Single-State Multi-Party Quantum Key Agreement with Single-Particle Measurement

Abstract

In this study, we propose a single-state multi-party quantum key agreement (MQKA) protocol with single-particle measurement. Firstly, a single-state three-party quantum key agreement protocol with single-particle measurement is introduced, followed by a security analysis that validated its capability to resist potential internal and external attacks. Furthermore, we utilize multi-particle entangled states to present a multi-party version of the single-state multi-party quantum key agreement with single-particle measurement. In comparison to previous MQKA protocols, our approach presents the following advantages: it employs one kind of multi-particle entangled state as the quantum resource; eliminates the need for entanglement swapping techniques, unitary operations, or pre-shared keys between participants; uses only the X measurement basis and Z measurement basis; transmits fewer qubits; consumes fewer qubits; and has higher qubit efficiency.

1. Introduction

Quantum cryptography, with its theoretically unconditional security feature, has gradually become an important research area in the field of cryptography. Unlike classical cryptography, the security of quantum cryptography is based on the quantum no-cloning theorem and Heisenberg’s uncertainty principle. As a result, it has attracted significant attention from researchers. Quantum cryptography includes several research areas, such as quantum key distribution (QKD) [1,2,3,4], quantum secret sharing (QSS) [5,6,7], quantum secure direct communication (QSDC) [8,9,10], quantum private query (QPQ) [11,12,13,14], and quantum key agreement (QKA). Among these, quantum key agreement (QKA) requires each participant to equally contribute to the generation of the negotiated key, ensuring that any non-trivial subset of participants cannot independently determine the key. In 2004, Zhou et al. [15] innovatively applied quantum teleportation to key agreement, proposing the first quantum key agreement (QKA) protocol. However, Tsai et al. [16] identified a significant flaw in Zhou’s protocol where a participant could independently determine the negotiated key. Subsequently, Hsueh et al. [17] implemented a QKA protocol using maximally entangled states. Nevertheless, Hsueh et al.’s protocol was vulnerable to controlled-NOT attacks [18]. In 2011, Chong et al. [19] enhanced the security of Hsueh et al.’s protocol. In 2013, Shi et al. [20] extended the two-party QKA to be multi-party and proposed the first multi-party QKA protocol, which utilizes the Bell state as the quantum resource state and employs entanglement swapping technology. On this basis, Sun et al. [21] proposed an efficient quantum key agreement protocol based on commutative encryption. Wang et al. [22] proposed a multi-party semiquantum key agreement without entanglement. In addition to these efforts, numerous QKA protocols have been proposed, such as the schemes based on a single particle [23,24,25,26], the Bell state [27,28,29,30,31,32], and a multi-particle entangled state [33,34,35,36,37,38,39,40].

Resently, Xu et al. [41] proposed a single-state multi-party semiquantum key agreement protocol based on multi-particle entangled states which offers several key advantages: it uses only one kind of multi-particle entangled state as the initial quantum resource; it does not require pre-shared keys between different parties; and it eliminates the need for unitary operations or quantum entanglement swapping. Subsequently, Yang et al. [42] proposed an efficient single-state multi-party quantum key agreement which retains most of the advantages of Xu et al.’s scheme while achieving significant improvements in the number of quantum state transmissions, the number of qubits consumed, and qubit efficiency.

In this paper, a single-state three-party quantum key agreement protocol utilizing single-particle measurements is proposed. We conduct a detailed analysis demonstrating that our scheme can resist potential internal and external attacks. Furthermore, we extend the proposed single-state three-party quantum key agreement protocol to be N-party by using N-particle entangled states instead of three-particle entangled states as the quantum resource states. Compared to previous multi-party QKA schemes, our protocol retains most of the advantages presented in references [41,42] while only requiring the use of the X measurement basis and Z measurement basis. Additionally, our protocol further reduces the number of qubits transmitted and consumed, and enhances qubit efficiency.

The rest of the paper is organized as follows: In Section 2, we describe the single-state three-party quantum key agreement protocol in detail. Section 3 provides a security analysis of the protocol. In Section 4, we extend the proposed single-state three-party quantum key agreement protocol to be N-party. Section 5 discusses the performance of our scheme. Section 6 provides a conclusion.

2. The Proposed Single-State Three-Party Quantum Key Agreement with Single-Particle Measurement

Suppose $P_1$, $P_2$, and $P_3$ seek to establish a private key over a quantum channel, ensuring that each participant contributes equally to the generation of the key and that the key cannot be fully determined by any non-trivial subset of them. In the negotiation phase, the utilization of a hash function outputting m bits is necessary.

Step 1: $P_1$, $P_2$, and $P_3$ randomly generate the CHECK keys

$$\begin{array}{c}\hfill {\overline{K}}_{P_1}=\left\{{\overline{K}}_{P_1}^1,{\overline{K}}_{P_1}^2,\dots ,{\overline{K}}_{P_1}^l\right\},\end{array}$$

(1)

$$\begin{array}{c}\hfill {\overline{K}}_{P_2}=\left\{{\overline{K}}_{P_2}^1,{\overline{K}}_{P_2}^2,\dots ,{\overline{K}}_{P_2}^l\right\},\end{array}$$

(2)

$$\begin{array}{c}\hfill {\overline{K}}_{P_3}=\left\{{\overline{K}}_{P_3}^1,{\overline{K}}_{P_3}^2,\dots ,{\overline{K}}_{P_3}^l\right\},\end{array}$$

(3)

and the INFO keys

$$\begin{array}{c}\hfill K_{P_1}=\left\{K_{P_1}^1,K_{P_1}^2,\dots ,K_{P_1}^n\right\},\end{array}$$

(4)

$$\begin{array}{c}\hfill K_{P_2}=\left\{K_{P_2}^1,K_{P_2}^2,\dots ,K_{P_2}^n\right\},\end{array}$$

(5)

$$\begin{array}{c}\hfill K_{P_3}=\left\{K_{P_3}^1,K_{P_3}^2,\dots ,K_{P_3}^n\right\}.\end{array}$$

(6)

Here, l represents the number of the CHECK particles, n represents the length of the negotiated key, and ${\overline{K}}_{P_1},{\overline{K}}_{P_2},{\overline{K}}_{P_3},K_{P_1},K_{P_2},K_{P_3}\in \left\{0,1\right\}$. They calculate the hash values $H\left(K_{P_1}\right),H\left(K_{P_2}\right),H\left(K_{P_3}\right)$ corresponding to the keys $K_{P_1},K_{P_2},K_{P_3}$ and announce the values.

