Anonymous conference key agreement in linear quantum networks

Sharing multi-partite quantum entanglement between parties allows for diverse secure communication tasks to be performed. Among them, conference key agreement (CKA), an extension of key distribution to multiple parties, has received much attention recently. Interestingly, CKA can also be performed in a way that protects the identities of the participating parties, therefore providing anonymity. In this work, we propose an anonymous CKA protocol for three parties that is implemented in a highly practical network setting. Specifically, a line of quantum repeater nodes is used to build a linear cluster state among all nodes, which is then used to anonymously establish a secret key between any three of them. The nodes need only share maximally entangled pairs with their neighbours, therefore avoiding the necessity of a central server sharing entangled states. This repeater setup makes our protocol an excellent candidate for implementation in future quantum networks. We explicitly prove that our protocol protects the identities of the participants from one another and perform an analysis of the key rate in the finite regime, contributing to the quest of identifying feasible quantum communication tasks for network architectures beyond point-to-point.


Introduction
The goal of conference key agreement (CKA) protocols is to establish a shared key between multiple parties that do not use trusted means of communication.CKA has been explored in the quantum domain, with the aim of developing new schemes for cryptography and communication beyond bi-partite key distribution [1,2,3,4].Various quantum states have been proposed to achieve CKA, including both discrete-variable [5,6,7] and continuousvariable [8,9,10] states.In this work, we focus on the discrete-variable case.Particularly suitable for CKA protocols are quantum resource states that exhibit symmetric measurement outcome correlations for all participants of the respective communication protocol.Such states include GHZ states [11], which are ideal CKA resources due to their obvious correlation when measured in the computational basis [1,5,6].Other useful symmetric resources are W states [12], although they only allow for the probabilistic generation of a conference key [7].
In recent years, the need for privacy and anonymity has led researchers to develop anonymous versions of protocols that implement important cryptographic primitives [13,14,15].In the case of CKA, the goal would be to establish a key between a number of participants, while keeping their identities hidden from the other non-participating parties, and in some instances even from each other.Using shared GHZ states, anonymous protocols have been proposed [16,17] and implemented [18] that also provide an advantage in keyrate compared to sharing bi-partite entanglement [17].However, GHZ states are highly loss-prone and cannot be easily exchanged over long distances.Moreover, most previous approaches using these states require a central server to distribute the state.
In this work, we address and answer the question of how to achieve anonymous CKA within a minimal and in several ways experimentally feasible nearest neighbour architecture of discrete variable quantum states.Specifically, we assume a linear chain of quantum nodes 1 , and study how to anonymously share a secret key between three of them.These three participants (also referred to as Alice, Bob and Charlie) use shared bi-partite entanglement with their neighbours to establish a linear cluster state [19,20,21] that 'connects' the three of them and all the nodes in between.This linear cluster state is further used to anonymously establish a three-partite maximally entangled state between Alice, Bob and Charlie, which is used to run a conference key agreement protocol and share a key with provable security.Our new protocol is one of the few cryptographic demonstrations where non-maximally entangled states are used for practical tasks.It highlights the flexibility that multi-partite entanglement provides for cryptographic tasks involving more than two parties and complements known results supporting this approach [16,17,22,23,24].
This work is structured as follows.In Subsection 1.1 we provide the necessary preliminaries and definitions to subsequently introduce the protocol in Section 2. Section 3 contains an analysis and explanation of the protocol and its performance, specifically how anonymity and security are achieved, as well as how the (finite) key rate is calculated.Section 4 contains a general discussion.Some details of the protocol, as well as the proofs of security and anonymity have been deferred to Appendices A, B and C, respectively.

Preliminaries and definitions
Throughout this work, we denote with the ordered set N = {N 1 , N 2 , . . ., N n−1 , N n } the collection of all nodes in a linear network (Fig. 1).We fix a set of three nodes P = {N a , N b , N c } ⊂ N such that a < b < c and call them Alice, Bob and Charlie, respectively.The goal of these three parties is to establish a secret key between them, without revealing their identities to everyone else.We will refer to them as the participants and to all other nodes P := N \ P as the non-participants of our anonymous conference key agreement protocol.Alice, Bob and Charlie know each other's position within the network and can identify the communication from each N i with its index i.Moreover, they have access to a pre-shared secret key; note that our scheme is a key-expansion scheme, like all known quantum key distribution and CKA protocols.We assume that the participants are cooperating: neither do they reveal each other's identity nor do they reveal the created secret key.However, we allow the non-participants to be dishonest and to actively deviate from the protocol -as long as they do not collude with each other.This means that nonparticipants can perform arbitrary maps and measurements in deviating bases or disclose false measurement outcomes, but they cannot, jointly with other non-participants, perform a coordinated attack.
Regarding initial resources, we assume that all nodes share one copy of an entangled (potentially noisy) Bell pair -i.e.(|0, 0⟩ + |1, 1⟩)/ √ 2 -with each of their neighbours: node N i therefore holds two qubits with labels τ i and ω i .Qubit τ i is entangled with qubit ω i+1 from node N i+1 while qubit ω i is entangled with qubit τ i−1 from N i−1 .Since nodes N 1 and N n both have a single neighbour, they only have a qubit τ 1 and ω n , respectively.These Bell pairs are used to create three linear cluster states between the nodes.For a set of qubits {1, 2, . . ., n}, we define the n-qubit linear cluster state vector where |+⟩ ⊗n := n i=1 |+⟩ i and CZ i,i+1 is the controlled-Z quantum gate that is applied between neighbouring qubits labelled i and i + 1.Finally, from the linear cluster state, a three-partite GHZ state with state vector is extracted in an anonymous fashion.Fig. 2 depicts a visualization of our protocol.For clarity, throughout this work, we denote a unitary Pauli operation with a capital letter, where a superscript indicates a real power (e.g.Z b is a unitary Z operation for b = 1 and I for b = 0).To indicate measurement bases, we use the σ-notation, where a superscript indicates the qubit (i.e.σ i x refers to a measurement of qubit i in the Hadamard basis).

Protocol
Our protocol is divided into three parts -the preparation of the required multi-partite states from the Bell pairs (2.1), the anonymous extraction of the GHZ 3 states from the multi-partite states (2.2), and the subsequent key generation with post-processing (2.3).

