Anonymous Quantum Conference Key Agreement

Conference Key Agreement (CKA) is a cryptographic effort of multiple parties to establish a shared secret key. In future quantum networks, generating secret keys in an anonymous way is of tremendous importance for parties that want to keep their shared key secret and at the same time protect their own identity. We provide a definition of anonymity for general protocols and present a CKA protocol that is provably anonymous under realistic adversarial scenarios. We base our protocol on shared Greenberger-Horne-Zeilinger states, which have been proposed as more efficient resources for CKA protocols, compared to bipartite entangled resources. The existence of secure and anonymous protocols based on multipartite entangled states provides a new insight on their potential as resources and paves the way for further applications.


I. INTRODUCTION
One of the main applications of quantum information processing is to provide additional security for communication.The most common setting is one of two parties, Alice and Bob, who want to establish a shared secret key in order to encrypt further communication.Since their introduction [1], Quantum Key Distribution (QKD) protocols have been proposed and implemented in a standard fashion, although several practical challenges remain to be addressed [2].
Here, we examine a more generalised scenario, where several parties want to establish a shared secret key.In this multiparty setting we introduce a new notion of anonymity, where we request that the identities of the parties sharing the secret key are all protected.Such scenarios are highly relevant for several reasons.One example is the case of whistle-blowing; a person might want to broadcast an encrypted message such that specific parties can decrypt it, while keeping the identities of all involved parties secret.For such anonymous whistleblowing, the underlying protocol needs to involve nonparticipating parties, such that an authority maintaining the network cannot uncover who takes part in the secret communication.To the best of our knowledge, this is the first multipartite protocol that provides anonymity for a sender and multiple receivers alike.
To succeed in attaining this goal, we need to address two different elements, anonymity and multiparty key generation.For a concise review of the latter, often referred to as conference key agreement (CKA), we refer the interested reader to [3].Combining the two elements, we achieve anonymous conference key agreement, which allows a sender to transmit a private message to specific receivers of her choice, while keeping their identities secret from external parties and even from each other.
Previous work [4] has shown how to achieve anonymous transmission of classical bits using the correlations natural to the GHZ state [5] and how to anonymously create bipartite entanglement from a larger GHZ state.In [6] the latter is developed further, by adding a scheme for anonymous notification of the receiver and for verification [7,8] of the anonymous entanglement generation.However, since extracting multiple bipartite Bell states from a single GHZ state is impossible, we need an alternative approach that enables us to perform anonymous CKA between a subset of a given network.One approach could be to use other multipartite entangled quantum states [9][10][11] to create bipartite entanglement between the sender and all receivers separately; however, that would increase the use of quantum resources.We show that it is in fact possible to anonymously establish the necessary entanglement between sender and receivers simultaneously, using a single GHZ state shared by a source through the network.
In this paper, we introduce a protocol to establish a secret key between the sender 'Alice' and m receiving parties of her choice.We use both 'Bob' and 'receiver' to refer to each of those receiving parties and 'participants' to refer to Alice and all Bobs.The m + 1 ≤ n participants are part of a larger network of n parties.The m Bobs are notified anonymously by Alice through a notification protocol.A large GHZ state is then shared between the n parties, which can either be done centrally or using a given network infrastructure via quantum repeaters or quantum network coding [12].From this GHZ n state, we subsequently show how to anonymously extract a GHZ m+1 state shared only between the participants.The resulting state can be either verified or used to run the CKA protocol.Both the participants' identities and their shared key are hidden from an attacker 'Eve' in our protocols.We either assume Eve to follow the protocol and control a single node in the network, or to diverge from the protocol and control multiple non-participating nodes.