Step 2: $P_1$ prepares $l+n$ three-particle GHZ states $\left|GHZ\right.〉={\displaystyle \frac{1}{\sqrt{2}}}\left(\left|000\right.〉+\left|111\right.〉\right)$. For each GHZ state, $P_1$ keeps the first particle, and sends the second particle to $P_2$ and the third particle to $P_3$. We denote the first particle sequence as $S_{P_1}$, the second particle sequence as $S_{P_2}$, and the third particle sequence as $S_{P_3}$ as follows:

$$\begin{array}{c}\hfill S_{P_1}=\left\{S_{P_1}^1,S_{P_1}^2,\dots ,S_{P_1}^{l+n}\right\},\end{array}$$

(7)

$$\begin{array}{c}\hfill S_{P_2}=\left\{S_{P_2}^1,S_{P_2}^2,\dots ,S_{P_2}^{l+n}\right\},\end{array}$$

(8)

$$\begin{array}{c}\hfill S_{P_3}=\left\{S_{P_3}^1,S_{P_3}^2,\dots ,S_{P_3}^{l+n}\right\}.\end{array}$$

(9)

Step 3: After $P_2$ receives $S_{P_2}$ and $P_3$ receives $S_{P_3}$, $P_1$ randomly selects l particles as the CHECK particles, and informs $P_2$, $P_3$ of the positions of the CHECK particles. Here, the CHECK particles held by $P_1,P_2,P_3$ are denoted as $U_{P_1},U_{P_2},U_{P_3}$, respectively, as follows:

$$\begin{array}{c}\hfill U_{P_1}=\left\{U_{P_1}^1,U_{P_1}^2,\dots ,U_{P_1}^l\right\},\end{array}$$

(10)

$$\begin{array}{c}\hfill U_{P_2}=\left\{U_{P_2}^1,U_{P_2}^2,\dots ,U_{P_2}^l\right\},\end{array}$$

(11)

$$\begin{array}{c}\hfill U_{P_3}=\left\{U_{P_3}^1,U_{P_3}^2,\dots ,U_{P_3}^l\right\}.\end{array}$$

(12)

Then, $P_1,P_2,P_3$ announce the CHECK keys ${\overline{K}}_{P_1},{\overline{K}}_{P_2},{\overline{K}}_{P_3}$. They calculate

$$\begin{array}{c}\hfill \overline{K}={\overline{K}}_{P_1}\oplus {\overline{K}}_{P_2}\oplus {\overline{K}}_{P_3}.\end{array}$$

(13)

In this equation, $\overline{K}=\left\{{\overline{K}}^1,{\overline{K}}^2,\dots ,{\overline{K}}^l\right\}$. For the q-th CHECK particle, when the value of ${\overline{K}}^q$ is 0, $P_i$ uses basis Z to measure the particle $U_{P_i}^q$ and publishes the results, where $q\in \left\{1,2,\dots ,l\right\}$. When the value of ${\overline{K}}^q$ is 1, $P_i$ uses basis X to measure the particle $U_{P_i}^q$ and publishes the results, where $q\in \left\{1,2,\dots ,l\right\}$. Suppose that the measurement results in basis Z are $U_{z{P}_i}^q=\left\{+1,-1\right\}$, and in basis X are $U_{x{P}_i}^q=\left\{+1,-1\right\}$. According to the entanglement properties of the three-particle GHZ state and Equation (14),

$$\begin{array}{c}\hfill \begin{array}{c}\left|GHZ\right.〉={\displaystyle \frac{1}{\sqrt{2}}}\left(\left|000\right.〉+\left|111\right.〉\right)\hfill \\ ={\displaystyle \frac{1}{\sqrt{4}}}\left(\left|+++\right.〉+\left|+--\right.〉+\left|-+-\right.〉+\left|--+\right.〉\right)\hfill \end{array}.\end{array}$$

(14)

$P_i$ can check the correctness of the measurement results. When the chosen basis is Z, the measurement results must satisfy $U_{z{P}_1}^q=U_{z{P}_2}^q=U_{z{P}_3}^q$. When the chosen basis is X, the measurement results must satisfy ${\Pi }_{i=1}^3{U}_{x{P}_i}^q=1$. If the error exceeds the threshold, the protocol aborts. The remaining particles serve as INFO particles $V_{P_i}=\left\{V_{P_i}^1,V_{P_i}^2,\dots ,V_{P_i}^n\right\}$. $P_i$ measures the particles with basis Z.

Step 4: The measurement results are represented by $V_{z{P}_i}$. If the measurement result is $\left|0\right.〉$, its value is taken as 0; if the measurement result is $\left|1\right.〉$, its value is taken as 1. According to the entanglement properties of the three-particle GHZ state, we can obtain $V_{z{P}_1}=V_{z{P}_2}=V_{z{P}_3}$. $P_1$ calculates $E_{P_1}=V_{z{P}_1}\oplus K_{P_1}$ and sends it to $P_2$, $P_3$. $P_2$ calculates $E_{P_2}=V_{z{P}_2}\oplus K_{P_2}$ and sends it to $P_1$, $P_3$. $P_3$ calculates $E_{P_3}=V_{z{P}_3}\oplus K_{P_3}$ and sends it to $P_1$, $P_2$.