3.
After discarding all measured qubits, each node but Alice and Charlie holds only one qubit.Therefore, we can rename τ i → i for all N i ∈ N \ {N a , N c , N n } and ω n → n.For Alice and Charlie we rename τ a and ω c to a and c as part of |L m ⟩ and ω a and τ c to ã and b as part of |L l ⟩ and |L r ⟩, respectively.From the network state we will now show how to anonymously extract a GHZ 3 state for Alice, Bob and Charlie.Protocol 1 and the above discussion is phrased under the assumption that neither Alice nor Charlie are at the 'ends' of N .If indeed N a = N 1 , Alice performs the steps of the column marked N 1 in Tab. 1, and similarly for Charlie if N c = N n .Note that Alice and/or Charlie then also hold just one qubit.
As a small example, consider a network with only five nodes, where P = {N a , N b , N c } = {N 2 , N 4 , N 5 } and thus P = {N 1 , N 3 }.Note that N n = N c .All nodes except the first apply Z to their qubit ω i based on the outcome bit o i−1 they received.Any node other than N a , N c or the first or last node performs step 2a.: they apply a CZ gate and then measure σ τ i x , sending the outcome o i to the next node.To disguise that they are not performing this step, N 1 and N a apply Z to their τ i based on randomly drawn bit o i and send it to the next node.Moreover, they apply H to τ i .Since N c is the last node, they only perform step 1.

Anonymous extraction of GHZ states
After the n network nodes have created L network states as presented in Protocol 1, each of these states is used to anonymously establish a |GHZ 3 ⟩ state between Alice, Bob and Charlie via Protocol 2 for GHZ extraction, as visualized in Fig. 2.
All N i perform the following steps consecutively: Receive bit β i−1 and compute Draw a uniformly random bit m i .If i ∈ P: apply C i .
Protocol 2 is divided into three steps as well; some nodes only execute a subset of the steps and for Step 2 there are again two different options; this is reflected in Tab. 2. After a given amount of time for everyone to measure their qubit, all nodes broadcast their measurement outcome m i .The participants P then perform local unitary corrections on their own qubits based on the number of nodes between Alice, Bob and Charlie as well as the collection of measurement outcomes {m i } i∈ P , resulting in L GHZ 3 states shared between them.These corrections can be found in App.A and consist of Clifford operations only.Importantly, the corrections invoked by the measurement outcomes can be accounted for in post-processing, so that all actions of the protocol can be carried out simultaneously; this ensures no quantum memories are necessary.The final steps that enable secure anonymous conference key agreement are explained in the next section.
Similarly to the previous one, Protocol 2 is phrased under the assumption that neither Alice nor Charlie are at the 'ends' of N .If indeed N a = N 1 , Alice performs the steps of the column marked N 1 in Tab. 1, and similarly for Charlie if N c = N n .Note that Alice and/or Charlie then also hold just one qubit.
Consider again the example where P = {N a , N b , N c } = {N 2 , N 4 , N 5 }, P = {N 1 , N 3 } and N n = N c .To start Protocol 2, N 1 draws uniformly random bits β 1 and m 1 .They send β 1 to N 2 .Here, N 2 is a participant and therefore does not measure their qubit after calculating β 2 = β 1 ⊕ 1.Instead they apply C 2 , draw the bit m 2 uniformly and send β 2 to N 3 .The following node N 3 is again not a participant.It flips the received bit, measures it, and records the result as m 3 before sending β 3 to N 4 .The node N 4 now acts as the first participant N 2 : apply C 4 , compute β 4 , draw m 4 and send β 4 to N 5 .This last participant N 5 is now in a special position at the end of the network, which allows them to skip the last step and just to apply C 5 , to compute β 5 and to draw m 5 .

Measurements and post-processing
The participants now use a fraction p of the L GHZ 3 states to check for eavesdropping and the rest to generate conference keys.Using L • h 2 (p) bits of the pre-shared key -where is the binary entropy of p -Alice, Bob, and Charlie coordinate their measurements to be in either the σ z -basis (for KeyGen rounds) or σ x -basis (for Verification rounds).During the latter, ⟨m⟩ := L • p states are measured to estimate the σ x -basis error rate that is the relative number of erroneous (i.e.odd-parity) measurements.Every party announces a uniformly random bit after every KeyGen and every Verification roundwith the exception of Bob and Charlie who announce their measurement outcome after each Verification round; this allows Alice to calculate Q m X .When Alice determines that Q m X is above a predetermined tolerance threshold Q tol , she sets her abort bit to 1 to abort the protocol.
The other ⟨k⟩ := L − ⟨m⟩ = L • (1 − p) states are used to generate conference keys by Alice, Bob, and Charlie measuring in the σ z -basis.This results in k bits of raw key for each participant which is then post-processed with error correction and privacy amplification.
To perform error correction, Alice applies a publicly known error-correcting code to her raw key and encrypts the resulting error syndrome with a one-time pad using a portion of the pre-shared key.Alice now announces the encrypted syndrome, while everyone else announces a string of random bits of the same length.Bob and Charlie decrypt Alice's error syndrome using their pre-shared key and then perform error correction on their respective keys using the publicly known error-correcting code.
To verify the error correction, all participants apply a hash function h EC to their corrected key; Alice announces her outcome after encrypting it with a one-time pad using part of the pre-shared key, while everyone else announces a uniformly random bit string instead.Bob and Charlie now both decrypt Alice's announced output and verify the error correction by comparing their output of h EC with Alice's.If either Bob or Charlie find a discrepancy, they abort by setting their abort bit to 1; this ensures that the key they share is correct.
To potentially abort the protocol, the participants each announce their abort bit, which is 1 if and only if they want to abort, while the non-participants all announce random bits.The participants encrypt again by one-time padding their bit each with a separate single bit of the pre-shared key, using another 3 bits in total.
Finally, the participants perform privacy amplification to remove any correlation between the key and a potential eavesdropper, thereby reducing the length of the key.To this end, they apply another hash function h PA ; after subtracting the necessary key to replenish the pre-shared key for communication in subsequent rounds, this results results in a secure and correct key s of length ℓ (see App. B) shared by Alice, Bob, and Charlie if the protocol was not aborted.

