1 Introduction

Quantum key distribution (QKD) allows two authorized participants to establish a shared secret key over a public channel. The shared key can be used for encryption or authentication protocols. A lot of QKD protocols have been proposed [1, 2] since the pioneering works of Bennett–Brassard (BB84) [3] and Ekert (E91) [4], and they have been theoretically proven unconditionally secure [5]. Key agreement is another way to distribute keys, i.e., it allows two or more parties to establish a secret key freely and securely over insecure channel without the need for a previously established shared secret. However, compared with the key distribution, in which one party distributes a secret key to the other, all involved parties in a key agreement protocol can equally influence the outcome of the protocol, and no one can decide the shared key alone. In other words, in addition to have the same ability of resisting adversaries from the outside world as the key distribution protocol does, a secure key agreement protocol is also required to prevent the participant attacks, i.e., the dishonest party may try to determine the secret key alone. Therefore, it is useful to establish a shared key by the key agreement protocol in the scenario that all participants do not trust each other. The first practical solution to the key agreement problem was proposed in 1976 [6] by Deffie and Hellman (DH). Since their pioneering work, a large number of variant solutions to the key agreement were proposed. However, the security of these protocols is mainly based on the DH problem or discrete logarithm problem. Since Shor introduced a polynomial-time quantum algorithms for prime factorization and discrete logarithm in 1997 [7], the security of classical key agreement protocols become increasingly vulnerable. Fortunately, quantum cryptography, which is based on the principle of quantum mechanical to perform cryptographic tasks, can provide unconditional security. And it attracts many researchers’ attention and has been developed quickly, such as quantum secret sharing [8, 9], quantum secure direct communication [10, 11], quantum private comparison [1214] and quantum oblivious transfer [15].

Quantum key agreement (QKA) is a new branch of quantum cryptography, which was first proposed by Zhou et al. [16]. In their protocol, the quantum teleportation technique was used to generate a secret key. However, one party can fully determine the shared key alone [17], and it is susceptible to the participant attack [18]. Later, Chong and Hwang [19] proposed a new QKA protocol by using the technique of delayed measurement. Recently, Huang et al. [20] considered the QKA protocol in the collective noise channels. Shen et al. proposed an efficient two-party QKA scheme with four-qubit cluster states [21], which has been extended to multiparty case [22]. However, only two participants were involved in the above QKA protocols. Recently, an enhanced interest on multiparty QKA protocols has been observed. Shi and Zhong [23] first proposed the multiparty QKA protocol based on EPR pairs and entanglement swapping. Liu et al. [24] found that their protocol was not a fair QKA because a dishonest participant can determine the secret key independently, and they presented a secure multiparty QKA protocol with single particles. However, the efficiency of the proposed protocol is not very satisfactory. How to improve the efficiency of the multiparty QKA protocol is an open problem in this field. In order to solve this problem, Sun et al. extended the classical circle-type conference key agreement to the quantum world and proposed a circle-type QKA protocol [25], and the efficiency of Liu et al.’s protocol was improved. Recently, three-party QKA [26] protocol and five-party QKA protocol [27] were also proposed based on Bell state.

In this paper, we propose a multiparty quantum key agreement protocol using quantum superposition states. The presented protocol uses a commutative encryption to protect participants’ agreement key. The shared key is influenced by all parties. And no one can determine the shared key alone. The exclusive-OR operations of participants’ secret keys is realized by the property of the commutative encryption. And the exclusive-OR operation is performed on the plaintext in the encrypted state without decrypting it. We encode the participant’s secret key into particular rotation angles. Rotating the encryption state by \(90^{\circ }\) changes the plaintext, logic-one to logic-zero or logic-zero to logic-one. The efficiency of the proposed protocol, compared with other multiparty QKA protocols, is also improved. Entanglement states, joint measurement and even the unitary operations are not needed, and only rotation operations and single-state measurement are required. As it is known, rotation operation and single-state measurement are easier to be realized with current technologies. Thus, the proposed protocol is more practical, compared to other previous QKA protocols. The security of the presented protocol is also proved to be secure against both outside and participant attacks.

The rest of this paper is organized as follows. Section 2 introduces the commutative encryption scheme. Then, our multiparty QKA protocol with quantum superposition states is presented. The security analysis is given in Sect. 4. Section 5 gives a short conclusion.

