Anonymous Conference Key Agreement using GHZ states: Difference between revisions

From Quantum Protocol Zoo
Jump to navigation Jump to search
(Created page with "<!-- This is a comment. You can erase them or write below --> <!-- Intro: brief description of the protocol --> This [https://arxiv.org/abs/2007.07995 example protocol] achie...")
 
m (Fixed section name)
 
(2 intermediate revisions by the same user not shown)
Line 2: Line 2:


<!-- Intro: brief description of the protocol -->
<!-- Intro: brief description of the protocol -->
This [https://arxiv.org/abs/2007.07995 example protocol] achieves the functionality of quantum conference key agreement anonymously. This protocol allows multiple parties in a quantum network to establish a shared secret key anonymously.
This [https://arxiv.org/abs/2007.07995 example protocol] achieves the functionality of quantum conference key agreement. This protocol allows multiple parties in a quantum network to establish a shared secret key anonymously.


<!--Tags: related pages or category -->
<!--Tags: related pages or category -->
'''Tags:''' [[:Category: Multi Party Protocols|Multi Party Protocols]], [[:Category: Quantum Enhanced Classical Functionality|Quantum Enhanced Classical Functionality]], [[:Category: Specific Task|Specific Task]]


==Assumptions==
==Requirements==
<!-- It describes the setting in which the protocol will be successful. -->
<!-- It describes the setting in which the protocol will be successful. -->
 
We require the following resources for this protocol:
# A source of n-party GHZ states
# Private randomness sources
# A randomness source that is not associated with any party
# A classical broadcasting channel
# Pairwise private communication channels


==Outline==
==Outline==
Line 20: Line 26:
==Notation==
==Notation==
<!--  Connects the non-mathematical outline with further sections. -->
<!--  Connects the non-mathematical outline with further sections. -->
*<math>n</math>: Total number of nodes in the network
*<math>m</math>: Number of receiving nodes
*<math>L</math>: Number of GHZ states used
*<math>D</math>: Security parameter; expected number of GHZ states used to establish one bit of key


*<math>k</math>-partite GHZ state: <math>\frac{1}{\sqrt{2}}(|0\rangle^{\otimes k} + |1\rangle^{\otimes k})</math>
<!-- ==Knowledge Graph== -->
<!-- ==Knowledge Graph== -->
<!-- Add this part if the protocol is already in the graph -->
<!-- Add this part if the protocol is already in the graph -->
Line 44: Line 58:


===Protocol 2: Notification===
===Protocol 2: Notification===
''Input: '' Sender's choice of <math>m</math> receivers
''Goal: '' The <math>m</math> receivers get notified
''Requirements: '' Private pairwise classical communication channels and randomness sources
For agent <math>i = 1,...,n</math>:
# All agents <math>j \in \{1,...,n\}</math> do the following:
#* '''When agent <math>j</math> is the sender''': If <math>i</math> is not a receiver, the sender chooses <math>n</math> random bits <math>\{r_{j,k}^i\}_{k = 1}^n</math> such that <math>\bigoplus_{k=1}^n r_{j,k}^i = 0</math>. Otherwise, if <math>i</math> is a receiver, the sender chooses <math>n</math> random bits such that <math>\bigoplus_{k=1}^n r_{j,k}^i = 1</math>. The sender sends bit <math>r_{j,k}^i</math> to agent <math>k</math>
#* '''When agent <math>j</math> is not the sender''':  The agent chooses <math>n</math> random bits <math>\{r_{j,k}^i\}_{k = 1}^n</math> such that <math>\bigoplus_{k=1}^n r_{j,k}^i = 0</math> and sends bit <math>r_{j,k}^i</math> to agent <math>k</math>
# All agents <math>k \in \{1,...,n\}</math> receive <math>\{r_{j,k}^i\}_{j = 1}^n</math>, and compute <math>z_k^i = \bigoplus_{j=1}^n r_{j,k}^i</math> and send it to agent <math>i</math>
# Agent <math>i</math> takes the received <math>\{z_k^i\}_{k=1}^n</math> to compute <math>z^i = \bigoplus_{k=1}^nz_k^i</math>. If <math>z^i = 1</math>, they are thereby notified to be a designated receiver.
===Protocol 3: Anonymous Multiparty Entanglement===
===Protocol 3: Anonymous Multiparty Entanglement===
''Input: '' <math>n</math>-partite GHZ state <math>\frac{1}{\sqrt{2}}(|0\rangle^{\otimes n} + |1\rangle^{\otimes n})</math>
''Output: '' <math>(m+1)</math>-partite GHZ state <math>\frac{1}{\sqrt{2}}(|0\rangle^{\otimes (m+1)} + |1\rangle^{\otimes (m+1)})</math> shared between the sender and receivers
''Requirements: '' A broadcast channel; private randomness sources
# Sender and receivers draw a random bit each. Everyone else measures their qubits in the X-basis, yielding a measurement outcome bit <math>x_i</math>
# All parties broadcast their bits in a random order, or if possible, simultaneously.
# The sender applies a Z gate to their qubit if the parity of the non-participating parties' bits is odd.