Step 5: $P_1$ calculates $H\left(E_{P_2}\oplus V_{z{P}_1}\right)$, $H\left(E_{P_3}\oplus V_{z{P}_1}\right)$. If $H\left(E_{P_2}\oplus V_{z{P}_1}\right)=H\left(K_{P_2}\right)$ and $H\left(E_{P_3}\oplus V_{z{P}_1}\right)=H\left(K_{P_3}\right)$, $P_1$ will infer the final negotiated key

$$\begin{array}{c}\hfill K=K_{P_1}\oplus \left(E_{P_2}\oplus V_{z{P}_1}\right)\oplus \left(E_{P_3}\oplus V_{z{P}_1}\right).\end{array}$$

(15)

$P_2$ calculates $H\left(E_{P_1}\oplus V_{z{P}_2}\right)$, $H\left(E_{P_3}\oplus V_{z{P}_2}\right)$. If $H\left(E_{P_1}\oplus V_{z{P}_2}\right)=H\left(K_{P_1}\right)$ and $H\left(E_{P_3}\oplus V_{z{P}_2}\right)=H\left(K_{P_3}\right)$, $P_2$ will infer the final negotiated key

$$\begin{array}{c}\hfill K=K_{P_2}\oplus \left(E_{P_1}\oplus V_{z{P}_2}\right)\oplus \left(E_{P_3}\oplus V_{z{P}_2}\right).\end{array}$$

(16)

$P_3$ calculates $H\left(E_{P_1}\oplus V_{z{P}_3}\right)$, $H\left(E_{P_2}\oplus V_{z{P}_3}\right)$. If $H\left(E_{P_1}\oplus V_{z{P}_3}\right)=H\left(K_{P_1}\right)$ and $H\left(E_{P_2}\oplus V_{z{P}_3}\right)=H\left(K_{P_2}\right)$, $P_3$ will infer the final negotiated key

$$\begin{array}{c}\hfill K=K_{P_3}\oplus \left(E_{P_1}\oplus V_{z{P}_3}\right)\oplus \left(E_{P_2}\oplus V_{z{P}_3}\right).\end{array}$$

(17)

As shown in Figure 1, the flowchart depicts the mechanism of the proposed MQKA protocol.

3. Security Analysis

This section will discuss the security of the proposed protocol. Without loss of generality, we analyze the security of the proposed three-party QKA protocol. The security analysis encompasses both internal attacks and external attacks.

3.1. External Attack

In the proposed three-party protocol, in order to obtain the negotiated key, an external attacker may launch typical attacks during the transmission of quantum states, including the Trojan horse attack, the intercept–resend attack, the entangle–measure attack, and the measure–resend attack.

3.1.1. The Trojan Horse Attack

In our scheme, since each particle is transmitted only once, our three-party QKA protocol is immune to the delay-photon Trojan horse attack [43] and the invisible eavesdropping Trojan horse attack [44].

3.1.2. The Intercept–Resend Attack

The external attacker may intercept the particles $P_1$ transmitted and resend the fake states to $P_2$, $P_3$. Without loss of generality, suppose that Eve intercepts the particles $S_{P_3}$ and sends the fake particles to $P_3$. Taking the q-th fake CHECK particle ${\tilde{U}}_{P_3}^q$($\left|0\right.〉$) as an example, the q-th system state can be described as

$$\begin{array}{c}\hfill \begin{array}{c}\tilde{\Psi }={\displaystyle \frac{1}{\sqrt{2}}}\left(\left|00\right.〉+\left|11\right.〉\right)\left|0\right.〉\hfill \\ ={\displaystyle \frac{1}{\sqrt{4}}}\left(\left|+++\right.〉+\left|++-\right.〉+\left|--+\right.〉+\left|---\right.〉\right)\hfill \end{array}.\end{array}$$

(18)

Firstly, we consider the scenario where the measurement basis is Z. When the measurement results of $U_{P_1}^q,U_{P_2}^q,{\tilde{U}}_{P_3}^q$ are $\left|000\right.〉$, we can obtain $U_{z{P}_1}^q=U_{z{P}_2}^q={\tilde{U}}_{z{P}_3}^q$. Eve is capable of evading eavesdropping detection.

When the measurement results of $U_{P_1}^q,U_{P_2}^q,{\tilde{U}}_{P_3}^q$ are $\left|110\right.〉$, we can obtain $U_{z{P}_1}^q=U_{z{P}_2}^q\ne {\tilde{U}}_{z{P}_3}^q$. Eve can be detected by the eavesdropping detection.

Secondly, we consider the scenario where the measurement basis is X. When the measurement results of $U_{P_1}^q,U_{P_2}^q,{\tilde{U}}_{P_3}^q$ in $\left|+++\right.〉$ or $\left|--+\right.〉$, we can obtain $U_{x{P}_1}^q·U_{x{P}_2}^q·{\tilde{U}}_{x{P}_3}^q=1$. Eve is capable of evading eavesdropping detection.

When the measurement results of $U_{P_1}^q,U_{P_2}^q,{\tilde{U}}_{P_3}^q$ in $\left|++-\right.〉$ or $\left|---\right.〉$, we can obtain $U_{x{P}_1}^q·U_{x{P}_2}^q·{\tilde{U}}_{x{P}_3}^q=-1$. Eve is unable to evade eavesdropping detection.

