Multi-user quantum key distribution with collective eavesdropping detection over collective-noise channels
Huang Wei a),b),†, Wen Qiao-Yan a), Liu Bin a), Gao Fei a)
State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China
Science and Technology on Communication Security Laboratory, Chengdu 610041, China

Corresponding author. E-mail: huangwei096505@aliyun.com

*Project supported by the National Natural Science Foundation of China (Grant Nos. 61272057, 61170270, and 61309029), Beijing Higher Education Young Elite Teacher Project, China (Grant Nos. YETP0475 and YETP0477), and BUPT Excellent Ph.D. Students Foundation, China (Grant No. CX201441).

Abstract

A multi-user quantum key distribution protocol is proposed with single particles and the collective eavesdropping detection strategy on a star network. By utilizing this protocol, any two users of the network can accomplish quantum key distribution with the help of a serving center. Due to the utilization of the collective eavesdropping detection strategy, the users of the protocol just need to have the ability of performing certain unitary operations. Furthermore, we present three fault-tolerant versions of the proposed protocol, which can combat with the errors over different collective-noise channels. The security of all the proposed protocols is guaranteed by the theorems on quantum operation discrimination.

PACS: 03.67.Dd; 03.67.Hk; 03.67.Pp
Keywords: quantum cryptography; quantum key distribution; collective eavesdropping detection; collective noise

1. Introduction

Over the last two decades, the principles of quantum mechanics have been widely applied in the field of information, which has promoted rapid developments of quantum cryptography and quantum computation. Since the pioneering work of Bennett and Brassard in 1984, [1] quantum cryptography has attracted a great deal of attention and become one of the most promising applications of quantum information processing. There are several remarkable branches of quantum cryptography, including quantum key distribution (QKD), [1–14] quantum secure direct communication (QSDC), [15–22] quantum secret sharing (QSS), [23–28] and secure multi-party computation (SMC). [29–33] The multi-party quantum cryptographic protocols (MQCPs) which involve at least three participants, such as quantum private comparison (QPC) protocols and QSS protocols, are more complicated than the two-party ones. Therefore, more attention is needed in the research of MQCPs.

In most MQCPs, the quantum information carriers need to be transmitted more than once, and usually eavesdropping detection should be taken in every step of the transmission. However, this detection strategy, which is called step-by-step detection, always makes the protocols inefficient and complicated. First, it is known that the security analysis of the quantum cryptographic protocols is based on the error rate analysis with theories in statistics. Hence, the proportion of the detection states (i.e., states chosen for eavesdropping detection) in the transmitted states should not be too small. If the detection is taken in every step of the transmission of the quantum information carriers, a lot of states will be used for checking eavesdropping and the qubit efficiency of the corresponding protocol will decrease with the increase of the number of detections. Second, detecting in every step of the transmission usually requires all the participants in such a protocol to be equipped with many quantum devices, e.g., the quantum state measurement machine, the quantum state generation machine, and the quantum storage machine. However, based on the current technology, these quantum devices are still expensive because of their construction difficulties. As a consequence, it is uneconomical to require that every participant is equipped with most of these quantum devices. Apparently, an MQCP would be more efficient and easier to realize if the detection is taken only once in the whole procedure of the protocol. Fortunately, if an MQCP makes use of the collective eavesdropping detection strategy, it could meet such a requirement. Collective detection is an efficient and useful eavesdropping detection strategy for MQCPs. On one hand, in an MQCP which employs the collective detection strategy, the detection needs to be taken only once after the whole transmission procedure of the quantum information carriers. 
On the other hand, this strategy can also reduce the hardware requirement for the implementation of the protocol, since all the users (except for the center who is responsible for preparing and measuring states) only need to perform certain unitary operations in the whole executing procedure of the protocol. To date, much attention has been focused on the collective detection strategy and a lot of MQCPs have been proposed by utilizing it (for simplicity, we will call the MQCP which uses collective detection MQCP-CD), [34–41] including QKD, [34–36] QPC, [37] QSS, [38–40] and QSQC. [41]

In an MQCP-CD, all the users (except for the center) just need to be capable of performing certain unitary operations. Therefore, the operations performed by them are very important to the security of the protocol. In this paper, a method for constructing the operations needed in the MQCP-CD is presented. It is a method that can be used to construct the unitary operations which meet the security requirements of the MQCP-CD with different kinds of quantum states, such as single photons, EPR pairs, and GHZ states. Based on this method, we present a multi-user quantum key distribution (MQKD) protocol with collective detection and single particles. Our protocol is presented on a star network where any two of the involved users can execute quantum key distribution with the help of a serving center. There are several merits of this protocol. First, to establish a random key by employing this protocol, two users only need to be capable of performing certain unitary operations. Second, none of the participants (all the users and the center) in our protocol needs to be equipped with a quantum storage machine. As storing qubits is still a very difficult task in reality, our protocol is more feasible than the ones [34–36] in which the quantum storage machine is required. In addition, our protocol can resist various kinds of attacks from both outside eavesdroppers and a dishonest center.

Actually, quantum states transmitted in a channel interact with the environment uncontrollably, which will introduce noise into the communication and influence both the correctness and efficiency of the communication. If the variation of the noise is slower than the time delay between the quantum states transmitted inside a time window, the states will be affected by the same noise. This kind of noise is called collective noise. [42, 43] To combat the errors caused by the collective noise, we further introduce three fault-tolerant versions of our protocol with the idea of decoherence-free subspace (DFS), [44–54] which can resist the collective-dephasing noise, the collective-rotation noise, and all kinds of unitary collective noise, respectively.

The remainder of this paper is organized as follows. The next section presents our method for constructing the required unitary operations in the MQCP-CD. In Section 3, our MQKD protocol and its three fault-tolerant versions, which utilize the collective detection and block transmission, are proposed in detail. The block transmission, which was proposed firstly by Long et al. in Ref.  [15], is one of the most important techniques for transmitting quantum states in quantum information processing. In block transmission, the quantum states are ordered and transmitted in blocks, and the eavesdropping detection is also executed on the blocks. In Section 4, the security of our proposed protocols is analyzed by using the theorems on quantum operation discrimination. Finally, a discussion as well as a short conclusion is given in Section 5.

2. Method for constructing the unitary operations required in MQCP-CD

Thus far, many MQCP-CDs [34, 35, 55–57] have been attacked since the unitary operations used in those protocols can be discriminated unambiguously (by a single use) if an eavesdropper utilizes some special attack strategies, such as dense-coding attack [35] and fake-signal attack. [55] It is just because there is still no effective method for constructing the required unitary operations that some improper ones were used in those protocols. In this section, we introduce a method for constructing the required unitary operations which can be used in designing a secure MQCP-CD. This method can be used to construct the required unitary operations with different kinds of quantum states. Afterwards, we prove the correctness of this method based on the conclusions on quantum operation discrimination.

2.1. The detailed method

Before presenting the method for constructing the required operations, we first briefly introduce the basic principle of the MQCP-CD. [34–41] In this kind of protocol, two mutually unbiased bases, which are denoted as {|a⟩, |b⟩} and {|c⟩, |d⟩}, are required for secure communication. Here, ⟨a|b⟩ = ⟨c|d⟩ = 0, and |⟨a|c⟩|² = |⟨a|d⟩|² = |⟨b|c⟩|² = |⟨b|d⟩|² = 1/2. Besides, there should be a center who is responsible for generating and measuring the quantum states. The center first generates a sequence of states in the two bases and sends them to the first user. Then the first user processes the received states by performing four unitary operations according to his secret binary string and controlling binary string. After the operations, the first user sends the processed sequence to the next user. The following users execute procedures just like the first user one by one. When the last user finishes his operations, he sends the sequence back to the center. After the center receives the sequence, the users randomly choose some states to check eavesdropping with the information of the unitary operations performed on the chosen states and the corresponding measurement outcomes provided by the center. If the whole transmitting procedure is secure, the remaining states (or measurement outcomes) can be used to realize the main function of the protocol.

Concretely, when a user receives a sequence of quantum states, he first encodes his secret string by performing the operation I (identity operator)/U (encoding operation) on each of the received states if the corresponding bit of the secret string is 0/1. The effect of the unitary operation U is flipping a state in the same MB, i.e., U| a⟩ = α | b⟩ , U| b⟩ = β | a⟩ , U| c⟩ = γ | d⟩ , and U| d⟩ = δ | c⟩ . Here α , β , γ , and δ are global phase factors which can be ignored. After that, he disturbs the encoded states by performing the operation I/C (controlling operator) on each of these states if the corresponding bit in his controlling string is 0/1. The effect of the unitary operation C is flipping each one of the four states in {| a⟩ , | b⟩ , | c⟩ , | d⟩ } from one basis to the other basis. When a user encodes his secret string on the received states, each of the bits in the secret string and the controlling string will be used only once. If an eavesdropper wants to obtain some information of a bit in the secret string without leaving a trace in the eavesdropping detection, he should have the ability of discriminating between the four unitary operations I, U, C, and UC unambiguously with only one opportunity (i.e., under the condition that the device can be accessed only once). Therefore, one of the key steps in designing a secure MQCP-CD is to find appropriate unitary operations U and C which make I, U, C, and UC impossible to be discriminated unambiguously with a single use.

Now we give the method for constructing the required unitary operations. Suppose V is a d-dimensional Hilbert space. By employing the Gram–Schmidt procedure, it is easy to construct an orthonormal basis of V, {|0′⟩, …, |(d−1)′⟩}. It can be easily proved that {|0′⟩, |1′⟩} and {|+′⟩, |−′⟩} are two mutually unbiased bases of a 2-dimensional subspace, where

Then the encoding operation is chosen in the form of

where part M should meet the following two conditions. First, M should be in a proper form to make U a unitary operation, i.e., UU† = U†U = I. Second, M should be orthogonal to both |0′⟩ and |1′⟩. It can be easily verified that the operation U could flip each one of the states in {|0′⟩, |1′⟩, |+′⟩, |−′⟩} in its own basis when M is in the required form. There are many feasible choices for the form of M, such as M = |2′⟩⟨2′| + ··· + |(d−1)′⟩⟨(d−1)′| and M = |2′⟩⟨3′| + |3′⟩⟨4′| + ··· + |(d−1)′⟩⟨2′|. After getting the encoding operation U, we choose one of the square roots of U as the controlling operation, which could flip each one of the states in {|0′⟩, |1′⟩, |+′⟩, |−′⟩} from one basis to the other basis, i.e., . The selection method for the operation C will be given in the following proof section. Thus, a method for constructing the required encoding operation and controlling operation has been introduced. In other words, if operations U and C are constructed by this method, the four unitary operations I, U, C, and UC cannot be discriminated unambiguously with only one opportunity.

2.2. Proof of the proposed method

Herein we demonstrate that the four unitary operations I, U, C, and UC cannot be discriminated unambiguously with a single use if U and C are constructed by our method. Before giving the proof, we first introduce an important theorem on quantum operation discrimination.

Theorem 1[58] Under the condition that the device can be accessed only once, the minimum error probability to discriminate two unitary operations U1 and U2 is

where stands for the distance between the origin of the complex plane and the polygon whose vertices are the eigenvalues of the unitary operator (see also Fig. 1), and U† is the adjoint matrix of U.

Fig.  1. Definition of the function r(U) = r, where λ 1, λ 2, λ 3, and λ 4 are eigenvalues of the matrix U, and r is the distance between the origin of the complex plane o and the polygon λ 1λ 2λ 3λ 4. Obviously, r = 0 indicates that o is in/on the polygon λ 1λ 2λ 3λ 4.

Corollary 1 Under the condition that the device can be accessed only once, two unitary operations U1 and U2 can be discriminated unambiguously if and only if

As defined in the presented method, . It can be easily found that $r(I^\dagger C) = r(U^\dagger U C) = r(C)$, and $r(U^\dagger C) = r(U^{-1} C) = r(C^{-1}) = r(C^\dagger)$. According to Theorem 1 and Corollary 1, under the condition that the device can be accessed only once, the two operations U and C (I and C, U and UC) constructed by our method cannot be discriminated unambiguously if and only if neither $r(C)$ nor $r(C^\dagger)$ equals zero. Now we demonstrate that $r(C) > 0$ and $r(C^\dagger) > 0$. Since U is a unitary operator, all the eigenvalues of U are points on the unit circle in the complex plane. Namely, all the eigenvalues of U can be written in the form of $e^{i(\theta + 2k\pi)}$, here $e^{i(\theta + 2k\pi)} = e^{i\theta}$, $\theta \in [0, 2\pi)$, $k \in \mathbb{Z}$. Therefore, all the eigenvalues of the operator should be in the form of $e^{i(\beta + k\pi)}$, here $\beta = \theta/2 \in [0, \pi)$, $k \in \mathbb{Z}$. It is obvious that U has more than one square root. Take the Pauli operation $\sigma_0$ as a simple example: since $\sigma_0$ can be written as either $e^{i\cdot 0}|0\rangle\langle 0| + e^{i\cdot 0}|1\rangle\langle 1|$ or $e^{i\cdot 0}|0\rangle\langle 0| + e^{i\cdot 2\pi}|1\rangle\langle 1|$, both $e^{i\cdot 0}|0\rangle\langle 0| + e^{i\cdot 0}|1\rangle\langle 1|$ and $e^{i\cdot 0}|0\rangle\langle 0| + e^{i\pi}|1\rangle\langle 1|$ are square roots of $\sigma_0$. Here |0⟩ and |1⟩ represent the horizontal and the vertical polarizations of photons, respectively.

As shown above, all the eigenvalues of the operator should be in the form of $e^{i(\beta + k\pi)}$, $k \in \mathbb{Z}$. In our method, we choose the square root (of U) whose eigenvalues are all in the form of $e^{i\beta}$ (which means that the corresponding parameter k is even) as the controlling operation C. As $\beta \in [0, \pi)$, all the eigenvalues of C are points on the upper half of the unit circle (except for −1) in the complex plane and therefore $r(C) > 0$. In addition, since all the eigenvalues of C are points on the upper half of the unit circle (except for −1), it is evident that all the eigenvalues of $C^\dagger$ are points on the bottom half of the unit circle (except for 1), which means $r(C^\dagger) > 0$. That is to say, the two operations U and C (I and C, U and UC) constructed by our method cannot be discriminated unambiguously under the condition that the device can be accessed only once.

Till now, we have proved that the four unitary operations I, U, C, and UC constructed by our method cannot be discriminated unambiguously under the condition that the device can be accessed only once. Utilizing this method, we can construct the required unitary operations for designing a secure MQCP-CD with different kinds of quantum states.

2.3. Role of the proposed method

If someone wants to design an MQCP-CD using a certain kind of quantum state in his favor, one of the most important things he should do first is to find the corresponding encoding operation U and controlling operation C which satisfy the security requirement of the MQCP-CD. Obviously, the method we just proposed can be used to construct such unitary operations. For example, if he wants to design an MQCP-CD with single photons, a natural choice for one of the two bases could be {| 0⟩ , | 1⟩ }. By employing our method, the other basis could be chosen as {| + ⟩ , | − ⟩ }, where and , and the corresponding encoding operation Us and controlling operation Cs can be constructed as

It can be easily verified that {| 0⟩ , | 1⟩ } and {| + ⟩ , | − ⟩ } form two mutually unbiased bases. The effect of the operations Us and Cs on the four states can be illustrated as

Utilizing the two bases and two operations (Us and Cs) given above, one can design different kinds of MQCP-CDs (QSS, QPC, etc.) with single photons. Evidently, there are still some other choices for the two operations if other single particles are chosen to be the quantum information carriers. To date, in order to improve the qubit efficiency or reduce the hardware requirement, some MQCP-CDs [34–41] have been proposed with single photons. Unfortunately, all of those protocols need to store qubits, which is still a difficult task in reality. To make use of the collective detection under the current techniques, we present a more feasible MQKD protocol without employing a quantum storage machine in the next section. More importantly, we also enhance the proposed protocol to be immune to the errors over different collective-noise channels based on the above method.

3. The proposed MQKD protocols

In this section, we present an MQKD protocol by employing single particles and the collective detection on a star network (see Fig. 2). In this protocol, there is a center who is responsible for generating and measuring quantum states. With the help of the center, any two users involved in the network can securely establish a random key just by performing unitary operations on the states transmitted to them. If user i wants to share a random key with user j, they can encode their random binary strings into the states produced by the center, and then they are able to deduce a random key with the measurement outcomes published by the center, where 1 ≤ i, j ≤ n. In this circumstance, users i and j only need to hide their secrets in the transmitted states with proper unitary operations. In the network, we assume that any two of the participants (the center and all the users) can transmit quantum states between them. Similar to most of the previous quantum cryptographic protocols, the classical channels involved in this protocol are supposed to be authenticated. Compared with the existing MQKD protocols which also utilize the collective detection, [34–36] our protocol has the following two advantages. First, it is secure against attacks from both outside eavesdroppers and a dishonest center. Second, it does not need a quantum storage machine, which indicates that our protocol is more feasible in practice under current techniques. By utilizing the method presented in Section 2, two fault-tolerant versions of the proposed protocol are proposed by using two-qubit states: one is immune to the collective-dephasing noise, and the other is immune to the collective-rotation noise. Then we also present a more robust version of the protocol, which can resist all kinds of unitary collective noise by using four-qubit states.

Fig. 2. A simple illustration of the MQKD with seven users on a star network. In this network, any two of the seven users can establish a shared secret key only with unitary operations.

3.1. The proposed MQKD protocol with single particles

If two users in the network, say Alice and Bob, want to share a random key, they can execute the MQKD protocol as described below (see also Fig.  3).

Fig.  3. The subsystem of the presented QKD network with single particles.

1) Alice generates two random binary strings of length 4n, which are denoted as A and A′ , respectively. Similarly, Bob generates two random binary strings of length 4n, which are denoted as B and B′ , respectively. After that, Alice informs the center that she wants to establish a random key with Bob.

2) The center receives Alice’s request, prepares a sequence of 4n single particles which are all in the state |0⟩ (denoted as sequence S), and sends it to Alice.

3) Once receiving S, Alice performs the unitary operations UAi and on the i-th particle in S for 1 ≤ i ≤ 4n. Here, Ai and are respectively the i-th bit in strings A and A′ , U1 = Us, C1 = Cs, and U0 = C0 = Is is the identity density operator on the two-dimensional Hilbert space, i.e., Is = | 0⟩ ⟨ 0| + | 1⟩ ⟨ 1| . After that, she sends the new sequence (denoted as S1) to Bob.

4) Upon receiving the sequence S1, Bob performs operations UBi and on the i-th particle in S1 for 1 ≤ i ≤ 4n. Then he sends the new sequence (denoted as S2) back to the center.

5) Once receiving S2, the center makes a measurement on each of the particles randomly in σ z-basis or σ y-basis, and then publishes the measurement outcome of each of the particles in S2, where σ z-basis = {| 0⟩ , | 1⟩ } and σ y-basis = {| + ⟩ , | − ⟩ }. According to the i-th measurement outcome announced by the center, Alice and Bob could learn which of the two bases was used to measure the i-th particle in S2. Concretely, if the measurement outcome is | 0⟩ or | 1⟩ (| + ⟩ or | − ⟩ ), the σ z-basis (σ y-basis) was used.

6) After the center has announced the measurement outcomes of all the particles in S2, Alice and Bob publish A′ and B′, respectively, where indicates whether Alice (Bob) has performed Cs on the i-th particle in the travelling sequence. Based on the announced information, Alice and Bob are able to determine which of the particles in S2 were measured in correct bases. Here measuring the i-th particle in the correct basis represents that the i-th measurement outcome is |0⟩ or |1⟩ (|+⟩ or |−⟩) under the condition that is 0 or 2 (1). According to the probabilistic theory, half of the particles in S2 (i.e., 2n particles in S2) have been measured by the center with correct measuring bases. For the positions of the measurement outcomes obtained from incorrect measuring bases, Alice and Bob discard the corresponding bits in A, B, A′, and B′, where the new strings are denoted as Ā , , Ā ′ , and , respectively. Then Alice and Bob can deduce a 2n-bit string C with the measurement outcomes obtained with the correct measuring bases. Concretely, if the measurement outcome is |0⟩ or |+⟩ (|1⟩ or |−⟩), the corresponding bit of C is 0 (1). The relationship among the values of Ā j, , , and Cj when no error occurs is shown in Table 4, where 1 ≤ j ≤ 2n and ⊕ denotes addition modulo 2.

7) To check eavesdropping, Bob randomly chooses n positions in string C and requires Alice to tell him the corresponding bits in Ā . According to the information announced by Alice and Table 1, Bob checks whether the corresponding bits in C are in accordance with the theoretical values. If the error rate is higher than acceptable, they abort the results; otherwise, Bob can trust the transmission and deduce the remaining n bits of Ā with the corresponding bits of C and . At last, Alice and Bob utilize error correction and privacy amplification [59, 60] to establish a secure session key.

Table 1. The relationship among the values of Ā j, , , and Cj when no errors occur.

In this protocol, with the help of the center, any two of the involved users can establish a random key with only unitary operations. Although the qubit efficiency of our protocol is half of that of the protocols in Refs. [34]–[36], our protocol does not need to store qubits. Hence, our protocol is more feasible with the current techniques. Besides, users should set up a filter and a beam splitter to prevent a Trojan horse attack and an invisible-photon attack. [61, 62]

3.2. Fault-tolerant MQKD protocols against collective noise

Herein we introduce three fault-tolerant versions of the proposed MQKD protocol based on the method in Section 2 and the idea of DFS, which can be immune to the collective-dephasing noise, the collective-rotation noise, and all kinds of unitary collective noise, respectively.

3.2.1. Fault-tolerant MQKD protocol against collective-dephasing noise

The collective-dephasing noise[42, 45, 63] can be described as

where ϕ is the noise parameter and fluctuates with time. A logical qubit, which is composed of two physical qubits with antiparallel parity as

is immune to the collective-dephasing noise, as both qubits obtain the same phase factor $e^{i\phi}$ through this kind of channel. To communicate securely, at least two non-orthogonal measuring bases are required. According to the presented method, one basis could be {|0⟩L, |1⟩L}, and the other one is {|+⟩L, |−⟩L}, where

It is straightforward to verify that |⟨+|0⟩L|² = |⟨+|1⟩L|² = |⟨−|0⟩L|² = |⟨−|1⟩L|² = 1/2, which indicates that {|0⟩L, |1⟩L} and {|+⟩L, |−⟩L} form two mutually unbiased bases. Based on the method given in Section 2, we construct the following encoding operation Udp and controlling operation Cdp for our MQKD protocol which can resist the collective-dephasing noise:

The effect of the operations Udp and Cdp on the four states can be illustrated as

In this case, with the help of the center, any two of the involved users can establish a shared secret key over the collective-dephasing channel with the same steps of the protocol given in Subsection 3.1. Certainly, there are some differences between these two cases. First, the four states | 0⟩ , | 1⟩ , | + ⟩ , and | − ⟩ should be respectively replaced by | 0⟩ L, | 1⟩ L, | + ⟩ L, and | − ⟩ L. Second, the unitary operations Is, Us, and Cs should be substituted with , Udp, and Cdp, respectively, where . Accordingly, the measuring bases used by the center in step 5) should be replaced by {| 0⟩ L, | 1⟩ L} and {| + ⟩ L, | − ⟩ L}.

3.2.2. Fault-tolerant MQKD protocol against collective-rotation noise

The collective-rotation noise[42, 45, 63] can be described as

where θ is the parameter of noise which fluctuates with time. Two Bell states, and , are invariant under this collective-rotation noise. Naturally, logical qubits in this case can be chosen as

For secure communication, at least two non-orthogonal measuring bases are required. According to the presented method, one basis could be {| 0rL, | 1rL}, and the other one is {| + rL, | − rL}, where

It is easy to verify that | ⟨ r+ | 0rL| 2 = | ⟨ r+ | 1rL| 2 = | ⟨ r− | 0rL| 2 = | ⟨ r− | 1rL| 2 = 1/2, which indicates that {| 0rL, | 1rL} and {| + rL, | − rL} form two mutually unbiased bases. Using the method given in Section 2, we construct the encoding operation Ur and controlling operation Cr for the MQKD protocol over the collective-rotation channel as follows:

The effect of the operations Ur and Cr on the four states can be illustrated as

In this case, with the help of the center, any two of the involved users can establish a shared secret key over the collective-rotation channel with the same steps of the protocol presented in Subsection 3.1. Of course, there are some differences between these two cases. One difference is that the four states | 0⟩ , | 1⟩ , | + ⟩ , and | − ⟩ should be respectively replaced by | 0rL, | 1rL, | + rL, and | − rL. Another difference is that the unitary operations Is, Us, and Cs should be substituted with , Ur, and Cr, respectively. Accordingly, the measuring bases used by the center in step 5 should be replaced by bases {| 0rL, | 1rL} and {| + rL, | − rL}.

3.2.3. Fault-tolerant MQKD protocol against all kinds of unitary collective noise

Decoherence-free (DF) states [43, 54] are a type of state which is changeless under any n-lateral unitary transformation (i.e., Un|ψ⟩ = |ψ⟩, where Un = U ⊗ ··· ⊗ U denotes the tensor product of n unitary transformations U). The amount of quantum information that a given N-qubit DFS is able to protect depends on the number of its qubits. If N is even, the DFS spanned by the eigenstates of the whole Hamiltonian of the qubit–bath system has dimension [43, 50]

For N = 2, there exists only one DF state, the singlet state | ψ ⟩ . For N = 4, the dimension of the DFS is 2. Hence, 4 qubits are sufficient to fully protect one arbitrary logical qubit from all kinds of unitary collective noise.[50] A natural choice for the orthogonal basis of the 4-qubit DFS is

To communicate securely, at least two non-orthogonal measuring bases are required. According to the presented method, one basis could be {, }, and the other one should be chosen as {, }, where

It can be easily verified that , which means {, } and {, } form two mutually unbiased bases. Let us suppose that W is the 4-qubit Hilbert space whose dimension is 16, then we are able to find an orthonormal basis {, , … , } for W by employing the Gram–Schmidt procedure. For the sake of simplicity, we do not give the concrete form of the states , , … , as the well-known Gram–Schmidt procedure is not complicated. Once obtaining all the states of the orthonormal basis, we can construct the corresponding encoding operation Ū and controlling operation for our robust MQKD protocol based on the presented method. The encoding operation Ū and controlling operation are in the forms

Here, we have many feasible choices for O, such as and . When , the effect of operations Ū and on the states can be illustrated as

In this case, with the help of the center, any two of the involved users can establish a shared secret key over the channel with all kinds of collective-noise with the same steps described in the protocol proposed in Subsection 3.1. Certainly, there are some differences between these two cases. That is, the four states | 0⟩ , | 1⟩ , | + ⟩ , and | − ⟩ should be respectively substituted with , , , and , and the unitary operations Is, Udp, and Cdp should be replaced by , Ū , and , respectively. Accordingly, the center should utilize the bases {, } and {, } to measure each of the states in S2 in step 5.

4. Security analysis

In this section, we analyze the security of the MQKD protocol with single particles. For the security of the ones over collective-noise channels, it can be analyzed in the same way. For clarity, we first consider the attacks from outside eavesdroppers. After that, we take into account the situation in which the center tries to eavesdrop the key.

4.1. Security against outside attacks

Let us assume that Eve is an attacker who wants to eavesdrop the users’ secret key without being noticed in the eavesdropping detection. Eve could intercept the traveling particles sent to the receiver and replace them with the ones prepared by herself, [55] or she can entangle the travelling particles with additional states and try to extract information from these states.[64] Since the secret strings of the users are encoded on the travelling particles via the operations performed, the action to eavesdrop on the users’ secret strings is equivalent to discriminating between the operations that they have performed. For instance, if Eve wants to obtain the value of Ai (1 ≤ i ≤ 4n), she should know which one of the operations Is, Us, Cs, and UsCs Alice has performed on the corresponding particle. In other words, Eve should be capable of discriminating between the four unitary operations. Actually, the quantum operation discrimination has been well studied. In addition to Theorem 1 and Corollary 2, here we introduce another theorem.

Theorem 3 [65] The quantum operations γ1, …, γn can be unambiguously discriminated by a single operation if and only if for any i = 1, 2, …, n, supp(γi) ⊈ supp(Si), where supp(γ) denotes the support of quantum operation γ and Si = {γj : j ≠ i}.

In the proposed protocol with single particles, the unitary operations performed by both users (Alice and Bob) can be viewed as a whole with four unitary operations, i.e. Is, Us, Cs, and UsCs. Here, Is is the identity density operator on the two-dimensional Hilbert space and the operations Us and Cs are respectively the encoding operation and controlling operation defined in Eq.  (4). It can be easily found that these operations satisfy , which indicates that supp{Cs} ⊆ supp{Is, Us, UsCs}. Therefore, these four operations cannot be unambiguously discriminated by a single operation (i.e., with only one opportunity) according to Theorem 3. Moreover, we can also obtain the same conclusion according to Theorem 1. For example, the eigenvalues of the operator are 1 and − i, therefore, and the minimum error probability to discriminate Us and Cs is

In the same way, we obtain the minimum error probability Pe(Is, Cs) = Pe(Is, UsCs) = Pe(Us, UsCs) ≈ 0.15, which means that these operations cannot be discriminated unambiguously under the condition that the device can be accessed only once.
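As an added illustration (not code from the paper), the following Python sketch evaluates the pairwise minimum error probabilities with the standard formula for two equiprobable unitaries, P_e = (1 − sqrt(1 − r²))/2, where r is the distance from the origin to the polygon spanned by the eigenvalues of U1†U2. The matrices for Us and Cs are assumed stand-ins, chosen so that Us†Cs has the eigenvalues 1 and −i quoted above; Eq. (4) is not reproduced in this section, and the formula is taken here to be the content of Theorem 1.

```python
import cmath
import math
from itertools import combinations

def matmul(a, b):
    """Product of two 2x2 complex matrices."""
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)]
            for i in range(2)]

def dagger(a):
    """Conjugate transpose of a 2x2 matrix."""
    return [[complex(a[j][i]).conjugate() for j in range(2)] for i in range(2)]

def eigenvalues(m):
    """Eigenvalues of a 2x2 matrix from its trace and determinant."""
    tr = m[0][0] + m[1][1]
    det = m[0][0] * m[1][1] - m[0][1] * m[1][0]
    root = cmath.sqrt(tr * tr - 4 * det)
    return [(tr + root) / 2, (tr - root) / 2]

def origin_distance(eigs):
    """Distance r from 0 to the polygon whose vertices are unit-modulus eigenvalues."""
    angles = sorted(cmath.phase(z) % (2 * math.pi) for z in eigs)
    gaps = [b - a for a, b in zip(angles, angles[1:])]
    gaps.append(2 * math.pi - (angles[-1] - angles[0]))  # wrap-around gap
    span = 2 * math.pi - max(gaps)  # smallest arc containing every eigenvalue
    # The polygon misses the origin only if all eigenvalues fit in an arc < pi.
    return math.cos(span / 2) if span < math.pi else 0.0

def min_error(u1, u2):
    """Minimum error probability for one use of u1 or u2, equal priors."""
    r = origin_distance(eigenvalues(matmul(dagger(u1), u2)))
    return 0.5 * (1 - math.sqrt(max(0.0, 1 - r * r)))

# Assumed stand-ins (not taken from Eq. (4)): Us = i*sigma_y and
# Cs = (1 - i)/2 * (I + Us), which swaps the Z and X bases up to a phase.
S = (1 - 1j) / 2
OPS = {
    "Is": [[1, 0], [0, 1]],
    "Us": [[0, 1], [-1, 0]],
    "Cs": [[S, S], [-S, S]],
}
OPS["UsCs"] = matmul(OPS["Us"], OPS["Cs"])

def pairwise_errors(ops=OPS):
    """Minimum error probability for every unordered pair of operations."""
    return {(a, b): min_error(ops[a], ops[b]) for a, b in combinations(ops, 2)}

if __name__ == "__main__":
    for pair, pe in pairwise_errors().items():
        print(pair, round(pe, 4))
```

With these assumed matrices, the four pairs listed in the text come out at about 0.146, while the pairs (Is, Us) and (Cs, UsCs) come out at 0.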

In the proposed protocol, the users’ secret strings are encoded in the operations they perform on the states. If Eve wants to obtain a bit of a user’s secret string without leaving a trace in the eavesdropping detection, she must be able to unambiguously find out which of Is, Us, Cs, and UsCs has been performed on the corresponding particle with only one opportunity. However, as we analyzed above, the four operations cannot be unambiguously discriminated under this condition. Consequently, well-known attacks from an outside eavesdropper, such as the intercept-resend attack, the measurement-resend attack, the entanglement-measure attack, and the dense-coding attack, will inevitably be found in the eavesdropping detection.

Furthermore, as for the two special attacks of two-way communication, i.e., the Trojan horse attack and the invisible-photon attack, the users and the center can make use of the methods in Refs. [61] and [62] to protect the proposed protocols. Hence, we omit a redundant description here.

4.2. Security against the center’s attacks

It is known that an attack from a dishonest participant is more powerful than one from an outside eavesdropper. On the one hand, he knows part of the legal information. On the other hand, he could lie during the execution of the protocol to avoid being detected. Therefore, attacks from dishonest participants deserve more attention, and such situations should also be considered in our protocol. First, in the case that the center has been corrupted by others, he may try to eavesdrop on the random key shared between the users. Second, in some special situations, the center may be out of service and a person who has the ability of generating and measuring the quantum states may want to eavesdrop on the key. That is, the one who is able to substitute for the center may be dishonest. Now, we show that, if the users use the proposed protocol, a dishonest center cannot obtain the random key without leaving a trace in the eavesdropping detection.

Compared with the outside eavesdroppers, a dishonest center has the following two advantages. First, he could replace the particles in S with whatever kind of states he wants. Second, he could modify the measurement outcomes which are announced in step 5. Nevertheless, he is still unable to obtain the key shared between the users without being noticed in the eavesdropping detection of our protocol. According to the analysis given above, no matter what kind of states the dishonest center has prepared in step 2, he is unable to unambiguously discriminate between the four unitary operations performed by the users under the condition that the device can be accessed only once. In other words, these four unitary operations cannot be precisely discriminated when they are performed on a single qubit or one qubit of any entangled state. That is to say, if the center utilizes a strategy to discriminate between these four operations, he will obtain an incorrect outcome with a non-negligible probability. In our protocol, the users will announce the controlling strings A′ and B′ only after the center publishes the measurement outcomes of all the particles in S2. Also, the bits utilized to check eavesdropping are randomly chosen by the users after the measurement outcomes are published. Since the dishonest center cannot precisely discriminate between the four unitary operations utilized in our protocol with only one opportunity, no matter what attack strategy he employs, once he obtains part of the useful information about the secret string, he will inevitably introduce errors into the eavesdropping detection and hence be noticed by the users.

Till now, we have analyzed the security of the MQKD protocol in Subsection 3.1 to show that it is secure against attacks from both the outside eavesdroppers and the dishonest center. For the fault-tolerant MQKD protocols against collective-dephasing noise, collective-rotation noise, and all kinds of unitary collective noise, we can show that they can be immune to all the present attacks in just the same way, since the operations in {I⊗ 2, Udp, Cdp, UdpCdp}/{I⊗ 2, Ur, Cr, UrCr}/{I⊗ 4, Ū , , } cannot be discriminated unambiguously (under the condition that the device can be accessed only once) according to the theorems given above.

5. Discussion and conclusion
5.1. Discussion

To combat the errors introduced by the collective-noise channel, Zhang has proposed a well-known fault-tolerant multiparty quantum secret sharing (MQSS) protocol.[28] It is easy to find that this MQSS protocol can also be used for MQKD. However, there are clear differences between this protocol and our protocol. First, by utilizing our protocol, two arbitrary users could establish a secret key with the help of the center, and then they could utilize this key for secure communication between each other. In this circumstance, the center is unable to obtain any useful information about the shared key. By employing Zhang’s protocol, in contrast, a boss could establish a joint key with his agents. Only when all the agents collaborate can they deduce the joint key and then utilize this key for secure communication with the boss. Second, as there exists a serving center in our protocol, if two of the involved users want to establish a secret key, they only need to be capable of performing certain unitary operations. Nevertheless, in Zhang’s protocol, if the boss wants to establish a joint key with his agents, the boss should be able to generate quantum states, and the agents should be capable of performing a certain unitary operation and measuring the quantum states. In addition, to establish a secret key, the quantum state sequence should be transmitted three times in our protocol, while the sequence in Zhang’s protocol only needs to be transmitted twice.

In fact, with some minor modifications, the protocol proposed in Section 3 can also be used for secret sharing of a random key. Concretely, if we want this protocol to be used for QSS, the following modifications are needed. Firstly, in step 5, after the center finishes measuring all the received particles, he notifies Alice and Bob of this fact. Unlike in the original protocol, he no longer publishes the measurement outcomes. Secondly, in step 6, once receiving the center’s notification, Alice and Bob publish Ā ′ and . With this information, the center judges which of the received particles have been measured in correct measuring bases. Then he informs Alice and Bob of the positions of the particles which have been measured incorrectly. With the positions, Alice and Bob discard the corresponding bits in A, B, A′ , and B′ , and obtain new strings which are denoted as Ā , , Ā ′ , and , respectively. Then the center deduces a 2n-bit string C according to the corresponding 2n measurement outcomes obtained from correct measuring bases. The relationship among the bit values of Ā j, , , and Cj is shown in Table 1, where 1 ≤ j ≤ 2n. Thirdly, in step 7, the center randomly chooses n positions out of string C and requires Alice and Bob to tell him the corresponding bits in Ā and , respectively. According to the received information and Table 1, the center checks whether there exists eavesdropping in the executing procedure of the protocol. If no eavesdropping exists, the center has successfully established a joint key with Alice and Bob. That is to say, only when Alice and Bob collaborate can they first establish a joint key with the center and then extract the secret messages from the center’s encrypted messages later transmitted via a public channel.

So far, we have shown that the protocol proposed in Section 3 can be used for three-party QSS with some minor modifications. Nevertheless, QSS has different security requirements from QKD. On the one hand, the boss (i.e., the message sender) of a QSS protocol is honest. On the other hand, the agents (i.e., sharers) of a QSS protocol may be dishonest. That is to say, some dishonest agents may cooperate to attack the protocol and try to obtain the key without the help of other agents. According to the security analysis given in Section 4, it is not hard to find that the three-party QSS we just mentioned is secure. However, when the number of agents is more than two, many more threatening attacking strategies for QSS, such as the entanglement swapping attack,[39] should be considered. That is to say, to extend the above three-party protocol to an n-party one, some extra strategies should be employed for resisting these attacks. As the related strategies have been discussed elsewhere,[40] we do not focus on this issue here.

5.2. Conclusion

We introduce a method for constructing encoding operations and controlling operations, which are required in the MQCP-CD. Then by employing single particles and collective detection, we present an MQKD protocol on a star network without storing qubits, which can resist attacks from both outside eavesdroppers and a dishonest center. Based on the proposed method and the idea of DFS, we also introduce three fault-tolerant versions of the proposed protocol against collective-dephasing noise, collective-rotation noise, and all kinds of unitary collective noise.

Obviously, the presented method is useful as it can be used to construct the unitary operations required in the MQCP-CD with different kinds of quantum states. Compared with the existing MQCP-CDs,[34–41] the protocols proposed in this paper have the following advantages. First, the proposed protocols are more feasible since they do not need to employ a quantum storage machine. Second, the proposed protocols can not only utilize the collective detection, but also be immune to the collective noise.

References
1 Bennett C H and Brassard G 1984 Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, India, pp. 175–179
2 Ekert A E 1991 Phys. Rev. Lett. 67 661 DOI:10.1103/PhysRevLett.67.661
3 Deng F G and Long G L 2003 Phys. Rev. A 68 042315 DOI:10.1103/PhysRevA.68.042315
4 Deng F G and Long G L 2004 Phys. Rev. A 70 012311 DOI:10.1103/PhysRevA.70.012311
5 Li H W, Yin Z Q, Wang S, Bao W S, Guo G C and Han Z F 2011 Chin. Phys. B 20 100306 DOI:10.1088/1674-1056/20/10/100306
6 Phoenix S, Barnett S, Townsend P and Blow K 1995 J. Modern Opt. 42 1155 DOI:10.1080/09500349514551001
7 Lin S, Huang C and Liu X F 2013 Phys. Scr. 87 035008 DOI:10.1088/0031-8949/87/03/035008
8 Lo H K, Curty M and Qi B 2012 Phys. Rev. Lett. 108 130503 DOI:10.1103/PhysRevLett.108.130503
9 Tang Y L, Yin H L and Chen S J 2014 Phys. Rev. Lett. 113 190501 DOI:10.1103/PhysRevLett.113.190501
10 Wang Y, Bao W S, Li H W, Zhou C and Li Y 2014 Chin. Phys. B 23 080303 DOI:10.1088/1674-1056/23/8/080303
11 Wang X B 2007 Phys. Rev. A 75 052301 DOI:10.1103/PhysRevA.75.052301
12 Tomamichel M, Lim C C W, Gisin N and Renner R 2012 Nat. Commun. 3 634 DOI:10.1038/ncomms1631
13 Zhao L Y, Li H W, Yin Z Q, Chen W, You J and Han Z F 2014 Chin. Phys. B 23 100304 DOI:10.1088/1674-1056/23/10/100304
14 Huang P, Fan J and Zeng G H 2014 Phys. Rev. A 89 042330 DOI:10.1103/PhysRevA.89.042330
15 Long G L and Liu X S 2002 Phys. Rev. A 65 032302 DOI:10.1103/PhysRevA.65.032302
16 Boström K and Felbinger T 2002 Phys. Rev. Lett. 89 187902 DOI:10.1103/PhysRevLett.89.187902
17 Wang C, Deng F G, Li Y S, Liu X S and Long G L 2005 Phys. Rev. A 71 044305 DOI:10.1103/PhysRevA.71.044305
18 Deng F G and Long G L 2004 Phys. Rev. A 69 052319 DOI:10.1103/PhysRevA.69.052319
19 Deng F G, Long G L and Liu X S 2003 Phys. Rev. A 68 042317 DOI:10.1103/PhysRevA.68.042317
20 Man Z X, Zhang Z J and Li Y 2005 Chin. Phys. Lett. 22 18
21 Gu B, Huang Y G, Fang X and Chen Y L 2013 Int. J. Theor. Phys. 52 4461 DOI:10.1007/s10773-013-1765-2
22 Ye T Y and Jiang L Z 2013 Chin. Phys. Lett. 30 040305 DOI:10.1088/0256-307X/30/4/040305
23 Hillery M, Bužek V and Bérthiaume A 1999 Phys. Rev. A 59 1829 DOI:10.1103/PhysRevA.59.1829
24 Wang T Y and Wen Q Y 2011 Quant. Inf. Comput. 11 434
25 Yang Y G, Wang Y A, Chai H P, Teng Y W and Zhang H 2013 Opt. Commun. 284 3479 DOI:10.1016/j.optcom.2011.03.017
26 Zhou N R, Song H C and Gong L H 2013 Int. J. Theor. Phys. 52 4174 DOI:10.1007/s10773-013-1730-0
27 Chen X B, Xu G, Su Y and Yang Y X 2014 Quant. Inf. Comput. 14 589
28 Zhang Z J 2006 Phys. A 361 233 DOI:10.1016/j.physa.2005.07.005
29 Wang T Y, Cai X Q and Zhang R L 2014 Quantum Inf. Process. 13 1677 DOI:10.1007/s11128-014-0760-8
30 Yang Y G and Wen Q Y 2009 J. Phys. A: Math. Theor. 42 055305 DOI:10.1088/1751-8113/42/5/055305
31 Zeng G H, Lee M H, Guo Y and He G Q 2007 Int. J. Quantum Inf. 5 553 DOI:10.1142/S0219749907003031
32 Zeng G H and Keitel C H 2002 Phys. Rev. A 65 042312 DOI:10.1103/PhysRevA.65.042312
33 Wen X J 2010 Phys. Scr. 82 065403 DOI:10.1088/0031-8949/82/06/065403
34 Shih H, Lee K and Hwang T 2009 IEEE J. Sel. Top. Quant. Electron. 15 1602 DOI:10.1109/JSTQE.2009.2019617
35 Gao F, Qin S J, Guo F Z and Wen Q Y 2011 IEEE J. Quant. Electron. 47 630 DOI:10.1109/JQE.2011.2107889
36 Liu B, Gao F and Wen Q Y 2011 IEEE J. Quant. Electron. 47 1383 DOI:10.1109/JQE.2011.2167743
37 Liu B, Gao F, Jia H Y and Huang W 2013 Quantum Inf. Process. 12 887 DOI:10.1007/s11128-012-0439-y
38 Lin S, Wen Q Y, Qin S J and Zhu F C 2009 Opt. Commun. 282 4455 DOI:10.1016/j.optcom.2009.07.053
39 Gao G 2010 Opt. Commun. 283 2997 DOI:10.1016/j.optcom.2010.03.030
40 Liu B, Gao F and Wen Q Y 2011 Int. J. Theor. Phys. 51 1211 DOI:10.1007/s10773-011-0997-2
41 Huang W, Wen Q Y, Liu B, Gao F and Chen H 2012 Int. J. Theor. Phys. 51 2787 DOI:10.1007/s10773-012-1154-2
42 Li X H, Deng F G and Zhou H Y 2008 Phys. Rev. A 78 022321 DOI:10.1103/PhysRevA.78.022321
43 Zanardi P and Rasetti M 1997 Phys. Rev. Lett. 79 3306 DOI:10.1103/PhysRevLett.79.3306
44 Lin S 2014 Quantum Inf. Comput. 14 845
45 Yang Y G, Teng Y W, Chai H P and Wen Q Y 2011 Phys. Scr. 83 025003 DOI:10.1088/0031-8949/83/02/025003
46 Yang C W, Tsai C W and Hwang T 2013 Quantum Inf. Process. 12 3043 DOI:10.1007/s11128-013-0582-0
47 Wu G T, Zhou N R, Gong L H and Liu S Q 2014 Acta Phys. Sin. 63 060302 DOI:10.7498/aps.63.060302 (in Chinese)
48 Chang Y, Zhang S B, Li J and Yan L L 2014 Sci. China-Phys. Mech. Astron. 57 1907 DOI:10.1007/s11433-014-5434-0
49 Huang W, Wen Q Y, Jia H Y, Qin S J and Gao F 2012 Chin. Phys. B 21 100308 DOI:10.1088/1674-1056/21/10/100308
50 Cabello A 2007 Phys. Rev. A 75 020301 DOI:10.1103/PhysRevA.75.020301
51 Sun Y, Wen Q Y, Gao F and Zhu F C 2009 Phys. Rev. A 80 032321 DOI:10.1103/PhysRevA.80.032321
52 Gu B, Zhang C Y, Cheng G S and Huang Y G 2011 Sci. China-Phys. Mech. Astron. 54 942 DOI:10.1007/s11433-011-4265-5
53 Walton Z D, Abouraddy A F and Sergienko A V 2003 Phys. Rev. Lett. 91 087901 DOI:10.1103/PhysRevLett.91.087901
54 Kwiat P G, Berglund A J, Altepeter J B and White A G 2000 Science 290 498 DOI:10.1126/science.290.5491.498
55 Qin S J, Gao F, Wen Q Y and Zhu F C 2006 Phys. Lett. A 357 101 DOI:10.1016/j.physleta.2006.04.030
56 Zhang Z J, Li Y and Man Z X 2005 Phys. Rev. A 71 044301 DOI:10.1103/PhysRevA.71.044301
57 Deng F G, Li X H, Chen P and Zhou H Y 2006 arXiv: 0604060
58 Mauro D’Ariano G, Presti P L and Paris M G A 2001 Phys. Rev. Lett. 87 270404 DOI:10.1103/PhysRevLett.87.270404
59 Gisin N, Ribordy G, Tittel W and Zbinden H 2002 Rev. Mod. Phys. 74 145 DOI:10.1103/RevModPhys.74.145
60 Deutsch D, Ekert A, Jozsa R, Macchiavello C, Popescu S and Sanpera A 1996 Phys. Rev. Lett. 77 2818 DOI:10.1103/PhysRevLett.77.2818
61 Cai Q Y 2006 Phys. Lett. A 351 23 DOI:10.1016/j.physleta.2005.10.050
62 Li X H, Deng F G and Zhou H Y 2006 Phys. Rev. A 74 054302 DOI:10.1103/PhysRevA.74.054302
63 Xie C M, Liu Y M, Li G F and Zhang Z J 2014 Quantum Inf. Process. 13 2713 DOI:10.1007/s11128-014-0822-y
64 Gao F, Qin S J, Wen Q Y and Zhu F C 2010 Opt. Commun. 283 192 DOI:10.1016/j.optcom.2009.09.047
65 Wang G M and Ying M S 2006 Phys. Rev. A 73 042301 DOI:10.1103/PhysRevA.73.042301