Experimental anonymous quantum conferencing

Anonymous quantum conference key agreement (AQCKA) allows a group of users within a network to establish a shared cryptographic key without revealing their participation. Although this can be achieved using bi-partite primitives alone, it is costly in the number of network rounds required. By allowing the use of multi-partite entanglement, there is a substantial efficiency improvement. We experimentally implement the AQCKA task in a six-user quantum network using Greenberger-Horne-Zeilinger (GHZ)-state entanglement and obtain a significant resource cost reduction in line with theory when compared to a bi-partite-only approach. We also demonstrate that the protocol retains an advantage in a four-user scenario with finite key effects taken into account.


INTRODUCTION
A wide range of modern communication tasks involve group settings where multiple parties communicate, e.g. in a conference call, or in a sensor network [1][2][3][4][5][6][7].These group sessions can be secured cryptographically, in addition one may require anonymity where sub-groups can communicate securely without revealing their participation to the wider group.Anonymous group encryption can be built up from pair-wise encryption for which can be made unconditionally secure via quantum key distribution [8].Multi-partite entanglement can be used to establish a group key between N users, consuming (N − 1) times fewer network resources than equivalent pair-wise entanglement schemes; this task is known as quantum conference key agreement [9][10][11][12][13].More recently, it has been shown that anonymous quantum conference key agreement (AQCKA) [14] obtains a larger efficiency advantage from multi-partite entanglement with a theoretical maximum of N (N − 1) for an N -user network [15].More so, by increasing the anonymity criteria of this task, an even larger advantage of up to N (N − 1) 2 can be achieved.
There are different ways to realise a quantum network.A modular approach uses underlying entanglement already present in the network, entangling operations and local operations to dynamically allocate the desired quantum resources to users [16,17].A more direct approach to realise a network invokes a central quantum server, which directly generates and distributes entangled resources to required parties [8,12,18,19].We consider the task of AQCKA with the latter network approach, as illustrated in Fig. 1, where N users are connected to the quantum server.
The task is outlined as follows.Users form two subsets: M keyholders (including a sender) while remaining N − M as non-keyholders.The keyholders' aim to establish a conference key, co-ordinated by the sender, while the non-keyholders do not learn the key nor iden-tities of keyholders.Bi-partite resources are distributed in an all-to-all configuration for pairwise keys to satisfy anonymous subprotocols [8,20].This ensures anonymity whereby any user adopts the role of sender by first carrying out a subroutine to ensure only one sender is attempting to initialise AQCKA.Upon success, the sender anonymously notifies only the keyholders of the conference key agreement subroutine, which determines how the shared entanglement is to be used to securely distill the conference key.Once the roles have been assigned, every round requires users to perform measurements on their resource to either distill a raw key, or check for eavesdropping.At this stage, users can conduct the remaining steps of the protocol with either bipartite resources, or multi-partite resources through either a maximally-entangled GHZ state [14,15,21] or a linear cluster [22,23].The non-keyholders, unaware of who the keyholders are, repeatedly perform disentangling measurements for the multi-partite variant.Any deviation by non-keyholders, or interaction by an unwanted eavesdropper, will introduce noise that is detected during parameter estimation-a step dedicated to testing the errors in the distributed state, and will lead to the protocol being aborted.Provided the protocol does not abort, the sender anonymously broadcasts the information the keyholders require to perform error correction on their respective raw keys, followed by a verification round to ensure the keys are identical.Lastly, the keyholders implement privacy amplification on their key to arrive at the final secret conference key.
In this work, we experimentally perform multi-partite and bi-partite variants of AQCKA by generating a sixqubit photonic GHZ state that is distributed from a central server, forming a six-user network.To realise each variant, users perform different measurements on the network to distill either Bell pairs for bi-partite resources or GHZ states for multi-partite resources.The key rate performance, in the asymptotic limit, is evaluated for both variants with two different anonymity conditions in a six-user network.Using a four-user network and con- 2 unique pairwise keys.The sender (blue) assigns each user their role via anonymous messaging primitives, e.g., keyholders (black) and non-keyholders (gray).The anonymous conference key can be established by consuming N (N − 1) bi-partite key bits per conference key bit (see red path).Alternatively, by sharing N -party GHZ states and applying a pre-shared measurement sequence, the group can directly obtain up to one conference key bit per copy of the GHZ state (see blue path).
sidering finite-key effects, we provide an in-depth analysis of AQCKA based on multi-partite entanglement to highlight the amount of rounds required for performing each subprotocol and the finite-key rate.