Therefore, for each CHECK particle, Eve is capable of evading eavesdropping detection with the probability of

$$\begin{array}{c}\hfill \begin{array}{c}{\displaystyle \frac{1}{2}}\times {\displaystyle \frac{1}{2}}+{\displaystyle \frac{1}{2}}\times \left({\displaystyle \frac{1}{4}}+{\displaystyle \frac{1}{4}}\right)={\displaystyle \frac{1}{2}}\hfill \end{array}.\end{array}$$

(19)

For all l CHECK particles, Eve can be detected with the probability of $1-{\left({\displaystyle \frac{1}{2}}\right)}^l$.

3.1.3. The Entangle–Measure Attack

The external attacker may perform the entangle–measure attack. Without loss of generality, suppose that Eve intercepts the particles $P_1$ transmitted to $P_2$ ($P_3$), and performs unitary operation $U_E$ on the intercepted particles. If this attack does not introduce any errors, the system state of Eve’s probe should be independent of the measurement results of $S_{P_1},S_{P_2},S_{P_3}$. The effect of $U_E$ on $\left|0\right.〉$ and $\left|1\right.〉$ can be described as

$$\begin{array}{c}\hfill \begin{array}{c}{U}_E\left(\left|0\right.〉\left|E\right.〉\right)={\epsilon }_{00}\left|0\right.〉\left|e_{00}\right.〉+{\epsilon }_{01}\left|1\right.〉\left|e_{01}\right.〉\hfill \end{array},\end{array}$$

(20)

$$\begin{array}{c}\hfill \begin{array}{c}{U}_E\left(\left|1\right.〉\left|E\right.〉\right)={\epsilon }_{10}\left|0\right.〉\left|e_{10}\right.〉+{\epsilon }_{11}\left|1\right.〉\left|e_{11}\right.〉\hfill \end{array}.\end{array}$$

(21)

In this equation, $\left|e_{00}\right.〉$, $\left|e_{01}\right.〉$, $\left|e_{10}\right.〉$, and $\left|e_{11}\right.〉$ are the probe state of Eve on $U_E$, and ${\left|{\epsilon }_{00}\right|}^2+{\left|{\epsilon }_{01}\right|}^2=1$, ${\left|{\epsilon }_{10}\right|}^2+{\left|{\epsilon }_{11}\right|}^2=1$. The global state of the system can be described as

$$\begin{array}{c}\hfill \begin{array}{c}{U}_E\left({\left|GHZ\right.〉}_{P_1{P}_2{P}_3}\left|E\right.〉\right)\hfill \\ =U_E\left({\displaystyle \frac{1}{\sqrt{2}}}\left({\left|0\right.〉}_{P_1}{\left|0\right.〉}_{P_2}{\left|0\right.〉}_{P_3}+{\left|1\right.〉}_{P_1}{\left|1\right.〉}_{P_2}{\left|1\right.〉}_{P_3}\right)\left|E\right.〉\right)\hfill \\ ={\displaystyle \frac{1}{\sqrt{2}}}\left\{\begin{array}{c}{\left|0\right.〉}_{P_1}\left({\epsilon }_{00}{\left|0\right.〉}_{P_2}\left|e_{00}\right.〉+{\epsilon }_{01}{\left|1\right.〉}_{P_2}\left|e_{01}\right.〉\right)\left({\epsilon }_{00}{\left|0\right.〉}_{P_3}\left|e_{00}\right.〉+{\epsilon }_{01}{\left|1\right.〉}_{P_3}\left|e_{01}\right.〉\right)+\hfill \\ {\left|1\right.〉}_{P_1}\left({\epsilon }_{10}{\left|0\right.〉}_{P_2}\left|e_{10}\right.〉+{\epsilon }_{11}{\left|1\right.〉}_{P_2}\left|e_{11}\right.〉\right)\left({\epsilon }_{10}{\left|0\right.〉}_{P_2}\left|e_{10}\right.〉+{\epsilon }_{11}{\left|1\right.〉}_{P_2}\left|e_{11}\right.〉\right)+\hfill \end{array}\right\}\hfill \\ ={\displaystyle \frac{1}{\sqrt{2}}}\left\{\begin{array}{c}{\epsilon }_{00}{\epsilon }_{00}{\left|0\right.〉}_{P_1}{\left|0\right.〉}_{P_2}{\left|0\right.〉}_{P_3}\left|e_{00}\right.〉\left|e_{00}\right.〉+{\epsilon }_{00}{\epsilon }_{01}{\left|0\right.〉}_{P_1}{\left|0\right.〉}_{P_2}{\left|1\right.〉}_{P_3}\left|e_{00}\right.〉\left|e_{01}\right.〉+\hfill \\ {\epsilon }_{01}{\epsilon }_{00}{\left|0\right.〉}_{P_1}{\left|1\right.〉}_{P_2}{\left|0\right.〉}_{P_3}\left|e_{01}\right.〉\left|e_{00}\right.〉+{\epsilon }_{01}{\epsilon }_{01}{\left|0\right.〉}_{P_1}{\left|1\right.〉}_{P_2}{\left|1\right.〉}_{P_3}\left|e_{01}\right.〉\left|e_{01}\right.〉+\hfill \\ {\epsilon }_{10}{\epsilon }_{10}{\left|1\right.〉}_{P_1}{\left|0\right.〉}_{P_2}{\left|0\right.〉}_{P_3}\left|e_{10}\right.〉\left|e_{10}\right.〉+{\epsilon }_{10}{\epsilon }_{11}{\left|1\right.〉}_{P_1}{\left|0\right.〉}_{P_2}{\left|1\right.〉}_{P_3}\left|e_{10}\right.〉\left|e_{11}\right.〉+\hfill \\ {\epsilon }_{11}{\epsilon }_{10}{\left|1\right.〉}_{P_1}{\left|1\right.〉}_{P_2}{\left|0\right.〉}_{P_3}\left|e_{11}\right.〉\left|e_{10}\right.〉+{\epsilon }_{11}{\epsilon }_{11}{\left|1\right.〉}_{P_1}{\left|1\right.〉}_{P_2}{\left|1\right.〉}_{P_3}\left|e_{11}\right.〉\left|e_{11}\right.〉\hfill \end{array}\right\}\hfill \end{array},\end{array}$$

