Introduction

Quantum communication1,2,3 with continuous variables (CV) systems4,5,6 has attracted increasing attention over the past years. In particular, quantum key distribution (QKD) has been a rapidly developing field7. Theoretical studies have considered one-way protocols with coherent states8,9,10, thermal protocols11,12,13,14,15,16, and two-way protocols17,18,19,20,21, with a number of experimental demonstrations22,23,24,25,26,27,28,29,30,31,32. It is known that CV-QKD protocols may achieve very high rates. As a matter of fact, ideal coherent-state protocols9 may achieve rates as high as half of the Pirandola-Laurenza-Ottaviani-Banchi bound33,34 for private communication over a lossy channel, i.e., \( - {\mathrm{log}}_2(1 - \eta )\) bits per use, with η being the channel transmissivity (see ref. 35 for a recent review on bounds for private communication).

In addition to point-to-point protocols, there has been effort towards network implementations36,37,38. An important step is the design of a scalable QKD network whose rate is high enough to compete with the classical infrastructure. Another feature to achieve is an end-to-end architecture where middle nodes may be untrusted. The first steps in this direction were moved in 2012 with the introduction of a swapping protocol based on an untrusted relay39,40, a technique that became known as “measurement-device independence” (MDI), and recently extended to CV-QKD41,42,43,44,45,46. However, until today, MDI protocols have been limited to a small number of remote users, e.g., 2 in ref. 39, and 3 in ref. 47.

In this work we remove these limitations. In particular, we introduce a modular architecture that combines trusted and untrusted nodes, as well as quantum and classical communication methods, allowing secure quantum conferencing among an arbitrary number of users. At the core of our design there are MDI star-network modules, interconnected by shared nodes, which can run one-time pad protocols between different modules. Each module consists of a central (untrusted) relay performing a general N-mode Bell detection that allows an arbitrary number of users to share the same quantum conference key. The security of the protocol is first proven in the asymptotic limit of many signals exchanged, and then extended to the composable setting which incorporates finite-size effects. This modular design is scalable, because it allows us to increase arbitrarily the number of users and the achievable distance between them, while maintaining a high and constant rate. Moreover, it can be implemented using linear optical elements, and it allows to add extra modules resorting just on classical communication protocols. From this point of view the scheme is very flexible and represents a good prototype to be developed into a large scale CV-QKD network.

Results

Modular network for quantum conferencing

In our modular architecture (see Fig. 1), each individual module is a star network running a multipartite MDI-QKD quantum conferencing protocol based on the generalization of symmetric CV-MDI-QKD43. Each star-network module Mi is labeled by \(i = 1, \ldots, N^ \star\) and hosts Ni users. The generic user k in module Mi sends bright coherent states4 \(|\alpha _k^i\rangle\) to a central untrusted relay, whose amplitude \(\alpha _k^i\) is Gaussianly modulated with variance \(\mu _k^i\). With no loss of generality we may assume that \(\mu _k^i\) is the same for any k, so that we may associate a single variance parameter μi to module Mi. The eavesdropping is assumed to be performed by entangling cloners7, so that the link connecting the arbitrary user k to the relay in module Mi is described by two parameters: the transmissivity \(\eta _k^i\) of the link, and its thermal noise \(\bar n_k^i\).

Within module Mi the untrusted relay performs a multipartite Bell detection on the incoming Ni modes; this consists of a suitable cascade of beam-splitters followed by Ni homodyne detections, as shown in Fig. 2. The homodynes on the left measure quadratures \(\hat q_2, \ldots, \hat q_{N_i}\), while the single one on the right measures \(\hat p\). The outcomes of the measurements are combined into the global outcome \(\gamma _i: = (q_2, \ldots ,q_{N_i},p)\). After γi is broadcast to the users of the module, their individual variables \(\alpha _k^i\) share correlations that can be post-processed into a secret key Ki via classical error correction and privacy amplification. All the users in module Mi reconcile their data with respect to a trusted user which is shared with another module Mj.

