This example protocol implements the task of Anonymous Transmission in a multi-node quantum network. The protocol uses an untrusted $n$-partite GHZ state to enable two nodes, Sender and Receiver, to establish a link which they use to transmit a quantum message. In addition to adversarial nodes, the source of the GHZ state may be controlled by an adversary. To address this, the protocol includes verification of the GHZ state. It incorporates a reduced fidelity GHZ state used for anonymous transmission, resulting in a notion of anonymity for imperfect scenarios called $\epsilon$-anonymity.

Anonymity for Practical Quantum Networks

This verified GHZ-based quantum anonymous transmission protocol is based on the work of [1], which uses the following subroutines and protocols:

• Parity [3]: privately computes the parity of an input string.
• LogicalOR [3]: privately computes the logical OR of an input string, using a modified version of Parity.
• Notification [3]: allows one player to anonymously notify another player, using LogicalOR.
• RandomBit [1]: allows one player to anonymously choose a bit according to a probability distribution, using LogicalOR.
• Verification [4,5]: a protocol that allows one player (the Verifier) to run a test to check if the shared state is the GHZ state. The Verifier instructs each player to measure their qubit in a particular basis and checks the parity of the measurement outcomes.
• Anonymous Entanglement [2]: $n-2$ nodes (all except for $\mathcal {S}$ and $\mathcal {R}$) measure in the $X$ basis and broadcast their measurement outcome. $\mathcal {S}$ and $\mathcal {R}$ broadcast random dummy bits. The parity of measurement outcomes allows the establishment of an entangled link between $\mathcal {S}$ and $\mathcal {R}$ which is called anonymous entanglement.

The protocol for quantum anonymous transmission consists of the following steps:

1. Receiver notification: The Sender $\mathcal {S}$ notifies the Receiver $R$ by running Notification.
2. State distribution: A source, who may be untrusted, distributes a state claiming to be the GHZ state.
3. Verification or anonymous transmission: $\mathcal {S}$ anonymously chooses whether to verify the state or use it for anonymous transmission, using RandomBit.

If verification is chosen, a player is chosen to run Verification, using $\log _{2}n$ repetitions of RandomBit. If the test passes, the protocol goes back to the State distribution stage and runs again. If the test fails, the players abort.

If anonymous transmission is chosen, the players run Anonymous Entanglement, establishing an anonymous entanglement link between $\mathcal {S}$ and $\mathcal {R}$. $\mathcal {S}$ then teleports the message state $ |\psi \rangle$ to $\mathcal {R}$ using the established anonymous entanglement. The classical message $m$ associated with teleportation is also sent anonymously.

• Network: The network consists of $n$ nodes (honest or adversarial) with pairwise authenticated classical channels and a classical broadcast channel.
• Source: Untrusted multipartite state source.
• Adversarial model: Active adversary who can control the source.

• $n$ : number of network nodes taking part in the anonymous transmission.
• $t$: number of adversarial network nodes taking part in the anonymous transmission.
• $ |\psi \rangle $: quantum message which the Sender wants to send anonymously.
• $ |GHZ\rangle ={\frac {1}{\sqrt {2}}}(|0^{n}\rangle +|1^{n}\rangle )$: GHZ state.
• $ |\Psi \rangle$ : state provided by the untrusted source for anonymous transmission (in the ideal case, this is the GHZ state).
• $ \mathcal {S}$: the Sender of the quantum message.
• $R$: the Receiver of the quantum message.
• $q$: the security parameter.

The pseudocode given below implements anonymous transmission of a quantum message, incorporating a verification stage. Further, the following analysis considers anonymous transmission with a reduced fidelity state rather than a perfect GHZ state.

Let $C_{\epsilon}$ be the event that the protocol does not abort and the state used for anonymous transmission is such that, no matter what operation the adversarial players do to their part, the fidelity of the state with the GHZ state is at most $\sqrt{1 – \epsilon^2}$. Then,

$$
P[C_{\epsilon}] \leq 2^{-q} \frac{4n}{1 – \sqrt{1 – \epsilon^2}}
$$

By doing many repetitions of the protocol, the honest players can ensure that this probability is negligible.

If the state used for anonymous transmission is of fidelity at least $\sqrt{1 – \epsilon^2}$ with the GHZ state,

$$
P_{\text{guess}}[\mathcal{S} | C, \mathcal{S} \notin \mathcal{A}] \leq \frac{1}{n – t} + \epsilon
$$

$$
P_{\text{guess}}[\mathcal{R} | C, \mathcal{S} \notin \mathcal{A}] \leq \frac{1}{n – t} + \epsilon
$$

where $\mathcal{A}$ is the subset of $t$ adversaries among $n$ nodes and $C$ is the register that contains all classical and quantum side information accessible to the adversaries.

