Tripartite Layered Quantum Key Distribution Scheme with a Symmetrical Key Structure

Abstract

Asymmetric entanglement could provide a crucial layered key structure for quantum cryptography. A new symmetrical tripartite quantum key distribution scheme based on the simplest layered quantum key distribution (L-QKD) model is devised. With an interesting rotational symmetrical key distribution scheme, the proposed tripartite QKD protocol could establish a more integrated key system, which expands the number of conference keys for secure broadcast and distribute layered secret keys among any legitimate participants simultaneously. The proposed scheme is more flexible, robust and efficient to guarantee the fairness among communication parties than the original L-QKD protocol, and our scheme also could be applied to encryption in the butterfly network precisely. Moreover, based on three asymmetric (4, 4, 2) entangled state, a novel symmetric (4, 4, 4) entangled state to implement L-QKD scheme is discussed. Finally, the security of L-QKD scheme is analyzed via information-theoretic proof.

1 Introduction

Quantum key distribution (QKD) is the most concerned branch of quantum cryptography [1]. The goal of QKD is to allow authenticated parties to create a random and secure key under the quantum no-cloning theorem [2] or the non-classical properties of entanglement [3]. BB84 protocol [4], Ekert protocol [5] and several variations of these original protocols together with their security, have been widely investigated [6,7,8].

With the advent of QKD, entanglement has become a crucial resource as quantum information carrier frequently. Thus, substantial entangled states have been widely exploited in conventional entanglement-based QKD protocols [9,10,11] and quantum networks [12,13,14,15]. However, it is known that the dimension of quantum states plays a vital role on actual key rate, the robustness of such protocols against noise [16,17,18] and capability of tolerating quantum bit error [19]. Therefore, the generalization or preparation of multi-particle entanglement [20] and high-dimensional entanglement, especially high-dimensional multipartite entanglement becomes topical [21,22,23,24].

Surprisingly, multipartite high-dimensional quantum states are readily available in experiment [18]. A particular multipartite high-dimensionally entangled quantum state with multiple particles and high dimensions has been demonstrated experimentally [23]. Such a state has an asymmetric entanglement structure, which is not only significant in increasing the efficiency of quantum communication but also interesting for “layered” key structure. Based on this idea, a novel layered quantum key distribution (L-QKD) was proposed [18], where the asymmetric entangled states provide multiple keys between arbitrary agents simultaneously. However, it is noticed that the original layered key structure is powerless to guarantee the fairness among communication parties, since the particular nature of the asymmetric entanglement structure. To raise a more integrated key system, a new symmetrical tripartite quantum key distribution scheme is devised by adopting a rotational symmetrical layered key structure. Furthermore, the communication network via connections among the source party and agents also have been considered.

The paper is structured as follows: the idea behind the L-QKD protocol with the simplest mode is introduced in Sect. 2. Tripartite layered quantum key distribution scheme with rotational symmetrical key structure is presented in Sect. 3. Additionally, in Sect. 4, the strategy to connect the source party with agents is presented, and a simple application scenario is introduced briefly. A novel scheme via symmetric (4, 4, 4) entangled state to implement L-QKD is discussed in Sect. 5. In addition, the security analysis and a brief comparison with the original L-QKD protocol is arrived at in Sect. 6. Finally, a brief conclusion will be drawn in Sect. 7.

2 Ideal Tripartite L-QKD Protocol

The model for tripartite layered quantum distribution is shown in Fig. 1(a). An authorized Source (S) distributes asymmetric entangled states for three agents, i.e., Alice (A), Bob (B) and Charlie (C). These asymmetric entangled states enable two parties to share an additional layer of secure information and build a conference key among all the three parties. Therefore, agents could share keys in two layers, i.e., K_ABC and k_BC.

