Resource State Structure for Controlled Quantum Key Distribution

EPJ manuscript No. (will be inserted by the editor)

Resource state structure for controlled quantum key distribution

Arpan Das1,2,a, Sumit Nandi1,2,b, Sk Sazim3,c, and Pankaj Agrawal1,2,d 1 Institute of Physics, Sachivalaya Marg, Bhubaneswar 751005, Odisha, India. 2 Homi Bhabha National Institute, Training School Complex, Anushakti Nagar, Mumbai 400085, India. 3 Harish-Chandra Research Institute, HBNI, Allahabad 211019, India.

Received: date / Revised version: date

Abstract. Quantum entanglement plays a pivotal role in many communication protocols, like secret sharing and quantum cryptography. We consider a scenario where more than two parties are involved in a protocol and share a multipartite entangled state. In particular, we considered the protocol of Controlled Quantum Key Distribution (CoQKD), introduced in the Ref. Chin. Phys. Lett. 20, 183-185 (2003), where, two parties, Alice and Bob establish a key with the cooperation of other parties. Other parties control/supervise whether Alice and Bob can establish the key, its security and key rate. We discuss the case of three parties in detail and ﬁnd suitable resource states. We discuss the controlling power of the third party, Charlie. We also examine the usefulness of the new resource states for generating conference key and for cooperative teleportation. We ﬁnd that recently introduced Bell inequalities can be useful to establish the security of the conference key. We also generalize the scenario to more than three parties.

PACS. XX.XX.XX No PACS code given

1 Introduction the two parties may be dishonest, ii) one of the two parties may be compromised by some eavesdropper, iii) the Quantum entanglement is an exquisite resource behind communication may be done only under some supervision. many quantum information processing protocols. In par- In this protocol, the controller/supervisor determines the ticular, usefulness of entanglement as a resource in cryp- state that Alice and Bob can share. This state can be a tography was demonstrated by Ekert [1] in a protocol product state, a partially entangled state, or a maximally which was an extension of the seminal BB84 scheme [2]. entangled state. The nature of this state will determine if Since then, many variants of this protocol have been pro- a key can be established or not, and the key rate and secu- posed using bipartite and multipartite entanglement [3]. rity. This protocol is different from MDI-QKD protocols In the Ekert’s protocol, Alice and Bob share a set of Bell [6,7], where the third party (say Charlie) is an untrusted states and make measurement in three bases each. Of party. Alice and Bob send two photons to Charlie and he these, two bases are common. There are nine combina- projects the joint state onto a Bell state. Whereas, in Con- tions of bases, among which two combinations give corre- trolled QKD, Charlie’s measurement is the first step of the lated results and are used to establish the secret key. Four protocol. The collapsed state between Alice and Bob after combinations of bases are used to establish the security the measurement of Charlie is used by them to establish using the violation of Bell-CHSH inequality [4] and the the secure key. In the next section, we illustrate various rest are discarded. We consider a variant of this protocol features of this protocol using three-qubit GHZ states. We arXiv:1903.10163v2 [quant-ph] 5 May 2020 using multipartite states. then find all three-qubit resource states that would allow In a multiparty case, we shall consider two scenarios. In the generation of a perfect key with optimal key rate, and the first scenario, a key is established between two parties, then generalize to more than three parties. We also discuss say Alice and Bob, with other parties controlling this key the security of the protocol using Bell-CHSH inequality. generation. This protocol of Controlled QKD (CoQKD) has also been discussed in the Ref. ([5]). In the second scenario, a secret key is established among all the parties. In the second scenario, the key, that is established For the first scenario, need for control may arise for a num- among all parties, is known as conference key. In a con- ber of different reasons. Some of them could be: i) one of ference key, all parties share a common key that they can use for secret communication with one another. Using the a Email:[email protected] new resource state (called NMM-state), introduced for Co- b Email:[email protected] QKD, we give a protocol to establish a conference key. We c Email:[email protected] use our recently introduced Bell inequalities [8,9] to estab- d Email:[email protected] lish the security of this conference key protocol. 2 Arpan Das et al.: Resource state structure for controlled quantum key distribution

These resource states can be thought of as task-oriented √1 (|000i + |111i). If the controller Charlie performs mea- 2 maximally entangled states (TMESs) [10], where task is surement on his qubit in Hadamard basis, then the col- maximal Co-QKD, i.e. the generation of a perfect secret lapsed state between Alice and Bob is a Bell state: |ψ±i = key with optimal key rate. We also show how these states √1 (|00i±|11i). After the measurement, Charlie announces 2 can be generated from product states by using suitable his choice of basis publicly. Then following the Ekert’s pro- multinary unitary operators. It turns out that these re- tocol, Alice and Bob can establish a perfect secret key with source states have the structure that makes them suitable optimal key rate between them, i. e. without any Quan- for cooperative quantum teleportation protocol also. We tum Bit Error rate (QBER) . After establishing the key, discuss some aspects of this protocol using new resource Alice and Bob both report the key rate to Charlie. If it states. is not optimal, then Charlie knows that there has been a The paper is organized as follows. In Sections2,3,4 cheating. Moreover, without the measurement performed and5, we cover the three-qubit scenario in detail. Speciﬁ- by Charlie, Alice and Bob can not establish a key, as their cally, in the section2, we introduce the CoQKD protocol. qubits are in maximally mixed state. So, Charlie also su- In the section3, we propose the structure of three-qubit pervises the starting of the key generation process, which resource states suitable for maximal CoQKD. Then, we allows him to control the whole process. If Charlie makes discuss the CoQKD protocol using these resource states a measurement in a basis other than the Hadamard basis, in the section4. In the section5, we show the generation of shared state between Alice and Bob is not a Bell state, but the conference key by these resource states. In the section a partially entangled state. With this state, perfect key 6, we explore further for the suitable structure of states generation with optimal key rate would not be obtained. useful in CoQKD beyond three qubits. We discuss how If the key rate reported to Charlie is less than the opti- these new resource states are also suitable for cooperative mal w.r.t the shared state between Alice and Bob, Charlie teleportation in the section7. In the section8, we identify knows that there is a cheating involved and that run of these resource states as TMESs. Lastly, we conclude in key making is discarded. Therefore, for a particular basis the section9.

