Efficient travelling-mode quantum key agreement against participant's attacks.

Quantum key agreement (QKA) is to negotiate a final key among several participants fairly and securely. In this paper, we show that some existing travelling-mode multiparty QKA protocols are vulnerable to internal participant's attacks. Dishonest participants can exploit a favorable geographical location or collude with other participants to predetermine the final keys without being discovered. To resist such attacks, we propose a new travelling-mode multiparty QKA protocol based on non-orthogonal Bell states. Theoretical analysis shows that the proposed protocol is secure against both external and internal attacks, and can achieve higher efficiency compared with existing travelling-mode multiparty QKA protocols. Finally we design an optical platform for each participant, and show that our proposed protocol is feasible with current technologies.

Introduction

In 1984, the first quantum cryptographic protocol, known as BB84 quantum key distribution protocol was proposed by Bennett and Brassard[1]. Since its unconditional security is guaranteed by the laws of quantum mechanics, quantum cryptography has become a heated topic, and various protocols including quantum key distribution (QKD)[1,2], quantum secure direct communication (QSDC)[3-9], quantum secret sharing (QSS)[10,11], etc., have been proposed. Recently, Quantum key agreement(QKA), a new branch of quantum cryptography, has attracted extensive attention.

Different from QKD, QKA can fairly and securely negotiate a final key among users. That is, the final key is equally determined by each participant and any non-trivial subset of the participants cannot absolutely predetermine the final key. In 2004, Zhou et al. proposed the first QKA protocol by utilizing the quantum teleportation technique[12]. In the same year, Hsueh and Chen proposed another QKA protocol by employing the entangled states[13]. Nevertheless, Tsai et al. pointed that neither of the two protocols is secure[14,15]. In 2010, Chong and Hwang devised a QKA protocol based on BB84[16]. However, the above protocols are all based on two-party. To extend QKA to the multi-party case, Shi and Zhong designed the first multiparty QKA (MQKA) protocol based on Bell states in 2013[17]. Since then, many MQKA protocols using single or entanglement quantum states have been proposed[18-34].

Liu[18] pointed out that existing MQKA protocols can be classified into three types according to the transmission topology of quantum photons: complete-graph-type[17,20], circle-type[19,21-34] (also known as travelling-mode) and tree-type[35]. In the first type, every participant sends each of other participants a sequence of photons which carries the information of his/her secret key. In the second type, each participant only sends out one sequence, which will be operated by each of other participants by turns and sent back to the one who prepares it. The third type is one participant generates a sequence of high dimensional photon states (e.g. GHZ states) and sends each of other participants one of its particles. Since the travelling-mode is more efficient than complete-graph-type and easier to satisfy the fairness property compared with the tree-type, it has attracted comprehensive study. In 2013, Sun et al. presented a MQKA protocol[19] in travelling-mode to improve the efficiency of Liu et al’s MQKA protocol[20]. In 2014, Shukla et al. proposed a travelling-mode MQKA protocol based on Bell state and Bell measurements[21]. In 2015, Zhu et al. put forward the attack strategy to defeat Shukla et al’s protocol and proposed an improved version[22]. In 2018, Abulkasim pointed out that Wang and Ma’s protocol[23] is susceptible to participant’s attacks and proposed an improved protocol[24]. Meanwhile, Cao and Ma proposed two MQKA protocols which were designed to be immune to the collusive attack[25]; they also presented a MQKA protocol based on non-orthogonal quantum entangled pairs[34]. Besides, some protocols based on higher-dimensional quantum states, such as five-qubit brown states[26], G-Like states[28], and four-qubit symmetric W state[29], were presented.

In these travelling-mode MQKA protocols, we find that some protocols[25-30] cannot resist dishonest participant’s attacks, which leads to the failure of fairness property[19]. The dishonest participant can take advantage of a favorable geographical location or collude with other participants to predetermine the final keys of honest participants without being discovered. Besides, we also find there exists the problem of information leakage in Cao-Ma MQKA protocol[34]. Following we take two Cao-Ma MQKA protocols[25,34] as examples to demonstrate the attacks in detail. To resist these attacks, We propose a new MQKA protocol based on non-orthogonal Bell states by utilizing Pauli and rotation operations. Our proposed protocol has three noticeable advantages: Firstly, owing to the use of non-orthogonal Bell states, the proposed protocol can resist attacks from both internal dishonest participants and external eavesdroppers. It also effectively solves the problem of information leakage in Cao-Ma protocol. Secondly, the frequency of eavesdropping detection has been greatly reduced. Hence, the qubit efficiency and measurement efficiency of our proposed protocol are higher than those of the existing secure ones[20,32-34]. Thirdly, since only Bell states and unitary operations are employed, the protocol is feasible with the current technology.