II. PRELIMINARIES
We label with N the set of all n := |N| parties in the network and with P := {A, B 1 , . . ., B m } the set of the protocol's participants, where A refers to Alice and {B i } to the m Bobs chosen by her.Let Eve be an attacker whose goal it is to learn P. If Eve corrupts some parties, she trivially learns their role in the protocol, i.e. whether or not they belong to P. By I Eve we denote this information as well as any prior information on {Pr(G = P)} G⊂N , i.e. the probability distribution that a subset G of the parties is equal to P. Denoting with I + Eve the additional information that becomes available to Eve during the protocol, we can define anonymity by demanding that running the protocol increases Eve's knowledge only in a trivial way.
Definition 1 (Anonymity) A protocol is anonymous from the perspective of Eve if for all subsets G ⊂ N where I + Eve is the information that becomes available to Eve during the protocol and I Eve is both the information that Eve has beforehand and trivial information that she obtains about the parties that she corrupts.
Here, by trivial information we mean the information that is available to each party regarding their role in the protocol, i.e. whether they belong in P or not.In the context of key agreement, we can assume that the participants are not corrupted by a fully malicious Eve, since this would jeopardise the whole key.We therefore assume that they are honest-but-curious, i.e. that they obey the protocol in order to establish a key, but may otherwise be interested in learning other participants' identities.For the non-participating parties we consider the same honest-but-curious model, as well as a fully dishonest one.Hence, N can be partitioned into the three disjoint sets of: P: honest-but-curious participating parties, H: honest-but-curious non-participating parties, C: dishonest and colluding non-participating parties.
We either assume Eve to follow the protocol and control a single party in P or H, or to diverge from the protocol and control C. Note however that our definition of anonymity is applicable to other corruption models and therefore applies more generally to any cryptographic protocol.
As previously mentioned, our CKA protocol exploits the correlations of a shared GHZ state to generate the conference key.Since the parties in C could apply an arbitrary quantum map to their system, this would result in a state -close to ρ N := |N N|, with |N equal to Here, the two states on C need not be orthogonal.They neither need to be pure, but since mixed states do not offer an advantage to Eve we may assume they are.For a discussion on untrusted or faulty sources we refer to the Discussion.
With the above definitions, we are now ready to introduce the subprotocols of the Anonymous Conference Key Agreement protocol.All protocols we propose are anonymous according to Def. 1, with the corresponding proofs detailed in the Appendix.

III. GENERATING ANONYMOUS MULTIPARTY ENTANGLEMENT
We start by presenting two sub-protocols, namely Notification and Anonymous Multiparty Entanglement (AME).Our version of Notification is based on [13] and is a classical protocol used by Alice to notify the m receiving agents, while maintaining anonymity for all parties involved.The protocol requires pairwise private classical communication -which can be established using a key generation protocol with a Bell pair -and access to private sources of randomness.An illustration of Protocol 1 can be found in App. A.

Protocol 1 Notification
Input.Alice's choice of m receivers.Goal.The m receivers get notified.
(a) When j corresponds to Alice (j a ), and i is not a receiver, she chooses n random bits {r i j,k } n k=1 such that n k=1 r i j,k = 0.If i is a receiver, she chooses n random bits such that n k=1 r i j,k = 1.She sends bit r i j,k to agent k.(b) When j = j a , the agent chooses n random bits {r i j,k } n k=1 such that n k=1 r i j,k = 0 and sends bit r i j,k to agent k.

All agents
,k and send it to agent i.

Agent i takes the received {z
they are thereby notified to be a designated receiver.
Analysis: Anonymity is maintained following the work of [13].Remember that by the nature of our goal, the identities of the Bobs are available to Alice since she has chosen them.The Notification protocol requires O(n 3 ) communication channel uses between pairs of parties.Note that the Notification protocol is allowing Alice FIG. 1. Visualisation of Protocol 2. A GHZn state is shared with all agents left of arrow (1).Here, the participants are highlighted in green and blue.tSince the shared GHZn state is agnostic of the receivers' identities and all agents are entangled right of arrow (1), they are all highlighted in pink.Right of arrow ( 2), all non-participating parties are disentangled and therefore not highlighted anymore.The m Bobs and Alice now share a GHZm+1 state after completing the steps of AME.
to anonymously transmit the same bit to all receivers to establish a common key.Such a process would however be extremely inefficient; if one Bell pair is required for each private classical communication round, then for each bit of generated key, O(n 3 ) Bell pairs would be consumed.
If instead we use Notification only once to notify the receivers, we can exploit the properties of the shared multipartite entanglement to establish a common key more efficiently while maintaining the anonymity that Protocol 1 provides.We now introduce the second subprotocol AME, visualised in Fig. 1.As a generalisation of the protocol first proposed in [4] for anonymously distributing Bell states, it is a protocol for anonymously establishing GHZ states.Here, n parties are sharing a GHZ state, and m+1 of them (Alice and m receivers) want to anonymously end up with a smaller, (m + 1)-partite GHZ state.To achieve this, all parties require access to a broadcast channel -a necessary requirement to achieve any type of anonymity for participants in a communication setting [14].

Protocol 2 Anonymous Multiparty Entanglement
Input.A shared GHZ n state; Alice knowing the identities of the non-participants P. Goal.A GHZ m+1 state shared between P.

