# Difference between revisions of "Anonymous Conference Key Agreement using GHZ states"

This example protocol achieves the functionality of quantum conference key agreement. This protocol allows multiple parties in a quantum network to establish a shared secret key anonymously.

## Requirements

We require the following resources for this protocol:

1. A source of n-party GHZ states
2. Private randomness sources
3. A randomness source that is not associated with any party
5. Pairwise private communication channels

## Outline

• First, the sender notifies each receiver in the network anonymously
• The entanglement source generates and distributes sufficient GHZ states to all nodes in the network
• The GHZ states are distilled to establish multipartite entanglement shared only by the participating parties (the sender and receivers)
• Each GHZ state is randomly chosen to be used for either Verification or Key Generation. For Key Generation rounds, a single bit of the key is established using one GHZ state by measuring in the Z-basis
• If the sender is content with the Verification results, they can anonymously validate the protocol and conclude that the key has been established successfully.

## Notation

• ${\displaystyle n}$: Total number of nodes in the network
• ${\displaystyle m}$: Number of receiving nodes
• ${\displaystyle L}$: Number of GHZ states used
• ${\displaystyle D}$: Security parameter; expected number of GHZ states used to establish one bit of key
• ${\displaystyle k}$-partite GHZ state: ${\displaystyle {\frac {1}{\sqrt {2}}}(|0\rangle ^{\otimes k}+|1\rangle ^{\otimes k})}$

## Protocol Description

### Protocol 1: Anonymous Verifiable Conference Key Agreement

Input: Parameters ${\displaystyle L}$ and ${\displaystyle D}$

Requirements: A source of n-party GHZ states; private randomness sources; a randomness source that is not associated with any party; a classical broadcasting channel; pairwise private communication channels

Goal: Anonymoous generation of key between sender and ${\displaystyle m}$ receivers

1. The sender notifies the ${\displaystyle m}$ receivers by running the Notification protocol
2. The source generates and shares ${\displaystyle L}$ GHZ states
3. The parties run the Anonymous Multipartite Entanglement protocol on the GHZ states
4. For each ${\displaystyle (m+1)}$-partite GHZ state, the parties do the following:
• They ask a source of randomness to broadcast a bit ${\displaystyle b}$ such that Pr${\displaystyle [b=1]={\frac {1}{D}}}$
• Verification round: If b = 0, the sender runs Verification as verifier on the state corresponding to that round, while only considering the announcements of the ${\displaystyle m}$ receivers. The remaining parties announce random values.
• KeyGen round: If b = 1, the sender and receivers measure in the Z-basis.
5. If the sender is content with the checks of the Verification protocol, they can anonymously validate the protocol

Input: Sender's choice of ${\displaystyle m}$ receivers

Goal: The ${\displaystyle m}$ receivers get notified

Requirements: Private pairwise classical communication channels and randomness sources

For agent ${\displaystyle i=1,...,n}$:

1. All agents ${\displaystyle j\in \{1,...,n\}}$ do the following:
• When agent ${\displaystyle j}$ is the sender: If ${\displaystyle i}$ is not a receiver, the sender chooses ${\displaystyle n}$ random bits ${\displaystyle \{r_{j,k}^{i}\}_{k=1}^{n}}$ such that ${\displaystyle \bigoplus _{k=1}^{n}r_{j,k}^{i}=0}$. Otherwise, if ${\displaystyle i}$ is a receiver, the sender chooses ${\displaystyle n}$ random bits such that ${\displaystyle \bigoplus _{k=1}^{n}r_{j,k}^{i}=1}$. The sender sends bit ${\displaystyle r_{j,k}^{i}}$ to agent ${\displaystyle k}$
• When agent ${\displaystyle j}$ is not the sender: The agent chooses ${\displaystyle n}$ random bits ${\displaystyle \{r_{j,k}^{i}\}_{k=1}^{n}}$ such that ${\displaystyle \bigoplus _{k=1}^{n}r_{j,k}^{i}=0}$ and sends bit ${\displaystyle r_{j,k}^{i}}$ to agent ${\displaystyle k}$
2. All agents ${\displaystyle k\in \{1,...,n\}}$ receive ${\displaystyle \{r_{j,k}^{i}\}_{j=1}^{n}}$, and compute ${\displaystyle z_{k}^{i}=\bigoplus _{j=1}^{n}r_{j,k}^{i}}$ and send it to agent ${\displaystyle i}$
3. Agent ${\displaystyle i}$ takes the received ${\displaystyle \{z_{k}^{i}\}_{k=1}^{n}}$ to compute ${\displaystyle z^{i}=\bigoplus _{k=1}^{n}z_{k}^{i}}$. If ${\displaystyle z^{i}=1}$, they are thereby notified to be a designated receiver.

### Protocol 3: Anonymous Multiparty Entanglement

Input: ${\displaystyle n}$-partite GHZ state ${\displaystyle {\frac {1}{\sqrt {2}}}(|0\rangle ^{\otimes n}+|1\rangle ^{\otimes n})}$

Output: ${\displaystyle (m+1)}$-partite GHZ state ${\displaystyle {\frac {1}{\sqrt {2}}}(|0\rangle ^{\otimes (m+1)}+|1\rangle ^{\otimes (m+1)})}$ shared between the sender and receivers

Requirements: A broadcast channel; private randomness sources

1. Sender and receivers draw a random bit each. Everyone else measures their qubits in the X-basis, yielding a measurement outcome bit ${\displaystyle x_{i}}$
2. All parties broadcast their bits in a random order, or if possible, simultaneously.
3. The sender applies a Z gate to their qubit if the parity of the non-participating parties' bits is odd.

### Protocol 4: Verification

Input: A verifier V; a shared state between ${\displaystyle k}$ parties

Goal: Verification or rejection of the shared state as the GHZ${\displaystyle _{k}}$ state by V

Requirements: Private randomness sources; a classical broadcasting channel

1. Everyone but V draws a random bit ${\displaystyle b_{i}}$ and measures in the X or Y basis if their bit equals 0 or 1 respectively, obtaining a measurement outcome ${\displaystyle m_{i}}$. V chooses both bits at random
2. Everyone (including V) broadcasts ${\displaystyle (b_{i},m_{i})}$
3. V resets her bit such that ${\displaystyle \sum _{i}b_{i}=0(}$mod ${\displaystyle 2)}$. She measures in the X or Y basis if her bit equals 0 or 1 respectively, thereby also resetting her ${\displaystyle m_{i}=m_{v}}$
4. V accepts the state if and only if ${\displaystyle \sum _{i}m_{i}={\frac {1}{2}}\sum _{i}b_{i}(}$mod ${\displaystyle 2)}$

## Properties

• Protocol 1 has an asymptotic key rate of ${\displaystyle {\frac {L}{D}}}$
• This protocol satisfies the following notions of anonymity:
• Sender Anonymity: A protocol allows a sender to remain anonymous sending a message to ${\displaystyle m}$ receivers, if an adversary who corrupts ${\displaystyle t\leq n-2}$ players, cannot guess the identity of the sender with probability higher than ${\displaystyle {\frac {1}{n-t}}}$
• Receiver Anonymity: A protocol allows a receiver to remain anonymous receiving a message, if an adversary who corrupts ${\displaystyle t\leq n-2}$ players, cannot guess the identity of the receiver with probability higher than ${\displaystyle {\frac {1}{n-t}}}$
• Error correction and privacy amplification must be carried out anonymously and are not considered in the analysis of this protocol.

## References

• The protocols and their security analysis, along with an experimental implementation for ${\displaystyle n=4}$ can be found in Hahn et al.(2020)