2 CoQKD Protocol

In this section, we illustrate the CoQKD protocol using three-qubit GHZ state. The goal of this protocol is to establish a secret key between two parties with the involvement of the other parties. As discusses earlier, there could be multiple reasons for the involvement of other parties. One of the parties with the final secret key is not trustworthy, and wants to disrupt the key creation. Specifically, Fig. 1. CoQKD: Charlie supervises and controls the secret key in the key forming procedure, the dishonest party can de- between Alice and Bob. liberately make false statements in the public declaration rounds and affect the secret key. Moreover, he/she can be compromised by an external attacker, such that they two of Charlie, Alice and Bob can establish a perfect secret collaborate to act dishonestly. If there is a supervisor who key with optimal key rate, as the collapsed state between can control the shared entangled state between the two Alice and Bob is a maximally entangled state. The key is parties and supervises the key generation then a party can- made according to the Ekert’s protocol where the secu- not cheat or be compromised by any external eavesdrop- rity is certified by the violation of CHSH [4] inequality. If per. Specifically, the supervisor knows exactly which state Charlie performs the measurement in a general basis, the the two parties are sharing and what the optimal key rate secret key rate is not optimal. In this case we introduce should be. If the parties report the controller/supervisor a a modified version of Ekert’s protocol, where security is smaller key rate than the optimal, then there is a cheating guaranteed by the violation of CHSH inequality. Security involved and that run of the key generation is discarded. aspects and key rate are discussed in more detail in the The supervisor is also a controller. All the parties share section 4. a multipartite entangled state and the controller does a Advantage of this protocol is that Charlie can detect measurement on his/her system to initiate the key gener- if there is a cheating involved in the establishment of the ation process. There may be more than one controller and secret key and also he can control the optimal key rate one controller may have more than one qubit in his/her and QBER between Alice and Bob. possession. In this section, we have seen that for CoQKD, GHZ In this protocol, there are N (N ≥ 3) parties, among state can be used to establish a perfect key with optimal which N − 2 parties control the secret key generation by key rate. Therefore, we say that GHZ state is suitable for two remaining parties, say Alice and Bob. To illustrate the maximal CoQKD. The next question we ask – are there protocol clearly, we consider a simple scenario of three other three-qubit states that may be suitable for maximal parties who share a three-qubit GHZ state, |GHZi = CoQKD? In the case of GHZ state, all three qubits are Arpan Das et al.: Resource state structure for controlled quantum key distribution 3 maximally mixed. In the next section, we prove that the the following state, states, with two maximally mixed marginals, are suitable p + − for maximal CoQKD. For a three-qubit pure state, when |Φi = 1/2 |0i |φ i + |1i (I ⊗ U) |φ i , (1) the first qubit is non-maximally mixed and the other two where, |φ+i = √1 (|00i + |11i) and |φ−i = √1 (|00i − |11i). of the qubits are maximally mixed, we call such a state 2 2 NMM-state, |NMMi. Similarly, there are MMN or MNM Obviously, for each measurement outcome for Charlie, the states. These are one parameter classes of states. For a reduced state between Alice and Bob is a Bell state or its specific value of the parameter, these states becomes the LU equivalent state. For this state the qubits of Alice and GHZ-state. The GHZ state can be thought of as MMM- Bob both have entropy one and the qubit of Charlie has state, |MMMi because its all marginals are maximally entropy less than one if, U is not identity. If U = I, then all mixed. We show that, apart from the GHZ-state, the other the qubits have entropy one and it is just LU equivalent to three classes, i.e. NMM, MNM, and MMN states are also the conventional GHZ-state. Therefore, the state has the suitable for maximal CoQKD. entropy structure as stated in the proposition. To com- Next, we extend these protocols to four-qubit states. plete the proof, we show that any state with above entropy For four qubits, there exist MMNN-states, MMMN-states, structure is suitable for maximal CoQKD. To show this or MMMM-states (like GHZ-state, or cluster state) for we use the results of Refs. [11,12], which provide details CoQKD. Two cases may arise, where each party has one about the local unitary equivalence of multipartite states. qubit each, or one of the parties have more than one qubit. Firstly they showed that for three qubits if all the single qubit reduced density matrices are maximally mixed, We discuss this and the further generalizations in subse- p + − quent sections. then they are LU equivalent to 1/2 |0i |φ i+|1i |φ i , which is again LU equivalent to GHZ-state. This proves our first case, where all the qubits have entropy one. Next case is, when only two qubits have entropy one each. Now, 3 Resource state structure for three qubits any three-qubit pure state can be written in a Schmidt de- composition between 1-23 bipartition [13] as √ p As discussed above, to establish a perfect secret key with |ψi = p |0iC |ψ0iAB + 1 − p |1iC |ψ1iAB , (2) optimal key rate between two parties namely Alice and where, |ψ i and |ψ i both are normalized and hψ | ψ i = Bob, they must share a Bell state. So, for a controlled 0 1 0 1 0. We assume that Charlie holds the first qubit; Alice and scheme what we need is that after all the measurements Bob hold second and third qubit respectively. One can performed by the controlling parties, the reduced state choose different parametrization of these two orthonormal between last two parties is a Bell state. Therefore, the states, such that total number of parameters of the state question we ask is: What kind of three-qubit states have |ψi is five. One simple parametrization is the LPS [14] this particular feature? Answer to this question is in the scheme. Now we wish this state to have maximally mixed proposition below. reduced density matrices for A and B. This makes the structure to be LU equivalent to, Proposition-1 : The necessary and sufficient condi- √ tion for a resource state to be suitable for maximal Co- + p − |NMMi = p |0iC |φ iAB + 1 − p |1iC |φ iAB , (3) QKD protocol is that either all three single qubits are maximally mixed or only two of the qubits are maximally mixed with p 6= 1/2, as only Bell states and its LU equivalent and the non-maximally mixed qubit is with the controlling states have both single qubit reduced density matrix max- party. imally mixed. The last step is to show that Eq. (1) and Eq. (3) are LU equivalent. We again use the results of Proof.– To prove the above statement we proceed in the Ref. [11,12]. For two non-generic three-qubit states two steps. First we argue that for a successful and max- with two single qubit reduced density matrices maximally imal CoQKD a specific structure of state is needed and mixed are LU equivalent, if the third qubit has same en- this structure has the entropy distributions as mentioned tropy for the both the states. Therefore, Eq. (1) and Eq. in the proposition. This is the necessary condition. Sec- (3) are LU equivalent if we can show that for every p we ondly, to prove the sufficiency, we show that any state can choose a unitary U, such that the qubit with Charlie with the above entropy structure is LU equivalent to the has the same entropy for both the states in Eq. (1) and specific state useful for maximal CoQKD. The proof is as Eq. (3). We can take a very simple one parameter unitary, √ √ follows. a 1 − a U = √ √ . (4) For a successful establishment of a perfect key between − 1 − a a Alice and Bob with optimal key rate, they have to share a Bell state. That means after Charlie performs the mea- Applying this unitary to Eq. (1) and then tracing out Al- surement, the collapsed state between Alice and Bob has ice and Bob, we calculate the entropy of reduced√ density to be local unitary (LU) equivalent to a Bell state. With- matrix for Charlie and find that for p = 1/2(1− a), Char- out loss of generality, we take that Charlie is performing lie’s qubit has same entropy for both states Eq. (1) and measurement in the {|0i, |1i} basis. Then the suitable Eq. (3) and hence they are LU equivalent. This completes state for a successful controlled QKD is LU equivalent to our proof. 4 Arpan Das et al.: Resource state structure for controlled quantum key distribution