Analysis of the protocol
Our nearest neighbour state preparation ensures that no central server is needed to provision resources.First, the parties create the linear cluster state by exchanging Bell pairs with their nearest neighbours, performing an entangling operation between their two qubits and subsequently measuring one.The non-participants then measure their remaining qubit in order to establish a GHZ 3 state between the participants. 2The resulting corrections to obtain the GHZ 3 are non-trivial only for Alice and Charlie: The correction for Alice depends only on the number of non-participants between Alice and Bob and the measurement outcomes {m i } b−1 i=a+1 of these nodes, while the correction for Charlie can be constructed by analogy.Importantly, the part of the correction that depends on the measurement results generates only Pauli corrections, so all these corrections can be considered as postprocessing of KeyGen and Verification rounds of Alice and Charlie; this means that the participants do not have to wait for announcements from non-participants before performing their measurements.

Anonymity of the protocol
The definition of anonymity is taken from [17].The protocol is defined to be ε an -anonymous if, for any choice of participants, it is at most ε an -close (in trace distance) to any state with a desired property.This property, adapted to our attack model, loosely states that the reduced state for any subset G ⊂ N that does not contain the participants, is independent of the choice of participants P. For the rigorous definition and more details, see App. C.
The alternating σ x -σ y measurement pattern of Step 2a in Protocol 2 only works when Alice and Charlie are at the respective ends of the linear cluster state.It is for this reason that we designed our extraction of the GHZ state to effectively only use the middle state |L m ⟩.Since all non-participants perform steps that are independent of the position of Alice, Bob, and Charlie, the nodes {N 1 , . . ., N a−1 } and {N c+1 , . . ., N n } generate the linear cluster states |L l ⟩ and |L r ⟩ as a byproduct.Alice and Charlie not performing the Bell projection creates the tri-separable network state |N ⟩ := |L l ⟩ ⊗ |L m ⟩ ⊗ |L r ⟩ .While this could make their actions distinguishable from those of all other nodes, it is easy to see that the reduced quantum state of each node N i is maximally mixed -even given all announced measurement results.In particular, this means that the reduced state of each node does not contain information about the identity of any other node in the network.
For noiseless scenarios, these announced measurement results {o i | N i ∈ N \{N a , N c , N 1 } are all uniformly random and uncorrelated -see App.C for a proof.To mask their identity, the other three nodes therefore announce uniformly random bits o a , o c and o 1 .For noisy scenarios, the announced measurement bits remain uniformly random, if there is no noise bias in the σ x or σ y basis, as for e.g.depolarizing noise.If there were such a bias, it could however reveal some information about the participants' identities, as the announced measurement results would be distinguishable from the uniformly random announcements of the participants.This can be avoided if the latter introduce some bias to their source of randomness, and hence mimic the non-uniformity of the announced measurement results of the non-participants; see Sec. 4 for more discussion.Furthermore, the neighbours tothe-right of the participants are not aware that the latter announce randomly chosen bits and will therefore perform Z corrections conditioned on them (i.e.Step 1 in Protocol 1); hence Step 2b of the protocol works as "anti-correction" performed by N a , N c and N 1 on their part of the Bell pair.
Similar to Protocol 1, during Protocol 2 all non-participants P (except N 1 and N n ) measure and announce their outcomes {m i | N i ∈ P, i / ∈ {1, n}}, which are uniformly random and uncorrelated -see App.C for a proof.To hide their identity, the participants P as well as N 1 and N n announce a uniformly randomly drawn bit (in case of biased noise, the same considerations and solution as in Protocol 1 apply).
In approaches where anonymity is of no concern, an error syndrome can be announced publicly.However, this syndrome might not be uniformly random and could potentially disclose Alice's identity.Hence Alice one-time-pad encrypts the error syndrome so that her communication is indistinguishable from all other parties; the same reasoning applies to all other communication of the post-processing (i.e. the verification and abort), too.

Security and performance of the protocol
Following [1], we define the protocol to be ε c -correct if the probability that the generated keys are the same for all participants is greater than 1−ε c .Similarly, we define the protocol to be ε s -secret if the output state is ε s -close (in trace distance) to an ideal state where the key is uniformly random and uncorrelated.The protocol is then called (ε c + ε s )-secure.For more details and the rigorous definition, see App.B.
In principle, all resulting GHZ 3 states could be used for key generation by each participant measuring in the σ z basis.However, to ensure secrecy of the key, it is of utmost importance that the states are verified, which is achieved by having all participants measure their qubit in the σ x basis instead.Crucially, the Verification rounds are selected such that potentially malicious non-participants do not learn of their selection.This is achieved by coordinating the Verification rounds in advance between Alice, Bob, and Charlie using secret communication.There are m = L • p Verification rounds and we therefore need L • h 2 (p) bits to coordinate their choices.As the k bits of the raw conference key resulting from the L • (1 − p) KeyGen rounds are neither perfectly correlated nor secret, error correction and privacy amplification are required.
Error correction.To make the key ε c -correct they use a publicly known error-correcting code (e.g., a low-density parity-check code as in Ref. [25]) with an error syndrome of length ) is the maximum pairwise σ zbasis error rate between Alice and Bob or Alice and Charlie; it is estimated in advance and thus regarded as a given parameter.Since the error syndrome is one-time padded, the participants use up l EC of the pre-shared key.To verify the error correction, the participants apply a hash function h EC , which is drawn from a family of two universal hash functions using a seed s hEC .This seed is sourced from the pre-shared key 3 and has length k − log 2 (ε c ) − 1, which ensures an ε c -correct key.The output of the hash function h EC is a bitstring of length log 2 ( 2 εc ); the same amount is used from the pre-shared key to encrypt the outcome using one-time pad before Alice announces it.
Privacy amplification.Privacy amplification works in a similar fashion: Alice, Bob and Charlie apply a hash function h PA drawn from a family of two-universal hash functions using a seed s hPA of length k + l PA − 1 sourced from the pre-shared key 3 , where is the length of the output of the hash function.
Here, µ is a statistical correction and ε s is the security parameter, while ε > 0 is a free parameter (see App. B for details).Note that in other approaches [6], privacy amplification also affects the l EC -parity bits that are transmitted during error correction.Since these have been encrypted with the pre-shared key in our approach, no leakage is possible and thus no privacy amplification is needed for these bits.
Finally, the unencrypted announcement of the -not uniformly randomabort bits could reveal the identities of the participants.This is solved by all participants encrypting their abort bits with one-time pads; each participant uses a single bit of their pre-shared key to hide the correlation of the abort bits.In order to obtain an accurate key rate, we need to replenish the pre-shared key used as a one-time pad in the various communications: coordinating the verification rounds, the error correction's syndrome and its verification, and the three bits for the abort communication, obtaining the secret key length ℓ (see App. B).Dividing by the number of rounds L, we obtain the key rate r := l/L with where µ εs−ε 2 is a statistical correction (see App. B) and ε > 0 is a free parameter.Note that for fixed ε s > 0 and ε c > 0 and given Q tol , Q z and L, one can optimise over p and ε.In the asymptotic limit (i.e.L → ∞), not only the L-dependent terms of Eq. (3.2) vanish, but so do p and µ.We refer to Tab. 3 for a representation of the performance of the protocol in terms of the required number L of network states for a fixed key length ℓ, while Fig. 3 contains the achievable finite key rate r as a function of L.