===Protocol 4: Verification===
===Protocol 4: Verification===
''Input: '' A verifier V; a shared state between <math>k</math> parties
''Goal: '' Verification or rejection of the shared state as the GHZ<math>_k</math> state by V
''Requirements: '' Private randomness sources; a classical broadcasting channel
# Everyone but V draws a random bit <math>b_i</math> and measures in the X or Y basis if their bit equals 0 or 1 respectively, obtaining a measurement outcome <math>m_i</math>. V chooses both bits at random
# Everyone (including V) broadcasts <math>(b_i,m_i)</math>
# V resets her bit such that <math>\sum_ib_i = 0 (</math>mod <math>2)</math>. She measures in the X or Y basis if her bit equals 0 or 1 respectively, thereby also resetting her <math>m_i = m_v</math>
# V accepts the state if and only if <math>\sum_im_i = \frac{1}{2}\sum_ib_i (</math>mod <math>2)</math>


==Properties==
==Properties==
<!-- important information on the protocol: parameters (threshold values), security claim, success probability... -->
<!-- important information on the protocol: parameters (threshold values), security claim, success probability... -->
 
* Protocol 1 has an asymptotic key rate of <math>\frac{L}{D}</math>
==Further Information==
* This protocol satisfies the following notions of anonymity:
<!-- theoretical and experimental papers including requirements, security proof (important), which protocol does it implement, benchmark values... -->
** '''Sender Anonymity''': A protocol allows a sender to remain anonymous sending a message to <math>m</math> receivers, if an adversary who corrupts <math>t \leq n-2 </math> players, cannot guess the identity of the sender with probability higher than <math> \frac{1}{n-t}</math>
** '''Receiver Anonymity''': A protocol allows a receiver to remain anonymous receiving a message, if an adversary who corrupts <math>t \leq n-2 </math> players, cannot guess the identity of the receiver with probability higher than <math> \frac{1}{n-t}</math>
* Error correction and privacy amplification must be carried out anonymously and are not considered in the analysis of this protocol.


==References==
==References==
* The protocols and their security analysis, along with an experimental implementation for <math>n = 4</math> can be found in [https://arxiv.org/abs/2007.07995 Hahn et al.(2020)]
<div style='text-align: right;'>''*contributed by Chirag Wadhwa''</div>

Latest revision as of 19:45, 19 January 2022


This example protocol achieves the functionality of quantum conference key agreement. This protocol allows multiple parties in a quantum network to establish a shared secret key anonymously.

