New J. Phys. 23 (2021) 083026 https://doi.org/10.1088/1367-2630/ac1808
OPEN ACCESS
RECEIVED
15 April 2021
REVISED
2 July 2021
ACCEPTED FOR PUBLICATION
27 July 2021
PUBLISHED
12 August 2021
Original content from
this work may be used
under the terms of the
Creative Commons
Attribution 4.0 licence.
Any further distribution
of this work must
maintain attribution to
the author(s) and the
title of the work, journal
citation and DOI.
PAPER
Anonymous and secret communication in quantum networks
Christopher Thalacker1,2,FrederikHahn
3,JarndeJong
4, Anna Pappa4and
Stefanie Barz1,2,∗
1Institute for Functional Matter and Quantum Technologies, Universität Stuttgart, 70569 Stuttgart, Germany
2Center for Integrated Quantum Science and Technology (IQST), Universität Stuttgart, 70569 Stuttgart, Germany
3Dahlem Center for Complex Quantum Systems, Freie Universität Berlin, 14195 Berlin, Germany
4Electrical Engineering and Computer Science Department, Technische Universität Berlin, 10587 Berlin, Germany
∗Author to whom any correspondence should be addressed.
E-mail: [email protected]t.de
Keywords: quantum communication, quantum networks, conference key agreement
Abstract
Secure communication is one of the key applications of quantum networks. In recent years,
following the demands for identity protection in classical communication protocols, the need for
anonymity has also emerged for quantum networks. Here, we demonstrate that quantum physics
allows parties—besides communicating securely over a network—to also keep their identities
secret. We implement such an anonymous quantum conference key agreement by sharing
multipartite entangled states in a quantum network. We demonstrate the protocol with four
parties and establish keys in subsets of the network—different combinations of two and three
parties—whilst keeping the participating parties anonymous. We additionally show that the
protocol is verifiable and run multiple key generation and verification routines. Our work thus
addresses one of the key challenges of networked communication: keeping the identities of the
communicating parties private.
Quantum communication has developed from first proof-of-principle demonstrations to real-world
applications. Since the first proposals of using quantum physics to establish secret keys between two parties
more than three decades ago [1–3], numerous demonstrations of quantum key distribution (QKD) have
been performed. Starting from proof-of-concept experiments, intermediate and large-scale quantum
networks spanning thousands of kilometres have recently been developed [4–10]. These experiments use
single photons or entangled photon pairs to exchange a secret key between two parties and are known as
QKD protocols [11,12].
With growing complexity of quantum networks, new possibilities arise for multiparty protocols that go
beyond bipartite secure communication. One example is conference key agreement (CKA), a cryptographic
primitive that allows parties in a large-scale network to jointly establish a shared secret key [13]. Several
approaches have been proposed with different requirements for quantum resources, ranging from bipartite
to multipartite quantum states shared over the network. Interestingly, sharing multipartite states was shown
to be more efficient in specific cases, e.g. for networks that have bottlenecks [14]. Recently, experimental
implementations of CKA protocols have been performed [15].
Beyond the security of key generation, quantum networks open up a wide range of possibilities
regarding other aspects of secure communication. One such aspect is anonymity [13,15–18]. In a broad
range of cases, internet users put much effort into keeping their activities and identities secret. As classical
networks are replaced by their quantum counterparts, anonymity will likewise be a vital requirement for
networked quantum communication.
Various levels of anonymity can be envisioned, and there exist multiple real-life scenarios where the
identities of one or more of the communicating parties need to be kept secret. One example is whistle
blowing, where it is imperative that the identity of the sender is kept secret. Combining anonymity with the
© 2021 The Author(s). Published by IOP Publishing Ltd on behalf of the Institute of Physics and Deutsche Physikalische Gesellschaft
New J. Phys. 23 (2021) 083026 CThalackeret al
Figure 1. Anonymous conference key agreement. A sender (blue) aims to establish a secret key with mparticipants (orange)
while their identities remain secret, both from each other and from the remaining non-participants (black).
Figure 2. Sketch of the anonymous conference key agreement protocol. A sender (blue) notifies mparticipants (orange) and
establishes a secret key. The identities of the participants remain secret from each other, and also from the remaining
non-participants (black). See main text for detailed explanation of the protocol.
requirement for private communication between multiple parties leads to anonymous conference key
agreement (ACKA) [16]. Here, the goal is to establish a secret key between several parties across a larger
network in such a way that their identities are hidden from everyone else in the network, including each
other, and are only known to the initiating party (see figure 1).