Discussion
In this work, we have investigated how to anonymously establish a secret key between three participants in a line of nearest-neighbour quantum nodes.We find that by sharing maximally entangled pairs that are then projected into linear cluster states, a secret key can be obtained without revealing the identity of the participants.This contrasts with previous approaches to anonymous conference key agreement [16,17], which directly distribute large GHZ states that are not only error-prone but also rely on a central server.
Although in this work we explicitly show how the three-partite GHZ state is generated using linear cluster states, this is in fact equivalent to performing Bell-state projections, as is for example common in quantum repeater schemes.There are other ways to extract Finite key rate r Q m x = 0.120 Finite key rate r per total number of rounds L smaller GHZ states from Bell pairs [26], however, these might not be as straightforward to perform anonymously.We also note that our method of generating the linear cluster state connecting the three participants, is not unique: in fact, any scheme that anonymously generates a linear cluster state from Alice to Charlie can be used, and from there, our proposed method for generating the conference key can be further applied.
With respect to non-trusted participants, if they were allowed to collaborate with an adversary who controls the entanglement sources and does not care about protocol termination, a trivial attack would be to distribute an eigenstate of a to-be-measured observable to one or more of the parties.Since participants and non-participants behave differently and the protocol contains announcements, albeit encrypted ones, the attacker would, at least probabilistically, learn the roles of the parties in the protocol.This attack can in principle be circumvented by first performing randomized verification of the shared entanglement as in Ref. [15,16]; however, this would require access to sufficiently good quantum memories and/or would drastically decrease the keyrate.In the absence of such countermeasures, anonymity can only be guaranteed against the non-trusted participants assuming they cannot collaborate with an all powerful eavesdropper.However, we emphasise that the security, as opposed to the anonymity, does hold in a fully adversarial model where all non-trusted participants and the eavesdropper collaborate (see Appendix B).
As mentioned in Section 3.1, the measurement outcomes that are announced throughout the protocol could, in the presence of noise, be distinguishable from the chosen (uniformly random) announced bits of the nodes that do not perform a measurement; this would be detrimental to their anonymity, even if the non-trusted participants are not collaborating with an eavesdropper, since they could potentially learn about noise characteristics in the network via measurements announced in the current (or previous) runs of the protocol.To mitigate this risk, these nodes can add a bias to their random announcements that is consistent with the noise of their detectors.If they want to mimic the exact bias that their detectors have, they could -in an adjusted protocol -postpone all announcements until all L rounds of measurements have taken place.Such a protocol would be modified such that N 1 and the participants can secretly estimate their bias, by performing additional measurements in the bases that they would have had to perform if it wasn't for their special role.After all measurements have taken place everyone can then announce their (potentially fabricated) bits.Since these secret measurements are in place of the actual measurements that need to be performed, the corresponding round cannot be used for either verification or key generation.As such, this approach would slightly diminish the keyrate.
We now briefly discuss the prospects for implementation of these protocols via multipartite photonic entanglement.The dominant cause of noise is typically presence of higherorder photon events for parametric down conversion (PDC) photon sources [18,27,25,28,29] and photon distinguishability for solid state sources [30,31,32], although other effects such as detector dark-counts and misalignment also contribute.Furthermore, for practical implementations it is important that the generated photons are at telecom wavelengths compatible with low loss transmission over optical fibre, which renders some multi-partite entanglement sources unsuitable.
Regardless of the source of the noise, for the ACKA protocol the only quantity that ultimately matters are the measured QBER's in the X and Z bases.In that sense our results in Fig. 3 already provide a detailed description of the tradeoff between the total tolerable noise and block size.An implementation of our ACKA protocol has already been carried out demonstrating positive asymptotic keyrates, albeit at non-telecom wavelengths [28].Comparison with other experiment results shows that for moderate block-sizes the required noise thresholds are well within those that have already been demonstrated in state-of-the-art PDC sources deployed through optical fibre at telecom wavelengths for 4 and 6 photon entangled states [25,29] showing that proof-of-principle demonstrations of this protocol are within the reach of present-day technology.Nevertheless, the observed rates are quite low due to losses, and these would only become more severe with increasing transmission distance and number of parties.This observation, coupled with previous work on the increasingly demanding noise thresholds for large scale multi-partite CKA [1,5,6,7], suggest that a robust, large-scale implementation would require more sophisticated networks incorporating quantum repeaters or error-correction protocols [2,3,4].
We leave the generalization of our protocol to more than three participants as an open question: the extraction of larger GHZ states (i.e. more than three qubits) from linear cluster states is possible (see Ref. [33,34]).However, the size of the larger GHZ state is bounded from above by roughly half of the number of nodes between Alice and Charlie [33].In addition, the specific measurement bases used to extract the state may depend on the position of the participants, so particular care must be taken to prevent identity leakage in this way.Finally, closed-form expressions for post-processing corrections in this generalized form are not straightforward either -and obtaining them remains an open question.Our work contributes to the growing body of multi-partite quantum cryptographic schemes that live up to stringent security requirements in protocols that go beyond point-to-point protocols.It is the hope that this work further stimulates theoretical and experimental research towards understanding notions of secure quantum communication in multi-partite settings.
col.We thank Federico Grasselli for carefully reading an early version of the manuscript and providing valuable feedback.J. de Jong and A. Pappa acknowledge support from the Emmy Noether DFG grant No. 418294583.F. H. acknowledges support from the German Academic Scholarship Foundation and J. E. from the BMBF (Q.Link.X and QR.X), J. E. and A. P. also acknowledge support from the Einstein Research Unit on Quantum Devices, for which this is an inter-node project.

Appendices
The appendix consists of three parts.Part A contains an explanation of the corrections that the participants have to perform on their qubits due to the network layout and the measurement results of the non-participants.Part B contains a restatement of the protocol, the definition of security, and the proof of security for the protocol.Finally, part C deals with the anonymity of the protocol, showing in particular that the announcements of the measurement do not reveal any information about the identity of the participants or nonparticipants.