Tags: Multi Party Protocols, Quantum Enhanced Classical Functionality, Specific Task

Requirements[edit]

We require the following resources for this protocol:

  1. A source of n-party GHZ states
  2. Private randomness sources
  3. A randomness source that is not associated with any party
  4. A classical broadcasting channel
  5. Pairwise private communication channels

Outline[edit]

  • First, the sender notifies each receiver in the network anonymously
  • The entanglement source generates and distributes sufficient GHZ states to all nodes in the network
  • The GHZ states are distilled to establish multipartite entanglement shared only by the participating parties (the sender and receivers)
  • Each GHZ state is randomly chosen to be used for either Verification or Key Generation. For Key Generation rounds, a single bit of the key is established using one GHZ state by measuring in the Z-basis
  • If the sender is content with the Verification results, they can anonymously validate the protocol and conclude that the key has been established successfully.

Notation[edit]

  • : Total number of nodes in the network
  • : Number of receiving nodes
  • : Number of GHZ states used
  • : Security parameter; expected number of GHZ states used to establish one bit of key
  • -partite GHZ state:

Protocol Description[edit]

Protocol 1: Anonymous Verifiable Conference Key Agreement[edit]

Input: Parameters and

Requirements: A source of n-party GHZ states; private randomness sources; a randomness source that is not associated with any party; a classical broadcasting channel; pairwise private communication channels

Goal: Anonymoous generation of key between sender and receivers

  1. The sender notifies the receivers by running the Notification protocol
  2. The source generates and shares GHZ states
  3. The parties run the Anonymous Multipartite Entanglement protocol on the GHZ states
  4. For each -partite GHZ state, the parties do the following:
    • They ask a source of randomness to broadcast a bit such that Pr
    • Verification round: If b = 0, the sender runs Verification as verifier on the state corresponding to that round, while only considering the announcements of the receivers. The remaining parties announce random values.
    • KeyGen round: If b = 1, the sender and receivers measure in the Z-basis.
  5. If the sender is content with the checks of the Verification protocol, they can anonymously validate the protocol

Protocol 2: Notification[edit]

Input: Sender's choice of receivers

Goal: The receivers get notified

Requirements: Private pairwise classical communication channels and randomness sources

For agent :

  1. All agents do the following:
    • When agent is the sender: If is not a receiver, the sender chooses random bits such that . Otherwise, if is a receiver, the sender chooses random bits such that . The sender sends bit to agent
    • When agent is not the sender: The agent chooses random bits such that and sends bit to agent
  2. All agents receive , and compute and send it to agent
  3. Agent takes the received to compute . If , they are thereby notified to be a designated receiver.

Protocol 3: Anonymous Multiparty Entanglement[edit]

Input: -partite GHZ state

Output: -partite GHZ state shared between the sender and receivers

Requirements: A broadcast channel; private randomness sources

  1. Sender and receivers draw a random bit each. Everyone else measures their qubits in the X-basis, yielding a measurement outcome bit
  2. All parties broadcast their bits in a random order, or if possible, simultaneously.
  3. The sender applies a Z gate to their qubit if the parity of the non-participating parties' bits is odd.

Protocol 4: Verification[edit]

Input: A verifier V; a shared state between parties

Goal: Verification or rejection of the shared state as the GHZ state by V

Requirements: Private randomness sources; a classical broadcasting channel

  1. Everyone but V draws a random bit and measures in the X or Y basis if their bit equals 0 or 1 respectively, obtaining a measurement outcome . V chooses both bits at random
  2. Everyone (including V) broadcasts
  3. V resets her bit such that mod . She measures in the X or Y basis if her bit equals 0 or 1 respectively, thereby also resetting her
  4. V accepts the state if and only if mod

Properties[edit]

  • Protocol 1 has an asymptotic key rate of
  • This protocol satisfies the following notions of anonymity:
    • Sender Anonymity: A protocol allows a sender to remain anonymous sending a message to receivers, if an adversary who corrupts players, cannot guess the identity of the sender with probability higher than
    • Receiver Anonymity: A protocol allows a receiver to remain anonymous receiving a message, if an adversary who corrupts players, cannot guess the identity of the receiver with probability higher than
  • Error correction and privacy amplification must be carried out anonymously and are not considered in the analysis of this protocol.

References[edit]

  • The protocols and their security analysis, along with an experimental implementation for can be found in Hahn et al.(2020)
*contributed by Chirag Wadhwa