EXPERIMENT
We prepare the six-photon GHZ state using three entangled-photon-pair sources as shown in Fig. 2. The sources exploit type-II parametric down-conversion using aperiodically-poled KTP (aKTP) crystals tailored to produce spectrally separable biphoton states.This suppresses unwanted spectral correlations created in conventional parametric down-conversion sources allowing us to omit narrowband spectral filtering which improves photon-pair coupling efficiencies [24,25].All three sources are pumped by a mode-locked laser that produces 1.3 ps pulses at a repetition rate of 80 MHz and centre wavelength of 775 nm, creating degenerate telecom photon pairs at 1550 nm.We create polarisation-entangled photon pairs by optically pumping the aperiodicallypoled KTP crystal bidirectionally in a Sagnac configuration [26] to produce the |Φ + ⟩ Bell state with pair production rate of ∼ 2 × 10 3 Hz/mW/s.Two linear optical fusion gates interfere photons from separate sources in order to create the six-photon GHZ state.The success of these fusion gates is conditioned on the detection of a single photon in each measurement stage, see Fig. 2 for details.We measure an average six-photon rate of 0.67 Hz for a pump power of 300 mW.We also prepare a four-photon GHZ state, using two sources and one fusion gate, measuring a four-photon rate of 41.6 Hz at 300 mW.
To characterise the quality of our photonic GHZ states, we establish a lower-bound fidelity to the ideal state through stabiliser measurements [27].Our estimated fidelities for the four-and six-photon GHZ states are 0.933(4) and 0.825 (5) respectively at a nominal pump Each EPS embeds an aKTP crystal in a Sagnac configuration consisting of a dual-wavelength polarising beamsplitter (dPBS), half-wave plate (dHWP) and dichroic mirror (DM).Diagonally-polarised pump photons propagate clockwise and anti-clockwise to generate orthogonally polarised photon-pairs through type-II spontaneous parametric downconversion process in the aKTP crystal.The photon pairs are separated by the dPBS, upon which they are coupled into single-mode fibres.Two fusion gates (FG) are realised by interfering two photons on a PBS, with a delay stage (δτ ) to ensure temporal indistinguishability. Two quarter-wave plates (QWP) and a HWP compensate for phase effects in the FGs.All six photons are then sent to measurement stages (M) featuring a QWP, HWP and PBS, with both outputs coupled to superconducting nanowire single photon detectors (SNSPD).
power, see Appendix for further details.In the AQCKA task, both bi-partite and multi-partite resources are required from the quantum server which is distributing GHZ states in every round of the task.When a smaller GHZ state or Bell pair is required, non-keyholders locally measure their photon in the Pauli-X basis to disentangle themselves from the network, whilst keyholders measure in the Pauli-Z basis.For example, to obtain a Bell pair resource in a six-party network, four users measure in X and the remaining two measure in Z.As a result, the generation rate of the Bell pairs is the same as the fullsized GHZ state as post-selecting on six-folds is required for the N = 6 case.

Asymptotic-key regime
We first evaluate the performance of the AQCKA protocol without multi-partite entanglement, denoted AQCKA B henceforth and detailed in Appendix, by measuring the noise terms of every Bell pair in the six-user network.This yields fifteen configurations of user pairs indexed by q and t, where {q, t} ∈ 1, ..., 6 and t > q.In each case we measure the quantum bit error rate (Q q,t Zb ) and phase error (Q q,t Xb ) respectively.Each user pair implements standard BBM92 protocol [28] to establish bipartite secret keys, whose asymptotic key rate (AKR) is given by: σ q,t B = 1 − h(Q q,t Zb ) − h(Q q,t Xb ), where h(•) denotes the binary entropy function.These key rates dictate the overall performance of AQCKA B as the protocol relies exclusively on the bi-partite keys to transmit the conference key directly to the keyholders.In particular, in the asymptotic limit of infinitely many rounds, the amount of bi-partite keys used for the initial designation of each users' role becomes negligible-which is also the case for AQCKA with multi-partite entanglement.What impacts the performance of AQCKA B is the distribution of the conference key to the intended keyholders: for each conference key bit, the protocol consumes N (N − 1) bits from the bi-partite keys, independently of the actual number of keyholders.The resulting AKR for AQCKA B is r ∞ B = 0.0109(2) (for more details on the calculation see Appendix).We remark that the AQCKA approach without multi-partite entanglement does not require anonymity in its quantum phase, i.e., when the bi-partite keys are established, and can thus rely on conventional QKD primitives.The anonymous distribution of the conference key is then carried out with classical anonymous messaging primitives [20] based on the established bi-partite keys.
Next, we evaluate the performance of AQCKA M which uses multi-partite entanglement in the form of six-party GHZ states.Once users are notified of their roles, nonkeyholders measure only in the X basis while keyholders measure in either Z or X, following the prescribed testkey sequence, corresponding to key-generation and test rounds respectively.The group collectively estimate the phase error, Q X , by announcing their X measurement outcomes using anonymous messaging primitives.Unlike in conventional conference key agreement protocols, the key error rate Q Z , which is defined as the maximum pairwise error, is not estimated during the protocol.Instead, the keyholders will use a pre-established Q Z that is representative of the network, which allows fewer anonymous messaging rounds while allowing error correction to take place-see Appendix for a detailed description of AQCKA M protocol.For the purposes of providing a complete characterisation of the network, we measure Q Z for all possible configurations of keyholders.We obtain the asymptotic key rate of r ∞ M = 0.235 (12), which corresponds to an increase over the AQCKA protocol without multi-parite entanglement of r ∞ M /r ∞ B = 21.6(1.1).Theoretically we expect a ratio of 30 for our N = 6 network, however this only holds in the ideal scenario where noise is symmetric.In practice, channel noise will impose a higher penalty on the AQCKA M protocol, as we must operate under the highest link noise to preserve anonymity.
Using the same data set, we evaluated the performance of a related AQCKA task, denoted fully-AQCKA in [15], that demands a stronger anonymity condition where even the keyholders are oblivious to each other (except for the sender who selects the keyholders).The immediate consequence of this modification is that the keyholders can no longer use a pre-shared conference key to perform efficient multi-party error correction, instead they must use the more costly bi-partite private channels.Similarly, the amount of bi-partite resources consumed by the protocol without multi-partite entanglement increases by an extra factor of (N − 1) in order to hide the identity of the sender.In this scenario, a maximum multi-partite resource advantage of N (N −1) 2 can be obtained which for a N = 6 network is 150.However this advantage quickly diminishes with increasing Q Z , due to a larger overhead in the required anonymous messaging for error correction.Our noise parameters lead to a r ∞ fully-M = 0.0075(6) which equates to a multi-partite resource advantage of 3.42 (27) which is not unexpected owing to the strong Q Z dependence.For further information on this scaling and the protocols, see Appendix.