Fig. 1

Tripartite layered quantum key distribution model. a In this model, an authorized Source (S) distributes asymmetric entangled states to three agents Alice (A), Bob (B), Charlie (C). Hence, two keys K_ABC and k_BC could be shared among three agents simultaneously. K_ABC (blue area) is a conference key among three agents, while k_BC (red dotted line) is a layered secret key only shared between B and C. b A novel asymmetric (4, 4, 2) entangled state \( \left|{\varPsi}_{442}\right\rangle =\frac{1}{2}\left(\left|000\right\rangle +\left|111\right\rangle +\left|220\right\rangle +\left|331\right\rangle \right) \) shared among three parties. Here the first two photons live in a four-dimensional space, while the third photon lives in a two-dimensional space

The first L-QKD protocol, as well as the first such an asymmetric (3, 3, 2) entangled state \( \left|{\varPsi}_{332}\right\rangle =\frac{1}{\sqrt{3}}\left(\left|000\right\rangle +\left|111\right\rangle +\left|221\right\rangle \right) \), was proposed in [14]. The local dimensions for |Ψ₃₃₂〉 are 3 for the first two photons and 2 for the third photon. Since the idealized key rate based on |Ψ₃₃₂〉 is not perfect in the first L-QKD protocol, recently, Pivoluska M, et al. proposed a simple motivating tripartite asymmetric (4, 4, 2) entangled state [18]. Such an ideal state \( \left|{\varPsi}_{442}\right\rangle =\frac{1}{2}\left(\left|000\right\rangle +\left|111\right\rangle +\left|220\right\rangle +\left|331\right\rangle \right) \) guarantees perfect idealized key rate and beautiful key structure, as shown in Fig. 1(b). Firstly, let us introduce the L-QKD protocol with the asymmetric (4, 4, 2) entangled state briefly.

1. (a)

   State preparation: Source S distributes |Ψ₄₄₂〉 to three agents A, B and C, as shown in Fig. 1(b).

$$ {\left|{\varPsi}_{442}\right\rangle}_{BCA}=\frac{1}{2}{\left(\left|000\right\rangle +\left|111\right\rangle +\left|220\right\rangle +\left|331\right\rangle \right)}_{BCA} $$

(1)

where the subscript BCA denotes that the first two particles are assigned to agents B and C, while the third particle is assigned to A.

1. (b)

   Measurement: After measuring the state |Ψ₄₄₂〉_BCA locally in the computational basis respectively, the outcomes of three agents will exhibit peculiar correlations: the outcomes of B and C (00, 11, 22, and 33) are correlated and independent of the ones of A (0 and 1)_.

2. (c)

   Key generation: Agents B and C could encode bit strings K_ABC and k_BC according to their outcomes.

$$ {K}_{ABC}=\left\{\begin{array}{c}1,\mathrm{for}\ \mathrm{outcomes}\ 1\ \mathrm{and}\ 3;\\ {}0,\mathrm{for}\ \mathrm{outcomes}\ 0\ \mathrm{and}\ 2.\end{array}\right. $$

$$ {k}_{BC}=\left\{\begin{array}{c}1,\mathrm{for}\ \mathrm{outcomes}\ 2\ \mathrm{and}\ 3;\\ {}0,\mathrm{for}\ \mathrm{outcomes}\ 0\ \mathrm{and}\ 1.\end{array}\right. $$

It is known that K_ABC is correlated to Alice’s measurement outcomes correctly and k_BC is independent of Alice’s data entirely. On one hand, Alice, Bob and Charlie develop a conference key K_ABC, which has interesting secure broadcast applications. On the other hand, Bob and Charlie share a layered secret key k_BC that is unknown to Alice.

1. (d)

   After parameter estimation and post-processing in raw keys, key strings could be used to encrypt messages among all three agents with one-time pad (OTP). More details can be found in [18].

In the L-QKD protocol, a layered key structure is more efficient in term of the number of quantum channels used. However, it is noticed that the power of the three-party agents to possess key information is unequal. In other words, the original layered key structure is incapable of guaranteeing the fairness among agents. For example, a secret layered key could be built only between Bob and Charlie in the above case, while distributing layered keys between Alice and Bob (Charlie) is not allowed.

To resolve this problem, an improved scheme with rotational symmetrical key structure could be considered.

3 Tripartite L-QKD Scheme with the Rotational Symmetrical Key Structure

To achieve fairness among three agents, first of all, three rounds of asymmetric entangled states are needed, as shown in Fig. 2.

