n</math>, and compute <math>z_k^i = \bigoplus_{j=1}^n r_{j,k}^i</math> and send it to agent <math>i</math> | ||

+ | # Agent <math>i</math> takes the received <math>\{z_k^i\}_{k=1}^n</math> to compute <math>z^i = \bigoplus_{k=1}^nz_k^i</math>. If <math>z^i = 1</math>, they are thereby notified to be a designated receiver. | ||

+ | |||

===Protocol 3: Anonymous Multiparty Entanglement=== | ===Protocol 3: Anonymous Multiparty Entanglement=== | ||

+ | ''Input: '' <math>n</math>-partite GHZ state <math>\frac{1}{\sqrt{2}}(|0\rangle^{\otimes n} + |1\rangle^{\otimes n})</math> | ||

+ | |||

+ | ''Output: '' <math>(m+1)</math>-partite GHZ state <math>\frac{1}{\sqrt{2}}(|0\rangle^{\otimes (m+1)} + |1\rangle^{\otimes (m+1)})</math> shared between the sender and receivers | ||

+ | |||

+ | ''Requirements: '' A broadcast channel; private randomness sources | ||

+ | |||

+ | # Sender and receivers draw a random bit each. Everyone else measures their qubits in the X-basis, yielding a measurement outcome bit <math>x_i</math> | ||

+ | # All parties broadcast their bits in a random order, or if possible, simultaneously. | ||

+ | # The sender applies a Z gate to their qubit if the parity of the non-participating parties' bits is odd. | ||

===Protocol 4: Verification=== | ===Protocol 4: Verification=== | ||

+ | |||

+ | ''Input: '' A verifier V; a shared state between <math>k</math> parties | ||

+ | |||

+ | ''Goal: '' Verification or rejection of the shared state as the GHZ<math>_k</math> state by V | ||

+ | |||

+ | ''Requirements: '' Private randomness sources; a classical broadcasting channel | ||

+ | |||

+ | # Everyone but V draws a random bit <math>b_i</math> and measures in the X or Y basis if their bit equals 0 or 1 respectively, obtaining a measurement outcome <math>m_i</math>. V chooses both bits at random | ||

+ | # Everyone (including V) broadcasts <math>(b_i,m_i)</math> | ||

+ | # V resets her bit such that <math>\sum_ib_i = 0 (</math>mod <math>2)</math>. She measures in the X or Y basis if her bit equals 0 or 1 respectively, thereby also resetting her <math>m_i = m_v</math> | ||

+ | # V accepts the state if and only if <math>\sum_im_i = \frac{1}{2}\sum_ib_i (</math>mod <math>2)</math> | ||

==Properties== | ==Properties== | ||

<!-- important information on the protocol: parameters (threshold values), security claim, success probability... --> | <!-- important information on the protocol: parameters (threshold values), security claim, success probability... --> | ||

− | + | * Protocol 1 has an asymptotic key rate of <math>\frac{L}{D}</math> | |

− | + | * This protocol satisfies the following notions of anonymity: | |

− | < | + | ** '''Sender Anonymity''': A protocol allows a sender to remain anonymous sending a message to <math>m</math> receivers, if an adversary who corrupts <math>t \leq n-2 </math> players, cannot guess the identity of the sender with probability higher than <math> \frac{1}{n-t}</math> |

+ | ** '''Receiver Anonymity''': A protocol allows a receiver to remain anonymous receiving a message, if an adversary who corrupts <math>t \leq n-2 </math> players, cannot guess the identity of the receiver with probability higher than <math> \frac{1}{n-t}</math> | ||

+ | * Error correction and privacy amplification must be carried out anonymously and are not considered in the analysis of this protocol. | ||

==References== | ==References== | ||

+ | * The protocols and their security analysis, along with an experimental implementation for <math>n = 4</math> can be found in [https://arxiv.org/abs/2007.07995 Hahn et al.(2020)] | ||

+ | <div style='text-align: right;'>''*contributed by Chirag Wadhwa''</div> |

## Latest revision as of 20:45, 19 January 2022

This example protocol achieves the functionality of quantum conference key agreement. This protocol allows multiple parties in a quantum network to establish a shared secret key anonymously.

