Ming-Ming Wang^,1, Rui-Fan Han, Lin-Ming GongShaanxi Key Laboratory of Clothing Intelligence, State and Local Joint Engineering Research Center for Advanced Networking and Intelligent Information Services, School of Computer Science, Xi’an Polytechnic University, Xi’an 710048, China

First author contact: ¹Author to whom any correspondence should be addressed.
Received:2020-01-20Revised:2020-03-12Accepted:2020-04-9Online:2020-05-22


Abstract
The key agreement protocols allow two or more users to negotiate a shared key for establishing a secure communication channel without a third trusted party in such a way that the shared key is determined by all authorized players rather than any subset of them. We propose the first real multiparty semiquantum key agreement (SQKA) protocols based on single-photons. Our protocols include only one quantum player, while the others are classical players who only need to measure and prepare states in the classical basis. We first present a symmetric three-party SQKA protocol, where two classical players can fairly negotiate a key with a quantum player by using single-photons as message carriers. Then we present an asymmetric SQKA protocol where a relatively low percentage of quantum states are used for eavesdropping detection. And we further extend them to an asymmetric multiparty SQKA protocol. Our SQKA protocols require fewer quantum resources than the previous SQKA protocols for classical players, especially without requirement of entanglement, which makes them easier to implement using current technologies. Our protocols are secure against external eavesdroppers and are fair against a minority of internal dishonest players.
Keywords： multiparty semiquantum key agreement;single-photon;fairness;efficiency;symmetric and asymmetric protocol


PDF (299KB)MetadataMetricsRelated articlesExportEndNote|Ris|BibtexFavorite
Cite this article
Ming-Ming Wang, Rui-Fan Han, Lin-Ming Gong. Multiparty semiquantum key agreement without entanglement. Communications in Theoretical Physics, 2020, 72(6): 065107- doi:10.1088/1572-9494/ab8a10

1. Introduction

Since Bennett and Brassard proposed the first quantum key distribution (QKD) protocol [1] in 1984, quantum cryptography has attracted the attention of more and more researchers. Many directions of quantum cryptography, such as QKD [1–3], quantum secret sharing [4–6], and quantum authentication [7, 8], etc, have been developed. Quantum key agreement (QKA) [9] is an important branch of quantum cryptography which tries to generate a shared key by two or more players. Unlike QKD, QKA emphasizes fairness, i.e. the shared key of QKA is determined by all players rather than any subset of them. The first QKA protocol was proposed by Zhou et al [9] in 2004. However, their protocol was unfair since one player could fully determine the shared key [10]. In 2010, Chong and Huang proposed a QKA protocol using the delayed measurement technique [11]. In 2013, Shi and Zhong used the entanglement swapping technique to extend the QKA protocol of two players to multi-players, and proposed the first multiparty QKA protocol [12]. But Liu et al [13] pointed out that Shi and Zhong’s QKA protocol was not secure and they proposed a multiparty QKA protocol using single-photons. Subsequently, various two-party and multiparty QKA protocols were proposed [14–21].

Implementations of quantum cryptographic protocols require players to equip quantum devices for preparing, manipulating or measuring quantum states. To simplify the implementation of the conventional QKD, in 2007, Boyer et al proposed the idea of semiquantum key distribution (SQKD) [22] where one player has full quantum capabilities, while the other player Bob is restricted to measure or prepare qubits only in the classical basis (the Z basis). They further proposed two SQKD protocols based on techniques of measurement-resend and randomization [23]. Since then, various SQKD protocols have been proposed based on different quantum resources and techniques [24–32]. Several multiparty SQKD protocols can also be found in [24, 28, 33]. Security proofs of SQKD protocols have been developed in the asymptotic scenario in [28, 31, 34–36]. Besides SQKD, other semiquantum cryptographic protocols, such as semiquantum secret sharing [37–40], semiquantum information splitting [41], and semiquantum secure direct communication [42, 43] have also been studied.

To reduce the requirements of the players for quantum devices, semi-QKA (SQKA) has also been developed. In 2017, Shukla et al proposed a two-party SQKA protocol [44] based on Bell states. Unfortunately, additional quantum devices are required for the classical player Bob since he needs to permutate or reorder his qubits in the SQKA protocol. As is introduced in [45], a possible way for reordering qubits is to use optical delay lines. However, since the storage time of an optical delay line is fixed by the delay length [46], Bob has to set an on-demand delay-time for each line. While a multiparty QKA protocol [47] was proposed based on delegating quantum computation. However, players in the QKA protocol need to prepare four BB84 qubits and store them during the protocol, which means the protocol is not a semiquantum one since classical players have to prepare qubits in two different bases rather than only the classical basis.

We study multiparty SQKA in the paper and propose the first real multiparty SQKA protocols based on single-photons. Our protocols include only one quantum player, while the other players are classical ones who only need to perform states preparations and measurements in the classical basis. Compared with the existing two-party SQKA protocol based on Bell states [44], our protocols cost fewer quantum resources, require no quantum memory for classical players, and are easier to implement using current technologies. Our protocols are real semiquantum ones since classical players only need to measure and prepare classical states, while no reordering or preparing of the other states is required.

