1 Introduction

In 1984, Bennett and Brassard proposed a secure quantum key distribution (QKD) protocol [1], which is the first key distribution protocol that uses the principles of quantum mechanics to ensure security. Subsequently, several QKD protocols and related protocols have been proposed [5, 10, 11, 12, 13, 14, 22]. However, in these QKD protocols, the shared secret key is first determined by a participant or a third party and then distributed to the other participants. Obviously, in this approach, the involved participants do not contribute equally to the shared key.

Unlike QKD protocols, quantum key agreement (QKA) protocols have been proposed to ensure that all participants contribute equally to the shared key. In other words, a QKA protocol has to not only guarantee the security of the shared key but also assure the fairness property. The fairness property in particular means that each participant has equal contribution to the final shared key [19]. That is, no proper subset of the involved participants can determine any part of the final key without being detected by the others. In 2004, Zhou et al. proposed the first QKA protocol based on the quantum teleportation technique [29]. However, in 2006, Liu et al. [9] pointed out that Zhou et al.’s QKA protocol cannot achieve the security property under the intercept and resend attack. That is, in the quantum particles transmission process, the outside attacker Eve can use the photons generated by herself instead of the participants’ particles to obtain the final shared key without being detected. Subsequently, Chong and Hwang [3] proposed a QKA protocol based on BB84 [1] and He et al. proposed a QKA protocol with four-particle GHZ states. However, these QKA protocols are just for two participants to negotiate a key.

In 2013, Shi and Zhong [16] proposed the first multi-party quantum key agreement (MQKA) protocol based on Bell states and Bell measurements. The protocol uses quantum entanglement swapping technique to help several participants to establish a secure and fair key. However, Liu et al. [7] pointed out that Shi et al.’s protocol cannot achieve fairness property by the participant attack. In addition, they proposed an MQKA protocol based on single photons. Subsequently, Sun et al. [19] complained about the efficiency of Liu et al.’s protocol. Instead, they proposed an MQKA protocol to improve the efficiency of Liu et al.’s protocol. However, Huang et al. [6] pointed out that Sun et al.’s MQKA protocol cannot avoid the participant attack. In 2015, Sun et al. proposed an MQKA based on an entangled Six-qubit state [20]. But, according to Liu et al.’s research [8], Sun et al.’s protocol cannot avoid the collusive attack which also implies that Sun et al.’s protocol cannot achieve fairness property. In 2016, an MQKA based on quantum secret direct communication was proposed by Zeng et al. [28]. In addition to these, several MQKA protocols [17, 18] have been proposed.

Recently, Xu et al. [23] proposed an MQKA protocol based on GHZ states. They claimed that the proposed protocol allows the involved participants to share a fair and secure final key. However, this study will point out that Xu et al.’s protocol cannot achieve the fairness property under the participant attack. That is, the last participant can manipulate the final key without being detected by the others, which is not allowed in quantum key agreement. Moreover, the paper [27] has already shown that Xu et al.’s protocol also cannot avoid the public discussion attack. To avoid these two flaws, an improved protocol is proposed. According to the security analysis and the fairness analysis, the modification ensures that the involved participants can establish a secure and fair key.

The rest of this paper is organized as follows. Section 2 provides a brief review of Xu et al.’s protocol. Section 3 analyzes Xu et al.’s protocol and shows that their protocol cannot achieve the fairness property. Section 4 introduces the improved protocol and discusses its security, fairness and cost. Finally, a brief conclusion is given in Section 5.

2 Brief Review of Xu et al.’s Protocol [23]

In this section, we briefly review Xu et al.’s MQKA protocol, where several participants \(A_{1}, A_{2}, \cdots , A_{N}\) use GHZ states \(\left \vert {\Psi }_{N} \right \rangle =\left \vert {\Psi } \right \rangle _{q_{1} q_{2} \ldots q_{N}} =\frac {1}{\sqrt {2}} \left (\left \vert 00\ldots 0 \right \rangle _{q_{1} q_{2} \ldots q_{N}} +\left \vert 11\ldots 1 \right \rangle _{q_{1} q_{2} \ldots q_{N}} \right )\) to establish a shared key. The protocol is described as follows.

  • Step 1 \(A_{1}\) generates \(m\) GHZ states \(\left \vert {\Psi }_{N} \right \rangle \) and sends all the \(i\)th particles to the \(i\)th participant.

  • Step 2 \(A_{2}\) checks whether there exists any eavesdropper or not by choosing some of the positions of \(q_{2}\) and sends the information of the selected positions to the other participants. The particles in these positions are used as decoy photons. For each decoy photon, \(A_{2}\) randomly uses either \(X\left \{ \left \vert + \right \rangle ,\left \vert - \right \rangle \right \}\) basis or \(Z\left \{ \left \vert 0 \right \rangle ,\left \vert 1 \right \rangle \right \}\) basis to measure it and informs the other participants to measure the decoy photons in the same basis. Subsequently, the other participants \(\left \{ A_{1} ,A_{3} ,A_{4} ,\ldots ,A_{N} \right \}\) send the measurement results to \(A_{2}\). Upon receiving all the measurement results, \(A_{2}\) checks whether all these measurement results are correct or not [23]. If the error rate exceeds a predetermined value, they abort this protocol. Otherwise, they continue the next step.

  • Step 3 Similar to the Step 2, each participant does the same eavesdropping checking one by one. If all participants finish the checking positively, they continue the next step. Otherwise, they abort this protocol.

  • Step 4 Each participant uses \(Z\left \{ {\left \vert 0 \right \rangle ,\left \vert 1 \right \rangle } \right \}\) basis to measure the remaining particles and gets the measurement results. The measurement results are the final shared secret key K.

It appears that the final shared key is determined by the quantum uncertainty principle, i.e. none of the participants can manipulate the shared secret key. However, the next section will show that the last involved participant has the ability to manipulate the final shared key without being detected.

3 Problem with Xu et al.’s Protocol

In this section, we show that Xu et al.’s protocol cannot ensure the involved participants to share a fair and secure key by introducing two loopholes. The first loophole (the participant attack) is that the last participant can measure all the remaining particles at the beginning of his/her eavesdropping checking process and choose the preferred values to be the final key which is not allowed in QKA. The other loophole is that the paper [27] pointed out that Xu et al.’s protocol cannot avoid the public discussion attack where each of the involved participants can manipulate the final shared key by announcing a fake eavesdropping detecting result. The details of participant attack and public discussion attack in Xu et al.’s protocol are respectively described in Sections 3.1 and 3.2.

3.1 Participant Attack

Assume that the last participant, \(A_{N}\), is a malicious participant who intends to manipulate the final shared key. In Step 3, to perform the attack, \(A_{N}\) uses \(Z\left \{ \left \vert 0 \right \rangle ,\left \vert 1 \right \rangle \right \}\) basis to measure enough of the remaining particles before he/she selects the positions for decoy photons. For simplicity, assume here that he/she measures all the remaining particles with Z basis. Upon obtaining the measurement results, \(A_{N}\) intentionally divides the remaining particles into two sequences \({K}^{\prime }\) and \(C\). More precisely, \(A_{N}\) chooses those positions of his/her preference to be the final shared key \({K}^{\prime }\), and sets the others to be \(C\) as the decoy photons, which can be measured either in X basis or in Z basis. After the eavesdropping detection, all participants will use Z basis to measure the remaining particles to obtain the final shared key \({K}^{\prime }\) in Step 4.

It is obvious that \(A_{N}\) is able to choose preferred values as the final shared key by using the above strategy. If we assume the final shared key is \(n\) bits and the number of remaining decoy photons which were measured by Z-basis is \(m\), then according to combinatorics [15], there are \(C_{n+m}^{n} =C\left ({n+m,n} \right )=\frac {\left ({n+m} \right )!}{n!}\) alternatives to be chosen by \(A_{N}\) as the final shared key. Obviously, the probability of having different combinations is \(1-2\times \frac {1}{2^{n+m}}\), which is close to 1 if the number \(n+m\) is large enough. Hence, \(A_{N}\) is able to choose a preferred one from the different combinations as the final shared key without being detected by the others. In this way, the final shared key of the MQKA could be completely decided by \(A_{N}\).

As an example, we use a 4-bit key generation process to explain this attack (see also Fig. 1). Here, eight particles are supposed to remain for \(A_{N}\) after the other participants \(\left \{ A_{1} ,A_{2} ,\ldots ,A_{N-1} \right \}\) finish performing the eavesdropping detection processes in Step 2 and Step 3. Subsequently, \(A_{N}\) measures all the remaining particles \(\left \{ q_{N1} ,q_{N2} ,\ldots ,q_{N8} \right \}\) in Z basis. If \(A_{N}\)’s measurement result is 10110001 and, among the combinations of the measurement results {0000, 0001, 0100, 0101, 0110, 0111, 1000, 1001, 1010, 1011, 1100, 1101, 1110, 1111}, he/she prefers 0000 to be the final shared secret key \(K\), then he/she classifies \(\left \{ q_{N2} ,q_{N5} ,q_{N6} ,q_{N7} \right \}\) as \({K}^{\prime }\) and sets \(\left \{ q_{N1} ,q_{N3} ,q_{N4} ,q_{N8} \right \}\) as \(C\). After the eavesdropping detection, all participants will remove the decoy photons and subsequently use Z basis to measure the remaining particles \(\left \{ q_{i2} ,q_{i5} ,q_{i6} ,q_{i7} \right \}\) to obtain the final shared key \(K={K}^{\prime }=0000\), which is a key determined by \(A_{N}\).

Fig. 1 Key manipulation by \(A_{N}\)
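The 4-bit example above as a classical simulation, added here and not part of the original paper. It assumes that once \(A_{N}\) has measured in Z basis, each GHZ position behaves as one bit shared by all participants; function names are illustrative and positions are 0-based (the paper counts from 1).

```python
from itertools import combinations


def partition_for_target(outcomes, target):
    """A_N's split of the remaining positions into K' (key) and C (decoys).

    outcomes: A_N's early Z-basis results, one bit per remaining GHZ state.
    target:   the key A_N wants. The key is read in position order, so the
              target must be a subsequence of the outcomes.
    Returns (key_positions, decoy_positions), or None if the target cannot
    be spelled from these outcomes.
    """
    key_positions, idx = [], 0
    for bit in target:
        while idx < len(outcomes) and outcomes[idx] != bit:
            idx += 1
        if idx == len(outcomes):
            return None
        key_positions.append(idx)
        idx += 1
    chosen = set(key_positions)
    decoys = [i for i in range(len(outcomes)) if i not in chosen]
    return key_positions, decoys


def honest_key(outcomes, decoy_positions):
    """Key every honest participant derives in Step 4: discard the announced
    decoy positions and read the rest in Z basis. GHZ correlations make all
    participants see the same bit at each position."""
    skip = set(decoy_positions)
    return [b for i, b in enumerate(outcomes) if i not in skip]


def reachable_keys(outcomes, n):
    """All n-bit keys A_N can force from these outcomes."""
    return {
        "".join(str(outcomes[i]) for i in pos)
        for pos in combinations(range(len(outcomes)), n)
    }


def fraction_reachable(outcomes, n):
    """Share of the 2^n possible keys that A_N can force."""
    return len(reachable_keys(outcomes, n)) / 2 ** n


if __name__ == "__main__":
    # Measurement result from the paper's example.
    results = [1, 0, 1, 1, 0, 0, 0, 1]
    key_pos, decoy_pos = partition_for_target(results, [0, 0, 0, 0])
    print("K' positions (1-based):", [p + 1 for p in key_pos])
    print("C positions  (1-based):", [p + 1 for p in decoy_pos])
    print("key seen by honest parties:", honest_key(results, decoy_pos))
    print("keys A_N can force:", sorted(reachable_keys(results, 4)))
    print("fraction of key space:", fraction_reachable(results, 4))
```

The honest participants have no check that would distinguish this partition from a random decoy selection, which is why the improved protocol hides the measurement basis until after all detection rounds.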

3.2 Public Discussion Attack [27]

In Xu et al.’s protocol, during the public discussion process, if a malicious participant is not satisfied with the negotiated shared secret key as the final shared key, he/she can deliberately abort the protocol and then attribute the error to an eavesdropping incident without being detected by the other participants. For example, after the last participant \(A_{N}\) announces the positions of decoy photons during the public discussion process, each participant can remove the decoy photons and obtain the final shared key by measuring the remaining particles with Z basis. At this moment, if any participant is not satisfied with the derived final shared key, he/she can deliberately announce a fake measurement result to fail the eavesdropping detection process. That is, this participant can let the other participants think that there is an eavesdropper. Hence, the protocol will be aborted and a new run of the protocol will be started. After several rounds, this participant could obtain a preferred final shared key. Obviously, this is against the fairness property. Though [27] pointed out this problem, they did not propose a corresponding modification to improve Xu et al.’s protocol.

4 Improvement on Xu et al.’s Protocol

This section first proposes an improvement to avoid the problems that we mentioned before, and then gives the security and fairness analyses.

4.1 Improved Protocol

To improve Xu et al.’s protocol, a modified version is described in detail as follows.

  • Step 1* \(A_{1}\) prepares \(m\) GHZ states \(\left \vert {\Psi }_{N} \right \rangle \) to form a quantum sequence \(S\), i.e. \(S= \left \{ \left \vert {\Psi }_{N} \right \rangle _{q_{1} q_{2} \ldots q_{N}} ,\left \vert {\Psi }_{N} \right \rangle _{q_{1} q_{2} \ldots q_{N}} ,\cdots ,\left \vert {\Psi }_{N} \right \rangle _{q_{1} q_{2} \ldots q_{N}} \right \}\). Subsequently, \(A_{1}\) generates a random binary number sequence \(R_{H_{1}}\) and performs \(H_{y} =\frac {1}{\sqrt {2}} \left (\left \vert 0 \right \rangle \left \langle 0 \right \vert +\left \vert 0 \right \rangle \left \langle 1 \right \vert +i\left \vert 1 \right \rangle \left \langle 0 \right \vert -i\left \vert 1 \right \rangle \left \langle 1 \right \vert \right )\) on \(S\) according to \(R_{H_{1}}\) to obtain \(S_{1}\). (For the \(i\)th particle, if the \(i\)th value of \(R_{H_{1}}\) is 1, \(A_{1}\) performs \(H_{y}\) on it. Otherwise, \(A_{1}\) performs \(I=\left \vert 0 \right \rangle \left \langle 0 \right \vert +\left \vert 1 \right \rangle \left \langle 1 \right \vert \) on it.) Then \(A_{1}\) sends \(S_{1}\) to \(A_{2}\). Upon receiving \(S_{1}\), \(A_{2}\) checks whether there is a Trojan horse attack [2, 4, 26] or not during the transmission. If there is a Trojan horse attack in the transmission, he/she aborts this protocol. Otherwise, similar to \(A_{1}\), \(A_{2}\) generates a random binary number sequence \(R_{H_{2}}\) and performs \(H_{y}\) on \(S_{1}\) according to \(R_{H_{2}}\) to obtain \(S_{2}\). Then \(A_{2}\) sends it to \(A_{3}\), and so on. Again, after the Trojan horse checking, the \(i\)th participant \(A_{i} \left (i\in \left \{ 3,4,5,\ldots ,N-1 \right \} \right )\) generates \(R_{H_{i}}\) and performs \(H_{y}\) on \(S_{i-1}\) according to \(R_{H_{i}}\) to obtain \(S_{i}\). Then \(A_{i}\) sends it to \(A_{i+1}\). Subsequently, \(A_{N}\) performs \(H_{y}\) on \(S_{N-1}\) according to \(R_{H_{N}}\) to obtain \(S_{N} =\left \{ \left \vert {\Psi }_{N} \right \rangle _{q_{1}^{N} q_{2}^{N} \ldots q_{N}^{N}} ,\left \vert {\Psi }_{N} \right \rangle _{q_{1}^{N} q_{2}^{N} \ldots q_{N}^{N}} ,\cdots ,\left \vert {\Psi }_{N} \right \rangle _{q_{1}^{N} q_{2}^{N} \ldots q_{N}^{N}} \right \}\) and sends all the \(q_{i}^{N} \left (i\in \left \{ 1,2,3,\ldots ,N-1 \right \} \right )\) to the \(i\)th participant (\(A_{N}\) sends all the \(i\)th particles of \(\left \vert {\Psi }_{N} \right \rangle \) to the \(i\)th participant).

  • Step 2* \(A_{1}\) randomly chooses a subset out of \(S_{N}\) to be the decoy photon set for eavesdropping detection. Subsequently, he/she requests \(A_{i} \left (i\in \left \{ 2,3,4,\ldots ,N \right \} \right )\) to announce the corresponding values of \(R_{H_{i}}\) which were performed on the decoy photons of \(A_{1}\)’s choice. Notice that \(A_{1}\) also has to announce the corresponding values of \(R_{H_{1}}\) in the decoy photon set. After each participant gets the values of the other participants’ \(R_{H}\) of the decoy photon set, they recover the original state of the decoy photons. Subsequently, for each decoy photon, \(A_{1}\) randomly uses either X basis or Z basis to measure it and asks the others to measure the decoy photons in the same basis. Then, the other participants \(\left \{ A_{2} ,A_{3} ,A_{4} ,\ldots ,A_{N} \right \}\) send the measurement results to \(A_{1}\) to check whether all participants’ (\(A_{1}\)’s, \(A_{2}\)’s, …, \(A_{N}\)’s) measurement results are satisfied or not [23]. If the error rate exceeds a predetermined value, they abort this protocol. Otherwise, they continue the next step.

  • Step 3* Similar to Step 2*, the other participants do the same eavesdropping detection one by one. If the established particles are correct, they continue the next step. Otherwise, they abort this protocol.

  • Step 4* After all participants finish the eavesdropping detections, the \(i\)th \(\left (i\in \left \{ 1,2,3,\ldots ,N \right \} \right )\) participant announces the remaining values of \(R_{H_{i}}\). Subsequently, each participant recovers the remaining particles to the initial state \(\left \vert {\Psi }_{N} \right \rangle \) and uses Z basis to measure them to get the final shared secret key \(K\).

4.2 Security Analysis and Fairness Analysis

In this section, we analyze several well-known attacks (Measure-resend attack, Intercept-replace attack, Entangle-measure attack) to show that the proposed improvement can avoid the outside attacks. In addition, a fairness analysis is given to prove that the proposed improvement can achieve the fairness property.

4.2.1 Measure-Resend Attack Analysis

Suppose that Eve uses Z basis or X basis to measure the particles during the photon transmission and uses corresponding single photons instead of the original ones in Step 1* to try to obtain any useful information of the final shared key. It is obvious that this attack can be detected by the participants in Step 2* and Step 3*. That is, the involved participants will find that their particles have no correlations with the other participants’ particles. For example, assume here that the initial state is \(\left \vert {\Psi }_{N} \right \rangle =\left \vert {\Psi } \right \rangle _{q_{1} q_{2} \ldots q_{N}} =\frac {1}{\sqrt {2}} \left (\left \vert 00\ldots 0 \right \rangle _{q_{1} q_{2} \ldots q_{N}} +\left \vert 11\ldots 1 \right \rangle _{q_{1} q_{2} \ldots q_{N}} \right )\) and none of the involved participants performs \(H_{y}\) on them. Subsequently, Eve uses Z basis to measure them and the measurement results are \(\left \vert 0 \right \rangle _{q_{1}} \left \vert 0 \right \rangle _{q_{2}} \ldots \left \vert 0 \right \rangle _{q_{N}} \) or \(\left \vert 1 \right \rangle _{q_{1}} \left \vert 1 \right \rangle _{q_{2}} \ldots \left \vert 1 \right \rangle _{q_{N}} \). According to these measurement results, Eve uses \(N\) single photons \(\left \vert 0 \right \rangle ^{\otimes N}\) or \(\left \vert 1 \right \rangle ^{\otimes N}\) instead of the original ones and sends them back to the participants. In Step 2* and Step 3*, for each pair of the decoy photons, the participants have a probability of \(\frac {1}{2}\) to measure them with X basis. If the participants use X basis to detect the eavesdropping, for each qubit, there will be a probability of \(\frac {1}{2}\) to get an incorrect measurement result. Overall, the probability that Eve can avoid this detection is \(\left (\frac {1}{2} \right )^{l}\left (\frac {1}{2} \right )^{N}\) (\(l\) is the number of decoy photon pairs). Hence, this attack can be detected with a probability of \(1-\left (\frac {1}{2} \right )^{l}\left (\frac {1}{2} \right )^{N}\approx 1\) (if the number \(l\) is large enough). According to this, we can consider that this attack is unworkable.

4.2.2 Intercept-Replace Attack Analysis

Suppose that Eve intercepts the particles and uses several particles generated by herself instead of the original ones in Step 1* to try to obtain any useful information of the final shared key. Similar to the Measure-resend attack analysis, this attack can be detected by the involved participants in the eavesdropping detection. That is, because Eve cannot know whether the participants perform \(H_{y}\) on the particles or not, she cannot generate the same states as the original ones. Hence, after all the participants recover the decoy photons in Step 2* and Step 3*, the eavesdropping can be detected with a probability of \(1-\left (\frac {1}{2} \right )^{l}\left (\frac {1}{2} \right )^{N}\approx 1\) (if the number \(l\) is large enough). According to this, we can conclude that the proposed improvement can avoid the Intercept-replace attack.

4.2.3 Entangle-Measure Attack Analysis

Suppose that Eve intercepts the particles and uses \(q_{1}\) to be the control bit and uses a particle \(\left \vert 0 \right \rangle \) to be the target bit \(T\) to perform the C-NOT operation (\(C\text {-}NOT=\left \vert 00 \right \rangle \left \langle 00 \right \vert +\left \vert 01 \right \rangle \left \langle 01 \right \vert +\left \vert 10 \right \rangle \left \langle 11 \right \vert +\left \vert 11 \right \rangle \left \langle 10 \right \vert \)). Subsequently, Eve can obtain a new \((N+1)\)-qubit GHZ state and send the particles \(q_{1}, q_{2}, \ldots , q_{N}\) back to the participants. Obviously, the involved participants can detect this attack in the eavesdropping detection in Step 2* and Step 3*. For example, assume here that there are just two participants involved in the protocol; the original state will be \(\left \vert {\Psi }_{2} \right \rangle =\left \vert {\Psi } \right \rangle _{q_{1} q_{2}} =\frac {1}{\sqrt {2}} \left (\left \vert 00 \right \rangle _{q_{1} q_{2}} +\left \vert 11 \right \rangle _{q_{1} q_{2}} \right )\). If none of the participants performs \(H_{y}\) on them, after Eve performs the C-NOT operations, \(T\) and \(\left \vert {\Psi }_{2} \right \rangle \) will be transformed into \(\left \vert {\Psi }_{3} \right \rangle =\left \vert {\Psi } \right \rangle _{Tq_{1} q_{2}} =\frac {1}{\sqrt {2}} \left (\left \vert 000 \right \rangle _{Tq_{1} q_{2}} +\left \vert 111 \right \rangle _{Tq_{1} q_{2}} \right )\). In the eavesdropping detections, the involved participants can use X basis to detect it. That is, with X basis, the state \(\left \vert {\Psi }_{3} \right \rangle \) is \(\left \vert {\Psi }_{3} \right \rangle =\left \vert {\Psi } \right \rangle _{Tq_{1} q_{2}} =\frac {1}{2}\left [ \left \vert + \right \rangle _{T} \left (\left \vert ++ \right \rangle +\left \vert -- \right \rangle \right )_{q_{1} q_{2}} +\left \vert - \right \rangle _{T} \left (\left \vert +- \right \rangle +\left \vert -+ \right \rangle \right )_{q_{1} q_{2}} \right ]\). For each pair of the decoy photons (\(\left \{ q_{1} ,q_{2} \right \}\)) there will be a probability of \(\frac {1}{2}\) to get an incorrect measurement result. Obviously, this attack can be detected with a probability of \(1-\left (\frac {1}{2} \right )^{l}\approx 1\) (if the number \(l\) is large enough). Hence, we can consider that the Entangle-measure attack is unworkable.
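The two-participant calculation above, generalised to \(N\) participants, as an added state-vector check (not code from the paper). It assumes the X-basis check accepts only outcomes with an even number of \(\left \vert - \right \rangle \) results, which is the X-basis correlation of an undisturbed GHZ state, and that no \(H_{y}\) masks are applied, as in the paper's example; function names are illustrative.

```python
import math


def apply_h(state, qubit, n):
    """Hadamard on `qubit` (0 = leftmost) of an n-qubit state vector.
    Applying it before a Z readout is equivalent to measuring in X basis."""
    s = 1 / math.sqrt(2)
    mask = 1 << (n - 1 - qubit)
    out = [0.0] * len(state)
    for idx, amp in enumerate(state):
        sign = -1.0 if idx & mask else 1.0
        out[idx & ~mask] += s * amp          # component on |0>
        out[idx | mask] += s * sign * amp    # component on |1>
    return out


def apply_cnot(state, control, target, n):
    """C-NOT: flip `target` wherever `control` is 1."""
    cmask = 1 << (n - 1 - control)
    tmask = 1 << (n - 1 - target)
    out = [0.0] * len(state)
    for idx, amp in enumerate(state):
        out[idx ^ tmask if idx & cmask else idx] += amp
    return out


def state_after_transmission(n_participants, eve_attacks):
    """Qubit 0 is Eve's ancilla T in |0>; qubits 1..N hold the GHZ state."""
    n = n_participants + 1
    state = [0.0] * (1 << n)
    state[0] = state[(1 << n_participants) - 1] = 1 / math.sqrt(2)
    if eve_attacks:
        # Eve entangles T with q_1 (control q_1, target T).
        state = apply_cnot(state, control=1, target=0, n=n)
    return state


def x_parity_error_probability(n_participants, eve_attacks):
    """Probability that one decoy GHZ state fails the X-basis check."""
    n = n_participants + 1
    state = state_after_transmission(n_participants, eve_attacks)
    for q in range(1, n):
        state = apply_h(state, q, n)
    low = (1 << n_participants) - 1          # participants' qubits only
    return sum(
        amp * amp
        for idx, amp in enumerate(state)
        if bin(idx & low).count("1") % 2 == 1   # odd number of |-> results
    )


def detection_probability(p_error, l):
    """Chance that at least one of l X-basis decoy checks fails."""
    return 1 - (1 - p_error) ** l


if __name__ == "__main__":
    for n_p in (2, 3, 4):
        clean = x_parity_error_probability(n_p, eve_attacks=False)
        attacked = x_parity_error_probability(n_p, eve_attacks=True)
        print(f"N={n_p}: error without Eve={clean:.3f}, with Eve={attacked:.3f}")
    print("detection over l=20 checks:", detection_probability(0.5, 20))
```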

4.2.4 Fairness Analysis

In Step 1*, after each participant performs \(H_{y}\) on each particle according to \(R_{H_{i}}\), none of the participants can get the correct measurement results of the particles without knowing the others’ \(R_{H_{i}}\)s. This is because the \(H_{y}\) operation can transform the particle into another state (\(H_{y} \left (\left \vert 0 \right \rangle \right )=\left \vert + \right \rangle _{y} , H_{y} \left (\left \vert 1 \right \rangle \right )=\left \vert - \right \rangle _{y} \), \(H_{y} \left (\left \vert + \right \rangle \right )=\left \vert 0 \right \rangle _{y}, H_{y} \left (\left \vert - \right \rangle \right )=\left \vert 1 \right \rangle _{y} \)). Hence, if the particle \(\left \vert 0 \right \rangle \) has been transformed by \(H_{y}\) and the malicious participant uses Z basis to measure it, he/she will have a probability of \(\frac {1}{2}\) to get \(\left \vert 0 \right \rangle \) and a probability of \(\frac {1}{2}\) to get \(\left \vert 1 \right \rangle \). It is obvious that the malicious participant cannot make sure whether the measurement result is correct or not. In Step 3*, though \(A_{N}\) can get all the other participants’ \(R_{H_{i}}\)s \(\left (1\le i\le N-1 \right )\) performed on the decoy-photon set, he/she cannot obtain the \(R_{H_{i}}\)s performed on the remaining particles which are used for sharing the final key. Consequently, \(A_{N}\) cannot manipulate the final shared key with the method mentioned in Section 3.1. Hence, the participant attack can be avoided in the proposed improvement. Similarly, during the eavesdropping detection processes of the proposed improvement, none of the involved participants can obtain the final shared key. Hence the public discussion attack can be avoided too.

4.3 Comparison

Suppose that \(\eta =\frac {c}{q}\) is the qubit efficiency of a quantum protocol [24, 25, 26], where \(c\) denotes the total number of shared classical bits and \(q\) denotes the total number of qubits generated in the protocols. Thus, the qubit efficiency of the proposed improvement is \(\eta =\frac {1}{2^{N-1}N}\), where \(c=1\), \(q=2^{N-1}N\), and \(N\) denotes the total number of the involved participants. The comparison of several QKA protocols with multiparty participants is shown in Table 1. Though the proposed improvement does not have satisfactory qubit efficiency, the improvement can help each participant to share a fair and secure key.

Table 1 Comparison of QKA protocols with several multiparty participants

5 Conclusion

This paper points out that Xu et al.’s multi-party quantum key agreement protocol suffers from the participant attack, which is against the fairness property of a QKA. To avoid this flaw and the public discussion attack [27], a modification is proposed in this paper. In addition, the security analysis and the fairness analysis show that the modification can achieve both the security property and the fairness property. Though the modification ensures that the participants share a secure and fair key, the efficiency of the modified protocol is not satisfactory. It would be interesting to design a secure and fair multi-party quantum key agreement protocol with better efficiency.