**Tags:** Multi Party Protocols, Quantum Enhanced Classical Functionality, Specific Task

## Contents

## Requirements[edit]

We require the following resources for this protocol:

- A source of n-party GHZ states
- Private randomness sources
- A randomness source that is not associated with any party
- A classical broadcasting channel
- Pairwise private communication channels

## Outline[edit]

- First, the sender notifies each receiver in the network anonymously
- The entanglement source generates and distributes sufficient GHZ states to all nodes in the network
- The GHZ states are distilled to establish multipartite entanglement shared only by the participating parties (the sender and receivers)
- Each GHZ state is randomly chosen to be used for either Verification or Key Generation. For Key Generation rounds, a single bit of the key is established using one GHZ state by measuring in the Z-basis
- If the sender is content with the Verification results, they can anonymously validate the protocol and conclude that the key has been established successfully.

## Notation[edit]

- : Total number of nodes in the network

- : Number of receiving nodes

- : Number of GHZ states used

- : Security parameter; expected number of GHZ states used to establish one bit of key

- -partite GHZ state:

## Protocol Description[edit]

### Protocol 1: Anonymous Verifiable Conference Key Agreement[edit]

*Input*: Parameters and

*Requirements*: A source of n-party GHZ states; private randomness sources; a randomness source that is not associated with any party; a classical broadcasting channel; pairwise private communication channels

*Goal*: Anonymoous generation of key between sender and receivers

- The sender notifies the receivers by running the
*Notification*protocol - The source generates and shares GHZ states
- The parties run the
*Anonymous Multipartite Entanglement*protocol on the GHZ states - For each -partite GHZ state, the parties do the following:
- They ask a source of randomness to broadcast a bit such that Pr
**Verification round:**If b = 0, the sender runs*Verification*as verifier on the state corresponding to that round, while only considering the announcements of the receivers. The remaining parties announce random values.**KeyGen round:**If b = 1, the sender and receivers measure in the Z-basis.

- If the sender is content with the checks of the
*Verification*protocol, they can anonymously validate the protocol

### Protocol 2: Notification[edit]

*Input: * Sender's choice of receivers

*Goal: * The receivers get notified

*Requirements: * Private pairwise classical communication channels and randomness sources

For agent :

- All agents do the following:
**When agent is the sender**: If is not a receiver, the sender chooses random bits such that . Otherwise, if is a receiver, the sender chooses random bits such that . The sender sends bit to agent**When agent is not the sender**: The agent chooses random bits such that and sends bit to agent

- All agents receive , and compute and send it to agent
- Agent takes the received to compute . If , they are thereby notified to be a designated receiver.

### Protocol 3: Anonymous Multiparty Entanglement[edit]

*Input: * -partite GHZ state

*Output: * -partite GHZ state shared between the sender and receivers

*Requirements: * A broadcast channel; private randomness sources

- Sender and receivers draw a random bit each. Everyone else measures their qubits in the X-basis, yielding a measurement outcome bit
- All parties broadcast their bits in a random order, or if possible, simultaneously.
- The sender applies a Z gate to their qubit if the parity of the non-participating parties' bits is odd.

### Protocol 4: Verification[edit]

*Input: * A verifier V; a shared state between parties

*Goal: * Verification or rejection of the shared state as the GHZ state by V

*Requirements: * Private randomness sources; a classical broadcasting channel

- Everyone but V draws a random bit and measures in the X or Y basis if their bit equals 0 or 1 respectively, obtaining a measurement outcome . V chooses both bits at random
- Everyone (including V) broadcasts
- V resets her bit such that mod . She measures in the X or Y basis if her bit equals 0 or 1 respectively, thereby also resetting her
- V accepts the state if and only if mod

## Properties[edit]

- Protocol 1 has an asymptotic key rate of
- This protocol satisfies the following notions of anonymity:
**Sender Anonymity**: A protocol allows a sender to remain anonymous sending a message to receivers, if an adversary who corrupts players, cannot guess the identity of the sender with probability higher than**Receiver Anonymity**: A protocol allows a receiver to remain anonymous receiving a message, if an adversary who corrupts players, cannot guess the identity of the receiver with probability higher than

- Error correction and privacy amplification must be carried out anonymously and are not considered in the analysis of this protocol.

## References[edit]

- The protocols and their security analysis, along with an experimental implementation for can be found in Hahn et al.(2020)

**contributed by Chirag Wadhwa*