The rest of the paper is organized as follows. Our multiparty SQKA protocols are described in section 2. The symmetric three-party SQKA protocol based on BB84 qubits is described firstly. And the asymmetric three-party SQKA protocol is presented to improve efficiency. We further extend them to the asymmetric multiparty SQKA protocol including one quantum player and an arbitrary number of classical players. The security and fairness of our protocols are analyzed in section 3. This paper is further discussed and concluded in section 4.

2. Multiparty SQKA protocols without entanglement

We firstly present two SQKA protocols including three players, i.e. a quantum player Alice who is capable of generating and measuring quantum states in two different bases, and two classical players Bob and Charlie who are restricted to do operations only in the classical basis. Three players can fairly negotiate a secret key. Then we extend these three-party protocols to multiparty one that includes one quantum player and an arbitrary number of classical players.

2.1. Protocol 1: the symmetric three-party SQKA protocol without entanglement

In the symmetric protocol, half of the quantum states are used for security detection, and the others are used for generating and transmitting secret information. The symmetric three-party SQKA protocol runs as follows.

(1) Alice prepares a set of $16N(1+\delta )$ polarized BB84 single-photons, which are chosen randomly from $\{\left|0\right\rangle ,\left|1\right\rangle ,\left|+\right\rangle =\tfrac{1}{\sqrt{2}}(\left|0\right\rangle +\left|1\right\rangle ),\left|-\right\rangle =\tfrac{1}{\sqrt{2}}(\left|0\right\rangle -\left|1\right\rangle )\}\}$, with N is the length of each player’s secret key and δ>0 is a fixed parameter similar to the original SQKD protocol [22]. She sends half of the qubits to Bob, and the other half to Charlie.

(2) For each of the qubits from Alice, Bob performs the following three actions.– REFLECT: with half of the probability, Bob reflects the qubit back to Alice without any change.
– MEASURE-RESEND: with a probability of $\tfrac{3}{8}$, Bob measures the coming qubit in the classical basis and resends the same state back to Alice. His measurement results are denoted as K₁, R₁, and R₂, with the length of the bits strings $| {K}_{1}| \geqslant N$, $| {R}_{1}| \geqslant N$, and $| {R}_{2}| \geqslant N$.
– DISCARD-PREPARE-RESEND: with a probability of $\tfrac{1}{8}$, Bob discards the coming qubit. He prepares a new state in $\{\left|0\right\rangle ,\left|1\right\rangle \}$ according to his secret key K_B in the first N position and sends it back to Alice.


(3) Charlie performs the same three actions as Bob does. Her MEASURE-RESEND action gets measurement results K₂ and R₃, and R₄ with their lengths $| {K}_{2}| ,| {R}_{3}| ,| {R}_{4}| \geqslant N$. Her DISCARD-PREPARE-RESEND action prepares new states in $\{\left|0\right\rangle ,\left|1\right\rangle \}$ according to his secret key K_C and sends them back to Alice.

(4) Alice stores all the returning qubits from Bob. Bob publishes his actions on each qubit. Alice performs the following actions according to Bob’s actions.– She measures REFLECT qubits in the bases she prepared to check the security of their quantum channel. She compares her measurement results with the initial states. They abort the protocol if the error rate is larger than a pre-defined threshold.
– She measures MEASURE-RESEND qubits in the classical basis. She takes the first N bits of her measurement results as K₁ and the following 2N bits as R₁ and R₂, where K₁ will be used by Alice to encrypt K_A for Bob, and R₁ and R₂ by classical players Bob and Charlie to encrypt their K_B and K_C for each other.
– She measures DISCARD-PREPARE-RESEND qubits in the classical basis. She will get Bob’s secret key K_B from the first N bits.


(5) Similarly, Charlie and Alice check the security of their quantum channel by measuring their REFLECT qubits. If the test passes, Alice measures DISCARD-PREPARE-RESEND qubits to get K_C, and measures MEASURE-RESEND qubits to get K₂, R₃, and R₄, where K₂ will be used by Alice to encrypt K_A for Charlie, and R₃ and R₄ by Bob and Charlie to encrypt K_B and K_C.

(6) Alice sends to Bob the value of $({K}_{1}\oplus {K}_{A})| | {h}_{1}({K}_{A})$, where ${h}_{1}(\cdot )$ is a hash function chosen by Bob uniformly from a family of hash functions and announced to Alice over a classical channel. Besides, Alice sends to Charlie the value of $({K}_{2}\oplus {K}_{A})| | {h}_{2}({K}_{A})$, where h₂ (·) is chosen by Charlie. Bob and Charlie decode them by using K₁ and K₂ to get K_A, respectively. They also verify whether the hash value is correct or not. They abort if an error occurs.

