## Abstract

Quantum networks will provide multinode entanglement enabling secure communication on a global scale. Traditional quantum communication protocols consume pair-wise entanglement, which is suboptimal for distributed tasks involving more than two users. Here, we demonstrate quantum conference key agreement, a cryptography protocol leveraging multipartite entanglement to efficiently create identical keys between *N* users with up to *N-1* rate advantage in constrained networks. We distribute four-photon Greenberger-Horne-Zeilinger (GHZ) states, generated by high-brightness telecom photon-pair sources, over optical fiber with combined lengths of up to 50 km and then perform multiuser error correction and privacy amplification. Under finite-key analysis, we establish 1.5 × 10^{6} bits of secure key, which are used to encrypt and securely share an image between four users in a conference transmission. Our work highlights a previously unexplored protocol tailored for multinode networks leveraging low-noise, long-distance transmission of GHZ states that will pave the way for future multiparty quantum information processing applications.

## INTRODUCTION

Conference key agreement (CKA) is a multiuser protocol for sharing a common information-theoretic secure key beyond the two-party paradigm (*1*). This key allows group-wide encryption for authenticated users to communicate securely, wherein, exclusively, members of the group can decrypt messages broadcast by any other member. Traditional two-party quantum key distribution (2QKD) primitives (*2*–*5*) can be used to share *N-1* individual key pairs between *N* users followed by classical computational steps to distill a conference key. However, this is inefficient for producing conference keys when users have access to a fully connected quantum network, as envisioned in the “quantum internet” (*6*, *7*). An efficient alternative is to derive conference keys directly from multipartite entangled states created in these networks (*8*–*10*)—we refer to these methods as quantum CKA (QCKA).

QCKA is a generalization of entanglement-based QKD to *N* users (*1*). The currently most practical QCKA variant is based on the distribution of GHZ states (*9*). This protocol has been proven secure including for the finite-key scenario and offers performance advantages over conference key generation from pair-wise keys (2QKD) under different noise models, channel capacity constraints, and network router configurations (*8*, *9*, *11*–*15*). The clearest advantage of QCKA arises in true quantum networks (*16*): GHZ states can be distilled from an underlying network graph state in as little as a single network use, while 2QKD requires up to *N* − 1 copies to generate the required key pairs (*8*).

Here, we experimentally demonstrate the salient features of the N-BB84 protocol introduced in (*9*) with a state-of-the-art photonic platform. An untrusted quantum server prepares and distributes *L* rounds of the maximally entangled GHZ state, *N* participants in the network. In our work, we implement a four-party protocol consisting of Alice (A), Bob 1 (B_{1}), Bob 2 (B_{2}), and Bob 3 (B_{3}) (see Fig. 1A). Each user performs quantum measurements on their respective photon in either the *Z*-basis {∣0⟩, ∣1⟩} constituting type-1 rounds or the *X*-basis *p*, for a total of *m* = *L* · *p* rounds, and are used to detect the presence of an eavesdropper. Users coordinate the measurement sequence using *L* · *h*(*p*) bits of a preshared key; here, *h*( · ) is the Shannon entropy. In particular, one user generates the *L*-bit string, indicating the measurement type of each round. The string can be classically compressed, shared, and decompressed by the other parties. Note that the values of *p* are typically on the order of 0.02, leading to a small value of *h*(*p*), i.e., the amount of information to be initially preshared is small.

Once the measurements are complete, the users proceed to verifying the security of their key by performing parameter estimation. All users announce their outcomes for a subset of the type-1 rounds, *m* in total and randomly chosen, and all *m* type-2 rounds to determine *i* = {1, 2, 3} and *n* = *L* − 2*m* bits forming the raw conference key, subsequently corrected with an error correction scheme and shortened with privacy amplification to ensure security. Last, all users remove *L* · *h*(*p*) bits from their secret conference key to encode the preshared keys for subsequent protocols. Hence, our protocol is a key-growing routine, as in any known QKD scheme.

