Efficient source-independent quantum conference key agreement

Quantum conference key agreement (QCKA) enables the unconditionally secure distribution of conference keys among multiple participants. Due to challenges in high-fidelity preparation and long-distance distribution of multi-photon entanglement, entanglement-based QCKA faces severe limitations in both key rate and scalability. Here, we propose a source-independent QCKA scheme utilizing the post-matching method, feasible within an entangled photon pair distribution network. We introduce an equivalent protocol that distributes virtual multi-photon entanglement, which provides the unconditional security proof even in the case of coherent attacks. For the symmetric star network, compared with the previous $n$-photon entanglement protocol, the conference key rate is improved from $O(\eta^{n})$ to $O(\eta^{2})$, where $\eta$ is the transmittance from the entanglement source to one participant. Simulation results show that our protocol has an advantage of multiple orders of magnitude at intercity distances. We anticipate that our approach will demonstrate its potential in the implementation of quantum networks.

Multi-photon entanglement-based QCKA protocols require the generation of Greenberger-Horne-Zeilinger (GHZ) states [37,42,45,50,51] or "twisted" versions of them [52-54] corresponding to the number of participants. When employing such protocols, both the system complexity and the error rate of the entanglement source increase significantly as the number of protocol participants rises. Several experimental studies [34,40,55-58] have already analyzed the actual performance of the GHZ state distribution protocol, such as the experiment based on the "N-BB84" protocol [40], the N-partite version of the asymmetric BB84 quantum key distribution protocol. This work utilized state-of-the-art four-photon entanglement sources, encrypting and securely sharing an image among four participants over 50 km fiber. This kind of protocol is still far from being realized. Challenges such as preparing multi-photon entanglement states [59,60], as well as issues like limited coincidence count rates, present significant obstacles.
A measurement-device-independent (MDI) QCKA protocol [25] was introduced to avoid the preparation and transmission of multi-photon entanglement states. It distributes post-selected GHZ entanglement, inspired by both the decoy state method and the entanglement swapping operation. Subsequently, various protocols use weak coherent-state sources as a substitute for the entanglement source, including schemes based on single-photon interference [36,44,61]. These types of protocol inherit features from the related twin-field quantum key distribution [12], which means strict requirements on the intensity and sending probability of signal states and decoy states. The optimal parameters change with both the number of participants and the distances between them. Moreover, these schemes rely on the independence of measurement devices and cannot be extended to scenarios involving more than three participants by only expanding system structures. Recently, an MDI-QCKA protocol based on spatial multiplexing and adaptive operation has been proposed [33], which has broken the limitation on key rate under multiple participants. However, in this work, confirming the arrival of transmitted photons requires quantum non-demolition measurements, and guiding these photons to the GHZ analyzer through optical switches necessitates high-speed active feedforward techniques. These technical requirements constrain its practical applications. The issues of poor practicality and low key rates in QCKA have not been completely addressed, particularly in scenarios involving multiple participants.
Quantum entanglement networks based on entangled photon pairs have achieved remarkable accomplishments through the utilization of spatial and wavelength multiplexing techniques [62-64]. Here, we propose a source-independent QCKA protocol based on a network of Bell states, which features straightforward hardware implementation and good scalability. With the aid of the post-matching method [65], measurement outcomes among participants can be correlated through a series of classical operations (note that the post-matching method has been extended to construct asynchronous measurement-device-independent quantum key distribution [10,11]). Thus, results equivalent to measurements of GHZ states can be obtained and the need for multi-photon entanglement sources is avoided. We employ an equivalent virtual protocol to prove that our scheme can resist coherent attacks. The simulation results and a composable finite-key analysis are also provided. The results indicate that our protocol achieves a transmission distance of over 320 kilometers under the condition of 6 participants. In the case of 3 participants, our protocol achieves a key rate three orders of magnitude higher than N-BB84 [45] at a transmission distance of 200 kilometers. As participant numbers increase, this key rate advantage becomes more evident. Furthermore, our protocol allows for freely adjusting the number of participants without altering the system structure of the entanglement provider and other protocol participants. The system of our protocol can be integrated into complex and dynamic quantum networks. We believe that our scheme provides a promising method for providing keys to multiple participants with one entangled photon pair source.

II. PROTOCOL DESCRIPTION
Our protocol is designed to be implemented on an entangled photon pair distribution network. Any network user can be a protocol participant. The setup of our scheme, depicted in Fig. 1, illustrates a centrally symmetric and source-independent design. To cover all wavelength channels effectively, we select a wavelength division multiplexer (WDM) based on the frequency range of the entanglement source. The generated Bell states, represented as , can be allocated to different participants through WDM and optical switch [66-68]. |0⟩, |1⟩ are a pair of eigenstates of the Z basis, and |+⟩, |−⟩ are a pair of eigenstates of the X basis, where The measurement results for |0⟩ and |+⟩ are noted as 0, and for |1⟩ and |−⟩, they are noted as 1. All participants have a set of devices to perform projection measurements on the received qubits.
With $n$ participants named Alice, Bob$_1$, Bob$_2$, ..., Bob$_{n-1}$, the entire process of our protocol is as follows:

1. Eve configures the optical switch according to the number and positions of the participants. Channel 1, 2, Eve prepares entangled photon pairs and distributes them to Alice and Bob$_i$ via WDM and optical switch. The entangled photon pairs respectively pass through corresponding channels, $i$ and $i'$.

2. Alice and Bob$_i$ each select a basis and perform projection measurements on qubits, recording the outcomes and chosen basis. The probability of selecting the Z basis is represented as $p_a$ ($p_b$) and the probability of selecting the X basis is $1 - p_a$ ($1 - p_b$). All participants announce the bases they selected in the past period of time through the classical channel in the agreed time slot. The events in which one entanglement state is successfully measured by both Alice and the corresponding Bob$_i$ under the same basis are denoted as valid events.

3. The participants apply the post-matching method to handle valid events under the Z and X bases. Alice and Bob$_i$ arrange the measurement results of valid events in order, represented as a iz

We provide a detailed explanation of the post-matching method using an example. In a three-party scenario, measurement events between Alice and Bob$_i$ ($i \in \{1, 2\}$) can be represented as $S^i_k$, where $k$ is the sequence of measurement events. It is supposed that the first four measurement events can be denoted in sequence as The superscript X indicates that Alice and Bob$_i$ both conduct measurements in the X basis, while the superscript Z means that Alice and Bob$_i$ both conduct measurements in the Z basis. The superscript D encompasses all other cases. In this scenario, the measurement results of S . Based on the self-inverse property of XOR, there are: Through the post-matching and data processing steps outlined above, Alice and Bob$_i$ establish correlations within each group of outcomes. They can obtain bit strings with GHZ correlation through the information processing steps above. There are: without considering noise.

4. Alice and Bob$_i$ use the valid events in the X basis for information leakage estimation, and the valid events in the Z basis for obtaining raw keys. The bit string for QCKA can be derived through error correction and privacy amplification [69] applied to the raw keys. The specific calculation steps are outlined in Sec. IV.
In our protocol, Bell states are generated and distributed by an untrusted provider (who can be the eavesdropper), which is similar to the Ekert91 [70] protocol. We make no assumptions about the light source in the protocol, and the attacker can generate any state he wants. However, we do need to make an assumption about the measurements of all participants, namely perfect Z and X bases. Since the participants randomly choose the Z and X bases for measurement, these disturbances inevitably lead to an increase in error rates, which is unavoidably detectable through error rate estimation. Therefore, our protocol is a source-independent protocol [71], circumventing the source vulnerabilities present in traditional prepare-and-measure protocols. Its security can be analyzed even when the source end is controlled by an untrusted node.
The distribution of Bell states instead of multi-photon entanglement states contributes to a simplified system design [34,72]. As the number of participants increases, the only requirement is adding detection devices with a corresponding number and connecting them to the optical switch through optical fibers. This scalability allows for the flexibility to add or remove participants as needed.

III. SECURITY ANALYSIS
In this section, we introduce a virtual protocol that can be transformed into the actual QCKA protocol outlined above to demonstrate the security of our scheme. The virtual protocol allows participants to employ quantum memory for storing the generated Bell states, while the classical data storage available to participants in the actual protocol only permits them to store the results of projection measurements. The correlations among the multiple stored Bell states are established by quantum gates, resulting in a different sequence of operations and measurements in the virtual protocol compared to the actual one. Figure 2 illustrates the generation process of GHZ states. Through multi-party entanglement purification [69,73,74], the noise introduced during the protocol can be eliminated, leading to the attainment of maximum entanglement. The specific steps of the virtual protocol are as follows:

1. In the case of $n$ protocol participants, the polarization-entangled photon pair source generates $n-1$ pairs of Bell state . One of the qubits in each Bell state is distributed to Alice and the other to the corresponding Bob$_i$. Alice and Bob$_i$ store them in quantum memory. The total system of the generated Bell states is given by:

2. Alice and Bob$_i$ establish entanglement among the qubits they store by performing multiple CNOT operations. Taking $a_1$ as the control bit, Alice performs local CNOT operations with $a_2, a_3, \cdots, a_{n-1}$ in order. Following this, the participants perform non-local CNOT operations sequentially on $a_i$ and the corresponding $b_i$ ($i \in \{2, 3, \cdots, n-1\}$) as control and target bits, respectively. Without considering the noise, the evolution processes of the quantum state are as follows: The state of subsystem

3. After obtaining a sufficient number of noisy GHZ states, the participants select a subset of them and perform measurements in the X basis to estimate parameters. Subsequently, they perform purification on the remaining GHZ states, extracting approximately pure GHZ states. The measurements of these GHZ states are performed in the Z basis. Alice and Bob$_i$ record the results as secret keys.
The steps of the virtual and actual protocols correspond one-to-one. Quantum memory corresponds to classical data storage. While quantum memory stores and retrieves quantum information using qubits, classical data storage performs a similar function in classical computing by storing and retrieving classical bits. The CNOT operations are equivalent to XOR operations and bit flips. For the Z basis, the local CNOT operations correspond to XOR operations between $a^{1z}_j$ and $a^{iz}_j$, $c^{iz}_j = a^{1z}_j \oplus a^{iz}_j$, in the actual protocol. The non-local CNOT operations correspond to deciding whether to perform a bit flip on $b^{iz}_j$ based on $c^{iz}_j$. For the X basis, the local CNOT operations correspond to that Alice performs computation . The non-local CNOT operations do not affect the measurement outcomes in the X basis.
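The classical operations just described can be run on constructed data to see why each Bob ends up with Alice's first string up to his own link's errors. This is an added example, not code from the paper: the function names are hypothetical, the sample outcomes are generated, and the X-basis rule (Alice XORs her X outcomes over all links) is an assumption filled in because the page's expression is not shown.

```python
import random
from functools import reduce
from operator import xor


def sample_links(n, rounds, e, rng):
    """Constructed sample data for one basis: outcomes on n-1 Bell pairs.

    Row i is the link Alice-Bob_{i+1}. Returns (a, b, err) with
    b[i][j] = a[i][j] ^ err[i][j] and P(err = 1) = e on every link.
    """
    a = [[rng.getrandbits(1) for _ in range(rounds)] for _ in range(n - 1)]
    err = [[int(rng.random() < e) for _ in range(rounds)] for _ in range(n - 1)]
    b = [[x ^ f for x, f in zip(ra, rf)] for ra, rf in zip(a, err)]
    return a, b, err


def post_match_z(a, b):
    """Z basis: returns (Alice's raw key, announced c strings, each Bob's raw key)."""
    key_a = a[0]
    # c^{iz}_j = a^{1z}_j XOR a^{iz}_j, sent over the classical channel
    c = [[a1 ^ ai for a1, ai in zip(key_a, row)] for row in a[1:]]
    # Bob_1 keeps his bits; every other Bob flips b^{iz}_j when c^{iz}_j = 1
    keys_b = [b[0]] + [[bi ^ ci for bi, ci in zip(rb, rc)]
                       for rb, rc in zip(b[1:], c)]
    return key_a, c, keys_b


def post_match_x(a, b):
    """X basis (assumed rule): parity of Alice's XORed outcomes and all Bobs'.

    A 0 means the round satisfies the GHZ X-correlation, a 1 is an X error.
    """
    alice = [reduce(xor, col) for col in zip(*a)]
    bobs = [reduce(xor, col) for col in zip(*b)]
    return [x ^ y for x, y in zip(alice, bobs)]


def rates(n=4, rounds=20000, e=0.03, seed=1):
    """Empirical marginal Z error per Bob, total Z error and total X error."""
    rng = random.Random(seed)
    az, bz, _ = sample_links(n, rounds, e, rng)
    ax, bx, _ = sample_links(n, rounds, e, rng)
    key_a, _, keys_b = post_match_z(az, bz)
    marginal = [sum(k ^ x for k, x in zip(key_a, kb)) / rounds for kb in keys_b]
    total_z = sum(any(kb[j] != key_a[j] for kb in keys_b)
                  for j in range(rounds)) / rounds
    total_x = sum(post_match_x(ax, bx)) / rounds
    return marginal, total_z, total_x


if __name__ == "__main__":
    print(rates())
```

After post-matching, Bob$_i$'s disagreement with Alice is exactly the error pattern of his own link, and the X-basis parity is the XOR of all link errors, so an even number of discordant links cancels.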
Entanglement purification can be converted into quantum error correction [69,74], where the Calderbank-Shor-Steane code is divided into two subcodes, designed for qubit flip errors and phase errors, respectively. The correction of qubit flip errors and phase flip errors corresponds to classical bit error correction and privacy amplification, respectively. Considering the monogamy of entanglement [75], these obtained pure GHZ states leak almost no information to eavesdroppers. Therefore, the actual protocol is equivalent to the virtual protocol and can effectively prevent information leakage.

A. Calculation of the key rate
According to the description of the protocol above, the bit strings with entanglement correlation are finally shared by the protocol participants. The key rate in the asymptotic case [25,33] is given by: where $Q_Z$ is the gain of the system in the Z basis, $E_{X(n)}$ is the total bit error rate in the X basis, and $E^{1,i}_Z$ indicates the marginal error rates between Alice and the corresponding Bob$_i$. $f$ represents the error correction efficiency, and We denote the efficiency of all detectors as $\eta$. Considering the central symmetric network architecture, the quantum channel efficiency of Alice and Bob$_i$ can be obtained: 10 , where $\alpha$ is the optical fiber attenuation coefficient, and $L$ is the length of optical fiber between participants and the untrusted entanglement provider. Taking into account the type-II source of polarization entanglement, the gain for $k$-photon pairs [76,77] is as follows: By summing up $Q_k$, we can get the gain in the Z basis of the two-party entanglement system: where $\lambda$ is half of the expected photon pair number $\mu$, and $Y_{0A}$ ($Y_{0B}$) is the detector dark count. Due to the entangled photon pair source, we only need to consider the collection efficiency of the two participants involved. The gain of the system remains unchanged with variations in the number of participants. Considering the symmetry between measurements in the Z and X bases, we can derive the bit error rate $e$ in them: where $e_0$ is the background error rate and $e_d$ is the misalignment rate. $e$ represents the probability that Alice and Bob$_i$ have discordant outcomes in a single valid event.
To estimate $E_{X(n)}$ and $E^{1,i}_Z$, we present tables in Fig. 3 for the measurement results in the three-party scenario and extend the analysis to multiple participants, assuming that no errors are introduced during the classical operations. According to Fig. 3a, the generation of a correct key becomes unattainable if any one measurement result in the Z basis contains an error. Since the marginal error rates $E^{1,i}_Z$ are exclusively introduced by the discordant outcomes of Alice and Bob$_i$ in a single valid event, there are $E^{1,i}_Z = e(1 - e) + e^2 = e$, which remains unaffected by variations in the number of participants. The total bit error rate of $n$ participants, where at least one measurement result of Bob$_i$ differs from Alice's in the Z basis, is as follows: While entangled photon pairs are measured in the X basis, the data in the first and fourth rows in Fig. 3b satisfy Eq. 3. Therefore, in the three-party scenario, the total bit error rate in the X basis is denoted as
Considering the identity property of the XOR operation, with an even number of incorrect measurements, the correctness of the results will not be affected. In this case, the key distribution is considered to be successful. Otherwise, it is deemed a failure. In the expansion of $E_{X(n)}$, there are no even-powered terms of $e$, while odd-powered terms remain unaffected: When $n$ is an even number, $t = \frac{n}{2} - 1$. When $n$ is an odd number, $t = \frac{n-3}{2}$.

The finite key analysis for the experiment is provided below. The universally composable security framework is employed as our security criteria. We define the length of the security key as $L_{\rm QCKA}$ according to the calculation in Ref. [33,45,78]: where $n_z$ is the number of entangled pairs measured in the Z basis. $\phi_z$ is the upper limit of the phase error rate in the Z basis considering statistical fluctuations. $\varepsilon_{\rm cor}$ is the failure probability of error verification, and $\varepsilon_{\rm sec}$ is the failure probability of privacy amplification [36].
Due to the challenge of counting phase errors in valid events, it is not feasible to obtain the phase error rate in the Z basis directly. However, since the density matrix of the $n$-photon state is the same in the Z and X bases, bit flips in the X basis correspond to phase flips in the Z basis. Consequently, we can utilize the property that the phase error rate in the Z basis is identical to the bit error rate in the X basis to calculate $\phi_z$.

FIG. 4: rate of our protocol and N-BB84. Under the conditions of perfect entanglement sources, we numerically simulate the key rate for different numbers of participants (3, 4, 5, 6) using the parameters in Table I. The horizontal axis represents the distance between the central node and each participant; the vertical axis is the conference key rate (per pulse). The solid line represents the key rate of our protocol, while the dashed line represents that of the N-BB84 [45] protocol.
FIG. 5: Simulation schematic under finite key conditions. The solid lines represent the key rates corresponding to different key lengths in the case of three participants, while the dashed lines indicate the key rates in the scenario of five participants. $N$ is the number of pulses allocated to each participant by the entanglement source. The vertical axis is the conference key rate (per pulse).

FIG. 6: Simulation schematic under different misalignment rates of the basis. We provide the asymptotic key rate under the scenario of three participants. Our protocol can still achieve a transmission distance exceeding 300 kilometers with a misalignment rate of 0.05 for the basis. The vertical axis is the conference key rate (per pulse).

We define the superscript * and the overline to denote the expected value and the observed value, respectively. The number of bit errors in the X basis can be defined as $m_x = N Q_X E_{X(n)}$, assuming that the gain in the X basis $Q_X = Q_Z$. Then the numerical equation for the variant of the Chernoff bound [78,79] is used to obtain the limit of the expected value $m_x^*$: $m_x^* = m_x + \beta + \sqrt{2\beta m_x + \beta^2}$, in which $\beta = -\ln \varepsilon$ and $\varepsilon = 10^{-10}$ is the failure probability. Since the phase error rate in the Z basis is identical to the bit error rate in the X basis in the asymptotic limit, there is $m_{zt}^* = m_x^* n_z / n_x$, where $m_{zt}^*$ represents the upper limit of the expected number of qubits with phase errors in the Z basis. Subsequently, a similar procedure is employed to estimate the upper limit of the number of phase errors observed in the Z basis: $\overline{m}_{zt} = m_{zt}^* + \frac{\beta}{2} + \sqrt{2\beta m_{zt}^* + \frac{\beta^2}{4}}$. Ultimately, the upper limit of the phase error rate can be determined as $\phi_z = \overline{m}_{zt} / n_z$.
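The finite-key estimate of the phase error rate described above can be carried through numerically to see how large the statistical penalty is at a given data size. This is an added example, not code from the paper: the function names are hypothetical, the sample sizes are constructed, and the binomial form used for the X-basis error rate is an assumption derived from the text's description (an odd number of discordant links, summed up to the stated $t$).

```python
import math


def total_error_x(n, e):
    """X-basis total error for n participants: odd number of discordant links.

    Assumed form: sum over k = 0..t of C(n-1, 2k+1) e^(2k+1) (1-e)^(n-2-2k),
    with t = n/2 - 1 for even n and t = (n-3)/2 for odd n, as stated in the text.
    """
    t = n // 2 - 1 if n % 2 == 0 else (n - 3) // 2
    return sum(
        math.comb(n - 1, 2 * k + 1) * e ** (2 * k + 1) * (1 - e) ** (n - 2 - 2 * k)
        for k in range(t + 1)
    )


def expected_upper(observed, beta):
    """Chernoff variant: upper limit of the expected value from an observed count."""
    return observed + beta + math.sqrt(2 * beta * observed + beta ** 2)


def observed_upper(expected, beta):
    """Chernoff variant: upper limit of the observed count from an expected value."""
    return expected + beta / 2 + math.sqrt(2 * beta * expected + beta ** 2 / 4)


def phase_error_upper(n_z, n_x, m_x, eps=1e-10):
    """Upper limit phi_z of the Z-basis phase error rate from X-basis bit errors."""
    if n_z <= 0 or n_x <= 0 or m_x < 0:
        raise ValueError("counts must be positive and m_x non-negative")
    beta = -math.log(eps)
    m_x_star = expected_upper(m_x, beta)        # m_x^*
    m_zt_star = m_x_star * n_z / n_x            # rescale to the Z-basis sample
    m_zt_bar = observed_upper(m_zt_star, beta)  # overline{m}_zt
    # Clipping at 0.5 is an added convention: no key can be extracted beyond it.
    return min(0.5, m_zt_bar / n_z)


def penalty_table(n, e, sizes=(1e4, 1e6, 1e8, 1e10)):
    """phi_z for constructed sample sizes n_x = n_z = s with m_x = s * E_X(n)."""
    e_x = total_error_x(n, e)
    return [(int(s), phase_error_upper(s, s, s * e_x)) for s in sizes]


if __name__ == "__main__":
    for size, phi in penalty_table(3, 0.03):
        print(f"n_z = n_x = {size:>12d}  phi_z <= {phi:.6f}")
```

The bound approaches the X-basis error rate only as the number of valid events grows, which is why the finite-key curves fall off at shorter distances than the asymptotic ones.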

B. Simulation results
The convex optimization algorithm is used to simulate the protocol. We provide the asymptotic key rates for both our protocol and N-BB84 in Fig. 4. For a fair comparison, it is assumed that perfect entanglement sources are used in the system, which means a guarantee of perfectly entangled photon pairs. The specific parameters used are shown in Table I. The results show that under identical experimental parameters and post-processing procedures, our protocol consistently exhibits a higher key rate and achieves a longer transmission distance. At a transmission distance of 200 km, the key rate of our protocol can be three orders of magnitude higher than that of N-BB84. The advantage becomes more evident with an increasing participant number. Our protocol still achieves successful key generation with 6 participants at 320 km. The robustness of our protocol as the number of participants rises is attributed to the improvement of the valid event probability. Therefore, the protocol's key rate is enhanced from $O(\eta^{n})$ to $O(\eta^{2})$, making it more suitable for large-scale quantum networks compared to previous entanglement-based QCKA protocols.
We have also calculated the key rate under different constraint conditions, taking the imperfect source into consideration. Figure 5 shows the key rate at different distances under finite-key conditions when the number of participants is 3 and 5, which provides a reference for the application of the protocol. Under the condition of five participants, our protocol maintains the ability to generate keys at a distance of 140 km when $N = 10^{11}$. Figure 6 illustrates the key rate under different values of $e_d$ in the case of three participants. The transmission distance can reach more than 300 km with a basis misalignment rate of 5%, which means it can withstand more interference from the field environment.

V. CONCLUSION
We have proposed a QCKA scheme based on Bell states, which can be extended to an arbitrary number of participants. The protocol establishes correlations among the measurement results of Bell states through classical operations and the post-matching method, thereby avoiding the challenges in generating multi-photon entangled states. A performance comparison with N-BB84 and a finite key analysis, considering composable security, are provided. Simulation results show that our protocol achieves a transmission distance exceeding 320 kilometers in the case of 6 participants and can tolerate a 5% misalignment rate of the basis, which represents an improvement over existing entanglement-based protocols. In recent years, significant progress has been made in the advantage distillation technique [80,81] within the realm of quantum key distribution. This technique enhances the correlation between raw keys, allowing for greater tolerance to channel loss and error rates. It is foreseeable that advantage distillation will be widely applied in QCKA. We believe that incorporating this technique into our protocol can further enhance its performance.
The flexibility and scalability of our protocol enable the free selection of new participants from network users, without requiring hardware changes for existing participants and entanglement providers. Therefore, our protocol can be inserted into the entanglement network with plug-and-play capability. Additionally, it constitutes a crucial application of the post-matching method, indicating greater adaptability to multi-party applications. Similar to Ref. [35], our protocol requires only minor adjustments to basis selection probabilities and post-processing procedures for efficient execution of quantum secret sharing tasks. This suggests the potential for extending our protocol to other areas of quantum cryptography.
FIG. 1: The setup of the QCKA protocol. The untrusted entanglement provider at the central node, named Eve, employs a polarization-entangled photon pair source to generate entangled photon pairs. These pairs can be distributed to Alice and Bob$_i$ through the wavelength division multiplexer (WDM) and optical switch. Alice and Bob$_i$ utilize a combination of polarization controller (PC), beam splitter (BS), half-wave plate (HWP), polarization beam splitter (PBS), and superconducting nanowire single-photon detector for their detection apparatus.
is the index of Bob and $j$ indicates the sequence of outcomes. They classified the valid events according to the selected basis and matched the measurement results in the same basis sequentially. Considering their common origin in the same Bell state, $a^{iz}_j$ the effect of noise.

FIG. 3: The error rate analysis. The probabilities of various outcomes arising after measurement and classical operations are provided. (a) The second and fourth rows of the table represent the marginal error rate $E^{1,1}_Z$. The third and fourth rows represent the marginal error rate $E^{1,2}_Z$. (b) The second and third rows represent the total error rate $E_{X(3)}$, which is the probability that measurement results fail to satisfy entanglement correlation.

TABLE I: Simulation parameters. $e_0$ is the background error rate. $e_d$ is the misalignment rate. $\eta_d$ is the detection efficiency of single photon detectors. $p_d$ is the dark count rate. $\alpha$ is the attenuation coefficient of the ultra-low-loss fiber. $f$ is the error correction efficiency. $\varepsilon_{\rm cor}$, $\varepsilon_{\rm sec}$ are the parameters of correctness and privacy.