Experimental quantum Byzantine agreement on a three-user quantum network with integrated photonics

Abstract

Quantum communication networks are crucial for both secure communication and cryptographic networked tasks. Building quantum communication networks in a scalable and cost-effective way is essential for their widespread adoption. Here, we establish a complete polarization entanglement–based fully connected network, which features an ultrabright integrated Bragg reflection waveguide quantum source, managed by an untrusted service provider, and a streamlined polarization analysis module, which requires only one single-photon detector for each user. We perform a continuously working quantum entanglement distribution and create correlated bit strings between users. Within the framework of one-time universal hashing, we provide the experimental implementation of source-independent quantum digital signatures using imperfect keys circumventing the necessity for private amplification. We further beat the 1/3 fault tolerance bound in the Byzantine agreement, achieving unconditional security without relying on sophisticated techniques. Our results offer an affordable and practical route for addressing consensus challenges within the emerging quantum network landscape.

The quantum Byzantine agreement with imperfect keys is demonstrated in a fully and simultaneously connected quantum network.

INTRODUCTION

Quantum communication (1–6) is one of the most mature quantum technologies. It enables the generation of secure keys between distant parties, even under the surveillance of an eavesdropper with unlimited computing power. A quantum link comprises fiber or free-space optical channels, along with a specific type of communication protocol. For example, quantum teleportation allows the transmission of fragile quantum information between remote parties using previously shared entanglement and classical communication (7). Quantum secure direct communication, another important branch of quantum communication, has offered opportunities for directly sending secret information over secure quantum channels (8–10). Quantum key distribution (QKD) is the fastest growing fields in quantum communication and has been implemented on a great variety of platforms, such as long-distance fiber (11, 12) and free-space links (13, 14). Scaling the standard two-user protocols to many users is essential for its large-scale adoption (15–17). Up to this point, several QKD networks have undergone trials with trusted nodes (18–20) or passive/active switching (21–24) at the cost of sacrificing security or functionality. In theory, quantum repeaters (25, 26) have the potential to facilitate a global network, but the technology is still in its early stages. Recently, a fully and simultaneously connected quantum network architecture has been proposed without relying on trusted nodes (27), which enables widespread connectivity with security guaranteed by the laws of quantum physics. Several notable entanglement-based multiuser networks were reported, showing great promise for forming scalable quantum networks (28–34).

As quantum networks approach maturity, various networked tasks have emerged, such as quantum digital signatures (QDS) (35–39), quantum e-commerce (40), secret sharing (41–43), secure anonymous protocols (44, 45), and quantum Byzantine agreement (QBA) (46–53). Among them, QBA, a quantum approach for handling the Byzantine generals problem, can effectively achieve a consensus despite the presence of malicious players (54). QBA is equipped to manage decentralized communication and computation tasks in upcoming quantum networks, applicable to various aspects of daily life like blockchain, distributed storage, distributed computation, and electronic voting (55). In general, it offers information-theoretic security and superior fault tolerance performance compared to classical Byzantine agreement (CBA). There are two fundamental differences between QBA and CBA protocols. One is the security loopholes of public-key encryption methods used in CBA (56–58), which is under the threat of quantum computation (59, 60). The other lies in the 1/3 fault tolerance bound for CBA protocols, which requires a minimum of 3f+1 players to tolerate f malicious players (61, 62). Consequently, the three-party consensus problem is unsolvable for CBA even if the authentication classical channel is used (63). The first quantum solution to the three-party consensus was proposed in 2001 (46), with an experimental demonstration using a four-photon entangled state in 2008 (49). Several relevant QBA protocols using some special entangled states or qudits were subsequently reported (47, 48, 50, 51). Although these protocols offer levels of security unattainable through classical means, they deviate from Lamport’s two original Byzantine conditions by using additional assumptions. For example, the unavoidable occurrence of unreliable measurement results leads to a certain probability of failure and thus needs to be discarded. The main reason is that they do not fully use the correlation to protect the unforgeability and nonrepudiation of information. Moreover, these protocols suffer from low efficiency as they require multipartite entanglement and entanglement swapping, which are unscalable and remain largely impractical due to the probabilistic nature of a spontaneous parametric down-conversion (SPDC) source. In addition, they are limited to reaching only a one-bit message consensus. Fortunately, QDS (36, 38, 64) is a potential tool to overcome all these obstacles by establishing a multiparty correlation among users. QDS can protect data integrity, authenticity, and nonrepudiation with information-theoretic security. Nonetheless, there are still three main challenges of contemporary QDS related to the complexity and cost of their implementations. First, the well-known single-bit QDS protocols have a low signature rate, rendering them impractical for signing long messages. Second, most schemes require perfect keys with complete secrecy, which often entails substantial computational overhead and results in considerable delays in performing privacy amplification procedures. Third, the high demand for system manufacturability and accessibility for consumers in the network often leads to difficulty in their practical deployment.

