Multiparty Quantum Key Agreement
- MQKA is a quantum cryptographic protocol where multiple parties collectively contribute private inputs (often via XOR operations) to produce a shared, secure key.
- It leverages various quantum resources—Bell, GHZ, cluster, and high-dimensional states—and employs decoy states and entanglement properties to detect eavesdropping.
- Architectural designs such as ring, complete graph, and star critically impact channel complexity, latency, and resistance to insider collusion.
Multiparty quantum key agreement (MQKA) is a class of quantum cryptographic protocols in which mutually distrustful parties establish a shared secret key such that all honest parties output the same key, the key is information-theoretically secret from external adversaries, and no proper subset of participants can unilaterally determine, predict, or significantly bias the outcome. In the strong formulation used across the MQKA literature, each participant contributes a private string, and the final key is typically an XOR such as (Mouaji et al., 3 Mar 2026). Within this broader landscape, quantum conference key agreement is the archetypal single-group setting in which one set of parties shares one common key, whereas the full MQKA design space additionally emphasizes fairness, collusion resistance, and the privacy of individual contributions (Amer et al., 2022).
1. Formal task and security objectives
MQKA is distinct from quantum key distribution in a structural sense. In QKD, one party, or a distinguished pair, effectively establishes or distributes the key; fairness is not the central security requirement. In MQKA, by contrast, all participants are intended to be peer entities whose private inputs collectively determine the final key. This difference is explicit in early strong formulations of QKA and MQKA, where the final shared key is defined as a symmetric function of all private strings, for example in the three-party case or in the -party case (Shukla et al., 2013).
The security objectives are correspondingly stronger than in bipartite QKD. Correctness requires that all honest parties output the same key. Secrecy requires that an external eavesdropper obtain negligible information about that key. Fairness requires that no non-trivial subset can determine the final key alone or force it to a chosen value. Several works additionally elevate two further properties to first-class status: privacy of the individual sub-secrets, so that participants learn only the final key and not each other’s private inputs, and simultaneity, so that no participant recovers the final key earlier than the others and then exploits that temporal asymmetry (Huang et al., 2013); (Liu et al., 2020).
This problem setting is also more demanding than classical multiparty key agreement. Classical schemes are normally grounded in computational assumptions, whereas MQKA is formulated as an information-theoretic primitive based on quantum mechanics. That shift does not, by itself, solve the fairness problem. A recurring theme in the literature is that secrecy against external Eve is comparatively straightforward to engineer with decoys and disturbance tests, while fairness against internal adversaries and colluding participants is the technically harder requirement (Abulkasim et al., 2020).
2. Architectural, physical, and trust-model structure
A 2026 review argues that MQKA is best understood along three orthogonal but coupled axes: network architecture, quantum resources, and security model (Mouaji et al., 3 Mar 2026).
| Axis | Representative options | Consequences |
|---|---|---|
| Network architecture | circle, complete graph, tree, star, hybrid | channel complexity, latency, collusion surface |
| Quantum resources | Bell, GHZ, W, Dicke, cluster/graph, qudits, CV, twin-field | robustness, key density, implementation burden |
| Security model | device-dependent, MDI, DI/semi-DI, semi-quantum | trust assumptions and side-channel exposure |
Architecturally, circle-type or traveling-mode MQKA uses a ring , with a traveling sequence that accumulates local encodings. Its attraction is low channel complexity, typically , but it is precisely this serial flow of quantum information that creates strong positional asymmetries and collusion opportunities. Complete-graph-type MQKA uses pairwise exchanges across all pairs, with quantum links, but spreads information sufficiently broadly that small coalitions lose the visibility they enjoy in ring protocols. Tree-type and star-type constructions reduce channel count back toward but introduce privileged structural locations such as roots or hubs, which must then be protected by protocol design or trust assumptions (Liu et al., 2016); (Mouaji et al., 3 Mar 2026).
At the resource level, Bell states and GHZ states dominate early discrete-variable designs. Bell states are natural for pairwise or ring protocols; GHZ states are natural for star, tree, and multicast-style schemes. W states and Dicke states are attractive because of greater loss robustness, whereas cluster and graph states support measurement-based or structurally richer protocols. High-dimensional qudit GHZ states alter both rate and noise tolerance, and continuous-variable as well as twin-field resources are motivated by long-distance network deployment (Amer et al., 2022); (Mouaji et al., 3 Mar 2026).