2 A quantum commutative encryption scheme

In this section, we introduce a quantum commutative encryption scheme, which will be used in the proposed multiparty quantum key agreement protocol. In our protocol, the horizontally polarized photon \(|0\rangle \) represents zero in a binary representation. The vertically polarized photon \(|1\rangle \) represents one. And, all transmitted polarized photons are encrypted before the transmission. The encryption key is defined as a set of angles \(K = \{ \theta _{i} : 0 \le \theta _{i} < \pi , i = 1, 2, \ldots , n\}\) for an n-bit message, where the subscript indicates the position in the message where the encryption with the angle \(\theta _{i}\) is applied. The encryption is defined as the rotation operation. And, \(E_{K}[M]\) is denoted as an encryption of data M with a secret key K. The decryption is defined as the rotation the encrypted photon by the angle \(\theta _{i}\) in the opposite direction. \(D_{K}[M]\) is the decryption of data M with the secret key K. We give a simple example to show the mathematical representation of the encryption and decryption processes as follows.

Suppose the message M is a single photon encoded as \(M : |\psi _{0}\rangle = |0\rangle \) for simplicity. By using the Jones matrix representation, the rotation operation can be represented by the following matrix:

$$\begin{aligned} R(\theta ) = \left( \begin{array}{cc} \cos \theta &{} \sin \theta \\ -\sin \theta &{} \cos \theta \end{array} \right) \end{aligned}$$
(1)

The data qubit \(|\psi _{0}\rangle \) encryption with \(\theta \) can be represented as follows

$$\begin{aligned} E_{K}[M]= & {} R(\theta ) |0\rangle \nonumber \\= & {} \left( \begin{array}{cc} \cos \theta &{} \sin \theta \nonumber \\ -\sin \theta &{} \cos \theta \end{array} \right) \left( \begin{array}{c} 1\\ 0 \end{array} \right) \nonumber \\= & {} \left( \begin{array}{c} \cos \theta \\ -\sin \theta \end{array} \right) = \cos \theta |0\rangle -\sin \theta |1\rangle \nonumber \\= & {} |\psi _{0}\rangle ^{'} \end{aligned}$$
(2)

In order to read the message M, we need to rotate the photon \(|\psi _{0}\rangle ^{'}\) by \(\theta \) in the opposite direction, i.e., the decryption can be represented as follows:

$$\begin{aligned} R(-\theta ) |\psi _{0}\rangle ^{'}= & {} \left( \begin{array}{cc} \cos (-\theta ) &{} \sin (-\theta ) \nonumber \\ -\sin (-\theta ) &{} \cos (-\theta ) \end{array} \right) \left( \begin{array}{c} \cos \theta \\ -\sin \theta \end{array} \right) \nonumber \\= & {} \left( \begin{array}{c} \cos ^{2}\theta + \sin ^{2}\theta \\ \sin \theta \cos \theta -\cos \theta \sin \theta \end{array} \right) \nonumber \\= & {} \left( \begin{array}{c} 1\\ 0 \end{array} \right) = |0\rangle \end{aligned}$$
(3)

The security of this quantum encryption is proven in Ref. [28]. A main advantage of this encryption scheme is that we do not have to decrypt a cipher text in the exact reverse order as encrypted with different secret key. For example, \(E_{K_{2}}E_{K_{1}} [M]= E_{K_{1}}E_{K_{2}}[M]\), where \(K_{1} \ne K_{2}\). And we know that rotating the photon by \(90^{\circ }\) changes the plaintext, logic-one to logic-zero or logic-zero to logic-one, i.e., \(E_{\frac{\pi }{2}} |0\rangle = R(\frac{\pi }{2})|0\rangle = -|1\rangle , E_{\frac{\pi }{2}} |1\rangle = R(\frac{\pi }{2})|1\rangle = |0\rangle \) since the \(-\) has no observable effects, and for that reason we can effectively write \(E_{\frac{\pi }{2}} |0\rangle = |1\rangle , E_{\frac{\pi }{2}} |1\rangle = |0\rangle \). Therefore, an exclusive-OR operation can be performed on the plaintext in the encrypted state without decrypting it, i.e., he rotates \(90^{\circ }\) on the encoded state if the input is 1; otherwise, \(0^{\circ }\) is rotated. For example, suppose the input is 1, we have \(K_{2}= \frac{\pi }{2}\), then