Finite-key regime
When a finite number of rounds are performed, the correct designation of the users' roles, the conference key security, and the anonymity of the keyholders cannot be attained with certainty.To account for a small probability of failure, ϵ, for each of these three features, we adopt the ϵ-secure framework introduced in [15] as an extension of the composability framework of QKD [29].In this framework, the conference key length (ℓ) depends on the total number of protocol rounds (L tot ), as well as on the parameter ϵ.For example, the conference key length of AQCKA M with finite-key effects reads: where: L is the number of multi-partite rounds, p is the fraction of the multi-partite rounds that are used for parameter estimation and γ is the statistical fluctuation of Q X .We do not consider statistical fluctuations of Q Z since the accepted error rate is fixed before running the protocol and does not affect the secrecy of the key.Finally, C > 0 is a constant which includes some of the ϵ parameters: C = log 2 (2(N − 1)/ϵ EC ) + 2 log 2 (1/2ϵ P A ) + N .Both γ and L are functions of L tot , p, and the ϵ parameters of the protocol.In parallel, the total security parameter of the protocol depends on the ϵ parameters and is fixed to ϵ tot = 1 × 10 −8 .We refer the reader to Appendix for more details.
We analyse the finite-key rate of AQCKA M in a smaller network of N = 4 users, instead of N = 6 used for the AKR evaluations, to increase the raw key generation rate with three users being keyholders.In L multipartite rounds, the users share four-photon GHZ states to extract shared key bits.In L B = L tot − L bi-partite rounds, Bell pairs are shared between pairs of users to establish six bi-partite keys used for anonymous classical subprotocols.The finite-key rate (FKR) is defined as the fraction of secure conference key bits established per round (ℓ/L tot ).In Fig. 3 we optimized the FKR by numerically maximizing the key length in (1) over the ϵ parameters and p, while keeping the total security parameter fixed.We measured Q X and Q Z to be 0.0304(1) and 0.01589(5) respectively and use these noise parameters to numerically simulate the FKR, shown as the blue trend line in Fig. 3. Further, we simulate the AQCKA B FKR as a comparison (red line in Fig. 3), whose finite-key length (ℓ ′ ) is reported in Appendix.Note that while the AQCKA B protocol reaches the expected AKR for symmetric noise across all pairwise channels for low number of rounds, the FKR is on par with AQCKA M and then drastically overtaken from 2 × 10 5 rounds on wards.
In a real scenario, a round constitutes an instance where all users detect one photon.Therefore, instead of a collecting measurement statistics over some time, we allocate a measurement time sufficient to detect only a single four-photon generation event per round.The yellow points in Fig. 3 show the experimentally measured FKR for increasing L tot up to 6.5 million rounds.Each yellow data point has a fixed Q Z , but a different Q X -found by evaluating the average error in the joint-X measurements from a random sample of Lp test rounds.Note that we account for finite-key effects even in the generation of the pairwise keys with the L B rounds, where Q Zb is also fixed to the maximum pairwise error rate: 0.0144 (3).We highlight four points, labelled A-D, and show in an inset how their respective L tot is decomposed into multi-partite and bi-partite rounds.At D, with 6.5 million rounds and an FKR of 0.47, we obtained a secure and anonymous conference key of approximately 3 Mbits. .The FKR of the AQCKAM protocol, given by ℓ/Ltot, with ℓ given in (1).The yellow points are experimental data points while the blue line is a simulation of the FKR for fixed noise parameters evaluated from the experiment: QX = 0.0304(1), QZ = 0.01589 (5) and Q Zb = 0.0144 (3).The rounds are partitioned into the multi-partite rounds for key generation and testing, and bi-partite rounds for establishing pairwise keys to run classical subprotocols anonymously.The dashed line at the top shows an AKR of the AQCKAM protocol of 0.6853(2), which is the asymptotic limit of the FKR.The dotted line is the AQCKAB AKR of 0.0579(4) and the red line is the corresponding FKR given by ℓ ′ /Ltot, with ℓ ′ reported in Appendix.