A Corrections for Alice, Bob and Charlie during Protocol 2
Alice and Charlie need to perform a correction to obtain the GHZ 3 state with Bob, whereas Bob never has to perform a non-trivial rotation.The corrections for Alice and Charlie are structurally similar; we first introduce those for Alice.In order to achieve this, we define the following quantities.
• δ ab := b − a − 1, the number of non-participants between Alice and Bob.
• p ab := δ ab mod 4, the mod-four value of δ ab , the integer number of groups of four that fit between Alice and Bob.
For Charlie, δ cb , g cb and p cb are defined in a similar fashion.We refer to Fig. 4 for two potential configurations of the network that exemplifies these definitions.Alice now performs the following correction steps: 1. Apply a configuration correction C ab depending on p ab and g ab , as shown in Tab. 4, picking the left (brown, β a = 1) or right (green, β a = 0) table.
2. Divide all the measurement outcomes {m i } b−1 a+1 into a set {m i } a+1+p ab a+1 and a set {m i } b−1 a+2+p ab -where it is to be understood that if p ab = 0, the first set is empty.
3. From the outcomes in the first set, they calculate the bits k x and k z using Tab. 4.

4.
From the outcomes in the second out of every pair of four select the measurement outcomes as described in Tab. 5 and add them all together to calculate l x and l z , respectively (e.g. if β a = 1, Alice selects every odd element of the second set to calculate l x , and every second, third and fourth out of four to calculate l z ).

5.
They apply an X operation on their qubit if and only if k x ⊕ l x = 1.
6.They apply a Z operation on their qubit if and only if k z ⊕ l z = 1.
Table 4: Local corrections that Alice needs to perform to obtain the GHZ state with Bob and Charlie after the non-participants measured their qubits.The left table shows the corrections if the nonparticipant a + 1 after Alice measured in the σ x -basis (β a = 1), the right table the corrections if it was in the σ y -basis (β a = 0).The C ab column contains the configuration correction which only depends on the number of non-participants δ ab between Alice and Bob -note that g ab := ⌊δ ab /4⌋.The k x column contains the measurement outcomes that add to k x , which induce together with l x a correction X kx⊕lx ; similarly the k z column contains the measurement outcomes that create k z .
Table 5: Selection of measurement outcomes out of every pair of four from the second set to calculate l x and l z , respectively.For example, when δ ab = 7 and Note that all three corrections (i.e. the configuration correction, the X correction and the Z correction) can be contracted into a single Clifford operation.However, since the measurement-outcome dependent corrections are only Pauli operators, they will at most flip the measurement outcomes for Alice in the subsequent steps of the protocol -and need not be physically implemented.This also means that the participants can perform their KeyGen or Verification measurements before the measurement outcomes of the non-participants are announced.By having all nodes {N a+1 , . . ., N b−1 } perform their measurements and Alice subsequently perform the aforementioned corrections, the linear cluster state is contracted towards a |L a,b,b+1,...,c−1,c ⟩ linear cluster state.Hence, Charlie can perform the same steps (while using the measurement outcomes {m c−1 , m c−2 , . . ., m b+1 }, δ bc := c − b − 1 and its redefined derivatives) to contract the state towards a three-partite linear cluster state |L a,b,c ⟩.Two final H gates for Alice and Charlie result in the desired GHZ 3 state between Alice, Bob and Charlie.

A.1 Calculating the corrections
Using the stabiliser formalism, it is straightforward to show that, starting from a linear cluster state |L a,a+1,...,c−1,c ⟩, a measurement on node N a+1 in the σ x -or σ z -basis results in |L a,a+2,...,c−1,c ⟩ up to a local correction C a+1 ab for Alice, where this correction depends on both the measurement basis β a+1 and outcome m a+1 as where P z := R z π 2 is a half-rotation around the Z-axis and P x is defined similarly.Note that either identity (i.e. the Z-or X-based rotation) can be used.
A series of multiple measurements then introduces a concatenation of these corrections, where the corrections are performed in order from N a+1 to N b−1 .They do not necessarily commute, but by using the X-and Z-based correction interchangeably (and thus cancelling out the H operations), and using the identity Z m i P x = P x X m i Z m i (and likewise for P z ) one can group all the corrections that are not measurement outcome based together as the first corrections; allows to partition the complete correction into a correction and an outcome-based correction.
Specifically, for the alternating pattern of σ x and σ y measurements, each group of four consecutive measurements together introduces only Pauli corrections.For example, for any group of four consecutive nodes {N 1 , N 2 , N 3 , N 4 } (note that these labels resemble any set of four consecutive nodes) these corrections are Up to an irrelevant global phase, all these operators commute with each other.Therefore, starting from the last measured node (i.e.N b−1 ) an integer multiple of four can be 'stitched together'.Since there are g ab := ⌊δ ab /4⌋ of such groups, the correction becomes where l x is defined as and l z is defined as The corrections for the measurements of the nodes N a+1 , . . ., N a+p ab (i.e. the first p ab measurements) are then also grouped together; by splitting them into a measurementoutcome dependent and -independent part, they can be written as X kx Z kz C ab , where C ab , k x and k z can be read from Tab. 4. Note that the X g ab or Z g ab in Tab. 4 is technically not part of the correction here, but that they will commute with X kx Z kz and hence the total correction that Alice needs to perform becomes (where now C ab is as in Tab.4): where = here indicates 'up to an (irrelevant) global phase'.Since these corrections only consider nodes between Alice and Bob, and since there are actions that Bob needs to perform, the corrections for Charlie work in a similar fashion and can be seen separately from these.

B Protocol statement and security proof
We now state the protocol and proof the security of the generated key.Note that we have omitted the network state generation (i.e.Protocol 1) as it does not affect security. Input: • Desired secrecy parameter ε s > 0, which determines a correlation threshold Q tol , and correctness parameter ε c > 0.
• A random string s b of length L • h 2 (p) secretly pre-shared between the participants to randomly choose m out of the L cluster states to be measured in the σ x -basis for parameter estimation where p = m/L, leaving k := L − m measurements in the σ z -basis for key generation.
• An estimate of the expected bit error rate Q z in the σ z -basis between Alice and Bob and Alice and Charlie.The worst of these will be used to select an error-correcting code that requires an error syndrome of length ℓ EC := k • h 2 (Q z ) to be announced.
• A pre-shared secret random string s EC of length ℓ EC to be used to one-time pad the error reconciliation announcements, another pre-shared string s hEC of length ℓ hEC := log 2 (2/ε c ) to one-time pad the error correction verification announcements, and three bits of pre-shared key to communicate aborting by the participants.
• Two pre-shared random strings, s h and s hEC , of lengths k + ℓ PA − 1 and k + ℓ hEC − 1 respectively to be used as the seeds for hashing, where ℓ PA is the output of the privacy amplification hashing as defined below.The string s h is used for privacyamplification of the private key, while s hEC is used to verify the error correction step has succeeded.Note that unlike the previous seeds, these can be used indefinitely and need not be replenished after each run of the protocol.