To reduce the parameters of the problem we may introduce the minimum transmissivity \(\eta _i = \min _{k \in [1,N_i]}\eta _k^i\) and maximum thermal noise \(\bar n_i = \max _{k \in [1,N_i]}\bar n_k^i\) associated to module Mi. From a physical point of view this is a symmetrization of the star network to the worst-case scenario, assuming all its links to have the worst combination of parameters. This condition clearly provides a lower bound \(K(\mu _i,N_i,\eta _i,\bar n_i)\) to the actual key rate Ki of the module. By optimizing over the Gaussian modulation, we may consider the value \(K(N_i,\eta _i,\bar n_i): = {\mathrm{max}}_{\mu _i}K(\mu _i,N_i,\eta _i,\bar n_i)\). Once each module has generated its key, the shared nodes run sessions of one-time pad where the keys from different modules are composed to generate a common key for all the network, with rate

$${{K}}_{{\mathrm{net}}} = \mathop {\mathrm{min}}\limits_{i \in[1,N^{\star}]} K(N_{i},\eta_{i},\bar n_{i}).$$
(1)

Therefore, the entire network can work at the rate of the least performing module. However, if this rate is high then the lego-like structure of the network allows all the users to communicate at the same high rate no matter how far they are from each other (see Fig. 1).

Fig. 1
figure 1

Modular network for secure quantum conferencing. Each module Mi is a continuous-variable (CV) measurement-device-independent (MDI) quantum key–distribution (QKD) star network, composed by a central untrusted relay and Ni trusted users, whose connections are independently affected by loss and noise. Each module Mi first runs an independent protocol of quantum conference key-agreement. Because two different modules have a shared trusted user, we may implement classical one-time pad sessions where the keys from each module are processed into a final common key for the entire network

Detailed description the MDI star-network module

In this section we describe the modus operandi of a single module. To simplify the notation we omit the label i. In a single module, we consider an arbitrary number N of users (or “Bobs”) sending Gaussian-modulated coherent states |αk〉 to a middle untrusted relay, as depicted in Fig. 2. Each of the coherent states is affected by a thermal-loss channel \({\cal{E}}\) modeled as a beam-splitter with transmissivity η and thermal noise \(\bar n\), i.e., mixing the incoming signal with an environmental thermal state with \(\bar n\) mean photons. As explained before, we assume the worst-case scenario, so that η is the minimum transmissivity of the links and \(\bar n\) is the maximum thermal noise. After the action of the channel \({\cal{E}}\) on each link, the states are detected by a multipartite N-mode Bell detection.

Fig. 2
figure 2

Each Bob sends a Gaussian-modulated coherent state \(\left| {\alpha _k} \right\rangle \) to an untrusted relay through a link which is described by a thermal-loss channel \({\cal{E}}\) with transmissivity η and thermal noise \(\bar n\). At the relay, the incoming states are subject to a multipartite continuous-variable (CV) Bell detection, by using a cascade of beam-splitters with transmissivities Tk = 1 − k−1 for k = 2, …, N, followed by homodyne detectors in the \(\hat q\) or \(\hat p\) quadrature as shown in the figure. The global outcome γ = (q2, …, qN,p) is broadcast to the Bobs, so that a posteriori correlations are created in their local variables α1, …, αN. These correlations are used to extract a secret key for quantum conferencing

This detection consists of a suitable cascade of beam-splitters followed by N homodyne detections. More precisely, we have a sequence of beam-splitters with increasing transmissivities Tk = 1 − k−1 for k = 2, …, N as depicted in Fig. 2. Then, all the homodynes at the left measure the \(\hat q\)-quadrature while the final one at the bottom measures the \(\hat p\)-quadrature, with global outcome γ : = (q2, …, qN, p) (see Supplementary Notes 1 and 2 for further description). One can check that this measurement ideally projects onto a displaced version of an asymptotic bosonic state Ψ that realizes the multipartite Einstein-Podolsky-Rosen (EPR) conditions \(\mathop {\sum}\nolimits_{k = 1}^N {\hat p_k} = 0\) and \(\hat q_k - \hat q_{k\prime } = 0\) for any k, k′ = 1, …, N.

After the classical outcome γ is broadcast to the users, their individual variables αk will share correlations which can be post-processed into secret keys via error correction and privacy amplification. We may pick the shared trusted user as the one encoding the key, with all the others decoding it in direct reconciliation7.

