One-to-Many Simultaneous Secure Quantum Information Transmission

Abstract

This paper presents a new quantum protocol designed to transmit information from one source to many recipients simultaneously. The proposed protocol, which is based on the phenomenon of entanglement, is completely distributed and is provably information-theoretically secure. Numerous existing quantum protocols guarantee secure information communication between two parties but are not amenable to generalization in situations where the source must transmit information to two or more recipients. Hence, they must be executed sequentially two or more times to achieve the desired goal. The main novelty of the new protocol is its extensibility and generality to situations involving one party that must simultaneously communicate different, in general, messages to an arbitrary number of spatially distributed parties. This is achieved in the special way employed to encode the transmitted information in the entangled state of the system, one of the distinguishing features compared with previous protocols. This protocol can prove expedient whenever an information broker, say, Alice, must communicate distinct secret messages to her agents, all in different geographical locations, in one go. Due to its relative complexity compared with similar cryptographic protocols, as it involves communication among n parties and relies on $|GH{Z}_n⟩$ tuples, we provide an extensive and detailed security analysis so as to prove that it is information-theoretically secure. Finally, in terms of its implementation, the prevalent characteristics of the proposed protocol are its uniformity and simplicity, because it only requires CNOT and Hadamard gates and the local quantum circuits are identical for all information recipients.

1. Introduction

In today’s world, advocating for the significance of privacy and security in every facet of our lives as individuals hardly needs justification. Privacy is not just a fundamental constitutional right but a cornerstone that demands respect and safeguarding in all circumstances. This imperative has driven the development and deployment of robust technical tools aimed at securing our digital data. The pursuit of foolproof algorithms and protocols to protect our privacy from unauthorized access stands as a prominent theme in current research. However, this endeavor is far from simple, given that we have entered a new scientific epoch, the quantum era, offering the potential of unprecedented computational power. This untapped power introduces novel algorithms that have the potential to compromise the security provided by well-established classical methods. Two illustrative examples underscoring this point are Shor’s algorithm [1] and Grover’s algorithm [2]. Shor’s algorithm has the capability to factorize large numbers in polynomial time, posing a practical threat to public key cryptosystems. Grover’s algorithm accelerates unordered search tasks and may also be leveraged to attack symmetric key cryptosystems like AES.

As of today, quantum computers with the potential to challenge the classical status quo have not materialized. However, recent remarkable progress, as exemplified by IBM’s 127-qubit Eagle processor [3], the subsequent 433-qubit Osprey processor [4], and the just unveiled, groundbreaking 1121 superconducting qubit Condor processor [5], suggests that this may change sooner than initially expected. It appears prudent, if not imperative, to enhance our algorithms and protocols significantly before they become a vulnerability to our security infrastructure. This tremendous effort has given rise to two new scientific fields: post-quantum or quantum-resistant cryptography and quantum cryptography. The former represents an evolutionary step from the current state of affairs [6,7,8,9], addressing security concerns by relying on carefully chosen computationally challenging problems, an approach that has proven effective thus far. The latter, quantum cryptography, capitalizes on the laws of nature, such as entanglement, monogamy of entanglement, the no-cloning theorem, and nonlocality, to establish unassailable security.

In our view, the long-term trajectory of cryptography inevitably leads to quantum cryptography, which stands as a pivotal and contemporary research focus. This transition arises from the overwhelming advantages offered by the fundamental properties of quantum mechanics. These properties not only enable the secure protection of information but also facilitate efficient information transmission through the utilization of entangled states, as initially proposed by Arthur Ekert [10]. Ekert’s groundbreaking E91 quantum key distribution protocol demonstrated the feasibility of key distribution using EPR pairs. Following this seminal work by Ekert, the field of quantum cryptography experienced a rapid proliferation of entanglement-based key distribution protocols [11,12,13,14,15,16]. This proliferation has underscored the significance of this approach and has spurred the research community to further extend the field by exploring other cryptographic primitives, such as quantum secret sharing. Quantum cryptography harnesses these unique and potent quantum phenomena to design secure protocols for a wide array of critical applications, including key distribution [10,12,13,14,15,16,17], secret sharing [18,19,20], quantum teleportation [21], cloud storage [22,23], and blockchain [24,25,26]. Undoubtedly, quantum cryptography stands out as a rapidly advancing and captivating field, featuring various directions, including continuous-variable quantum key distribution (as explored in [27,28]). This dynamic landscape extends to numerous research avenues, as evidenced by recent state-of-the-art works, such as [29,30,31,32,33].

Another notable research direction in this field is Quantum Secure Direct Communication, which was initiated in [34]. Its most important characteristic, which distinguishes it from standard key distribution, which establishes a common random key between two parties, is that it transmits information directly and without using an existing key. The classical channel is employed only for detection purposes and not for transmitting information necessary to decipher the secret message. The intended recipient deciphers the secret information after receiving the quantum states via the quantum channel. For a thorough and comprehensive review of the current state of the field, we refer the reader to the recent reference [35]. In a similar vein, the concept of Direct Secure Quantum Communication was initially proposed and further pursued in [36,37,38]. Direct Secure Quantum Communication, which is also different from quantum key distribution, is designed to transmit a secret message directly without establishing in advance a shared random key to encrypt it. Its characteristic trait is that in order to decode the secret information, one additional classical bit is required for each qubit. We also mention the important concept of Quantum Private Comparison, which applies to situations where multiple users who do not trust each other want to conduct secure multi-party computation and obtain the results without revealing their private information. Quantum Private Comparison allows all participants to obtain the privacy comparison results at the same time, while ensuring that the privacy information of each participant is confidential and cannot be stolen by other participants. For more details, one may consult the recent reference [39] and references therein.

In this study, we introduce an innovative entanglement-based protocol designed for the secure quantum transmission of information from one sender to multiple recipients simultaneously. The primary motivation behind this research is to propose a novel protocol enabling a single sender to communicate concurrently with several recipients who are assumed to be spatially distributed. This assumption aims to enhance flexibility and broaden the applicability of the protocol to diverse scenarios. The necessity of establishing coherent connections among n distinct and distributed parties using entanglement requires utilizing n-tuples of qubits entangled in the $|GH{Z}_n\rangle$ state. Using an entanglement scheme based on EPR pairs would be insufficient, as it can only establish connections between two parties. Another noteworthy feature of this new protocol is its scalability, allowing for seamless generalization to accommodate an arbitrary number of entities. The protocol is described as a quantum game, starring the usual protagonist, Alice. Although Alice’s agents are assumed to be too many to be named individually, in some small-scale examples, they are referred to as the usual sidekicks, Bob and Charlie. It is expected that the pedagogical nature of games will make the presentation of the technical concepts easier to follow. Quantum games, from their inception in 1999 [40,41], have known great acceptance, since quantum strategies are sometimes superior to classical ones [42,43,44]. The famous prisoners’ dilemma game provides the most prominent example, which also applies to other abstract quantum games [41]. The quantization of many classical systems can even apply to political structures, as was shown in [45].