Output:
A key of length ℓ shared anonymously between Alice, Bob and Charlie that is ε s -secret and ε c -correct.
i.If N i ∈ P, they measure the operator σ i x or σ i y if β i = 0 or β i = 1, respectively.They broadcast the measurement outcome m i .ii.If N i ∈ P, they announce a uniform randomly drawn bit m i .(b) Node N i sends bit β i to neighbour N i+1 , except for node N n .
2. The participants perform corrections on their qubits to rotate the post-measurement state to the desired GHZ state.
(a) Alice and Charlie apply their configuration corrections C a and C c , respectively (cf.Tab. 4).
(b) Alice (i = a) and Charlie (i = c) both calculate their parameters l i x , k i x and l i z , k i z from the measurement outcomes of the non-participants (cf.Tabs. 4 and 5) and each apply X lx⊕kx and Z lz⊕kz to their qubit.
(c) Alice and Charlie each apply a Hadamard operation H to their qubit to obtain the final desired GHZ state.
3. Using the pre-shared string s b , the participants coordinate their measurements of all L GHZ states into m Verification rounds (i.e.σ x -basis) and k KeyGen rounds (i.e.σ zbasis).Everyone announces after each measurement a random bit m i , except for Bob and Charlie, who announce their measurement outcomes for the Verification rounds.
4. Alice, who can locate Bob's and Charlie's measurement outcomes from the Verification rounds, estimates the σ x -basis error rate ).If this is above the tolerance Q tol , she aborts by setting her abort bit to 1.

Alice computes the necessary information for error correction -the error syndrome
of length ℓ EC -and then one-time pad encrypts this information with the string s EC .All other players announce uniform random strings of length ℓ EC .
6. Bob and Charlie use their copies of s EC to obtain l EC and correct their k σ z measurement strings, i.e. their raw key.Alice, Bob and Charlie then hash their string using the seed s hEC .Alice encrypts her output using her copy of s hEC .Using their copy, Bob and Charlie each decrypt Alice's hash outcome and compare it to their own; if they do not align, they abort by setting their abort bit to 1.
7. Alice, Bob and Charlie, using another three bits of the pre-shared key, encrypt their abort bit -which is equal to 1 if and only if they want to abort -and announce it, while all other parties announce uniformly random bits instead.If any participants announced a 1, everyone aborts (meaning they will not use the generated key).
8. Finally, the participants hash their measurement results with the seed s hPA to produce the final key s of length However, to fairly evaluate performance the parties should replenish their stock of secret-shared key so as to be able to perform subsequent CKA protocols.Subtracting off the non-reusable shared randomness results in a string of length ℓ that is available for applications.
We now prove the security of our protocol in the scope of an even more general adversary model than the one introduced in the main text, so that we can resort to a powerful machinery that has been developed in the literature [35,36] and we can build on the strategy of proof laid out in Ref. [6]; the security of our protocol within our adversary model then follows readily.However, there are some variations to the tools necessary to preserve the anonymity of the participants which is key to the present work.We briefly explain some critical quantities and definitions.Let ρ S A S B S C E ′ be the joint classical-quantum state between the final keys of the participants and an eavesdropper conditioned on passing all checks.Note that the eavesdroppers system, E ′ = ER, is made up of a quantum system, E, that completely purifies the pre-measurement state ρ ABC (and is, therefore, assumed to include system of the non-participating player) and a classical register R that contains all of the information announced during the protocol.A protocol is called ε rob -robust if it passes the correlation and the error correction checks with probability 1 − ε rob .Defining a uniformly distributed state as with S the set of possible secret keys we have the following definition [6].
Definition 1 (Approximate robustness and secrecy) A CKA protocol that is and ε s -secret if Turning first to multi-partite error correction we have the following statement.
Theorem 1 (Theorem 2 in Ref. [6]) Given a probability distribution P X A ,B 1 ,B 2 ,...,B N , between Alice and n other players there exists a one-way error-correction protocol for all n players that is: ε c -correct, and 2(n − 1)ε ′ -robust on P X A ,B 1 ,B 2 ,...,Bn , and has leakage In terms of secrecy the critical results are leftover hashing against quantum sideinformation, an entropic uncertainty relation for smoothed min-and max-entropies, applied to our protocol, states the following.
Lemma 1 (Leftover hashing against quantum side information in Refs.[37,35]) Let ε ′ ≥ 0 and ρ Z A E be a classical-quantum state where Z A is defined over a discrete-valued and finite alphabet, E is a quantum system and R is a register containing the classical information learnt by Eve during information reconciliation.If Alice applies a hash function, drawn at random from a family of two-universal hash functions that maps ρ Z A E to ρ S A E and generates a string of length ℓ, then where H ε ′ min (Z A |ER) is the conditional smooth min-entropy of the raw measurement data given Eve's quantum system and the leakage of the information reconciliation.
This leads to the following corollary.
Corollary 1 (Secret string extraction) For an ε rob -robust protocol an ε s -secret string of length can be extracted for any ε s , ε, ε ′ ≥ 0 such that where H ε ′ min (Z A |ER) is the conditional smooth min-entropy of the raw measurement data given Eve's quantum system and the information reconciliation leakage conditioned on the protocol not aborting.
Proof: Note that if we choose then the right hand side of ( 9) is equal to ε/(1 − ε rob ) + 2ε ′ .Comparing with (7) in Definition 1 we see we want this expression to satisfy ε/(1 − ε rob ) + 2ε ′ ≤ ε s /(1 − ε rob ) so our security condition is satisfied for any ε s ≥ ε + 2(1 − ε rob )ε ′ which is true for any ε s ≥ ε + 2ε ′ where we used that (1 − ε rob ) ≤ 1.Noting further that log 2 (1 − ε rob ) ≤ 0 yields (10).This means that, provided the constraint in ( 11) is satisfied, the positive constant ε can be optimised over.Typically this makes little difference to the final performance and and they are commonly chosen as ε = ε s /2.Now we see that the problem has condensed to determining Eve's conditional smooth min-entropy for Z k A (in the following we will suppress the k superscript), the variable describing the outcome of Alice's σ z measurements on the k key-generating qubits.To begin with, consider the situation before any information reconciliation is exchanged (there is no register R) so we simply have H min (Z A |E). Since Eve's state is taken to include that of all the non-participating players we can assume without loss of generality that there is an overall pure tripartite state between Alice, the remaining participants (which we denote B i ), and Eve.The required bound for this situation has been derived by applying an entropic uncertainty relation [37] for the smoothed min-and max-entropies specialised to the case of observables made up of the k-fold tensor product of either σ z and σ x measurements, (i.e. the observables where we have used the data processing inequality, , in the second line.Naively, this bound cannot be evaluated since it is counterfactual, i.e. the k qubits are always measured in the σ z -basis so we have no direct access to H ε max (X A |X B i ), which is the conditional max-entropy of the participants given their Pauli measurements if Alice had instead measured in the σ x in these k rounds.However, since the parameter estimation and key generation rounds were selected at random then it has been shown that Serfling's bound can be applied to statistically bound the σ x correlation that would have been observed in the k key generation rounds based upon those that were actually observed in the parameter estimation rounds.This is expressed in the following result.
Lemma 2 (Lemma 3 in Ref. [35]) Let k be the number of key generation rounds, m be the number of parameter estimation rounds, d 0 a threshold on the number of errors that can be observed during parameter estimation without the protocol aborting and ε ′ > 0.
Putting all of these results together we can prove the following security statement.
Theorem 2 (Security statement) If the anonymous CKA protocol defined above proceeds without aborting an (max i∈{B,C} ℓ i EC , ε c ) error correction protocol and a two-universal hashing are successfully applied then an (ε s + ε c )-secure key of length can be anonymously extracted.
Proof: At the conclusion of the protocol we can immediately apply Corollary 1 to the k round classical-quantum state for positive constants satisfying Now, because all of the communication involved in error reconciliation is one-time padded to ensure anonymity we have that where in the third line we have also used that H ε 1 max (X|Y ) < H ε 2 max (X|Y ) for ε 1 > ε 2 .This string is guaranteed to be ε s -secret and, by Theorem 1, if the error correction process did not abort then the string is also ε c -correct.However, this is not a fair representation of the performance of the protocol, since we had to use up the reservoir of pre-shared key for the basis choices and for one-time padding the error reconciliation information.Thus, to get the length of useable key we need to calculate how much remains after we have replenished the pre-shared strings necessary for the next protocol implementation.Subtracting off the seed for basis choices, Lh 2 (p), and the length of the error correction information and verification, ℓ EC and ℓ hEC and the 3 bits for the abort step, gives (15).