(22)

In this equation, the subscripts $P_1$, $P_2$, and $P_3$ denote the particles from $S_{P_1}$, $S_{P_2}$, and $S_{P_3}$, respectively. If Eve does not introduce any errors during the eavesdropping check by participants, the measurement results of $P_1$, $P_2$, and $P_3$ should be the same. Thereby, Eve’s attack $U_E$ should be satisfied with the conditions

$$\begin{array}{c}\hfill \begin{array}{c}{U}_E\left({\left|GHZ\right.〉}_{P_1{P}_2{P}_3}\left|E\right.〉\right)\hfill \\ ={\displaystyle \frac{1}{\sqrt{2}}}\left({\epsilon }_{00}{\epsilon }_{00}{\left|0\right.〉}_{P_1}{\left|0\right.〉}_{P_2}{\left|0\right.〉}_{P_3}\left|e_{00}\right.〉\left|e_{00}\right.〉+{\epsilon }_{11}{\epsilon }_{11}{\left|1\right.〉}_{P_1}{\left|1\right.〉}_{P_2}{\left|1\right.〉}_{P_3}\left|e_{11}\right.〉\left|e_{11}\right.〉\right)\hfill \end{array}.\end{array}$$

(23)

Based on Equation (22), we can infer

$$\begin{array}{c}\hfill \begin{array}{c}{\epsilon }_{00}{\epsilon }_{01}\left|e_{00}\right.〉\left|e_{01}\right.〉+{\epsilon }_{01}{\epsilon }_{00}\left|e_{01}\right.〉\left|e_{00}\right.〉+{\epsilon }_{01}{\epsilon }_{01}\left|e_{01}\right.〉\left|e_{01}\right.〉+\hfill \\ {\epsilon }_{10}{\epsilon }_{10}\left|e_{10}\right.〉\left|e_{10}\right.〉+{\epsilon }_{10}{\epsilon }_{11}\left|e_{10}\right.〉\left|e_{11}\right.〉+{\epsilon }_{11}{\epsilon }_{10}\left|e_{11}\right.〉\left|e_{10}\right.〉=0\hfill \end{array}.\end{array}$$

(24)

Here, 0 represents a column zero vector. Then, we can obtain

$$\begin{array}{c}\hfill \begin{array}{c}{\epsilon }_{00}{\epsilon }_{01}+{\epsilon }_{01}{\epsilon }_{00}+{\epsilon }_{01}{\epsilon }_{01}+{\epsilon }_{10}{\epsilon }_{10}+{\epsilon }_{10}{\epsilon }_{11}+{\epsilon }_{11}{\epsilon }_{10}=0\hfill \end{array}.\end{array}$$

(25)

Furthermore, we can obtain

$$\begin{array}{c}\hfill \begin{array}{c}{\epsilon }_{00}{\epsilon }_{00}={\epsilon }_{11}{\epsilon }_{11}\hfill \end{array}.\end{array}$$

(26)

$$\begin{array}{c}\hfill \begin{array}{c}\left|e_{00}\right.〉\left|e_{00}\right.〉=\left|e_{00}\right.〉\left|e_{11}\right.〉\hfill \end{array}.\end{array}$$

(27)

Therefore, we can obtain

$$\begin{array}{c}\hfill \begin{array}{c}{U}_E\left({\left|GHZ\right.〉}_{P_1{P}_2{P}_3}\left|E\right.〉\right)={\left|GHZ\right.〉}_{P_1{P}_2{P}_3}\left|e_{00}\right.〉\left|e_{00}\right.〉\hfill \end{array}.\end{array}$$

(28)

Based on the aforementioned proof, in the absence of errors induced by Eve’s attack, the ultimate system state of Eve’s probe should be independent of the measurement results of the particles from $S_{P_1}$, $S_{P_2}$, and $S_{P_3}$. Therefore, Eve is unable to obtain any useful information about the measured particles. Once Eve acquires any useful information, Eve’s attack will be detected with a nonzero probability.

3.1.4. The Measure–Resend Attack

The external attacker may intercept the particles $P_1$ transmitted, measure the particles, and resend the fake states to $P_2$, $P_3$. Without loss of generality, suppose that Eve intercepts the particles $S_{P_3}$, measures the intercepted particles with Z basis, and sends the fake particles to $P_3$. Clearly, the system state has a probability of ${\displaystyle \frac{1}{2}}$ for being $\left|000\right.〉$ and a probability of ${\displaystyle \frac{1}{2}}$ for being $\left|111\right.〉$.

Firstly, we consider the scenario where the system state is $\left|000\right.〉$. When the measurement basis is Z, the measurement results of $U_{P_1}^q$, $U_{P_2}^q$, ${\tilde{U}}_{P_3}^q$ are $\left|000\right.〉$, and we can obtain $U_{z{P}_1}^q=U_{z{P}_2}^q={\tilde{U}}_{z{P}_3}^q$. Eve is capable of evading eavesdropping detection.

When the measurement basis is X and the measurement results of $U_{P_1}^q$, $U_{P_2}^q$, ${\tilde{U}}_{P_3}^q$ in $\left|+++\right.〉$, $\left|+--\right.〉$, $\left|-+-\right.〉$ or $\left|--+\right.〉$, we can obtain $U_{x{P}_1}^q·U_{x{P}_2}^q·{\tilde{U}}_{x{P}_3}^q=1$. Eve is capable of evading eavesdropping detection.