The rest of the paper is organized as follows. Next section first reviews and analyzes the security of Cao-Ma MQKA protocols, then introduces our improved travelling-mode MQKA protocol in detail, followed by the security analysis and efficiency comparisons with existing secure protocols. Furthermore, an optical setup is provided. Finally, a short conclusion of this paper is given in the final section.

Results

Review of Cao-Ma MQKA protocols

In this section we briefly describe the Cao-Ma MQKA protocol 1[25] without trust party and Cao-Ma MQKA protocol 2[34] based on non-orthogonal quantum entangled pairs respectively.

Cao-Ma MQKA protocol 1

The main process of Cao-Ma MQKA protocol without trust party can be divided into two stages. The first stage is initialization and encoding stage. Each participant P(i = 0, 1, …, N−1) possesses a n-bit 0–1 sequence and TS as his secret key and additional random sequence, and calculates . Then he prepares a sequence of Bell states randomly selected from four Bell states, wherein the states of the photon sequence can be expressed as W. Each participant keeps the first photon sequence in his hand and sends the second photon sequence which is inserted into decoy photons to next participant P. P and P perform eavesdropping checking. If the communication is secure, P performs one of the four Pauli operations on the received photon sequence according to K. Next, P inserts decoy photons into the photon sequence and sends it to next participant P. This process continues until P gets the sequence which he generated. The second stage is final key negotiation stage. After each participant gets the sequence he generates, he performs Bell measurements on corresponding photon pairs. The measurement results of the sequence can be expressed as V. Then each participant P publishes his random sequence TS and calculates TS = TS0 ⊕ TS1 ⊕ … ⊕ TS. Finally, each participant can obtain the final common key K, where .

Cao-Ma MQKA protocol 2

This protocol is based on non-orthogonal quantum pairs and adopts the idea of Pauli and Hadamard operations mixed encoding. The process is as follows. Firstly, there are eight photon pairs which are in BS = {|ϕ+〉, |ϕ−〉, |ψ+〉, |ψ−〉} and DBS = {H|ϕ−〉, H|ϕ+〉, H|ψ−〉, H|ψ+〉}, and four unitary operations in U = {U00, U11, U01, U10} = {I, iY, H, iYH}, wherein H is Hadamard operation. Each participant P(i = 0, 1, …, N−1) generates a sequence of classical bits K as his private key, wherein K ∈ {00, 11, 01, 10}. Moreover, P also generates a sequence C, where C is 0 if K ∈ {00, 11} and C is 1 if K ∈ {01, 10}. Then each participant P prepares a random quantum pair sequence from BS or DBS and transmitted the second photon sequence to the next participant P. After receiving the sequence, P executes the eavesdropping checking and performs unitary operations on the received quantum sequence according to his private key. Until each participant has encoded his private key on the photon sequences of others and receives the sequence he generates, he publishes a classical sequence C to reveal the measurement basis and calculates C = C1 ⊕ C2 ⊕ … ⊕ C. Each participant performs BS or DBS measurements on the photon pairs according to C. If C is 0, the measurement basis is the same as the initial state; otherwise, the measurement basis is the dual basis of the initial states. Finally, all participants can extract the common key by comparing the initial states and measurement results.

Security analysis of the Cao-Ma MQKA protocols

In this section, we first show that the dishonest participant in Cao-Ma MQKA protocol 1 can take advantage of a favorable geographical location or collude with other participants to predetermine the final key without being discovered, leading to the failure of fairness property. Next we reveal the problem of information leakage in Cao-Ma MQKA protocol 2.

Fairness analysis

In travelling-mode MQKA protocols, participants encode their secret keys on photons by performing the unitary operations. Besides, they usually perform additional random operations on photons in case to divulge the secret keys. Therefore, once the additional operation is obtained, the participant will deduce the final key directly. Following we take the tripartite (Alice, Bob and Charlie) example to introduce the attack strategy. Suppose Bob is a dishonest participant, his detailed attack process is as follows.

Before Alice and Bob publish the random sequence TS and TS, Bob selects an advantageous geographical position aside Alice and Charlie so that he can get TS and TS earlier than expected.

