Open-Destination Measurement-Device-Independent Quantum Key Distribution Network

Quantum key distribution (QKD) networks hold promise for sharing secure randomness over multi-partities. Most existing QKD network schemes and demonstrations are based on trusted relays or limited to point-to-point scenario. Here, we propose a flexible and extensible scheme named as open-destination measurement-device-independent QKD network. The scheme enjoys security against untrusted relays and all detector side-channel attacks. Particularly, any users can accomplish key distribution under assistance of others in the network. As an illustration, we show in detail a four-user network where two users establish secure communication and present realistic simulations by taking into account imperfections of both sources and detectors.


Introduction
Quantum key distribution (QKD) [1][2][3][4] provides unconditional security between distant communication parties based on the fundamental laws of quantum physics. In the last three decades, QKD has achieved tremendous progress in both theoretical developments and experimental demonstrations. To extend to a large scale, the QKD network holds promise to establish an unconditionally secure global network. Different topologies for QKD network have been demonstrated experimentally during the past decades [5][6][7][8][9][10][11]. However, due to high demanding on security and the relatively low detection efficiency, the realization of large-scale QKD networks is still challenging.
On the one hand, many previous demonstrations of quantum networks heavily rely on the assumption of trusted measurement devices. From security point of view, however, such assumption is challenging in realistic situations, as various kinds of detector side-channel attacks are found due to the imperfections of practical devices [12][13][14][15][16]. Fortunately, measurement-device-independent QKD (MDI-QKD) protocol [17,18] can remove all kinds of attacks in the detector side-channel. Since its security does not rely on any assumptions on measurement devices, MDI-QKD networks are expected

Open-Destination MDI-QKD Network
Consider an N-party quantum network. We are particularly interested in the case where arbitrary two users want to share secure keys. This scenario is denoted as (N, 2) for convenience. To simplify the discussion, here we focus on the star-type network, where both the user and a central source emit quantum signals. The signals are measured by untrusted relays located between each user and the central source.

Protocol
The (N, 2) open-destination MDI-QKD runs as follows. An illustration of the (4, 2) example is shown in Figure 1.
Step. 1 Preparation: A third party, which may be untrusted, prepares N-partite GHZ state where |0 and |1 denote two eigenstates of the computational basis Z. All users prepare BB84 polarization states, i.e., |0 , |1 , |+ , and |− with |± = (|0 ± |1 )/ √ 2 being the two eigenstates of the basis X. The third party and all users distribute the prepared quantum states to their relays, which may also be untrusted.
Step. 3 Announcement: All relays announce their successful BSM results among a public classical authenticated channel. The two communication users announce their photons bases, and other users announce their states prepared in the X basis.
Step. 4 Sifting: The two communication user keep the strings where all the relays get successful BSM results and other users use X bases. Then, they discard the strings where different preparation bases are used. To guarantee their strings to be correctly correlated, one of the two users flip or not flip his/her bit according to the corresponding BSM results and other users' prepared states (see Appendix A for details). Then, the two users obtain the raw key bits.
Step. 5 Post-processing: The two communication users estimate the quantum phase error and quantum bit error rate (QBER) in Z and X bases, according to which they further perform error correction and privacy amplification to extract correct and secure keys.
In this protocol, the multi-partite GHZ state between distant users can also be established through a prior distributed singlets, following the scheme of Bose et al. [24]. In fact, the open-destination feature allows arbitrary two users in the network to share secure keys based on the same experiment statistics. To accomplish the task of MDI-QKD among arbitrary two users, a natural scheme is to establish direct MDI-QKD between each two users. This requires either the central source to adjust his devices such that EPR pairs (the maximally entangled quantum states of a two qubit system, named after Einsetin, Podolski and Rosen Paradox [25]) are sent along desired directions, or a number N(N − 1)/2 of two-user combinations to establish direct MDI-QKD using the same number of untrusted relays. The open-destination scheme is an alternative scheme. It does not require the central source to adjust his devices according to the demand of communications, at the same time involve only N untrusted relays. In a practical scenario, all the users can use weak coherent pulses to reduce experimental cost and apply decoy-state techniques [26][27][28] to avoid photon-number-splitting attack, as well as to estimate the gain and the error rate. An optical diagram for the polarization-encoding (4,2) open-destination measurement-device-independent quantum key distribution (MDI-QKD) network. The GHZ source outputs 4-partite GHZ entangled state in polarization and the light source outputs BB84 polarization state. The BSM represents the Bell state measurement, where BS is the 50:50 beam splitter, PBS is the polarization beam splitter, and D 1H , D 2H , D 1V , and D 2V are single-photon detectors. A click in D 1H and D 2V , or in D 1V and D 2H , indicates a projection into the Bell state |ψ − = (|01 − |10 )/ √ 2, and a click in D 1H and D 1V , or in D 2H and D 2V , indicates a projection into the Bell state |ψ + = (|01 + |10 )/ √ 2.