(7) Alice publishes the value of $({R}_{2}\oplus {R}_{4})| | {h}_{3}({R}_{2}\oplus {R}_{4})$ to Bob, where ${h}_{3}(\cdot )$ a hash function chosen by the Bob. Similarly, Alice publishes $({R}_{1}\oplus {R}_{3})| | {h}_{4}({R}_{1}\oplus {R}_{3})$ to Charlie, where ${h}_{4}(\cdot )$ is chosen by Charlie. Besides, Bob sends ${R}_{1}\oplus {K}_{B}| | {h}_{5}({K}_{B})$ to Charlie, while Charlie sends ${R}_{4}\oplus {K}_{C}| | {h}_{6}({K}_{C})$ to Bob, respectively, where these hash functions are chosen by the receivers.

(8) Bob decodes ${R}_{4}\oplus {K}_{C}$ by using R₂ and ${R}_{2}\oplus {R}_{4}$ to get K_C, while Charlie decodes ${R}_{1}\oplus {K}_{B}$ by using R₃ and ${R}_{1}\oplus {R}_{3}$ to get K_B, respectively. They also check whether the key they received is consistent with the corresponding hash value. They continue if there is no error. Since all players have got K_A, K_B and K_C, they calculate the negotiated key as(1)$\begin{eqnarray}K={K}_{A}\oplus {K}_{B}\oplus {K}_{C}.\end{eqnarray}$

(9) Any two players can cooperatively verify whether the secret key they received is the same or not. For example, suppose Bob has received ${K}_{A}^{{\prime} }$ and Charlie ${K}_{A}^{{\prime\prime} }$, they randomly select a hash function ${h}_{{BC}}(\cdot )$ to verify whether ${h}_{{BC}}({K}_{A}^{{\prime} })\mathop{=}\limits^{?}{h}_{{BC}}({K}_{A}^{{\prime\prime} })$, and they confirm Alice is honest if the answer is positive.

2.2. Protocol 2: the asymmetric three-party SQKA protocol without entanglement

To achieve high efficiency, we simplify our SQKA protocol to an asymmetric one following the idea in [48]. Our asymmetric SQKA protocol is performed as follows.

(1) Alice prepares a set of $(8N+2\tau )(1+\delta )$ polarized BB84 single-photons, where N is the length of the key and τ is the length of the REFLECT qubits used for security detection of two quantum channels. She sends half of the states to Bob, the other half of the states to Charlie.

(2) Bob performs three actions with different probabilities after receiving qubits from Alice.– REFLECT: with a probability of $\tfrac{\tau }{4N+\tau }$.
– MEASURE-RESEND: with a probability of $\tfrac{3N}{4N+\tau }$.
– DISCARD-PREPARE-RESEND: with a probability of $\tfrac{N}{4N+\tau }$.


Steps (3)–(9) are the same as our SQKA Protocol 1.

2.3. Protocol 3: the asymmetric multiparty SQKA protocol without entanglement

We further extend our SQKA to the most general (M + 1)-party SQKA protocol that includes one quantum player Alice and M classical players Bob₁, Bob₂, ⋯, Bob_M who want to negotiate a secret key with the length of N. Our multiparty SQKA protocol runs as follows.

(1) Alice prepares a set of $M[2N(M-1)\,+2N+\tau ](1+\delta )$ BB84 single-photons, where N is the length of the key and τ is the length of the REFLECT qubits used for security detection. She sends $[2N(M-1)+2N\,+\tau ](1+\delta )$ of these states to Bob_i for i=1 to M.

(2) Each Bob_i performs three actions with different probabilities after receiving qubits from Alice.– REFLECT: with a probability of $\tfrac{\tau }{2N(M-1)+2N+\tau }$, Bob_i reflects the qubit back to Alice.
– MEASURE-RESEND: with a probability of $\tfrac{2N(M-1)+N}{2N(M-1)+2N+\tau }$, Bob_i measures the coming qubit in the classical basis and resends the same state back to Alice. Their measurement results are denoted as K_i with $| {K}_{i}| \geqslant N$, and a set of (M−1) bits strings ${R}_{1}^{(i)},{R}_{2}^{(i)},\cdots ,{R}_{j}^{(i)},\cdots ,{R}_{M}^{(i)}$ with $j\in [1,M]$, $j\ne i$ and $| {R}_{j}^{(i)}| \geqslant 2N$. Similar to Protocol 1, K_i will be used by Alice to encrypt K_A to Bob_i, while ${R}_{j}^{(i)}$ will be used by classical players to securely exchange their keys with other classical players.
– DISCARD-PREPARE-RESEND: with a probability of $\tfrac{N}{2N(M-1)+2N+\tau }$, Bob_i discards the coming qubit and prepares a new state in $\{\left|0\right\rangle ,\left|1\right\rangle \}$ according to his secret key ${K}_{{B}_{i}}$ and sends it back to Alice.


(3) Alice stores all the returning qubits from Bob_i. Bob_i publishes his actions on each qubit. For each qubit from Bob_i, Alice performs the following actions.– She measures REFLECT qubits to check the security of their quantum channel.
– She measures MEASURE-RESEND qubits in the classical basis. Alice takes the first N bits as K_i. She takes following 2N bits as ${R}_{j}^{(i)}$ for j=1 to M and $j\ne i$.
– She measures DISCARD-PREPARE-RESEND qubits in the classical basis and gets Bob_i's secret key ${K}_{{B}_{i}}$ from the first N bits.