Here, we counter the above challenges by implementing an efficient one-time universal hashing (OTUH) QDS protocol (39) on a cost-effective source-independent quantum network. By exploiting OTUH-QDS without perfect keys, we experimentally beat the limitation of 1/3 fault tolerance bound and security loopholes of CBA, indicating the quantum advantage in resolving consensus problems. This is possible owing to several recent advances. It was previously shown (65) that imperfect quantum keys with partial information leakage can be used for digital signatures and authentication without compromising security while having orders of magnitude improvement on signature rate compared with conventional single-bit schemes. Moreover, practical implementation of QBA not only requires a decentralized protocol design but also necessitates experimental equipment without additional trustworthiness assumptions. Intriguingly, the low-complexity fully connected quantum network architecture is an excellent experimental solution to decentralized protocols (27), resulting in practical QBA within a strict information-theoretic secure framework. It can use an untrusted entanglement source to establish simultaneous communication between one node and all other nodes, which is different from proof-of-principle experimental demonstrations using pairwise BB84 QKD (66). The last advance is the development of scalable architecture and integrated hardware for the creation of broadband bipartite entanglement, which is compatible with complementary metal-oxide semiconductor processes (31–34). AlGaAs semiconductor material is an outstanding platform due to its strong second-order nonlinearities, reconfigurability, and small birefringence enabling the generation of polarization-entangled states without requiring additional walk-off compensation or interferometric schemes. Moreover, as a direct bandgap III-V compound semiconductor, AlGaAs is well suited for lasing, which paves the way for developing monolithic integration of quantum light source (67). Integrating these ideas, we implement the protocols using an integrated AlGaAs Bragg reflection waveguide (BRW) quantum source managed by an untrusted service provider and a time-multiplexed decoding module, composed of two unbalanced polarization maintaining interferometers (UPMIs) and a single-photon detector (SPD), held by each end user. Our monolithic source maintains polarization entanglement fidelity exceeding 94.6% across a 26-nm bandwidth, with a high brightness of 45.6 MHz/mW. Our complete entanglement distribution experiment proves the viability of practical and affordable quantum networks and identifies pathways for solving practical quantum cryptography tasks without trusted nodes. It will be of interest to a more accessible quantum internet.

RESULTS

Before demonstrating the three-user QBA, we briefly review the protocol developed in (66). For a strict Byzantine agreement, there are two necessary interactive consistency (IC) Byzantine conditions (68). The first is that all loyal lieutenants obey the same order (IC₁), and the second is that every loyal lieutenant obeys the order of the commanding general if the commanding general is loyal (IC₂). Only when both conditions are satisfied can the system reach a consensus. As shown in Fig. 1A, we define Alice as commanding general, Bob as lieutenant 1, and Charlie as lieutenant 2. The main process includes three steps.

Fig. 1. Implementation of three-party QBA.

(A) The Byzantine generals must coordinate together to launch an attack that can overcome enemy defenses. It can be turned into a “commanding general–lieutenants” model, where the commanding general is randomly selected from among all the Byzantine generals and the others become lieutenants to reach a consensus on the commanding general’s order. (B) Alice is loyal. The loyal lieutenant, Bob, can deduce the correct message m₁ from Alice, which satisfies IC₂. (C) Alice is disloyal. The loyal lieutenants, Bob and Charlie, can independently deduce the consistent output message Δ, which satisfies IC₁.

1) Alice as the signer, Bob as the forwarder, and Charlie as the verifier, they perform OTUH-QDS (see the Supplementary Materials) on the message Alice wants to send. If the signing is successful, Bob and Charlie add this valid message m₁ to their own lists L_B and L_C, respectively.