Once Bob gets the sequence, he calculates the final key and M = K ⊕ K′, where K′ is the final key he excepts.

Then Bob informs Alice and Charlie of  = M ⊕ TS. Thus, Alice and Charlie will get the illegal final keys K =  = K′ and K =  = K′ as Bob anticipates.

Through the above operations, Bob can determine the final keys of Alice and Charlie. Following, we will analyze the collusion attack in detail. For clarity, we assume that four participants P0, P1, P2 and P3 want to generate the final key. P1 and P3 are dishonest and want to steal P2’s secret key. The detailed attack process is as follows:

P0 prepares a sequence of Bell states |PS10PS20〉, then he transmits the second photon sequence |PS20〉 with decoy photons to P1.

P1 performs unitary operations on the received photons according to his secret key and sends the sequence to P3 instead of P2 as illustrated in Fig. 1. Meanwhile, P1 prepares a fake sequence of Bell states |S11S21〉 and sends the first photon sequence to P3 and the second photon sequence to P2.

Figure 1

Dishonest participants’ collusive attack strategy. P1 and P3 collude to eavesdrop on the honest participant P2’s secret key.

After security checking, as P2 does not know the received photon sequence is fake, he encodes the sequence by performing unitary operations according to TS2 and sends the sequence to P3.

After confirming P3 has received the sequence , P2 and P3 execute eavesdropping checking. If the communication is secure, P1 and P3 will perform Bell measurement on |S11→3〉 and |U2S21→2〉. Then they can get P2’s unitary operations, i.e.,  ⊕ TS, by comparing the measurement results and initial states.

P3 encodes photon sequence |U1PS20→1〉 with P2’s unitary operations and his unitary operations. P3 also generates some decoy photons and inserts them in to |U3U2U1PS20→1〉 randomly. Then he sends the sequence to P0.

P1 and P3 wait for the common key negotiation stage, where every participant publishes his TS. By comparing P2’s unitary operations and TS2, P1 and P3 can effortlessly recover . For example, suppose the fake photon pairs prepared by P1 is |ϕ+〉, and the result of Bell measurement by P1 and P3 is |ϕ+〉 after P2’s encoding, they can deduce the operation performed by P2 is U00. Assume the TS2 published by P2 is 01, P1 and P3 can definitely deduce the P2’s secret key is 01 according to Table 1. Then P1 and P3 can determine P2’s final key by announcing fake TS1 and TS3.

Table 1

Relationship between P1’s photon states, P2’s operations and P3’s measurement results.

Initial State	K_2˜⊕TS	Final State
|ϕ+〉	00 ⊕ 00	|ϕ+〉
	11 ⊕ 11
	01 ⊕ 01
	10 ⊕ 10
|ϕ+〉	00 ⊕ 11	|ϕ−〉
	11 ⊕ 00
	01 ⊕ 10
	10 ⊕ 01
|ϕ+〉	00 ⊕ 01	|ψ+〉
	11 ⊕ 10
	01 ⊕ 00
	10 ⊕ 11
|ϕ+〉	00 ⊕ 10	|ψ−〉
	11 ⊕ 01
	01 ⊕ 11
	10 ⊕ 00

In addition to the Cao-Ma protocol 1, these agreements[26-30] are also vulnerable to dishonest participants’ collusion attack, where indicates the protocols cannot satisfy the fairness property.

Information leakage analysis

Information leakage is that Eve can extract some information about secret key without any active attack[36]. In Cao-Ma MQKA protocol 2, each participant P needs to publish a classical sequence C after he receives the sequence he generates. However, C and K are closely related. If C is 0, Eve can draw a conclusion that the secret key of P must be 00 or 11; otherwise, the K is 01 or 10, which contains bit of information. Thus, one bit of the secret information is leaked to Eve unconsciously.

The improved travelling-mode MQKA protocol

Herein we design a new travelling-mode MQKA protocol based on non-orthogonal Bell states, where n participants negotiate a final key fairly and securely. The detailed process of our protocol is as follows:

Initialization phase

Each participant P first generates a (l + kl)-bit 0–1 secret key sequence K = {K, K, …, K}, m ∈ {1, 2, …, l + kl}. Besides he also generates a random (l + kl)-bit 0–1 controlling string RH, where k is the detection rate, i, j ∈ {1, 2, …, n} and i ≠ j. Then P prepares a sequence BS = {|BS〉, |BS〉, …, |BS〉} of l + kl Bell states, where |BS〉 ∈ {|BS00〉, |BS01〉, |BS10〉, |BS11〉} and W = (w, w, …, w, w) is a random 2(l + kl)-bit 0–1 sequence.