The security-model axis controls which implementation assumptions are in scope. Device-dependent MQKA trusts state preparation and measurement devices. Measurement-device-independent variants move trust away from detectors or central relays. Device-independent and semi-device-independent variants aim to certify secrecy and, potentially, fairness through nonlocal correlations or restricted device models. Semi-quantum variants allow some parties only limited operations such as reflection or fixed-basis processing, expanding the range of plausible network participants but complicating the security analysis (Mouaji et al., 3 Mar 2026).
3. Representative protocol families and constructions
The literature contains several recurring construction paradigms. They differ less in the abstract goal than in how they realize symmetric contribution, eavesdropping detection, and internal-security enforcement.
| Construction | Core mechanism | Representative paper |
|---|---|---|
| Orthogonal-state MQKA | Bell states, Bell decoys, 0 and 1 encodings, Bell measurements | (Shukla et al., 2013) |
| GHZ-multicast MQKA | rotating leader/followers on GHZ states, MQSDC-derived multicast | (Zeng et al., 2016) |
| 2-resistant circular MQKA | 3 sub-circles per initiator, shortened travel paths | (Sun et al., 2016) |
| Verifiable cluster-state MQKA | six-qubit cluster states, retained subsequences, TDC, homomorphic hash | (Liu et al., 2020) |
| Authenticated optical-ring MQKA | identity hashing with Grover-like 4 and 5 operators | (Gao et al., 2021) |
| High-dimensional QCKA | 6-dimensional GHZ states, Fourier-basis sum tests, finite-key proof | (Amer et al., 2022) |
The orthogonal-state-based program answers a foundational question that earlier MQKA protocols had largely left unchallenged: whether non-orthogonal states are necessary. A three-party protocol based entirely on Bell states shows that they are not. Each party prepares Bell pairs, keeps a home sequence, and sends the traveling halves around a ring. Encodings are performed in two rounds, first with 7 and then with 8. Eavesdropping detection is done only through Bell-state decoys and Bell measurements; no basis randomization is required. The final Bell measurement allows each user to infer the others’ bits and compute 9. The security principle is monogamy of entanglement rather than BB84-style conjugate coding (Shukla et al., 2013).
A different line derives MQKA from multiparty quantum secure direct communication. In a GHZ-based multicast protocol, one participant in each round acts as leader and the others as followers. Followers encode one bit using 0 or 1, while the leader uses one of four Pauli operations, with the logical interpretation depending on the parity of 2. The leader performs the GHZ measurement and publishes the outcome; from that outcome and their own operation, all parties can reconstruct the XOR contribution for that GHZ state. Leadership rotates over the key string. The explicit motivation is to replace unicast-style 3 message exchange by multicast with linear growth in transmissions, decoys, and delay (Zeng et al., 2016).
A more explicitly fairness-oriented circular construction splits the ring into 4 sub-circles. Each participant 5 prepares 6 entangled resources 7, and each travel sequence traverses only a sub-circle of length 8 rather than the full ring. The protocol is designed so that a coalition of at most 9 dishonest participants may still recover information only when all encodings are already completed, thereby destroying the key-flipping stage of the standard collusion attack. For 0, the construction effectively reduces to complete-graph-type MQKA (Sun et al., 2016).
Several later protocols add explicit verification or authentication layers. One six-qubit-cluster-state scheme introduces a verifiable distributor who retains subsequences 1, distributes the other subsequences with decoys, and is itself tested by 2- and 3-basis correlation checks before the protocol proceeds. Aggregate keys 4 and 5 are extracted from cluster-basis measurements, and a trusted design combiner checks homomorphic hash relations before releasing the final key 6, thereby enforcing correctness and simultaneity (Liu et al., 2020). Another protocol, tailored to an optical-ring quantum communication network, embeds identity authentication into the quantum operations themselves. Users and a semi-trusted third party compute keyed hashes 7, and Grover-like operators 8 and 9 are used so that incorrect identity information disrupts the parity structure of the two-qubit carriers and becomes detectable (Gao et al., 2021).