2) Alice as the signer, Charlie as the forwarder, and Bob as the verifier (Bob and Charlie exchange the role in QDS), they perform OTUH-QDS on Alice’s message again. If the signing is successful, Bob and Charlie add this valid message m₂ to their own lists L_B and L_C, respectively.

3) Bob and Charlie will output m_B(C) = majority(m₁, m₂) (see the Supplementary Materials) as their own final decisions.

To demonstrate OTUH-QDS and three-user QBA, we need to generate correlated keys between each user with the source-independent security, where entangled photon pairs are generated by an untrusted provider (69). We refrain from presumptions regarding the light source within the protocol, allowing the adversary to produce any state desired. However, it is essential to presume perfect Z and X bases measurements for all participants. As participants randomly select one basis for measurement, any flaws of light source inevitably result in heightened error rates, which are inherently detectable via error rate estimation. Consequently, the protocol is deemed source-independent (14, 70), thereby circumventing the vulnerabilities inherent in traditional prepare-and-measure protocols. The scheme of our experimental setup is shown in Fig. 2 and includes four parts: quantum server (A) and polarization analysis module (PAM) with a detector for each user (B to D). The server is composed of an AlGaAs BRW source to prepare bipartite polarization-entangled states and a wavelength allocation unit. Owing to the dispersion and nonlinear properties of the source, the temporal walk-off between orthogonally polarized photons is so small that no compensation is required to obtain the polarization-entangled state $\mid {\mathrm{\Psi }}^{+}\rangle =\frac{1}{\sqrt{2}}\left(\mid \mathrm{H}\rangle \mid \mathrm{V}\rangle +\mid \mathrm{V}\rangle \mid \mathrm{H}\rangle \right)$ , positioning it as a promising candidate for the implementation of quantum networks. The generated photon pairs can be separated into different channels using standard telecom dense wavelength division multiplexing (DWDM) filters and shared between users receiving wavelength-correlated channels due to energy conservation during the SPDC process (27). Ultimately, we selected three pairs of channels ({CH19, CH20}, {CH18, CH21}, and {CH16, CH23}) to incorporate into our network architecture, with each user (that is Alice, Bob, and Charlie) receiving two channels.

Fig. 2. Experimental setup, which is mainly composed of four parts.

(A) Quantum server. A 780.9-nm continuous laser is coupled into fiber and split by a 1:99 BS, where 1% of the light is injected into the optical spectrum analyzer (OSA) to monitor the laser wavelength. The remaining light is polarized and coupled into the BRW source to directly generate broadband polarization-entangled photon pairs. The inset shows the scanning electron microscopy image of the fabricated BRW sample. The source is mounted on a copper plate whose temperature is stabilized by a temperature controller. After passing through the long-pass filters, three bipartite states are selected and distributed to form a three-user fully connected network. (B to D) Decoding module for three users, including PAM and one detector. (E) In the PAM, each user implements basis choice by nested unbalanced interferometers and transfers polarization to photon arrival time with a single detector. Abbreviations of components: LS, laser source; WDM, wavelength division multiplexer; PC, polarization controller; PD, power detector; LPF, long-pass filter; PBS, polarization BS; HWP, half-wave plate; QWP, quarter-wave plate; PMF, polarization-maintaining fiber; SMF, single-mode fiber; SPD, single-photon detector.