$$\begin{aligned} E_{\frac{\pi }{2}} E_{K_{1}} |0\rangle= & {} E_{K_{1}}R\left( \frac{\pi }{2}\right) |0\rangle = E_{K_{1}}|1\rangle = E_{K_{1}}|1\oplus 0\rangle , \end{aligned}$$
(4)
$$\begin{aligned} E_{\frac{\pi }{2}} E_{K_{1}} |1\rangle= & {} E_{K_{1}} R\left( \frac{\pi }{2}\right) |1\rangle = E_{K_{1}}|0\rangle = E_{K_{1}} |1\oplus 1\rangle , \end{aligned}$$
(5)

where \(\oplus \) denotes the addition module 2.

The rotation operation can be realized by current technologies. The photon is linearly polarized by a polarizing apparatus called linear polarizer and the direction can be determined by the orientation of the polarizer. In order to rotate the polarized photon, the photon is passed through a Faraday effect modulator. The rotation angle is controlled by the strength of the magnetic field parallel to the light beam. The output polarization from the Faraday effect modulator can be rotated by the desired angle [28].

3 Multiparty quantum key agreement protocol

Suppose that there are N participants \(P_{0}, \ldots , P_{N-1}\), and they have secret bit strings keys \(K_{0}, \ldots , K_{N-1}\), respectively (Eq.(6)). They want to derive a secret shared key \(K=K_{0} \oplus \cdots \oplus K_{N-1}\) (Eq.(7)), wherein no one can determine the shared key alone.

$$\begin{aligned} K_{0}= & {} (k_{0,1} \cdots k_{0,n} ), \nonumber \\&\ldots \nonumber \\ K_{i}= & {} (k_{i,1} \ldots k_{i,n} ), \nonumber \\&\ldots \nonumber \\ K_{N-1}= & {} (k_{(N-1),1} \ldots , k_{(N-1),n} ), \end{aligned}$$
(6)
$$\begin{aligned} K_{0} \oplus \cdots \oplus K_{N-1}= & {} (k_{0,1}\oplus \cdots \oplus k_{(N-1),1} \ldots k_{0,n} \oplus \cdots \oplus k_{(N-1),n}). \end{aligned}$$
(7)

Here n is the length of secret bit string. In our protocol, we assume that the classic channel is authenticated. Then, the multiparty QKA protocol can be described as follows:

  1. 1.

    The party \(P_{i} (i = 0, \ldots , N-1)\) randomly generates a secret key \(\varTheta _{i} = (\theta ^{i}_{1}, \theta ^{i}_{2}, \ldots , \theta ^{i}_{n})\). Here, \(0 \le \theta ^{i}_{j} < \pi ,j= 1,2,\ldots , n\). Then, he encodes his secret key \(K_{i}\) into n photons \(|\psi _{K_{i}}\rangle = |\psi _{k_{i,1}}\rangle |\psi _{k_{i,2}}\rangle \ldots |\psi _{k_{i,n}}\rangle \). Here, if \(k_{i,j}=0\), \(|\psi _{k_{i,j}}\rangle = |0\rangle \), otherwise \(|\psi _{k_{i,j}}\rangle = |1\rangle \). \(P_{i}\) encrypts \(|\psi _{K_{i}}\rangle \) with \(\varTheta _{i}\). The resulting state can be written as

    $$\begin{aligned} E_{\varTheta _{i}}[|\psi _{K_{i}}\rangle ] = R(\theta ^{i}_{1})|\psi _{k_{i,1}}\rangle \otimes \cdots \otimes R(\theta ^{i}_{n})|\psi _{k_{i,n}}\rangle , \end{aligned}$$
    (8)

    where \(R(\theta ^{i}_{j})\) is the rotation operation.

  2. 2.