1.1. Contribution

This paper presents a new quantum protocol designed to simultaneously transmit information from one source to many recipients. The proposed entanglement-based protocol is completely distributed and is provably information-theoretically secure. Although there many quantum protocols that achieve secure information communication between two parties, most of them are not amenable to generalization to situations where the source must transmit information to two or more recipients in parallel. By using a typical QKD protocol in a parallel fashion, one may also achieve the desired outcome of having Alice send distinct secret messages to a plethora of Bobs simultaneously. However, the advantage of the new protocol is that it generalizes the standard method of QKD to many receivers at the same time. As a matter of fact, the present method subsumes the classical QKD approach, as it can be readily used by Alice to secretly send a key to a single Bob (this was initially presented in [16]). It also subsumes quantum secret sharing in the special case where all the recipients reside at the same geographical location, meaning that Alice can employ this protocol to distribute a secret to a group of agents. If used in conjunction with the protocol introduced in [20], which accomplishes the reverse task, i.e., many senders transmit their partial secrets to one receiver, it can achieve many-to-many secret communication.

Another noteworthy novelty of the new protocol is its extensibility and generalizability to situations involving one source that must simultaneously communicate different, in general, messages to an arbitrary number of spatially distributed parties. This is achieved in the special way where the transmitted information is embedded in the entangled state of the system, one of the distinguishing features compared with previous protocols. This protocol can prove expedient whenever an information broker, say, Alice, must communicate distinct secret messages to a distributed network of agents in one go. Due to its relative complexity compared with similar cryptographic protocols, as it involves communication among n parties and relies on $|GH{Z}_n\rangle$ tuples, we provide an extensive and detailed security analysis so as to prove that it is information-theoretically secure. The methods used in our analysis are inspired by modern textbooks, such as [46], and recent articles, like [29,47]. In terms of the capabilities of modern quantum apparatus, the implementation of the proposed protocol does not present any difficulty because it only requires CNOT and Hadamard gates. An additional advantage is that the local quantum circuits are identical for all information recipients.

1.2. Organization

The paper is organized as follows: Section 1 contains an introduction to the subject along with bibliographic pointers to related works. Section 2 presents the underlying machinery necessary for understanding the technicalities of the protocol. Section 3 provides an analytical and rigorous exposition of the proposed quantum protocol. Section 4 is devoted to the detailed security analysis of the protocol, and finally, Section 5 gives a brief summary of this work and outlines directions for future research.

2. Background and Terminology

In the realm of quantum physics, one encounters peculiar hallmark properties that defy classical physics and challenge our everyday intuition. One of the prime examples of this strangeness is entanglement, a phenomenon that not only bewilders but also holds immense potential for accomplishing feats that are difficult or even impossible in the classical world. Entanglement arises in composite quantum systems, typically composed of at least two subsystems, often situated at separate locations. From a mathematical standpoint, a composite system is considered entangled when its state can only be described as a linear combination of two or more product states involving its subsystems. One of the remarkable advantages of quantum entanglement is that when a measurement is performed on one qubit of an entangled pair or tuple, the other qubit (qubits) instantaneously collapses (collapse) to the corresponding basis state in the product, regardless of the physical distance separating them. It is precisely this celebrated characteristic of quantum entanglement that finds application in various quantum cryptographic protocols, such as key distribution and secret sharing, among others.

Arguably, the most well-known examples of maximal entanglement are pairs of qubits in one of the four Bell states, also referred to as EPR pairs. For more details, including their precise mathematical description, the interested reader may consult any standard textbook, such as [48,49,50]. Fortunately, maximal entanglement is generalized in the most straightforward and intuitive way in the case of multipartite systems. Perhaps, the most celebrated form of maximal entanglement encountered in composite systems consisting of n qubits, where $n\ge 3$, is the $|GH{Z}_n\rangle$ state (GHZ are the initials of the researchers Greenberger, Horne, and Zeilinger). In such a scenario, a composite quantum system consists of n individual qubits, possibly spatially separated, with each qubit being considered a separate subsystem. All these n qubits are entangled in the $|GH{Z}_n\rangle$ state, which is mathematically described as follows:

$$\begin{array}{c}\hfill |GH{Z}_n\rangle =\frac{{|0\rangle }_{n-1}{|0\rangle }_{n-2}\dots {|0\rangle }_0+{|1\rangle }_{n-1}{|1\rangle }_{n-2}\dots {|1\rangle }_0}{\sqrt{2}}.\end{array}$$

(1)

In the previous formula, Formula (1), the subscript $i,0\le i\le n-1$, designates the ith individual qubit. Today, existing quantum computers can produce arbitrary GHZ states using standard quantum gates, such as the Hadamard and CNOT gates. Moreover, the circuits that generate these states are very efficient because they require $lgn$ steps for the $|GH{Z}_n\rangle$ state [51].

The protocol introduced in this work requires a more elaborate and general distributed quantum system, in which each individual subsystem is not just a single qubit but a quantum register $r_i$, $0\le i\le n-1$, consisting of m qubits. In this respect, the defining property of this setting is that the corresponding qubits of all the n registers are entangled in the $|GH{Z}_n\rangle$ state. This is formalized by the following, Definition 1.

Definition 1

(Entanglement Distribution Scheme). The $(n,m)$ Symmetric Bit-Wise Entanglement Distribution Scheme asserts the existence of n spatially distributed quantum registers $r_0,r_1,\dots ,r_{n-1}$, each containing m bits, satisfying the property that for each $j,0\le j\le m-1$, the n qubits occupying the jth position of each register are entangled in the $|GH{Z}_n\rangle$ state.

As a result, the global state of the composite distributed system is expressed by the next equation, proved in [20].

$$\begin{array}{cc}\hfill {|GH{Z}_n\rangle }^{\otimes m}& =\frac{1}{\sqrt{2^m}}\sum _{\mathbf{x}\in {\mathbb{B}}^m}{|\mathbf{x}\rangle }_{n-1}\dots {|\mathbf{x}\rangle }_0.\hfill \end{array}$$

(2)

In the above equation, Equation (2), the following notation is employed:

• $\mathbb{B}$ stands for $\{0,1\}$.
• We follow the typical convention of writing bit vectors $\mathbf{x}$ $\in {\mathbb{B}}^m$ in boldface. A bit vector $\mathbf{x}$ of length m is simply a sequence of m bits: $\mathbf{x}=x_{m-1}\dots x_0$. In this fashion, the zero-bit vector is designated by $\mathbf{0}=0\dots 0$.
• The notation $\mathbf{x}\in {\mathbb{B}}^m$ means that the bit vector $\mathbf{x}$ ranges through all the $2^m$ bit vector representations of the basis kets.
• To avoid any possible confusion, we use again the i indices, $0\le i\le n-1$, to make it clear that ${|\mathbf{x}\rangle }_i$ denotes the state of the ith quantum register.

A visual depiction of this setup is given in Figure 1, where the corresponding qubits comprising the $|GH{Z}_n\rangle$ n-tuple are drawn in the same color. This composite system contains $mn$ distributed qubits in total because there exist m qubits in each of the n registers. The registers are all assumed to be at different geographic locations, but the entanglement effect due to the m$|GH{Z}_n\rangle$ n-tuples provides the necessary correlation that enables us to view this as one, albeit distributed, system.

Example 1

(Alice, Bob, and Charlie). Let us consider a special case of the general setting, featuring the three prolific players Alice, Bob, and Charlie. They are all at different geographical locations, and they possess their own local quantum registers. Moreover, each register contains 9 qubits. According to the Entanglement Distribution Scheme outlined in Definition 1, there are nine triplets of qubits, and in each triplet, the qubits are entangled in the $|GH{Z}_3\rangle$ state. The resulting setting is shown in Figure 2.