In this work, we demonstrate how to anonymously establish a secret key in a quantum network of four
parties using multipartite entanglement. We focus on a protocol first proposed in [16], extending the work
of [17,19] on bipartite key generation.
Our protocol works as follows: first, each party is notified whether they are meant to participate in the
key exchange or not [20]. Then, Greenberger–Horne–Zeilinger (GHZ) states are repeatedly shared with all
parties in the network, such that each party receives one qubit from every shared state [21–25]. A few of
these shared states are used to generate a secret key; the majority is used to detect an eavesdropper or any
deviation of the parties from the protocol, making the protocol also verifiable. In our implementation, we
demonstrate six different configurations for anonymously establishing a secret key between a sender and
one or two participants in a four-partite network.
2
New J. Phys. 23 (2021) 083026 CThalackeret al
Figure 3. The setting of our implementation. (a) Sketch of the experimental setup with four receivers. Two polarisation-encoded
EPR photon pairs are generated and two photons—one of each pair—are superimposed on a PBS to generate a four-photon
GHZ4state. This state is then distributed to the four parties. (b) Different network configurations implemented in our
demonstration. The sender and the participants are highlighted in colour, while the non-participants are displayed in black.
(c) Resulting measurement settings for each configuration and type of round, KeyGen or verification.
1. The protocol for anonymous conference key agreement
The goal of the protocol is for a sender to anonymously establish a key with mparticipants of their choice
while they form part of a larger network of nparties. The network is able to distribute a state
|GHZn:=1
√2|0⊗n+|1⊗n(1)
between all nparties (cf figure 2).
The protocol starts with the nparties running a classical notification protocol that allows the sender to
anonymously notify mparticipants—and thereby implicitly the non-participants [20]. This requires private
classical communication between all pairs of parties. Once the participants are notified, the remainder of
the protocol is repeated Ltimes. In each round, a GHZnstate is distributed to the nparties and the
non-participants measure their qubits in the X-basis. This results in a GHZm+1state between only the
sender and the participants, with an additional phase of ±1 depending on the parity Δof the measurement
outcomes of the non-participants, i.e.
|GHZm+1,Δ=1
√2|0⊗(m+1) +(−1)Δ|1⊗(m+1).(2)
In order for this phase to be compensated, the non-participants publicly announce their measurement
outcomes—while the participants hide their identity by announcing random bits. The sender can tell
3
New J. Phys. 23 (2021) 083026 CThalackeret al
Figure 4. Experimental results. (a) Total number of KeyGen and verification rounds with corresponding security
parameter D=#Verification+#KeyGen
#KeyGen . (b) Success probability for key generation rounds (stripe pattern) and verification rounds
(plain colour) for the different configurations. We calculate the probabilities per run; the error bars show the standard deviation
over the number of runs.
Figure 5. Experimental setup. Two β-barium borate (BBO) crystals are pumped with a fs-pulsed laser (390 nm) to generate
polarisation-entangled photon pairs via type-II spontaneous parametric down-conversion. After passing a half-wave plate and an
additional BBO, the photons are prepared in state |ψ−=(|H,V−|V,H)/√2. Two photons, one from each source, are
superimposed on a polarising beam splitter (PBS) to generate the four-photon state |GHZ=(|H,H,H,H+|V,V,V,V)/√2
after postselecting four-photon events. The measurements as described in the main protocol are realised using quarter-wave
(HWP) and half-wave plates (HWP), together with PBSs and avalanche photo detectors (APDs). FPC indicates fibre paddles for
controlling the polarisation.
everyone apart and can now apply a local correction to her qubit, thereby canceling this phase. This allows
the sender and the participants to anonymously ‘extract’ a smaller GHZm+1state shared only between
themselves. This state can consequently be used to anonymously generate a shared secret key due to its
inherent correlations when measured in the computational basis.
Note that, however, the non-participants could have diverged from their expected behaviour—for
instance by not measuring their qubits and announcing instead a random bit. This would allow them to be
part of the key-generating network, without being noticed. To prevent this, the participants use a large
percentage of the shared GHZm+1states for anonymous verification. In these verification rounds, the
participants perform measurements of random stabilisers on the GHZm+1state, whose outcome parity is
known to be one. All participants announce their measurement bases and outcomes, while the
non-participants announce two random bits concealing their roles. Only the sender is able to distinguish
between these announcements and can thus validate the results. By performing D−1randomlychosen
verification rounds out of every Drounds in total, the sender can thus estimate the closeness of the
distilled state to the ideal GHZm+1state [26]. This ensures that—even with arbitrary deviations from the
protocol by the non-participants—the probability that the state is accepted despite being not close in trace
distance to the GHZ state is small, as shown in [27]. It is therefore guaranteed that the resulting key is
provably secure and secret, while also preserving anonymity as no communication takes place during the
KeyGen rounds. We obtain a key of length L/Dwhichisprovablysecureandtheparticipantsremain
anonymous. Which of the rounds will be verification rounds and which KeyGen rounds is decided
randomly with a bias such that 1/Drounds are used for verification.