DISCUSSION
The drastic resource advantage AQCKA M offers is observed in networks, and similar to QCKA [13] our main premise is that the multi-node network resources are provided in the background, as might be the case in a future quantum internet.Despite the considerable resource overhead, with current state-of-the-art photon generation systems it would be faster to generate anonymous conference keys through bi-partite point-to-point connections.However, at present such an approach is limited to trusted-node networks.While the advantage we observed for fully-AQCKA M was lower than AQCKA M , it has a much greater potential as long as the error rates are below Q Z < 1%, which would be the case in an quantum network which incorporates entanglement purification [30][31][32] at its untrusted nodes.
When analysing AQCKA M with finite key effects, we find that the number of rounds required for parameter estimation is saturated by a very small fraction of the total rounds.This has the benefit of a greater fraction of total rounds being allocated as multi-partite rounds for distilling a raw key, as well as requiring fewer bi-partite rounds for the anonymous classical subprotocols.Nevertheless, this comes at the cost of a larger statistical correction when estimating Q X , which leads to a larger amount of key reduction in the privacy amplification step.Indeed, even in the regime with over 1 million total rounds, the majority of rounds are multi-partite rounds used for key generation, yet a fairly modest FKR is obtained.This is due to the statistical correction term, γ, whose value of 0.03 is comparable to the measured Q X term.
In conventional, non-anonymous, QCKA [12] the statistical correction can be drastically reduced by simply increasing the share of parameter estimation rounds in the multi-partite rounds, i.e. by increasing p.However, in AQCKA M , this would also increase the number of bipartite rounds required to run the anonymous classical subprotocols, which in turn would further decrease the number of multi-partite rounds used for key generation, making such a choice disadvantageous.This effect is ascribed to the additional security feature in AQCKA compared to QCKA, i.e. the anonymity of the keyholders.In the AQCKA B protocol, this behaviour is not observed as the pairwise keys are established with conventional QKD schemes, but distilling the conference key anonymously requires N (N − 1) more resources than AQCKA M .
As quantum networks grow in size, and the number of connecting users increases, there will be demands for anonymity.It has already been shown that multi-partite entanglement provides advantages in quantum secret sharing protocols [33] and distributed sensing schemes [34].Our work highlights that multipartite entanglement provides advantages when layers of anonymity are added to group key encryption tasks.Motivated by this, there may be other quantum-based cryptographic schemes that gain similar resource advantages when anonymity is added-for example in election voting [35,36], distributed parameter estimation [37][38][39][40], or in multi-party computation [41].The modifications of such protocols and their specific resource advantage is the focus of future work.