## RESULTS

In our experiment (see Fig. 1B), we use two high-brightness, polarization-entangled photon-pair sources (*17*) at telecommunication wavelength (1550 nm). We generate four-photon GHZ states by nonclassically interfering one photon from each source on a polarizing beamsplitter (PBS), which has success probability of 1/2 [see, for example, (*18*) or Materials and Methods for details]. We use commercially available superconducting nanowire single-photon detectors (SNSPDs) with typical quantum efficiencies of >80% at this wavelength.

We establish the upper bound on the performance of our protocol by assuming an infinite number of rounds can be performed, *L* → ∞. In this asymptotic regime, nearly all rounds are used to extract the raw key, *p* → 0. We evaluate the asymptotic key rate (AKR) as the fraction of secret bits, ℓ, extracted from the total rounds (*9*)*h*(*x*) = −*x*log_{2}*x*−(1−*x*)log_{2}(1−*x*). From Eq. 1, we note that the AKR depends only on the noise parameters *Q _{X}* and QBER. We estimate these parameters experimentally using a large sample size of type-1 and type-2 measurements to minimize uncertainties. The results are shown in Fig. 2.

We denote the network topology as {*d*_{1}, *d*_{2}, and *d*_{3}}, where *d*_{i} is the fiber length in kilometers between *B*_{i} and the server. Alice remains fixed at 2 m from the server in all cases. We implement four scenarios, such as {0, 0, 0}, {0, 0, 20}, {0, 10, 20}, and {20, 10, 20}, corresponding to measured network losses (in dB) of 0, 4.84, 7.57, and 11.77. The observed four-photon generation rates *g*_{R} for these scenarios are 40.89, 12.68, 6.31, and 2.03 Hz. The conference key rate is determined as a product of the fractional AKR and the recorded generation rates *g*_{R}. In all cases, we observe similar noise parameters, and thus AKR, indicating that the entanglement quality is not degraded substantially by the transmission in fibers. The experimental AKR is mainly limited by multiple-pair generations at the sources and by spectral impurities of the photons (see the Supplementary Materials for details). Our work demonstrates the distribution of 1550-nm four-qubit entangled state in long telecom fibers, proving the viability of polarization-encoded photons to remain highly entangled over long distances.

We also include the adjusted conference key rates when we perform the protocol with actively switched measurement bases. In our experiment, this is accomplished by rotating wave plates with motorized stages that are slow compared to the clock rate of our sources. Hence, this leads to a reduced overall rate as shown in Fig. 2 (see Materials and Methods for details).

The AKR results allowed us to establish upper bounds for several different fiber arrangements comparably quickly. To also show the N-BB84 performance in a real-world scenario, we implemented the complete protocol, including error correction and privacy amplification, for a fifth asymmetric fiber network {5, 10, 20} with a measured loss of 9.53 dB in total. Because of the low rates, we need to apply finite-key analysis for this step, i.e., the secret key rate (SKR) is adjusted to account for finite statistics from parameter estimation. For our experiment, we determine the optimal fraction of type-2 measurements to be *p* = *m*/*L* = 0.012. With this value of *p*, the amount of information reserved for the preshared key is *h*(*p*) = 0.093 (see Materials and Methods for more details). Moreover, we set a total security parameter i.e., the maximal probability that an eavesdropper gains nonzero information about the key to be 1.8 × 10^{−8} (see the Supplementary Materials for details).

We obtain more than 4.09 × 10^{6} type-1 rounds and 5.01 × 10^{4} type-2 rounds during 177 hours of continuous measurement. Because of the long measurement time, active polarization feedback was implemented to minimize noise owing to thermal drifts in the laboratory (see Materials and Methods for details). Once the raw key is distilled by all users, we implement one-way error correction using low-density parity check (LDPC) codes complying with the Digital Video Broadcasting (DVB-S2) standard (*19*). The code was adapted to our multiparty scenario, simultaneously correcting Bob 1, Bob 2, and Bob 3’s keys. This step ensures that all parties share a common key, which is not yet perfectly secure because of information leaked during error correction and any potential eavesdropping during the distribution step. To reduce the information held by any potential eavesdropper, we implement one round of privacy amplification on the entire raw key, reducing its final length. We use Toeplitz matrices for this purpose, a class of 2-universal hash functions (*20*) that can be implemented efficiently for our given key size.