4 Controlled QKD protocol with NMM-state With these partially entangled states Eqs. (10,11), Al- ice and Bob initiate an entanglement based QKD pro- In this section, we discuss controlled QKD using NMM- tocol like in Ref. [1]. Let us recall what happens in the state. Since NMM-state reduces to GHZ-state (MMM- original protocol. The original protocol [1,15] involves a 1 state), when p = 2 , our this discussion is more general. maximally entangled state, namely a Bell state. In the From Eq. (3), it is evident that if Charlie makes the mea- absence of an eavesdropper, e.g. Eve, the protocol is rem- surement in {|0i , |1i} basis then the collapsed state be- iniscent of the BB84 protocol. Two parties hold one qubit tween Alice and Bob is a maximally entangled state. But each and agree on two sets of basis states in which they if Charlie chooses an arbitrary basis then the collapsed measure their own qubits randomly. After the measure- state may be anything, i.e., separable, partially entangled ment step, they announce their choices of the bases. Data or maximally entangled. This shows the controlling power is kept, if the bases match, otherwise data is discarded. of Charlie. Let us consider the arbitrary measurement ba- In half of the cases, Alice and Bob get perfectly corre- sis scenario. We take the general basis as, lated results and they can construct a secure key. The |0i + n |1i −n∗ |0i + |1i secure key rate is 1/2 in this scenario. But often in a |+ni = , |−ni = , (5) practical situation, the perfect correlation is not obtained, p 2 p 2 1 + |n| 1 + |n| which indicates noise in the entanglement channel or im- where n ∈ C and 0 ≤ |n|2 ≤ 1. We consider Eq. (3) as perfect measurement or possibly Eve’s intervention. Alice the initial state as it covers both GHZ and NMM states. and Bob use a part of the matched data to determine the Specifically, for p = 1/2, the state is nothing but a LU Quantum Bit Error Rate (QBER) and the remaining part equivalent to conventional GHZ-state. Inverting Eq. (5), is used to build secure key after error correction and pri- we get, vacy amplification. To know Eve’s presence, in the Ekert’s original protocol, Alice and Bob use one extra set of ba- |+ i − n |− i n∗ |+ i + |− i |0i = n n , |1i = n n . (6) sis states to measure that helps in testing the violation p1 + |n|2 p1 + |n|2 of Bell-CHSH inequality. If it is maximally violated then there is no eavesdropper’s attack. Non-maximal violation Putting these in Eq. (3) we get, would indicate a non-zero QBER. In this protocol, with √ + ∗p − one extra measurement each by Alice and Bob, the key |NMMi = |+ni [N p |φ i + Nn 1 − p |φ i] rate changes from 1/2 to 2/9. As the resource state in √ + p − + |−ni [−Nn p |φ i + N 1 − p |φ i], (7) our case is a non-maximally entangled state, we always get a non-maximal violation. So, we have to rearrange p where N = 1/ 1 + |n|2. When Charlie makes a measure- the protocol a bit. In the original protocol Alice and Bob ment, the collapsed state between Alice and Bob can be choose three measurement settings each, say, (A1,A2,A3) one of the following two states, and (B1,B2,B3) respectively, giving rise to nine combinations of measurement√ operators. Alice’s the settings are : A = σ , A = 1/ 2(σ + σ ) and A = σ . Whereas, 1 √ + ∗p − 1 x 2 x y 3 √y |ψ+iAB = √ N p |φ i + Nn 1 − p |φ i , (8) Bob’s measurement settings are : B = 1/ 2(σ + σ ), p+ √ 1 x y B2 = σy and B3 = 1/ 2(−σx + σy). Two combinations 1 p − √ + |ψ−i = √ N 1 − p |φ i − Nn p |φ i , (9) used to make the secret key are (A ,B ) and (A ,B ), AB p 2 1 3 2 − because of perfect correlations in these two settings. Four 2 2 2 combinations e.g (A ,B ), (A ,B ), (A ,B ) and (A ,B ) with probabilities p+ = N p + N |n| (1 − p) and p− = 1 1 1 3 3 1 3 3 N 2p|n|2 + N 2(1 − p) corresponding to measurement out- are required to test the Bell violation. These particular measurement settings give the maximal violation for a comes |+ni and |−ni respectively. It is clear from the structure of the collapsed state that this state can be sep- Bell state. Remaining combinations of the measurements arable, partially entangled or maximally entangled. As an are discarded. √ √ example, when, p = n∗ 1 − p, the collapsed state |ψ i √ √ + is separable. When p 6= n∗ 1 − p, state is partially en- Security of the key : Let us now consider our case tangled, and when n = 0, the collapsed state is maximally of NMM-state, and see how Bell-CHSH inequality can entangled. be used for the security of key generation. In our case, We rewrite the states in Eq. (8) and Eq. (9) as we have to choose the measurement settings according to the structure of the resource state. It is well known [16, |ψ+iAB = N1(|00i + n1 |11i) (10) 17] that given a non-maximally entangled two-qubit pure |ψ−i = N2(|00i + n2 |11i), (11) state, we can always specify the measurement settings for AB which Bell-CHSH [4] inequality is optimally violated. The where, we define, steps in security analysis are following: First Charlie an- √ √ √ √ nounces the choice of n, which is taken to be a real num- N p + n∗ 1 − p) p − n∗ 1 − p 1 = √ , n = √ , ber, and also the outcome of his measurement. Knowing 1 √ ∗ N 2p+ p + n 1 − p n, Alice and Bob know the collapsed state between them, √ √ √ √ N2 1 − p − n p) − 1 − p − n p which is either N1 |00i + N1n1 |11i or N2 |00i + N2n2 |11i. = √ , n2 = √ √ . (12) Suppose, the collapsed state is N |00i + Nn |11i. Then, N 2p− 1 − p − n p Arpan Das et al.: Resource state structure for controlled quantum key distribution 5

Alice and Bob choose the following three measurement states correspond to n = 0, in which case the collapsed settings each, giving rise to nine combinations. states are Bell states, leading to perfectly correlated measurement outcomes. In more general scenario, i.e., when A1 = σz,A2 = cos θσz + sin θσx,A3 = σx the state is not a Bell state, there exists error rate even in