Sending photons

P divides BS into two single photon sequence: the first photon sequence |BS1〉 and the second photon sequence |BS2〉 (symbol ‘+’ in i + 1 denotes the additional mod n). Then P keeps the first photon sequence in home and transmits the second photon sequence to the next participant P.

Encoding phase

After P receives the photon sequence, he performs unitary operation I or Z on |BS2〉 according to his private key sequence, where I = |0〉〈0| + |1〉〈1| and Z = |0〉〈0| − |1〉〈1|.

Controlling operations

Depending on whether the sequence RH is 1 or 0, P performs rotation operation on the sequence |BS2〉 or does nothing, where is the rotation operator of the z axis and the definition is as follows:

The rotation operator can change the state of the |BS〉 to |DBS〉 = {|DBS00〉, |DBS01〉, |DBS10〉, |DBS11〉}, where |DBS〉 are defined as follows. Table 2 shows the relationship of the unitary operations and the transformed Bell states.

Table 2

Effects of unitary operations {I, Z, RI, RZ} on the second particles of Bell states |BS〉.

State	|BS00〉	|BS01〉	|BS10〉	|BS11〉
Operation
I	|BS00〉	|BS01〉	|BS10〉	|BS11〉
Z	|BS01〉	|BS00〉	|BS11〉	|BS10〉
R z I	|DBS00〉	|DBS01〉	|DBS10〉	|DBS11〉
R z Z	|DBS01〉	|DBS00〉	|DBS11〉	|DBS10〉

After performing the extra unitary operation, P sends the sequence |BS2〉 to the next participant P. Meanwhile, each of the other n − 1 participants processes his received sequence just in the same way and sends the obtained new sequence to next participant. This process continues until P receives the sequence which he generated from P.

Security checking

Once receiving his own sequence, each participant P announces the fact, confirms other participants have received their sequences and informs participant j of his controlling sequence RH. Then all participants cooperate to choose kl positions from l + kl Bell states for security checking, and the remaining l Bell states are used to form the final key, i.e., K′, i= 1, 2, 3, …, n. Specifically, P randomly selects positions from the remaining positions and announces the positional information. After finishing selection, each participant publishes the secret key sequence at the kl positions. Then they calculate the XOR results of other participants’ secret keys, offset the extra controlling operations according to RH (the detailed process is shown in the next step) and perform Bell measurements on the photon pairs at their chosen positions. If the measurements are consistent with the calculations, they drop the kl bits used for security checking and continue; otherwise they terminate the protocol.

Secret extraction

Each participant P offsets the controlling operations for the remaining l positions according to RH. Concretely, since commutes with each of the encoding operations {I, Z}, we can deduce that and . Therefore, each participant P can offset all controlling operations by repeating C operations (i.e., by performing once operation ) on the j-th pair of photons in sequence BS after all the participants have completed their encoding operations E and controlling operations C in turn: CECECE = CCCEEE, where C is the j-th bit of the sequence C (C = RH + RH + … + RH), and . After that, each participant performs Bell measurements on the l processed photon pairs and obtains . Finally P can get the final key .

So far, we have demonstrated our proposed travelling-mode MQKA protocol. In the real scenario, the raw keys may have very few mistakes which are caused by the channel noise. We can use the multiparty cascade error-correcting protocols for information reconciliation[37,38] and utilize the universal hashing to realize privacy amplification process[39].

Security analysis

Herein we give a detailed security analysis for both outside and participant’s attacks. It is proved that the proposed protocol can satisfy the fairness property effectively. We also show the problem of information leakage does not exist in our protocol.

Outside Attacks

Suppose Eve wants to eavesdrop the final key, he should obtain each participant’s private key first. Here are three mainstream attack methods he may take.