Main protocol: $\epsilon$-anonymous transmission of a quantum message

Input: Security parameter $q$.

Goal: $\mathcal{S}$ sends message qubit $|\psi\rangle$ to $\mathcal{R}$ with $\epsilon$-anonymity.

• Receiver notification: Run Notification for $\mathcal{S}$ to notify $\mathcal{R}$ as the Receiver.
• Distribution of state: A source (who may be untrusted) generates a state $|\Psi\rangle$ and distributes it to the players (in the ideal case, $|\Psi\rangle$ is the GHZ state).
• $\mathcal{S}$ anonymously chooses verification or anonymous transmission:
  1. Run RandomBit, with the input of $\mathcal{S}$ chosen as follows: she flips $q$ fair classical coins, and if all coins are heads, she inputs 0, else she inputs 1. Let the outcome be $x$.
  2. If $x = 1$:
     1. Run RandomBit $\log_2 n$ times, with the input of $mathcal{S}$ chosen according to the uniform random distribution. Let the outcome be $v$.
     2.  Run Verification with player $v$ as the Verifier. If she accepts the outcome of the test, return to step 2, otherwise abort.
  3. Else if $x = 0$: Run Anonymous Transmission.

If at any point in the protocol, $\mathcal{S}$ realises someone does not follow the protocol, she stops behaving like the Sender and behaves as any player.

Subroutine 1: Parity

Input: ${x_i}_{i=1}^{n}$.
Goal: Each player gets $y_i = \bigoplus_{i=1}^{n} x_i$.

1. Every player $i$ chooses random bits ${r_i^j}_{j=1}^{n}$ such that $\bigoplus_{j=1}^{n} r_i^j = x_i$;
2. Every player $i$ sends their $j$th bit $r_i^j$ to player $j$ (including when $j = i$);
3. Every player $j$ computes $z_j = \bigoplus_{i=1}^{n} r_i^j$ and reports it in the simultaneous broadcast channel;
4. The value $z = \bigoplus_{j=1}^{n} z_j$ is computed, which equals $y_i$.

Subroutine 2: LogicalOR

Input: ${x_i}_{i=1}^{n}$, security parameter $q$
Goal: Each player gets $y_i = \bigvee_{i=1}^{n} x_i$

1. The players agree on $n$ orderings, each with a different last participant.
2. For each ordering:
   1. Each player $i$ picks $p_i$: if $x_i = 0$, then $p_i = 0$; if $x_i = 1$, then $p_i = 1$ with probability $\frac{1}{2}$ and $p_i = 0$ with probability $\frac{1}{2}$;
   2. Run Parity with ${p_i}_{i=1}^{n}$ using regular (not simultaneous) broadcast according to the current ordering. If the result is 1, then $y_i = 1$;
   3. Repeat steps 2.1-2.2 for $q$ rounds. If Parity result is never 1, then $y_i = 0$.

Subroutine 3: Notification

Input: Security parameter $q$, $\mathcal{S}$’s choice of $\mathcal{R}$ is player $r$.
Goal: $\mathcal{S}$ notifies $\mathcal{R}$.

For each player $i$:

1. Each player $j \neq i$ picks $p_j$:
   1. If $i = r$ and $j$ is $\mathcal{S}$, then $p_j = 1$ with probability $\frac{1}{2}$ and $p_j = 0$ otherwise. Otherwise, $p_j = 0$. Let $p_i = 0$.
   2. Run Parity with ${p_i}_{i=1}^{n}$ where player $i$ does not broadcast and using regular broadcast channel. If result is 1, then $y_i = 1$.
   3. Repeat for $q$ rounds. If result is never 1, then $y_i = 0$.
2.  If player $i$ obtained $y_i = 1$, then she is $\mathcal{R}$.

Subroutine 4: RandomBit

Input: All: parameter $q$. $\mathcal{S}$: distribution $D$.
Goal: $\mathcal{S}$ chooses a bit according to $D$.

1. Players pick bits ${x_i}_{i=1}^{n}$: $\mathcal{S}$ picks $x_i$ according to $D$. All others pick $x_i = 0$.
2. Run LogicalOR with input ${x_i}_{i=1}^{n}$ and security parameter $q$ and output its result.

Subroutine 5: Verification

The verification subroutine uses the verification protocol.

Subroutine 6: Anonymous Transmission

Input: $n$ players share a GHZ state.
Goal: Anonymous transmission of quantum message $|\psi\rangle$ from $\mathcal{S}$ to $\mathcal{R}$.