We estimate the theoretical performance of our postprocessing steps by evaluating the noise parameters *Q _{X}* = 0.05 and QBER = 0.0159, which we use to calculate the upper bound set by Eq. 5 (see Materials and Methods) and plotted in Fig. 3A (dashed line). When performing the protocol in earnest with a finite dataset to estimate these parameters, we replace the Shannon limit for the error correction term

*h*(QBER

*+ 2ξ*

^{m}_{z}) in Eq. 5, with the fraction of parity bits disclosed by Alice.

Last, we use the secret conference key to encrypt an image of a Cheshire cat that is shared between the parties in a brief conference call (Fig. 3B). As shown, the key established by CKA enables any honest user in the group to share a secret message among all other honest parties. This is in contrast with quantum secret sharing, a multiuser task demonstrated previously (*21*, *22*), which requires cooperation among a majority subset of users to verify honesty and obtain the secret message.

## DISCUSSION

A number of QCKA protocols have been proposed, including “*N*-six-state” with three measurement bases (*8*). We implemented N-BB84 because it is experimentally friendly and enables higher rates for short keys (*9*). Novel QCKA variants include adaptations of two-party twin-field (*23*) and phase-matching (*24*) protocols. These are attractive due to the high rates achievable with weak coherent pulse sources. However, they require a common phase reference between all *N* users, which will be challenging in a network.

The N-BB84 protocol inherits several features from the entropic security proofs (*25*) for the entanglement-based two-party protocols it is based on. In particular, an eavesdropper’s knowledge can be bounded without full characterization of all parties’ measurement devices. The GHZ-state source can be completely untrusted. Alice’s measurement device is trusted to ensure mutually unbiased measurement bases. The Bob devices can then be untrusted, since any deviation from ideal *X* measurements negatively affects the security parameter *Q _{X}* (

*9*). Last, all measurement devices are assumed to be memoryless, i.e., each measurement outcome is independent from any other outcome, and detector efficiencies must be basis independent (

*25*). Adapting the QCKA protocol for full (measurement-) device independence is work in progress (

*26*,

*27*).

Another open question is that of the achievable rates in conference settings. For direct GHZ-state transmission as demonstrated here, quantum CKA scales unfavorably with the number of users due to the exponential reduction in multiphoton detection due to unavoidable transmission losses. However, loss will not be a problem in fully featured quantum networks, where CKA has a significant (*N-1*) rate advantage. General bounds for distributing multipartite entanglement in networks with nontrivial connectivity and noise have only very recently been established (*28*). For our own four-user scenario, we show in the Supplementary Materials that the QCKA rates have a nontrivial dependence on asymmetric network noise.

The rate comparison between QCKA and 2QKD in (*8*) did not account for the fact that 2QKD primitives incur not only postprocessing overheads in respect to QCKA but also a cost on the SKRs with respect to the underlying point-to-point rates. In 2QKD, (*N-1*) unique pair-wise keys are transformed into a common secret key via bit-wise XOR operations. If each bipartite key is ϵ-secure, then the final conference key is (*N-1*)ϵ-secure owing to the composability of this multistep approach (*29*). To obtain an ϵ-secure conference key, the individual keys have to be postprocessed to a security threshold

Future experimental development will focus on increasing GHZ rates, the extension to more conference parties, and field tests in established fiber networks (*4*). Multiparty entanglement applications beyond CKA include entanglement-assisted remote clock synchronization (*30*), quantum secret sharing (*21*, *22*, *31*), and GHZ-based repeater protocols (*32*).

## MATERIALS AND METHODS

### Entangled photon source

We produce photon-pairs using type-2 collinear spontaneous parametric down conversion implemented in a 22-mm-long periodically poled KTP (PPKTP) crystal. Both of our sources are optically pumped using a mode-locked laser operating with a nominal repetition rate of 80 MHz, 1.4-ps pulses, and its central wavelength at 774.9 nm. A passive pulse interleaver is used to quadruple the 80-MHz pulse train to 320 MHz (*33*). The PPKTP crystals are embedded within a polarization-based Sagnac interferometer (*17*) and pumped bidirectionally using a half-wave plate (HWP) to set diagonally polarized light to create polarization-entangled photons at 1549.8 nm in the approximate state*h*⟩ ≡ ∣0⟩ and ∣*v*⟩ ≡ ∣1⟩ represent horizontal and vertical polarizations, respectively. This state can be mapped to any Bell state via local operation on one of the two photons.