B1 = cos θσz + sin θσx,B2 = σx,B3 = cos θσz − sin θσx, the absence of any eavesdropper. Interestingly, Charlie can control QBER by choosing appropriate measurement ba- √ where, cos θ = 1/ 1 + 4n2N 4. Like before, the combina- sis states. Now, with information about QBER, Alice and Bob can employ some error correcting protocols to distill a tion (A2,B1) and (A3,B2) can be used to generate the se- secure key. Having calculated the QBER, next thing is to cret key and the combination (A1,B1), (A1,B3), (A3,B1) determine the key rate. In the absence of Eve and with no and (A3,B3) can give the optimal Bell violation, which is √ QBER, the sifted key rate is 1/2. But the final key rate de- 2 1 + 4n2N 4. Remaining results are thrown√ out. So, if the Bell violation is less than the optimal value 2 1 + 4n2N 4, pends on the practical implementation of the protocol and Eve’s presence is detected. hence on QBER. So, a more reasonable quantity to use is the relative key rate which is determined by the difference QBER and key rate : Let us now find optimal key between Bob’s and eavesdropper Eve’s information about rate without worrying about security. Then, Alice and Bob sifted key [15,18,19]. The relative key rate is defined as, would make measurement in only two independent bases. r = Rfin/Rsif = I(A, B) − I(A, E) (for symmetric indi- In the case of a partially entangled state, we have nonzero vidual attacks), where Rfin, Rsif are the final and sifted QBER because we cannot have perfect correlations in two key rate respectively and I(A, B) is the mutual informa- different measurement bases. As stated, in this scenario, tion between Alice and Bob, and similarly, I(A, E) is the Alice and Bob measure with two different choices of basis mutual information between Alice and Eve. In our case, states. We assume that they have agreed to measure with we are neglecting the presence of Eve. So, we have [15,18, the projectors P and P where 19], r = 1 + Q log2 Q + (1 − Q) log2(1 − Q), where Q is the 0/1 ± QBER. After the conclusion of the protocol, Alice and Bob inform Charlie about the key rate and QBER. If there is P = M † M ,P = M † M (13) 0/1 0/1 0/1 ± ± ± a discrepancy between the expected QBER (and key rate) and reported QBER (and key rate), then Charlie knows and M0 = |0ih0|, M1 = |1ih1|, M± = |±nih±n|. Here, that there is cheating and that run of secret key making is QBER is defined as the probability that they would obtain rejected. Moreover, without Charlie’s measurement Alice different outcomes even if the measurement basis states and Bob cannot establish a key, as their qubits are in max- are same, i.e., imally mixed states. So, the whole key making process is initiated and supervised by a controller/supervisor, Char- QBER = Tr(P0 ⊗ P1ρ) + Tr(P1 ⊗ P0ρ) + lie, and thus making the protocol secure and trustworthy. Tr(P+ ⊗ P−ρ) + Tr(P− ⊗ P+ρ), (14) Remarks.– In the above, we see that if, the reduced den- where ρ = |ψihψ|. Now plugging |ψ+iAB into the above sity matrices of Alice and Bob have entropy one from the equation we find the expression for QBER: beginning, then by making a measurement in a right basis, Charlie can reduce the state between Alice and Bob n2(1 − p) QBER = . (15) to a maximally entangled state. So, the question arises 2n2(1 − p) + p that, if the qubits held by Alice and Bob do not have entropy one (i.e., maximally mixed) but less than one from We have plotted it with Charlie’s measurement parameter the beginning, can a measurement by Charlie make them n. It shows that error rate vanishes if measurement basis maximally mixed? In the following, we show that this is not possible. To show this, we start with the state of the form of Eq. (3). But this time Charlie makes a measure- 0.4 ment on a qubit, which has entropy one. Then we show that it is not possible to increase the entropy of the qubit, 0.3 which has entropy less than one. Considering the state in Eq. (3), let us say, Charlie makes a measurement on the second qubit in the general basis as given in Eq. (5). In 0.2

QBER p =0.2 terms of this basis, we can write the state as, p =0.3 √ 0.1 h√ ∗√ p =0.4 |NMMi = N/ 2 p |00i + n p |01i p =0.5 p p i 0.0 + 1 − p |10i − n∗ 1 − p |11i |+i 0.0 0.2 0.4 0.6 0.8 1.0 √ h √ √ n +N/ 2 − n p |00i + p |01i Fig. 2. QBER with control power of Charlie. Lower one cor- i −np1 − p |10i − p1 − p |11i |−i . (16) responds to GHZ-state for which QBER is least of all. 6 Arpan Das et al.: Resource state structure for controlled quantum key distribution