(4) Alice sends to each Bob_i the value of ${K}_{i}\oplus {K}_{A}| | {h}_{i}({K}_{A})$ where ${h}_{i}(\cdot )$ is chosen by Bob_i. Bob_i decodes it by using K_i to get K_A. He continues if the hash value is correct.

(5) Let the first N bits of ${R}_{j}^{(i)}$ be $R{1}_{j}^{(i)}$, and the last N bits be $R{2}_{j}^{(i)}$, i.e., ${R}_{j}^{(i)}=R{1}_{j}^{(i)}| | R{2}_{j}^{(i)}$ with $| R{1}_{j}^{(i)}| =| R{2}_{j}^{(i)}| =N$. Alice publishes the value of ${R}_{j}^{(i)}\oplus {R}_{i}^{(j)}| | {h}_{{ij}}({R}_{j}^{(i)}\oplus {R}_{i}^{(j)})$ for all $i,j\in [1,N]$ and $i\ne j$, where ${h}_{{ij}}(\cdot )$ is chosen by Bob_i. Each Bob_i encodes his private key as ${K}_{{B}_{i}}\oplus R{1}_{j}^{(i)}$ if i<j, as ${K}_{{B}_{i}}\oplus R{2}_{j}^{(i)}$ if i>j. He sends the encoded information and the hash value ${h}_{j}^{{\prime} }(\cdot )$ to Bob_j, where ${h}_{j}^{{\prime} }(\cdot )$ is chosen by Bob_j.

(6) Each Bob_j decodes the other classical players ${K}_{{B}_{i}}$ by calculating(2)$\begin{eqnarray}\begin{array}{l}{K}_{{B}_{i}}\oplus R{1}_{j}^{(i)}\oplus {\rm{substring}}({R}_{j}^{(i)}\oplus {R}_{i}^{(j)}\\ \quad \oplus \,{R}_{i}^{(j)},1,N)={K}_{{B}_{i}},\,\,\mathrm{if}\,i\lt j,\\ {K}_{{B}_{i}}\oplus R{2}_{j}^{(i)}\oplus {\rm{substring}}({R}_{j}^{(i)}\oplus {R}_{i}^{(j)}\\ \quad \oplus \,{R}_{i}^{(j)},N+1,2N)={K}_{{B}_{i}},\,\,\mathrm{if}\,i\gt j,\end{array}\end{eqnarray}$where substring(target, start, end) returns the substring of the ‘target’ between the ‘start’ and ‘end’ indexes. They also check whether each hash value they received is correct or not. They abort is one of ${h}_{{ij}}(\cdot )$ or ${h}_{j}^{{\prime} }(\cdot )$ is not consistent with the message they received.

(7) Since all players have got K_A and all ${K}_{{B}_{i}}$, they calculate the negotiated key as(3)$\begin{eqnarray}K={K}_{A}\oplus \underset{i=1}{\overset{M}{\displaystyle \bigoplus }}{K}_{{B}_{i}}.\end{eqnarray}$

(8) Similar to our three-party SQKA protocols, a majority of players can cooperatively verify the honesty of the other players by performing a public discussion on the integrity of ${K}_{{B}_{i}}$ they have got, and they should select a different hash function for each ${K}_{{B}_{i}}$.

3. Security

3.1. Security of quantum channels

There are two-way quantum channels between the quantum player and each of the classical players in our SQKA protocols. Similar to previous results of SQKD [22], the quantum bit error rate (QBER) on REFLECT qubits has been tested to detect the attack on these two-way quantum channels. According to the security proof works in [28, 31, 34–36], the security of our two-way quantum channels can be guaranteed if the QBER obtained by Alice is below a pre-defined threshold. For the Trojan horse attack [49] on quantum channels, wavelength filters can be placed on classical players’ sides before qubits reach their laboratory to effectively resist the Trojan horse attack.

3.2. Security of player’s private keys

In our three-party protocols, K₁ and K₂ are used to encode Alice’s private key K_A before sending them to Bob and Charlie, respectively. Besides, Bob’s K_B is encrypted by R₁ and Charlie’s K_C is encrypted by R₄. While Bob decrypts K_C by using R₃, and Charlie decrypts K_B by using R₂. Since K₁, K₂, R₁, R₂, R₃, and R₄ are randomly generated session keys and have been used just once, they can keep the secrecy of players’ private keys. And publications of ${R}_{1}\oplus {R}_{2}$ and ${R}_{3}\oplus {R}_{4}$ will not leak information of session keys.