APPENDIX I. ANONYMOUS CONFERENCE KEY AGREEMENT PROTOCOLS
We outline in Table I, Table II, Table III, and Table IV the main steps of AQCKA B , fully-AQCKA B , AQCKA M , and fully-AQCKA M protocols respectively.We note that AQCKA B and fully-AQCKA B are multi-party generalisations of the Anonymous Message Transmission protocol [20] that includes specific subprotocols and additional error correction procedures.The reader is directed to [15] for further details.
Table I.AQCKAB protocol.Bell states constitute the protocol's resource and are used to establish pairwise keys amongst all users with a BBM92 protocol [28].In order to obtain a conference key, the protocol uses N (N − 1) bi-partite bits for each bit of conference key.
Step Description 0 Pre-established keys.Every pair of users in the N -user network performs twoparty quantum key distribution to obtain pairwise secret keys.In total there are Identity designation (ID).A single Sender is assigned anonymously.The Sender notifies the remaining parties of their roles as keyholder or non-keyholder and informs the keyholders about the identities of the Sender and of the other keyholders.This consumes bi-partite keys to ensure anonymity.2 The Sender generates a random bitstring of length L b which is the conference key Each user sends a random bitstring of length L b (except the Sender) to every other user through the bi-partite channels.The Sender sends ⃗ k Conf to the keyholders and a random bitstring to the non-keyholders.The keyholders identify the string ⃗ k Conf received by the Sender as the conference key.
Table II.Fully-AQCKAB protocol.Bell states are the protocol's resource and are used to establish pairwise keys amongst all users with a BBM92 protocol.In order to obtain a conference key, the protocol uses N (N − 1) 2 bi-partite bits for each bit of conference key.
Step Description 0 Pre-established keys.Every pair of users in the N -user network perform two-party quantum key distribution to obtain pairwise secret keys.In total there are N 2 combinations.1 Identity designation (ID).A single Sender is assigned anonymously.The Sender notifies the remaining parties of their roles as keyholder or non-keyholder.This consumes bi-partite keys to ensure anonymity.2 The Sender generates a random bitstring of length L b which is the conference key The parties repeat the following for N − 1 times: the Sender anonymously notifies one of the parties and subsequently communicates the conference key if they are a keyholder or a random string if the party is a non-keyholder.In doing so, the Sender remains anonymous.4 The protocol aborts publicly if any of the keyholders detects a failure in one of the previous steps.This consumes bi-partite keys to ensure anonymity.
Table III.AQCKAM protocol.Bell pairs and N -party GHZ states are used as resources by the protocol.More precisely, the anonymous subprotocols use Bell pairs while the quantum measurements in step 3 use N -party GHZ states.We note that the anonymous subprotocols, e.g., Parity, Identity Designation, Error Correction, as well as the full protocol itself is established in [15], where the reader is redirected for more information.
Step Description 0 Pre-established keys.The protocol assumes that each subset of parties that are potential keyholders have access to a secure pre-shared conference key ⃗ kP re.Moreover, each pair of parties in the network establishes a pairwise key, for a total of N 2 pairwise keys, with quantum key distribution.1 Identity designation (ID).A single Sender is assigned anonymously.The Sender notifies the remaining parties of their roles as keyholder or non-keyholder and informs the keyholders about the identities of the Sender and of the other keyholders.This consumes bi-partite keys to ensure anonymity.2 Testing key distribution (TKD).The Sender generates a random string of length L, where each bit indicates if the round is a test round (bit 1) or a key-generation round (bit 0).The probability that a bit is equal to 1 is given by p.The string is compressed into a string ⃗ kT of L • h(p) bits.The Sender encodes (with one-time pad) the string ⃗ kT using L • h(p) bits of the pre-shared key ⃗ kP re and anonymously broadcast it.This is done via a public broadcast channel: the keyholders and non-keyholders broadcast random bit-strings of length L • h(p), while the Sender broadcast the encoding of ⃗ kT .Using ⃗ kP re, the keyholders recover ⃗ kT .3 Quantum measurements.For L rounds, the N -party GHZ state is distributed across the multi-partite channels.The Sender and keyholders follow the recipe for measurements indicated by ⃗ kT , where a 1 is a test round and 0 is a key generation round.This translates to either measuring in the X-basis or in the Z-basis, respectively.The non-keyholders measure in the X-basis in every round.4 Testing key broadcast (TKB).The Sender anonymously broadcasts ⃗ kT to all users using the (anonymous) Parity protocol [20] for L • h(p) times, which consumes bi-partite keys to ensure anonymity.For each use of Parity, the Sender inputs a bit of ⃗ kT while all other users input 0 such that the users recover a final string ⃗ k ′ T .5 Parameter estimation (PE).For each test round according to ⃗ k ′ T , the users performs the Parity protocol as follows: the keyholders and non-keyholders input their measured X outcome.The Sender always inputs a coin flip.The outcome of this is a string ⃗ oT , which the Sender uses to calculate the observed test error rate Q obs X .Verification fails if Q obs X + γ(Q obs X ) > QX + γ(QX ), where γ is a statistical correction and QX is the predefined phase error threshold in the X basis.6 Classical post-processing.According to a predefined pairwise quantum bit error rate QZ , the Sender anonymously broadcasts L ϵ EC bits of information to all users such that each keyholder can correct their raw key to match the Sender's key.The broadcast is encrypted by consuming bits from the string ⃗ kP re, hence only the keyholders can decrypt it.The protocol aborts if at least one between the error correction and the PE verification failed for any of the keyholders.This information is only available to the keyholders by having each keyholder broadcast a bit encrypted with ⃗ kP re.Privacy amplification extracts a secure key from the error-corrected keys of the keyholders by applying a twouniversal hash function.The resulting conference key has length l Final secure key.
ϵ EC + N bits of ⃗ kP re are consumed by the protocol, the net length of the resulting secure conference key is: ℓ = l − lc and the resulting key rate is ℓ L tot ,where Ltot = L + LB accounts for the rounds used to generate the required pre-shared bi-partite keys.
Table IV.Fully-AQCKAM protocol.Bell pairs and N -party GHZ states are used as resources by the protocol.More precisely, the anonymous subprotocols use Bell pairs while the quantum measurements in step 3 use N -party GHZ states.We note that the anonymous subprotocols, e.g., Parity, Identity Designation, Error Correction, as well as the full protocol itself is established in [15], where the reader is redirected for more information.
Step Description 0 Pre-established keys.Each pair of parties in the network establishes a pairwise key, for a total of N 2 pairwise keys, with quantum key distribution.1 Identity designation (ID).A single Sender is assigned anonymously.The Sender notifies the remaining parties of their roles as keyholder or non-keyholder.This consumes bi-partite keys to ensure anonymity.2 Testing key distribution (TKD).The parties consume bi-partite keys in order for the Sender to anonymously distribute to each other keyholder: a string ⃗ kT , of size L • h(p) bits, encoding the test and key-generation rounds and a string ⃗ r l that will be used to encode the information about whether the protocol aborts.3 Quantum measurements.For L rounds, the N -party GHZ state is distributed across the multi-partite channels.The Sender and keyholders follow the recipe for measurements indicated by ⃗ kT , where a 1 is a test round and 0 is a key generation round.This translates to either measuring in the X-basis or in the Z-basis, respectively.The non-keyholders measure in the X-basis in every round.4 Testing key broadcast (TKB).The Sender anonymously broadcasts ⃗ kT to all users using the (anonymous) Parity protocol [20] for L • h(p) times, which consumes bi-partite keys to ensure anonymity.For each use of Parity, the Sender inputs a bit of ⃗ kT while all other users input 0 such that the users recover a final string ⃗ k ′ T .5 Parameter estimation (PE).For each test round according to ⃗ k ′ T , the users performs the Parity protocol as follows: the keyholders and non-keyholders input their measured X outcome.The Sender always inputs a coin flip.The outcome of this is a string ⃗ oT , which the Sender uses to calculate the observed test error rate Q obs X .Verification fails and the protocol aborts if , where γ is a statistical correction and QX is the predefined phase error threshold in the X basis.6 Classical post-processing.According to a predefined pairwise quantum bit error rate QZ , the Sender anonymously broadcasts (with the Parity protocol) ϵ EC bits of information to all users such that each keyholder can correct their raw key to match the Sender's key.If the error correction fails for at least one keyholder, the protocol aborts but this information is encoded with ⃗ r l and only available to the keyholders.Privacy amplification extracts a secure key from the error-corrected keys of the keyholders by applying a two-universal hash function.The resulting conference key has length: Final secure key.The final secure conference key rate is given by ℓ L tot , where Ltot = L + LB accounts for the rounds used to generate the required pre-shared bi-partite keys.