Fig. 2

Tripartite layered key distribution with rotational symmetrical structure. Here, after three rounds distribution shown in (a-c), all three parties could share three conference keys \( \left\{{K}_{ABC}^{R_1},{K}_{ABC}^{R_2},{K}_{ABC}^{R_3}\right\} \), at the same time, any two of parties could build a secure channel shared only among themselves equally shown in (d)

Formally, the authorized Source S produces three asymmetric (4, 4, 2) entangled states, then agents A, B and C share |Ψ₄₄₂〉 states as shown in Fig. 2(a)-(c).

$$ {\left|{\varPsi}_{442}\right\rangle}_{BCA}=\frac{1}{2}{\left(\left|000\right\rangle +\left|111\right\rangle +\left|220\right\rangle +\left|331\right\rangle \right)}_{BCA} $$

(2)

$$ {\left|{\varPsi}_{442}\right\rangle}_{ABC}=\frac{1}{2}{\left(\left|000\right\rangle +\left|111\right\rangle +\left|220\right\rangle +\left|331\right\rangle \right)}_{ABC} $$

(3)

$$ {\left|{\varPsi}_{442}\right\rangle}_{ACB}=\frac{1}{2}{\left(\left|000\right\rangle +\left|111\right\rangle +\left|220\right\rangle +\left|331\right\rangle \right)}_{ACB} $$

(4)

After processing the necessary L-QKD steps mentioned in Sect. 2, ideally, conference keys could be shared among three agents three times, and bipartite keys between any pairs of agents could be built simultaneously, as shown in Fig. 2(d). Thus, the key system for three agents is obtained, as listed in Table 1.

Table 1 Layered key system for three agents

Therefore, the unfairness among three parties is overcome by using the rotational symmetrical key structure, where any two parties could build a layered secure channel to share bipartite keys only among themselves equally.

4 An Implementation Strategy for Connecting the Source Party with Agents

As is known, it is necessary to connect central source router with agents for building communication network. Therefore, to improve the integrity of system structure, the strategy connecting the source party with agents is presented in our scheme.

Apart from building a layered key structure in three agents as shown in Sect. II, similarly, the layered key structure among source party and agents is constructed, as shown in Fig. 3.

Fig. 3

An improved symmetrical tripartite layered key distribution. The final scheme (g) consists of six-level layered key structures (a-f)

Note that the authorized Source S prepares six-round asymmetric (4, 4, 2) entangled states, and the entangled states are distributed as follows:

$$ {\left|{\varPsi}_{442}\right\rangle}_{BCA}=\frac{1}{2}{\left(\left|000\right\rangle +\left|111\right\rangle +\left|220\right\rangle +\left|331\right\rangle \right)}_{BCA} $$

(5)

$$ {\left|{\varPsi}_{442}\right\rangle}_{ABC}=\frac{1}{2}{\left(\left|000\right\rangle +\left|111\right\rangle +\left|220\right\rangle +\left|331\right\rangle \right)}_{ABC} $$

(6)

$$ {\left|{\varPsi}_{442}\right\rangle}_{ACB}=\frac{1}{2}{\left(\left|000\right\rangle +\left|111\right\rangle +\left|220\right\rangle +\left|331\right\rangle \right)}_{ACB} $$

(7)

$$ {\left|{\varPsi}_{442}\right\rangle}_{SCA}=\frac{1}{2}{\left(\left|000\right\rangle +\left|111\right\rangle +\left|220\right\rangle +\left|331\right\rangle \right)}_{SCA} $$

(8)

$$ {\left|{\varPsi}_{442}\right\rangle}_{SAB}=\frac{1}{2}{\left(\left|000\right\rangle +\left|111\right\rangle +\left|220\right\rangle +\left|331\right\rangle \right)}_{SAB} $$

(9)

$$ {\left|{\varPsi}_{442}\right\rangle}_{SBC}=\frac{1}{2}{\left(\left|000\right\rangle +\left|111\right\rangle +\left|220\right\rangle +\left|331\right\rangle \right)}_{SBC} $$

(10)

Likewise, after necessary L-QKD steps performed, a greater key system could be obtained, as shown in Table 2.

Table 2 The greater layered key system involving the source party

Conference keys for any tripartite have been shared, as well as layered secret keys for any bipartite. Thus key system grows more extensive and more integrated, which could enrich our symmetrical L-QKD scheme more flexible and more robust. Furthermore, this layered key system with central source could implement a quantum communication network. As an ideal application, our scheme will be discussed in the butterfly network [25,26,27] briefly.

Suppose Alice wants to send bits a and b to both Bob and Charlie. The classical case can be shown in Fig. 4(a). To ensure the security of bits a and b, an alternative encryption structure with asymmetric entangled states could be designed, as shown in Fig. 4(b).