In addition to $|GH{Z}_n\rangle$ tuples, our communication scheme makes use of two other signature states, namely, $|+\rangle$ and $|-\rangle$, defined as

$$\begin{array}{c}\hfill |+\rangle =H|0\rangle =\frac{|0\rangle +|1\rangle }{\sqrt{2}}\end{array}$$

(3)

$$\begin{array}{c}\hfill |-\rangle =H|1\rangle =\frac{|0\rangle -|1\rangle }{\sqrt{2}}\end{array}$$

(4)

During the formal mathematical analysis of the proposed protocol, it will be necessary to apply the important and useful formula that expresses the m-fold Hadamard transform of an arbitrary basis ket. This formula, proved in most standard textbooks, such as [48,52], is given below.

$$\begin{array}{cc}\hfill H^{\otimes m}|\mathbf{x}\rangle & =\frac{1}{\sqrt{2^n}}\sum _{\mathbf{z}\in {\mathbb{B}}^m}{(-1)}^{\mathbf{z}·\mathbf{x}}|\mathbf{z}\rangle .\hfill \end{array}$$

(5)

In (5), the symbolism $\mathbf{x}·\mathbf{y}$ denotes the inner product modulo 2 operation. Given bit vectors $\mathbf{x},\mathbf{y}\in {\mathbb{B}}^m$, with $\mathbf{x}=x_{m-1}\dots x_0$ and $\mathbf{y}=y_{m-1}\dots y_0$, $\mathbf{x}·\mathbf{y}$ is defined as

$$\mathbf{x}·\mathbf{y}=x_{n-1}{y}_{n-1}\oplus \cdots \oplus x_0{y}_0,$$

(6)

where ⊕ stands for addition modulo 2. The inner product modulo 2 operation satisfies the following characteristic property: If $\mathbf{c}\in {\mathbb{B}}^m$ is different from $\mathbf{0}$, then for half of the elements $\mathbf{x}\in {\mathbb{B}}^m$, the result of the operation $\mathbf{c}·\mathbf{x}$ is 0, and for the remaining half, the result of the operation $\mathbf{c}·\mathbf{x}$ is 1. Obviously, if $\mathbf{c}=\mathbf{0}$, then for all $\mathbf{x}\in {\mathbb{B}}^m$, $\mathbf{c}·\mathbf{x}=0$ (a more detailed analysis can be found in [20]). For future reference, this property is referred to as the characteristic inner product property.

$$\begin{array}{c}\hfill \mathbf{c}=\mathbf{0}\Rightarrow \left\{\mathrm{for}\mathrm{all}{2}^m\mathrm{bit}\mathrm{vectors}\mathbf{x}\in {\mathbb{B}}^m,\mathbf{c}·\mathbf{x}=0\right\}\end{array}$$

$$\mathbf{c}\ne \mathbf{0}\Rightarrow \left\{\begin{array}{c}\hfill \mathrm{for}{2}^{m-1}\mathrm{bit}\mathrm{vectors}\mathbf{x}\in {\mathbb{B}}^m,\mathbf{c}·\mathbf{x}=0\\ \hfill \mathrm{for}{2}^{m-1}\mathrm{bit}\mathrm{vectors}\mathbf{x}\in {\mathbb{B}}^m,\mathbf{c}·\mathbf{x}=1\end{array}\right\}$$

(7)

As a final note, let us clarify that measurements are performed with respect to the computational basis $\{|0\rangle ,|1\rangle \}$, unless otherwise specified. During the implementation of our protocol, when performing the first validation test, it will also be necessary to make measurements with respect to the Hadamard basis $\{|+\rangle ,|-\rangle \}$. Whenever such an occasion arises, it will be mentioned explicitly.

3. The One-to-Many Simultaneous Secure Quantum Information Transmission Protocol

This section contains an in-depth presentation of the entanglement-based protocol for one-to-many simultaneous secure quantum information transmission, abbreviated to OtMSQIT from now on. The presentation has the form of a quantum game, involving n players. One of them is the famous spymaster, Alice, who must simultaneously communicate to each of her $n-1$ agents a secret message. In the general exposition of the game, we refer collectively to the $n-1$, who remain anonymous. In the examples, where the game is played by a small number of players, Alice’s agents are the equally prominent heroes, Bob and Charlie. The secret messages are generally different for every agent, although it is conceivable that in special cases, all the messages are identical. The messages themselves may encode secret commands or encryption keys, or some other type of instruction. Their exact purpose is not important; the crucial thing is that the whole process is information-theoretically secure, so as to ensure that Eve, the adversary who eavesdrops, does not obtain any secret information. The most Eve can do is to obstruct the execution of the protocol, but even in this case, she is detected and the protocol is aborted before the final decryption takes place. The envisioned situation is specified by the next definition, Definition 2.

Definition 2

(One to Many Simultaneous Secure Quantum Information Transmission). Consider the following situation:

• Alice controls a network of $n-1$ agents: Agent${}_0$, …, Agent${}_{n-2}$. Alice and all her agents reside at different geographical locations.
• Alice must transmit to each of her agents a personalized information bit vector ${\mathbf{i}}_k,0\le k\le n-2$.
• Time is of the essence, so to speed things up, Alice wants the information transmission to her agents to take place simultaneously, in one go.
• Given the personalized information bit vectors ${\mathbf{i}}_0,\dots ,{\mathbf{i}}_{n-2}$, Alice constructs aggregated information bit vector $\mathbf{i}$ as their concatenation.
• Most importantly, the communication must be information-theoretically secure, so that her adversary, the eavesdropper, Eve, cannot obtain any secret information.

The task at hand is to come up with a quantum protocol that provably guarantees that Alice attains all the above goals.

Let us make some clarifications, to eliminate any possible misunderstanding:

• Theoretically, the number (n) of players is totally arbitrary, i.e., it may be any large integer. The only conceivable limitation could be the ability of our currently available apparatus to generate $|GH{Z}_n\rangle$ tuples when n goes beyond a certain limit.
• Alice assigns a specific ordering to her network of agents. The position, $i,0\le i\le n-2$, of each agent in this ordering is common knowledge, that is, Alice and all her agents know who Agent${}_0$, …, Agent${}_{n-2}$ are.
• In general, the personalized information bit vectors are assumed to be of different lengths. Obviously, our protocol can easily handle the special case where the information bit vectors have a fixed length.
• Alice communicates via the classical channel to all of her agents the length of the aggregated information bit vector and the lengths ($|{\mathbf{i}}_0|,\dots ,|{\mathbf{i}}_{n-2}|$) of the personalized bit vectors. This does not compromise secrecy, because knowing the length of a secret vector does not reveal its contents. We use the symbolism $|·|$ to designate the length, i.e., number of bits, of the enclosed bit vector.