To intuitively illustrate the performance of the entangled source, we measured the interference curves as a function of the half-wave plate (HWP) angle in Z and X bases as shown in Fig. 3A. This measurement was conducted directly after demultiplexing but before multiplexing correlated channels to each user. The visibility of the fringe is defined as V = (CC_max − CC_min)/(CC_max + CC_min), where CC_max and CC_min are the maximum and minimum of the coincidence counts within a coincidence window of 300 ps. The fitting results show that all the raw visibilities are above 0.9, which is greater than the classical bound ( $\sqrt{2}/2$ ), required for the violation of the Clauser-Horne-Shimony-Holt form of the Bell’s inequality. The lower bound on entanglement fidelity can be calculated by the averaged visibilities in Z (HV) and X (AD) bases (71), where H represents the horizontal polarization and V the vertical, and $\mid \mathrm{D}\rangle =\frac{1}{\sqrt{2}}\left(\mid \mathrm{H}\rangle +\mid \mathrm{V}\rangle \right)$ and $\mid \mathrm{A}\rangle =\frac{1}{\sqrt{2}}\left(\mid \mathrm{H}\rangle -\mid \mathrm{V}\rangle \right)$ . All the fidelities can exceed 0.945 over the range. The visibility drop for large detuning with degeneracy wavelength is because of the effect of the occurrence of birefringence in the modes. To further confirm the quality of entanglement, we then perform quantum state tomography of the polarization entanglement for the frequency-correlated pairs used in the network. The photons are projected into the bases $\mid \mathrm{H}\rangle /\mid \mathrm{V}\rangle ,\mid \mathrm{D}\rangle /\mid \mathrm{A}\rangle ,\text{and}\mid \mathrm{R}\rangle /\mid \mathrm{L}\rangle$, where $\mid \mathrm{R}\rangle =\frac{1}{\sqrt{2}}\left(\mid \mathrm{H}\rangle +i\mid \mathrm{V}\rangle \right)$ and $\mid \mathrm{L}\rangle =\frac{1}{\sqrt{2}}\left(\mid \mathrm{H}\rangle -i\mid \mathrm{V}\rangle \right)$ . After coincidence measurements in nine different settings, the fidelity to the Bell state $\mid {\mathrm{\Psi }}^{+}\rangle =\frac{1}{\sqrt{2}}\left(\mid \mathrm{H}\rangle \mid \mathrm{V}\rangle +\mid \mathrm{V}\rangle \mid \mathrm{H}\rangle \right)$ is estimated. Figure 3B displays the reconstructed density matrix of the states, showing good agreement between the maximally entangled and measured quantum states with fidelities of 98.87 ± 0.06%, 98.94 ± 0.05%, and 99.03 ± 0.04%, respectively. The maximum matrix elements of the imaginary part are smaller than 0.077. After verifying that the source can provide high-quality entanglement, we multiplexed and sent two channels to each of the three users.

Fig. 3. Characterization of the BRW source.

(A) Interference curves in Z and X bases for seven different channels. The points are experimental data, and the curves are fits. The reconstructed density matrix ρ of the polarization entanglement states used in the network are shown in (B). Column heights and colors represent the absolute values ∣ρ∣ and phases ∣ arg (ρ)∣, respectively. The uncertainties in the fidelities extracted from these density matrices are calculated using a Monte Carlo routine, assuming Poissonian errors.

To demonstrate that the bipartite states were created simultaneously in paired channels, we independently compensated all channels in two mutually unbiased bases from the source to the measurement module. Meanwhile, the multiplexing was implemented to direct two channels to each user. We connect Alice via a 3.022-km fiber spool and Bob and Charlie with 4.025- and 4.024-km spools, respectively. As shown in Fig. 2E, the PAM is composed of nested UPMIs (see the Supplementary Materials), in which we randomly chose the measurement basis by a 50:50 beam splitter (BS) and projected the photons to X (up) or Z (down) bases with different delays. Furthermore, entangled photon pairs were identified by their arrival time. We can consequently obtain the number of coincidence counts in 16 configurations in one data accumulation for each channel pair. Figure 4A shows the time-correlation histograms for the three links with a data accumulation time of 20 min. The simultaneous projection measurements on the Z and X bases are indicated by the marked 16 coincidence combinations between each pair. The four error terms ∣HH〉, ∣VV〉, ∣DA〉, and ∣AD〉 are almost submerged in accidental counts owing to the high degree of entanglement and manual optimization of the polarization. With the nonclassical correlation counts measured in HV and DA bases, we calculated the lower bound on the Bell-state fidelities as 91.92 ± 0.57% (Alice and Bob), 92.54 ± 0.46% (Alice and Charlie), and 91.17 ± 0.74% (Bob and Charlie). These results show that we have successfully shared entanglement in all channels.

Fig. 4. Experimental results.

(A) Temporal cross-correlation histograms among three two-user links with 20 min of real-time data. The lower coincidence counts in the X basis are mainly due to the additional coupling losses in the analysis module. (B). Long-term performance of the network. The average QBER = (QBER_x + QBER_z)/2 and sifted key rate in bits per minute (bpm) are measured for more than 68 hours.