Correctness and Security Analysis
We will show the correctness and security of the open-destination MDI-QKD protocol, i.e., the communication users end up with sharing a common key in an honest run and any eavesdropper can only obtain limited information of the final key. The following analysis applies for the (N, 2) case. As an illustration, we show a detailed derivation of the (4,2) in Appendix A.
For the correctness of the protocol, we show that after successful BSMs and other users announce the X-basis states, the two communication users can perform flip their bits locally to obtain perfectly correlated sifted keys. We start from rewriting the GHZ state as Here, χ ∈ {+, −} N−2 is a string of N − 2 bits with bit value "+" or "−" and σ χ = 0(1) if the number of "−" is even (odd).
We label each user by 1 , 2 , . . . , N and let the two communication users be 1 and 2 . In a successful run of the protocol, suppose that users 1 and 2 prepare states |α , |β ∈ {0, 1, +, −}, respectively, and other users 3 , . . . , N prepare state in the X basis, denoted as a string χ ∈ {+, −} N−2 . In addition, denote the successful BSM results as a string υ ∈ {+, −} N , with the kth bit υ k denoting the BSM outcome on the state prepared by the user k and the k-th particle of the GHZ state. Here, υ k = ± corresponds to projections |ψ ± ψ ± |, respectively. Then, when other users send states denoted by |χ and when all untrusted relays announce successful BSM results υ, the equivalent measurement M Here, τ = σ χ ⊕υ ⊕ υ 1 ⊕ υ 2 withυ = υ 3 υ 4 . . . υ N ∈ {+, −} N−2 and σ χ ⊕υ = +(−) if the number of "−" in χ ⊕υ is even (odd). Therefore, when the user 1 and 2 both prepare Z-basis states, or when they both prepare X-basis states with τ = 0, the corresponding strings are correctly correlated; otherwise, when they both prepare X-basis states but τ = 1, their strings are anticorrelated, and one party needs to flip all his/her bits.
For the security of the protocol, here we show that an open-destination MDI-QKD can be equivalent to a standard bipartite MDI-QKD if we only focus on the two communication users. Recall that, in the standard MDI-QKD, two parties, Alice and Bob, prepare and send quantum signals to a remote untrusted relay, which announces a successful BSM result or not. In our scheme, one can treat all parts outside the two users 1 and 2 as an untrusted relay [29]. That is, the GHZ source, the BSM setups and all other users serve as a big untrusted relay, and the successful BSM results in the standard MDI-QKD corresponds to all BSMs announcing successful measurements together with all other users announcing X-basis states (see Figure A1 as an example of the (4, 2) case). In this sense, our scheme is reduced to the MDI-QKD and the two has the same security. Additionally, although we require the preparation device of each user to be trusted in the protocol, the two communication users need not to trust these preparation devices of other users.