For our multiparty SQKA protocol, each Bob_i uses a set of M−1 session keys $\{{R}_{j}^{(i)}\}$ for encryption of his private key ${K}_{{B}_{i}}$ that will be sent to Bob_j. Bob_i uses the first N bits if i<j, while he uses the last N bits if i>j. That is, the bidirectional communications between Bob_i and Bob_j consume two different session keys for encryption of ${K}_{{B}_{i}}$ to Bob_j and ${K}_{{B}_{j}}$ to Bob_i. The session keys used among classical players can be represented in a matrix form as follows(4)$\begin{eqnarray}\left(\begin{array}{ccccc}- & {R}_{2}^{(1)} & {R}_{3}^{(1)} & \cdots & {R}_{M}^{(1)}\\ {R}_{1}^{(2)} & - & {R}_{3}^{(2)} & \cdots & {R}_{M}^{(2)}\\ {R}_{1}^{(3)} & {R}_{2}^{(3)} & - & \cdots & {R}_{M}^{(3)}\\ \vdots & \vdots & \vdots & \ddots & \vdots \\ {R}_{1}^{(M)} & {R}_{2}^{(M)} & {R}_{3}^{(M)} & \cdots & -\end{array}\right),\end{eqnarray}$where two symmetrical elements ${R}_{j}^{(i)}$ and ${R}_{i}^{(j)}$ are used for encryption of ${K}_{{B}_{i}}$ to Bob_j and ${K}_{{B}_{j}}$ to Bob_i, similar to the usage of ${R}_{1}| | {R}_{2}$ and ${R}_{3}| | {R}_{4}$ in our three-party protocols.

3.3. Fairness against dishonest players

To prevent dishonest players from announcing wrong keys to undermine the fairness, a set of universal hash functions are used to guarantee the integrity of the secret keys from each players, i.e. each secret key (K_A or K_B) or session key (R) can not be modified intentionally after it has been sent to others. A multiparty SQKA protocol assumes that the number of honest players should be the majority, i.e. at least half of the players are honest in our protocols. Otherwise, they can not negotiate an agreed key among them.

We firstly discuss the fairness of our three-party SQKA protocols. Note that the quantum Alice is more powerful than the other classical players since she controls session keys among classical players. Dishonest Alice might try to fully control the negotiated key without the participation of classical Bob and Charlie. For example, suppose Alice sets $({R}_{1}\oplus {R}_{3})^{\prime} \,={R}_{1}\oplus {R}_{3}\oplus {K}_{C}$, Charlie will decode Bob’s secret key as ${K}_{B}^{{\prime} }\,={K}_{B}\oplus {K}_{C}$. If Alice publishes $({K}_{1}\oplus {K}_{A})^{\prime} ={K}_{1}\oplus {K}_{A}\oplus {K}_{B}$, Charlie will decode Alice’s secret key ${K}_{A}^{{\prime} }={K}_{A}\oplus {K}_{B}$, which implies that Charlie’s agreed key becomes $K^{\prime} \,={K}_{A}^{{\prime} }\oplus {K}_{B}^{{\prime} }\oplus {K}_{C}={K}_{A}\oplus {K}_{B}\oplus {K}_{B}\oplus {K}_{C}\oplus {K}_{C}={K}_{A}$. Similarly, if Alice sets $({R}_{2}\oplus {R}_{4})^{\prime\prime} ={R}_{2}\oplus {R}_{4}\oplus {K}_{B}$ and $({K}_{2}\oplus {K}_{A})^{\prime\prime} ={K}_{2}\oplus {K}_{A}\oplus {K}_{C}$, Bob will decode Charlie’s secret key as ${K}_{C}^{{\prime\prime} }={K}_{B}\oplus {K}_{C}$, and Alice’s as ${K}_{A}^{{\prime\prime} }={K}_{A}\oplus {K}_{C}$. Subsequently, Bob’s agreed key becomes $K^{\prime\prime} \,={K}_{A}^{{\prime\prime} }\oplus {K}_{B}\oplus {K}_{C}^{{\prime\prime} }={K}_{A}\oplus {K}_{C}\oplus {K}_{B}\oplus {K}_{B}\oplus {K}_{C}={K}_{A}$. In this case, the agreed key is fully decided by Alice.

To prevent Alice from sending wrong information (K_A, ${R}_{1}\oplus {R}_{3}$, and ${R}_{2}\oplus {R}_{4}$) to classical players, Bob and Charlie can perform the verification as follows. Bob and Charlie first check the integrity of K_A. They calculate the key he (she) received as ${K}_{A}^{{\prime} }$ (${K}_{A}^{{\prime\prime} }$), then they check whether their hash values are the same by comparing ${h}_{1}({K}_{A})\mathop{=}\limits^{?}{h}_{1}({K}_{A}^{{\prime} })$ and ${h}_{2}({K}_{A})\mathop{=}\limits^{?}{h}_{2}({K}_{A}^{{\prime\prime} })$, respectively. Secondly, Bob calculates ${R}_{4}^{{\prime} }=({R}_{2}\oplus {R}_{4})^{\prime} \oplus {R}_{2}$, and checks whether ${h}_{3}({R}_{2}\oplus {R}_{4})\,\mathop{=}\limits^{?}{h}_{3}({R}_{2}\oplus {R}_{4}^{{\prime} })$. Similarly, Charlie calculates ${R}_{1}^{{\prime} }=({R}_{1}\,\oplus {R}_{3})^{\prime} \oplus {R}_{3}$, and checks whether ${h}_{4}({R}_{1}\oplus {R}_{3})\mathop{=}\limits^{?}{h}_{4}({R}_{1}^{{\prime} }\oplus {R}_{3})$. On the other hand, a dishonest classical player might send different players with different keys. To defeat this kind of attack, the other two players can work together to compare their keys by using a family of universal hash functions, as is shown in step (9) of Protocol 1.