Entanglement-based representation

Let us write the network in entanglement-based representation. For each user, the coherent state |α〉 can be generated by using a two-mode squeezed vacuum (TMSV) state ΦAB where mode B is subject to heterodyne detection. The random outcome β of the detection is fully equivalent to prepare a coherent state on mode A whose amplitude α is one-to-one with β41. Recall that a TMSV state is a Gaussian state with covariance matrix (CM)4

$${\mathbf{V}}_{AB} = \left( {\begin{array}{*{20}{c}} {\mu {\mathbf{I}}} & {\sqrt {\mu ^2 - 1} {\mathbf{Z}}} \\ {\sqrt {\mu ^2 - 1} {\mathbf{Z}}} & {\mu {\mathbf{I}}} \end{array}} \right), \left\{ {\begin{array}{*{20}{l}} {{\mathbf{Z}}: = {\mathrm{diag}}(1, - 1),} \hfill \\ {{\mathbf{I}}: = {\mathrm{diag}}(1,1),} \hfill \end{array}} \right.$$
(2)

where parameter μ ≥ 1 quantifies the noise variance of each thermal mode. Up to factors41, parameter μ also provides the variance of the Gaussian modulation of the coherent amplitude α on mode A after heterodyning B.

Assume that the users have N copies of the same TMSV state, whose A-part is sent to the relay through a communication channel \({\cal{E}}\). Also assume that the CM of the two-mode state after the channel has the form

$${\mathbf{V}}_{AB}^\prime = \left( {\begin{array}{*{20}{c}} {x{\mathbf{I}}} & {z{\mathbf{Z}}} \\ {z{\mathbf{Z}}} & {y{\mathbf{I}}} \end{array}} \right){\kern 1pt} .$$
(3)

Because we consider a thermal-loss channel with transmissivity η and thermal noise \(\bar n\), we have \(x = \eta \mu + (1 - \eta )(2\bar n + 1)\), y = μ, and \(c = \sqrt \eta \sqrt {\mu ^2 - 1}\). Then, after the Bell measurement and the communication of the outcome γ, the local modes B := B1BN are projected onto a symmetric N-mode Gaussian state with CM

$${\mathbf{V}}_{{\mathbf{B}}|\gamma } = \left( {\begin{array}{*{20}{c}} {\mathbf{\Delta }} & {\mathbf{\Gamma }} & \cdots & {\mathbf{\Gamma }} \\ {\mathbf{\Gamma }} & {\mathbf{\Delta }} & \ddots & {\mathbf{\Gamma }} \\ \vdots & \ddots & \ddots & \vdots \\ {\mathbf{\Gamma }} & {\mathbf{\Gamma }} & \cdots & {\mathbf{\Delta }} \end{array}} \right),$$
(4)

where we have set Γ := (N−1x−1z2)Z, and

$${\mathbf{\Delta }}: = {\mathrm{diag}}\left( {y - \frac{{N - 1}}{N}\frac{{z^2}}{x},y - \frac{1}{N}\frac{{z^2}}{x}} \right) .$$
(5)

Details on the the derivation of Eq. (4) are given in the Supplementary Note 2.

Note that the conditional state \(\rho _{B_iB_j|\gamma }\) between any pair of Bobs i and j is Gaussian with CM

$${\mathbf{V}}_{B_iB_j|\gamma } = \left( {\begin{array}{*{20}{c}} {\mathbf{\Delta }} & {\mathbf{\Gamma }} \\ {\mathbf{\Gamma }} & {\mathbf{\Delta }} \end{array}} \right).$$
(6)

For N = 2 this state describes the shared state in a standard CV-MDI-QKD protocol41. Assuming no thermal noise \((\bar n = 0)\), the state \(\rho _{B_iB_j|\gamma }\) is always entangled and we may compute its relative entropy of entanglement (REE) \(E_R(\rho _{B_1B_2|\gamma })\)48,49,50 using the formula for the relative entropy between Gaussian states33,51. This REE provides an upper bound to the rate achievable by any MDI-QKD protocol (DV or CV) based on a passive untrusted relay. For N > 2, one can check that the bipartite state \(\rho _{B_iB_j|\gamma }\) may become separable when we decrease the transmissivity η, while it certainly remains discordant52,53,54. In the multi-user scenario, the security between two Bobs may still hold because the purification of their state is held partially by Eve and partially by the other Bobs, which play the role of trusted noise. In trusted noise QKD we know that security does not rely on the presence of bipartite entanglement while quantum discord provides a necessary condition55.