Corresponding to two outcomes of Charlie’s measurement, σx σx σx σx σy σy σy σx σy the collapsed state between Alice and Bob is, + + + + + − + + − + − − + − + + − + √ h i − + − − + + − + + |φ+i = p |0i N[|0i + n∗ |1i] − − + − − − − − − h +p1 − p |1i N[|0i − n∗ |1i]], (17) σy σy σx + + − √ h i |φ−i = p |0i N[−n |0i + |1i] + − + − + + h − − − +p1 − p |1i N[−n |0i − |1i]]. (18) Table 1. Correlation and anti-correlation tables. It is evident from the expression that, for the collapsed state to be a Bell state, we must have n = 1 and p = 1/2. This eventually makes the starting state to be a GHZ are measured, one gets perfect correlations. This is be- state. Maximum entropy we can achieve for the qubit held cause the GHZ state is the simultaneous eigenstate of by Bob is what we had from the beginning and that can the stabilizer group containing eight elements, [22] which be attained when n = 1. This shows that we must have are {III,XXX,ZZI,IZZ,ZIZ, −YXY, −YYX,XYY }. atleast two qubits to have entropy one, on which mea- This observation is crucial for the protocol of conference surements are not being done. We can do CoQKD with a QKD, established between Alice, Bob, and Charlie. To partially entangled state, but then key rate would not be start the protocol, first Alice, Bob and Charlie have one optimal. qubit each. These three qubits are in GHZ-state. All three parties make measurement in either σx or σy basis randomly. For the time being, we are not concerned with 5 Conference QKD with NMM-state Eve’s presence. Then all of them publicly announce their measurement basis choices. They keep the data for which all of them measure σx or any two of them measure σy. In the previous section, we discussed the controlled QKD They discard the remaining data. As, their results are now scheme, where one party’s role was to do the measurement perfectly correlated, they can generate a secret key. Out and supervise the establishment of a secret key between of eight set of measurements, they keep four of them to the remaining two parties. In this section, we discuss the generate the key. So, the key rate is 1/2. protocol for establishing a secret key among all three par- Now, we consider the NMM-state. We take the starting ties, also called a conference key, with the NMM-state as √ + √ − form of the state to be |ψi = p |+xi |φ i+ 1 − p |−xi |φ i. a resource state. There are several conference key proto- As expected, we would not get perfect correlations; so cols using multipartite entanglement [20,21,22,23]. we are QBER is not zero. We calculate QBER for this kind of adopting the scheme introduced in the Ref. [21]. We show state. To do that, we write down the correlation and anti- that one can generate conference key using the NMM-state correlation charts for different choices of measurements as with some non-zero QBER. We first illustrate how the pro- shown in Table1. The charts show the possible outcomes tocol works for GHZ-state. Before going to describe the when different combinations of measurements are done. protocol, first we note the following equivalences, without Note that the starting state, |ψi is LU equivalent to the invoking any local unitary, NMM-state. The state has perfect correlations for three σx p + − p measurements. So, QBER is zero for this kind of correla- 1/2 |+xi |φ i + |−xi |φ i = 1/2(|000i + |111i) tion. Also, when σx is measured on the first qubit, it is p − + = 1/2 |+yi |Φ i + |−yi |Φ i straightforward to see that, √ √ p p p |+ i |φ+i + 1 − p |− i |φ−i = where, |+xi = 1/2(|0i+|1i) and |−xi = 1/2(|0i−|1i) x x p p are the eigenstates of σx, |+yi = 1/2(|0i + i |1i) and p/2 |+xi (|+yi |−yi + |−yi |+yi) + (21) |− i = p1/2(|0i − i |1i) are the eigenstates of σ , |Φ+i = p y y (1 − p)/2 |−xi (|+yi |+yi + |−yi |−yi). (22) p1/2(|00i + i |11i) and |Φ−i = p1/2(|00i − i |11i). One can also show that, So, for the the measurements XXX and XYY , we have perfect correlations and hence zero QBER. But, the + p |φ i = 1/2(|+xi |+xi + |−xi |−xi other two measurements do not give perfect correlations. From the chart of correlation and anti-correlation it is = p1/2(|+ i |− i + |− i |+ i). (19) y y y y evident that remaining two cases i.e., YXY and YYX + p |Φ i = 1/2(|+xi |+yi + |−xi |−yi) give same QBER. Let us compute it for the first one. For p the table of YYX, the QBER is given by, = 1/2(|+yi |+xi + |−yi |−xi), (20) T r[(P y ⊗ P y ⊗ P x)ρ] + T r[(P y ⊗ P y ⊗ P x)ρ] and similarly for |φ−i and |Φ−i. Above equations show + + + + − − + T r[(P y ⊗ P y ⊗ P x)ρ] + T r[(P y ⊗ P y ⊗ P x)ρ], that whenever odd number of σx and even number of σy − + − − − + Arpan Das et al.: Resource state structure for controlled quantum key distribution 7

√ √ which comes out to be equal to 1/2( 1 − p − p)2 and dichotomic measurement choices per party. In the follow- same for the other table. The expression of QBER is ob- ing, we show the protocol in which using the inequalities tained from the correlation and anti-correlations charts by introduced in [8], we can detect the presence of Eve. We writing the probability of the combinations of outcomes take any inequality out of the set of six inequalities con- which are opposite to that written in the charts. structed in [8], and see the violation by the NMM-state. we plot the QBER with p and see that as expected, it is We take the following inequality, zero for GHZ-state. We see that the NMM-state is use- I = A1(B1 + B2) + A2(B1 − B2)C1 ≤ 2. (23)

0.5 In the following we show that every NMM-state violates the inequality for the whole parameter range. To show 0.4 this, we choose the following measurement settings,