Firstly, let us discuss the intercept-resend attack[25,35]. In intercept-resend attack, Eve intercepts and stores the photon sequences sent from participant P to P. Then he sends the second photon sequence of the fake Bell states which he prepared in advance to P. After step (3) and (4), P finishes performing his unitary operations and extra controlling operations on the photon sequence and sends to P. At this time Eve will intercept the photon sequence again and sends the original photon sequence to P. Since Eve does not know whether P performs the controlling operation on the photons or not, he won’t perform Bell measurements on his photon sequence until each participant publishes the random controlling sequence. Therefore he cannot deduce P’s operations and encode correct information on the original sequence. Eve will be detected with the probability (kl is big enough) when all participants perform security checking in step (5). Hence the proposed protocol can resist the intercept-resend attack.

Secondly, let us discuss the entangle-measure attack[35,40]. In entangle-measure attack, Eve wants to steal P’s secret key by intercepting the traveling photon sequence |BS2〉 and |BS2〉, and executing Controlled-not operation on it and his auxiliary photon |0〉, where intercepted photon is a control bit and photon |0〉 is a target bit. For instance, the Bell state prepared by P is . After Eve’s operation on q and e, the entangled state will transform to , which is composed of three entangled particles. Then Eve sends the particle q to P. After P performs unitary operations on the sequence and sends to P, Eve intercepts the particle q, performs Controlled-not operation on q and e again and sends q to P. After all participants have received their sequences, they start to announce the controlling sequence RH and offset the extra controlling operations on the checking photons. The states can be defined as follows:

According to the Eq. (4), the state of auxiliary photon e is always |0〉 whether P’s operation is I, Z, RI or RZ. Therefore Eve cannot obtain P’s secret key even if the photon e is entangled with transmitted photons sequence. We can consider that the Entangle-Measure attack is inefficient.

Thirdly, let us discuss the trojan horse attack. The trojan horse attack is another common attack in travelling-mode MQKA protocols which have been discussed in Li et al’s protocol[41]. To prevent this type of attack, participant can install some special quantum optical devices to detect the attack, such as the wavelength quantum filter to filter invisible photons and the photon number splitter(PNS) to discover the delay photons. If the multi-photon rate is unreasonable high, then such attack can be detected.

Fairness Analysis

The dishonest participants pose a greater threat to the security of the protocol than outside eavesdroppers. As we mentioned above, the dishonest participant can take the advantage position or collaborate with others to predetermine the final key. Following we conduct a fairness analysis to show that our protocol can resist participant’s attacks.

Let’s discuss the first attack strategy. For the sake of convenience, we suppose there are only three participants Alice, Bob and Charlie, wherein Bob is dishonest. In step (5), Bob selects an advantageous geographical position aside Alice and Charlie so he can obtain Alice’s and Charlie’s controlling sequence RH earlier than expected. According to the controlling sequences, Bob can perform the operations to remove the additional controlling operations and perform Bell measurements to obtain the final key in advance. Then Bob wants to predetermine the final keys of Alice and Charlie by announcing incorrect controlling sequences to them. However, we request that each participant first announces the controlling sequence before they cooperate to choose photons for security checking, so this ineluctably leads to the photon pairs for security checking in DBS basis being measured in BS basis and collapsing randomly into one of the four Bell states. Suppose the number of final keys which Bob wants to change is m, there is a probability that the selected photons are for security checking since bob cannot unambiguously distinguish the photons for security checking and for final keys. The probability that Bob will successfully pass the security checking is and predetermine the final key is according to Table 2 (if the number m is large enough). So the dishonest participant cannot predetermine the final keys of honest participants and the protocol can achieve fairness property.

Following we analyze the collusive attack. The worst case is that only one participant is honest and all others are dishonest. Let’s take three participants P1, P2 and P3 for example, where P1 and P3 are dishonest. They want to predetermine P2’s final key. The detailed attack strategies are as follows. P1 prepares Bell states and sends the photon sequence |BS21→2〉 to P2. After P2 completes his operations on the photon sequence |BS21→2〉 and sends the sequence |BS21→3〉 to P3, P1 and P3 won’t measure the Bell states until step (5) where each participant publishes their additional controlling sequences. After obtaining P2’s controlling sequence RH21, P1 and P3 can deduce P2’s secret key K2. However, the only method for P1 and P3 to determine the final key of P2 is to announce fake controlling sequences to him. Based on the analysis of the first participant’s attack strategy, we can conclude the probability they will successfully pass the security checking and predetermine P2’s final key is close to 0. Therefore n−1 dishonest participants cannot determine the final key. In summary, our proposed protocol can resist participant’s attacks.