A parallel development treats quantum conference key agreement as a high-dimensional special case within MQKA. A 0-dimensional GHZ state
1
is distributed, and the parties choose between computational-basis key rounds and Fourier-basis test rounds. In the ideal Fourier-basis case the outcomes satisfy
2
which becomes the parameter-estimation statistic in the finite-key proof (Amer et al., 2022).
4. Fairness failures, collusion attacks, and recurrent loopholes
The MQKA literature is unusual in that protocol design and cryptanalysis have developed in near lockstep. Several schemes advertised as fair and efficient were later shown to fail precisely on fairness.
A central early critique concerns single-particle circular MQKA. In one such protocol, each participant prepares payload qubits in 3 or 4, neighboring participants encode via 5 or 6, and the originator finally measures to recover the XOR of others’ bits. The cryptanalysis shows two distinct failures. First, the two participants adjacent to an honest party can recover that party’s sub-secret by preparing all payload qubits in 7, letting the honest party encode, and then measuring in the computational basis. Second, a coalition of dishonest participants can fully determine the final shared key by learning the honest participants’ sub-secrets and choosing their own effective contributions accordingly. The key lesson is explicit: decoy states protect only the channel, not the privacy of sub-secrets or fairness against insiders (Huang et al., 2013).
This insight was generalized into a structural classification of MQKA protocols into complete-graph-type, circle-type, and tree-type. Circle-type protocols, in which each participant’s travel sequence goes once around the full ring and returns, were shown to share a common loophole. Two dishonest participants at specific positions can exchange or share the retained halves of entangled states, recover XORs of the honest participants’ keys in mid-protocol, and then alter their own later encodings so that the final key becomes any chosen value. In even-8 rings, the attack positions satisfy 9; in odd-0 rings, 1 or 2. Tree-type protocols avoid that exact geometry but were shown to remain unfair under “detection bits chosen” attacks. Complete-graph-type protocols were identified as structurally more resistant because there is no single circular choke point (Liu et al., 2016).
A later collusive-attack analysis sharpened the mechanism further. In many circular protocols, two dishonest participants separated by exactly one honest participant can replace genuine sequences with counterfeit ones, allow the honest middle participant to encode on the counterfeit carrier, and then measure to read out that participant’s key. Local decoy checks do not reveal the substitution, because the colluders themselves prepare and verify the decoys honestly. On this basis, a general secure circular-type model was proposed in which a semi-honest server randomly selects payload qubits for internal consistency tests, forcing senders to reveal the unitaries applied to those positions and preventing fake/genuine sequence divergence (Abulkasim et al., 2020).
The same pattern reappears in protocols based on non-maximally entangled cluster states. A 2020 cryptanalysis shows that in Li et al.’s cluster-state MQKA, colluding participants can access their own originally prepared particles after others have encoded on them, perform the intended final POVM early, recover the relevant subkeys, and then inject fake encodings so that the final key becomes an arbitrary 3. An improved countermeasure replaces the cluster-state carrier by single photons and adds random 4 or 5 operations after key encoding so that premature measurement is no longer directly interpretable (Gu et al., 2020).
Across these attacks, a common misconception is corrected. Eavesdropping detection and correctness do not imply fairness. High qubit efficiency does not imply security. A protocol can remain perfectly capable of detecting outsider interference while being fundamentally unable to prevent insiders from learning sub-secrets or fixing the final key (Huang et al., 2013).
5. Verification, authentication, anonymity, and composable security
Because fairness failures in MQKA are usually internal rather than external, later protocols increasingly add explicit verification, authentication, or trusted-combiner layers. These mechanisms do not all solve the same problem, but they represent a shift from raw encoding schemes toward protocol-level enforcement.
One strategy is orthogonal-state verification via entanglement monogamy. In the Bell-state MQKA framework, decoy Bell states are inserted repeatedly and checked by Bell measurements. The claim is not merely that disturbances reveal Eve, but that maximally entangled Bell correlations together with monogamy prevent a third system from remaining significantly entangled without causing detectable errors (Shukla et al., 2013).
A second strategy is payload-integrity testing with a semi-honest server. In the secure circular-type model, the server randomly samples actual payload qubits rather than auxiliary decoys, asks the sender to announce the corresponding 6 operations, and asks the receiver to measure in the original bases recorded by the server. The counterfeit-sequence attack then fails because the forged payload cannot simultaneously match the server’s original state description and the sender’s declared operation history (Abulkasim et al., 2020).