Alice and the Bobs each draw a random bit.
Everyone else measures in the X-basis, yielding a measurement outcome bit x i for i ∈ P.
2. All parties broadcast their bits in a random order or, if possible, simultaneously.
3. Alice applies a Z gate if the parity of the nonparticipating parties' bits is odd.
Analysis: The correctness of the protocol follows from the proof in [4].With the Hadamard matrix H we can rewrite the GHZ n state as proportional to With respect to anonymity, the key elements are the intrinsic correlations of GHZ states.As observed in [4], any rotation around the ẑ-axis applied to any qubit of a GHZ state has the same effect on the global state independent of the chosen qubit.To correct the state, Alice only needs the parity of the measurement outcomes of the non-participating parties, yet, masking their identity, each Bob announces a random bit too.No information about the operations performed by the different parties can be inferred, since all announced bits can be shown to be uniformly random and a Z-gate does not reveal the position of the qubit it was applied to either.Only Alice knows the identities of the Bobs, so only she is able to discern the measurement outcomes from the random bits.For a detailed discussion on why the protocol does not leak any information about the identity of either Alice or the Bobs in untrusted settings, we refer to App.B.
A combination of the above two protocols allows for an anonymous distribution of a GHZ m+1 state, which in turn can be measured in the Z-basis by all participants to generate a shared secret key.However, to be secure against dishonest or eavesdropping parties, the state needs to be verified.

IV. ANONYMOUS QUANTUM CONFERENCE KEY AGREEMENT
In the setting of an untrusted source any verification could be performed immediately after the distribution of the state.However, a party in P might not measure in Protocol 2, and thereby be part of the extracted, then (> m + 1)-partite, GHZ state.This security risk was independently noticed in [15] for the case of twoparty communication.To detect both a faulty source and dishonest parties, the verification of the state has to be postponed until after Protocol 2. Note that in this setting, only the communication of authorized parties will be considered by Alice.Protocol 3 verifies that the state on P is close to the GHZ m+1 state, and therefore also disentangled from all other parties, including C. Protocol 3 is similar to [7] and inspired by the pseudotelepathy studies of [16], but adjusted here to protect the identities of the participants and to always set the verifier to be Alice.It requires private sources of randomness and a classical broadcasting channel.Analysis: From [7] we know that the state is verified to be increasingly close to the GHZ state with the number of passed Verification rounds.To mask their identity, the parties in P need both H and C to announce random bits as well.This renders all public communication uniformly random.Since the relevant quantum correlations are only accessible to Alice, all parties are indistinguishable from the perspective of Eve.We refer to App.B for further details.
We are now ready to define Protocol 4 for anonymously sharing a key between P, where we introduce the parameters L as the number of shared GHZ-states and D as a parameter both determining the level of security and the length of the generated shared key.The main difference between the proposed protocol and the one in [6] is that the non-participating parties are asked to announce random values to mask the identities of the authorized parties and that the protocol aborts if the values are not announced in time.Protocol 4 combines all previous protocols and additionally requires a public source of randomness.

Protocol 4 Anonymous Conference Key Agreement
Input.Alice as initiator; parameters L and D. Goal.Anonymous generation of secret key between P.

Alice notifies the m Bobs by running the
Notification protocol.
2. The source generates and shares L GHZ states.
3. The parties run the AME protocol on them.

If Alice is content with the checks of the
Verification protocol, she can anonymously validate the protocol.

Analysis:
The above protocol establishes a secret key between the participants, while keeping their identities secret from both outsiders and each other.The Verification rounds ensure that the state on P is -close to the GHZ m+1 , which exhibits correlations that only Alice can observe.Likewise, neither the public communication nor the remainder of the state are correlated with the identities.On average D − 1 out of D states will be used to verify the state and only one to provide a secret key; therefore the key rate of Protocol 4 approaches L D in the asymptotic regime.We refer to App.B for a detailed proof of anonymity and to the Discussion for the case where Alice does not accept the shared state.
Note that Verification implicitly verifies the Notification protocol, as the bits that Alice takes into consideration will not have the correct correlations otherwise.It is further worth mentioning that as presented, all protocols are self-contained.However, when combined, one could reduce both the communication overhead and the number of applied quantum operations.Specifically, instead of outputting random values, the participants could simply announce the outputs of the verification process during the next round.In the same spirit, Alice does not need to perform the Z-correction at the end of the AME protocol, since she can choose a complementary set of stabiliser measurements during the Verification protocol.