We make the important remark that in the construction of the aggregated information bit vector, the order in which the individual bit vectors are concatenated is in accordance with the ordering depicted in Figure 1. This is because for consistency we adhere to the Qiskit [53] convention in the ordering of qubits by placing the least significant qubit at the top of the figure and the most significant one at the bottom. To rigorously define the aggregated information bit vector, we must first define an auxiliary sequence of positive integers as

$$\begin{array}{c}\hfill m_0=|{\mathbf{i}}_0|,m_1=|{\mathbf{i}}_1|+|{\mathbf{i}}_0|,\dots ,m_{n-3}=|{\mathbf{i}}_{n-3}|+\cdots +|{\mathbf{i}}_0|,m=|{\mathbf{i}}_{n-2}|+\cdots +|{\mathbf{i}}_0|,\end{array}$$

(8)

which allows us to proceed to the following definition of aggregated information bit vector $\mathbf{i}$.

$$\begin{array}{c}\hfill \mathbf{i}=i_{m-1}\cdots i_0=\underset{{\mathbf{i}}_{\mathbf{n}-\mathbf{2}}}{\underbrace{i_{m-1}\cdots i_{m_{n-3}}}}\underset{{\mathbf{i}}_{n-3}}{\underbrace{i_{m_{n-3-1}}\cdots i_{m_{n-4}}}}\dots \underset{{\mathbf{i}}_1}{\underbrace{i_{m_1-1}\cdots i_{m_0}}}\underset{{\mathbf{i}}_0}{\underbrace{i_{m_0-1}\cdots i_0}}.\end{array}$$

(9)

From now on, and in accordance with the previous equation, Equation (9), we will use m to designate the length of the aggregated information bit vector.

3.1. Entanglement Distribution and Validation Stage

It is helpful to describe the evolution of our protocol in stages. Before we begin in earnest, let us point out that our protocol does not violate the no-cloning theorem [54] because Alice initially creates and sends $|GH{Z}_n\rangle$ tuples and decoys either in state $|+\rangle$ or in state $|-\rangle$. Therefore, in this stage, the state of all qubits is known to all parties involved in the protocol. In a subsequent stage, Alice embeds the secret information to the distributed entangled state of the system, which is also a state known to Alice. The reader interested in a recent work regarding broadcasting entangled states may consult [55]. The first stage of the protocol is the entanglement distribution and validation stage, during which the following tasks take place:

(EDV₁)

Alice prepares a sequence of m$|GH{Z}_n\rangle$ tuples, that is, $mn$ qubits, called the information sequence, which is used for the actual transmission of the aggregated information bit vector.

(EDV₂)

Additionally, Alice prepares the decoy sequence, consisting of d nonentangled n-tuples, called decoy tuples, which is used during the first stage of the protocol for the validation test. In a decoy tuple, each qubit is prepared in a state that is chosen randomly and with equal probability from the states $\{|+\rangle ,|-\rangle \}$. It is important to emphasize that each qubit of the decoy tuple is prepared independently of the other qubits of the same tuple. Altogether, $dn$ decoy qubits are prepared in the Hadamard basis.

(EDV₃)

Assuming that in each n-tuple the qubits are numbered from 0 (the least significant) to $n-1$ (the most significant), Alice performs the following:

⋄

Storing, in her input register, denoted by $AIR$ in Figure 3, the $(n-1)$th qubit of each of the $m+d$ in total n-tuples

⋄

Sending to Agent${}_i$ the ith qubit, $0\le i\le n-2$, of each of the $m+d$ tuples through the quantum channel. These qubits populate Agent${}_i$’s input register, designated by $I{R}_i$ in Figure 3. Overall, Alice prepares $(m+d)n$ qubits and transmits $(m+d)(n-1)$ qubits to her agents, out of which $m(n-1)$ are information carriers and $d(n-1)$ are decoys.

(EDV₄)

It is of critical importance that Alice inserts the decoy sequence randomly and uniformly within the information sequence, using an appropriate probability distribution. Obviously, Alice must keep track of the positions of decoy tuples. Moreover, for each decoy tuple, Alice must record the states of all of its qubits.

(EDV₅)

After the distribution of the $m+d$ tuples has been completed, Alice proceeds to conducting the validation test, which is analyzed in detail in Section 4. During this test, the d decoy tuples are measured and consumed. If the outcome of the test is deemed a success, Alice knows that her adversary, Eve, did not manage to tamper with the distribution of the entangled qubits. Thus, the protocol can safely proceed to the next stage, in which only the m$|GH{Z}_n\rangle$ tuples are used. If the outcome of the test is considered a failure, the execution of the protocol is aborted.

Figure 3. The above figure shows the quantum circuits employed by Alice and her agents. Although these circuits are spatially separated, they are correlated due to entanglement and constitute a composite system. The state vectors $|{\psi }_0\rangle$, $|{\psi }_1\rangle$, $|{\psi }_2\rangle$, and $|{\psi }_f\rangle$ describe the evolution of the distributed system.

Figure 3. The above figure shows the quantum circuits employed by Alice and her agents. Although these circuits are spatially separated, they are correlated due to entanglement and constitute a composite system. The state vectors $|{\psi }_0\rangle$, $|{\psi }_1\rangle$, $|{\psi }_2\rangle$, and $|{\psi }_f\rangle$ describe the evolution of the distributed system.

Let us point out that the case where the protocol is aborted indicates that the security measures are not up to the task at hand. Hence, measures must be taken to enhance security, before the process can be performed all over again. We also emphasize that in the mathematical analysis of the protocol and the forthcoming figures, we intentionally omit the decoy tuples in order to streamline and simplify the computation and to avoid the overcluttering of the figures. Of course, the utilization of these tuples in the validation test is thoroughly explained in Section 4.

3.2. Secret Embedding Stage

During this stage, the aggregated information bit vector is embedded into the entanglement. Alice, using her local quantum circuit, distributes the information she wants to communicate to her agents into the entangled input registers. In this stage, each input register contains m qubits, since the d decoy tuples have been previously consumed. Alice and her $n-1$ agents, all at different geographical locations, operate on their local quantum circuits. Alice’s circuit consists of her input register ($AIR$), with m qubits, and her output register ($AOR$), with just one qubit in the $|-\rangle$ state, upon which she acts using unitary transforms. All agents have identical local circuits, comprising m-qubit input registers ($I{R}_i,0\le i\le n-2$), respectively, on which they apply the m-fold Hadamard transform. Although the quantum input registers are spatially separated, they constitute one composite distributed quantum circuit because of the strong correlations among their qubits due to the Entanglement Distribution Scheme of Definition 1. The whole setup is shown in Figure 3. Recall that all quantum circuits in this paper follow the Qiskit [53] convention in the ordering of qubits, by placing the least significant qubit at the top of the figure and the most significant one at the bottom.

