Multi-partite entanglement speeds up quantum key distribution in networks

The laws of quantum mechanics allow for the distribution of a secret random key between two parties. Here we analyse the security of a protocol for establishing a common secret key between N parties (i.e. a conference key), using resource states with genuine N-partite entanglement. We compare this protocol to conference key distribution via bipartite entanglement, regarding the required resources, achievable secret key rates and threshold qubit error rates. Furthermore we discuss quantum networks with bottlenecks for which our multipartite entanglement-based protocol can benefit from network coding, while the bipartite protocol cannot. It is shown how this advantage leads to a higher secret key rate.

In the quantum world, randomness and security are built-in properties [1][2][3]: two parties may establish a random secret key by exploiting the no-cloning theorem [4], as in the BB84 protocol [5], or by using the monogamy of entanglement [6], as in the Ekert protocol [7]. Several variations of these seminal protocols have been suggested [8][9][10][11][12], and their security has been analysed in detail [13][14][15][16][17][18][19].
In the advent of quantum technologies, much effort is devoted to building quantum networks [20][21][22][23][24][25] and creating global quantum states across them [26,27]. Thus, the generalization of quantum key distribution (QKD) to multipartite scenarios is topical. In order to establish a common secret key (the conference key) for N parties, one can follow mainly two different paths: building up the multipartite key from bipartite QKD links (2QKD) [28], see Fig. 1(a), or exploiting correlations of genuinely multipartite entangled states (NQKD) [29][30][31][32], see Fig. 1(b). In this article we provide an information theoretic security analysis of NQKD, by generalising methods developed for 2QKD in [16,33], and perform an analytical calculation of secret key rates. This enables us to quantitatively compare the two approaches; we find that NQKD may outperform 2QKD, for example in networks with bottlenecks.
The article is structured as follows. In Section I we introduce the NQKD protocol and its prepare-and-measure variant, and perform a detailed security analysis and the secret key rate calculation. In Section II we define the 2QKD protocol, summarise the steps of the NQKD protocol in an implementation and calculate the secret key rate for the example of a depolarised state. We explicitly model noise introduced by imperfect gates and channels in order to compare the performance of the two different approaches. Quantum networks are discussed in Section III. The article concludes with a discussion of the results.

I. MULTIPARTITE QKD: PROTOCOL AND SECURITY ANALYSIS
The entanglement-based Ekert protocol [7] can be generalised to N parties as follows, see also [31]. The parties $A$ and $B_1, B_2, \dots, B_{N-1}$ share an N-partite entangled state and perform local projective measurements. The best performance in the ideal (noiseless) case is ensured if one requires that the measurement outcomes of all parties are perfectly correlated for one set of local bases (which we can choose without loss of generality to be the Z-bases) and occur with a uniform distribution. The only pure N-qubit quantum state that fulfils these requirements is the Greenberger-Horne-Zeilinger (GHZ) state [34]; however, for N ≥ 3, the existence of perfect correlations in one set of bases forbids perfect correlations (even only pairwise) in any other bases, see Appendix A. We remark that other protocols with less than perfectly correlated resource states are possible, but will introduce intrinsic errors [35].

A. The protocol for N-party quantum conference key distribution
The protocol for N-party quantum conference key distribution (NQKD), with N ≥ 2, consists of the following basic steps:
1) State preparation: The parties $A$ and $B_i$, $i = 1, 2, \dots, N-1$, share the N-qubit GHZ state
2) Measurement: There are two types of measurements. First type: Party $A$ and parties $B_i$ measure their respective qubits in the Z-basis. Second type: They measure randomly, with equal probability, in the X- or Y-basis. Similar to the standard bipartite QKD protocol [36], the latter case is much less frequent. The parties know the type of the measurement from a short pre-shared random key.
3) Parameter estimation: The parties announce the measurement bases and outcomes for the second type and an equal number of randomly chosen rounds of the first type. The announced data allow the parties to estimate the parameters $Q_X$ and $Q_Z$, which determine the secret key rate, see below.
4) Classical post-processing: As in the bipartite protocol, error correction and privacy amplification are performed; for the details see below.
Note that the state preparation in step 1) can be achieved by locally preparing the GHZ-state at Alice's site and sending qubits to the Bobs (see Fig. 1(b)), or any suitable sub-protocol that achieves the same task. We analyse the distribution via quantum repeaters [26] and quantum network coding [27] below. In the following section we briefly discuss prepare-and-measure variants of conference key distribution. Because the security proof of the NQKD protocol is done in the entanglement-based picture, this description is not necessary for understanding the rest of the paper.

B. N-party prepare-and-measure schemes
We now sketch two different prepare-and-measure schemes for conference key distribution.
1) Preparing and measuring single qubits: Single qubits are experimentally easier to prepare and to distribute than entangled states. Thus, establishing a conference key for N parties by using single qubits is an interesting possibility, which has been studied for the case N = 3 in [37]. The protocol proceeds in complete analogy to the case of N = 2, e.g. for BB84 [5]: Alice prepares randomly N − 1 copies of a state $|\phi_k\rangle$, $k = 1, \dots, 4$, taken from the set $S_{\mathrm{BB84}} = \{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$, with $|\pm\rangle = (|0\rangle \pm |1\rangle)/\sqrt{2}$. She sends each party $B_i$, with $i = 1, \dots, N$, one of the copies. Each party $B_i$ measures in the Z- or X-basis. In the sifting step, the N parties keep only those cases where all parties used the same basis, and thus establish a joint key. We point out, however, that the secret key rate in this scenario decreases with increasing N, even for perfect channels and measurements, and goes to zero for N → ∞: an eavesdropper can eavesdrop on all N − 1 sent states at the same time, i.e. she has to distinguish the four global states $|\phi_k\rangle^{\otimes(N-1)}$, pairs of which have either overlap 0 or $(1/\sqrt{2})^{N-1}$, i.e. the distinguishability increases with increasing N. In the limit of infinite N the four global states are orthogonal and therefore perfectly distinguishable.
Thus, this prepare-and-measure-scheme is (for N ≥ 3) not equivalent to entanglement-based NQKD as described in the present article.
2) Prepare-and-measure equivalent of NQKD: The entanglement-based protocol NQKD described above can be formulated as a prepare-and-measure protocol, analogous to the six-state protocol [8]. Instead of producing the GHZ state of Eq. (1) and measuring her qubit afterwards, Alice can directly produce the (N − 1)-qubit projection of the GHZ state according to her fictitious, random outcome. Thus, for the X-, Y- and Z-basis, the six different (N − 1)-qubit states she distributes among the Bobs, are $|\psi_{z,0}\rangle = |00\ldots0\rangle$ and $|\psi_{z,1}\rangle = |11\ldots1\rangle$. This protocol is equivalent to NQKD, because it reproduces the correlations between $A, B_1, \dots, B_{N-1}$. Note that the six-state protocol is included as the special case N = 2. The described protocol uses (N − 1)-partite entanglement for four of the sent states, which are, however, sent much less frequently than the two product states. This fact renders an experimental implementation of our protocol more realistic than the entanglement-based description might suggest.
In the remainder of this article we use the equivalent entanglement-based description of the NQKD protocol.

C. Security analysis of the N-party quantum key distribution
The composable security definition of the bipartite scenario [16,17] can be generalised in an analogous way to the N-partite case. Our security analysis proceeds along analogous lines as the bipartite case in [33]. See Appendix B for explicit details of these generalisations. By employing this security definition and using one-way communication only, we prove secrecy of the key under the most general eavesdropping attack allowed by the laws of quantum mechanics, so-called coherent attacks [38,39], independent of the context in which the key is used. In the asymptotic limit, i.e. for infinitely many rounds, the secret fraction $r_\infty$, i.e. the ratio of secret bits and the number of shared states (without parameter estimation rounds), is given by where $U \leftarrow K$ denotes a bitwise preprocessing channel on Alice's raw key bit $K$, $S(U|E)$ is the conditional von-Neumann entropy of the (classical) key variable, given the state of Eve's system $E$, $H(U|K_i)$ is the conditional Shannon entropy of $U$ given $K_i$, which is $B_i$'s guess of $K$, and $\Gamma$ is the set of all density matrices $\sigma_{A\{B_i\}}$ of Alice and the Bobs which are consistent with the parameter estimation. The secret key rate is where the repetition rate $R_{\mathrm{rep}} = 1/t_{\mathrm{rep}}$ is given by the time $t_{\mathrm{rep}}$ that one round (steps 1 and 2) takes. For now we set $t_{\mathrm{rep}} = 1$. The secret key rate in Eq. (4) as a figure of merit does not directly account for the amount of needed local randomness, classical communication, qubits and gates. Depending on the context one might want to incorporate one or more of the former quantities into a cost-performance ratio as a figure of merit [40]. Note that we have not assumed any symmetry about the quality of the channels connecting $A$ and $B_i$. Therefore, the worst-case information leakage in the error correction step is determined by the noisiest channel, see the maximisation in the last term of Eq. (3). This is the main difference with respect to the bipartite case.

D. The secret key rate
We now derive an analytical formula for the multipartite secret key rate based on a variant of the method of depolarisation [33]. In practice, the described depolarisation operations will be applied to the classical data only, as described in detail below. Readers who are not interested in the technical details can skip to Eq. (23). Let us denote the GHZ basis of N qubits as follows: where $j$ takes the values $0, \dots, 2^{N-1}-1$ in binary notation, and $\bar{j}$ denotes the binary negation of $j$; i.e. for example if $j = 01101$ then $\bar{j} = 10010$.
Remember that any state of N qubits can be depolarised to a state which is diagonal in the GHZ basis by a sequence of local operations [41,42]. In our protocol we introduce the following extended depolarisation procedure. The set of depolarisation operators is where X and Z are Pauli operators and The parties apply each of these operators with probability 1/2 or the identity otherwise. The operators from the first two sets of Eq. (6) make the density matrix GHZ diagonal as in [41,42]. We denote the coefficient in front so applying this operator with probability 1/2 transforms where $j^{(k)}$ denotes the kth bit of the string $j$. As this operation is applied for all $k = 1, 2, \dots, N-1$, it achieves that The resulting depolarised state reads

In our multipartite scenario we define the qubit error rate (QBER) $Q_Z$ to be the probability that at least one Bob obtains a different outcome than Alice in a Z-basis measurement. Note that this value is not the same as the bipartite qubit error rate $Q_{AB_i}$, which is the probability that the Z-measurement outcome of $B_i$ disagrees with the one of Alice. $Q_Z$ can be read directly from the structure of the depolarised state in Eq. (11) and is given by For simplicity we neglect the possibility of increasing the key rate by adding pre-processing noise, i.e. we set $q = 0$ in the notation of [33] such that $U = K$. Because the asymptotic secret fraction is Note that we did not need to include the infimum over $\Gamma$, see Eq. (3), here because, as we will see below, the measurement statistics completely determine all relevant quantities in our protocol. The entropies involving the classical random variable $K$ are directly obtained from the measurement statistics in the parameter estimation phase. They are given by with the binary Shannon entropy and the bipartite error rate $Q_{AB_i}$, given by where $j^{(i)}$ denotes the i-th bit of $j$ and, because both outcomes are equiprobable, Giving Eve the purification of Eq. (11), the von-Neumann entropies involving Eve's system in Eq. (14) are given by and i.e.

Now $\lambda_0^+$ and $\lambda_0^-$ can be obtained with the additional $X^{\otimes N}$ measurement in the parameter estimation, because In analogy to $Q_Z$ we denote the probability that the X-measurement gives an unexpected result, i.e. one that is incompatible with the noiseless state, by $Q_X$. Because $\langle\psi_j^\sigma|X^{\otimes N}|\psi_j^\sigma\rangle = \sigma$ this leads to which can, as we will see in Section II B, be obtained from the measured data in the parameter estimation step. We remark that $Q_X$ is not the probability that at least one Bob gets a different X-measurement outcome than Alice, as the outcomes are not correlated, see Appendix A. Finally, inserting Eq. (21) into Eq. (14), and using Eq. (4), we arrive at the achievable secret key rate, Note that the parameters in this equation are obtained from the measured data and will depend on the number of parties N.

II. IMPLEMENTATION AND NOISE
In this section we compare the multipartite-entanglement-based protocol (NQKD) as introduced above to a protocol based on bipartite entanglement (2QKD), which we define in the following.

A. Conference key distribution with bipartite entangled quantum states (2QKD)
A suitable protocol to establish a secret joint key for N > 2 parties via bipartite entanglement proceeds as follows, see Fig. 1(a): Party $A$ shares a Bell state with each of the N − 1 parties $B_i$ and establishes a (different) secret bipartite key $S_i$ with each party $B_i$. For concreteness, we assume in our comparison that the six-state protocol [8] is used. In general, the N − 1 channels may be different and thus have individual QBERs. Party $A$ then defines a new random key $k_c$ to be the conference key. She sends the encoded conference key $k_i = S_i \oplus k_c$ to party $B_i$, who performs $k_i \oplus S_i = k_c$ and thus regains the conference key.

A comparison of the performance of the bipartite versus the multipartite entanglement-based strategy for N parties is subtle and has to consider various aspects, as different resources are needed: on one hand only bipartite entanglement is needed for 2QKD, while multipartite entanglement is needed for NQKD. (Note, however, that the number of necessary two-qubit gates for generation of the entangled states is in both cases N − 1.) On the other hand, the number of resource qubits per round is 2(N − 1) for 2QKD, while only N qubits are needed for NQKD. Finally, the 2QKD protocol requires transmitting (N − 1) additional classical bits (the encoded conference key). Thus, each of the two strategies has its own advantages. A quantitative comparison regarding imperfections in preparation and transmission is discussed below.

B. Implementation of the NQKD protocol
We now describe how the depolarisation operations used in the security proof can effectively be implemented classically by adjusting the protocol.
For key generation and the $Q_Z$ estimation, the parties perform $Z^{\otimes N}$-measurements. These are only affected by the $X^{\otimes N}$ depolarisation operator, which flips the outcomes of all parties. It can therefore be implemented on the classical data. The other depolarisation operators are diagonal in the Z-basis and thus do not change the Z-measurement outcome. Let us call the parameter estimation rounds, in which the parties measure $X^{\otimes N}$ (after depolarisation), estimation rounds of the second type. How the depolarisation step affects the $X^{\otimes N}$-measurement is not so obvious and is described in the following. Note that the depolarisation operators $X^{\otimes N}$ and $Z_A Z_{B_k}$, $k = 1, 2, \dots, N-1$ (see Eq. (6)), commute with the $X^{\otimes N}$-measurement and thus these depolarisation operators do not have an effect in second type rounds. But i.e. applying the depolarisation operator $R_k$ is equivalent to Bob $k$ measuring in Y-basis. Also note that so let $\kappa_j$ be the number of Bobs measuring in Y-basis in the j-th round, then Alice measures in the basis where a minus sign corresponds to a flip of the measurement outcome. Note that this measurement rule for Alice implies that always an even number of parties measures in Y-basis and that the outcome of the measurement is flipped whenever it is not a multiple of four. Each party measures in X or Y basis with probability 1/2. Note that the rule for $M_A$ described above means that only half of all possible combinations of these measurement bases are actually measured. However, in practice the parties can measure X and Y independently with probability 1/2 and throw away half of their data (where an odd number of parties has measured in Y-basis) and Alice still flips her measurement outcome whenever the number of parties measuring in Y-basis was not a multiple of four. This is not a problem, because in the parameter estimation rounds each party announces its measurement setting and outcome. We thus arrive at the implementation described initially.

Let $\tilde{\kappa}_j$ be the number of parties measuring in Y-basis in run j, i.e. then where #exp is the number of experiments in the second type rounds with even $\tilde{\kappa}_j$, $a_{i,j}$ is the outcome of party i in experiment j, and We remark that, in contrast to full tomography, the number of rounds needed to get sufficient statistics for estimating $\langle X^{\otimes N}\rangle_{\mathrm{dep}}$ does not increase with the number of parties N.

Let us summarise the steps of an implementation of the NQKD protocol:
1. Distribution of the GHZ state $|\psi_0^+\rangle$.
2. $L \cdot h(p_p)$ bits of pre-shared key are used to mark the second type rounds, where $L$ is the total number of rounds and $p_p$ is the probability for an $X^{\otimes N}$-round. This amount of key suffices, because an L-bit binary string with a 1 for each second type round can asymptotically be compressed to $L \cdot h(p_p)$ bits.
3. In each second type round each party measures randomly in the X- or Y-basis.
4. In all other cases all parties measure in Z-direction.

5. Parameter estimation:
(a) Alice announces a randomly chosen small subset of size $L \cdot h(p_p)$ of Z-measurement rounds, in which all parties announce their Z-measurement results. From this data the QBER $Q_Z$ and the individual QBERs $Q_{AB_i}$ are estimated.
(b) The parties announce the measurement results of the second type rounds together with the chosen measurement basis. Alice flips her outcome if the number of parties who measured in Y-basis is not a multiple of four (see Eq. (30)). From the data where an even number of parties measured in Y-basis (including zero), the parameter $Q_X$ is calculated according to Eq. (29).
6. Alice announces which Z-measurement results all parties have to flip (the probability for each bit is 1/2). This effectively implements the depolarisation with operator $X^{\otimes N}$.
7. Classical post-processing:
(a) Alice sends error correction information (for $\max_i Q_{AB_i}$) to all Bobs, which perform the error correction.
(b) In privacy amplification the parties obtain the key by applying a two-universal hash function, which was chosen randomly by Alice, to the error corrected data.
8. The achievable key rate is then given by Eq. (23).
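
The parameter-estimation steps 5(a) and 5(b) above, written out as an added Python example (not code from the paper). The data layout (outcomes as ±1 tuples with Alice first, bases as strings over "XY"), the function names and the sample rounds are constructed for illustration; $Q_X$ is computed as the fraction of kept rounds with an unexpected product, following the definition of $Q_X$ in the text.

```python
"""Parameter estimation for NQKD, steps 5(a) and 5(b). Added illustration only.

Assumed layout: every outcome is +1 or -1, party 0 is Alice, parties 1..N-1
are the Bobs. All names and sample rounds below are constructed.
"""
import random
from math import prod


def estimate_z(z_rounds):
    """Return (Q_Z, [Q_AB1, ..., Q_AB(N-1)]) from announced Z-basis rounds.

    Q_Z counts rounds in which at least one Bob disagrees with Alice,
    Q_ABi counts rounds in which Bob i disagrees with Alice.
    """
    if not z_rounds:
        raise ValueError("no announced Z rounds")
    bob_err = [0] * (len(z_rounds[0]) - 1)
    any_err = 0
    for outcomes in z_rounds:
        diffs = [b != outcomes[0] for b in outcomes[1:]]
        any_err += any(diffs)
        for i, differs in enumerate(diffs):
            bob_err[i] += differs
    total = len(z_rounds)
    return any_err / total, [e / total for e in bob_err]


def estimate_x(xy_rounds):
    """Return (Q_X, number of kept rounds) from second-type rounds.

    Each round is (bases, outcomes). Rounds with an odd number of Y settings
    are thrown away. Alice flips her outcome when the number of Y settings is
    not a multiple of four. A kept round counts as an error when the product
    of all outcomes is then -1, i.e. incompatible with the noiseless state.
    """
    kept = errors = 0
    for bases, outcomes in xy_rounds:
        n_y = bases.count("Y")
        if n_y % 2:
            continue  # odd number of parties measured Y: discarded
        alice = -outcomes[0] if n_y % 4 else outcomes[0]
        kept += 1
        errors += (alice * prod(outcomes[1:]) == -1)
    if kept == 0:
        raise ValueError("no usable second-type rounds")
    return errors / kept, kept


def sample_ideal_xy_round(n_parties, rng):
    """Sample one noiseless second-type round (assumed ideal GHZ statistics).

    For an even number of Y settings the raw product of outcomes is fixed to
    +1 (multiple of four) or -1 (otherwise); for an odd number the outcomes
    are uniformly random.
    """
    bases = "".join(rng.choice("XY") for _ in range(n_parties))
    outcomes = [rng.choice((1, -1)) for _ in range(n_parties)]
    n_y = bases.count("Y")
    if n_y % 2 == 0:
        target = -1 if n_y % 4 else 1
        if prod(outcomes) != target:
            outcomes[-1] = -outcomes[-1]
    return bases, tuple(outcomes)


# Constructed announcements for N = 3 (Alice, Bob 1, Bob 2).
SAMPLE_Z_ROUNDS = [
    (1, 1, 1), (-1, -1, -1), (1, 1, -1), (-1, 1, 1),
    (1, 1, 1), (-1, -1, -1), (1, -1, -1), (1, 1, 1),
]
SAMPLE_XY_ROUNDS = [
    ("XXX", (1, 1, 1)),    # kept, expected result
    ("XYY", (1, 1, 1)),    # kept, Alice flips, unexpected result
    ("YXY", (1, -1, 1)),   # kept, Alice flips, expected result
    ("YXX", (1, 1, 1)),    # one Y: discarded
    ("XXX", (-1, 1, 1)),   # kept, unexpected result
    ("YYX", (-1, 1, 1)),   # kept, Alice flips, expected result
    ("XYX", (1, -1, -1)),  # one Y: discarded
]

if __name__ == "__main__":
    print("Q_Z, Q_ABi:", estimate_z(SAMPLE_Z_ROUNDS))
    print("Q_X, kept :", estimate_x(SAMPLE_XY_ROUNDS))
    rng = random.Random(7)
    ideal = [sample_ideal_xy_round(4, rng) for _ in range(200)]
    print("ideal Q_X :", estimate_x(ideal))
```

The maximum of the returned $Q_{AB_i}$ values is what sets the amount of error correction information in step 7(a).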

C. Example of depolarising noise
In this section we assume that $\rho_{AB_1\ldots B_{N-1}}$ is a mixture of the GHZ-state and white noise, i.e. the parties share the state Here all coefficients other than $\lambda_0^+$ are equal, i.e. $\lambda_j^\pm = \lambda_0^- = Q_Z/(2^N-2)$ for $j = 1, \dots, 2^{N-1}-1$ and $\lambda_0^+ = 1 - Q_Z\,\frac{2^N-1}{2^N-2}$. The rate of unexpected results for the $X^{\otimes N}$-measurement is thus given by For the highly symmetric state of Eq. (32) the key rate is then a function of $Q_Z$ and N only. The terms in Eq. (14) are and and inserting them into Eq. (14) leads to the asymptotic secret key rate as function of $Q = Q_Z$ and N, namely This function is shown in Fig. 2(a). For N = 2 the key rate coincides with the one of the six-state protocol [8,33], namely In the limit of large N the key rate simplifies to We also numerically determined the threshold values for the QBER, i.e. the value of Q until which a non-zero secret key rate is achievable, for different numbers of parties N, see Table I. Note that for fixed Q the key rate increases with the number of parties N. However, one might expect that in practice the QBER is not constant but increases with increasing number of parties N (because the experimental creation of the N-partite GHZ state becomes more demanding). This intuition is discussed quantitatively in the following section.

D. Noisy gates and channels
Let us compare the performance of NQKD and 2QKD when using imperfect two-qubit gates in the production of the entangled resource states. We employ, for both 2QKD and NQKD, the model of depolarising noise, i.e. if a two-qubit gate fails, which happens with probability $f_G$, then the two processed qubits are traced out and replaced by the completely mixed state. When the GHZ resource state is produced in the network of Fig. 1(b), Alice starts with the state $|+\rangle_A |0\rangle^{\otimes N-1}$ and applies a controlled-NOT gate from A to each of the other qubits.
The secret key rate is shown in Fig. 2(b) as a function of the gate error rate $f_G$. It captures the expectation that the demands on the gates for producing an N-party GHZ state increase with the number of parties N. We mention that the GHZ state could also be produced using a single multi-qubit gate, e.g. $C_{X^{\otimes(N-1)}} = |0\rangle\langle 0| \otimes \mathbb{1} + |1\rangle\langle 1| \otimes X^{\otimes(N-1)}$, which is locally equivalent to the controlled-Phase gate, see e.g. [43]. The QBER caused by this gate is $Q = f_G/2$. Because the threshold Q increases with N (cf. Fig. 2(a)), so does the threshold gate failure probability in this case.
In addition to imperfect gates, noise might be introduced by the transmission channel. Consider, for example, the situation when the qubit of each Bob is individually affected by a depolarising channel. Let the probability of depolarisation be f C , then the QBER is 40) and the key rate can be calculated according to Eq. (37).

III. QUANTUM KEY DISTRIBUTION IN NETWORKS
We will now show that in quantum networks with constrained channel capacity and with quantum routers, employing multipartite entanglement leads to a higher secret key rate than bipartite entanglement, when the gate quality is higher than a threshold value. Beyond the simple network of Fig. 1, the GHZ resource state can be distributed in many different networks. Consider a fixed but general network as given via a graph with vertices and directed edges. Let all channels have the same transmission capacity (also called bandwidth), which is associated with the direction of the corresponding edge. For the sake of a simple presentation, we assume that this transmission capacity is one qubit per second. Thus, the time t rep consumed in one round (steps 1 and 2 of the protocol) is proportional to the number of network uses in that round. A generic network has some bottlenecks. In this case the difference between the NQKD and 2QKD protocol becomes evident: Alice may send a single qubit in the NQKD scheme, while she has to transmit N − 1 qubits in the 2QKD case.
As an example consider the quantum network where all parties are connected to a single central router C, see Fig. 3. Because C is not trusted we assume it to be in the control of Eve. In this network the channel from A to C constitutes a bottleneck. Note, however, that this network can be much more economical than the one of Fig. 1 if the distance between A and C is large. The 2QKD protocol needs N − 1 network uses, i.e. $t_{\mathrm{rep}}^{(\mathrm{2QKD})} = (N-1)\,\mathrm{s}$, to distribute the Bell pairs. In contrast to this the NQKD protocol can employ the quantum network coding [44][45][46][47][48][49][50] scheme of reference [27] to distribute the GHZ state in a single network use, i.e. $t_{\mathrm{rep}}^{(\mathrm{NQKD})} = 1\,\mathrm{s}$. See Appendix C for the explicit calculation. Thus the key rate of the NQKD protocol is (N − 1) times larger than the one of the 2QKD protocol in the ideal case ($r_\infty = 1$). When again using noisy two-qubit gates (the QBER calculation is analogous to the case of the network shown in Fig. 1(b) discussed above), the QBER for the NQKD protocol increases with N. These two effects lead to gate error thresholds below which the NQKD protocol outperforms 2QKD, see Fig. 4(a). For a fixed number of parties N there is a maximal gate error probability below which the NQKD protocol outperforms the bipartite approach in the quantum network of Fig. 3. For N = 3 already gate failure rates below 7.2 % imply that NQKD outperforms 2QKD. More values are listed in Appendix D. The exact same behavior can be observed when considering noisy channels. In the ideal case NQKD outperforms 2QKD, while NQKD is more prone to channel noise. The resulting threshold noise levels are shown in Fig. 4(b). We mention that the famous butterfly network [44] leads to a similar advantage, see Appendix E for details.

IV. CONCLUSION
In this paper we analysed a quantum conference key distribution (QKD) protocol for N parties which is based on multipartite entangled resource states. We generalised the information theoretic security analysis of [16] to this N -partite scenario. Using the depolarisation method we derived an analytical formula for the secret key rate as a function of the quantum bit error rate (QBER). For a fixed QBER the secret key rate is found to increase with the number of parties. Accordingly, the threshold QBER until which a non-zero secret key can be obtained increases with the number of parties. Furthermore, we presented an example where multipartite entanglement-based QKD outperforms the approach based on bipartite QKD links. We found this advantage in networks with bottlenecks and showed that it holds above a certain threshold gate quality which depends on the number of parties. We expect more interesting insights from analysing further aspects of the multipartite entanglement-based QKD protocol. Regarding implementations the secret key calculation of the protocol for finite numbers of rounds will be beneficial. Various examples of network layouts and the link to network coding schemes will deserve more detailed investigations.
In this section we derive the form of a pure quantum state that fulfils the requirements of perfect correlations for one set of local measurement bases, with uniformly distributed random measurement outcomes. (These local bases are used for the key generation.) We also prove properties of the resource state regarding correlations of measurement outcomes in any other set of local bases. A general normalized N-qubit state reads with complex coefficients $a_{i_1,i_2,\dots,i_N}$ that satisfy $\sum_{i_1,i_2,\dots,i_N=0}^{1} |a_{i_1,i_2,\dots,i_N}|^2 = 1$. To achieve perfect correlations, we can assume without loss of generality that all parties measure in the Z-basis and get the same outcome, as the choice of another local basis corresponds to a local rotation, and an opposite outcome could be flipped locally. The requirement of perfect correlations in the Z-basis is only fulfilled by a quantum correlated state of the form

$|\phi_{\mathrm{corr}}\rangle = a_{0,\dots,0}\,|0,\dots,0\rangle + a_{1,\dots,1}\,|1,\dots,1\rangle$. (A2)

It turns out that this requirement of perfect correlations in one set of local bases forbids perfect correlations, even only pairwise, in any other local bases, for all N ≥ 3.

Proof. Measuring in the Z-basis, perfect correlations follow trivially. For the reverse implication, let us denote the direction of measurement for party i by the vector $M_i$, with components $M_i^x$, $M_i^y$ and $M_i^z$. An observable $M_{ij}$ of two parties i and j is given by where $\sigma$ denotes the vector of Pauli matrices and the identity operators for the parties $\neq i, j$ are omitted. Observe that because all other combinations of Pauli operators change $|\phi_{\mathrm{corr}}\rangle$ to an orthogonal state. Denoting by $p_i^\alpha(\pm)$ the probability that party i finds eigenvalue ±1 when measuring $\sigma^\alpha$, we also have $\langle\phi_{\mathrm{corr}}|\sigma_i^\alpha \otimes \sigma_j^\beta|\phi_{\mathrm{corr}}\rangle = 2[p_i^\alpha(+)p_j^\beta(+) + p_i^\alpha(-)p_j^\beta(-)] - 1$, and thus $p_i^\alpha(+)p_j^\beta(+) + p_i^\alpha(-)p_j^\beta(-) \neq 1$, unless $\alpha = \beta = z$. Therefore, perfect correlations between two parties are not possible in any other than the Z-basis. This also excludes perfect correlations between any other number of parties. Note that the above argument, in particular Eq. (A4), does not hold for N = 2, which is special.

Thus, any state of the form (A2) contains the resource of perfect multipartite correlations in the local Z-bases. In order to ensure uniformity of the outcome, i.e. randomness of the resulting secure bit string, we choose for the key generation protocol $|a_{0,\dots,0}| = 1/\sqrt{2} = |a_{1,\dots,1}|$, i.e. the unique perfect resource is a GHZ state [34].

Appendix B: Security analysis of the NQKD protocol
In this appendix we generalise the composable security definition of the bipartite scenario [16,17] to the N-partite case. As mentioned in the main text, the security analysis proceeds along analogous lines as the bipartite case in [33,51]. We assume that the parties $A$ and $B_i$, for $i = 1, \dots, N-1$, share n multipartite states. The eavesdropper E is supposed to hold a purification of the global state. The total quantum state after Z-measurement of $A$ and all $B_i$ is described by the density operator where $x$ and $x_i$ describe the classical strings of parties $A$ and $B_i$, respectively. Note that the classical post-processing is identical to the bipartite case: In an error correction step the parties transform their only partially correlated raw data into a fully correlated shorter string. Party $A$ pre-processes her random string $K$ according to the channel $U \leftarrow K$ and sends classical error correction information $W$ to parties $B_i$, who compute their respective guesses $U_i$ for $U$ from $K_i$ and $W$. The error correction information $W$ is the same for all Bobs, thus there is no additional information leakage compared to the bipartite case. In a second step, the privacy amplification, Party $A$ randomly chooses $f$ from a two-universal family of hash functions, computes her key $S_A = f(U)$ and sends the description of $f$ to all parties $B_i$, who also perform the privacy amplification to arrive at their respective keys $S_{B_i} = f(U_i)$. The total quantum state will then be denoted as where $\delta(\rho, \sigma) = \mathrm{tr}|\rho - \sigma|/2$ denotes the trace distance. Note that we have not assumed any symmetry about the quality of the channels connecting $A$ and $B_i$. The information leaking to the eavesdropper in the error correction step is determined by the amount of error correction information which the Bob with the noisiest channel requires. This is the main difference with respect to the bipartite case.
Therefore we arrive at the following key length (n), generated from n multipartite entangled states, in analogy to [33,51]:

4. The router measures C in X basis. If the outcome is −1, i.e. $|-\rangle_C$, then it applies $X_{B_1}$. The state is now $|\pm\rangle_C |\mathrm{GHZ}\rangle$.

Up to a local basis choice (Hadamard gate), the resource state of the main text has been distributed and the multipartite entanglement based quantum key distribution (NQKD) protocol can be performed. To see that it is impossible to create N − 1 Bell pairs by sending a single qubit from Alice to the router, let us group the router and all Bobs into a single party B. When Alice sends one qubit across the channel, the entropy of entanglement $E_{A|B} \le 1$. The N − 1 Bell pairs, however, have entropy of entanglement $E_{A|B} = N - 1$, so they cannot be created from the received state by local operations on B. Instead, N − 1 network uses are necessary and the key rate decreases accordingly.

Appendix D: Gate error rates and the QBER
In this appendix we give details for the key rate calculations regarding the quantum networks of Figs. 1(b) and 3 with imperfect gates. We start with the simple network of Fig. 1(b). The GHZ resource state is prepared as follows. Alice starts with the state $|+\rangle_A |0\rangle^{\otimes N-1}$ and applies a controlled-Not gate from A to each of the other qubits, see Fig. 5. When a controlled-Not gate acts on qubits i (control) and j (target) we denote it by where $X = |0\rangle\langle 1| + |1\rangle\langle 0|$ is a Pauli matrix. We use a depolarizing noise model for the gate errors. The action of the imperfect gate on the density matrix is where $\sigma = \{\mathbb{1}, X, Y, Z\}$ contains Pauli matrices. It will be convenient to extend the notation of the GHZ basis to include the number of parties as a subscript, i.e.
The initial state is The first gate turns it into the second into and the third into in front of the corresponding term in $\rho$. These prefactors determine the overlap between $|\psi_{j,0}^\pm\rangle\langle\psi_{j,0}^\pm|$ and $\rho$, i.e. the coefficients $\lambda_0^\pm(f_G)$ of $\rho$ in the GHZ basis. They read where $|x|_H$ is the Hamming weight of $x$. After some combinatorics $\sum_x c(x)$ for a given weight $w = |x|_H$ (unequal to N − 1) can be expressed in a more compact form by summing over all possible "subset counts" $\beta$ as which leads to the relevant coefficients in the GHZ basis, From Eq. (D12) one obtains the QBER using Eq. (12). We show it in Fig. 6. The secret key rate is calculated using Eq. (23) with which is the average $Q_{AB_i}$ for one to N − 1 gates, because we use a random order of the gates. This effectively mixes all $\lambda_j^\pm$ with j of same Hamming weight and accomplishes that all $Q_{AB_i}$ are equal. Compared to a fixed gate order it improves the key rate and removes the maximum in Eq. (23).

FIG. 5. The GHZ state that is to be distributed across the network of Fig. 1(b) can be produced by Alice using controlled-Not gates as depicted in this quantum circuit diagram.
In the case of the network shown in Fig. 3, N − 1 gates are performed at C and one additional gate is performed at A. The initial state at C depends on whether the gate of A was successful, i.e. it is i.e.
and the previous results can be used to obtain the key rate in this case. Note that while the final density matrix depends on whether a router was used or not, the QBER (and Q ABi ) does not, because the additional phase error does not contribute to it. For a fixed number of parties N there is a threshold gate error probability below which the NQKD protocol outperforms the bipartite approach in the quantum network of Fig. 3. These values are listed in Table II.
The key rate as a function of N is shown for different values of the gate error rate f G in Fig. 7.