Fig. 4

The butterfly network. In the classical case, Alice wants to send bits a and b to both Bob and Charlie by employing the linear network code given by the transmitted symbols written onto the channels (⊕ means XOR) [6]. a Classical linear network. b An encryption structure with asymmetric entangled states

Firstly, the Source produces two asymmetric (4, 4, 2) entangled states for AC and AB, respectively, i.e., \( {\left|{\varPsi}_{442}\right\rangle}_{ACS}=\frac{1}{2}{\left(\left|000\right\rangle +\left|111\right\rangle +\left|220\right\rangle +\left|331\right\rangle \right)}_{ACS} \) and \( {\left|{\varPsi}_{442}\right\rangle}_{ABS}=\frac{1}{2}{\left(\left|000\right\rangle +\left|111\right\rangle +\left|220\right\rangle +\left|331\right\rangle \right)}_{ABS} \). As mentioned, the conference key K_ACS could be shared among Alice, Charlie and Source, so could K_ABS. Furthermore, the layered secret keys k_AB and k_AC could be distributed simultaneously. Hence, Alice possesses {K_ACS, K_ABS, k_AB, k_AC}, Bob and Charlie hold {K_ABS, k_AB} and {K_ACS, k_AC}, respectively.

Encryption: Alice encrypts bits a and b via bitwise XOR operation with her keys, i.e., a ⊕ k_AC, (a ⊕ b) ⊕ K_ACS, b ⊕ k_AB and (a ⊕ b) ⊕ K_ABS. Then Alice transmits the encrypted messages a ⊕ k_AC and (a ⊕ b) ⊕ K_ACS to Charlie, while sends messages b ⊕ k_AB and (a ⊕ b) ⊕ K_ABS to Bob.

Decryption: After receiving encoded messages, Charlie and Bob decrypt the bits with their keys respectively. i.e., Charlie computes k_AC ⊕ (a ⊕ k_AC) and K_ACS ⊕ ((a ⊕ b) ⊕ K_ACS), while Bob operates k_AB ⊕ (b ⊕ k_AB) and K_ABS ⊕ ((a ⊕ b) ⊕ K_ABS).

Therefore Charlie obtains bits a and a ⊕ b, while Bob obtains bits b and a ⊕ b. Performing simple XOR operation on their outcomes, i.e., a ⊕ (a ⊕ b) → b and b ⊕ (a ⊕ b) → a, both Bob and Charlie could receive bits a and b finally.

It is known that the security is guaranteed by the layered key structure and one-time pad encryption algorithm, even if the source is under the control of eavesdropper, only the result of a ⊕ b could be leaked.

5 A Symmetric L-QKD Scheme Via Symmetric (4, 4, 4) Entangled State

Apart from the above, another scheme to achieve fairness among three agents is discussed below. Based on three asymmetric (4, 4, 2) entangled state|Ψ₄₄₂〉, a novel symmetric (4, 4, 4) entangled state |Ψ₄₄₄〉 is considered for our protocol.

$$ {\displaystyle \begin{array}{c}{\left|{\varPsi}_{444}\right\rangle}_{AB C}=\frac{1}{2\sqrt{2}}{\left(\left|000\right\rangle +\left|111\right\rangle +\left|220\right\rangle +\left|331\right\rangle +\left|202\right\rangle +\left|313\right\rangle +\left|022\right\rangle +\left|133\right\rangle \right)}_{AB C}\\ {}=\frac{1}{2\sqrt{2}}\Big[{\left|0\right\rangle}_A\otimes {\left(\left|00\right\rangle +\left|22\right\rangle \right)}_{BC}+{\left|1\right\rangle}_A\otimes {\left(\left|11\right\rangle +\left|33\right\rangle \right)}_{BC}+\\ {}\kern2.75em {\left|2\right\rangle}_A\otimes {\left(\left|20\right\rangle +\left|02\right\rangle \right)}_{BC}+{\left|3\right\rangle}_A\otimes {\left(\left|31\right\rangle +\left|13\right\rangle \right)}_{BC}\Big]\\ {}=\frac{1}{2\sqrt{2}}\Big[{\left|0\right\rangle}_B\otimes {\left(\left|00\right\rangle +\left|22\right\rangle \right)}_{AC}+{\left|1\right\rangle}_B\otimes {\left(\left|11\right\rangle +\left|33\right\rangle \right)}_{AC}+\\ {}\kern2.75em {\left|2\right\rangle}_B\otimes {\left(\left|20\right\rangle +\left|02\right\rangle \right)}_{AC}+{\left|3\right\rangle}_B\otimes {\left(\left|31\right\rangle +\left|13\right\rangle \right)}_{AC}\Big]\\ {}=\frac{1}{2\sqrt{2}}\Big[{\left|0\right\rangle}_C\otimes {\left(\left|00\right\rangle +\left|22\right\rangle \right)}_{AB}+{\left|1\right\rangle}_C\otimes {\left(\left|11\right\rangle +\left|33\right\rangle \right)}_{AB}+\\ {}\kern2.75em {\left|2\right\rangle}_C\otimes {\left(\left|20\right\rangle +\left|02\right\rangle \right)}_{AB}+{\left|3\right\rangle}_C\otimes {\left(\left|31\right\rangle +\left|13\right\rangle \right)}_{AB}\Big]\end{array}} $$