1. $\mathcal{S}$ and $\mathcal{R}$ do nothing to their part of the state;
2. Each player $j \in [n] \setminus {\mathcal{S}, \mathcal{R}}$:
   1. Applies Hadamard to qubit;
   2. Measures in computational basis: $m_j$;
   3. Broadcasts $m_j$.
3. $\mathcal{S}$ picks random $b \in_R {0, 1}$, broadcasts $b$;
4. If $b = 1$, $\mathcal{S}$ applies phase flip $Z$;
5. $\mathcal{R}$ picks random $b’ \in_R {0, 1}$, broadcasts $b’$;
6. If $b \oplus \bigoplus_{j \in [n] \setminus {\mathcal{S},\mathcal{R}}} m_j = 1$, $\mathcal{R}$ applies $Z$;
7. $\mathcal{S}$ and $\mathcal{R}$ now share $\epsilon$-anonymous entanglement. $\mathcal{S}$ uses teleportation on input $|\psi\rangle$, obtaining $m_0, m_1$;
8. Players run protocol to anonymously send $m_0, m_1$ from $\mathcal{S}$ to $\mathcal{R}$;
9.  $\mathcal{R}$ applies transformation described by $m_0, m_1$ to obtain $|\psi\rangle$.

• For simplicity, the same security parameter $q$ has been used throughout, however, this is not required.
• Although Parity requires a simultaneous broadcast channel, only modified versions of Parity that remove this requirement are used in the anonymous transmission protocol.
• The protocol assumes there is only one Sender for simplicity. However, if this is not the case, the players can run a classical [3] or quantum [2] collision detection protocol to deal with multiple Senders.
• To send classical teleportation bits $m_0$, $m_1$, the players can run Fixed Role Anonymous Message Transmission from [3], or the anonymous transmission protocol for classical bits with quantum resources from [2].
• Verification was experimentally demonstrated for 3- and 4-party GHZ states in [5].
• The Broadbent-Tapp protocol [3] implements classical anonymous transmission. It requires pairwise authenticated classical channels and a classical broadcast channel.
• The Christandl-Wehner protocol [2] implements both classical and quantum anonymous transmission. However, this protocol assumes the nodes share a perfect, trusted GHZ state.
• The Brassard et. al. protocol [6] implements verified quantum anonymous transmission. While their protocol includes a verification stage, it requires each player to perform a size-$n$ quantum circuit and to have access to quantum communication with all other agents.
• The Lipinska et. al. protocol [7] implements quantum anonymous transmission with a trusted W state instead of a GHZ state. While this is beneficial in terms of robustness to noise, the protocol proceeds to create anonymous entanglement only probabilistically, whereas GHZ-based anonymous entanglement proceeds deterministically.

1. Unnikrishnan, Anupama, Ian J. MacFarlane, Richard Yi, Eleni Diamanti, Damian Markham, and Iordanis Kerenidis. “Anonymity for practical quantum networks.” Physical review letters 122, no. 24 (2019): 240501.
2. Christandl, Matthias, and Stephanie Wehner. “Quantum anonymous transmissions.” In International conference on the theory and application of cryptology and information security, pp. 217-235. Berlin, Heidelberg: Springer Berlin Heidelberg, 2005.
3. Broadbent, Anne, and Alain Tapp. “Information-theoretic security without an honest majority.” In International Conference on the Theory and Application of Cryptology and Information Security, pp. 410-426. Berlin, Heidelberg: Springer Berlin Heidelberg, 2007.
4. Pappa, Anna, André Chailloux, Stephanie Wehner, Eleni Diamanti, and Iordanis Kerenidis. “Multipartite entanglement verification resistant against dishonest parties.” Physical review letters 108, no. 26 (2012): 260502.
5. McCutcheon, Will, Anna Pappa, Bryn A. Bell, Alex Mcmillan, André Chailloux, Tom Lawson, Mhlambululi Mafu et al. “Experimental verification of multipartite entanglement in quantum networks.” Nature communications 7, no. 1 (2016): 13251.
6. Brassard, Gilles, Anne Broadbent, Joseph Fitzsimons, Sébastien Gambs, and Alain Tapp. “Anonymous quantum communication.” In Advances in Cryptology–ASIACRYPT 2007: 13th International Conference on the Theory and Application of Cryptology and Information Security, Kuching, Malaysia, December 2-6, 2007. Proceedings 13, pp. 460-473. Springer Berlin Heidelberg, 2007.
7. Lipinska, Victoria, Gláucia Murta, and Stephanie Wehner. “Anonymous transmission in a noisy quantum network using the W state.” Physical Review A 98, no. 5 (2018): 052320.