When the measurement results of $U_{P_1}^q$, $U_{P_2}^q$, ${\tilde{U}}_{P_3}^q$ in $\left|++-\right.〉$, $\left|+-+\right.〉$, $\left|-++\right.〉$ or $\left|---\right.〉$, we can obtain $U_{x{P}_1}^q·U_{x{P}_2}^q·{\tilde{U}}_{x{P}_3}^q=-1$. Eve is unable to evade eavesdropping detection.

Secondly, we consider the scenario where the system state is $\left|111\right.〉$. When the measurement basis is Z, the measurement results of $U_{P_1}^q$, $U_{P_2}^q$, ${\tilde{U}}_{P_3}^q$ are $\left|111\right.〉$, and we can obtain $U_{z{P}_1}^q=U_{z{P}_2}^q={\tilde{U}}_{z{P}_3}^q$. Eve is capable of evading eavesdropping detection.

When the measurement basis is X and the measurement results of $U_{P_1}^q$, $U_{P_2}^q$, ${\tilde{U}}_{P_3}^q$ in $\left|+++\right.〉$, $\left|+--\right.〉$, $\left|-+-\right.〉$ or $\left|--+\right.〉$, we can obtain $U_{x{P}_1}^q·U_{x{P}_2}^q·{\tilde{U}}_{x{P}_3}^q=1$. Eve is capable of evading eavesdropping detection.

When the measurement results of $U_{P_1}^q$, $U_{P_2}^q$, ${\tilde{U}}_{P_3}^q$ in $\left|++-\right.〉$, $\left|+-+\right.〉$, $\left|-++\right.〉$ or $\left|---\right.〉$, we can obtain $U_{x{P}_1}^q·U_{x{P}_2}^q·{\tilde{U}}_{x{P}_3}^q=-1$. Eve is unable to evade eavesdropping detection.

Therefore, for each CHECK particle, Eve is capable of evading eavesdropping detection with the probability of

$$\begin{array}{c}\hfill \begin{array}{c}{\displaystyle \frac{1}{2}}\times \left({\displaystyle \frac{1}{2}}\times 1+{\displaystyle \frac{1}{2}}\times \left({\displaystyle \frac{1}{8}}+{\displaystyle \frac{1}{8}}+{\displaystyle \frac{1}{8}}+{\displaystyle \frac{1}{8}}\right)\right)+{\displaystyle \frac{1}{2}}\times \left({\displaystyle \frac{1}{2}}\times 1+{\displaystyle \frac{1}{2}}\times \left({\displaystyle \frac{1}{8}}+{\displaystyle \frac{1}{8}}+{\displaystyle \frac{1}{8}}+{\displaystyle \frac{1}{8}}\right)\right)={\displaystyle \frac{3}{4}}\hfill \end{array}.\end{array}$$

(29)

For all l CHECK particles, Eve can be detected with the probability of $1-{\left({\displaystyle \frac{3}{4}}\right)}^l$.

3.2. Internal Attack

A secure quantum key agreement protocol is required to possess the fairness property, ensuring that all participants contribute equally to the negotiated key. In the proposed protocol, under the condition that all participants honestly execute the protocol prior to Step 4, they will be able to successfully obtain $V_{z{P}_1}=V_{z{P}_2}=V_{z{P}_3}$. In Step 4, $P_i$ calculates the value of $E_{P_i}=V_{z{P}_i}\oplus K_{P_i}$ and publishes it to other participants, where $i\in \left\{1,2,3\right\}$. However, $P_i$ may announce the false value of ${\tilde{E}}_{P_i}$. Without loss of generality, suppose that $P_1$ intends to determine the negotiated key $\tilde{K}=\left\{{\tilde{K}}^1,{\tilde{K}}^2,\dots ,{\tilde{K}}^N\right\}$ alone. In Step 4, $P_2$ publishes the value of $E_{P_2}=V_{z{P}_2}\oplus K_{P_2}$, and $P_3$ publishes the value of $E_{P_3}=V_{z{P}_3}\oplus K_{P_3}$. Based on the value of $E_{P_2}$ and $E_{P_3}$, $P_1$ can calculate the value of

$$\begin{array}{c}\hfill \begin{array}{c}{\tilde{E}}_{P_1}=V_{z{P}_1}\oplus \left(\tilde{K}\oplus \left(E_{P_2}\oplus V_{z{P}_1}\right)\oplus \left(E_{P_3}\oplus V_{z{P}_1}\right)\right)\hfill \end{array}.\end{array}$$

(30)

and announce the false value of ${\tilde{E}}_{P_1}$ to $P_2$, $P_3$, where ${\tilde{E}}_{P_1}=\left\{{\tilde{E}}_{P_1}^1,{\tilde{E}}_{P_1}^2,\dots ,{\tilde{E}}_{P_1}^n\right\}$.

Based on the value of ${\tilde{E}}_{P_1}$, $P_2$ can infer the false value of

$$\begin{array}{c}\hfill \begin{array}{c}\tilde{K}=K_{P_2}\oplus \left({\tilde{E}}_{P_1}\oplus V_{z{P}_2}\right)\oplus \left(E_{P_3}\oplus V_{z{P}_2}\right)\hfill \end{array}.\end{array}$$

(31)

$P_3$ can infer the false value of

$$\begin{array}{c}\hfill \begin{array}{c}\tilde{K}=K_{P_3}\oplus \left({\tilde{E}}_{P_1}\oplus V_{z{P}_3}\right)\oplus \left(E_{P_2}\oplus V_{z{P}_3}\right)\hfill \end{array}.\end{array}$$

(32)

Nevertheless, as the hash value,

$$\begin{array}{c}\hfill \begin{array}{c}H\left({\tilde{E}}_{P_1}\oplus V_{z{P}_2}\right)\ne H\left(K_{P_1}\right)\hfill \end{array}.\end{array}$$

(33)

$$\begin{array}{c}\hfill \begin{array}{c}H\left({\tilde{E}}_{P_1}\oplus V_{z{P}_3}\right)\ne H\left(K_{P_1}\right)\hfill \end{array}.\end{array}$$

(34)

The dishonest behavior of $P_1$ will be detected by $P_2$, $P_3$.

