Conference key agreement with single-photon interference

The intense research activity on Twin-Field (TF) quantum key distribution (QKD) is motivated by the fact that two users can establish a secret key by relying on single-photon interference in an untrusted node. Thanks to this feature, variants of the protocol have been proven to beat the point-to-point private capacity of a lossy quantum channel. Here we generalize the main idea of the TF-QKD protocol introduced by Curty et al to the multipartite scenario, by devising a conference key agreement (CKA) where the users simultaneously distill a secret conference key through single-photon interference. The new CKA is better suited to high-loss scenarios than previous multipartite QKD schemes and it employs for the first time a W-class state as its entanglement resource. We prove the protocol’s security in the finite-key regime and under general attacks. We also compare its performance with the iterative use of bipartite QKD protocols and show that our truly multipartite scheme can be advantageous, depending on the loss and on the state preparation.

state. In section 3 we prove the CKA security in the finite-key scenario (the detailed proof is given in appendix A). In section 4 we provide simulations of the protocol's secret key rate and compare them with the repeated use of bipartite schemes (further comparisons in appendix C). We present our conclusions in section 5. In appendix B we report in detail the calculations of the relevant parameters for an honest implementation of the protocol.

Conference key agreement
As anticipated in the introduction, our CKA scheme is an extension of the original bipartite TF-QKD protocol [24, Protocol 1] to a scenario with N users who want to establish a secret conference key. The parties distill the secret key by sending optical pulses to an untrusted node and by performing suitable measurements on a qubit they hold. In order to keep the notation symmetric, the N parties involved in the multipartite QKD protocol are named: Alice$_1$, Alice$_2$, ..., Alice$_N$. The protocol is composed of L rounds; each round is characterized by the following eight steps (see figure 1):
(i) Every party (Alice$_i$) prepares an optical pulse $a_i$ in an entangled state with a qubit $A_i$, given by: is the vacuum state, $|1\rangle_{a_i}$ is the single-photon state, and $\{|0\rangle, |1\rangle\}$ is the computational basis of qubit $A_i$.
(ii) Every party sends her optical pulse $a_i$ to the untrusted node via optical channels characterized by transmittance t, in a synchronized manner.
(iii) The central node applies a Bell-multiport beam splitter [43][44][45][46][47][48] with M input and output ports to the incoming pulses and features a threshold detector $D_i$ at each output port ($i=1, \ldots, M$). The action of the multiport beam splitter is defined by the unitary transformation given in figure 1.
(iv) The central node announces the measurement outcome $k_i$ for every detector $D_i$, with $k_i=0$ and $k_i=1$ corresponding to a no-click and a click event, respectively. The round gets discarded if $\sum_{i=1}^{M} k_i \neq 1$, i.e. whenever single-photon interference did not occur in the central node. The probability that only detector $D_j$ clicked is $p_j$.
(v) According to a preshared secret key of $L \cdot h(p_{PE})$ bits, the round is classified as a parameter-estimation (PE) round with probability $p_{PE}$ or as a key-generation (KG) round with probability
(b) In case of a KG round, conditioned on detector $D_j$ clicking, Alice$_i$ measures her qubit in the basis of the operator O X Y cos sin (where X and Y are the Pauli operators), with $\varphi_i = \arg(U_{ij})$ ($U_{ij}$ is given in figure 1). The parties announce m randomly chosen measurement results in order to estimate the quantum bit error rate (QBER) by computing the frequency: ( ) ( ) ) , i.e. the frequency of discordant outcomes.
(vi) The secret key shared by the N users is extracted from the remaining n Mp L m 2 j = raw key bits of the KG rounds.
(vii) Alice$_1$ broadcasts the error correction information that every other party uses to correct her raw key to Alice$_1$'s raw key.
(viii) Alice$_1$ broadcasts a suitable two-universal hash function and every party applies it to her key for privacy amplification.
Remarks. Note that the quantity $Q_Z^m$ is the frequency of the outcome +1 when the parties measure the operator $Z^{\otimes N}$. By making an analogy with the bipartite scenario, one can view $Q_Z^m$ as an estimation of the phase-error rate between Alice$_1$ and the other $N-1$ parties (when the phase-error rate is defined as in [24]).
Since the Bell-multiport beam splitter redirects each incoming photon with equal probability to each potential output port, the probability of having a click in only one specific detector is the same for all detectors, i.e. $p_j$ reads the same for $j=1, \ldots, M$. For this reason, the total probability of having exactly one click in any detector is given by $Mp_j$.
In an honest implementation of the protocol, where the parties' state preparation and the operations of the central node are carried out as described above, the state of the qubits $A_1, \ldots, A_N$ from which the parties distill a secret key is approximately a W-class state of N qubits [42], as we show in section 2. Therefore, the protocol here introduced represents an alternative to other multipartite QKD protocols [34][35][36][37][38] where the entanglement resource used to generate the key is, instead, a noisy version of the GHZ state of N qubits. Moreover, the W-class state used by the CKA is an entangled state which is post-selected after the interference of one single photon at the multiport beam splitter. Thus the resulting key rate scales linearly with the transmittance t of one of the quantum channels linking the parties to the central node. This is in contrast to the other mentioned multipartite QKD protocols [34][35][36][37][38], where the distribution of an N-qubit GHZ state (e.g. encoded in orthogonal polarizations of a photon) would lead to a key rate which scales with $t^N$ (with t being the transmittance of the link between one party and the node distributing the GHZ state). This makes our CKA much more suited to high-loss scenarios than previously proposed multipartite QKD protocols.

Multipartite QKD with a W state
As mentioned at the end of section 1, the entanglement resource exploited to distill the secret key is a noisy W-class state of N qubits [42], which is post-selected after single-photon interference occurred in the central node. In fact, the optimization of the CKA key rate (section 4) over the parameter q weighting the initial superposition of the qubit-photon state always yields values of q close to 1. This means that the quantum signal sent by the parties is strongly unbalanced towards the vacuum. Thus the events in which one of the detectors clicks are mainly caused by the arrival and detection of one photon. However, because of the balanced superposition generated by the multiport beam splitter, the detected photon could be sent by any party with equal probability. Since the photon is initially entangled to the qubit in state $|1\rangle$, the qubits' state conditioned on the detection is a coherent superposition of states in which one qubit is in state $|1\rangle$ and all the others are in state $|0\rangle$, that is the mentioned W-class state. A secret conference key can then be extracted by proper measurements performed on such a state.
It has been proven [35] that the parties cannot extract perfectly correlated outcomes in any set of local measurement bases (for $N \geq 3$). Indeed, the only N-qubit state achieving that and yielding uniformly distributed random measurement outcomes is the GHZ state. Nevertheless, the N-partite W state can still be used to extract a secret conference key. The key bits are given by the outcomes of the X-basis measurements performed by the N parties on their respective qubit. The expected QBER between any two parties is given by $\frac{1}{2} - \frac{1}{N}$, which amounts to subtracting the fraction $h\left(\frac{1}{2} - \frac{1}{N}\right)$ from the secret key rate due to error correction (h(x) is the binary entropy). On the other hand, the eavesdropper's knowledge about the key can be estimated via the phase-error rate $Q_Z$ (as defined in section 1, more details in appendix A), which turns out to be zero on the W state. This is crucial for having a non-zero key rate even when the number of parties is large. The resulting asymptotic key rate, when the parties share an N-partite W state, is given by ) . Our CKA is constructed following the same philosophy. The only difference is that the conditional state shared by the parties after the detector's click is not exactly the W state given by (2.1), but rather a noisy W-class state (the full expression is given in appendix B). Indeed, the multiport beam splitter introduces complex phases in the balanced superposition of states shared by the parties, that depend on which detector clicked. For this reason, we require the parties to adjust their KG measurements in the X, Y plane in order to remove such phases and obtain the same QBER ($\frac{1}{2} - \frac{1}{N}$) they would observe by measuring in the X-basis had they shared the standard W state (2.1). However, the adjusted KG measurements do not commute with the operations performed in the untrusted node and prevent the CKA from being recast as an MDI prepare-and-measure scheme, as opposed to its bipartite version [24].
Consequently, the multipartite scheme presented here is more challenging to implement than its bipartite counterpart, i.e. the TF-QKD protocol. In particular, it cannot be reformulated as a scheme where the parties prepare coherent states and send them to node C for measurement. Nonetheless, the operations that the parties are required to perform seem to be within technological reach [49,50]. In particular, the qubit system could be realized by a nitrogen-vacancy electron spin, whose coherence time has recently reached the order of seconds [51]. The entanglement between the electron spin and the photon's Fock state would then be generated via selective optical pulses and coherent rotations [49], which would entangle the electron spin with the presence or absence of a photon.
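The W-state figures quoted in this section (QBER of 1/2 − 1/N, zero phase-error rate, and the effect of adjusting the measurement angles in the X, Y plane) can be checked numerically. The following is an added example, not code from the paper: the sparse state representation, the function names, the sample phases, the phase convention O = cos(angle) X + sin(angle) Y and the rate form 1 − h(Q_Z) − h(QBER) are assumptions of this illustration.

```python
import cmath
import math


def w_class_state(phases):
    """Sparse N-qubit state sum_k exp(i*phases[k]) |0..1_k..0> / sqrt(N).

    Keys are basis-state bitmasks (bit k set means qubit k is in |1>).
    All phases equal to zero gives the standard W state.
    """
    n = len(phases)
    return {1 << k: cmath.exp(1j * th) / math.sqrt(n) for k, th in enumerate(phases)}


def apply_xy(state, qubit, angle):
    """Apply O = cos(angle) X + sin(angle) Y to one qubit (assumed convention).

    O|0> = exp(+i*angle)|1> and O|1> = exp(-i*angle)|0>.
    """
    bit = 1 << qubit
    out = {}
    for basis, amp in state.items():
        sign = -1 if basis & bit else 1
        flipped = basis ^ bit
        out[flipped] = out.get(flipped, 0) + amp * cmath.exp(sign * 1j * angle)
    return out


def qber(state, i, k, angles):
    """Probability that parties i and k obtain discordant outcomes when each
    measures O(angles[.]): (1 - <O_i O_k>) / 2."""
    rotated = apply_xy(apply_xy(state, i, angles[i]), k, angles[k])
    corr = sum(state.get(b, 0).conjugate() * a for b, a in rotated.items()).real
    return min(1.0, max(0.0, (1.0 - corr) / 2.0))  # clamp rounding noise


def phase_error_rate(state):
    """Probability that the product of all Z outcomes is +1, i.e. an even
    number of qubits is found in |1>."""
    return sum(abs(a) ** 2 for b, a in state.items() if bin(b).count("1") % 2 == 0)


def h(x):
    """Binary entropy in bits."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)


def w_state_rate(n):
    """Asymptotic rate on an ideal N-partite W state, assuming the standard
    form 1 - h(Q_Z) - h(QBER) (an assumption of this example)."""
    state = w_class_state([0.0] * n)
    return 1.0 - h(phase_error_rate(state)) - h(qber(state, 0, 1, [0.0] * n))


if __name__ == "__main__":
    for n in (2, 3, 5, 9):
        s = w_class_state([0.0] * n)
        print(n, qber(s, 0, 1, [0.0] * n), phase_error_rate(s), w_state_rate(n))

    # Constructed sample: a 3-qubit W-class state carrying detector-dependent
    # phases. Plain X-basis measurements see a worse QBER than angles matched
    # to the phases, which restore 1/2 - 1/N.
    phases = [0.0, 2 * math.pi / 3, 4 * math.pi / 3]
    s = w_class_state(phases)
    print("X basis:", qber(s, 0, 1, [0.0] * 3), "adjusted:", qber(s, 0, 1, phases))
```
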

Finite-key analysis
The protocol presented in section 1 can be effectively regarded as an N-partite QKD protocol solely characterized by the unknown quantum state $\rho^{M p_j L}_{A_1 A_2 \ldots A_N}$, which is the global state of the parties' qubits in all the rounds that were not discarded. In this way we allow the eavesdropper, who is in total control of the untrusted node, to perform any kind of operation (coherent attacks) on the whole set of signals sent by the parties in the different rounds. As described above, in each round the parties perform trusted measurements on the state $\rho$, according to the preshared key they hold. The security of such a multipartite QKD protocol can be proven thanks to the finite-key analysis developed in [37]. In particular, since Alice$_1$ (who holds the key to which all the other parties correct their raw key) measures her qubit only in the two mutually unbiased bases Z and X, the protocol's security proof follows analogous lines to the one of the N-BB84 protocol presented in [37]. The security is guaranteed even when the state preparation and the measurement devices of the other parties (Alice$_2$, ..., Alice$_N$) are not trusted (a detailed proof is given in appendix A).
Theorem 1. The CKA in section 1, with the optimal 1-way error-correction protocol (which is $\varepsilon_{EC}$-fully secure and
We remark that the length $L \cdot h(p_{PE})$ of the preshared key must be subtracted from the secret key length in order to have the net amount of fresh secret key bits. We also remark that our leakage estimation considers the worst-case QBER affecting the parties' raw keys, which is (with high probability) not larger than the QBER observed in appositely designated KG rounds with the appropriate statistical correction. This is in contrast to several other finite-key analyses [52][53][54][55], where either the QBER is assumed to be known a priori or its estimation does not account for statistical fluctuations. In the asymptotic regime ($L \to \infty$), the finite-size effects are not present and the secret key rate (r=ℓ/L) reads: where $Q_Z$ and $Q_{A_1 A_i}$ are the probabilities corresponding to the frequencies defined in section 1.

Simulations
In this section we provide plots of the secret key rate (number of secret key bits per round) achieved by the CKA both with finite-key effects (3.1) and in the asymptotic regime (3.4), as a function of the loss in one of the channels linking a party to the central node, measured in dB ($-10\log_{10} t$). We assume that the protocol is honestly implemented as described in section 1 and we account for a dark count probability of $p_d = 10^{-9}$ in every detector (which can be attained with superconducting nanowire single photon detectors [29]) and for a polarization and a phase misalignment between Alice$_1$ and each other party of 2%. The relevant error rates and probabilities for this configuration are given in appendix B. The plots are optimized over the parameter q of the initial superposition between the two qubit-photon states, unless otherwise stated. The finite-key plots are further optimized over the probability $p_{PE}$ of performing a PE round and over the security parameters , , and $\varepsilon_{PA}$, constrained by a fixed total security parameter of $\varepsilon_{tot} = 10^{-8}$.
In order to assess the performance of our CKA with an untrusted node, we consider the situation in which the central node is removed and the N parties are linked by a star network, where the transmittance of the link between any two parties is $t^2$. For this configuration, we consider the conference key rate generated by the following strategy and compare it to our CKA key rate. One selected party performs the best possible bipartite QKD scheme with every other party in the network, i.e. N−1 times. Because of the network symmetry, every bipartite secret key has the same length and its asymptotic rate is upper bounded by the Pirandola-Laurenza-Ottaviani-Banchi bound [33] given by: ). Then, the selected party encodes the final conference key by using the keys she/he established singularly with each other party. Hence, the conference key length is equal to the bipartite keys' lengths, but the total number of rounds needed to establish the conference key is given by the number of rounds performed by a pair of parties, multiplied by the number of bipartite schemes (N−1). Thus the conference key rate achieved by this strategy is upper bounded by: We will refer to (4.1) as the direct-transmission bound, even though we emphasize that it only upper bounds the achievable conference key rate when the strategy we just described is employed. Indeed, we do not claim that this strategy yields the highest possible conference key rate for the considered network configuration. In this section we show that our CKA provides an advantage, in terms of performance, with respect to the above strategy (4.1).

Asymptotic regime
In figure 2 we plot the asymptotic key rate of the CKA (equation (3.4), solid and dotted lines) as a function of the loss in one of the quantum channels, for different numbers of parties establishing the secret conference key. In particular, the solid lines are obtained by fixing M=N, i.e. the number of input (output) ports of the beam splitter is given by the number of parties taking part in the protocol. The dotted lines are instead obtained by fixing the number of ports to M = 10. Finally, the dashed lines represent the direct-transmission bound (4.1) for the corresponding number of parties. We observe that the CKA key rate can surpass the direct-transmission bound for sufficiently high losses. This is expected since the CKA key rate basically scales linearly with the transmittance t of the quantum channel linking one party to the central node, while the direct-transmission rate scales linearly with the transmittance ($t^2$) of the whole channel linking two parties [33]. We note, however, that the performance advantage of the CKA with respect to the direct-transmission bound decreases for increasing number of parties. This is due to the fact that an increase of the number of parties is more detrimental for the CKA rate, as it severely affects the QBER (footnote 5), than for the direct-transmission bound, where it simply increases the total number of rounds dividing the key length. Moreover, the presence of dark counts in the detectors prevents the CKA from outperforming the direct-transmission bound if the number of parties is too large (see the N=9 case in figure 2). Indeed, they are the cause of the sudden drop of the key rate at high losses, i.e. where the probability of detecting one photon becomes comparable to the probability of having a dark count. Moreover, their effect increases with the number of parties since the key rate optimization yields a lower probability of having a single click in one of the detectors, when more parties are involved.
Note, however, that while the CKA rate accounts for devices' imperfections (e.g. dark counts), the direct-transmission bound is attained only in the ideal scenario of no imperfections.
From figure 2 we also deduce that performing the CKA with a higher number of ports in the beam splitter (dotted lines, where M = 10) is advantageous at low losses and disadvantageous at high losses. The advantage of having more output ports is that the probability that two photons arrive at the same detector diminishes (this is an error source in our CKA). However, these errors could only occur if there is a non-negligible probability that two photons arrive at the central node, i.e. when the losses are low. At the same time, the presence of more output ports (and thus detectors) increases the chances of a dark count. And the negative effect of dark counts on the performance becomes tangible when their probability is comparable to the probability of having a click in a detector, i.e. at high losses.
Another relevant scenario for assessing the CKA performance in comparison to the iteration of bipartite protocols could be the following. The parties are given the same CKA experimental setup but they are now allowed to use it in pairs (or larger subgroups) in consecutive runs, effectively performing the original TF-QKD protocol [24, Protocol 1] between one selected party and every other party. The different established keys are then used to encode the final conference key, similarly to the direct-transmission scenario. This strategy can then be compared to the case where the parties choose to use the CKA setup all at once, thus performing a truly multipartite QKD scheme. A detailed analysis of this comparison in the asymptotic regime is given in appendix C. It turns out that, depending on the loss and on the state preparation, it is still advantageous to perform a multipartite protocol instead of iteratively executing bipartite protocols, on the CKA experimental setup.

Finite-key effects
In figure 3(a) we plot the finite-key conference rate (equation (3.1) divided by L) as a function of the number of rounds L, for different fixed values of the loss (20 and 30 dB, solid and dotted-dashed lines) and different number of parties. We stress the fact that we normalize the key length to the total number of rounds (L), i.e. we also take into account the rounds that get discarded due to double-clicks or no click in the detectors. The horizontal dashed lines correspond to the value of the direct-transmission bound (4.1) for the various combinations of losses and number of parties. We observe that the number of rounds leading to a non-zero key rate is in general higher than other multipartite schemes (see for example [37]). This is caused by the fact that the CKA devised here relies on single-photon interference events, which are only a fraction of all the events occurring in an experiment run. A considerable amount of rounds gets thus discarded, but still contributes to the rounds' count. Nevertheless, the number of rounds needed for a non-zero key rate is comparable to other bipartite TF-QKD protocols [56,57].
Figure 2. … dashed lines), as a function of the loss in the channel linking one party to the central node, for different number of parties N=2, 3, 5 and 9 (black, blue, red and green; top to bottom). The CKA key rate overcomes the correspondent direct-transmission bound for increasing losses, as the number of parties increases. For instance, the CKA performed by 5 parties becomes advantageous at distances larger than 150 km (assuming a fiber attenuation of $\alpha = 0.2$ dB km$^{-1}$). We also observe that having more ports in the beam splitter than parties involved in the protocol is advantageous at low losses (dotted lines are above the solid lines) but disadvantageous at high losses, where more ports imply a higher chance of having a dark count.
Footnote 5. The QBER scales with the number of parties as
On the other hand, the advantage of relying on single-photon interference in a multipartite scenario is the excellent scaling of the protocol's key rate with respect to losses, which allows it to overcome the asymptotic direct-transmission bound (dashed lines) even with a finite number of rounds.
In figure 3(b) we instead plot the minimum number of rounds ($L_{\min}$) such that the finite-key rate (ℓ/L) does not decrease more than 90% with respect to its asymptotic value r (3.4), i.e.: $\ell(L_{\min})/L_{\min} \geq r/10$. The threshold $L_{\min}$ is plotted as a function of the number of parties (N) and for fixed values of the loss. We observe that $L_{\min}$ increases both with the number of parties and with the loss. The reason is that, in both cases, the fraction of the total number of rounds that gets discarded increases. This has a negative effect both on the asymptotic rate and on the finite-key rate, however the effect on the latter is greater, thus requiring a larger number of rounds $L_{\min}$ to maintain the finite-key rate within 90% range of the asymptotic one. Indeed, a larger fraction of discarded rounds decreases the prefactor $Mp_j$ in both the finite- and the asymptotic-key rates, but it additionally decreases the number of rounds used for PE in the finite-key regime. This causes larger statistical fluctuations and thus a smaller finite-key rate.

Conclusions
In this work we introduced a new multipartite QKD protocol that exploits for the first time the correlations derived from an N-partite W state [42] to establish a secret conference key among the N users. In an honest implementation of the protocol, the W state is post-selected thanks to the interference of a single photon in a central node, extending the idea of the bipartite TF QKD protocol devised in [24] to the multipartite scenario. Hence the resulting key rate scales linearly with the transmittance of one of the quantum channels linking the parties to the central node, making the protocol particularly suited for conference keys established in high-loss scenarios.
We prove the protocol's security in the finite-key regime by considering the most adversarial situation possible, i.e. coherent attacks are allowed by the eavesdropper. In order to achieve this, we rely on previous results on the finite-key security of multipartite QKD schemes derived in [37] and employ the entropic uncertainty relation [58].
Figure 3. … We observe that the rates quickly achieve their asymptotic value once the number of non-discarded rounds is enough to get a non-zero key. The CKA key rates overcome the direct-transmission bound (dashed lines) even in the finite-key scenario. (b) Minimum number of rounds such that the finite-key rate (equation (3.1) over L) is at least 10% of its asymptotic value, as a function of the number of parties and for fixed losses (1 dB blue circles, 20 dB red squares and 40 dB green diamonds). We notice that increasing the number of parties and/or the losses is more detrimental for the finite-key rate than for the asymptotic one, due to an increase of the fraction of discarded rounds and thus of the statistical fluctuations. Here we study the finite-key effects on our CKA. The number of ports in the beam splitter is given by the number of parties taking part to the protocol: M=N.
We provide simulations of the conference key rate both in the finite- and in the asymptotic-key regime. We compare the performance of our CKA to that achieved by performing bipartite QKD schemes between one party and each of the others and then using the established keys to encode the conference key. In particular, we analyze the cases where the bipartite schemes are performed with the same setup used for the CKA (in appendix C) and in the direct-transmission scenario (i.e. the central node is removed and the optimal bipartite QKD scheme is performed). We show that, in both cases, the execution of a truly multipartite scheme could be advantageous even when finite-key effects are accounted for.
Although the feasibility of the proposed CKA requires further investigation, with this work we demonstrate that, in principle, multipartite QKD does not necessarily need a GHZ-class state as its entanglement resource and that it can be implemented even in high-loss scenarios.

Acknowledgments
We thank Marcos Curty, Daniel Miller and Hua-Lei Yin for helpful discussions. This project has received funding from the European Union's Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No. 675662.

Appendix A. Security proof
In order to prove the security of our CKA in the finite-key scenario, we start from the general security statement given in [37, theorem 1]. The resulting secret key length is thus determined by the amount of information the eavesdropper has about the secret key and by the information the parties leak during the classical postprocessing. The former is quantified by the min-entropy $H_{\min}^{\varepsilon}(\rho^n_{XE}|E)$, where $\rho^n_{XE}$ is the classical-quantum state of Alice$_1$'s raw key and the eavesdropper's quantum system E which is partially correlated to it. Since the eavesdropper's system is unknown, one cannot directly compute the mentioned min-entropy. Nevertheless, it can be bounded by means of the uncertainty relation [58] for smooth-entropies as follows: where the max-entropy on the rhs quantifies the uncertainty of Alice$_1$'s Z-measurement results when the Z-outcomes of the remaining N−1 parties are known, if all parties would measure Z in the n rounds yielding the raw-key. The max-entropy can be upper bounded via the phase-error rate $Q_Z^n$ (as defined in section 1) of the n raw-key rounds. We get: ). Finally, since the parties do not directly observe the phase-error rate $Q_Z^n$ of the n rounds producing the raw key, this can be inferred through the theory of random sampling without replacement. In particular, the phase-error rate of the raw key ($Q_Z^n$) can be upper bounded with high probability, once the observed phase-error rate ($Q_Z^m$) is known. For this, we make use of the following tail inequality [56, lemma 1] which features a tighter bound with respect to the Serfling inequality.
Lemma 1 [56]. Let n m  + be a random binary string of $n+m$ bits, m  be a random sample (without replacement) of m entries from the string n m  + and n  be the remaining bit string. Upon calling $\Lambda_m$ and $\Lambda_n$ the frequencies of bit value 1 in string m  and n  , respectively, for any $\varepsilon > 0$ it holds:
The remaining part of the secret key length that needs to be estimated is the error-correction information sent through the classical public channel, and thus leaked to the eavesdropper. Since we consider a one-way scheme where Alice$_1$ broadcasts the same error-correction information to all the parties through the public channel, the information gained by the eavesdropper is bounded by the binary entropy of the worst QBER between Alice$_1$ and any other party, by means of [37, theorem 2].
Putting these considerations together, we obtain the security statement given in theorem 1.
We remark that the only requirements needed for the security proof to hold are that Alice$_1$ is actually measuring qubits and that her measurement device is working as expected (i.e. it measures in the X and Z basis) [58,59]. This means that we do not need to trust the measurement devices of the other parties (as long as they are memoryless), nor their state preparation (including Alice$_1$'s).

Appendix B. Channel model
In this section we compute the QBER ($Q_{A_1 A_k}$), the phase-error rate ($Q_Z$) and the probability that a given detector clicked ($p_j$), assuming that the protocol is implemented as described in section 1. We also account for a dark count probability $p_d$ in each detector and we consider the specific scenario in which there are a polarization and a phase misalignment of angles $\theta$ and $\phi$, respectively, between Alice$_1$ and each other party. In the simulations of section 4 we set: $p_d = 10^{-9}$ and $\theta = \phi = \arcsin 0.02$. For simplicity, we assume that the input signals of the N parties enter the first N ports of the M-port beam splitter. Nevertheless, the results in terms of achieved key rate are independent of which input ports are used, thanks to the balanced redistribution of the input photons to the output ports of the considered Bell-multiport beam splitter (see figure 1). We remark that the expressions derived here together with the asymptotic key rate given in (3.4) reproduce those of the original TF-QKD protocol [24, Protocol 1] in the case of two parties (N=2) with a balanced 2-port beam splitter (M=2).
We first derive the QBER, the phase-error rate and the probability p j assuming no dark counts in the detectors, i.e. every click is caused by the arrival of one or more photons. In the last Subsection we use the derived expressions to obtain analogous quantities, with the assumption that every detector has a probability p d of clicking conditioned on no photon arriving.

B.1. Qubits' state conditioned on one click
According to the protocol, the global state of the parties' qubits and signals, before sending the signals to the central node, reads: where the phase mismatch $\phi_k$ is defined as zero if $k=1$ and as $\phi$ if $k \neq 1$, which means that every other party has the same phase mismatch with respect to Alice$_1$. The signals $a_k$ are then sent to the central node through lossy optical channels, which are modeled as beam splitters with transmittance t. The global state after the transmission of the signals to the untrusted relay reads: where $l_k^\dagger$ is the creation operator of the lost photon in channel k, $\vec{b}$ is an N-bit vector that runs from 0 to $2^N-1$ in binary notation (covering all the possible combinations of qubit states) and $|\vec{b}|$ is the Hamming weight of vector $\vec{b}$. From now on, we denote as $g(\cdot)$ the bijective function that takes as input a binary vector and outputs the correspondent decimal number.
We assume now that the polarization of the photons sent by Alice$_2$, ..., Alice$_N$ is rotated by an angle $\theta$ with respect to Alice$_1$'s signal: where $\theta_k$ is defined as zero if $k=1$ and as $\theta$ if $k \neq 1$, while the subscripts $P$ and $P^\perp$ indicate the polarization of Alice$_1$'s signal and its orthogonal direction, respectively.
Finally, the global state after the application of the Bell-multiport beam splitter on the incoming signals (its action on the incoming creation operators is reported in figure 1) is: where $\sigma^\dagger_{j,P}$ and $\sigma^\dagger_{j,P^\perp}$ are the creation operators of the output signals in the two orthogonal polarizations and $U_{kj}$ is reported in figure 1. At this point, every output signal is measured in the respective threshold detector. Since the detectors do not distinguish the polarization of the output signals, we will use the subscript $\sigma_j$ to indicate the combined Hilbert space of the signals exiting port j, when there is no ambiguity.
We are now ready to compute the conditional state of the qubits $A_1, \ldots, A_N$ when only detector $D_j$ clicked: where $p_j$ is the probability that only detector $D_j$ clicked, $\rho^j_{A_1 \ldots A_N}$ is the normalized conditional state of the qubits and $P_{|0\rangle_{\sigma_j}}$ is the projector on the vacuum state of output signal j. In order to compute (B.5), we start by calculating the following quantity: where the effect of the projectors is to select the outcome signal $\sigma_j$ and to remove the case $g(\vec{b}) = 0$, since it would correspond to a vacuum state for the outcome signal $\sigma_j$. We now focus on rewriting the following term: where we expanded the product in the first line of (B.7) by introducing a sum over the binary vector $\vec{d}$. The sum runs over all the N-bit vectors d . This is to make sure that the kth factor in the first line does not contribute to the expanded product in the second line whenever $b_k=0$. The remaining bits of $\vec{d}$ that are not affected by the mentioned condition, can be either 1 or 0. If $d_k=1$ we intend that, for this particular term in the sum, the contribution of the kth factor in the first line of (B.7) is given by its first addend ($\sqrt{t}\,U_{kj}(\ldots)$). While if $d_k=0$ and $b_k=1$, we mean that the contribution is coming from the second addend ($\sqrt{1-t}\,l_k^\dagger$). The exponents in the second line of (B.7) are chosen according to these rules. Finally, (B.8) is obtained by using the definition of $U_{kj}$ from figure 1 and by applying the creation operators on the vacuum. We now expand the remaining product in (B.8) with the same technique and obtain the following expression: cos sin e e 1 cos sin . B.9 We now substitute (B.9) back into (B.6) and note that the effect of the projectors P P id ). Hence we get: By substituting (B.10) into (B.5) we finally get the state of the qubits conditioned on $D_j$ clicking: We use the Kronecker deltas to reduce the sums over $\vec{d}$, $\vec{d}'$, $\vec{f}$ and $\vec{f}'$.
The third delta fixes the value of $\vec{d}'$ The fixed value of $\vec{d}'$ combined with the other constraints on this vector imply additional constraints on d Putting everything together allows to simplify (B.11) as follows: where the sets of binary vectors b b d , , )are defined as follows: B.15 We can now sum over the vectors $\vec{f}'$ since no term depends on them in (B.12): where the asterisk on the binomial coefficient means that it is defined as Finally, since every term just depends on $|\vec{f}|$, we can sum over all the vectors $\vec{f}$ with equal Hamming weight and obtain the final expression for the conditional state of the qubits when detector $D_j$ clicked:

B.2. Probability of exactly one click
We can now compute the probability $p_j$ of having just one click in detector $D_j$ by simply computing the trace of both sides in (B.17):

In order to obtain an easier expression to compute, we distinguish the cases:

The remaining sum over $m$ can be similarly simplified as follows: where b   ( ) is a set of at most 2 binary vectors, defined as: 6 . This means that the sum over b¢ ... ... 1, 2 1 : ,

We notice that the first addend in (B.27) is proportional to $p_j$ (B.18): B.28

In a similar fashion, one computes the probability of $A_1$ measuring the outcome −1 and $A_k$ measuring the outcome +1 and obtains an identical expression to (B.29). In conclusion, the QBER conditioned on $D_j$ clicking is given by twice the probability given in (B.29). By fixing the angles $\varphi_1$ and $\varphi_k$ as mentioned in the protocol's description: $\varphi_1 = 0$ and U arg )( ) we minimize the QBER and thus increase the secret key rate. This requires Alice $k$ to adjust her measurement depending on which detector clicked, implying that such measurement does not commute with the operations performed by node C. On the other hand, the QBER is now minimal and reads the same regardless of which couple ($A_1$, $A_k$) one considers or which detector $D_j$ clicks: where $p_j$ is given in (B.24).

B.4. Phase-error rate
Finally we compute the phase-error rate, defined as the probability that the product of the Z-measurement results of all the parties equals +1 (i.e. the qubit of an even number of parties collapsed in state $|1\rangle$, which corresponds to the outcome $Z=-1$):

B.5. Dark counts
So far we computed the quantities p Q , and Q Z assuming that every click in the detectors is due to the arrival of one or more photons. By naming $\Omega_{\mathrm{ph}}$ the event in which one or more photons arrive at detector $D_j$ and no other photon arrives at any other detector, we can formally express the computed quantities as:

Although we have shown in section 4 that a truly multipartite QKD scheme can outperform the iterative use of any bipartite QKD scheme in the direct-transmission scenario (i.e. the central node is removed), this does not necessarily hold when one has at hand the CKA experimental setup and uses it to perform bipartite QKD protocols. In other words, it might be possible to outperform the multipartite CKA by iteratively executing its bipartite version (fix $N=2$ in equation (3.4)) between one selected party and all the other $N-1$ users, and then using the established secret keys to encode the final conference key via one-time pad encryption. In this case the asymptotic conference key rate would be $r(2)/(N-1)$ according to the reasoning given at the beginning of section 4, where $r(N)$ is given in (3.4).

More generally, it might be advantageous to group the $N$ parties in subsets of equal cardinality, let them perform the CKA within the subset, and then use the secret keys established in each subset to encode the conference key. Since one selected party must belong to every subset in order to distribute the final conference key to the others in a secure way, there are $(N-1)/d$ subsets of $d+1$ users each. In this case the asymptotic conference key rate would read: $\frac{d}{N-1} \cdot r(d+1)$. In order to investigate which of these configurations yields the highest asymptotic conference key rate, we optimize the rate with respect to the possible subdivisions of the $N$ parties in groups of equal cardinality (i.e. we maximize it with respect to all the divisors $d$ of $N-1$):

In figure C1(a) we plot the optimized conference key rate for $N=5$ parties (equation (C.1), solid lines) as a function of the loss in each quantum channel, for different fixed values of the parameter $q$ and a fixed number of input (output) ports of the beam splitter: $M=5$. We also plot the direct transmission bound (4.1) for the same number of parties. The corresponding optimal number of parties within each subset depends on the loss and on the value of $q$, and it is given in figure C1(b).
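The optimization over subset sizes described above, as an added example that is not code from the paper: `r` is any callable returning the asymptotic rate r(n) of the n-party CKA, and the function names and the two rate tables are assumptions, with the table values constructed for illustration rather than taken from the paper's results.

```python
from typing import Callable, List, Tuple

def divisors(n: int) -> List[int]:
    """All positive divisors of n, in increasing order."""
    return [d for d in range(1, n + 1) if n % d == 0]

def subsets(N: int, d: int) -> List[Tuple[int, ...]]:
    """Party 0 (the selected party) joins every subset; the other N-1 parties
    are split into (N-1)/d groups of d, giving subsets of d+1 users each."""
    if (N - 1) % d:
        raise ValueError("d must divide N-1")
    others = list(range(1, N))
    return [(0, *others[i:i + d]) for i in range(0, N - 1, d)]

def optimized_rate(N: int, r: Callable[[int], float]) -> Tuple[float, int]:
    """Maximise d/(N-1) * r(d+1) over the divisors d of N-1.
    Returns (best conference key rate, best d)."""
    def split_rate(d: int) -> float:
        # The (N-1)/d subsets run the CKA one after another, so each one
        # gets a fraction d/(N-1) of the rounds.
        return d / (N - 1) * r(d + 1)
    best_d = max(divisors(N - 1), key=split_rate)
    return split_rate(best_d), best_d

# Constructed sample values of r(n) for n = 2, 3, 5 parties (NOT from the paper):
# at low loss the rate grows with n, at high loss dark counts kill large n first.
LOW_LOSS = {2: 1.0e-2, 3: 1.8e-2, 5: 3.0e-2}
HIGH_LOSS = {2: 4.0e-6, 3: 1.0e-6, 5: 0.0}

if __name__ == "__main__":
    for name, table in (("low loss", LOW_LOSS), ("high loss", HIGH_LOSS)):
        rate, d = optimized_rate(5, table.__getitem__)
        print(name, "-> d =", d, "rate =", rate, "subsets =", subsets(5, d))
```

For N=5 the divisors of N−1 are 1, 2 and 4, which gives the subsets of two, three or five parties mentioned in the caption of figure C1.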
From figure C1(a) we observe that the resulting key rate, although not optimized over the parameter q, is similar to the N=5 key rate in figure 2 for most losses, since we fixed q to values close to the optimal ones. Furthermore, it performs better than the standard CKA with five parties in the high-loss region. Indeed, as already explained in figure 2, the effect of dark counts becomes greater when more parties are performing the CKA at the same time. Thus, allowing for a lower number of parties within each subset increases the maximum tolerated loss.
In figure C1(b) we observe that at low losses it is optimal for the five parties to perform a truly multipartite scheme rather than iteratively performing bipartite protocols. The reason is that in the ideal scenario of extremely low losses ($t \to 1$) and q close to 1, there is only one party successfully sending one photon to the central node to be detected. In this case the post-selected state shared by the parties is the W-class state used for establishing the secret key. Of course, there are more chances that this event is going to happen when more parties are involved, thus a multipartite scheme is advantageous with respect to an iteration of bipartite schemes. One can see this also analytically, by showing that the asymptotic rate (3.4) of the CKA performed by N parties all at once can be approximated as follows (when the above assumptions hold): while the rate achieved by subdividing the task in N−1 bipartite schemes is: By numerically comparing (C.2) with (C.3) for sufficiently high values of q, one notices that the former results in a higher key rate. When the value of q decreases, the probability that two or more parties send their photon to the central node increases, reducing the key rate. Since such events are more likely when more parties are involved, the iterative execution of bipartite schemes is favored. Similarly, increasing the loss transforms the same events, which are more likely with more parties, from neglected events (if they cause double clicks) to harmful events (when some photons get lost in the transmission), thus favoring the iteration of schemes with a low number of parties.

Figure C1. We also plot the direct transmission bound (equation (4.1), dashed line) for five parties. We observe that the optimized key rate outperforms the standard CKA especially at high losses (compare with the case N=5 in figure 2), since having a lower number of parties taking part in the CKA all at once reduces the negative effect of dark counts. (b) The optimal number of parties belonging to the subsets in which the total number of users (N=5) has been subdivided, as a function of the loss in one quantum channel, for different fixed values of q: q=0.995, 0.998 and 0.999 (bottom to top). We observe that performing a truly multipartite scheme could be optimal especially at low losses, i.e. when the parties' shared state is well approximated by a multipartite W state. We optimize the conference key rate achieved by N=5 parties over the cardinality of the subsets of parties performing the CKA all at once. The different keys established within each subgroup (which can be composed of either two, three or five parties each) are then used to encode the final conference key.

ORCID iDs
Federico Grasselli https://orcid.org/0000-0003-2966-7813