Having established high-quality bipartite states, we proceed to perform the BBM92 protocol (69) to establish keys between each user in the network. Figure 4B displays the evolution of the averaged quantum bit error rate (QBER) and sifted key rates per minute in more than 68 hours of testing. Steep spikes in the QBER and key rates are mainly caused by room temperature variations, which result in disturbances to the fiber coupling efficiency. The QBERs in Z and X bases are 3.42 and 4.76% (Alice and Bob), 3.40 and 3.67% (Alice and Charlie), and 3.60 and 5.43% (Bob and Charlie), respectively (see the Supplementary Materials). The corresponding averaged sifted key rates are 459.54, 628.35, and 293.07 bits per minute. After key sifting, three users reconcile their keys and adopt low-density parity-check codes for error correction. The scheme was optimized for graphics processing unit (GPU) utilization and implemented on a workstation equipped with an Intel Xeon Gold 6226R central processing unit @2.9 GHz, NVIDIA GeForce RTX 3090 GPU, and 64-gigabyte RAM (random-access memory). By leveraging the high parallelism advantage of the GPU, the deployed reconciliation scheme achieved an average throughput exceeding 80 Mbps. The average correction efficiencies are 1.1648, 1.1627, and 1.1468, respectively (see the Supplementary Materials).

Last, let us show the practical implementation of our three-user QBA. The requirement of the theory is to construct multiparty correlation of these three players to generate correlated quantum keys for three-party QDS in steps 1 and 2 of QBA. As shown in Fig. 5A, the secret keys of Alice, Bob, and Charlie in the two steps are generated by our three-user source-independent quantum network and satisfy the relationship $X_A^{1\left(2\right)}=X_B^{1\left(2\right)}\oplus X_C^{1\left(2\right)}$ and $Y_A^{1\left(2\right)}=Y_B^{1\left(2\right)}\oplus Y_C^{1\left(2\right)}$ . $X_A^{1\left(2\right)}$ and $Y_A^{1\left(2\right)}$ are used for one-time pad to encrypt the hash function and digest by Alice. $X_B^{1\left(2\right)}$ and $Y_B^{1\left(2\right)}$ are owned by Bob, and $X_C^{1\left(2\right)}$ and $Y_C^{1\left(2\right)}$ are owned by Charlie. We consider the two situations in detail: (a) Alice is loyal, and (b) Alice is disloyal.

Fig. 5. The process of our QBA when Alice is loyal.

(A) Key generation. Through our source-independent entangled network, Alice shares four key strings $X_B^1$ , $X_B^2$ , $Y_B^1$ , and $Y_B^2$ with Bob and four key strings $X_C^1$ , $X_C^2$ , $Y_C^1$ , and $Y_C^2$ with Charlie, respectively. Alice obtains his key strings $X_A^1$ , $X_A^2$ , $Y_A^1$ , and $Y_A^2$ by XORing operation. (B) Schematic of step 1. Alice generates Dig_B through a generalized division hash function decided by an irreciduble polynomial and encrypt the digest and polynomial by $X_A^1$ and $Y_A^1$ through one-time pad (OTP). Alice sends m₁ as well as Sig_B and p₁ to Bob. Bob then sends m₁, Sig_B, p₁, and his keys $X_B^1$ and $Y_B^1$ to Charlie. Thereafter, Charlie sends his keys $X_C^1$ and $Y_C^1$ to Bob. Bob and Charlie independently recover Alice’s keys to verify the signature. (C) Schematic of step 2. Similar to step 1, Alice performs OTUH-QDS to sign m₁ by $X_A^2$ and $Y_A^2$ to Charlie. (D) Detailed schematic of QBA when Alice is loyal. The hash function is h(M) = M(x)x⁶⁴ mod p_ai(x) (64), where i ∈ {1,2} represents different steps, p_ai(x) is a randomly selected irreducible polynomial of order 64 in GF(256), and the coefficients of M(x) correspond to every char (ASCII) of the message to be signed. The digest is Dig = h(M), and the signature is $\mathit{Si}{g}_{B\left(C\right)}=Di{g}_{B\left(c\right)}\oplus X_A^{1\left(2\right)}$ and $p_{1\left(2\right)}=p_{a_{1\left(2\right)}}\oplus Y_A^{1\left(2\right)}$.