II. ASYMPTOTIC KEY RATES
We describe here the AKR expressions for the AQCKA task.The respective AKRs for the protocol with and without multi-partite entanglement are given by: r where is the global error rate in the X-basis and Q Z = max (q,t) 1−⟨Zq⊗Zt⟩ 2 the maximum pairwise quantum bit error rate (QBER) in the Pauli Z-basis.Moreover σ (q,t) = 1 − h(Q Zb ) denote the rates at which private bits can be established between nodes q and t, for q, t ∈ {1 . . .N }, and Q (q,t) Zb are the respective observed quantum bit error rates in the Pauli X/Z basis in a QKD protocol between nodes q and t.
comparison with a protocol based only on bi-partite resources, our results show that the obtained advantage is lower than that of the AQCKA task.This is inline with the theoretical result as, in (4), there is a factor of h(Q Z ) that decreases this advantage.This factor arises as the identities of keyholders are not known hence they cannot use a pre-shared conference key for error correction, instead relying on bi-partite private links and anonymous meassage transmission.Fig. 4 shows the theoretical curve obtained for the ration r ∞ fully−M /r ∞ fully−B by varying the Q Z with two regions of interest highlighted.
We find, for a typical range of 0.01 ≤ Q Z ≤ 0.1, the multi-partite advantage reaches ∼ 25.For Q Z ≤ 0.01, the scaling becomes non-linear such that improvements on the order of 10 −3 to Q Z significantly boost the advantage.It is not atypical that large networks can operate at a Q Z between 1% to 10% indicated by the red region.While improvements to Q Z do increase the multi-partite advantage, the return for leading up to the 1% mark only starts to gain momentum from ≈ 2% onward.The most sensitive region to Q Z is below 1%, highlighted in green, where slight improvements have the largest gains.Despite the green region in Fig. 4 being out of reach for this experiment, it is not unfeasible as mentioned in the main text if, for example, purification protocols [42] or even quantum repeater network architectures [43,44] are used to increase the fidelity of the resource state.
The green shaded region is the region that is most sensitive to improvements in QZ .The red region is where our QZ values lie within.

IV. COMPARISON TO PREVIOUS WORKS
In Table VII, we summarise the experiments on anonymous communication with multi-partite quantum resources that have been carried out so far.We note that, in terms of minimum number of rounds for a non-zero finite key rate, Rückle et al. [23] achieved L min = 1.46 • 10 8 with a total security parameter of ϵ tot = 3 • 10 −5 , while our work achieves L min = 2.87 • 10 5 with ϵ tot = 10 −8 .As for the asymptotic key rates for each of the works, Thalacker et al. [21] performed a fully-AQCKA protocol whose asymptotic key rate tends to zero (r ∞ fully−M → 0) with a fixed anonymity parameter, while Rückle et al. [23] performed an AQCKA protocol with r ∞ M = 0.04 (6).For our work, we performed both the AQCKA and fully-AQCKA protocol whose respective AKR reached r ∞ M = 0.296(09) and r ∞ fully−M = 0.0114 (7).
Table VII.For each experiment, we specify (from left to right): the cryptographic task (AQCKA or fully-AQCKA); the type of security proof; the necessary assumptions for the security to hold; whether or not the protocol can tolerate noise; the number N of network users involved.
* By semi-trusted source, we intend that the source of entanglement is still verified by the protocol and any detected noise is assigned to the eavesdropper.However, the source cannot be actively malicious and prepare tailored states that would expose the parties' identities through their public announcements, at the cost of aborting the protocol.