Key Generation Rate
The key generation rate for open-destination MDI-QKD can be derived similarly as the standard MDI-QKD, i.e., by converting it to an entanglement purification scheme. Suppose that the two communication users both have virtual singlets at their hands and then send one particle to the untrusted relays. In a successful run of the protocol, the remaining virtual particles of the two communication users will be entangled. When the entanglement between the virtual particles is sufficiently strong, the monogamy property of entanglement [30][31][32] guarantees the extraction of information-theoretically secure key bits between the two users. In this sense, the secret key rate can be roughly viewed as the gains of entanglement purification in the asymptotic case. Taking account of imperfections, such as basis misalignment, channel loss, and dark counts of the detectors, the key generation rate is given by the GLLP method [33] Here, we have assumed that the user 1 and 2 use Z basis to generate keys and use X basis to estimate phase errors. In the equation, Q ZZ denotes the overall gain in the Z basis, and e XX (e ZZ ) denotes the phase (bit) error rate, f > 1 is the error correction inefficiency for the error correction process, and is the binary Shannon entropy function. In a realistic experiment, if using weak coherent pulses and adopting decoy-state techniques, Q ZZ , e ZZ , and e XX can be efficiently estimated [27,28].

Comparison with the Standard MDI-QKD
The open-destination MDI-QKD network is different from the conventional MDI-QKD. The main difference comes from the open-destination feature, which in fact allows the all 2-party users in the network generate their own secure keys independently and simultaneously. There are in fact N(N − 1)/2 combinations of such two-party users. If one uses the conventional MDI-QKD scheme, the same number of untrusted relays are required. To increase the communication distance, one may further add the same number of relays and EPR sources to construct the user-relay-EPR source-relay-user structure. Such construction of quantum network could be expensive considering the number of devices required. One could also use the optical switches to reduce the number of relays; however, in this case the communication would be arranged in time order and some users have to wait. In the open-destination scheme, N untrusted relays are sufficient to connect each other supplied with good-quality GHZ central source. Although the distribution of GHZ states may lead to other technological challenges, the open-destination scheme can reduce the number of devices significantly in constructing the network. As for the performance, the two schemes in fact have similar performance in the ideal case. The difference is that the open-destination scheme generates secure keys for any two-party users in one round of implementation while the bipartite MDI-QKD scheme costs N(N − 1)/2 rounds. Furthermore, the open-destination scheme also establishes conference key agreements among arbitrary users, which can not be accomplished directly via the bipartite MDI-QKD. We will discuss this case in the next section.

Numerical Simulation
As an example, we will analyze the secure key rate for the (4,2) open-destination MDI-QKD (see Appendices B and C for details). For simplicity, the single-photon source and the asymptotic approximations are assumed. We let the BSM setups be located in each user's side, although, in a realistic experiment, the BSM setups can be located in anywhere to increase the communication distance. We suppose that quantum channels are identically depolarizing such that untrusted relays receive the GHZ state in a mixture form [34]: where 0 ≤ p ≤ 1. We also assume that all detectors are identical, i.e., they have the same dark count rates and the same detection efficiencies. After numerical simulation, the lower bound of secure key rates with respective to communication distance between user and central source are shown in Figure 2. Lower bound on the secret key rate R versus communication distance between communication users using Werner-like states source. The red line denotes p = 1, i.e., the perfect GHZ source. The parameters are chosen according to experiments [35] : the detection efficiency η d = 40%, the misalignment-error probability of the system e d = 2%, the dark count rate of the detector p d = 8 × 10 −8 , the error correction efficiency f = 1.16, the intrinsic loss coefficient of the standard telecom fiber channel α = 0.2 dB/km. The simulation shows that the secure key rate and the largest communication distance decrease when p decreases. To implement open-destination MDI-QKD efficiently, good-quality GHZ sources and single-photon sources are necessary. If such requirements are satisfied, our scheme can tolerate a high loss of more than 500 km of optical fibers, i.e., 100 dB, using perfect GHZ source and single-photon source, even when the BSM setups are located in every user's side. One can double the communication distance by putting the BSM setups in the middle of the users and the GHZ source, which is similar with the case in MDI-QKD [17,18]. For the realistic case where weak coherent pulses are used, our analysis can be generalized by considering the decoy state method [27,28] and following the procedures in Refs. [36,37].