For our multiparty SQKA protocol, a majority of players can cooperate to verify the other players’ honesty in a similar way to guarantee the fairness of the protocol.

4. Discussions and conclusions

The qubits efficiencies of our SQKA protocols are presented in table 1, where Protocol 3 is the (M+1)-party asymmetric SQKA protocol that includes one quantum player and M classical players. The qubits efficiency is defined as $\eta =\tfrac{s}{q+c}$ [50], where s is the length of the agreed key by the legitimate players, q is the number of qubits transmitted, and c is the number of classical bits needed. Note that the qubits efficiencies are calculated in the scenario without considering hash functions. For honest verification, the number of universal hash functions used are 9, 9, and M(M+2)+1 for Protocols 1, 2, and 3, respectively. As is shown, the communication efficiencies of our SQKA protocols are around O(M²) where M is the number of the classical players and $O(\cdot )$ is ‘big-O’ notation used in the communication complexity theory.


Table 1.
Table 1.Qubits efficiencies of our SQKA protocols, where M is the number of classical players, N is the length of each player’s secret key, and τ is the length of the REFLECT qubits used for security detection.

	Protocol 1	Protocol 2	Protocol 3
Key length: s	N	N	N
Qubits costs: q	32N	16N+4τ	$4{M}^{2}N+2M\tau $
Classical costs: c	22N	14N + 2τ	$4{M}^{2}N-{MN}+M\tau $
Efficiency: η	$\approx \tfrac{1}{54}$	$\approx \tfrac{N}{30N+6\tau }$	$\approx \tfrac{N}{8{M}^{2}N-{MN}+3M\tau }$

New window|CSV

As is shown in table 2, our protocols have fewer quantum requirements for classical players since they only need the ability to measure or prepare in the classical basis. While the existing SQKA protocol [44] needs the ability of reordering qubits for the classical player. The classical player in [44] needs to perform qubits permutations, which implies he has to delay or store quantum states for the implementation of a permutation. Besides, our SQKA protocols use single-photons as message carriers rather than entanglements in [44]. All of which means our protocols are easier to implement than the previous one.


Table 2.
Table 2.Comparisons of quantum requirements in our SQKA protocols and the SQKA protocol in [44], where M is the number of classical players and ‘RQ’ represents reordering qubits.

	[44]	Protocol 1	Protocol 2	Protocol 3
Number of players	2	3	3	$M+1\geqslant 3$
Quantum states	Bell states	single-photons	single-photons	single-photons
RQ for classical players	Yes	No	No	No

New window|CSV

In conclusion, we have proposed a set of real multiparty SQKA protocols that require fewer quantum resources than the previous one, especially for classical players, while without the requirement of entanglement, all of which make them easier to implement. Our SQKA protocols include only one quantum player, which the others are classical. We first present a symmetric three-party SQKA protocol where qubits used for the quantum channel detection and the message carriage are the same. Then, we modify the protocol to an asymmetric one where fewer qubits are required for quantum channels detections, while security can still hold [48, 51]. And we further extend the asymmetric SQKA protocol to the most general one where an arbitrary number of classical players are included. The analysis shows that our protocols are secure against external eavesdroppers and are fair against a minority of internal dishonest players.

Acknowledgments

This project was supported by the National Natural Science Foundation of China (Grant No. 61601358) and the Natural Science Basic Research Plan in Shaanxi Province of China (Program No. 2019JM-291).

Reference View Option By original order
By published year
By cited within times
By Impact factor

[1]Bennett C H Brassard G 1984 Quantum cryptography: public key distribution and coin tossing
Proc. IEEE Int. Conf. on Computers Systems and Signal ProcessingBangalore, India175179
[Cited within: 2]

[2]Ekert A K 1991 Quantum cryptography based on Bell’s theorem
Phys. Rev. Lett. 67 661663
DOI:10.1103/PhysRevLett.67.661

[3]Gisin N Ribordy G Tittel W Zbinden H 2002 Quantum cryptography
Rev. Mod. Phys. 74 145195
DOI:10.1103/RevModPhys.74.145 [Cited within: 1]

[4]Hillery M Bužek V Berthiaume A 1999 Quantum secret sharing
Phys. Rev. A 59 1829
DOI:10.1103/PhysRevA.59.1829 [Cited within: 1]

[5]Wang M-M Chen X-B Yang Y-X 2014 Quantum secret sharing for general access structures based on multiparticle entanglements
Quantum Inf. Process. 13 429443
DOI:10.1007/s11128-013-0660-3