Experiments
The aKTP crystals are in the centre of a Sagnac interferometer configuration, which allows erasure of the which-path information.The quality of each of our sources can be quantified by running a two-qubit tomographic measurement on each of the sources, determining the fidelity and purity.For sources labelled {S1, S2, S3} pumping with 20mW, we report fidelities of {98.82%, 98.60%, 98.60%} and purities of {97.98%, 97.90%, 97.40%}.The photons are then sent to the circuit consisting of two probabilistic fusion gates [46], each with a probability of success of 1/2.As we directly generate Bell states from the sources, our total six-party GHZ baseline probability of success is 1/4.With the local rotations on each of the Bell states mentioned prior, as well as the entanglement operations of the fusion gates, we arrive at the six-party GHZ state, In order to have a high quality fusion operation, the fusion gate need to be optimised in the spectral, temporal, spatial and polarisation degrees of freedom.The spectral and polarisation degrees of freedom are bound to the quality of the source, specifically how indistinguishable the photons entering the two ports of the fusion gate are.The polarisation is optimised though optimising the fidelity with respect to a |Ψ − ⟩ state.The spectral degree of freedom is optimised by performing a two-photon interference measurement on the fusion gate, with the two inputs being the two outputs of a source, and temperature tuning the aKTP crystal.The remaining degrees of freedom, temporal and spatial, are determined by the fusion gate itself.Temporal optimisation is performed by spatially moving one of the inputs back and fourth, scanning the range in which the difference in delay between both photons entering the PBS is minimum.Spatial optimisation is done by precise alignment of the input and output couplers with respect to the PBS, such that the two paths the photons can go through are maximally overlapped.
The pump power going into each of the sources varies the overall performance in terms of key rates.While increasing the pump power increases the six-fold rate, it has a negative effect on the quality of the GHZ state due to multiphoton events.A mask of multi-photon events greater than six is taken from the FPGA, which records all possible detector patterns, and subtracted from the six-fold pattern we post select on.This allows the removal of a subset of multi-photon events from the data.The Q Z in the Z basis, for 300mW of pump power on each source, for each network scenario are presented in Fig. 5.Note that users can remove themselves from the network by measuring in X.A set of initial measurements are taken to evaluate the error rates in the different configurations.Table VIII shows a tally of the number of rounds experimentally obtained for the finite key analysis and the associated errors, excluding the initiation rounds for channel estimates.In an actual run of the protocol, precursory knowledge of the channel error rates would be known.For this, initiation rounds were run for each of the configurations.To highlight the point of this, for the 3 user scenarios the measured highest error rates for {XZZZ, ZXZZ, ZZXZ, ZZZX} were {0.016(1), 0.013(1), 0.016(2), 0.014(2)} respectively and were each measured for around 5 minutes.The highest error rate came from the ZZXZ scenario, so the error correction code would be set at this rate -note that this is not the scenario used in the finite-key analysis, the configuration used for our finite-size AQCKA implementation was ZXZZ, and yet the users in all other possible scenarios remain anonymous.
In Fig. 3 of the main text, we optimize the conference key length in (11) over all the security parameters in ( 13), for a fixed total number of rounds L tot and fixed ϵ tot .In particular, the optimal allocation of the total set of rounds (L tot ) into multi-partite rounds (L) and bi-partite rounds (L B = L tot − L) is obtained by requiring that the secret key length ℓ B of each pairwise key is just long enough to cover the needs of each pairwise private channel used by the classical anonymous subprotocols.Now, the total number of pairwise key bits required by the identity designation (ID), testing key broadcast (TKB) and parameter estimation (PE) subprotocols are, respectively: where ] is an encoded string used to ensure the success of the ID subprotocol, see [15] for further details.Hence, we find the optimal L by solving the following equation for L: Note that the function γ in ( 12) is defined implicitly [15], hence the solution for L is numerical.
Once the optimal value for L is obtained by solving (17), the total number of bi-partite rounds L B is obtained as: L B = L tot − L. This ensures that the parties have just enough bi-partite rounds to establish pairwise keys whose length is sufficient to run the anonymous subprotocols.At the end of AQCKA M , the pairwise keys are completely depleted.
Furthermore, it is interesting to analyze the different demands for bi-partite key bits of the three anonymous subprotocols, namely ID, TKB, and PE, and how this affects the total number of bi-partite rounds L B .For example, the ID subprotocol requires a number of bits that is independent of L, while the TKB and PE subprotocols require a number of bits linear in L. To analyze how such demands affect the allocation of rounds to bi-partite rounds, we can partition L B in proportion to the number of bi-partite bits required by each subprotocol: where we defined: L P E = P E ID + T KB + P E L B .  3 of the main text.The A title is not shown as there is no secure key rate for the number of total rounds.The bi-partite rounds are partitioned into Testing Key Broadcast (TKB), which is a subprotocol that anonymously broadcasts the testing key to all users, Parameter Estimation (PE) which computes the noise parameters from the data of the test rounds, and Identity Designation (ID) which establishes the identity of sender and keyholders.
In Fig. 6 we highlight the experimental points B, C and D to analyse how multi-partite and bi-partite rounds are optimally for increasing values of L tot .For points B to D, as more rounds become available, the optimal allocation clearly favours multi-partite rounds over bi-partite rounds.In particular, the bi-partite subprotocols PE and TKB require a number of pairwise key bits that is proportional to L • p and L • h(p), respectively.The fraction of test rounds becomes negligible in the asymptotic limit (p → 0), the ratio L/L B increases from B to D, until the finite key rate attains the asymptotic key rate for an infinite number of rounds.For a full breakdown of what constitutes the different yellow datapoints in Fig. 3 IX.Table of the data used to form the points in Fig. 3 of the main text.The QX are taken from the joint-X measurement dataset at random of lengths of L • h(p).The quantum bit error rates are constant and hence not shown in the table.
For comparison, in Fig. 3 of the main text we also report the FKR of the AQCKA B protocol (ℓ ′ /L tot ), which exclusively relies on bi-partite resources.In this case, the conference key length ℓ ′ is obtained by equating the total number of pairwise key bits required by AQCKA B : to the total number of pairwise secret key bits established by every party pair: By solving for ℓ ′ , we obtain the finite conference key length of the AQCKA B protocol: where ID is given in (14).