0.3 A1 = σz,A2 = σx (24) B1 = cos θσx + sin θσz,B2 = − cos θσx + sin θσz

QBER 0.2 C1 = σx 0.1 These measurement settings are similar to the one used in Ref. [8]. For these measurement settings, the expectation 0.0 √ + √ − value of the state |ψi = p |+xi |φ i + 1 − p |−xi |φ i 0.0 0.1 0.2 0.3 0.4 0.5 is hIi = 4pp(1 − p) cos θ +2 sin θ. Employing the inequal- p ity α sin θ + β cos θ ≤ pα2 + β2, it is evident that, hIi ≤ Fig. 3. Variation of QBER with p 2p1 + 4p(1 − p). This shows that the inequality always gets violated by the NMM-state√ and when p = 1/2 ( i.e. GHZ-state), the violation is 2 2. Therefore, for cos θ = ful for conference QKD scheme, but with some non-zero 1/p1 + 4p(1 − p), the measurement settings we chose is QBER. The security of the secret key in the presence of also the optimal measurement settings for the NMM-state. Eve can be analyzed by estimating her maximal informa- Next, we describe the protocol to detect the presence of tion gain. If Eve has one qubit as a resource, then with Eve. For this, in each round of the protocol, Alice chooses the help of that, she can affect both the channels A − B from three measurement settings, Bob chooses from four or A − C [21], with the assumption of individual attack, measurement settings and Charlie chooses from three mea- i.e. at a time she can affect one channel only. We also as- surement settings as following, sume that all the three parties between whom the secret key is being established are trusted. It is only an out- A1 = σx,A2 = σy,A3 = σz (25) sider like Eve who wants to jeopardize the protocol. We B = σ ,B = σ , note this line of attack can take place if Alice has all the 1 x 2 y three qubits in the beginning. She put these three qubits B3 = cos θσx + sin θσz,B4 = − cos θσx + sin θσz. in GHZ state and then sends one qubit each to Bob and C1 = σx,C2 = σy,C3 = I, Charlie. Estimation of I(A; E) w.r.t I(A; BC) gives the 1 maximal knowledge that Eve can acquire about the pro- where, I is an Identity operator, and cos θ = √ . tocol and if I(A; BC) > I(A; E) then only the all three 1+4p(1−p) So, there are total 36 combinations, out of which four com- partners can go on to make the secret key. This is guaran- binations e.g. (A ,B ,C ), (A ,B ,C ), (A ,B ,C ) and teed from the violation of MABK inequalities. With Eve’s 1 1 1 1 2 2 2 1 2 (A ,B ,C ) are used to make the key as described before. qubit and her maximal power of affecting the protocol, 2 2 1 This gives the key rate of 1/9. Four combinations, e.g. we can construct the total four-qubit state |Ψ i, with ABCE (A ,B ,C ), (A ,B ,C ), (A ,B ,C ) and (A ,B ,C ) ρ and ρ , being the trusted and untrusted part re- 3 3 3 3 4 3 1 3 1 1 4 1 ABC AE are used to check the optimal violation for the inequality spectively. In [21] it was shown that I(A; BC) is greater in Eq. (23), which is 2p1 + 4p(1 − p). So, if the expecta- than I(A; E), only when ρABC violates the MABK [24,25] tion value for the inequality is less than 2p1 + 4p(1 − p), inequality but not ρAE√. In the same way, starting with the √ + − we can surely say that there is Eve’s intervention. Remain- state p |+xi |φ i + 1 − p |−xi |φ i, one can first ana- lyze the maximal attack possible by Eve and determine the ing 28 combinations we throw away for the completion of the protocol. state |ΨABCEi. Then one can go on to check condition for I(A; BC) > I(A; E) in terms of Bell inequality violation. There is a zoo of Bell inequalities [26] in multipartite scenario. One has to choose the optimum Bell inequality for 6 Resource states structure for multipartite this scenario, which can be used most effectively. In this case (N ≥ 4) sense, the inequalities [8,9] previously introduced by some of the present authors are useful, as these inequalities are In this section, we explore the resource state structure violated by all generalized GHZ-states, the property which of four-qubit states that are suitable for maximal Co- is not shown by any correlation Bell inequalities with two QKD, i.e. CoQKD with perfect key and optimal key rate, 8 Arpan Das et al.: Resource state structure for controlled quantum key distribution for some particular measurements performed by the con- with all the single qubit reduced density matrices with trollers. In this multipartite protocol, all the controllers entropy one are suitable resource states for CoQKD. A are independent and they announce their choices of bases nontrivial example is the following state, publicly after making the measurements. In the scenario of four parties, there may arise two situations for CoQKD. 1 h |R1i = √ |0010i + |0100i + |0001i − |0111i+ In the first case, there are four parties and each party has 2 2 one qubit. Second case is when there are three parties and i |1000i + |1100i + |1011i − |1111i , one party (other than the sender and the receiver) has two qubits. We start with the first case. This state has similar entropic structure like the first structure, where |g0i and |g1i are not orthogonal as S(ρ4) ≈ .81 6.1 Case I: Each party has one qubit and S(ρi) = 1 for i = 1, 2, 3. This state is also suitable for controlled QKD. For four-qubits, we see that two Secret key can be established between Alice and Bob, if maximally-mixed single qubit reduced density matrices after the measurements by Charlie and Dennis, they share are the minimum requirement. Therefore, for four-qubits, a Bell state or its LU equivalent state. this criteria is also a necessary and sufficient for successful controlled QKD. Other possible structures are sufficient Proposition-2 : For maximal Controlled QKD, after the conditions. So, we can generalize it for any N-qubit en- measurement by one party say Dennis, the collapsed state tangled state with each one holding a single subsystem. between Alice, Bob and Charlie is LU equivalent to p1/2 |0i |φ+i + |1i (1 ⊗ U) |φ−i . If (1 ⊗ U) |φ−i is or- Proposition : For maximal controlled QKD, using a N- thonormal to |φ+i, then it is LU equivalent to GHZ-state. qubit entangled state, with each party holding one qubit, the necessary and sufficient condition for the resource state Proof : The proof follows from the Proposition-1. There is that it has at least two maximally-mixed single qubits. we showed that most general three-qubit resource state structure, for maximal CoQKD, is such that the state is either LU equivalent to GHZ or LU equivalent to 6.2 Case II: One party has more than one qubit p1/2 |0i |φ−i + |1i (1 ⊗ U) |φ+i , such that (1 ⊗ U) |φ−i is not orthonormal to |φ+i. Similarly, for four qubits, after Let us now consider the second situation, where one party, the measurement by one party, the state must collapse to e.g. Charlie, has two qubits in his possession. We know one of these three-qubit states, that for CoQKD the state must be either NMM (necessary and sufficient) or GHZ (sufficient) along the cut Charlie- (Alice and Bob). Now, Charlie holds two qubits, say first 1 two qubits, and makes measurement in the orthonormal |Φ1i = √ (|0i ⊗ |g0i + |1i ⊗ |g1i ). (26) 2 4 321 4 321 computational basis, {|00i , |01i , |10i , |11i}. We require 1 1 that after the joint measurement, the collapsed state be- |Φ2i = √ (|0i ⊗ |g0i + √ |1i ⊗ |ψi ). (27) 2 4 321 2 4 321 tween Alice and Bob is LU equivalent state to a Bell state. Therefore, the most general structure of the resource state 1 1 0 |Φ3i = √ (|0i ⊗ |ψi + √ |1i ⊗ |ψ i ). (28) is, 2 4 321 2 4 321 1 where, |g0i is conventional GHZ-state and |g1i is LU equiv- |Ψi = (|00i ⊗ |φ1i + |01i ⊗ |φ2i 0 2 alent |g0i, |ψi and |ψ i are the states as mentioned in Eq. (3) with different coefficients p. The subscripts denote the + |10i ⊗ |φ3i + |11i ⊗ |φ4i), (29) order of the qubits which we follow throughout our discus- where, |φ1i, |φ2i, |φ3i and |φ4i are LU equivalent to Bell sion. Notice that, if |g0i is orthogonal to |g1i, then all the single qubit reduced density matrices of the resource state states, though not necessarily orthonormal to each other. |Φ i have entropy one, otherwise, the reduced density ma- All states of the form of Eq. (26), Eq. (27) and Eq. (28) 1 can be recast as Eq. (29) and vice versa. It can be shown trix of the first qubit has entropy less than one, whereas p all other single qubit reduced density matrices have en- very easily, by observing that 1/2(|0i⊗|φ1i+|1i⊗|φ2i) p tropy one. For the state |Φ2i, the single qubit reduced den- and 1/2(|0i ⊗ |φ3i + |1i ⊗ |φ4i) are the NMM states. sity matrices for the last two qubits are maximally mixed, So, |Ψi has the similar structure like |Φ1i, |Φ2i and |Φ3i. whereas the other qubits have reduced density matrices Therefore, the states which are useful for CoQKD as de- with entropy less than one. And similarly the state |Φ3i scribed in the case I, can also be used as a resource in the has also the similar entropy configuration as |Φ2i. There- present case II. fore, given the entropy structures, we cannot distinguish between |Φ2i and |Φ3i. To distinguish them, we need the collapsed states after the measurement by Dennis. 6.3 QBER for the state between Alice and Bob To illustrate the above proposition, we give examples of states which satisfy the above resource structure. Clus- As the structure of the resource states are similar for two ter states [27] which belong to the first category of states scenarios, we can start with any of the above written forms Arpan Das et al.: Resource state structure for controlled quantum key distribution 9 of the resource states. We choose the form of the state to 0.7 be Eq. (29). First we start with the scenario, when each 0.6 party has one qubit with them. In this case there are two 0.5 controllers/supervisors e.g. Charlie and Dennis. As before 0.4 in the three-qubit scenario, collapsed state between Alice 1 and Bob depends upon the measurement basis chosen by Q 0.3 the controllers. 0.2 Without the loss of generality, we consider that Den- Β =0.1 0.1 nis and Charlie choose to measure in the basis given by Β =0.5 Eq. (5). After the measurement by Dennis, the collapsed 0.0 state between Charlie, Alice and Bob corresponding to the 0.0 0.2 0.4 0.6 0.8 1.0 Α outcome |+βi, is given by, |0i (|φ i + β |φ i) + |1i (|φ i + β |φ i) Fig. 4. Variation of QBER with α for different β’s. |Ψ + i = 1 3 2 4 (30) CAB p2(1 + |β|2) where β determines the measurement basis chosen by De- nis. Thus the collapsed state is a partially entangled three- |00i + m |11i m∗ |00i − |11i |χ+ i = , |χ− i = , qubit state. So there is non-vanishing QBER in the proto- m p1 + |m|2 m p1 + |m|2 col. We can find it by using the same procedure as given |01i + m |10i m∗ |01i − |10i in Eq. (14). It is to be noted that there is a collapsed state |ζ+i = , |ζ−i = , (33) m p 2 m p 2 corresponding to the measurement outcome |−βi but the 1 + |m| 1 + |m| analysis is similar to the present case. Now, Charlie would measure in the general basis as before resulting a collapsed Then, the collapsed state between Alice and Bob is state between Alice and Bob. Corresponding to the out- |φ1i + m |φ4i come |+ i, we find that the state is given by, |Ψ + i = √ , (34) α AB 1 + m2 |φ i + α |φ i + β |φ i + αβ |1i |φ i |Ψ + i = 1 2 3 4 , (31) corresponding to the outcome |χ+ i, which occurs with AB p 2 2 m (1 + |α| )(1 + |β| ) probability 1/4. The collapsed state is partially entangled where α is the measurement parameter of Charlie and state and as before we find QBER of the protocol, Charlie obtains the outcome |+αi. Now, the collapsed m2 state between Alice and Bob involves two parameters aris- Q2 = 2 , (35) ing from the measurement basis of Charlie and Dennis. We 1 + m take these two parameters to be real. As the state is not where, we have considered m as real. If Charlie measures maximally entangled there is non-vanishing QBER even in computational basis the collapsed state is a Bell state in the absence of any eavesdropper. When |φ1i, |φ2i, |φ3i which yields a vanishing bit error rate. We plot the QBER and |φ4i are four Bell states, we find the QBER of the in this case with the parameter m in Fig.5. protocol employing the expression of Eq. (14) as given by,