The initial state of the distributed quantum circuit (consult Figure 3) is denoted by $|{\psi }_0\rangle$. With the help of (2), $|{\psi }_0\rangle$ can be written as

$$\begin{array}{c}\hfill |{\psi }_0\rangle =\frac{1}{\sqrt{2^m}}\sum _{\mathbf{x}\in {\mathbb{B}}^m}{|-\rangle }_A{|\mathbf{x}\rangle }_A{|\mathbf{x}\rangle }_{n-2}\dots {|\mathbf{x}\rangle }_0.\end{array}$$

(10)

Alice initiates the execution of the protocol by acting on her local input register, $AIR$, using the unitary transform, $U_{f_A}$. By doing so, she embeds the secret information she intends to communicate to her $n-1$ agents in the distributed circuit. The unitary transform, $U_{f_A}$, is based on the function $f_A$, which uses the aggregated information bit vector $\mathbf{i}$, as shown below.

$$\begin{array}{cc}\hfill f_A\left(\mathbf{x}\right)& =\mathbf{i}·\mathbf{x}.\hfill \end{array}$$

(11)

The unitary transform $U_{f_A}$ itself implements the ubiquitous scheme

$$\begin{array}{c}\hfill U_{f_A}:{|y\rangle }_A{|\mathbf{x}\rangle }_A\to {|y\oplus f_A\left(\mathbf{x}\right)\rangle }_A{|\mathbf{x}\rangle }_A.\end{array}$$

(12)

By combining (11) and (12), $U_{f_A}$ can be explicitly written as

$$\begin{array}{c}\hfill U_{f_A}:{|-\rangle }_A{|\mathbf{x}\rangle }_A\to {(-1)}^{\mathbf{i}·\mathbf{x}}{|-\rangle }_A{|\mathbf{x}\rangle }_A.\end{array}$$

(13)

The action of $U_{f_A}$ drives the system at the end of Phase 1 to state $|{\psi }_1\rangle$:

$$\begin{array}{cc}\hfill |{\psi }_1\rangle & =\frac{1}{\sqrt{2^m}}\sum _{\mathbf{x}\in {\mathbb{B}}^m}\left(U_{f_A}{|-\rangle }_A{|\mathbf{x}\rangle }_A\right){|\mathbf{x}\rangle }_{n-2}\dots {|\mathbf{x}\rangle }_0\hfill \\ \hfill & \stackrel{\left(13\right)}{=}\frac{1}{\sqrt{2^m}}\sum _{\mathbf{x}\in {\mathbb{B}}^m}{(-1)}^{\mathbf{i}·\mathbf{x}}{|-\rangle }_A{|\mathbf{x}\rangle }_A{|\mathbf{x}\rangle }_{n-2}\dots {|\mathbf{x}\rangle }_0.\hfill \end{array}$$

(14)

Therefore, at the end of Phase 1, the aggregated information bit vector is embedded in a distributed and implicitly way in the state $|{\psi }_1\rangle$ of the distributed quantum circuit. The next subsection describes the process through which it can be deciphered by the players.

3.3. Decryption Stage

The key ingredient in the decryption of the secret is the m-fold Hadamard transform that all players apply to their input registers during Phase 2, as visualized in Figure 3. Let us clarify that Alice and her agents refrain from performing any additional operations beyond the Hadamard transform. This deliberate limitation is imposed to avoid unintended disruptions to the entangled state of the system that already encodes Alice’s secret information. For some different possibilities in this stage, we refer to [56,57,58]. Hence, at the end of Phase 2, the state of the system has become $|{\psi }_2\rangle$:

$$\begin{array}{c}\hfill |{\psi }_2\rangle =\frac{1}{\sqrt{2^m}}\sum _{\mathbf{x}\in {\mathbb{B}}^m}{(-1)}^{\mathbf{i}·\mathbf{x}}{|-\rangle }_A{H}^{\otimes m}{|\mathbf{x}\rangle }_A{H}^{\otimes m}{|\mathbf{x}\rangle }_{n-2}\dots H^{\otimes m}{|\mathbf{x}\rangle }_0\end{array}$$

(15)

Using Formula (5), $H^{\otimes m}{|\mathbf{x}\rangle }_A$, $H^{\otimes m}{|\mathbf{x}\rangle }_{n-2}$, …, $H^{\otimes m}{|\mathbf{x}\rangle }_0$ can be rewritten as shown below.

$$\begin{array}{cc}\hfill H^{\otimes m}{|\mathbf{x}\rangle }_A& =\frac{1}{\sqrt{2^m}}\sum _{\mathbf{a}\in {\mathbb{B}}^m}{(-1)}^{\mathbf{a}·\mathbf{x}}{|\mathbf{a}\rangle }_A\hfill \\ \hfill H^{\otimes m}{|\mathbf{x}\rangle }_{n-2}& =\frac{1}{\sqrt{2^m}}\sum _{{\mathbf{y}}_{n-2}\in {\mathbb{B}}^m}{(-1)}^{{\mathbf{y}}_{n-2}·\mathbf{x}}{|{\mathbf{y}}_{n-2}\rangle }_{n-2}\hfill \\ \hfill & \dots \hfill \\ \hfill H^{\otimes m}{|\mathbf{x}\rangle }_0& =\frac{1}{\sqrt{2^m}}\sum _{{\mathbf{y}}_0\in {\mathbb{B}}^m}{(-1)}^{{\mathbf{y}}_0·\mathbf{x}}{|{\mathbf{y}}_0\rangle }_0\hfill \end{array}$$

This allows us to express $|{\psi }_2\rangle$ as

$$\begin{array}{c}\hfill |{\psi }_2\rangle =\frac{1}{(\sqrt{2^m{)}^{n+1}}}\sum _{\mathbf{a}\in {\mathbb{B}}^m}\sum _{{\mathbf{y}}_{n-2}\in {\mathbb{B}}^m}\cdots \sum _{{\mathbf{y}}_0\in {\mathbb{B}}^m}\sum _{\mathbf{x}\in {\mathbb{B}}^m}{(-1)}^{(\mathbf{i}\oplus \mathbf{a}\oplus {\mathbf{y}}_{n-2}\oplus \cdots \oplus {\mathbf{y}}_0)·\mathbf{x}}{|-\rangle }_A{|\mathbf{a}\rangle }_A{|{\mathbf{y}}_{n-2}\rangle }_{n-2}\dots {|{\mathbf{y}}_0\rangle }_0.\end{array}$$

(16)

At this point, it is expedient to recall the characteristic inner product property (7). This property implies that whenever $\mathbf{i}\oplus \mathbf{a}\oplus {\mathbf{y}}_{n-2}\oplus \cdots \oplus {\mathbf{y}}_0\ne \mathbf{0}$, or, equivalently, $\mathbf{a}\oplus {\mathbf{y}}_{n-2}\oplus \cdots \oplus {\mathbf{y}}_0\ne \mathbf{i}$, the sum ${\sum }_{\mathbf{x}\in {\mathbb{B}}^m}$${(-1)}^{(\mathbf{i}\oplus \mathbf{a}\oplus {\mathbf{y}}_{n-2}\oplus \cdots \oplus {\mathbf{y}}_0)·\mathbf{x}}$${|-\rangle }_A$${|\mathbf{a}\rangle }_A$${|{\mathbf{y}}_{n-2}\rangle }_{n-2}$…${|{\mathbf{y}}_0\rangle }_0$ in (16) is just 0. In contrast, if $\mathbf{i}\oplus \mathbf{a}\oplus {\mathbf{y}}_{n-2}\oplus \cdots \oplus {\mathbf{y}}_0=\mathbf{0}$ or, equivalently, $\mathbf{a}\oplus {\mathbf{y}}_{n-2}\oplus \cdots \oplus {\mathbf{y}}_0=\mathbf{i}$, the sum ${\sum }_{\mathbf{x}\in {\mathbb{B}}^m}$${(-1)}^{(\mathbf{i}\oplus \mathbf{a}\oplus {\mathbf{y}}_{n-2}\oplus \cdots \oplus {\mathbf{y}}_0)·\mathbf{x}}$${|-\rangle }_A$${|\mathbf{a}\rangle }_A$${|{\mathbf{y}}_{n-2}\rangle }_{n-2}$…${|{\mathbf{y}}_0\rangle }_0$ is equal to $2^m$${|-\rangle }_A$${|\mathbf{a}\rangle }_A$${|{\mathbf{y}}_{n-2}\rangle }_{n-2}$…${|{\mathbf{y}}_0\rangle }_0$. Thus, $|{\psi }_2\rangle$ can be cast in the following reduced form:

$$\begin{array}{c}\hfill |{\psi }_2\rangle =\frac{1}{(\sqrt{2^m{)}^{n-1}}}\sum _{\mathbf{a}\in {\mathbb{B}}^m}\sum _{{\mathbf{y}}_{n-2}\in {\mathbb{B}}^m}\dots \sum _{{\mathbf{y}}_0\in {\mathbb{B}}^m}{|-\rangle }_A{|\mathbf{a}\rangle }_A{|{\mathbf{y}}_{n-2}\rangle }_{n-2}\dots {|{\mathbf{y}}_0\rangle }_0,\end{array}$$

(17)

where

$$\begin{array}{c}\hfill \mathbf{a}\oplus {\mathbf{y}}_{n-2}\oplus \cdots \oplus {\mathbf{y}}_0=\mathbf{i}.\end{array}$$

(18)

Following [20,59], we call Equation (18) the Fundamental Correlation Property that intertwines Alice and her agents’ input registers. This equation has arisen due to the initial entanglement among all the input registers. At the end of Phase 2, the aggregated information bit vector is embedded in the global state of the distributed quantum circuit and manifests itself by imposing this constraint upon the contents of the input registers.

Subsequently, Alice and her agents complete the quantum part of the protocol by measuring the contents of their input registers in the computational basis and driving the system to its final state, $|{\psi }_f\rangle$.

$$\begin{array}{c}\hfill |{\psi }_f\rangle ={|-\rangle }_A{|\mathbf{a}\rangle }_A{|{\mathbf{y}}_{n-2}\rangle }_{n-2}\dots {|{\mathbf{y}}_0\rangle }_0,\mathrm{where}\mathbf{a},{\mathbf{y}}_{n-2},\dots ,{\mathbf{y}}_0\in {\mathbb{B}}^m\mathrm{and}\mathbf{a}\oplus {\mathbf{y}}_{n-2}\oplus \cdots \oplus {\mathbf{y}}_0=\mathbf{i}.\end{array}$$

(19)

We write the contents of Alice and her agents’ input registers explicitly as

$$\mathbf{a}=a_{m-1}\cdots a_0,\mathrm{and}$$

(20)

$${\mathbf{y}}_i=y_{m-1}^i\cdots y_0^i,0\le i\le n-2.$$

(21)

Accordingly, we may conceptually divide the aggregated information bit vector and each input register into $n-1$ segments, so that all the corresponding segments are correlated to a specific information bit vector ${\mathbf{i}}_j,0\le j\le n-2$. We employ the notation ${\mathbf{i}}^j$, ${\mathbf{a}}^j$, and ${\mathbf{y}}_i^j,0\le i,j\le n-2$, to designate the jth segment of the aggregated information bit vector, that of Alice’s input register, and that of Agent${}_i$’s input register, respectively. The formal definition of segments, which is presented below, relies on the sequence of positive numbers $m_0,\dots ,m_{n-3}$ that was given in (8).

$$i^0=i_{m_0-1}\cdots i_0,i^j=i_{m_j-1}\cdots i_{m_{j-1}},1\le j\le n-2,$$

(22)

$$a^0=a_{m_0-1}\cdots a_0,a^j=a_{m_j-1}\cdots a_{m_{j-1}},1\le j\le n-2,\mathrm{and}$$

(23)

$$y_i^0=y_{m_0-1}^i\cdots y_0^i,y_i^j=y_{m_j-1}^i\cdots y_{m_{j-1}}^i,0\le i\le n-2,1\le j\le n-2.$$

(24)

In view of (22)–(24), we may rewrite (9), (20), and (21) as

$$\mathbf{i}=\underset{\mathrm{segment}n-2}{\underbrace{i^{n-2}}}\underset{\mathrm{segment}n-3}{\underbrace{i^{n-3}}}\cdots \underset{\mathrm{segment}1}{\underbrace{i^1}}\underset{\mathrm{segment}0}{\underbrace{i^0}},$$

(25)

$$\mathbf{a}=\underset{\mathrm{segment}n-2}{\underbrace{a^{n-2}}}\underset{\mathrm{segment}n-3}{\underbrace{a^{n-3}}}\cdots \underset{\mathrm{segment}1}{\underbrace{a^1}}\underset{\mathrm{segment}0}{\underbrace{a^0}},\mathrm{and}$$

(26)

$${\mathbf{y}}_i=\underset{\mathrm{segment}n-2}{\underbrace{y_i^{n-2}}}\underset{\mathrm{segment}n-3}{\underbrace{y_i^{n-3}}}\cdots \underset{\mathrm{segment}1}{\underbrace{y_i^1}}\underset{\mathrm{segment}0}{\underbrace{y_i^0}},0\le i\le n-2.$$

(27)

By combining (9), (19), and (25)–(27), we conclude that

$$\begin{array}{c}\hfill {\mathbf{a}}^j\oplus {\mathbf{y}}_{n-2}^j\oplus \cdots \oplus {\mathbf{y}}_0^j={\mathbf{i}}^j={\mathbf{i}}_j,0\le j\le n-2.\end{array}$$

(28)

Equation (28) expresses the Fundamental Correlation Property among the $n-1$ segments, which is aptly named Segment Correlation Property. This property asserts that by simply XOR-ing the jth segments of all the input registers, we can recover personalized information bit vector ${\mathbf{i}}_j$.

From this point onward, the execution of the protocol utilizes only the classical channel. For the actual decryption the following transmissions take place through the classical channel.

(EV₁)

Alice sends to every Agent${}_i$, $0\le i\le n-2$, the ith segment (${\mathbf{a}}^i$) of her input register.

(EV₂)

Agent${}_i$, $0\le i\le n-2$, sends to every other Agent${}_j$, $0\le j\ne i\le n-2$, the jth segment (${\mathbf{y}}_i^j$) of their input register.

Let us emphasize that during the decryption stage, the following apply:

• No agent sends any information to Alice.
• Agent${}_i$ keeps to themselves the ith segment ${\mathbf{y}}_i^i$ of their input register. Ergo, Eve, despite her knowing segments ${\mathbf{a}}^i$ and ${\mathbf{y}}_j^i$, $0\le j\ne i\le n-2$, which are transmitted via the classical channel, lacks the crucial ingredient, ${\mathbf{y}}_i^i$, and is thus unable to obtain information bit vector ${\mathbf{i}}_i$.