Key rate of a star-network module

Once γ is received, the ith Bob heterodynes his local mode Bi with random outcome βi, which is one-to-one with an encoded amplitude αi in the prepare and measure description. In this way the local mode Bj of the jth Bob is mapped into a Gaussian state \(\rho _{{{B}}_{{j}}|\gamma \beta _i}\) with CM \({\mathbf{V}}_{{{B}}_j|\gamma \beta _i}\) that can be computed using tools from refs. 4,56,57,58. The subsequent heterodyne detection of mode Bj generates an outcome βj which is one-to-one with an encoded αj. It is clear that the Bell detection at the relay and the local heterodyne meaurements of the various Bobs all commute, so that we may change their time order in the security analysis of the protocol. Thus, we can derive the mutual information I(βi : βj) between the two Bobs. Similarly, we may compute the Holevo information χ(βi : E) between the ith Bob and an eavesdropper (Eve) performing a collective Gaussian attack59,60,61 associated with the thermal-loss channels4.

The expression K  = I(βi : βj) − χ(βi : E), which is a function of all the parameters of the protocol, provides the asymptotic rate of secret key generation between any pair of users (see Supplementary Note 3). This is a conferencing key shared among all Bobs; it can be optimized over μ, and will depend on the number of Bobs N besides the channel parameters η and \(\bar n\). Assuming a standard optical fiber with attenuation of 0.2 dB per km, we can map the transmissivity into a fiber distance d, using η := 10−0.02d. Therefore, we have a rate of the form \(K(\mu ,N,d,\bar n)\) which can be optimized over μ to give the maximal conferencing rate \(K(N,d,\bar n)\). The maximization over μ is required because for N > 2 the maximum rate is not obtained in the limit \(\mu \gg 1\).

The conferencing rate is plotted in Fig. 3a for an MDI star network with an increasing number of users N. We compare the rates over the link-distance d for different values of thermal noise \(\bar n\). As expected the rate decreases for increasing N. Despite this effect, our result shows that high-rate quantum conferencing is possible. For instance, in a star network with N = 50 users at \(d {\lesssim} 40\,{\mathrm{m}}\) from the central relay and thermal noise \(\bar n = 0.05\), the key rate may be greater than \( \simeq \! 0.1\) bits per use. In Fig. 3b, we set \(\bar n = 0\) and plot the maximum distance for quantum conferencing versus the number of users, solving the equation K(N, d, 0) = 0. We see a trade-off between maximum distance and number of users. Despite this trade-off, we conclude that fiber-optic secure quantum conferencing between tens of users (belonging to a single star-network module) is indeed feasible within the typical perimeter of a large building.

Fig. 3
figure 3

Secret key rates and maximum distances for quantum conferencing. a We plot the conferencing key rate for a measurement-device-independent star network of N = 2 (black), 10 (gray), and 50 (red) users, as a function of the fiber distance d and assuming thermal noise \(\bar n = 0\) (solid curves) and \(\bar n = 0.05\) (dashed curves). The top blue curve is the relative entropy of entanglement (REE) of the reduced bipartite state specified by Eq. (6), which upper bounds the maximal key rate achievable with standard continuous-variable measurement-device-independent quantum-key-distribution CV-MDI-QKD (N = 2). b We plot the maximum fiber distance d versus the number of users N in a quantum conference

Finite-size composable security

Within a module, consider a pair of Bobs, i and j, with local variables βi and βj after heterodyne detection. They aim at generating a secret key by reconciliating on βi. The error correction routine is characterized by an error correction efficiency ξ (0,1)62,63, a residual probability of error δEC, and an abort probability 1 − p > 0. We also remark that βi must be mapped into a discrete variable \(\bar \beta _i\) taking 2d values per quadrature.