    \(P_{i}\) sends \(E_{\varTheta _{i}}[|\psi _{K_{i}}\rangle ]\) to \(P_{(i+1) mod N}\) using the decoy state method [2931]. For example, he prepares \(\kappa n\) decoy particles which are randomly in four states \(|+\rangle , |-\rangle \), \(|+y\rangle , |-y\rangle \), and inserts the \(\kappa n\) decoy particles randomly in \(E_{\varTheta _{i}}[|\psi _{K_{i}}\rangle ]\). Then he sends the \(n + \kappa n\) photons to the next participant \(P_{(i+1) mod N}\). Here, \(\kappa \) is the detection rate, and \(|+\rangle =\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle )\), \(|-\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle )\), \(|+y\rangle =\frac{1}{\sqrt{2}}(|0\rangle + i|1\rangle )\), \(|-y\rangle = \frac{1}{\sqrt{2}}(|0\rangle - i|1\rangle )\). For simplicity, \(P_{(i+1) mod N}\) is denoted as \(P_{i+1}\) in the following parts.

  3. 3.

    After confirming that \(P_{i+1}\) has received the photons, \(P_{i}\) and \(P_{i+1}\) begin to check eavesdropping. For example, \(P_{i}\) announces the positions and the corresponding bases \(\{ |+\rangle , |-\rangle \}\) or \(\{|+y\rangle , |-y\rangle \) of the decoy particles, and then \(P_{i+1}\) measures the decoy particles in the correct bases and randomly announces half of the measurement results. Then \(P_{i}\) announces the initial states of the left half of the decoy particles. If the initial states and the measurement results are consistent, they claim that \(E_{\varTheta _{i}}[|\psi _{K_{i}}\rangle ]\) is secure; otherwise, they abandon the protocol.

  4. 4.

    If all the parties announce the received photons are secure, \(P_{i+1}\) performs the commutative encryption on the photons \(E_{\varTheta _{i}}[|\psi _{K_{i}}\rangle ]\) according to his secret key \(K_{i+1}\), i.e., if \(k_{i+1, j} =0\), the corresponding encryption key is \(\theta _{i+1,j} = 0\); otherwise \(\theta _{i+1,j} = \frac{\pi }{2}\), where \(j = 1, 2, \ldots , n\).

  5. 5.

    After performing the commutative encryption, the photons \(E_{\varTheta _{i}}[|\psi _{K_{i}}\rangle ]\) become \(E_{\varTheta _{i}}[|K_{i+1} \oplus K_{i}\rangle ]\). Then, \(P_{i+1}\) sends the new photons to the next party \(P_{i+2}\) using the decoy- states method described in step 2.

  6. 6.

    The parties \(P_{i+2}, \ldots , P_{i-1}\) sequentially execute eavesdropping check and the commutative encryption processes in the same way as participants did in steps 3–5, i.e., they, one after another, check eavesdroppers, and if all the photons are secure, they perform commutative encryption on the received photons according to their secret keys and then insert the decoy particles randomly in the photons and send them to the next participant.

  7. 7.

    When \(P_{i}\) has received the photons from \(P_{i-1}\), he first does eavesdropping check with \(P_{i-1}\). Then he obtains \(E_{\varTheta _{i}}[|K_{i-1} \oplus \cdots \oplus K_{i+1} \oplus K_{i}\rangle ]\) if there is no eavesdropper. Then, he decrypts it with key \(\varTheta _{i}\),

    $$\begin{aligned} D_{\varTheta _{i}}[E_{\varTheta _{i}}[|K_{i-1} \oplus \cdots \oplus K_{i+1} \oplus K_{i}\rangle ]] = |K_{i-1} \oplus \cdots \oplus K_{i+1} \oplus K_{i}\rangle . \end{aligned}$$
    (9)

    The result of \(P_{i}\)’s measurement on \(|K_{i-1} \oplus \cdots \oplus K_{i+1} \oplus K_{i}\rangle \) is the final shared key \(K= K_{0} \oplus K_{1}\oplus \cdots \oplus K_{N-1}\).

4 Security analysis of the presented multiparty QKA protocol

In this section, we will prove that the presented protocol is correct and secure.

4.1 Correctness of the presented protocol

Suppose \(P_{i}\) starts the protocol, and after his encryption in step 1, the photon states can be written as

$$\begin{aligned} E_{\varTheta _{i}}[|\psi _{K_{i}}\rangle ] = R(\theta ^{i}_{1})|\psi _{k_{i,1}}\rangle \otimes \cdots \otimes R(\theta ^{i}_{n})|\psi _{k_{i,n}}\rangle . \end{aligned}$$
(10)