(a) The commanding general Alice is loyal. In step 1, as shown in Fig. 5B, Alice signs his order, m₁, using his keys $X_A^1$ and $Y_A^1$ , and then sends the message and signature Sig_B to Bob. Bob forwards them and his own secret keys $X_B^1$ and $Y_B^1$ to Charlie. After Charlie receives them, Charlie sends his keys $X_C^1$ and $Y_C^1$ to Bob. When and only when both Bob and Charlie verify the signature successfully, the signing is valid, and then Bob and Charlie add this valid message to their lists, L_B and L_C, respectively. In step 2, as shown in Fig. 5C, Charlie and Bob change their roles in QDS and follow the same process as step 1. Note that if malicious Charlie wishes that Bob would not distinguish the two messages, Charlie must forward the incorrect message m₂ instead of m₁ in step 2. However, because of the unforgeability of QDS, Charlie can only forge the message with a negligible probability ε_for. In step 3, loyal Bob outputs his final decision, m_B = majority(m₁, m₁) = m₁, which is consistent with loyal Alice’s order and satisfies IC₂.

Here, we describe the OTUH-QDS without perfect keys in step 1 in detail, which is also used in step 2. Specifically, we use generalized division hash functions to generate the signature, which involve an irreducible polynomial in a Galois field. The security parameter, i.e., the maximum probability that an attack is successfully performed in OTUH-QDS, is determined by the signature length that is usually chosen as the power of two for simplicity of encoding. The polynomial is of order n in GF(2^l), and the signature length is nl. We choose l = 8 and n = 64 so that the length of the hash value, i.e., the signature length is 512 (64 × 8), and thus the probability of forgery in our experiment, is ε_for = 2.93 × 10⁻¹⁶, which is negligible (see the Supplementary Materials).

Alice first generates a random irreducible polynomial in GF(256) of order 64 with p_a1(x) = x⁶⁴ + x⁶³ + 0Ex⁶² + … + 2Bx + 01, where the coefficient, such as 0E and 2B, are elements in GF(256). The digest of m₁, i.e., Dig_B, is generated by performing a generalized division hash function decided by p_a1(x) on m₁. Before being input to the hash function, the command m₁ is encoded into a polynomial m₁(x) by transforming every char into an element in GF(256) according to the American Standard Code for Information Interchange (ASCII) code and mapping every element into the coefficients of the polynomial in turn. The process of hashing is h(m₁) = m₁(x)x⁶⁴ mod p_a1(x). The output is also a polynomial and is then transformed into a string Dig_B consisting of 64 elements in GF(256). Meanwhile, p_a1(x) is also transformed into a string p_a1 consisting of 64 elements in GF(256). Dig_B and p_a1 are encrypted by the imperfect quantum keys through one-time pad to generate $\mathit{Si}{g}_B=\mathit{Di}{g}_B\oplus X_A^1$ and $p_1=p_{a_1}\oplus Y_A^1$.

Alice sends the commanding general’s order m₁ as well as Sig_B and p₁ to Bob. Bob then sends m₁, Sig_B, p₁, and his keys $X_B^1$ and $Y_B^1$ to Charlie. Thereafter, Charlie sends his keys $X_C^1$ and $Y_C^1$ to Bob. After the process above, Bob and Charlie successfully share their keys. They can recover Alice’s keys $X_A^1$ and $Y_A^1$ by exclusive ORing (XORing) $X_B^1$ and $Y_B^1$ and $X_C^1$ and $Y_C^1$ . Bob and Charlie independently check the signature. They will obtain the actual digest by performing the hash function derived by received p₁ and recovered $Y_A^1$ on the received m₁ and obtain the expected digest through recovered $X_A^1$ and received Sig_B. If the actual digest is identical to the expected, the command is valid. The details can be found in Fig. 5D.

(b) Alice is disloyal. This situation is similar to situation (a) above. As shown in Fig. 6, the difference is that Alice signs different messages, m₁ and m₂, in steps 1 and 2, respectively, because he wants to confuse loyal Bob and Charlie to make them output different decisions. However, because of the natural nonrepudiation of OTUH-QDS, loyal Bob and Charlie can confirm that m₁ and m₂ are both signed by Alice, and Alice is disloyal. Thus, they will output the same decision from the same information lists, i.e., Δ = majority(m₁, m₂), where Δ is a predetermined value (see the Supplementary Materials). This satisfies IC₁.