β2 α2 0.5 Q = + (32) 1 1 + β2 1 + α2 0.4 There are two parameters in QBER which are controlled by Dennis and Charlie. The behavior of QBER with re- 0.3 2 spect to the measurement parameters are displayed in Fig. Q 0.2 4. We have plotted the QBER with the parameter α, for different values of β’s. From the expression of QBER, it 0.1 is evident that plot with β for different α’s is similar. We can see from Eq. (30) and Eq. (31) that if Dennis and 0.0 Charlie measure in the computational basis the collapsed 0.0 0.2 0.4 0.6 0.8 1.0 states are three-qubit GHZ-state and Bell state respec- m tively. Therefore, we find vanishing QBER which can be Fig. 5. Variation of QBER with the parameter m. seen in the above plot. Next, we consider the second scenario, where there is one controller e.g. Charlie, who holds two qubits. Charlie now can use an entangled basis for the measurement. We show that for the measurement in entangled basis, the 7 Cooperative teleportation collapsed state between Alice and Bob is not a Bell state. For the resource state in Eq. (29), Charlie performs a joint In this section, we discuss the usefulness of the resource measurement using Generalized Bell Basis (GBS), state (3) in cooperative teleportation scheme [28,29,30, 10 Arpan Das et al.: Resource state structure for controlled quantum key distribution

31]. The protocol can be carried out in the same way as 1.0 CoQKD: Charlie makes a measurement on his subsystem and classically communicates his measurement outcome 0.8 to Alice who has the unknown qubit to teleport to Bob. p =0.1 She then makes a joint measurement on the composite sys- 0.6 = tem conditioned on Charlie’s measurement outcome and p 0.2 informs her measurement outcome to Bob who finds a suit- 0.4 p =0.3 able unitary transformation to retrieve the original state. Concurrence p =0.4 In tripartite scenario, the state recast as (3) is suit- 0.2 p =0.5 able for the protocol. In this case, depending on Charlie’s choice of measurement basis i.e. on n, fidelity F of tele- 0.0 1 0.0 0.2 0.4 0.6 0.8 1.0 portation would be determined and for p = 2 , Charlie has full control over the protocol [32]. As the collapsed n state between Alice and Bob is partially entangled in a Fig. 7. Variation of average concurrence with the parameter more general situation, naturally teleportation fidelity is n. no longer unity. It would be interesting to find the behavior of average fidelity with the Charlie’s measurement outcome which is characterized by n. We define average The reason is that for a pure state fidelity is related to fidelity as, 2 the concurrence by the formula F = 3 (1 +C). In our case, Fav = p+F+ + p−F−, (36) 2 average fidelity is Fav = p+F+ + p−F− = 3 (1 + p+C+ + where, F± corresponds to the fidelity of |ψ±i respec- 2 AB p−C−) = 3 (1 + Cav). tively. We calculate fidelity using the√ formula given by Horodecki et al. [33], F ≤ 1 (1 + 1 Tr T †T ), where the el- 2 3 ements of the matrix T is defined as tαβ = Tr (σα ⊗σβ)ρ for a state ρ. We consider the optimal fidelity F = 1 (1 + √ 2 8 TMES for Cooperative communication 1 † 3 Tr T T ). protocols The variation of average fidelity with control parameter n has been displayed in the Fig.(6). It is interesting For multipartite states, there is no unique notion of max- 1.00 imally entangled state like Bell states in two-qubit case. But we can construct a set of states which may be suit- 0.95 able for a particular protocol and those states that can execute the protocol maximally. We have seen that apart 0.90 = p 0.1 from the GHZ state, the state (3) is capable of perform- 0.85 p =0.2 ing controlled QKD as well as cooperative teleportation. p =0.3 Fidelity 0.80 These resource states are suitable for maximal CoQKD, p =0.4 i.e. the protocol can be carried out for perfect key genera- 0.75 p =0.5 tion with optimal key rate, as well as maximal cooperative 0.70 teleportation, i.e. with unit probability and optimal fidelity. Therefore, these states are task-oriented maximally 0.0 0.2 0.4 0.6 0.8 1.0 entangled states (TMESs) as introduced by the authors in n [10]. Fig. 6. Variation of average fidelity with the parameter n In the case of tripartite states, as shown in [10], one should be able obtain a TMES for teleportation by applying a suitable multinary transformation on the product to point out that Charlie has full control over the pro- state of a one-qubit state and a Bell state. We now present tocol when the state is GHZ, i.e., p = 0.5. However, for these transformations for the resource state. It would be other values of p and some range of n, Charlie does not interesting to see how these states can be realized. A sin- have any control as average fidelity remains constant. To gle qubit unitary operation followed by a global unitary understand this behavior we compute concurrence [34] of on a Bell state would suffice to produce this kind of state: the states |ψ+iAB and |ψ−iAB and then average it to find out the average concurrence as, 0 + √ + p − (U12⊗σ3) |0i1 |φ i23 = p |0i1 |φ i23+ 1 − p |1i1 |φ i23 , (38) Cav = p+C+ + p−C−. (37) √ √ pσ0 1 − pσz where, the operator U = √ √ acts We plot the average concurrence with control parameter n 12 − 1 − pσz pσ0 0 0 for some values of p. The nature of Fig.7 is exactly same on first two qubits and σ3 is σ acting on the third qubit. as the nature of Fig.6. σ0 is the 2×2 identity matrix and σz is the Pauli-Z matrix. Arpan Das et al.: Resource state structure for controlled quantum key distribution 11