Generalization to The (N,C) Case
As aforementioned, the complete analysis has been focused on the (N, 2) open-destination MDI-QKD case. Here, we show that the case of two communication users can also generalized to the case of C communication users. Note that the open-destination feature enables any C users to generate secure keys at the same time.
Suppose that, in an N-party quantum network with users 1, 2, · · · , N, the communication users are denoted by the subset C = {i 1 , i 2 , . . . , i C }, where C = |C|. The auxiliary set denoted by A consists of auxiliary users, i.e., users that assist communication users to generate secure keys, with A = |A| = N − C users. According to Equation (3), for a general C communication users case, the GHZ state can be rewritten as Here, χ ∈ {+, −} N−C is a string of N − C bits with bit value "+" or "−" and σ χ = 0(1) if the number of "−" is even (odd). Intuitively, with the assistance of N − C auxiliary users, C-qubit GHZ states are shared among arbitrary C communication users. Meanwhile, based on the C-qubit GHZ state, the communication users can complete different quantum information tasks with the merit of open destination, such as quantum conference key agreement [24,34,[38][39][40] and quantum secret sharing [39,[41][42][43]. In general, we call it the (N, C) open-destination quantum communication task. When C = 2, and the aim is to establish QKD, the task is reduced to the (N, 2) open-destination MDI-QKD network discussed above.
For instance, in the general case of (N, C) open-destination quantum conference key agreement, all users prepares and sends BB84 states to their respective untrusted relays. The central source simultaneously distribute the GHZ state, which is measured together with the state from user on the untrusted relay. When the relays announce successful BSM outcomes and when all auxiliary users announce their prepared states in X-basis, the communication users virtually share a multipartite entangled state, as the same of the (N, 2) case. After suitable local operations of bit flips, all communication users share correctly correlated bits.
By slightly modifying the scheme, the experimental cost, especially the number of detectors can be reduced significantly. For instance, when all users announce their preparation basis X for assisting others while keep the bits corresponding to Z basis for distill the key, any C users can share secure keys simultaneously. This is because their respective sifted keys corresponds to different portions of the raw data. If one insists on using the conventional two-party QKD and multi-party conference key agreement scheme to realize the same function of the open-destination scheme under discussion, about (2 N − 2)N detectors are required. In the open-destination scheme, the number of detectors is reduced to 4N, which only increases linearly with the user number N.
As an example, we consider the case of (N, 3) open-destination quantum conference key agreement. From Equation (10), the post-selected 3-party GHZ state is |φ ± 3-party = (|000 ± |111 )/ √ 2 according to the announcements of the states and the BSM results related with auxiliary users. Meanwhile, as shown in Table 1, an equivalent GHZ analyzer among three communication users can be obtained according to the post-selected GHZ state |φ ± 3-party and the BSM results of their corresponding relays. Then, according to the MDI-QCC protocol in Ref. [39], (N, 3) open-destination quantum conference key agreement can be directly conducted based on the equivalent GHZ analyzer.
Similar to the open-destination MDI-QKD in Section (2) of the (N, 2) case, the security of the (N, 3) open-destination quantum conference key agreement is also based on the entanglement purification discussion [39,44,45]. According to the multi-partite entanglement purification scheme [46], the secret key rate can be written as follows [34,39,40]: where Q Z is the overall gains when three communication users send out quantum states in Z basis, E Z 12 (E Z 13 ) is the marginal quantum bit error rate between user 1 and user 2 (3) in Z basis, E X is the overall quantum bit error rate in X basis, f is the error correction efficiency, and is the binary Shannon entropy function. Q Z , E X , E Z 12 , and E Z 13 can be gotten directly from the experimental results. Meanwhile, the estimation of key rate can be slightly different if the sources of users are weak coherent states [33].

Conclusions
As a conclusion, we proposed a flexible and extensible scheme of the (N, 2) open-destination MDI-QKD network. We proved the correctness and security of the protocol, and derived practical key generation rate formula. For an illustration, we studied a specific network where two of four users want to distill quantum secure keys. For the scenario, we presented a polarization-encoding scheme for experimental implementation and offered in detail a simulation by taking the imperfections in both source and detectors into account. The simulation results show that the scheme enjoys a promising structure and performance in real-life situation.
A significant virtue of our scheme is the security against untrustful relays and all detector side-channel attacks. Moreover, the open-destination feature enables any two users to establish MDI-QKD without changing the network structures. In fact, one can establish MDI-QKD among arbitrary users even after the entangled source have been distributed and all the measurements have been completed. Furthermore, following the multi-entanglement swapping scheme, the network can be extended into a large scale by adding shared multi-partite GHZ states.
We would like to remark that currently the efficiency was relatively low (seen from Figure 2). This can be overcome by taking optimization in network topology, basis selections, and measurements for both the auxiliary and communication parties, as well as considering asymmetric loss for various channels, etc., like techniques adopted in Ref. [47]. Any future improvement on distributing multipartite entanglement efficiently and effectively will definitely benefit the proposed scheme and push it forward practical applications.