A third strategy is to couple quantum verification with classical integrity checks. The six-qubit-cluster-state protocol employs a verifiable distributor, 7-basis cluster-state tests, additive homomorphic hashes 8, and a trusted design combiner that checks
9
before releasing the final key. In that design, correctness, simultaneity, and classical tamper detection are all tied together (Liu et al., 2020).
Identity authentication addresses a different but practically important gap. In an optical-ring MQKA, identities 0, long-term keys 1, and session nonces are hashed into tags 2, and those tags directly control quantum operations. An impersonator who does not know the relevant 3 cannot preserve the global parity conditions required by the Grover-like search structure, so the protocol’s own test bits reveal the attack (Gao et al., 2021).
Anonymity adds yet another dimension. Anonymous conference key agreement uses GHZ states together with a classical Notification protocol and Anonymous Multiparty Entanglement so that a hidden subset of parties ends up sharing a GHZ state while outsiders, and even the participants themselves to a degree, do not learn the full identity structure. Sender and receiver anonymity are formalized as guess-probability bounds of 4 against an adversary corrupting up to 5 parties, and a GHZ verification test is used to reject states too far from ideal (Hahn et al., 2020).
On the proof-theoretic side, high-dimensional GHZ-based QCKA provides one of the clearest finite-key and composable security analyses within the broader MQKA family. Using quantum sampling, ideal-state reduction, min-entropy bounds, and privacy amplification, it derives a final key length
6
and, under a depolarizing model with additional estimation terms, a more explicit finite-key rate formula (Amer et al., 2022). At the same time, a broad review emphasizes that MQKA still lacks a widely adopted UC-, AC-, or IITM-style composable framework that simultaneously captures secrecy, correctness, fairness, and collusion resistance as a single ideal resource (Mouaji et al., 3 Mar 2026).
6. Experimental status and open problems
MQKA is no longer purely formal. A four-party quantum conference key agreement experiment distributed telecom-wavelength GHZ states across up to 7 km of fibre and implemented the full classical stack of multi-user error correction and privacy amplification. Under finite-key analysis, it established 8 bits of secure key and used them to encrypt and share an image among the four users (2002.01491). In that implementation, the asymptotic key fraction followed
9
and the finite-key rate incorporated statistical fluctuations, error-correction leakage, and the seed cost for basis coordination (2002.01491).
Experimental progress has also reinforced the relevance of multipartite entanglement as a native network primitive rather than merely a theoretical alternative to many pairwise QKD links. The conference-key literature argues that when a network can distribute multipartite entanglement directly, GHZ-based CKA can provide up to an 0 rate advantage over pairwise QKD compositions in constrained settings, because one multipartite resource state can replace multiple bipartite sessions (2002.01491). High-dimensional generalizations further suggest that both per-signal information and tolerable noise increase with 1, and that these gains cannot be reproduced by simply running multiple qubit protocols in parallel (Amer et al., 2022).
Nevertheless, the open-problem landscape remains dominated by fairness and network realism. A recent survey identifies four especially persistent issues: the absence of a standard composable fairness framework; the difficulty of achieving strong fairness against large collusions with only 2 channels; the need for network-native protocol families that match backbone, access, and repeater architectures; and the lack of mature device-independent or semi-device-independent MQKA implementations (Mouaji et al., 3 Mar 2026). That same review frames future work around hybrid-resource protocols, Dicke-state constructions, bosonic-code-encoded logical MQKA, and explicit fairness-aware metrics such as maximal coalition bias and position-dependent advantage (Mouaji et al., 3 Mar 2026).
Taken together, the literature shows that MQKA is not simply “multipartite QKD.” Its defining challenge is the simultaneous treatment of secrecy and strategic symmetry. Protocols based on Bell, GHZ, cluster, and high-dimensional states demonstrate that many physical realizations are possible; cryptanalyses of ring and cluster-state schemes show that decoy-based outsider security is insufficient; and recent work on verification, authentication, anonymity, and finite-key proofs suggests that the field is gradually moving from ad hoc constructions toward a more systematic theory of multiparty quantum cryptographic agreement.