C Anonymity in the protocol
This section is concerned with the anonymity of the protocol.We first define anonymity according to the definition presented in [17] and adapt it to the setting of our protocol.Most importantly for our analysis, we need to show that all public communication -the announced measurement results -is independent of the choice of participants.We do this by showing that they are uniformly random and uncorrelated.

C.1 Definition of anonymity
We base our definition of anonymity on [17] (Eqs.B7 and B13) and adapt it to our setting.The definition is given in terms of the relation to an ideal output state of the protocol.
Let σ N |abc be the ideal output state on the entire network, conditioned on a particular choice of participants P = {N a ,N b ,N c }. Let G ⊂ P be a random subset of nodes that does not include the participants and define σ G|abc = tr N \G [σ N |abc ].For all sets G and every other choice of participants P ′ = {N a ′ , N b ′ , N c ′ }, σ N |abc should have the property: This property ensures that the reduced state of any set of non-participants is independent of the choice of participants.
We define a protocol with output state ρ N |abc to be ε an -anonymous, if for every choice of participants P = {N a ,N b ,N c }, we have: where σ P|abc is any state that fulfills property (19).

C.2 Proof of anonymity
In the proposed protocol, the output state ρ P|abc has several registers.The only non-trivial registers that need to be addressed are the ones containing the classical communication of all the measurement outcomes {o i } ∪ {m i }.The reason is that the reduced quantum state of any dishonest party is the maximally mixed state, which is independent of the choice of participants, and therefore trivially fulfills (19).Moreover, all other parties do not hold a quantum register by the end of the protocol.
In the remainder of this section we will show that there are no correlations between any of the announced measurement outcomes {o i } ∪ {m i }, i.e. that the outcome distribution is indistinguishable from that of the uniformly drawn announcements of the nodes N 1 , N a and N c during Protocols 1 and 2. We can then conclude that we have complete anonymity, i.e. our protocol is ε an -anonymous for ε an = 0.
Since the state of the network always remains separable between the tri-partition of the nodes to the left of (and including) Alice, the nodes to the right of (and including) Charlie, and the nodes between (and including) Alice and Charlie, it suffices to show that there are no correlations within the measurement announcements associated with these three separate groups.We show this absence of correlations only for the left set, since the argument applies analogously to the other two sets.We first show this in the case of an honest-but-curious non-participant, followed by the case where a non-participant may actively deviate from the protocol.