[6]Wang M-M Wang W Chen J-G Farouk A 2015 Secret sharing of a known arbitrary quantum state with noisy environment
Quantum Inf. Process. 14 42114224
DOI:10.1007/s11128-015-1103-0 [Cited within: 1]

[7]Dušek M Haderka O Hendrych M Myška R 1999 Quantum identification system
Phys. Rev. A 60 149156
DOI:10.1103/PhysRevA.60.149 [Cited within: 1]

[8]Howard B Claude C Daniel G Adam S Alain T 2002 Authentication of quantum messages
The 43rd Annual IEEE Symp. on Foundations of Computer ScienceVancouver, BC, Canada449458
[Cited within: 1]

[9]Zhou N Zeng G Xiong J 2004 Quantum key agreement protocol
Electron. Lett. 40 11491150
DOI:10.1049/el:20045183 [Cited within: 2]

[10]Tsai C W Hwang T 2009 On quantum key agreement protocol
Tech. Rep.C-S-I-E, NCKU, Taiwan, ROC
[Cited within: 1]

[11]Chong S-K Hwang T 2010 Quantum key agreement protocol based on BB84
Opt. Commun. 283 11921195
DOI:10.1016/j.optcom.2009.11.007 [Cited within: 1]

[12]Shi R-H Zhong H 2013 Multi-party quantum key agreement with Bell states and Bell measurements
Quantum Inf. Process. 12 921932
DOI:10.1007/s11128-012-0443-2 [Cited within: 1]

[13]Liu B Gao F Huang W Wen Q-Y 2013 Multiparty quantum key agreement with single particles
Quantum Inf. Process. 12 17971805
DOI:10.1007/s11128-012-0492-6 [Cited within: 1]

[14]Xu G-B Wen Q-Y Gao F Qin S-J 2014 Novel multiparty quantum key agreement protocol with GHZ states
Quantum Inf. Process. 13 25872594
DOI:10.1007/s11128-014-0816-9 [Cited within: 1]

[15]Huang W Su Q Xu B Liu B Fan F Jia H Yang Y 2016 Improved multiparty quantum key agreement in travelling mode
Sci. China Phys. Mech. Astron. 59120311
DOI:10.1007/s11433-016-0322-3

[16]Sun Z Yu J Wang P 2016 Efficient multi-party quantum key agreement by cluster states
Quantum Inf. Process. 15 373384
DOI:10.1007/s11128-015-1155-1

[17]Cao H Ma W 2017 Multiparty quantum key agreement based on quantum search algorithm
Sci. Rep. 7 45046
DOI:10.1038/srep45046

[18]Liu W-J Xu Y Yang C-N Gao P-P Yu W-B 2018 An efficient and secure arbitrary n-party quantum key agreement protocol using Bell states
Int. J. Theor. Phys. 57 195207
DOI:10.1007/s10773-017-3553-x

[19]Liu H-N Liang X-Q Jiang D-H Zhang Y-H Xu G-B 2019 Multi-party quantum key agreement protocol with Bell states and single particles
Int. J. Theor. Phys. 58 16591666
DOI:10.1007/s10773-019-04063-1

[20]Chou Y-H Zeng G-J Chang Z-H Kuo S-Y 2018 Dynamic group multi-party quantum key agreement
Sci. Rep. 8 4633
DOI:10.1038/s41598-018-21658-6

[21]Yang Y-G Li B-R Kang S-Y Chen X-B Zhou Y-H Shi W-M 2019 New quantum key agreement protocols based on cluster states
Quantum Inf. Process. 18 77
DOI:10.1007/s11128-019-2200-2 [Cited within: 1]

[22]Boyer M Kenigsberg D Mor T 2007 Quantum key distribution with classical Bob
Phys. Rev. Lett. 99140501
DOI:10.1103/PhysRevLett.99.140501 [Cited within: 3]

[23]Boyer M Gelles R Kenigsberg D Mor T 2009 Semiquantum key distribution
Phys. Rev. A 79032341
DOI:10.1103/PhysRevA.79.032341 [Cited within: 1]

[24]Lu H Cai Q-Y 2008 Quantum key distribution with classical Alice
Int. J. Quantum Inf. 06 11951202
DOI:10.1142/S0219749908004353 [Cited within: 2]

[25]Zou X Qiu D Li L Wu L Li L 2009 Semiquantum-key distribution using less than four quantum states
Phys. Rev. A 79052312
DOI:10.1103/PhysRevA.79.052312

[26]Wang J Zhang S Zhang Q Tang C-J 2011 Semiquantum key distribution using entangled states
Chin. Phys. Lett. 28100301
DOI:10.1088/0256-307X/28/10/100301

[27]Zou X Qiu D Zhang S Mateus P 2015 Semiquantum key distribution without invoking the classical party’s measurement capability
Quantum Inf. Process. 14 29812996
DOI:10.1007/s11128-015-1015-z

[28]Krawec W O 2015 Mediated semi-quantum key distribution
Phys. Rev. A 91032323
DOI:10.1103/PhysRevA.91.032323 [Cited within: 3]