When \(P_{i+1}\) receives these secure photons, he perform the commutative encryption according to his secret key \(K_{i+1}\), i.e.,

$$\begin{aligned} E_{K_{i+1}} E_{\varTheta _{i}}[|\psi _{K_{i}}\rangle ]= & {} R(\theta _{i+1,1})R(\theta ^{i}_{1})|\psi _{k_{i,1}}\rangle \otimes \cdots \otimes R(\theta _{i+1,n}) R(\theta ^{i}_{n})|\psi _{k_{i,n}}\rangle \nonumber \\= & {} R(\theta ^{i}_{1}) R(\theta _{i+1,1})|\psi _{k_{i,1}}\rangle \otimes \cdots \otimes R(\theta ^{i}_{n})R(\theta _{i+1,n})|\psi _{k_{i,n}}\rangle \nonumber \\= & {} E_{\varTheta _{i}}[|K_{i+1} \oplus \psi _{K_{i}}\rangle ] \nonumber \\= & {} E_{\varTheta _{i}}[|K_{i+1} \oplus K_{i}\rangle ], \end{aligned}$$
(11)

where \(\theta _{i+1,j} = 0\) if \(k_{i+1, j} =0\) and \(\theta _{i+1,j} = \frac{\pi }{2}\) if \(k_{i+1, j} =1\), \(j = 1, 2, \ldots , n\).

Similarly, \(P_{i+2}, \ldots , P_{i-1}\) sequentially execute the commutative encryption processes in the same way as participant \(P_{i+1}\) did. According to Eq. (11), the final quantum states that \(P_{i}\) receives in the step 7 is \(E_{\varTheta _{i}}[|K_{i-1} \oplus \cdots \oplus K_{i+1} \oplus K_{i}\rangle ]\) if there is no eavesdropper. Since \(P_{i}\) has the secret key \(\varTheta _{i}\), he can decrypt the received qubits and then measures them in the basis \(\{|0\rangle , |1\rangle \}\). Thus, he obtains the shared secret key \(K= K_{0} \oplus K_{1}\oplus \cdots \oplus K_{N-1}\) correctly.

4.2 Security analysis of the presented protocol

Since the decoy-state method is used in our protocol to detect Eve, outside eavesdroppers cannot obtain the shared key without being detected. In decoy-state method, besides target states, several other non-orthogonal states as decoy states are used. Since Eve cannot distinguish between the target states and the decoy states, she has to apply the same strategy to all of them. As a result, any eavesdropping attempt by Eve will inevitably modify the photon statistic and expose her [2931]. Without loss of generality, the most general operation \(U_{E}\) Eve employed is to cause the sample photons to interact coherently with an auxiliary quantum system \( |E\rangle \) (if \(U_{E}\) is a swapping operation, this attack mode becomes the well-known intercept–resend attack), which can be defined as follows:

$$\begin{aligned} U_{E}|0\rangle |E\rangle= & {} a|0\rangle |E_{00}\rangle + b|1\rangle |E_{01}\rangle , \end{aligned}$$
(12)
$$\begin{aligned} U_{E}|1\rangle |E\rangle= & {} c|0\rangle |E_{10}\rangle + d|1\rangle |E_{11}\rangle , \end{aligned}$$
(13)

where \(|a|^{2} + |b|^{2} = 1\) and \(|c|^{2} + |d|^{2} = 1\). Since the decoy states involved in our protocol are \(|+\rangle \), \(|-\rangle \), \(|+y\rangle \) and \(|-y\rangle \), if Eve introduces no error in the eavesdropping check by participants, the general operation \(U_{E}\) must satisfy the following conditions:

$$\begin{aligned} U_{E}|+\rangle |E\rangle= & {} \frac{1}{\sqrt{2}}( a|0\rangle |E_{00}\rangle + b|1\rangle |E_{01}\rangle + c|0\rangle |E_{10}\rangle + d|1\rangle |E_{11}\rangle ) \nonumber \\= & {} \frac{1}{2}(|+\rangle (a|E_{00}\rangle + b|E_{01}\rangle + c|E_{10}\rangle + d|E_{11}\rangle )). \end{aligned}$$
(14)
$$\begin{aligned} U_{E}|-\rangle |E\rangle= & {} \frac{1}{\sqrt{2}}( a|0\rangle |E_{00}\rangle + b|1\rangle |E_{01}\rangle - c|0\rangle |E_{10}\rangle - d|1\rangle |E_{11}\rangle ) \nonumber \\= & {} \frac{1}{2}(|-\rangle (a|E_{00}\rangle - b|E_{01}\rangle - c|E_{10}\rangle + d|E_{11}\rangle )). \end{aligned}$$
(15)
$$\begin{aligned} U_{E}|+y\rangle |E\rangle= & {} \frac{1}{\sqrt{2}}( a|0\rangle |E_{00}\rangle + b|1\rangle |E_{01}\rangle + ic|0\rangle |E_{10}\rangle + id|1\rangle |E_{11}\rangle )\nonumber \\= & {} \frac{1}{2}(|+y\rangle (a|E_{00}\rangle - ib|E_{01}\rangle + ic|E_{10}\rangle + d|E_{11}\rangle )). \end{aligned}$$
(16)
$$\begin{aligned} U_{E}|-y\rangle |E\rangle= & {} \frac{1}{\sqrt{2}}( a|0\rangle |E_{00}\rangle + b|1\rangle |E_{01}\rangle - ic|0\rangle |E_{10}\rangle - id|1\rangle |E_{11}\rangle ) \nonumber \\= & {} \frac{1}{2}(|-y\rangle (a|E_{00}\rangle + ib|E_{01}\rangle - ic|E_{10}\rangle + d|E_{11}\rangle )). \end{aligned}$$
(17)

From the above Eqs. (14), (15), (16) and (17), we can get

$$\begin{aligned} a|E_{00}\rangle - b|E_{01}\rangle + c|E_{10}\rangle - d|E_{11}\rangle= & {} 0 \end{aligned}$$
(18)
$$\begin{aligned} a|E_{00}\rangle + b|E_{01}\rangle - c|E_{10}\rangle - d|E_{11}\rangle= & {} 0 \end{aligned}$$
(19)
$$\begin{aligned} a|E_{00}\rangle + ib|E_{01}\rangle + ic|E_{10}\rangle - d|E_{11}\rangle= & {} 0 \end{aligned}$$
(20)
$$\begin{aligned} a|E_{00}\rangle - ib|E_{01}\rangle - ic|E_{10}\rangle - d|E_{11}\rangle= & {} 0 \end{aligned}$$
(21)

Here 0 denote a column zero vector. Further, we can get \(a = d = 1\), \(b = c = 0\) and \(|E_{00}\rangle = |E_{11}\rangle \). Therefore,

$$\begin{aligned} U_{E}|0\rangle |E\rangle= & {} |0\rangle |E_{00}\rangle , \end{aligned}$$
(22)
$$\begin{aligned} U_{E}|1\rangle |E\rangle= & {} |1\rangle |E_{00}\rangle , \end{aligned}$$
(23)

i.e., Eve introduce no error in the eavesdropping only when her ancillary state and the target photon \(\{|0\rangle , |1\rangle \}\) are product states. So outside eavesdroppers cannot obtain the shared key without being detected.

On the other hand, the security of commutative encryption relies on the no-cloning theorem. Hence, by transmitting data as a superposition of state, no one can make a copy of the transmitted data without errors. Without the secret key (rotation angles), no one can obtain the secret data (the shared key) according to measuring the superposition states. Therefore, the commutative encryption can also protect the shared key from exposing to Eve.

Therefore, our proposed protocol is secure against outside attacks.

Generally speaking, the participant is the most powerful attacker. The participant attack is a normal attack mode in the multiparty computation protocols that participants are not of mutual trust. If it is possible for one party (suppose \(P_{i}\)) to know the final key before others, she will completely control the shared key by manipulating her secret key \(K_{i}\) as per her wish. For example, suppose \(P_{i}\) has already obtain the shared key K, where K is the bitwise of all parties’ keys. Then \(P_{i}\) encodes \(K^{'} \oplus K \oplus K_{i}\), instead of \(K_{i}\), as his secret key when he executes the protocol, where \(K^{'}\) is the key that \(P_{i}\) desired. It can be easily computed that other parties will accept \(K^{'}\) as the final shared key. Thus, this protocol is not a fair key agreement in this situation. To circumvent this attack, we require all participants, one after another, to check eavesdroppers, and only when all the transmitted photons are secure, they encode their secret key on these photons. This strategy introduces a delay in message encoding (commutative encryption operation), but this delayed message encoding strategy ensures that malicious participant cannot control the final key by knowing K prior to her message encoding. Thus, no one can get the final key beforehand, and all participants obtain the final key simultaneously. Therefore, the dishonest party has no way to influence the final key as her expected.