4
New J. Phys. 23 (2021) 083026 CThalackeret al
Figure 6. Reconstructed density matrix ρof the GHZ4state used to implement the anonymous conference key agreement.
2. Experimental implementation
We demonstrate anonymous verifiable CKA in a network with four parties. We generate four-photon GHZ4
states encoded in polarisation (H=0, V=1) using an all-optical setup as shown in figure 3(a) and in more
detail in figure 5in the appendix. The generated states have a fidelity of F=0.85(±0.02), estimated via
quantum state tomography [28].
The four-photon state allows us to demonstrate various configurations of the ACKA: a sender and two
receivers, and a bipartite protocol with a sender and one receiver. In all configurations, as shown in
figure 3(b), all participating parties remain anonymous. As a consequence, the non-participants do not
know which and how many parties are in the end sharing a secret key, since they cannot distinguish
between the different configurations.
We assume that the classical notification protocol has already been performed and we start by
distributing the GHZ4states to all parties. First, the non-participants perform a measurement in the
X-basis, resulting in a smaller GHZ3or GHZ2state.
We then randomly choose between KeyGen rounds and verification rounds. In a KeyGen
round, all participants measure in the Z-basis and exploit the correlations of the GHZ state for establishing
a shared key. In the verification rounds, each participant randomly measures in the X-orY-basis and
announces their basis together with their measurement outcome, while the sender announces random bits.
Then, the sender performs either an X-orY-measurement so that the total number of Y-measurements is
even.
Figure 3(c) shows the different measurement configurations of each setting according to the protocol. In
our implementation, all four measurements are implemented at the same time using motorised half-wave
and quarter-wave plates, together with a polarising beam splitter.
For each configuration we run the protocol between 150 and 300 times, each run corresponding to a
specific measurement setting. For each run, we integrate over 10 min of measurement time; each
four-photon event is considered a round; this leads to the total number of KeyGen and verification
rounds given in figure 4(a). Using these, we can calculate the effective security parameter
D=#Verification+#KeyGen
#KeyGen .
We estimate the probability of a correct KeyGen round and a passed verification for each run.
We then calculate the averaged probabilities over all runs (see figure 4(b)) for all measurement operators
and all implemented three-partite (A,B,Cand D)andbipartite(Eand F)networkconfigurations.The
success probability averaged over all the KeyGen runs is 95.3 with a standard deviation of ±1.3%,whereas
for the verification rounds the average success rate is 89.3(±2.1)%.
The main source of noise in our implementation originatesfromhigher-orderemissionsfromthe
parametric down-conversion sources, which is about 3%of all four-fold coincidences at a pump power of
180 mW for each source. Furthermore, the generated Bell states show visibilities of about ≃0.97 when both
qubits are measured in either the X-ortheZ-basis. At the polarising beam splitter, we achieve two-photon
5
New J. Phys. 23 (2021) 083026 CThalackeret al
Figure 7. List of all KeyGen and verification runs for each configuration. Each configuration has a certain set of
measurement bases for KeyGen and verification. For each run, we integrate over 10 min of measurement time. The
number of rounds refers to the total number of four-photon clicks in each basis, integrated over all runs. The number of
successful rounds refers to the total number of four-photon clicks that correspond to a measurement result expected from the
theory.
interference visibility of 0.823 ±0.02, mainly limited through higher-order emissions, residual
distinguishability of the photons, and, in particular, imperfect mode overlap.
As displayed in figure 4(a), the effective security parameter Dranges from about 20 to 32. If we just
consider the number of verification rounds vs the number of KeyGen rounds, the probability 1/D
of an adversary correctly guessing a round to be a KeyGen round is on average about 4%(see appendix).
In that case they can perform a Zmeasurement instead of an Xmeasurement. Thus, they would effectively
take part in the KeyGen round and could compromise the security of the key. Note that this is the
probability per individual key bit, and all key bits are uncorrelated in this regard.