V. DISCUSSION
We demonstrated how to efficiently achieve anonymity for conference key agreement by using multipartite quantum states.Starting from a large GHZ state shared between n parties, our method enables a sender to anonymously notify a set of receivers and establish a secret key.While here we focused on GHZ states, other types of quantum states have also been used for creating anonymous entanglement, as well as for CKA [17,18]; it is however unknown whether we can combine these to achieve the same task as presented here.
We assumed that the source is not actively malicious; the protocol will abort if the state is not close to the GHZ state, but anonymity is then not guaranteed.The AME protocol is run before each Verification round, which means that a privacy leak during the AME round due to an actively malicious source can never be caught in time.This is easily fixed by additionally verifying the GHZ n after its initial sharing but omitted here for simplicity.We note however that an anonymous version of the protocol in [7] should be performed, similar to Protocol 3.
Finally, practical sources and channels can be faulty and hence the need for anonymous error correction and privacy amplification arises [12,19].We intend to address this in follow-up work, together with the finite-key effects of real-world implementations.
3. Agent i takes the received {z i k } n k=1 (Fig. 2d) to compute z i = n k=1 z i k ; if z i = 1 they are thereby notified to be a designated receiver.
The table contains all i j,k for a fixed agent Pi ∈ N in the Notification protocol.Here, we identify Alice with P1.She chooses {r i 1,k } n k=1 and sends them to P k in Step 1a (Fig. 2a).Note that only if Pi is a receiver, the green row adds up to 1 (mod 2); otherwise to 0 (mod 2).Analogously, the pink highlighting shows Step 1b from the perspective of P j (Fig. 2b).This and all other rows add up to 0 (mod 2).The {r i j,j } n j=1 that P j receives in Step 2 (Fig. 2c) are highlighted in purple.The last row, highlighted in blue, shows the {z i k } n k=1 received by Pi in Step 3 (Fig. 2d).By construction, only if Pi is a receiver, it adds up to 1 (mod 2).

Anonymity during the AME protocol
At the start of the AME protocol, the shared quantum state is as given by the following equation: While the AME protocol prescribes measurements to both H and C, the parties in C might not measure and announce something unrelated to their arbitrary actions on the quantum state -therefore we now only calculate the probability of the measurement outcomes We want to show that they are uniformly random and that there are no correlations between the outcomes and any Eve that she might exploit, where Eve might be anyone in the network but Alice.That is, we want to show where the second equality implies that the probability distribution of the measurement outcomes is uniform and the first equality implies that there are no correlations between the information accessible to Eve -including her quantum state -and the measurement outcomes.Moreover, we also want to show that the post-measurement state does not possess any other correlations regarding the roles of the parties that are accessible or exploitable by Eve.
The measurements on H in the AME protocol are a PVM with outcomes {x α H } and associated projectors which results in the probability of the measurement outcome µ α H taking the value x α H being given by This satisfies the second equality in Eq. (B3), showing that the measurement outcomes are uniformly random, thereby ensuring that all the communication of the AME column of Tab.II is indistinguishable -excluding the trivial case where C reveals itself.
The global post-measurement state ρ postAME is then showing that the only correlation between the measurement outcome and the state on P ∪ C is in the phase, where one could in principle learn the parity of the measurement outcome x α H .However, any such phase estimation is impossible if one does not have access to the complete state (i.e.tracing out P that does not collude with Eve results in a state on C that is uncorrelated with the measurement outcome x α H ).This means that the post-measurement state of any attacker in P \ A or C is uncorrelated from the measurement outcome x α H and the roles of H. Therefore, for either of these types of Eve everyone in H remains anonymous (cf. 1 in Tab.I).
Furthermore H is disentangled from the rest of the network and |H itself is separable over the constituents of H. Therefore, nobody in H can learn anything about the roles of any other party in the network.We can conclude that for Eve in H, Def.(1) holds for any of the subsets of N (cf. 2 in Tab.I).
When Eve is a party in P \ A, the roles of the parties in either P or C are hidden because the relevant correlations of the state are unchanged by running the AME protocol -they essentially share a GHZ state, possibly including some additional phase, and therefore there are no revealing correlations available to anyone but Alice, meaning that here Def.(1) also holds.The exact same argument holds for Eve in C with respect to the anonymity of P (cf. 3 in Tab.I).