Similarly, in the event that two dishonest participants collude to execute the cheating behavior, their cheating behavior will be exposed through the utilization of the hash function’s properties.

4. The Extension of the Proposed Scheme

Suppose $P_1,P_2,\dots ,P_N$ seek to establish a private key over a quantum channel, ensuring that each participant contributes equally to the generation of the key and that the key cannot be fully determined by any non-trivial subset of them. In the negotiation phase, the utilization of a hash function outputting m bits is necessary.

Step 1: $P_i$ randomly generates the CHECK keys

$$\begin{array}{c}\hfill \begin{array}{c}{\overline{K}}_{P_i}=\left\{{\overline{K}}_{P_i}^1,{\overline{K}}_{P_i}^2,\dots ,{\overline{K}}_{P_i}^l\right\}\hfill \end{array},\end{array}$$

(35)

and the INFO keys

$$\begin{array}{c}\hfill \begin{array}{c}{K}_{P_i}=\left\{K_{P_i}^1,K_{P_i}^2,\dots ,K_{P_i}^n\right\}\hfill \end{array}.\end{array}$$

(36)

Here, l represents the number of the CHECK particles, n represents the length of the negotiated key, and ${\overline{K}}_{P_i},K_{P_i}\in \left\{0,1\right\}$, $i\in \left\{1,2,\dots ,N\right\}$. $P_i$ calculates the hash values $H\left(K_{P_i}\right)$ and announces the values.

Step 2: $P_1$ prepares $l+n$ N-particle GHZ states ${\left|GHZ\right.〉}_N={\displaystyle \frac{1}{\sqrt{2}}}\left(\left|00,\dots ,0\right.〉+\left|11,\dots ,1\right.〉\right)$. For each GHZ state, $P_1$ keeps the first particle, and sends the t-th particle to $P_t$, where $t\in \left\{2,\dots ,N\right\}$. We denote the i-th particle sequence as $S_{P_i}$ as follows:

$$\begin{array}{c}\hfill \begin{array}{c}{S}_{P_i}=\left\{S_{P_i}^1,S_{P_i}^2,\dots ,S_{P_i}^{l+n}\right\}\hfill \end{array}.\end{array}$$

(37)

Here, $i\in \left\{1,2,\dots ,N\right\}$.

Step 3: After $P_i$ receives $S_{P_i}$, $P_1$ randomly selects l particles as the CHECK particles and informs other participants of the positions of the CHECK particles. Here, the CHECK particles respectively held by $P_i$ are denoted as $U_{P_i}$ as follows:

$$\begin{array}{c}\hfill U_{P_i}=\left\{U_{P_i}^1,U_{P_i}^2,\dots ,U_{P_i}^l\right\}.\end{array}$$

(38)

Then, $P_i$ announces the CHECK keys ${\overline{K}}_{P_i}$ and calculates

$$\begin{array}{c}\hfill \begin{array}{c}\overline{K}={\overline{K}}_{P_1}\oplus {\overline{K}}_{P_2}\oplus \dots \oplus {\overline{K}}_{P_N}\hfill \end{array}.\end{array}$$

(39)

Here, $\overline{K}=\left\{{\overline{K}}^1,{\overline{K}}^2,\dots ,{\overline{K}}^l\right\}$. For the q-th CHECK particle, when the value of ${\overline{K}}^q$ is 0, $P_i$ uses the Z basis to measure the particle $U_{P_i}^q$ and publishes the measurement results, where $q\in \left\{1,2,\dots ,l\right\}$. When the value of ${\overline{K}}^q$ is 1, $P_i$ uses the X basis to measure the particle $U_{P_i}^q$ and publishes the measurement results, where $q\in \left\{1,2,\dots ,l\right\}$. Suppose that the measurement results in basis Z are $U_{z{P}_i}^q=\left\{+1,-1\right\}$ and in basis X are $U_{x{P}_i}^q=\left\{+1,-1\right\}$. According to the entanglement properties of the N-particle GHZ state and Equation (40),

$$\begin{array}{c}\hfill \begin{array}{c}{\left|GHZ\right.〉}_N={\displaystyle \frac{1}{\sqrt{2}}}\left(\underset{N}{\underbrace{\left|00,\dots ,0\right.〉}}+\underset{N}{\underbrace{\left|11,\dots ,1\right.〉}}\right)\hfill \\ ={\displaystyle \frac{1}{2^{\frac{N+1}{2}}}}{\displaystyle \sum _{{\sigma }_1{\sigma }_2,\dots ,{\sigma }_N}}\left(\left|{\sigma }_1{\sigma }_2,\dots ,{\sigma }_N\right.〉\right)\hfill \end{array}.\end{array}$$

(40)

In this equation, ${\sigma }_i\in \left\{+,-\right\}$, $i\in \left\{1,2,\dots ,N\right\}$, ${\sigma }_1\oplus {\sigma }_2\oplus \cdots \oplus {\sigma }_N=0$. $P_i$ can check the correctness of the measurement results. When the chosen basis is Z, the measurement results must satisfy $U_{z{P}_1}^q=U_{z{P}_2}^q=\dots =U_{z{P}_N}^q$. When the chosen basis is X, the measurement results must satisfy ${\Pi }_{i=1}^N{U}_{x{P}_i}^q=1$. If the error exceeds the threshold, the protocol aborts. The remaining particles serve as INFO particles $V_{P_i}=\left\{V_{P_i}^1,V_{P_i}^2,\dots ,V_{P_i}^n\right\}$. $P_i$ measures the particles with the Z basis.