Acknowledgments:
We thank Yu-Ao Chen and Qiang Zhang for valuable and enlightening discussions.

Conflicts of Interest:
The authors declare no conflict of interest.

Appendix A. Sifting Procedure of The (4,2) Case
In this section, we describe the sifting procedure of open-destination MDI-QKD in detail for the (4, 2) case. We will show that such scenario can be reduced to the standard MDI-QKD scenario. The general case can be proved in a similar way, as shown in the main text. The schematic diagram is depicted in Figure A1a.
We start by writing the GHZ state as Up to the announcement of the quantum state of users 3 and 4 , the BSM(s) of relays 3 and 4 on the received quantum state from GHZ source and quantum state from users 3 (4 ) can be treated as an equivalent projective measurement on the whole GHZ state. Specifically, if the relays 3 and 4 perform the BSM and obtain equivalent projective measurement results |00 or |11 (|01 or |10 ), the photons received by relays 1 and 2 will be projected into state |φ + = (|00 + |11 )/ √ 2 (|φ − = (|00 − |11 ) √ 2) according to Equation (A1). After announcement of the successful BSM results and the quantum states of auxiliary users 3 and 4 , the projected state received by relays 1 and 2 can be determined. So, one can treat the GHZ source, the BSM setups of relays 3 and 4 and the quantum state of auxiliary user 3 and 4 as an virtual entanglement source, which outputs different Bell states. The protocol is thus directly equivalent to MDI-QKD with an entangled source in the middle [29] as illustrated in Figure A1b. Since the virtual Bell state with two BSMs along each side can be equivalent to a virtual BSM, the scheme is finally equivalent to implement MDI-QKD between users 1 and 2 as showed in Figure A1c. Therefore, in an honest run, the protocol is reduced to the honest standard MDI-QKD scenario, and the parties will end up with sharing a common key. Firstly, notice that the projection measurement of two systems onto one Bell state can be viewed as a POVM (positive operator valued measure) on one system if one knows the state of the other system. For example, as shown in Figure A1a, a successful BSM result of |ψ − of the relay 3 with auxiliary photons from auxiliary 3 in the state |α 3 can be viewed as a POVM tr 3 [|ψ − ψ − | 33 |α α| 3 ] on the state 3. In the open-destination scheme, we have |α ∈ {|+ , |− } and the BSM results {|ψ + , |ψ − }. The correspondence between the POVM on the system k and the untrusted relay announces a successful BSM together with auxiliary state are listed in Table A1.
Secondly, when the two auxiliary users prepare X-basis photons and the corresponding relays get successful BSM results, according to Table A1, the total GHZ state collapses into one of the maximally entangled states |φ ± = 1 √ 2 (|HH ± |VV ) at the side of two communication users. Thirdly, at the sides of the two communication users, according to the post-selected Bell state |φ ± and the BSM results of their corresponding relays, a BSM between two communication users can be obtained. Such correspondence is listed in Table A2.
Finally, as shown in Table A3, according to the final equivalent BSM result and the preparation bases, one of the communication users apply a bit flip or not such that their keys can be correlated. In fact, only when both communication users select X basis and the final equivalent BSM result is |φ − , one of them needs to apply a bit flip. After many rounds, they obtain enough raw key bits that can be used in the following data post-processing process.