Example 2

(Alice, Bob, and Charlie employ the protocol). This example features our three protagonists, Alice, Bob, and Charlie. As always, they are at different geographical locations, and they possess their own local quantum input registers, each having 6 qubits. In particular, there are six triplets of qubits, with each triplet being entangled in $|GH{Z}_3\rangle$, according to the Entanglement Distribution Scheme outlined in Definition 1. Alice intends to send personalized information bit vectors ${\mathbf{i}}_B=101$ and ${\mathbf{i}}_C=010$ to Bob and Charlie, respectively. This implies that the resulting aggregated information bit vector is $\mathbf{i}=101010$, which can be embedded into the global state of the circuit via CNOT gates. The concrete implementation in Qiskit of the general quantum circuit of Figure 3 for this scenario is visualized in Figure 4.

The final measurements by Alice, Bob, and Charlie produce one of the $2^{18}$ = 262,144 equiprobable outcomes. Clearly, showing all these outcomes would result in an unintelligible figure, so we have depicted only 25 of them in Figure 5. One may trivially confirm that every outcome satisfies the Segment Correlation Property and verifies Equations (18) and (28). Therefore, if Alice and Charlie send their segment 1 to Bob, then Bob, by XOR-ing with his own segment 1, can uncover ${\mathbf{i}}_B=101$. Symmetrically, if Alice and Bob send their segment 0 to Charlie, then Charlie can decipher ${\mathbf{i}}_C=010$.

To see how this works in practice, let us consider the last bar of the histogram in Figure 5. The label of this bar is $111111100111110010$, which, according to the quantum circuit in Figure 3, means that Alice’s input register contains bit vector $\mathbf{a}=111111$, Bob’s input register contains bit vector $\mathbf{b}=100111$, and Charlie’s input register contains bit vector $\mathbf{c}=110010$. Consequently, Alice’s, Bob’s, and Charlie’s segments 0 are ${\mathbf{a}}^0=111$, ${\mathbf{b}}^0=111$, and ${\mathbf{c}}^0=010$, respectively. Alice and Bob communicate their segments 0 to Charlie, who XORs them with his own segment 0, i.e., ${\mathbf{a}}^0\oplus {\mathbf{b}}^0\oplus {\mathbf{c}}^0=111\oplus 111\oplus 010=010$. By doing so, Charlie retrieves Alice’s intended bit vector, ${\mathbf{i}}_C=010$. Analogously, Alice’s, Bob’s, and Charlie’s segments 1 are ${\mathbf{a}}^1=111$, ${\mathbf{b}}^1=100$, and ${\mathbf{c}}^1=110$, respectively. Alice and Charlie communicate their segments 1 to Bob, who XORs them with his own segment 1, i.e., ${\mathbf{a}}^1\oplus {\mathbf{b}}^1\oplus {\mathbf{c}}^1=111\oplus 100\oplus 110=101$. By doing so, Bob also uncovers Alice’s intended information bit vector, ${\mathbf{i}}_B=101$.

4. Security Analysis

This section contains the security analysis of the proposed protocol. We proceed by assuming the existence of Eve, who is the cunning adversary that strives to compromise the security of the protocol and obtain some secret information, say, an individual information bit vector ${\mathbf{i}}_j,0\le j\le n-2$. As usual, we take for granted the existence of a classical authenticated channel, which enables us to detect the presence of the eavesdropper, Eve. We emphasize that the classical channel is not used for the transition of secret information; this privilege belongs exclusively to the quantum channel. Our protocol involves communication among n parties and relies on $|GH{Z}_n\rangle$ tuples, which makes it substantially more complex than typical QKD protocols only involving Alice, Bob, and Eve. Therefore, we provide an extensive and detailed security analysis in order to prove that it is information-theoretically secure. When considering strategies that may be employed by Eve, we often distinguish subcases depending on whether she acts upon just one qubit or all $n-1$ qubits from each $|GH{Z}_n\rangle$ tuple, so as to account for all possibilities. This accounts for the rather lengthy and technical current section. For a recent comprehensive text analyzing security issues of quantum protocols in general, we refer to [46] and the more recent [29,47].

At the end of the day, the security analysis of not just this protocol but of every quantum protocol relies on certain well-understood assumptions. We briefly state them for the purpose of making the current work self-contained. Naturally, we assume that quantum theory is correct, which in turn means that hallmark features, such as the no-cloning theorem [54], the monogamy of entanglement [60], and nonlocality [61], are valid. The unique features and enhanced efficiency of quantum protocols are precisely due to these properties; otherwise, they would not offer any advantage over classical protocols. Secondly, we assume that quantum theory is complete, which implies that Eve is bound by the laws of quantum mechanics, and she cannot obtain more information beyond what these laws permit.

The importance of the validation test cannot be overestimated. If the test result is considered a failure, then the protocol must be aborted. The secret embedding stage can safely begin only after the validation test has been successfully completed. Due to its paramount importance, this stage has been extensively analyzed in the literature. Our protocol draws inspiration from the sophisticated methods that have already been described in previous works, such as [26,62,63,64,65]. For alternative but equally effective approaches to the validation issue, the reader may consult the recent references [66,67,68,69,70].

The test itself consists of the following steps:

(VT₁)

Alice communicates to every one of her agents (Agent${}_0$, …, Agent${}_{n-2}$) the positions of the decoys, so that they can measure them in the Hadamard basis.

(VT₂)

Each agents sends back to Alice the results of their measurements. It is important to realize that the expected measurement outcome is, in general, different for every agent, because according to (EDV${}_2$), each qubit of the decoy tuple is prepared independently from the other qubits of the same tuple.

(VT₃)

Alice analyzes the results received from her agents and decides whether the test is successful or not according to the following rationale:

⋄

If 0 or very few wrong measurement outcomes are found, then Alice considers the validation test successful.

⋄

If the number of errors is ≈$\frac{d}{4}$ or above a similar threshold, then Alice deems that validation test a failure, in which case she aborts and terminates the protocol.

In the ideal scenario, where there is no eavesdropping and the quantum channel is perfect, there are 0 wrong measurement outcomes. In a more realistic scenario, even when there is no eavesdropping, we anticipate a few errors due to channel imperfections, but the number of errors is expected to be ≪$\frac{d}{4}$. To understand the rationale behind the validation procedure, let us consider Eve’s possible actions during the distribution phase. First, we make the critical remark that Eve has no way of knowing the position of the decoys. Therefore, Eve must treat all tuples in an identical manner.

(EA₁)

Measure and resend. Eve intercepts one or more qubits from each $|GH{Z}_n\rangle$n-tuple during their transmission from Alice to her agents. After measuring the intercepted qubit(s), Eve sends them back to their intended recipient. We make the following observations:

⋄

With the act of measurement, Eve destroys the entanglement. In view of the fact that in order to embed an aggregated information bit vector into the global state of the distributed circuit, entanglement is absolutely necessary, the protocol fails. Hence, it is imperative that Alice discovers the loss of entanglement and aborts the execution of the protocol.

⋄

First, we examine the scenario where Eve always uses the computational basis for her measurements. In this scenario, the probability that Eve measures one decoy qubit and obtains the wrong outcome is $\frac{1}{2}$, since all the decoys are measured in the wrong basis, and the probability to obtain the wrong outcome in such a case is $\frac{1}{2}$. Consequently, the probability that Eve obtains the correct outcome is $\frac{1}{2}$. This last probability implies that if Eve measures a second qubit from the same tuple, the probability to obtain two correct outcomes is way smaller. So, if Eve intercepts and measures two or more qubits from the same tuple, she stands to gain nothing in case they belong to a $|GH{Z}_n\rangle$ tuple, while she risks increasing the number of errors each time they belong to a decoy tuple. Therefore, Eve, being rational, only measures one qubit from each tuple.