C.2.1 Honest-but curious setting
Consider the stabilizer of the network state after all CZ operations have been performed in Step 2a of Protocol 1.It is generated by the following collection of operators: The measurement operator of all measurement outcomes together depends on β 1 as x σ τ 4 x σ ω 5 y σ τ 5 x σ ω 6 x . . .σ where all (σ x -)observables acting on {τ i } a−1 i=2 are associated with the measurements of Protocol 1 (i.e. the outcomes {o i }) and all others are associated with Protocol 2 (i.e. the outcomes {m i }).
It is now our goal to show that all these measurement outcomes are uniformly random, and that there are no correlations between the measurement outcomes associated with any subset S ⊂ Q, where Q = {ω 2 , τ 2 , . . ., ω a−1 , τ a−1 } is the set of qubits measured throughout both Protocol 1 and Protocol 2. Any such S has an associated observable where b(i) ∈ {x, y} indicates the type of support on qubit i as shown in Eq. (22).If M S does not commute with at least one generator of the stabiliser (i.e.any operator from Eq. ( 21)), by Gottesman-Knill simulation, the measurement outcome for M S is uniformly random 0 or 1.If this holds for any S, there cannot be any correlations between any of the measurement outcomes.The uniform randomness of the individual measurement outcomes follows readily for the case when S contains only a single qubit.We now show that any M S indeed always anti-commutes with at least a single generator.Suppose that M S does commute with all generators but is non-trivial.If it has (nontrivial) support on τ a−1 , this is necessarily with σ x .It will then not commute with σ τ a−1 z σ ωa z (the last generator of Eq. ( 21)) and hence cannot have support on τ a−1 .Then, if M S has (non-trivial) support on ω a−1 , with either a σ x or σ y , it will not commute with the generator σ x -thus it cannot have support on ω a−1 either.We can inductively go through the rest of the qubits in Q in reversed order, i.e. from right to left through the observable from Eq. (22).For j ∈ {a − 2, a − 3, . . ., 3, 2}: Suppose M S has non-trivial support on τ j , it is of type σ x .Since M S has by construction no support on any qubit to the right of τ j , it does not commute with the generator σ τ j z σ ω j+1 z -hence M S cannot have support on τ j .
Suppose M S has non-trivial support on ω j , either of type σ x or σ y .Since M S has by construction no support on any qubit to the right of ω j , it does not commute with the generator σ We conclude that there is no M S with non-trivial support on at least a single qubit that does not anti-commute with at least one generator.
From this, we can conclude that there are no correlations possible between any set of measurement outcomes from {o i } and {m i }, and that they are thus uniformly random and uncorrelated.Moreover, it stays uniformly random under any noise that does not add a bias in the used measurement bases (i.e.σ x and σ y ).

C.2.2 Dishonest participant
We are now allowing a single non-participant to deviate from the protocol in an arbitrary way.Let the index of this dishonest non-participant be i.To try to force any other node in the network to implicitly reveal their identity, N i can actively perform a different measurement than described, where their outcomes would then be correlated with its (e.g.) direct neighbours.If these correlations then do not exist between their outcomes and the announced outcomes, then they can infer that these announced outcomes are artificial, and therefore that those who have announced them are in fact participants.Let this arbitrary measurement be represented by a 2-qubit POVM µ i := {µ j i }, where without loss of generality j ∈ {1, 2, 3, 4}.
Slightly abusing notation by combining POVM elements and observables, the measurement operator then becomes x σ τ 2 x . . .σ Without loss of generality, the underlying network state is still the same4 as in (21).Likewise, all of the single-qubit measurement operators in M for any node N j̸ =i do not commute with at least one of these generators, indicating that the individual measurement outcomes are uniformly random 0 or 1.
Similar to before, the goal is to show that no choice of µ i can create a measurement operator M S that shows correlations between the qubits of i and any subset S ⊂ Q.It suffices to show that there is no M S with support on any of the qubits in Q \ {τ i , ω i } that commutes with all generators.By the same analysis as in the previous section, M S cannot have any support on the qubits of any N j|j∈{a−1,...,i+1} .Moreover, we can make a similar inductive argument for nodes N j|j∈{2,...,i−1} .Independent of β 1 , if M S has support on ω 2 it will not commute with the generator σ τ 1 x σ ω 2 z .Likewise, if M S has support on τ 2 , it will not commute with the generator σ τ 1 z σ ω 2 x σ τ 2 z .We can inductively go through all qubits from the nodes N j|j∈{2,...,i−1} to show that there exists no M S that has non-trivial support on any qubit of the nodes {2, . . ., i − 1, i + 1, . . ., a − 1} and at the same time commutes with all the generators.We can conclude that, even for a dishonest node N i , there are no correlations in the measurement outcomes announced by the other nodes.

Figure 1 :
Figure 1: Participants P = {N a , N b , N c } and non-participants P are connected by a linear network.The position of Alice, Bob and Charlie are not known by any other node in the network.

Figure 3 :
Figure 3: Finite key rate r as a function of the total number of network states L. Here, Q tol is fixed at various values of Q mx and Q z is fixed at two thirds of this value to simulate white noise.The blue dotted line is the asymptotic key rate for the minimum Q m x shown.Security parameters ε c and ε s have both been fixed at 10 −8 ; the rates are optimised over p and ε.
-hence M S cannot have support on ω j .
From the Bell resources, we create the network state vector |N ⟩ := |L l ⟩⊗|L m ⟩⊗|L r ⟩ , where |L l ⟩, |L m ⟩ and |L r ⟩ -with l, m, r denoting left, middle and right -are linear cluster states on the qubits labelled {τ 1 , τ 2 , ..., τ a−1 , ω a }, {τ a , τ a+1 , ..., τ c−1 , ω c } and {τ c , τ c+1 , ..., τ n−1 , ω n }, respectively (Fig.2top and middle), by performing Protocol 1 for State preparation.Protocol 1 is divided into three steps.Some nodes execute only a subset of the steps and a small selection of nodes execute a variant of Step 2a, listed as Step 2b.These considerations are reflected in Tab. 1, which indicates which nodes perform which steps Bell pairs shared between nodes N i and N i+1 .Qubit τ i (dark gray) of N i and ω i+1 (light gray) of N i+1 are entangled.The three qubits to be part of the GHZ state are colored green, blue and pink.Middle: In Protocol 1, the Bell resources are used to create three linear cluster states via Bell state projection.Alice and Charlie do not perform the projection.Bottom: In Protocol 2 the network states |N ⟩ are transformed into |GHZ 3 ⟩ states between N a , N b and N c .
Protocol 1: State preparation Input.Bell pairs between nodes N i and N i+1 .Goal.Prepare the network state vector |N ⟩.All N i perform the following steps consecutively: 1. Receive o i−1 .If o i−1 = 1 apply Z on ω i .2a. Perform CZ between τ i and ω i .Measure σ τ i x and record measurement outcome bit as o i .2b. Draw uniformly random bit o i .If o i = 1 apply Z on τ i .Apply H on τ i .

Table 1 :
Protocol 1 Overview Not all steps of Protocol 1 are performed by everyone.This table indicates which steps are performed by whom.Note that since N 1 does not perform 1. and N n does not perform 3. there is neither o 0

Table 3 :
tol has been fixed at this value).Here, Q z is fixed at two thirds of Q m x to simulate white noise.The security parameters ε c and ε s have both been fixed at 10 −8 and the rates are optimised over p and ε.
The number of network states L necessary to obtain various secret key lengths ℓ, for different σ x -basis error rates Q m x (Q