[29]Boyer M Katz M Liss R Mor T 2017 Experimentally feasible protocol for semiquantum key distribution
Phys. Rev. A 96062335
DOI:10.1103/PhysRevA.96.062335

[30]Krawec W O 2018 Practical security of semi-quantum key distribution
Proc. SPIE 106601066009
DOI:10.1117/12.2303759

[31]Krawec W O Geiss E P 2018 Semi-quantum key distribution with limited measurement capabilities
2018 Int. Symp. on Information Theory and Its Applications (ISITA)Singapore462466
[Cited within: 2]

[32]Zhang W Qiu D 2017 A single-state semi-quantum key distribution protocol and its security proof
arXiv:1612.03087
[Cited within: 1]

[33]Zhang X-Z Gong W-G Tan Y-G Ren Z-Z Guo X-T 2009 Quantum key distribution series network protocol with m-classical Bobs
Chin. Phys. B 18 21432148
DOI:10.1088/1674-1056/18/6/006 [Cited within: 1]

[34]Krawec W O 2015 Security proof of a semi-quantum key distribution protocol
2015 IEEE Int. Symp. on Information Theory (ISIT)Hong Kong, China686690
[Cited within: 2]

[35]Krawec W O 2017 Quantum key distribution with mismatched measurements over arbitrary channels
Quantum Inf. Comput. 3&4 209241
DOI:10.26421/QIC17.3-4

[36]Zhang W Qiu D Mateus P 2018 Security of a single-state semi-quantum key distribution protocol
Quantum Inf. Process. 17 135
DOI:10.1007/s11128-018-1904-z [Cited within: 2]

[37]Li Q Chan W H Long D-Y 2010 Semiquantum secret sharing using entangled states
Phys. Rev. A 82022303
DOI:10.1103/PhysRevA.82.022303 [Cited within: 1]

[38]Wang J Zhang S Zhang Q Tang C-J 2012 Semiquantum secret sharing using two-particle entangled state
Int. J. Quantum Inf. 101250050
DOI:10.1142/S0219749912500505

[39]Li L Qiu D 2013 Quantum secret sharing with classical Bobs
J. Phys. A: Math. Theor. 46045304
DOI:10.1088/1751-8113/46/4/045304

[40]Xie C Li L Qiu D 2015 A novel semi-quantum secret sharing scheme of specific bits
Int. J. Theor. Phys. 54 38193824
DOI:10.1007/s10773-015-2622-2 [Cited within: 1]

[41]Nie Y-Y Li Y-H Wang Z-S 2013 Semi-quantum information splitting using GHZ-type states
Quantum Inf. Process. 12 437448
DOI:10.1007/s11128-012-0388-5 [Cited within: 1]

[42]Zou X Qiu D 2014 Three-step semiquantum secure direct communication protocol
Sci. China Phys. Mech. Astron. 57 16961702
DOI:10.1007/s11433-014-5542-x [Cited within: 1]

[43]Wang M-M Liu J-L Gong L-M 2019 Semiquantum secure direct communication with authentication based on single-photons
Int. J. Quantum Inf. 171950024
DOI:10.1142/S0219749919500242 [Cited within: 1]

[44]Shukla C Thapliyal K Pathak A 2017 Semi-quantum communication: protocols for key agreement, controlled secure direct communication and dialogue
Quantum Inf. Process. 16 295
DOI:10.1007/s11128-017-1736-2 [Cited within: 7]

[45]Gu J Lin P-H Hwang T 2018 Double C-NOT attack and counterattack on ‘three-step semi-quantum secure direct communication protocol
Quantum Inf. Process. 17 182
DOI:10.1007/s11128-018-1953-3 [Cited within: 1]

[46]Lvovsky A I Sanders B C Tittel W 2009 Optical quantum memory
Nat. Photon. 3 706714
DOI:10.1038/nphoton.2009.231 [Cited within: 1]

[47]Liu W-J Chen Z-Y Ji S Wang H-B Zhang J 2017 Multi-party semi-quantum key agreement with delegating quantum computation
Int. J. Theor. Phys. 56 31643174
DOI:10.1007/s10773-017-3484-6 [Cited within: 1]

[48]Lo H-K Chau H F Ardehali M 2005 Efficient quantum key distribution scheme and a proof of its unconditional security
J. Cryptol. 18 133165
DOI:10.1007/s00145-004-0142-y [Cited within: 2]

[49]Tan Y-G Lu H Cai Q-Y 2009 Comment on ‘quantum key distribution with classical Bob’
Phys. Rev. Lett. 102098901
DOI:10.1103/PhysRevLett.102.098901 [Cited within: 1]

[50]Cabello A 2000 Quantum key distribution in the Holevo limit
Phys. Rev. Lett. 85 56355638
DOI:10.1103/PhysRevLett.85.5635 [Cited within: 1]

[51]Krawec W O 2015 Security proof of a semi-quantum key distribution protocol: extended version
arXiv:1412.0282
[Cited within: 1]