With loose bandpass filters of 3-nm bandwidth, we measure an average source brightness of ∼4100 pairs/mW per second, with a symmetric heralding efficiency of ∼60% (*34*). The average heralding efficiency reduces by ∼12%, with a commensurate decrease of 45% in source brightness at the point of detection of the four users for zero fiber length. We characterize each photon pair source by performing quantum state tomography, reconstructing the density matrix using a maximum-likelihood estimation followed by Monte-Carlo simulations based on Poissonian count statistics to determine errors. For each source, we obtain a typical two-photon Bell-state fidelity *F* = 95.58 ± 0.15% and purity *P* = 92.07 ± 0.27%, while entanglement is measured by C = 92.38 ± 0.21%.

The four-photon GHZ state is created by interfering one photon from each source on a PBS, which transmits horizontally and reflects vertically polarized photons. After selecting on the case where one photon is emitted in each output, which occurs with a probability of 1/2, we obtain the state*P* = 81.39 ± 0.83% and *F* = 87.58 ± 0.48%, respectively.

### Active switching

Most QKD protocols require random switching of the measurement basis, either passively or actively, with each clock cycle. This is also required for the N-BB84 protocol, with the optimal performance attained by ensuring users switch between the *Z*/*X* measurement bases according to a pre-agreed random sequence. Since all users implement the same measurement sequence, passive basis choice cannot be used to achieve the optimal key rates. Note that if passive random measurements are used followed by reconciliation among the *N* users, then the overall key rate incurs a ∼1/(2* ^{N}*) reduction, as the fraction of useable rounds depends on attaining the correct

*Z*

^{⊗N}and

*X*

^{⊗N}, respectively.

As noted, *p* is typically small; hence, switching between bases occurs relatively infrequently. In addition, the multiphoton detection rates in our experiment are low; hence, the standard method of polarization switching with electro-optic modulators would be excessive. We therefore implemented active switching using motorized rotation stages with switching speeds on the order of seconds—marginally slower than our average required switching periods, which reduces the maximum possible raw generation rate *g*_{R}.

We evaluate the adjusted generation rate *p* = 0.02; thus, 20 type-2 rounds are randomly allocated in the measurement sequence. We measured the reduced key generation rate and found

This adjustment ratio is rate dependent. We find the lower bound on _{s} is the switching speed. We use this equation to extrapolate the adjusted generation rates obtained in the asymptotic case, as shown by orange dots in Fig. 2.

### Active polarization control

The optical fiber links in our experiment are realized by spools of bare SMF28 fiber. Thermal drifts in the laboratory introduces unwanted rotations in polarization, which, if uncorrected, leads to added noise in the protocol. These effects are typically negligible for short-fiber lengths, e.g., in our testing, we found that the 5-km spool added no observable noise greater than with a 2-m fiber link, while the 10- and 20-km spools showed significant added noise in *Q*_{ABi} measurements.

We implement active polarization control to correct for these effects during key transmission to preserve low-noise operation throughout the protocol. The feedback control loop is implemented by performing single-qubit tomography in each fiber to characterize the unitary transformation on the polarization qubits. We then use the polarization optics in the measurement stages to undo the rotations on the qubits and perform measurements in the required basis. In our setup, we carry out one-qubit tomography of all four fiber links simultaneously, including postprocessing, to obtain an estimate of the unitary operation and implement the corrective action on the motorized waveplates. This takes less than 30 s and is performed once every ∼20 min for an optimal trade-off between maintaining a high-duty cycle while minimizing bit error rates.

This feedback loop is not monitored for tampering by an eavesdropper. From a strict security perspective, a clever adversary may exploit this channel for executing a variant of the “time-shift” attack to gain control over a user’s detectors. In principle, this can be mitigated by each user who swaps which detectors register the {∣0⟩, ∣1⟩, ∣+ ⟩, ∣−⟩} events randomly in each round by rotating their waveplates. This can be performed locally without additional communication overhead among users.