4.3 Efficiency analysis

A well-known measure of efficiency of secure quantum communication is known as qubit efficiency was introduced by Cabello [36], which is given as

$$\begin{aligned} \eta =\frac{c}{q+b}, \end{aligned}$$
(24)

where c denotes the length of the transmitted message bits, q is the number of the used qubits and b is the number of classical bits exchanged for decoding of the message (classical communication used for checking of eavesdropping is not counted). Since the QKA protocols are not interested in communicating a message, so the meaning of c in \(\eta \) is modified to make it suitable for comparison of protocols of QKA. In the modified notion, c is the length of the shared key generated by the protocol. In the following part, we will take a simple comparison between previous proposed secure multiparty QKA protocols and ours from the following aspects: the quantum resource, the quantum operation and the qubit efficiency (Table 1). In order to generate n bits of shared key, each party has to prepare n single photons and \(\kappa n\) decoy particles in our protocol. There is no classical bits exchanged for decoding of the shared key. Hence, the qubit efficiency of our protocol can be computed, \(\eta = \frac{n}{(n +\kappa n)N}=\frac{1}{(\kappa +1)N}\), where \(\kappa \) is the detection rate and N is the number of the participants. The Ref. [24] proposed a secure multiparty QKA protocol, and its qubit efficiency is \(\frac{1}{(\kappa +1)N(N-1)}\), which is less efficient than ours. Later, an improved multiparty QKA protocol by using unitary operations was proposed by Sun et al. [25], which qubit efficiency is \(\frac{1}{(\kappa +1)N}\). Later, an efficient multiparty QKA with cluster states was also proposed [22].Compared with Refs. [25] and [22], the qubit efficiency of our protocol is almost as efficient as their. However, entanglement states, joint measurement and even the unitary operations are not needed in our protocol, only rotation operations and single-state measurement are required. As it is known, rotation operation and single-state measurement are easier to be realized with current technologies. Thus, the proposed protocol is more practical, compared to these previous QKA protocols. Hence, our new protocol is more efficient than previous proposed secure multiparty QKA protocols (see Table 1).

Table 1 Comparison between previously proposed multiparty QKA protocols and ours
Full size table

5 Conclusion and discussion

We have proposed a multiparty quantum key agreement protocol based on superposition states. By transmitting data as a superposition of state, no one can make a copy of the transmitted state without errors. And, when the superposition state is measured, no information regarding the secret key is left. Thus, Eve cannot obtain the final shared secret key. The message encoding process is realized by the commutative encryption operation in our protocol. And the exclusive-OR operation is performed by utilizing the commutative property of the commutative encryption. After performing the commutative encryption sequentially according to their secret keys, a final agreement key can be shared by the participants. Furthermore, the superposition states can be realized using current technologies, and it is easier to realize the rotation operations than the unitary operations. Therefore, it may be easier to realize our protocol physically. The commutative encryption has very interesting properties, and it may be also used to construct quantum private comparison protocol [14, 37] and quantum summation protocol, which need our further research.

The insufficiency of the presented protocol may be that it can only prevent one participant from determining the final key alone, i.e., it cannot resist collusion attacks. If more participants collaborate with each other, they can change the final key into their expected. Thus, it will be an unfair QKA protocol in this situation. In other words, there has to be a trade-off between efficiency and security if we want to improve the efficiency of the multiparty QKA. Thus, we first considered the simplest case where no party trusted each other, in the proposed protocol. And, this is indeed reasonable in some real-life situation. We are currently involved in research into how to prevent two or three participants collusion attacks. Finally, we will give the general circle-type QKA protocol that can resist collusion attacks in our following study.

Since our protocol transmits the same photons more than once, it may suffer from the Trojan horse attacks. Such kind of circular quantum transmission has been discussed [3235]. To prevent this type of attacks, participants can install a special quantum optical device such as the wavelength quantum filter and the photon number splitters (PNS) to detect an attack. According to Refs. [3235], Eve’s invisible photons can be filtered out by using the wavelength quantum filter, and the PNS can split each legitimate photon to discover the delay photons. If there is an irrational high rate of multiphoton signal, then the attack can be detected.