In our implementation, the probability of a successful verification round is smaller than one. The
worst-case scenario would be that all failed verification rounds are accepted, but are in fact caused by
a malicious adversary actively cheating. Then, the adversary can cheat during all these failed
verification rounds without being caught, thereby getting more ‘tries’ to cheat during the KeyGen
rounds. In that case, the adversary has η(D−1) of these extra attempts, where ηis the failure rate of the
verification rounds. The average probability of the adversary correctly guessing the KeyGen
round becomes then 1+η(D−1)
D. In our experiment, the adversary has a probability of ∼14% of correctly
guessing each KeyGen round averaged over all different configurations (see appendix for individual
values).
6
New J. Phys. 23 (2021) 083026 CThalackeret al
Figure 8. Probabilities for a potential adversary to correctly guess which round is the KeyGen round for each configuration and
multiple scenarios. In the first scenario, corresponding to the second column (‘no failed verification’), we assume the
guessing probability is 1
D. This means we consider the number of verification rounds vs KeyGen rounds, meaning that
effectively no failed verification is allowed. The second scenario, corresponding to the fourth column (‘worst case’), is a
worst-case analysis, where all allowed verification failures (from our experimental results) are assumed to come from a
malicious, cheating, adversary—such that the guessing probability becomes 1+η(D−1)
D,whereηis the failure rate of the
verification rounds. The third and final scenario takes a more realistic approach (‘non-unit fidelity’), where the non-unit
fidelity of the shared GHZ4state is taken into account. Here, ηis updated to ηtocorrectforthefactthatsomeofthe
verification rounds will fail purely because of noise in the system—the updated guessing probability can be found in the
sixth column. These are heuristic analyses, but the guessing probability pcan be seen as (influencing) the information that the
adversary possesses about the final raw key. These correlations with the adversary have to be deleted in post-processing, giving up
afraction∼h(p) of the raw key, where h(p)isthebinaryentropyofp.
However, in reality, the fidelity of the GHZ4state is non-perfect, leading also to failed verification
rounds. We can estimate the expected failure rate due to noise based on the (non-unit) fidelity of the
distributed GHZ4state. We look for a lower bound on the expected failure rate so that the adversary has the
maximum number of cheating attempts based on our fidelity. Using the trace distance and relating it to the
fidelity, the lower bound on the expected failure rate can be estimated to be rf⩾1−√F.Wethenreplaceη
by η=η−rf, or 0 if this is negative. With this correction the probability of the adversary guessing the
KeyGen round without being caught reduces to ∼7%in our experiment (see appendix for more
information).
In summary, our analysis shows that our KeyGen error rates are on average <5%and are thus
correctable using standard approaches. The probability of being correlated with the adversary can be
bounded from above by 7%; additional correlations could be gained through error correction. Both
contributions together are still expected to be within the limit that they can be reduced using privacy
amplification [29]. Note that our arguments are meant to give an estimate of the viability of the
experimental implementation and the subsequent post-processing steps. Performing these tasks in an
anonymous fashion is a nontrivial task and further theoretical work is necessary to facilitate this.
Finally, we gather between 100 and 200 counts each run of 10 min integration time, which corresponds
to 0.16–0.33 bps. Taking into account that 1/30 to 1/20 are KeyGen rounds and the rest is
verification rounds, we get an effective keyrate between 0.006 and 0.017 bps. The classical
post-processing necessary to obtain a perfectly secure key is, as mentioned before, out of the scope of this
article, but it will affect the effective key rate.
3. Discussion
We have demonstrated how to anonymously and verifiably establish a shared key between several parties
using multipartite quantum resources and exploiting the correlations of GHZ states. This is a significant
step towards achieving secure and anonymous quantum communication, adding to the recent theoretical
and experimental achievements in the field [13,15–18].
For full-scale and real-life implementations of ACKA protocols, methods for error correction and
privacy amplification need to be developed [30]and,also,finitekeyeffectstobeconsidered[15]. Even
though we make a first attempt to quantify the effect of experimental imperfections on the security of the
protocol, further research is still needed.
7
New J. Phys. 23 (2021) 083026 CThalackeret al
In this context, the effect of losses on general CKA has been studied recently [31]; it would be interesting
to investigate whether a similar approach can be deployed while preserving anonymity. Future steps will be
the implementation of our protocol in larger-scale networks and active switching for closing loopholes [32].
Finally, it will be interesting to see whether anonymity can be maintained with multipartite entangled
resources other than GHZ states—and also, whether one can apply concepts like the one presented here to
other quantum cryptographic primitives.
