This protocol achieves the functionality of quantum conference key agreement. This protocol allows multiple parties in a quantum network to establish a shared secret key anonymously.

Anonymous Conference Key Agreement in Quantum Networks

• First, the sender notifies each receiver in the network anonymously
• The entanglement source generates and distributes sufficient GHZ states to all nodes in the network
• The GHZ states are distilled to establish multipartite entanglement shared only by the participating parties (the sender and receivers)
• Each GHZ state is randomly chosen to be used for either Verification or Key Generation. For Key Generation rounds, a single bit of the key is established using one GHZ state by measuring in the Z-basis
• If the sender is content with the Verification results, they can anonymously validate the protocol and conclude that the key has been established successfully.

This protocol relies on reliable shared entanglement and private randomness

It also assumes pairwise private communication channels

Network stage: entanglement generation

The following resources are required for this protocol:

• A source of n-party GHZ states
• Private randomness sources
• A randomness source that is not associated with any party
• A classical broadcasting channel
• Pairwise private communication channels

• $n$: Total number of nodes in the network
• $m$: Number of receiving nodes
• $L$: Number of GHZ states used
• $D$: Security parameter; expected number of GHZ states used to establish one bit of key
• $k$-partite GHZ state: $\frac{1}{\sqrt{2}} \left( |0\rangle^{\otimes k} + |1\rangle^{\otimes k} \right)$

• Protocol 1 has an asymptotic key rate of $\frac{L}{D}$
• This protocol satisfies the following notions of anonymity:
  • Sender Anonymity: A protocol allows a sender to remain anonymous sending a message to $m$ receivers, if an adversary who corrupts $t \leq n – 2$ players cannot guess the identity of the sender with probability higher than $\frac{1}{n – t}$.
  • Receiver Anonymity: A protocol allows a receiver to remain anonymous receiving a message, if an adversary who corrupts $t \leq n – 2$ players cannot guess the identity of the receiver with probability higher than $\frac{1}{n – t}$.
• Error correction and privacy amplification must be carried out anonymously and are not considered in the analysis of this protocol.

Main protocol: Anonymous Verifiable Conference Key Agreement

Input: Parameters $L$ and $D$
Output: Anonymous generation of key between sender and $m$ receivers
Requirements: A source of $n$-party GHZ states; private randomness sources; a randomness source that is not associated with any party; a classical broadcasting channel; pairwise private communication channels

1. The sender notifies the $m$ receivers by running the Notification protocol.
2. The source generates and shares $L$ GHZ states.
3. The parties run the Anonymous Multipartite Entanglement protocol on the GHZ states.
4. For each $(m+1)$-partite GHZ state, the parties do the following:
   1. They ask a source of randomness to broadcast a bit $b$ such that $\Pr[b=1] = \frac{1}{D}$.
   2. Verification round: If $b = 0$, the sender runs Verification as verifier on the state corresponding to that round, while only considering the announcements of the $m$ receivers. The remaining parties announce random values.
   3. KeyGen round: If $b = 1$, the sender and receivers measure in the Z-basis.
5. If the sender is content with the checks of the Verification protocol, they can anonymously validate the protocol.

Subroutine 1: Notification

Input: Sender’s choice of $m$ receivers
Goal: The $m$ receivers get notified
Requirements: Private pairwise classical communication channels and randomness sources

For agent $i = 1,…,n$:

• All agents $j \in \{1,…,n\}$ do the following:
  • When agent $j$ is the sender: If $i$ is not a receiver, the sender chooses $n$ random bits $\{r_{j,k}^{i}\}_{k=1}^{n}$ such that $\bigoplus_{k=1}^{n}r_{j,k}^{i}=0$. Otherwise, if $i$ is a receiver, the sender chooses $n$ random bits such that $\bigoplus_{k=1}^{n}r_{j,k}^{i}=1$. The sender sends bit $r_{j,k}^{i}$ to agent $k$.
  • When agent $j$ is not the sender: The agent chooses $n$ random bits $\{r_{j,k}^{i}\}_{k=1}^{n}$ such that $\bigoplus_{k=1}^{n}r_{j,k}^{i}=0$ and sends bit $r_{j,k}^{i}$ to agent $k$.
• All agents $k \in \{1,…,n\}$ receive $\{r_{j,k}^{i}\}_{j=1}^{n}$, and compute $z_{k}^{i} = \bigoplus_{j=1}^{n}r_{j,k}^{i}$ and send it to agent $i$.
• Agent $i$ takes the received $\{z_{k}^{i}\}_{k=1}^{n}$ to compute $z^{i} = \bigoplus_{k=1}^{n}z_{k}^{i}$. If $z^{i}=1$, they are thereby notified to be a designated receiver.

Subroutine 2: Anonymous Multiparty Entanglement Protocol

Here Anonymous Multiparty Entanglement Protocol is run as a subroutine (check the protocol page).
Input: $n$-partite GHZ state $\frac{1}{\sqrt{2}}(|0\rangle^{\otimes n} + |1\rangle^{\otimes n})$
Output: $(m+1)$-partite GHZ state $\frac{1}{\sqrt{2}}(|0\rangle^{\otimes (m+1)} + |1\rangle^{\otimes (m+1)})$ shared between the sender and receivers
Requirements: A broadcast channel; private randomness sources

Subroutine 3: Verification

Input: A verifier $V$; a shared state between $k$ parties
Goal: Verification or rejection of the shared state as the GHZ$_k$ state by $V$
Requirements: Private randomness sources; a classical broadcasting channel

• Everyone but $V$ draws a random bit $b_i$ and measures in the X or Y basis if their bit equals 0 or 1 respectively, obtaining a measurement outcome $m_i$. $V$ chooses both bits at random.
• Everyone (including $V$) broadcasts $(b_i, m_i)$.
• $V$ resets her bit such that $\sum_i b_i = 0 \mod 2$. She measures in the X or Y basis if her bit equals 0 or 1, respectively, thereby also resetting her $m_i = m_v$.
• $V$ accepts the state if and only if $\sum_i m_i = \frac{1}{2}\sum_i b_i \mod 2$.

The protocols and their security analysis, along with an experimental implementation for $n=4$ can be found in [1]

1. Hahn, Frederik, Jarn de Jong, Christopher Thalacker, Bülent Demirel, Stefanie Barz, and Anna Pappa. “Anonymous conference key agreement in quantum networks.” arXiv preprint arXiv:2007.07995 (2020).