(11)

It is noted any individual agent could distribute the layered keys to others by the partially entangled states |0〉_A/B/C ⊗ (|00〉 + |22〉)_BC/AC/AB and |1〉_A/B/C ⊗ (|11〉 + |33〉)_BC/AC/AB, which is equal to the asymmetric (4, 4, 2) entangled state. Besides, the rest of entangled states |2〉_A/B/C ⊗ (|20〉 + |02〉)_BC/AC/AB and |3〉_A/B/C ⊗ (|31〉 + |13〉)_BC/AC/AB also could be of benefit to build conference keys. The implementation of the scheme is described briefly below.

Similarly, three agents A, B and C share N three symmetric (4, 4, 4) entangled states \( {\left|{\varPsi}_{444}\right\rangle}_{ABC}^{\otimes N} \). After performing measurements on the states in order, each of the eight possible combinations 000, 111, 220, 331, 202, 313, 022, 133 is distributed uniformly. Then three agents label the N outcomes with 0, 1, 2 and 3 individually.

Suppose they intend to achieve L-QKD scheme shown in Fig. 2(a), i.e., A, B and C share K_ABC while B and C share k_BC secretly. In this case, firstly agent A only announces the labeled number of outcomes 0 and 1 publicly, then B and C picks up corresponding labeled particles from A's announcement, according to the correlation of |Ψ₄₄₄〉 and the key generation in Sect. 2, three agents could implement the L-QKD scheme. Furthermore, the remaining unselected particles, could also be applied to generate conference key string K_ABC.

$$ {K}_{ABC}=\left\{\begin{array}{l}1,\mathrm{for}\ \mathrm{outcomes}\ 1\ \mathrm{and}\ 3;\\ {}0,\mathrm{for}\ \mathrm{outcomes}\ 0\ \mathrm{and}\ 2.\end{array}\right. $$

where K_ABC is correlated to agent’s measurement outcomes correctly. Similarly, after parameter estimation and post-processing in raw keys, key strings could be used to encrypt messages among all three agents with one-time pad (OTP). Moreover, it is easy to achieve fairness among three agents, for example, if agents desire to implement the scheme shown in Fig. 2(c), only few steps need to be changed, where B firstly announces the labeled number of outcomes 0 and 1 in his hand publicly, then A and C select the same marked particles to build the layered key structure.

It is noted that since only half outcomes of N entangled states |Ψ₄₄₄〉 could contribute to L-QKD scheme, the implementation results of a three symmetric (4, 4, 4) entangled states in the idealized key rates are \( {R}_{K_{ABC}}=1 \) and \( {R}_{k_{AB}/{k}_{BC}/{k}_{AC}}=1/2 \).

6 Security Analysis and Comparison

As stated above, the proposed symmetrical tripartite quantum key distribution scheme is based on the L-QKD model (see Fig. 1). Therefore, the primary issue is the security of the L-QKD protocol, wherein the asymmetric (4, 4, 2) entangled state |Ψ₄₄₂〉_{i, j, u}, i, j, u ∈ {A, B, C}, is a crucial process.

