Anonymous Conference Key Agreement using GHZ states: Difference between revisions

This example protocol achieves the functionality of quantum conference key agreement. This protocol allows multiple parties in a quantum network to establish a shared secret key anonymously.

Tags: Multi Party Protocols, Quantum Enhanced Classical Functionality, Specific Task

Requirements[edit]

We require the following resources for this protocol:

1. A source of n-party GHZ states
2. Private randomness sources
3. A randomness source that is not associated with any party
4. A classical broadcasting channel
5. Pairwise private communication channels

Outline[edit]

• First, the sender notifies each receiver in the network anonymously
• The entanglement source generates and distributes sufficient GHZ states to all nodes in the network
• The GHZ states are distilled to establish multipartite entanglement shared only by the participating parties (the sender and receivers)
• Each GHZ state is randomly chosen to be used for either Verification or Key Generation. For Key Generation rounds, a single bit of the key is established using one GHZ state by measuring in the Z-basis
• If the sender is content with the Verification results, they can anonymously validate the protocol and conclude that the key has been established successfully.

Notation[edit]

• ${\displaystyle n}$: Total number of nodes in the network

• ${\displaystyle m}$: Number of receiving nodes

• ${\displaystyle L}$: Number of GHZ states used

• ${\displaystyle D}$: Security parameter; expected number of GHZ states used to establish one bit of key

• ${\displaystyle k}$-partite GHZ state: ${\displaystyle {\frac {1}{\sqrt {2}}}(|0\rangle ^{\otimes k}+|1\rangle ^{\otimes k})}$

Protocol Description[edit]

Protocol 1: Anonymous Verifiable Conference Key Agreement[edit]

Input: Parameters ${\displaystyle L}$ and ${\displaystyle D}$

Requirements: A source of n-party GHZ states; private randomness sources; a randomness source that is not associated with any party; a classical broadcasting channel; pairwise private communication channels

Goal: Anonymoous generation of key between sender and ${\displaystyle m}$ receivers

1. The sender notifies the ${\displaystyle m}$ receivers by running the Notification protocol
2. The source generates and shares ${\displaystyle L}$ GHZ states
3. The parties run the Anonymous Multipartite Entanglement protocol on the GHZ states
4. For each ${\displaystyle (m+1)}$-partite GHZ state, the parties do the following:
   • They ask a source of randomness to broadcast a bit ${\displaystyle b}$ such that Pr${\displaystyle [b=1]={\frac {1}{D}}}$
   • Verification round: If b = 0, the sender runs Verification as verifier on the state corresponding to that round, while only considering the announcements of the ${\displaystyle m}$ receivers. The remaining parties announce random values.
   • KeyGen round: If b = 1, the sender and receivers measure in the Z-basis.
5. If the sender is content with the checks of the Verification protocol, they can anonymously validate the protocol

Protocol 2: Notification[edit]

Input: Sender's choice of ${\displaystyle m}$ receivers

Goal: The ${\displaystyle m}$ receivers get notified

Requirements: Private pairwise classical communication channels and randomness sources

For agent ${\displaystyle i=1,...,n}$:

1. All agents ${\displaystyle j\in \{1,...,n\}}$ do the following:
   • When agent ${\displaystyle j}$ is the sender: If ${\displaystyle i}$ is not a receiver, the sender chooses ${\displaystyle n}$ random bits ${\displaystyle \{r_{j,k}^{i}\}_{k=1}^{n}}$ such that ${\displaystyle \bigoplus _{k=1}^{n}r_{j,k}^{i}=0}$. Otherwise, if ${\displaystyle i}$ is a receiver, the sender chooses ${\displaystyle n}$ random bits such that ${\displaystyle \bigoplus _{k=1}^{n}r_{j,k}^{i}=1}$. The sender sends bit ${\displaystyle r_{j,k}^{i}}$ to agent ${\displaystyle k}$
   • When agent ${\displaystyle j}$ is not the sender: The agent chooses ${\displaystyle n}$ random bits ${\displaystyle \{r_{j,k}^{i}\}_{k=1}^{n}}$ such that ${\displaystyle \bigoplus _{k=1}^{n}r_{j,k}^{i}=0}$ and sends bit ${\displaystyle r_{j,k}^{i}}$ to agent ${\displaystyle k}$
2. All agents ${\displaystyle k\in \{1,...,n\}}$ receive ${\displaystyle \{r_{j,k}^{i}\}_{j=1}^{n}}$, and compute ${\displaystyle z_{k}^{i}=\bigoplus _{j=1}^{n}r_{j,k}^{i}}$ and send it to agent ${\displaystyle i}$
3. Agent ${\displaystyle i}$ takes the received ${\displaystyle \{z_{k}^{i}\}_{k=1}^{n}}$ to compute ${\displaystyle z^{i}=\bigoplus _{k=1}^{n}z_{k}^{i}}$. If ${\displaystyle z^{i}=1}$, they are thereby notified to be a designated receiver.

Protocol 3: Anonymous Multiparty Entanglement[edit]

Input: ${\displaystyle n}$-partite GHZ state ${\displaystyle {\frac {1}{\sqrt {2}}}(|0\rangle ^{\otimes n}+|1\rangle ^{\otimes n})}$

Output: ${\displaystyle (m+1)}$-partite GHZ state ${\displaystyle {\frac {1}{\sqrt {2}}}(|0\rangle ^{\otimes (m+1)}+|1\rangle ^{\otimes (m+1)})}$ shared between the sender and receivers

Requirements: A broadcast channel; private randomness sources

1. Sender and receivers draw a random bit each. Everyone else measures their qubits in the X-basis, yielding a measurement outcome bit ${\displaystyle x_{i}}$
2. All parties broadcast their bits in a random order, or if possible, simultaneously.
3. The sender applies a Z gate to their qubit if the parity of the non-participating parties' bits is odd.

Protocol 4: Verification[edit]

Input: A verifier V; a shared state between ${\displaystyle k}$ parties

Goal: Verification or rejection of the shared state as the GHZ${\displaystyle _{k}}$ state by V

Requirements: Private randomness sources; a classical broadcasting channel

1. Everyone but V draws a random bit ${\displaystyle b_{i}}$ and measures in the X or Y basis if their bit equals 0 or 1 respectively, obtaining a measurement outcome ${\displaystyle m_{i}}$. V chooses both bits at random
2. Everyone (including V) broadcasts ${\displaystyle (b_{i},m_{i})}$
3. V resets her bit such that ${\displaystyle \sum _{i}b_{i}=0(}$mod ${\displaystyle 2)}$. She measures in the X or Y basis if her bit equals 0 or 1 respectively, thereby also resetting her ${\displaystyle m_{i}=m_{v}}$
4. V accepts the state if and only if ${\displaystyle \sum _{i}m_{i}={\frac {1}{2}}\sum _{i}b_{i}(}$mod ${\displaystyle 2)}$

Properties[edit]

• Protocol 1 has an asymptotic key rate of ${\displaystyle {\frac {L}{D}}}$
• This protocol satisfies the following notions of anonymity:
  • Sender Anonymity: A protocol allows a sender to remain anonymous sending a message to ${\displaystyle m}$ receivers, if an adversary who corrupts ${\displaystyle t\leq n-2}$ players, cannot guess the identity of the sender with probability higher than ${\displaystyle {\frac {1}{n-t}}}$
  • Receiver Anonymity: A protocol allows a receiver to remain anonymous receiving a message, if an adversary who corrupts ${\displaystyle t\leq n-2}$ players, cannot guess the identity of the receiver with probability higher than ${\displaystyle {\frac {1}{n-t}}}$
• Error correction and privacy amplification must be carried out anonymously and are not considered in the analysis of this protocol.

References[edit]

• The protocols and their security analysis, along with an experimental implementation for ${\displaystyle n=4}$ can be found in Hahn et al.(2020)