9 Conclusion 3. C. H. Bennett, Phys. Rev. Lett. 68, 21 (1992), C. H. Ben- nett, S. J. Wiesner, Phys. Rev. Lett. 69, 2881 (1992), L. We have considered the CoQKD protocol for secret key Goldenberg and L. Vaidman, Phys. Rev. Lett. 75, 1239 generation in a multi-party situation, where a secret key (1995), D. Bruß, Phys. Rev. Lett. 81, 3018 (1998), T. Gao, is established between two parties with the control or su- F. L. Yan and Z. X. Wang, Journal of Physics A, 38, 5761 (2005), A. Ac´ın et al., Phys. Rev. Lett. 98, 230501 (2007). pervision of other parties. The advantage of this protocol 4. J. F. Clauser, M. A. Horne, A. Shimony, and R. A. Holt, is that one or more parties can supervise the secret key Phys. Rev. Lett. 23, 880 (1969). generation, thus reducing the chance of dishonesty. For a 5. H. Chao, X. Peng, and G. G-Can, Chin. Phys. Lett. 20, given multipartite state, it is not always obvious whether 183 (2003). this state can be used for controlled QKD or Cooperative 6. S. Braunstein and S. Pirandola, Phys. Rev. Lett. 108, teleportation. In this paper, we have constructed resource 130502 (2012). states for maximal controlled QKD, i.e. Co-QKD with 7. Hoi-Kwong Lo, Marcos Curty and Bing Qi, Phys. Rev. perfect key generation and optmal key rate. These states Lett. 108, 130503 (2012) are also suitable for maximal cooperative teleportation, 8. A. Das, C. Datta and P. Agrawal, Phys. Lett. A 381, 3928 i.e. teleportation with unit probability and unit fidelity. (2017) The resource states we have discussed are exhaustive for 9. A. Das, C. Datta, P. Agrawal, arXiv : 1809.05727 ( 2018). three-qubit case. The efficiency of the protocols depends 10. P. Agrawal and B. Pradhan, Journal of Physics A 43, 23 on the choice of the measurement basis by the controlling (2010). parties. We have explicitly shown the dependence of the 11. B. Kraus, Phys. Rev. Lett. 104, 020504 (2010). key rate of CoQKD protocol and fidelity of cooperative 12. B. Kraus, Phys. Rev. A 82, 032121 (2010). teleportation with Charlie’s choice of measurement basis. 13. T. A. Brun and O. Cohen, Phys. Lett. A 281, 88 (2001). Efficiency of the protocol (key rate or fidelity) is controlled 14. N. Linden, S. Popescu, Fortsch. Phys. 46, 567 (1998). by Charlie. If he chooses a basis set wisely then the pro- 15. N. Gisin et al., Rev. Mod. Phys. 74, 145 (2002). tocol can be carried out maximally, i.e. optimal key rate 16. R. Horodecki, M. Horodecki and P. Horodecki, Phys. Lett. or fidelity. In this sense, the states we have discussed are A 200, 340 (1995). 17. V. Scarani, Acta Physica Slovaca 62, 347 (2012). TMESs. 18. O. Ahonen, arXiv : 0903.2117 (2009). For arbitrary choice of basis by Charlie, the collapsed 19. V. Scarani et al., Rev. Mod. Phys 81, 1301 (2009). state between Alice and Bob is non-maximally entangled. 20. A. Cabello, arxiv : quant-ph 0009025 (2000). We have discussed security and key rate in this situation 21. V. Scarani and N. Gisin, Phys. Rev. A 65, 012311 (2001). for CoQKD. Apart from CoQKD, we have shown how to 22. K. Chen and H - K Lo, Int. Symp. on Information Theory generate a conference key with the resource state. It turns 1607-11 (2005). out that recently introduced Bell inequalities can be used 23. M. Epping, H. Kampermann, C. Macchiavello, and D. to determine the security of the conference key protocol. Bruß, New Journal of Physics, 19, 093012 (2017). We have also gone beyond three-qubit scenario, and con- 24. N. D. Mermin, Phys. Rev. Lett. 65, 1838 (1990) structed suitable resource states for four-qubit states. We 25. M. Ardehali, Phys. Rev. A 46, 5375 (1992); A. V. Belinskii hope that our discussion would lead to experimental ob- and D. N. Klyshko, Phys. Usp. 36, 653 (1993). servations of these cooperative schemes. 26. N. Brunner et. al., Rev. Mod. Phys. 86, 419 (2015). 27. H. J. Briegel and R. Raussendorf, Phys. Rev. Lett. 86, 910 (2001). P.A. acknowledges the support from the Department of Science 28. C. H. Bennett et al., Phys. Rev. Lett. 70, 1895 (1993). and Technology, India, through the project DST/ICPS/ 29. P. Agrawal et al., European Physical Journal D 69 (2015). QuST/Theme-1/2019. 30. B. Pradhan, P. Agrawal and A. K. Pati, arXiv : 0805.2651 (2008). 31. T. Gao, F. L. Yan, Y. C. Li, Eur. Phys. Lett 84, 50001 Author contribution statement (2008). 32. X. H. Li, S. Ghose, Phys. Rev. A 90, 052305 (2014). 33. R. Horodecki, M. Horodecki, and P. Horodecki, Phys. Lett. Development and construction of the problem have beendone A 222, 21 (1996). by all the authors. A. Das and S. Nandi carriedout most of the 34. W. Wootters, Phys. Rev. Lett. 80, 2245 (1998). calculations. A. Das, S. Nandi, andP. Agrawal examined and checked the results. All theauthors contributed to the prepa- ration of the manuscript.

References

1. A. K. Ekert, Phys. Rev. Lett. 67, 661 (1991). 2. C. H. Bennett, G. Brassard, in Proceedings IEEE Int. Conf. on Computers, Systems and Signal Processing, Ban- galore, India, pp. 175-179.