Fig. 6. Detailed schematic of QBA when Alice is loyal.

The process is similar to the situation when Alice is loyal, and the difference is that disloyal Alice signs two different messages to disturb the decisions of Bob and Charlie. Here, the time of attack and the plan in m₁ (2:00 p.m. and plan A) and m₂ (3:00 p.m. and plan B) are different.

DISCUSSION

We have demonstrated the three-party QBA with imperfect keys in a fully and simultaneously connected source-independent quantum network powered by a semiconductor chip. We accomplished this by directly producing high-quality broadband polarization-entangled states with exceptional brightness using an integrated AlGaAs BRW quantum source. We realize a three-user entanglement distribution network by multiplexing six correlated DWDM channels. To reduce the financial cost and increase the scalability of such a network, we use a time-multiplexed decoding module. This module integrates two nested UPMIs and an SPD at the expense of a slight increase in noise originating from accidentals. We implemented complete quantum communication with one detector per user in a fully connected quantum network. The combination of a cost-effective decoding module and BRW entangled source is an important step toward an affordable and practical large-scale quantum network. With the help of QKD links in our network, we generate correlated bit strings among three parties and implement OTUH-QDS with imperfect quantum keys. The signature rate can be the order of magnitude improvement owing to directly signing the hash value of long messages and the removal of cumbersome privacy amplification operations without compromising security (65).

Within the framework of OTUH-QDS, we experimentally beat the 1/3 fault tolerance bound of source-independent QBA, which is unable to be achieved with classical resources. That is because OTUH-QDS can provide decentralized multiparty correlation, where all three parties participate in QDS with equal status, to remove the independence of channels with information-theoretic security, while classical digital signature schemes require a trusted third-party for signing, which disobey the decentralization of the Byzantine agreement (see the Supplementary Materials). The above protocols can be used as primitives for practical multiparty quantum cryptography tasks without trusted nodes such as quantum blockchain and quantum consensus problems (60), paving the way for a more accessible quantum internet.

MATERIALS AND METHODS

BRW sample and experimental setup

Here, we consider the properties of biphotons generated from a 7.3-mm nonideal quarter-wavelength BRW in the process of degenerate type II SPDC, i.e., one transverse electric (TE)-polarized pump photon at frequency ω_p is converted into a pair of cross-polarized signal and idler photons at frequency ω_s and ω_i, respectively, with the conservation of energy ω_p = ω_s + ω_i. The structure with a high figure of merit total nonlinearity is designed (see the Supplementary Materials), which contains a core Al_xcGa_{1 − xc}As layer with x_c = 0.17 and a thickness of 230 nm, sandwiched between a six-period Bragg stack composed of alternative 127-nm high (Al_0.28Ga_0.72As) and 622-nm low (Al_0.72Ga_0.28As) index layers. The sample is grown along the [001] crystal axis and etched with a width of 4.8 µm and a depth of 4.15 µm. The waveguide achieves phase matching by using bounded total internal reflection (TIR) modes and quasi-bounded BRW modes. TIR modes are formed between high- and low-index claddings, while BRW modes are guided through transverse Bragg reflections at the interface between core and periodic claddings.

In the experiment, the BRW source is pumped by a fiber-coupled continuous wave laser centered at 780.9 nm. Lens-tapered fibers, which are used for coupling light into and out of the chip, are mounted on high-precision servo motors. We use a 980/1550 DWDM to separate the pump and parametric lights, where the residual pump laser is simultaneously detected by a photodetector and acts as a feedback signal. Thereafter, the hill-climbing algorithm is adopted for real-time optimization of the coupling. The photons are further filtered by a 1500-nm long-pass filter with a high extinction ratio, which can efficiently suppress the effects of broadband photoluminescence. The photon pairs are symmetrically distributed to the degenerated wavelength. We select three pairs of correlated channels by cascaded DWDM filters with 100-GHz spacing to form a fully connected three-user network. The decoding module held by each user consists of a PAM and an InGaAs avalanche detector, implementing a passive basis choice. In the PAM, the Z basis is realized by a UPMI, where the polarization can be distinguished by the relative arrival times of photons in detectors. The X basis works alike except for an HWP set to 22.5° before the UPMI, effectively rotating the polarization by 45°. The Z and X bases with different delays are combined by a coupler (see the Supplementary Materials), and the channel is distinguished by implementing wavelength-dependent time multiplexing. The single-photon detection events are recorded using a field programmable gate array (FPGA)-based time tag unit. Then, the information on photons’ polarization and wavelength can be transferred into their arrival time, and each user will obtain eight peaks in their temporal histogram. We used three free-running SPDs, operated at a detection efficiency of 25% and a dark count rate of 1.7 kHz with a dead time of 10 µs.