### Error correction using LDPC codes

The use of LDPC codes allows one party to initialize the routine by computing (*j – k*) parity check bits from a block of *k* raw bits using a *H*_{(j − k) × k} parity check matrix. The ratio *r* = *k*/*j* defines the code rate, and higher code rates correspond to a smaller amount of information disclosed for error correction. The DVB-S2 standard provides *H* matrices already computed for a set of different code rates specified by an encoding block size of *j* = 64^{′}800 bits. In our experiment, we set the code rate according to the estimated QBER using *m* samples with appropriate ξ_{Z} correction. From the provided set of code rates, we used 2/3, 3/4, and 4/5 for small, mid, and large values of *L*, as shown in Fig. 3A. Alice computes the parity check bits by applying the parity check matrix *H* to *k*-bit blocks of her raw key. She then sends the parity check bits, together with *H*, to all parties through authenticated classical channels. With the information provided by the parity check bits, each Bob implements a decoding algorithm on his respective raw key, consisting of simple addition, comparison, and table look-up operations. The codes used here have been modified from MATLAB communication packages based on the DVB-S2 standards (*19*). The number of parity bits communicated during error correction (EC) is discarded to ensure security of the final conference key.

Optimal multiuser postprocessing for QCKA is still an open question. We know that CASCADE (*35*) can be more efficient than LDPC in the two-party setting for small error rates (*36*). However, as CASCADE relies on bidirectional communication, any benefits are quickly diminished by the increased communication overhead and required additional bit disclosures incurred between Alice and each Bob. In contrast, LDPC codes disclose a fixed amount of information that depends only on the largest QBER between Alice and any of the Bobs in the network. To the best of our knowledge, no proof exists for the optimal strategy to achieve the minimal bit disclosure rate when implementing error correction in multiuser QKD, and we leave this as an open question for future work.

### Finite-key conference rate

When using a finite number of rounds, the estimated parameters *m* type-2 and type-1 rounds, are affected by statistical error which must be taken into account in the final key rate. The fractional key rate is given by*N* is number of users in the protocol, (ξ_{X}, ξ_{Z}) are finite-key correction terms, and (ϵ_{EC}, ϵ_{PE}, ϵ_{PA}) sets are the security parameters of our protocol (see the Supplementary Materials for further details). The *h*(*p*) term in Eq. 5 is the fraction of the final key removed after privacy amplification (PA) to account for the preshared key required for marking the type-2 rounds.

## SUPPLEMENTARY MATERIALS

Supplementary material for this article is available at http://advances.sciencemag.org/cgi/content/full/7/23/eabe0395/DC1

This is an open-access article distributed under the terms of the Creative Commons Attribution-NonCommercial license, which permits use, distribution, and reproduction in any medium, so long as the resultant use is **not** for commercial advantage and provided the original work is properly cited.

## REFERENCES AND NOTES

**Acknowledgments:**

**Funding:**This work was supported by the UK Engineering and Physical Sciences Research Council (grant numbers EP/N002962/1 and EP/T001011/1). F.G. acknowledges the financial support from the European Union’s Horizon 2020 research and innovation program under the Marie Skłodowska-Curie grant agreement no. 675662. M.M. acknowledges the funding from the QuantERA ERA-NET Co-fund (FWF project I3773-N36) and the UK EPSRC (EP/P024114/1).

**Author contributions:**A.F. and M.M. conceived the project. M.P., J.H., and P.B. performed the experiment and collected the data. J.H. and M.P. analyzed the data. F.G., M.P., and J.H. developed the theory results. All authors contributed to writing the manuscript.

**Competing interests:**The authors declare that they have no competing interests.

**Data and materials availability:**All data needed to evaluate the conclusions in the paper are present in the paper and/or the Supplementary Materials. Additional data related to this paper may be requested from the authors.

- Copyright © 2021 The Authors, some rights reserved; exclusive licensee American Association for the Advancement of Science. No claim to original U.S. Government Works. Distributed under a Creative Commons Attribution NonCommercial License 4.0 (CC BY-NC).