Consider the mutual information I(βi : βj) and Eve’s Holevo bound χ(βi : E) obtained from the reduced state of Eq. (6). Then, we have the following estimate for the δ-secret key rate after n uses of the module46

$$r_n^\delta \gtrsim \xi I(\beta _i:\beta _j) - \chi (\beta _i:{\mathbf{E}}) - \frac{1}{{\sqrt n }}\,\Delta _{{\mathrm{AEP}}}(2p\delta _{\mathrm{s}}/3,d){\kern 1pt} ,$$
(7)

where δ = δs + δEC + δPE, and \(\Delta _{{\mathrm{AEP}}}(\xi ,d) \le 4(d + 1)\sqrt {{\mathrm{log}}(2/\xi ^2)}\). Here the error term δs is the smoothing parameter of the smooth conditional min-entropy46. For the Holevo bound χ(βi : E) we assume the worst-case value compatible with the experimental data, up to a probability smaller than δPE. The rate \(r_n^\delta\) is obtained conditioned that the protocol does not abort and yields a δ-secure key against collective Gaussian attacks.

The generalization to coherent attacks is obtained, as in ref. 46, by applying a Gaussian de Finetti reduction. We find that the asymptotic rates are approximately achieved for block sizes of 106–109 data points depending on the loss and noise in the channels. Examples for N = 3, 5, 10 are described in Fig. 4.

Fig. 4
figure 4

Finite-size composable secret key rate \(r_n^\delta \) of Eq. (7) (bits per use) versus sample size n, for error correction efficiency ξ = 98%62,63, success probability of the error correction routine p = 0.9, and security parameter δ < 10−20. The plot is obtained for a symmetric configuration with N users at a distance of 0.18 km from the relay (assuming 0.2 dB loss per km and thermal noise of \(\bar n = 0.05\) photons). From top to bottom we consider N = 3, 5, 10

The composable security analysis starts from a parameter estimation procedure. As mentioned above, in estimating the channel parameters, we adopt the worst-case scenario where we choose the largest possible value of the thermal noise in each channel, and the lower available transmissivity, within the confidence intervals. This procedure may not be optimal at high loss, so that our estimates for the achievable communication distances are conservative estimates. Alternative (more performing) parameter estimation procedures, as those described in refs. 64,65,66, could be adapted to our network model and further improve its performance.

Discussion

We have introduced a network for quantum conferencing where modules can be linked together to achieve constant high-rate secure communication over arbitrarily long distances. The design of each module is based on a CV-MDI star network with many users. Our analysis shows how the secret key-rate of each star network decreases by increasing the distance from the central relay and/or the number of users. In ideal conditions, we find that 50 users may privately communicate at more than 0.1 bit per use within a radius of 40 m, distance typical of a large building. With a clock of 25 MHz67, this is a key rate of the order of 2.5 Mbits per second for all the users. The secret keys established in the modules are then cascaded through the entire modular network: Adjacent modules are connected by trusted users generating a common key via one-time pad sessions.

We have studied the implementation of our protocol using coherent states, which are important for practical reasons. In Supplementary Note 4, we have also considered the case where the users use squeezed states. In such a case the performance improves, both in terms of achievable distance and the number of users. In any case, we remark that our network protocol provides a powerful application of CV-MDI-QKD that greatly outperforms its DV counterpart. In fact, while our protocol is deterministic, any linear optical implementation of a DV multi-partite Bell detection is highly probabilistic, with a probability of success scaling as \( \simeq \! 2^{ - N}\) for N users. This means that a corresponding DV-MDI-QKD star network has an exponentially low rate no matter at what distance is implemented. See Supplementary Note 5 for details.

In Supplementary Note 6, we further analyze the performance of the protocol based on coherent states, assuming practical imperfections affecting the homodyne detectors and the beam splitters of the relay. Such undesirable features may arise from imperfect beam splitting operations, perturbing the multipartite Bell detection and degrading the performance of the scheme. Our results show that a proof-of-principle experiment is feasible with current technology, allowing to secure up to 9 users per module, over a radius of 12 m.

In conclusion, let us remark that our network is based on a generalization of CV MDI-QKD, where the multiuser keys are extracted within each single module. For this reason the final key is shorter than the private key extractable by just two remote end-users. In other words, the key rate of our protocol cannot reach the existing upper bounds for end-to-end network quantum communication68,69 (see also refs. 70,71). Finally, let us also note that additional studies may consider the multimode nature of sources and detectors, particularly for the optimized configuration of the protocol described in the Supplementary Note 4. In such a case, the security of the scheme can be recovered by applying the symmetrization of the multimode source described in ref. 72.

Methods

A detailed description of methods and techniques employed to obtain the results can be found in the Supplementary Notes accompanying this work.