⋄

Now, we consider the scenario where Eve randomly chooses the measurement basis between the computational or the Hadamard basis with equal probability. In this situation, the probability that Eve measures one decoy qubit and obtains the wrong outcome is given as $\frac{1}{4}$, since the probability that a decoy is measured in the wrong basis is $\frac{1}{2}$ and, even then, the probability to obtain the wrong outcome is $\frac{1}{2}$. Consequently, the probability that Eve obtains the correct outcome is $\frac{3}{4}$. For the same reasons that we explained above, Eve only measures one qubit from each tuple.

(EA₂)

Intercept and send fake $|{\mathbf{GHZ}}_{\mathbf{n}}\rangle$n-tuples. Eve intercepts a number of qubits from every $|GH{Z}_n\rangle$n-tuple during their transmission from Alice to her agents. This number may range from just 1 to $n-1$. Eve cannot clone the intercepted qubits due to the no-cloning theorem, but it is conceivable that she has prepared her own $|GH{Z}_n\rangle$ tuples. This opens up the possibility that she keeps the intercepted qubits and forwards her own in their place. Again, we make the following remarks:

⋄

By doing so, Eve tampers with the entanglement. The protocol fails because at least one information bit vector is not encoded into the entanglement. Again, it is crucial that Alice discovers the loss of entanglement and aborts the execution of the protocol.

⋄

Eve, even if she were successful, would fail to gain any information. This is because her qubits are not entangled with Alice’s qubits. The latter is the unique source of information who embeds the individual information bit vectors in those registers that are entangled with her own.

⋄

The flaw in this scenario is once again that Eve has no way of knowing the position of the decoys. If Eve intercepts just one qubit from every tuple, she inadvertently replaces d decoy qubits with her $|GH{Z}_n\rangle$ qubits. When, during the validation test, these are measured in the Hadamard basis, the probability to obtain the wrong outcome is $\frac{1}{2}$. This produces approximately ≈$\frac{d}{2}$ errors, which can be easily noticed by Alice. If Eve intercepts k qubits from each tuple, the probability to obtain at least one wrong measurement in a decoy tuple is $\frac{2^k-1}{2^k}$, which results in approximately ≈$d\frac{2^k-1}{2^k}$ errors. In addition to the increased number of errors, Alice can easily notice that for k decoy qubits in every decoy tuple, the measurement results from her agents are identical, instead of uniformly distributed as they should be, as ordained by (EDV${}_2$). Practically, this strategy has almost zero chances of success, since Alice undoubtedly infers the presence of Eve.

(EA₃)

Entangle with ancilla qubits and measure later. Eve intercepts one qubit from every $|GH{Z}_n\rangle$n-tuple during their transmission from Alice to her agents. Now, instead of measuring or replacing the intercepted qubits, Eve entangles them with her ancilla qubits and then forwards them to their intended recipient. Eve plans to wait until the protocol is completed before measuring her qubits, hoping to gain useful information. In this case, we stress the following points:

⋄

The result of Eve’s actions is that, instead of having m$|GH{Z}_n\rangle$ tuples distributed among Alice and her $n-1$ agents, we end up with m$|GH{Z}_{n+1}\rangle$ tuples evenly distributed among Alice, her $n-1$ agents, and Eve. Eve, even if she were successful, would fail to gain any information. This is because in order to decipher even a single information vector, she would require the contents of Alice and her agents’ registers.

⋄

Of course, by doing so, Eve changes the entanglement. The protocol fails for the same reason as above, i.e., to decipher even a single information vector, Alice and her agents require the contents of Eve’s register. Again, it is imperative that Alice discovers the loss of entanglement and aborts the execution of the protocol.

⋄

Like in all previous cases, the decoys enable Alice to infer the presence of Eve. Recall that Eve has no way of knowing the position of the decoys. If Eve intercepts just one qubit from every tuple, she entangles d decoy qubits with her ancilla qubits. When, during the validation test, these are measured in the Hadamard basis, the probability to obtain the wrong outcome is $\frac{1}{2}$. This produces approximately ≈$\frac{d}{2}$ errors, which can be easily noticed by Alice. If Eve intercepts k qubits from each tuple, the probability to obtain at least one wrong measurement in a decoy tuple is $\frac{2^k-1}{2^k}$, which results in approximately ≈$d\frac{2^k-1}{2^k}$ errors. In addition to the increased number of errors, Alice easily notices that for k decoy qubits in every decoy tuple, the measurement results from her agents are identical, instead of uniformly distributed as they should be, as ordained by (EDV${}_2$). This policy too has practically zero chances of success.

The above security analysis demonstrates that by setting the error threshold at ≈$\frac{d}{4}$ the protocol is information-theoretically secure. Let us also emphasize the fact that even if Eve successfully eavesdrops during the entanglement distribution phase, she obtains no information whatsoever, because no information has been encoded yet. However, it is still possible that she may disrupt the execution of the protocol. The validation test is designed to detect such an interference and abort the protocol. In closing, we remark that in the eventuality where the protocol is aborted, the security measures are not up to the task at hand. Hence, first, measures must be taken to enhance security; then, the process can be performed all over again.

5. Discussion and Conclusions

In this article, we have presented a new entanglement-based protocol for one-to-many simultaneous secure quantum information transmission. The main incentive of this work was to introduce a novel protocol that allows one sender to communicate in parallel and simultaneously with many recipients that are assumed to be spatially distributed. This last assumption was intended to give greater flexibility and extend the range of situations where the protocol may find application. The requirement to link n distinguished and distributed parties in a coherent manner with the use of entanglement necessitates the use of n-tuples of qubits that are entangled in the $|GH{Z}_n\rangle$ state. An entanglement scheme based on EPR pairs would not suffice, as it would only be capable of linking just two parties. Another important property of the new protocol is its extensibility, as it can be seamlessly generalized to an arbitrary number of entities.

The proposed entanglement-based protocol is fully distributed and offers provable information-theoretic security. While numerous quantum protocols excel in secure communication between two parties, their applicability to scenarios where a source must transmit information to two or more recipients concurrently is limited. While leveraging a standard quantum key distribution (QKD) protocol in parallel achieves the goal of transmitting a secret message from Alice to multiple Bobs, our new protocol goes further by generalizing the standard QKD method to many receivers simultaneously. In fact, it encompasses classical QKD and quantum secret sharing, enabling Alice to distribute a secret to a group of agents.

A distinctive feature of the protocol is its extensibility, allowing one source to simultaneously communicate different messages to a spatially distributed group. This is facilitated by the unique embedding of transmitted information in the entangled state of the system, a notable difference from previous protocols. The protocol proves advantageous when an information broker, like Alice, needs to communicate distinct secret messages to a distributed network of agents at once. Despite its complexity, involving communication among n parties and reliance on $|GH{Z}_n\rangle$ tuples, our paper provides an extensive security analysis to establish its information-theoretic security. Drawing inspiration from modern textbooks and recent articles, our analysis ensures the robustness of the protocol. Implementation of the proposed protocol is straightforward with modern quantum apparatus, requiring only CNOT and Hadamard gates. An added benefit is that local quantum circuits remain identical for all information recipients.