Anonymous and secret communication in quantum networks

Secure communication is one of the key applications of quantum networks. In recent years, following the demands for identity protection in classical communication protocols, the need for anonymity has also emerged for quantum networks. Here, we demonstrate that quantum physics allows parties - besides communicating securely over a network - to also keep their identities secret. We implement such an anonymous quantum conference key agreement by sharing multipartite entangled states in a quantum network. We demonstrate the protocol with four parties and establish keys in subsets of the network - different combinations of two and three parties - whilst keeping the participating parties anonymous. We additionally show that the protocol is verifiable and run multiple key generation and verification routines. Our work thus addresses one of the key challenges of networked communication: keeping the identities of the communicating parties private.

Quantum communication has developed from first proof-of-principle demonstrations to real-world applications. Since the first proposals of using quantum physics to establish secret keys between two parties more than three decades ago [1][2][3], numerous demonstrations of quantum key distribution have been performed. Starting from proof-of-concept experiments, intermediate and large-scale quantum networks spanning thousands of kilometres have recently been developed [4][5][6][7][8][9][10]. These experiments use single photons or entangled photon pairs to exchange a secret key between two parties and are known as quantum key distribution (QKD) protocols [11,12].
With growing complexity of quantum networks, new possibilities arise for multiparty protocols that go beyond bipartite secure communication. One example is conference key agreement (CKA), a cryptographic primitive that allows parties in a large-scale network to jointly establish a shared secret key [13]. Several approaches have been proposed with different requirements for quantum resources, ranging from bipartite to multipartite quantum states shared over the network. Interestingly, sharing multipartite states was shown to be more efficient in specific cases, e.g. for networks that have bottlenecks [14]. Recently, experimental implementations of CKA protocols have been performed [15].
Beyond the security of key generation, quantum networks open up a wide range of possibilities regarding other aspects of secure communication. One such aspect is anonymity [13,15-18]. In a broad range of cases, internet users put much effort into keeping their activities and identities secret. As classical networks are replaced by their quantum counterparts, anonymity will likewise be a vital requirement for networked quantum communication.
Various levels of anonymity can be envisioned, and there exist multiple real-life scenarios where the identities of one or more of the communicating parties need to be kept secret. One example is whistleblowing, where it is imperative that the identity of the sender is kept secret. Combining anonymity with the requirement for private communication between multiple parties leads to anonymous conference key agreement (ACKA) [16]. Here, the goal is to establish a secret key between several parties across a larger network in such a way that their identities are hidden from everyone else in the network, including each other, and are only known to the initiating party (see Fig. 1).
In this work, we demonstrate how to anonymously establish a secret key in a quantum network of four parties using multipartite entanglement. We focus on a protocol first proposed in [16], extending the work of [17,19] on bipartite key generation.
Our protocol works as follows: first, each party is notified whether they are meant to participate in the key exchange or not [20]. Then, Greenberger-Horne-Zeilinger (GHZ) states are repeatedly shared with all parties in the network, such that each party receives one qubit from every shared state [21][22][23][24][25]. A few of these shared states are used to generate a secret key; the majority is used to detect an eavesdropper or any deviation of the parties from the protocol, making the protocol also verifiable. In our implementation, we demonstrate six different configurations for anonymously establishing a secret key between a sender and one or two participants in a four-partite network.
[Figure: steps of the protocol. Step 1: Sender notifies the receivers. Step 2: Quantum server distributes GHZ state. Step 3: Non-participants measure in X-basis. Step 4 (key generation): Sender and participants measure in Z-basis. Step 4 (verification): Participants measure randomly in X-/Y-basis, sender chooses X or Y such that the number of Y's is even.]

I. THE PROTOCOL FOR ANONYMOUS CONFERENCE KEY AGREEMENT
The goal of the protocol is for a sender to anonymously establish a key with m participants of their choice while they form part of a larger network of n parties. The network is able to distribute a state between all n parties (cf. Fig. 2). The protocol starts with the n parties running a classical notification protocol that allows the sender to anonymously notify m participants, and thereby implicitly the non-participants [20]. This requires private classical communication between all pairs of parties. Once the participants are notified, the remainder of the protocol is repeated L times. In each round, a GHZ$_n$ state is distributed to the n parties and the non-participants measure their qubits in the X-basis. This results in a GHZ$_{m+1}$ state between only the sender and the participants, with an additional phase of ±1 depending on the parity ∆ of the measurement outcomes of the non-participants, i.e.
In order for this phase to be compensated, the non-participants publicly announce their measurement outcomes, while the participants hide their identity by announcing random bits. The sender can tell everyone apart and can now apply a local correction to her qubit, thereby canceling this phase. This allows the sender and the participants to anonymously 'extract' a smaller GHZ$_{m+1}$ state shared only between themselves. This state can consequently be used to anonymously generate a shared secret key due to its inherent correlations when measured in the computational basis.
Note, however, that the non-participants could have diverged from their expected behaviour, for instance by not measuring their qubits and announcing instead a random bit. This would allow them to be part of the key-generating network, without being noticed. To prevent this, the participants use a large percentage of the shared GHZ$_{m+1}$ states for anonymous verification. In these Verification rounds, the participants perform measurements of random stabilisers on the GHZ$_{m+1}$ state, whose outcome parity is known to be one. All participants announce their measurement bases and outcomes, while the non-participants announce two random bits concealing their roles. Only the sender is able to distinguish between these announcements and can thus validate the results. By performing D − 1 randomly chosen Verification rounds out of every D rounds in total, the sender can thus estimate the closeness of the distilled state to the ideal GHZ$_{m+1}$ state [26]. This guarantees that the resulting key is provably secure and secret, while also preserving anonymity as no communication takes place during the KeyGen rounds. We obtain a key of length L/D which is provably secure and the participants remain anonymous. Which of the rounds will be Verification rounds and which KeyGen rounds is decided by a 1/D-biased public source of randomness.

II. EXPERIMENTAL IMPLEMENTATION
We demonstrate anonymous verifiable conference key agreement in a network with four parties. We generate four-photon GHZ$_4$ states encoded in polarisation (H = 0, V = 1) using an all-optical setup as shown in Fig. 3 (a) and in more detail in Fig. 5 in the Appendix. The generated states have a fidelity of F = 0.85(±0.02), estimated via quantum state tomography [27].
The four-photon state allows us to demonstrate various configurations of the anonymous conference key agreement: a sender and two receivers, and a bipartite protocol with a sender and one receiver. In all configurations, as shown in Fig. 3 (b), all participating parties remain anonymous. As a consequence, the non-participants do not know which and how many parties are in the end sharing a secret key, since they cannot distinguish between the different configurations.
We assume that the classical Notification protocol has already been performed and we start by distributing the GHZ$_4$ states to all parties. First, the non-participants perform a measurement in the X-basis, resulting in a smaller GHZ$_3$ or GHZ$_2$ state.
We then randomly choose between KeyGen rounds and Verification rounds. In a KeyGen round, all participants measure in the Z-basis and exploit the correlations of the GHZ state for establishing a shared key. In the Verification rounds, each participant randomly measures in the X- and Y-basis and announces their basis together with their measurement outcome, while the sender announces random bits. Then, the sender performs either an X- or Y-measurement so that the total number of Y-measurements is even. Figure 3 (c) shows the different measurement configurations of each setting according to the protocol. In our implementation, all four measurements are implemented at the same time using motorised half-wave and quarter-wave plates, together with a polarising beam splitter.
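The round structure described above, simulated on a state vector, as an added example that is not code from the paper or the experiment. The four-party layout (sender 0, participants 1 and 2), the helper names, and the modelled deviation (a non-participant who measures Z instead of X and announces a random bit) are assumptions made for illustration.

```python
import math, random

S = 1 / math.sqrt(2)
H = [[S, S], [S, -S]]                 # rotates the X eigenbasis onto Z
HSDG = [[S, -1j * S], [S, 1j * S]]    # H·S†, rotates the Y eigenbasis onto Z
Z = [[1, 0], [0, -1]]

def apply1(psi, q, u):
    """Apply the 2x2 matrix u to qubit q of the state vector psi."""
    out, bit = psi[:], 1 << q
    for i in range(len(psi)):
        if not i & bit:
            a, b = psi[i], psi[i | bit]
            out[i] = u[0][0] * a + u[0][1] * b
            out[i | bit] = u[1][0] * a + u[1][1] * b
    return out

def measure(psi, q, basis, rng):
    """Projective X/Y/Z measurement of qubit q: (outcome bit, collapsed state)."""
    if basis != "Z":
        psi = apply1(psi, q, H if basis == "X" else HSDG)
    bit = 1 << q
    p1 = sum(abs(a) ** 2 for i, a in enumerate(psi) if i & bit)
    out = int(rng.random() < p1)
    norm = math.sqrt(p1 if out else 1 - p1)
    return out, [a / norm if bool(i & bit) == bool(out) else 0j
                 for i, a in enumerate(psi)]

def run_round(n, sender, participants, kind, rng, cheater=None):
    """'keygen' -> (members' bits, cheater's bit); 'verify' -> True if the test passes."""
    psi = [0j] * (1 << n)
    psi[0] = psi[-1] = S                          # GHZ state on n qubits
    members = [sender] + list(participants)
    delta, leak = 0, None
    for q in (q for q in range(n) if q not in members):
        if q == cheater:                          # assumed deviation: Z, not X
            leak, psi = measure(psi, q, "Z", rng)
            delta ^= rng.getrandbits(1)           # announces a random bit
        else:
            b, psi = measure(psi, q, "X", rng)
            delta ^= b                            # parity of announced outcomes
    if delta:
        psi = apply1(psi, sender, Z)              # sender's local phase correction
    if kind == "keygen":
        bases = ["Z"] * len(members)
    else:
        bases = [rng.choice("XY") for _ in participants]
        bases.insert(0, "Y" if bases.count("Y") % 2 else "X")  # make #Y even
    bits = []
    for q, basis in zip(members, bases):
        b, psi = measure(psi, q, basis, rng)
        bits.append(b)
    if kind == "keygen":
        return bits, leak
    # X...X Y^(2t) acts on the GHZ state with eigenvalue (-1)^t
    return sum(bits) % 2 == (bases.count("Y") // 2) % 2

def pass_rate(rounds, cheater, seed=1):
    rng = random.Random(seed)
    return sum(run_round(4, 0, [1, 2], "verify", rng, cheater)
               for _ in range(rounds)) / rounds
```

With honest parties every Verification round passes and all KeyGen bits agree; with the deviating party the KeyGen bits equal that party's own outcome, while Verification passes only about half the time.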
For each configuration we run the protocol between 150 and 300 times, each run corresponding to a specific measurement setting. For each run, we integrate over 10 min of measurement time; each four-photon event is considered a round; this leads to the total number of KeyGen and Verification rounds given in Fig. 4 (a).
We estimate the probability of a correct KeyGen round and a passed Verification for each run. We then calculate the averaged probabilities over all runs (see Fig. 4 (b)) for all measurement operators and all implemented three-partite (A, B, C and D) and bipartite (E and F) network configurations. The success probability averaged over all the KeyGen runs is 95.3 with a standard deviation of ±1.3%, whereas for the Verification rounds the average success rate is 89.3(±2.1)%.
The main source of noise in our implementation originates from higher-order emissions from the parametric down-conversion sources, which is about 3% of all fourfold coincidences at a pump power of 180 mW for each source. Furthermore, the generated Bell states show visibilities of about 0.97 when both qubits are measured in either the X- or the Z-basis. At the polarising beam splitter, we achieve two-photon interference visibility of 0.823 ± 0.02, mainly limited through higher-order emissions, residual distinguishability of the photons, and, in particular, imperfect mode overlap.
As displayed in Figure 4(a), the effective security parameter D ranges from about 20 to 32. If we just consider the number of Verification rounds vs. the number of KeyGen rounds, the probability 1/D of an adversary correctly guessing a round to be a KeyGen round is on average about 4% (see Appendix). In that case they can perform a Z measurement instead of an X measurement. Thus, they would effectively take part in the KeyGen round and could compromise the security of the key. Note that this is the probability per individual key bit, and all key bits are uncorrelated in this regard.
In our implementation, the probability of a successful Verification round is smaller than one. The worst-case scenario would be that all failed Verification rounds are accepted, but are in fact caused by a malicious adversary actively cheating. Then, the adversary can cheat during all these failed Verification rounds without being caught, thereby getting more 'tries' to cheat during the KeyGen rounds. In that case, the adversary has η(D − 1) of these extra attempts, where η is the failure rate of the Verification rounds. The average probability of the adversary correctly guessing the KeyGen round then becomes $\frac{1+\eta(D-1)}{D}$. In our experiment, the adversary has a probability of ∼ 14% of correctly guessing each KeyGen round averaged over all different configurations (see Appendix for individual values).
However, in reality, the fidelity of the GHZ$_4$ state is non-perfect, leading also to failed Verification rounds. We can estimate the expected failure rate due to noise based on the (non-unit) fidelity of the distributed GHZ$_4$ state. We look for a lower bound on the expected failure rate so that the adversary has the maximum number of cheating attempts based on our fidelity. Using the trace distance and relating it to the fidelity, the lower bound on the expected failure rate can be estimated to be $r_f \geq 1 - \sqrt{F}$. We then replace η by $\eta - r_f$, or 0 if this is negative. With this correction the probability of the adversary guessing the KeyGen round without being caught reduces to ∼ 7% in our experiment (see Appendix for more information).
In summary, our analysis shows that our KeyGen error rates are on average < 5% and are thus correctable using standard approaches. The probability of being correlated with the adversary can be bounded from above by 7%; additional correlations could be gained through error correction. Both contributions together are still expected to be within the limit that they can be reduced using privacy amplification [28]. Note that our arguments are meant to give an estimate of the viability of the experimental implementation and the subsequent post-processing steps. Performing these tasks in an anonymous fashion is a nontrivial task and further theoretical work is necessary to facilitate this.
Finally, we gather between 100 and 200 counts in each run of 10 minutes integration time, which corresponds to 0.16-0.33 bps. Taking into account that 1/30 to 1/20 are KeyGen rounds and the rest is Verification rounds, we get an effective key rate between 0.006 and 0.017. The classical post-processing necessary to obtain a perfectly secure key is, as mentioned before, out of the scope of this article, but it will affect the effective key rate.

III. DISCUSSION
We have demonstrated how to anonymously and verifiably establish a shared key between several parties using multipartite quantum resources and exploiting the correlations of GHZ states. This is a significant step towards achieving secure and anonymous quantum communication, adding to the recent theoretical and experimental achievements in the field [13,15-18].
For full-scale and real-life implementations of anonymous conference key agreement protocols, methods for error correction and privacy amplification need to be developed [29] and, also, finite key effects to be considered [15]. Even though we make a first attempt to quantify the effect of experimental imperfections on the security of the protocol, further research is still needed.
In this context, the effect of losses on general conference key agreement has been studied recently [30]; it would be interesting to investigate whether a similar approach can be deployed while preserving anonymity. Future steps will be the implementation of our protocol in larger-scale networks and active switching for closing loopholes [31]. Finally, it will be interesting to see whether anonymity can be maintained with multipartite entangled resources other than GHZ states.

APPENDIX
Here, we give more information on the experimental setup for the implementation of the anonymous conference key agreement protocol. The experimental setup for the generation of the four-photon GHZ state is depicted and described in Fig. 5. Fig. 6 depicts the reconstructed density matrix of the GHZ$_4$ state generated in the experiment. We also add more detailed information regarding the security parameters of our implementation. Fig. 7 shows the number of runs and rounds we perform in our experiment. In Fig. 8 we list the probabilities with which an adversary correctly guesses a KeyGen round for each configuration, assuming an ideal state or a non-ideal state.

Figure 8. Probabilities for a potential adversary to correctly guess which round is the KeyGen round for each configuration and multiple scenarios. In the first scenario, corresponding to the second column ("No failed Verification"), we assume the guessing probability is $\frac{1}{D}$. This means we consider the number of Verification rounds vs. KeyGen rounds, meaning that effectively no failed Verification is allowed. The second scenario, corresponding to the fourth column ("Worst case"), is a worst-case analysis, where all allowed Verification failures (from our experimental results) are assumed to come from a malicious, cheating adversary, such that the guessing probability becomes $\frac{1+\eta(D-1)}{D}$, where η is the failure rate of the Verification rounds. The third and final scenario takes a more realistic approach ("Non-unit fidelity"), where the non-unit fidelity of the shared GHZ$_4$ state is taken into account. Here, η is updated to correct for the fact that some of the Verification rounds will fail purely because of noise in the system; the updated guessing probability can be found in the sixth column. These are heuristic analyses, but the guessing probability p can be seen as (influencing) the information that the adversary possesses about the final raw key.
These correlations with the adversary have to be deleted in post-processing, giving up a fraction ∼ h(p) of the raw key, where h(p) is the binary entropy of p.