Figure 1 .
Figure 1.Sketch of the AQCKA protocol.A quantum server distributes bi-partite or multi-partite entangled resources to N users.The users perform quantum key distribution with bi-partite entanglement to distill N2 unique pairwise keys.The sender (blue) assigns each user their role via anonymous messaging primitives, e.g., keyholders (black) and non-keyholders (gray).The anonymous conference key can be established by consuming N (N − 1) bi-partite key bits per conference key bit (see red path).Alternatively, by sharing N -party GHZ states and applying a pre-shared measurement sequence, the group can directly obtain up to one conference key bit per copy of the GHZ state (see blue path).

Figure 2 .
Figure2.Experimental setup.A pulsed Ti:sapph laser pumps three entangled photon-pair sources (EPS).Each EPS embeds an aKTP crystal in a Sagnac configuration consisting of a dual-wavelength polarising beamsplitter (dPBS), half-wave plate (dHWP) and dichroic mirror (DM).Diagonally-polarised pump photons propagate clockwise and anti-clockwise to generate orthogonally polarised photon-pairs through type-II spontaneous parametric downconversion process in the aKTP crystal.The photon pairs are separated by the dPBS, upon which they are coupled into single-mode fibres.Two fusion gates (FG) are realised by interfering two photons on a PBS, with a delay stage (δτ ) to ensure temporal indistinguishability. Two quarter-wave plates (QWP) and a HWP compensate for phase effects in the FGs.All six photons are then sent to measurement stages (M) featuring a QWP, HWP and PBS, with both outputs coupled to superconducting nanowire single photon detectors (SNSPD).

Figure 3
Figure 3.The FKR of the AQCKAM protocol, given by ℓ/Ltot, with ℓ given in (1).The yellow points are experimental data points while the blue line is a simulation of the FKR for fixed noise parameters evaluated from the experiment: QX = 0.0304(1), QZ = 0.01589(5) and Q Zb = 0.0144(3).The rounds are partitioned into the multi-partite rounds for key generation and testing, and bi-partite rounds for establishing pairwise keys to run classical subprotocols anonymously.The dashed line at the top shows an AKR of the AQCKAM protocol of 0.6853(2), which is the asymptotic limit of the FKR.The dotted line is the AQCKAB AKR of 0.0579(4) and the red line is the corresponding FKR given by ℓ ′ /Ltot, with ℓ ′ reported in Appendix.

Figure 4 .
Figure 4. Figure sketching the theoretical curve of the ratio between the fully-AQCKAM and fully-AQCKAB protocol.The yellow point is taken at the worst performing QZ for the 6-party network.The Q Zb values are taken from Fig. 5(a) where if QZ≤ Q Zb then Q Zb is set to Q Zb := QZ .The green shaded region is the region that is most sensitive to improvements in QZ .The red region is where our QZ values lie within.

Figure 5 .
Figure 5.The measured QZ for all permutations in the (a) two-user, (b) three-user, (c) four-user and (d) five-user network scenarios in the 300mW pump power regime.The labels are read from left to right for each qubit, for example users 1 and 2 measuring in Z while users 3, 4, 5 and 6 measure in X corresponds to Z1, Z2, X3, X4, X5, X6 = ZZXXXX.Error bars are estimated via Monte-Carlo simulation assuming Poissonian statistics and reported at one standard deviation.

Figure 6 .
Figure 6. Figure of bi-partite rounds used for increasing number of rounds in the AQCKAM protocol.The titles B-D highlight the same points indicated in Fig.3of the main text.The A title is not shown as there is no secure key rate for the number of total rounds.The bi-partite rounds are partitioned into Testing Key Broadcast (TKB), which is a subprotocol that anonymously broadcasts the testing key to all users, Parameter Estimation (PE) which computes the noise parameters from the data of the test rounds, and Identity Designation (ID) which establishes the identity of sender and keyholders.
The |Ψ − ⟩ states produced by the Bell state sources are locally rotated to obtain |Φ + ⟩, allowing us to reach a product state such as,

Table VIII .
Table of experimentally obtained results for the finite key expression Eq. 11.The measurement time for ZXZZ is around 115 hours, the two user configurations being around 3 hours each and XXXX taking around 19 minutes.
in the main text, see TableIX.