Scalability

One major goal of quantum communication is to establish a network that allows for widespread connectivity, similar to the classical internet but with unconditional security based on the laws of quantum mechanics. In terms of a fully connected network, the capacity is directly proportional to the available bandwidth resource (27). Therefore, a broader polarization-entangled photon source designed with low group birefringence (72), closer-spaced WDM (30), or a combination of WDM and passive beam splitters (28) can extend the network to a larger scale. Intriguingly, multiplexing quantum sources in different spatial modes is also a promising solution to scalability, allowing high efficiency while preserving high fidelity (73). Integrated quantum sources provide an ideal platform for implementing this scheme, which can offer stable and alignment-free operations with mature packaging technique. In the experiment, arrays of BRW samples with similar performance can be fabricated in a photonic foundry (74). By pumping the BRWs simultaneously, we can create k subnets between n users, where each BRW forms a fully connected $\frac{n}{k}$-user subnet using $\frac{n}{k}\left(\frac{n}{k}-1\right)$ wavelength channels. Each subnet can be optimized independently by adjusting the pump power to its optimal level and treated as a single user in a k-user network. To construct the connections between subnets, additional k(k − 1) wavelength channels are required and randomly distributed to all $\frac{n}{k}$ users in a subnet by passive BS. Thereby, the n-user network requires a total of $\frac{n}{k}\left(\frac{n}{k}-1\right)+k\left(k-1\right)$ wavelength channels. After some trivial calculation, the optimal value of k is simply equal to $\sqrt{n}$ . The result is valid only when n, k, and $\sqrt{n}$ are all integers. Furthermore, unlike the scenario of using a single source, the source multiplexing can compensate for the beam splitting–induced losses. The unique advantage of integrating the laser directly within the AlGaAs platform can promote the network architecture in a more efficient and scalable manner (67). After properly designing the propagation delays for photon pairs from different BRWs, the interconnection between any users in a large network can be realized without the need for a trusted node. The net effect of source multiplexing is akin to optionally constructing a two-layer fully connected network and independently controlling each subnet. One drawback of such a quantum network is the increased contribution from accidental counts resulting from the multiplexing of channels onto a single detector. It can be mitigated by shorting the coincidence window or demultiplexing the signal to multiple detectors. A pulsed pump scheme would further reduce the impact of accidental coincidence by specifying the arrival time of each channel at the detector (27).

The scalable source-independent fully connected network architecture is naturally suitable for the decentralized multiparty QBA scenarios. The multiparty QBA protocol can be implemented by treating three-party QDS as a basic unit and introducing a recursive structure to distribute and gather information layer by layer (66). The lieutenants will output the final decision according to the information they gather in different layers. Because the basic unit of a QBA system with more than three players is three-party QDS, the full-connected network architecture can generate multiparty correlation of every three players and thus correlated quantum keys for three-party QDS. In addition, for an N-party system, the communication complexity, defined as the times of performing QDS, of our QBA is $C={\displaystyle \sum _{m=0}^{f-1}}{A}_{N-1}^{2+m}$ , where $A_a^b=\frac{a!}{\left(a-b\right)!}$ is b permutations of a, f is the number of dishonest players, and N is the number of all players (N ≥ 2f + 1). It is evident that, as the number of players grows, the communication complexity exponentially increases. This limitation is attributed to the blockchain trilemma, which demonstrates that a decentralized system cannot achieve a harmonious balance among its essential elements: decentralization, security (fault tolerance), and scalability (75). It is an open challenge to explore if quantum resources can break the blockchain trilemma or facilitate the relaxation of decentralization and security for designing a QBA with polynomial communication complexity.

Supplementary Materials

This PDF file includes:

Sections S1 to S4

Figs. S1 to S11

Tables S1 to S3

References