It is known that |Ψ₄₄₂〉_{i, j, u} guarantees the key strings K_{i, j, u} and k_{i, j} independently, i.e., I(K_{i, j, u} ; k_{i, j}) = 0, and the idealized key rate of the L-QKD protocol could achieve 100%, which is better than the conventional EPR- and GHZ- QKD protocols. Here, by employing the composable security definition in [6], we principally discuss the security of the key under the most general eavesdropping attack, i.e., coherent attack [28].

Suppose that the agents i, j and u share N asymmetric (4, 4, 2) entangled states. The eavesdropper E is given to hold a purification of the global state. After performing respective computational measurement of three agents, the total quantum state is expressed by the density operator,

$$ {\displaystyle \begin{array}{c}{\rho}_{K_i{k}_i,{K}_j{k}_j,{K}_u,E}^N=\sum \limits_{M_i,{M}_j,{M}_u}{P}_{K_i{k}_i,{K}_j{k}_j,{K}_u,E}\left({M}_i,{M}_j,{M}_u\right)\left|{M}_i\right\rangle \left\langle {M}_i\right|\\ {}\otimes \left|{M}_j\right\rangle \left\langle {M}_j\right|\otimes \left|{M}_u\right\rangle \left\langle {M}_u\right|\otimes {\rho}_E^{M_i,{M}_j,{M}_u}\end{array}} $$

(12)

where the strings of measurement outcomes M_i, M_j and M_u of agents i, j and u, which occur with probability \( {P}_{K_i{k}_i,{K}_j{k}_j,{K}_u,E}\left({M}_i,{M}_j,{M}_u\right) \), are stored in key systems K_ik_i, K_jk_j and K_u, respectively.

Similar to the classical post-processing in the bipartite scheme, in the error correction step, agent u pre-processes the random key string K_u according to the channel V ← K_u and sends classical error correction information W (W is same as three agents) to i and j, who calculate their individual guesses V_i and V_j for V from K_i, K_j and W. Moreover, in the privacy amplification step, agent u randomly chooses hash function h, computes his key S_u = h(V) and announces the description of h, then i and j also perform S_i = h(V_i) and S_j = h(V_j). Therefore, the total quantum state could be described as \( {\rho}_{S_i{S}_j{S}_u{E}^{\varepsilon }} \). As is known from [6], the key system (S_i, S_j, S_u) is called ε-secure, if it is ε-close to the ideal state, i.e., \( \mathrm{tr}\left|{\rho}_{S_i{S}_j{S}_u{E}^{\varepsilon }}-{\rho}_{SSS}\otimes {\rho}_{E^{\varepsilon }}\right|\le 2\varepsilon \).

According to [29], the length \( {\varsigma}_{K_{i,j,u}}^{(N)} \) of the conference key K_{i, j, u} generated from N asymmetric (4, 4, 2) entangled states will then be denoted as

$$ {\zeta}_{K_{i,j,u}}^{(N)}=\underset{V\leftarrow {K}_u}{\sup}\left[{S}_2^{\varepsilon }(VE)-{S}_0^{\varepsilon }(E)-\underset{i,j}{\max }{H}_0^{\varepsilon}\left(\left.V\right|{K}_{i,j}\right)\right] $$

(13)

where V ← K_u denotes a bitwise preprocessing channel on raw key bit K_u of agent u, \( {S}_{\alpha}^{\varepsilon}\left(\rho \right) \) is a smooth Rényi entropy, and the last term \( \underset{i,j}{\max }{H}_0^{\varepsilon}\left(\left.V\right|{K}_{i,j}\right) \) denotes the maximal leakage to eavesdropper in the error correction step.

Without considering parameter estimation step, for the limit N → ∞, the secret fraction \( {r}_{K_{i,j,u}}^{\infty } \)is given by

$$ {r}_{K_{i,j,u}}^{\infty }=\underset{N\to \infty }{\lim }{\zeta}_{K_{i,j,u}}^{(N)}/N=\underset{V\leftarrow {K}_u}{\sup}\underset{\sigma_{i,j,u}\in \varGamma }{\operatorname{inf}}\left[S\left(\left.V\right|E\right)-\underset{i,j}{\max }H\left(\left.V\right|{K}_{i,j}\right)\right] $$

(14)

where S(V|E) is the conditional Von-Neumann entropy of the key variable, E denotes the system state of eavesdropper, H(V|K_{i, j}) is the conditional Shannon entropy, which denotes agents i and j's guess of K_u, and Γ is the set of all density matrices σ_{i, j, u} of all agents, which are consistent with the parameter estimation.