Step 4: The measurement results are represented by $V_{z{P}_i}$. If the measurement result is $\left|0\right.〉$, its value is taken as 0; if the measurement result is $\left|1\right.〉$, its value is taken as 1. According to the entanglement properties of the N-particle GHZ state, we can obtain $V_{z{P}_1}=V_{z{P}_2}=\dots =V_{z{P}_N}$. $P_i$ calculates $E_{P_i}=V_{z{P}_i}\oplus K_{P_i}$ and sends it to other participants.

Step 5: $P_i$ calculates $H\left(E_{P_j}\oplus V_{z{P}_i}\right)$. If $H\left(E_{P_j}\oplus V_{z{P}_i}\right)=H\left(K_{P_j}\right)$, $P_i$ will infer the final negotiated key

$$\begin{array}{c}\hfill \begin{array}{c}K={\displaystyle \sum _{j=1}^N}\left(E_{P_j}\oplus V_{z{P}_i}\right)\left(mod2\right)\hfill \end{array},\end{array}$$

(41)

In this equation, $i\in \left\{1,2,\dots ,N\right\}$, $j\in \left\{1,2,\dots ,N\right\}$. If any participant refuses K as the negotiated key, the protocol will be terminated and restarted.

5. Discussions

Reference [45] provides a definition of qubit efficiency,

$$\begin{array}{c}\hfill \begin{array}{c}\eta ={\displaystyle \frac{f}{q+c}}\hfill \end{array},\end{array}$$

(42)

In this equation, q is the number of transmitted qubits, c is the number of consumed classical bits, and f is the number of bits of the negotiated key. In the proposed protocol, $P_1$ prepares $l+n$ N-particle entangled states, and it has $q=\left(l+n\right)N$. For the consumed classical bits, in order to announce the hash $H\left(K_{P_i}\right)$, the CHECK keys ${\overline{K}}_{P_i}$, the measurement results of $U_{P_i}$, and the ciphertext $E_{P_i}$, $P_i$ needs to spend m, l, l, and n classical bits, respectively, where m is the length of the hash function $H\left(x\right)$. For N participants, the number of needed classical bits is $c=\left(2l+n+m\right)N$. The length of the negotiated key is n; therefore, $f=n$. Therefore, the qubit efficiency is $\eta ={\displaystyle \frac{n}{\left(3l+2n+m\right)N}}$. When l is the same as n, the qubit efficiency $\eta ={\displaystyle \frac{n}{\left(5n+m\right)N}}$.

In comparison to the previous MQKA protocols, as illustrated in

Table 1. Comparison between our protocol and the previous MQKA protocols.

The MQKA Protocols	Quantum Resource States	Entanglement Swapping Technology	Unitary Operations	Pre-Shared Keys	Extra Qubits Transmission	Measurement Bases	Consumed Qubits	Quantum Efficiency
Protocol [41]	GHZ states	No	No	No	Yes	GHZ basis, Z basis	$2^{N-1}n$ $\left(3N-1\right)$	${\displaystyle \frac{n}{2^{N-1}n\left(3N-1\right)+mN+nN}}$
Protocol [42]	GHZ states	No	No	No	No	X basis, Y basis, Z basis	$2nN$	${\displaystyle \frac{n}{6nN+mN}}$
Our scheme	GHZ states	No	No	No	No	X basis, Z basis	$2nN$	${\displaystyle \frac{n}{5nN+mN}}$

, our protocol demonstrates great advantages. Our scheme retains most of the advantages of the schemes in [41,42] using one kind of multi-particle entangled state as the initial quantum resource, and eliminates the need for entanglement swapping techniques, unitary operations, or pre-shared keys between participants. In addition, our scheme uses only the X and Z bases for measurement, making it simpler and more practical than scheme [41], which uses GHZ and Z bases, and scheme [42], which uses X, Y, and Z bases. In terms of qubit transmission, our scheme and reference [42] require only one transmission from participant P1 to P2 (P3), while scheme [41] involves additional steps of reflecting or resending particles. Regarding qubit consumption, our scheme and reference [42] consume $2nN$ qubits, whereas reference [41] consumes $2^{N-1}n(3N-1)$ qubits. Moreover, our scheme achieves a qubit efficiency of ${\displaystyle \frac{n}{5nN+mN}}$, compared to ${\displaystyle \frac{n}{2^{N-1}n(3N-1)+mN+nN}}$ for reference [41] and ${\displaystyle \frac{n}{6nN+mN}}$ for reference [42]. These advantages make our scheme more efficient and practical for implementation.

6. Conclusions

In this paper, a single-state multi-party quantum key agreement (MQKA) protocol utilizing single-particle measurement is proposed. We introduce a single-state three-party quantum key agreement protocol with single-particle measurement followed by a comprehensive security analysis. Building on this foundation, we further extend this approach by employing multi-particle entangled states to develop a multi-party version of the single-state multi-party quantum key agreement with single-particle measurement. Specifically, it employs one kind of multi-particle entangled state as the quantum resource, eliminating the need for entanglement swapping techniques, unitary operations, or pre-shared keys between participants. Moreover, the protocol uses only the X measurement basis and Z measurement basis, which results in fewer qubits being transmitted and consumed, and higher qubit efficiency. While our method can be extended to a multi-party version, the preparation of multi-particle entangled states remains a significant challenge that warrants further investigation.