Appendix B. Detector Analysis
Since the BSM with the auxiliary photon is equivalent to an probabilistic projective measurement, one can use an equivalent detector to replace the BSM device with the corresponding light source in the key rate analysis. Here, we develop a method to derive the equivalent detector parameters, i.e., the detection efficiency and the dark count of the equivalent detector. We use the BSM setup with polarization encoding as illustrated in Figure A2.
In H/V basis, suppose that Alice and Bob encode the same polarization states; then, the state becomes as follows after the BS: where a † (b † ) denotes creation operators, and |vac denotes vacuum state. The probability of the successful BSM when the input states are |H and |H , is given by where η d is the detection efficiency, and p d is the dark count. Suppose that Alice and Bob encode different polarization state; then, after the BS, the state becomes as follows: The probability of the successful BSM when the input states are |H and |V is given by Thus, the equivalent detection probability when the input state is |H is given by Due to symmetry, the equivalent detection probability when the input state is |V has the same form with the case that the input state is |H , i.e., one has η V = η H . Similarly, by using the transformation relation under {+, −} basis one can ontain the equivalent detection probability when the input state is |+ as follows: Due to symmetry, one has η − = η + . We consider practical experimental parameters, which are listed in Table A4. For the experimental parameters, one arrives at where η Z d denotes the equivalent detection efficiency for H/V basis, i.e., Z basis, and η X d denotes the equivalent detection efficiency for +/− basis, i.e., X basis. To calculate the parameters for equivalent dark count, one should consider the case in which there was no incoming photon. Suppose the local photon being |H , and the incoming photon being vacumm state, the states become as follows after the BS: where b † H denotes the creation operator of local photon. So, one can get the probability of the successful BSM as follows: Due to symmetry, one has that P + = P − = P V = P H . Here, P x denotes the probability of the successful BSM result when the local photon is |x and there is no incoming photon. So, one can get the equivalent dark count as For the experimental parameters given in Table A4, one arrives at Finally, one can achieve the parameters for the equivalent detectors shown in Table A5.

Appendix C. Simulation for (4,2)-Scenario
For simulation purposes, one can assume practically that the source has the form of Werner-like states in which |GHZ 4 = (|HHHH + |VVVV )/ √ 2 is the 4-partite GHZ states, I/16 is the 4-partite maximal mixed states, and 0 ≤ p ≤ 1. As proven in the previous section, according to the measurement results of auxiliary side, the photons received by communication side will be projected into different Bell states. Here, we consider the case in which auxiliary side get the |+ ⊗ |+ results, due to the symmetry. When auxiliary side get the |+ ⊗ |+ result, the particles received by communication side will collapse into where φ + = (|HH + |VV )/ √ 2 is one of the Bell states. So, it is equivalent with the case in which the two communication users (denoted by Alice and Bob) perform an entanglement-based QKD using the two-qubit Werner states ρ AB as a source and the equivalent detectors as detection device, as illustrated in Figure A3, from the perspective of key rate analysis.
Taking these imperfections of the source and detectors into account, the key generation rate in a realistic setup will be given by In the following, we discuss how one can derive each quantity in this key rate formula, i.e., Q ZZ 11 , e XX 11 , Q ZZ µν , and E ZZ µν . Figure A3. Equivalent setup for Alice and Bob when tracing the BSM results of the auxiliary users. PBS denotes polarization beam splitter, PM denotes polarization modulator, and EPR denotes EPR source.
Yield. Denote the yield of single-photon pair as Y 11 , i.e., the conditional probability of a coincidence detection event given that the entanglement source emits an single-photon pair. Then, Y 11 is given by where Y 0A = Y 0B = p d are the background count rates on Alice's and Bob's sides in the Z basis, and η A = η B = η Z d × 10 −αL/20 denotes the total detection efficiency considering the channel loss. Equation (A17) is also applicable to the X basis. Then, the gain of the single photon part and the overall gain are given by Q ZZ µν = Q ZZ 11 = Y 11 . (A18) Error Rate. The error rate of single-photon pair in the X basis e XX 11 has three main contributions taking some imperfections into account: (i) The imperfections of entanglement source, i.e., the maximal mixed states component, which brings 50% error rate e 0 = 1/2; (ii) Background counts, which are random noises e 0 = 1/2; (iii) Intrinsic detector error e d , which characterizes the alignment and stability of the optical system. So, the error rate of single-photon pair e XX 11 is given as follows: where the first item comes from background counts, the second term comes from intrinsic errors, and the third term comes from the mixed part of the source. So, one achieves the error rate of single-photon pair e XX 11 as follows: Similarly, the error rate in the Z basis is given by