Acknowledgments
We thank Jelena Mackeprang and Lukas Rückle for comments, and Bülent Demirel for setting up the early
stages of the experiment. AP and JdJ acknowledge support from the German Research Foundation (DFG,
Emmy Noether Grant No. 418294583) and FH from the Studienstiftung des deutschen Volkes. CT and SB
acknowledge support from the Carl Zeiss Foundation, the Centre for Integrated Quantum Science and
Technology (IQST), the German Research Foundation (DFG), the Federal Ministry of Education and
Research (BMBF, project SiSiQ), and the Federal Ministry for Economic Affairs and Energy (BMWi, project
PlanQK).
Data availability statement
The data that support the findings of this study are available upon reasonable request from the authors.
Appendix
Here, we give more information on the experimental setup for the implementation of the ACKA protocol.
The experimental setup for the generation of the four-photon GHZ state is depicted and described in
figure 5.Figure6depicts the reconstructed density matrix of the GHZ4state generated in the experiment.
We also add more detailed information re the security parameters of our implementation. Figure 7shows
the number of runs and rounds we perform in our experiment. In figure 8we list the values that an
adversary correctly guesses a KeyGen round for each configuration, assuming an ideal state or a non-ideal
state.
References
[1] Bennett C H and Brassard G 1984 IEEE Int. Conf. Computers, Systems, and Signal Processing pp 175–9
[2] Ekert A K 1991 Phys. Rev. Lett. 67 661
[3] Bennett C H, Bessette F, Brassard G, Salvail L and Smolin J 1992 J. Cryptol. 53
[4] Ursin R et al 2007 Nat. Phys. 3481
[5] Peng C-Z et al 2007 Phys.Rev.Lett.98 010505
[6] Peev M et al 2009 New J. Phys. 11 075001
[7] Sasaki M et al 2011 Opt. Express 19 10387
[8] Liao S-K et al 2017 Nature 549 43
[9] Pugh C J et al 2017 Quantum Sci. Technol. 2024009
[10] Chen Y-A et al 2021 Nature 589 214
[11] Krenn M, Malik M, Scheidl T, Ursin R and Zeilinger A 2016 Quantum Communication with Photons Optics in Our Time vol 18
ed M Al-Amri, M El-Gomati and M Zubairy (Berlin: Springer) p 455
[12] Flamini F, Spagnolo N and Sciarrino F 2018 Rep. Prog. Phys. 82 016001
[13] Murta G, Grasselli F, Kampermann H and Bruß D 2020 Adv. Quantum Technol. 32000025
[14] Epping M, Kampermann H, Macchiavello C and Bruß D 2017 New J. Phys. 19 093012
[15] Proietti M, Ho J, Grasselli F, Barrow P, Malik M and Fedrizzi A 2020 arXiv:2002.01491
[16] Hahn F, de Jong J and Pappa A 2020 PRX Quantum 1020325
[17] Unnikrishnan A, MacFarlane I J, Yi R, Diamanti E, Markham D and Kerenidis I 2019 Phys.Rev.Lett.122 240501
[18] Huang Z et al 2020 arXiv:2011.09480
[19] Yang Y-G, Yang Y-L, Lv X-L, Zhou Y-H and Shi W-M 2020 Phys. Rev. A101 062311
[20] Broadbent A and Tapp A 2007 Advances in Cryptology—ASIACRYPT (Lecture Notes in Computer Science vol 4833) ed
K Kurosawa (Berlin: Springer) pp 410–26
[21] Greenberger D M, Horne M A and Zeilinger A 1989 Bell’s Theorem, Quantum Theory and Conceptions of the Universe (Berlin:
Springer) pp 69–72
[22] McCutcheon W et al 2016 Nat. Commun. 713251
[23] Wang X-L et al 2016 Phys. Rev. Lett. 117 210502
[24] Wang X-L et al 2018 Phys. Rev. Lett. 120 260502
[25] Zhong H-S et al 2018 Phys. Rev. Lett. 121 250505
[26] Pappa A, Chailloux A, Wehner S, Diamanti E and Kerenidis I 2012 Phys.Rev.Lett.108 260502
[27] Markham D and Krause A 2020 Cryptography 43
[28] James D F V, Kwiat P G, Munro W J and White A G 2001 Phys. Rev. A64 052312
8
New J. Phys. 23 (2021) 083026 CThalackeret al
[29] Grasselli F 2021 Quantum Cryptography (Berlin: Springer) pp 55–70
[30] Grasselli F, Kampermann H and Bruß D 2019 New J. Phys. 21 123002
[31] Singkanipa P and Kok P 2021 arXiv:2101.01483 [quant-ph]
[32] Huang A, Barz S, Andersson E and Makarov V 2018 New J. Phys. 20 103016
9