Anonymity during the Verification rounds
At the start of the Verification round, the state is the post-measurement state from Eq. (B7), up to the correction by A. We allow for a faulty correction, therefore keeping the phase arbitrary in the following analysis, writing (−1) ∆ = ±1 for the phase.We again calculate the probability that, based on some basis choice {b i } and given the AME measurement outcome x α H , the measurement outcome µ α = {µ j | j ∈ P \ A} takes some particular value o α = {o α i } ∈ {0, 1} |P\A| , show that the outcome is uniformly random and that there are no correlations between the outcome and the quantum states of all possible Eves.That is, we want to show that where Eve may be anyone in P \ A, H or C. Again, we also show that the post-measurement states do not possess any other correlations regarding the roles of the parties which are exploitable by anyone in P \ A, H or C. Each measurement outcome is associated with a certain measurement projector O α P\A , which is itself dependent on the basis choice {b i }.Explicitly, we define Hence, for any outcome x α H during the AME protocol, the probability of the measurement outcome µ α being equal to o α becomes (remember that ∆ may depend on which satisfies the second equation in Eq. (B8).The global post-measurement state ρ postVER becomes where γ = (−1) ∆ × (−i) |{bi}| and |N postVER is the pure state and |P \ A is the state associated with the measurement outcome o α From the perspective of H, all communication is indistinguishable (cf. the Verification column in Tab.II); H is dis-entangled from everyone else and the state on H is itself separable.We can conclude that -with anyone in H as Eve -the anonymity of everyone in the network is preserved 1 in Tab.I).Moreover, P \ A is dis-entangled from all other parties in the network and their post-measurement state is separable as well.Again, all communication from their perspective is uniformly random (cf. the Verification column in Tab.II), so we can conclude that -with anyone in P \ A as Eve -the anonymity of everyone in the network is maintained (cf. 2 in Tab.I).
The only relevant information is |{b i }|, which is encoded into the phase of the state on A ∪ C; any phase estimation algorithm to retrieve this information would require access to the entire state, including the state of A, which is inaccessible to C. Again, from the perspective of C all communication is indistinguishable (cf. the Verification column in Tab.II) and we can conclude that -with C as Eve -here too the anonymity of all parties in the network is preserved (cf. 3 in Tab.I).
Note that the Verification round can only pass if |Ψ C = |Φ C , that is when C is not entangled to A and P \ A. However, this is not a necessary condition for anonymity, since the identity of Alice is preserved even if the Verification round fails.There is no information encoded into the state regarding the distribution of P and H, nor into the measurement outcome o α .The only valuable information in the state is the parity of the number of Y -measurements, encoded in the phase of the qubit of A, which is dis-entangled from all other parties and therefore only accessible to A.

Anonymity during the KeyGen rounds
As the Verification rounds ensure that the GHZ m+1 state on P is dis-entangled from the non-participating parties in P and after running the AME protocol no party in H is entangled to any other party, all subsets listed in Tab.I are dis-entangled from each other.Hence, we can write the full-network state at the start of the KeyGen round as Since there is no communication during the KeyGen rounds, there is no leakage from P, H, C outside the subset itself (cf. 1 in Tab.I).As |H is a separable state, the case H is trivial (cf. 2 in Tab.I).Finally, due to its symmetries, the GHZ m+1 state cannot reveal who the parties sharing the state are.This ensures that there is no privacy leakage for P either (cf. 3 in Tab.I).

Protocol 3 2 . 3 . 2 i
Verification Input.A shared state between |P| = m + 1 parties.Goal.Verification or rejection of the shared state as a GHZ m+1 state by Alice. 1.Every B i draws a random bit b i and measures in the X-or Y -basis if it equals 0 or 1 respectively, obtaining a measurement outcome o i .Everyone broadcasts (b i , o i ), including Alice, who chooses her bits (b 0 , o 0 ) at random.Alice resets her bit such that m i=0 b i = 0 (mod 2).She measures in the X-or Y -basis if her bit equals 0 or 1 respectively, thereby also resetting o 0 .4. If and only if 1 b i + m i=0 o i = 0 (mod 2), Alice accepts the state.

4 .
The parties ask a public source of randomness to broadcast a bit b such that Pr[b = 1] = 1 D .Verification round: If b = 0, Alice runs the Verification protocol on the (m + 1)partite state.The remaining parties announce random values.KeyGen round: If b = 1, Alice and the Bobs Zmeasure to obtain a shared secret bit.
P , where x contains all measurement outcomes announced in Step 2. Finally, calculating ∆(x) in Step 3, Alice locally corrects the state to obtain the desired GHZ m+1 state.