In addition to the above attacks, information leakage should also be considered. In our protocol, only the controlling string RH needs to be published in stage (5). Since RH has nothing to do with the secret key, Eve can only guess that the operation performed by each participant is either I or Z, which contains bit of uncertain information for Eve. As a result, Eve cannot obtain any information of secret key without taking any active attacks. The problem of information leakage does not exist in our agreement.

Efficiency analysis

Following we compare the proposed MQKA protocol with the existing four secure protocols, i.e., LGHW13 protocol[20], HSXL16 protocol[33], CM17 protocol[34] and HSL17 protocol[32], in five aspects: qubit efficiency η, measurement efficiency η, unitary operation efficiency η, quantum resource and category of the protocol. The definitions are as follows: qubit efficiency η = , measurement efficiency η = , and unitary operation efficiency η = , where l denotes the length of the final common key, q is the number of the transmitted qubits on the quantum channel, m is the number of quantum measurements, and u is the number of unitary operations. Table 3 shows the detailed comparison results between these four MQKA protocols and ours. The efficiency analysis is given as follows.

Table 3

Comparison between existing security protocols.

Protocol	η q	η m	η u	Quantum resource	Category
LGHW13	1n(n−1)(1+k)	1n(n−1)(1+k)	0	Single photons	Complete-graph
HSXL16	1n(1+kn)	1n(1+kn)	1n^2	Single photons	Circle
CM17	1n(1+kn)	1n(1+kn)	2n(n+1)	Two particles	Circle
HSL17	1n(1+k)	1n(1+k)	1n^2(1+k)	Single photons	Circle
Ours	1n(1+k)	1n(1+kn)	1n^2(1+k)	Bell states	Circle

η, η and η are qubit efficiency, measurement efficiency and unitary operation efficiency, respectively.

In our protocol, each participant will prepare l + kl photon pairs to establish l-bit final key, wherein kl bits are used for security detection. As there are only half photon sequence transmitted in the quantum channel and n participants involved in our protocol, the total number of transmitted photons on the quantum channel is n(l + kl). Hence, the qubit efficiency is

Since only one eavesdropping detection for each participant, the number of measurements required in this protocol is greatly reduced. To establish an l-bit final key, each participant needs to perform measurements. Therefore, the measurement efficiency of our protocol is

The security of our protocol is mainly based on the controlling operations of each participant on the photon sequences. To establish an l-bit final key, each participant needs perform n(l + kl) unitary operations. Thus, the unitary operation efficiency of the proposed protocol is

The specific comparison results are shown in Fig. 2. As shown in the two subgraphs (a) and (b), the qubit efficiency of the improved protocol is no less than that of the existing security protocols, and it has higher measurement efficiency. Although we increase the number of unitary operations in exchange for higher qubit efficiency and measurement efficiency, the unitary operations can be easily realized with the rapid development of quantum technology. Therefore our protocol is efficient and feasible.

Figure 2

The comparisons of the number of transmissions and measurements, where k = 1.

Optical setup

As shown in Fig. 3, we design an optical setup for each participant. In the experiment, ultraviolet (UV) laser pulses pass through a BBO crystal to produce polarization-entangled photon pairs[42]. One of the photon pairs can be first stored in Pc delay line and the other is sent to P. P encodes his secret key and controlling information on other participant’s photon sequence by utilizing electro-optic modulator[43] and sends the photon sequence to next participant P. This process continues until P receives the sequence which he generates. After offsetting the extra controlling operations on his second photon sequence by utilizing electro-optic modulator, P fetches the first photon sequence from the delay line and performs Bell measurement[42] on the photon pairs. According to the measurement results and initial states, all participants can obtain the consistent final key.

Figure 3

Experimental setup of participants. BBO: beta barium borate. BS: beam splitter. OS: optical switch. DL: delay line. PBS: polarization beam splitter. Each participant can generate and measure the polarization-entangled photon pairs, encode the received photon sequence and send the photon sequence to next participant.

Conclusion

In this paper, we find that some existing travelling-mode MQKA protocols are generally vulnerable to the internal dishonest participants. Besides, we also find the problem of information leakage in Cao-Ma MQKA protocol. Then We take Cao-Ma MQKA protocols as examples to illustrate these attacks in detail. To resist the attacks, we propose a robust travelling-mode MQKA protocol based on non-orthogonal Bell states. The analyses show that our protocol can resist the both outside and participant’s attacks and achieve higher efficiency. Finally, We design an optical platform for each participant, and show that our proposed protocol can be realized with feasible technologies.