It is easy to access the length \( {\zeta}_{k_{i,j}}^{(N)} \) of the layer secret key k_{i, j} and the secret fraction \( {r}_{k_{i,j}}^{\infty } \) between i and j, which are given by

$$ {\zeta}_{k_{i,j}}^{(N)}=\underset{U\leftarrow {k}_i}{\sup}\left[{S}_2^{\varepsilon }(UE)-{S}_0^{\varepsilon }(E)-\max {H}_0^{\varepsilon}\left(\left.U\right|{k}_j\right)\right] $$

(15)

$$ {r}_{k_{i,j}}^{\infty }=\underset{U\leftarrow {k}_i}{\sup}\underset{\sigma_{i,j}\in \varLambda }{\operatorname{inf}}\left[S\left(\left.U\right|E\right)-\max H\left(\left.U\right|{k}_j\right)\right] $$

(16)

Likewise, U ← k_i denotes a bitwise preprocessing channel on agent i‘s raw key bit k_i, H(U|k_j) denotes agents j‘s guess of k_i, and Λ is the set of all density matrices σ_{i, j} of agents i and j.

Finally, the conference secret key rate and the layer secret key rate are \( R={r}_{K_{i,j,u}}^{\infty }/{t}_{\mathrm{rep}} \) and \( R={r}_{k_{i,j}}^{\infty }/{t}_{\mathrm{rep}} \), respectively. Note that t_rep is the repetition time when one round protocol takes, generally we assume that t_rep = 1.

Additionally, to immune to the intercept-and-resend attack, extra techniques such as decoy state technique [30,31,32,34] could be used. In a practical implementation of the proposed scheme, the participants can also use of the methods given in [35, 36] to avoid the Trojan horse attack and in-visible-photon attack. The necessary post-processing, such as the parameter estimation results, error correction and privacy amplification, is inevitably involved.

With respect to the original L-QKD protocol, our rotational symmetrical L-QKD scheme has a more integrated key system, where one could perform authentication to resist dishonest participant attacks via the secure bipartite channel (i.e., k_SA, k_SB, k_SC, k_AB, k_AC, k_BC). Besides, our scheme enhances the capacity of the original layered key system by consuming more high-dimensional entangled states.

Herein, a brief comparison for the proposed protocols with the original L-QKD protocol is described.

For the rotational symmetrical L-QKD scheme in Sect. 3, a more integrated key system in a three-party case is established. Different from the original case, it exploits three rounds entanglement distribution to expand the type of keys from 2 (K_iju, k_ij) to 4 (K_iju, k_ij, k_iu, k_ju), and all idealized key rates are 100% similarly. More importantly, this scheme is immune to the participant attack via the fairness key structure among three parties.

Moreover, for the symmetric L-QKD scheme in Sect. 5, the layered key structure could be accomplished by half outcomes by utilizing symmetric (4, 4, 4) entangled states. Compared with the original protocol, the fairness among three agents could be achieved. The idealized key rates are \( {R}_{K_{iju}}=1 \), \( {R}_{k_{ij}/{k}_{iu}/{k}_{ju}}=1/2 \). It should be pointed out that the tripartite layered key distribution with rotational symmetrical structure is an application of the original L-QKD protocol, but it enhances the quality of the final key system.

7 Conclusion

A new symmetrical quantum key distribution scheme for three parties based on layered key structure is proposed. To raise a more integrated key system and guarantee the fairness among communication parties, an interesting rotational symmetrical key structure is generalized. Moreover, the strategy to implement a quantum communication network via the layered key system with a central source is presented, which could be employed to encrypt information in the butterfly network correctly. Furthermore, according to the three asymmetric (4, 4, 2) entangled states, a novel symmetric (4, 4, 4) entangled state is discussed for our L-QKD scheme. It is easy to achieve fairness among three agents via a different method. Finally, the security of our scheme via information-theoretic proof is analyzed.

In summary, our scheme expands the number of conference keys for secure broadcast and distributes the bipartite keys for any two participants. Such high dimension entangled states could be used for many cryptographic tasks. Furthermore, the idea of layered key structure could be extended to other quantum information fields, such as semi-quantum key agreement [37], quantum group authentication [38], quantum-information splitting [39], continuous-variable quantum key distribution [39], quantum networks communication, and so forth.