Conference key agreement with single-photon interference

As anticipated in the introduction, our CKA scheme is an extension of the original bipartite TF-QKD protocol [24], Protocol 1 to a scenario with N users who want to establish a secret conference key. The parties distill the secret key by sending optical pulses to an untrusted node and by performing suitable measurements on a qubit they hold. In order to keep the notation symmetric, the N parties involved in the multipartite QKD protocol are named: ${\mathrm{Alice}}_{1},{\mathrm{Alice}}_{2}$, ..., Alice_N. The protocol is composed of L rounds, each round is characterized by the following eight steps (see figure 1):

• (i)  
  Every party (Alice_i) prepares an optical pulse a_i in an entangled state with a qubit A_i, given by:

  $$\begin{eqnarray}&&| \phi {\rangle }_{{A}_{i}{a}_{i}}=\sqrt{q}| 0{\rangle }_{{A}_{i}}| 0{\rangle }_{{a}_{i}}+\sqrt{1-q}| 1{\rangle }_{{A}_{i}}| 1{\rangle }_{{a}_{i}}\quad \forall i\in \{1,2,\ldots ,N\},\end{eqnarray} \tag{ 1.1 }$$

  where $0\leqslant q\leqslant 1,| 0{\rangle }_{{a}_{i}}$ is the vacuum state, $| 1{\rangle }_{{a}_{i}}$ is the single-photon state, and $\{| 0{\rangle }_{{A}_{i}},| 1{\rangle }_{{A}_{i}}\}$ is the computational basis of qubit A_i.
• (ii)  
  Every party sends her optical pulse a_i to the untrusted node via optical channels characterized by transmittance t, in a synchronized manner.
• (iii)  
  The central node applies a Bell-multiport beam splitter [43–48] with M input and output ports¹ to the incoming pulses and features a threshold detector D_i at each output port (i = 1, ..., M). The action of the multiport beam splitter is defined by the unitary transformation given in figure 1.
• (iv)  
  The central node announces the measurement outcome k_i for every detector D_i, with k_i = 0 and k_i = 1 corresponding to a no-click and a click event, respectively. The round gets discarded if ${\sum }_{i=1}^{M}{k}_{i}\ne 1$, i.e. whenever single-photon interference did not occur in the central node. The probability that only detector D_j clicked is p_j.
• (v)  
  According to a preshared secret key of $L\cdot h({p}_{\mathrm{PE}})$ bits² , the round is classified as a parameter-estimation (PE) round with probability p_PE or as a key-generation (KG) round with probability $1-{p}_{\mathrm{PE}}$. There are on average $m={{Mp}}_{j}{{Lp}}_{\mathrm{PE}}$ PE rounds that do not get discarded.

  • (a)  
    In case of a PE round, every party measures her qubit in the Z-basis and then announces the measurement outcome to compute the frequency: ${Q}_{Z}^{m}=(1+\langle {Z}^{\otimes N}{\rangle }_{m})/2$.
  • (b)  
    In case of a KG round, conditioned on detector D_j clicking, Alice_i measures her qubit in the basis of the operator ${O}_{{XY}}({\varphi }_{i})=\cos {\varphi }_{i}X+\sin {\varphi }_{i}Y$ (where X and Y are the Pauli operators), with ${\varphi }_{i}=\arg ({U}_{{ij}})$ (U_ij is given in figure 1). The parties announce m randomly chosen measurement results in order to estimate the quantum bit error rate (QBER) by computing the frequency: ${Q}_{{A}_{1}{A}_{i}}^{m}=(1-\langle {O}_{{XY}}({\varphi }_{1}){O}_{{XY}}({\varphi }_{i}){\rangle }_{m})/2$, i.e. the frequency of discordant outcomes.
• (vi)  
  The secret key shared by the N users is extracted from the remaining $n={{Mp}}_{j}L-2m$ raw key bits of the KG rounds.
• (vii)  
  ${\mathrm{Alice}}_{1}$ broadcasts the error correction information that every other party uses to correct her raw key to ${\mathrm{Alice}}_{1}$'s raw key.
• (viii)  
  ${\mathrm{Alice}}_{1}$ broadcasts a suitable two-universal hash function and every party applies it to her key for privacy amplification.

Remarks. Note that the quantity ${Q}_{Z}^{m}$ is the frequency of the outcome +1 when the parties measure the operator ${Z}^{\otimes N}$. By making an analogy with the bipartite scenario, one can view ${Q}_{Z}^{m}$ as an estimation of the phase-error rate between ${\mathrm{Alice}}_{1}$ and the other $N-1$ parties (when the phase-error rate is defined as in [24]).

Zoom In Zoom Out Reset image size

Since the Bell-multiport beam splitter redirects each incoming photon with equal probability to each potential output port, the probability of having a click in only one specific detector is the same for all detectors, i.e. p_j reads the same for j = 1, ..., M. For this reason, the total probability of having exactly one click in any detector is given by ${{Mp}}_{j}$.

In an honest implementation of the protocol, where the parties' state preparation and the operations of the central node are carried out as described above, the state of the qubits A₁, ..., A_N from which the parties distill a secret key is approximately a W-class state of N qubits [42], as we show in section 2. Therefore, the protocol here introduced represents an alternative to other multipartite QKD protocols [34–38] where the entanglement resource used to generate the key is, instead, a noisy version of the GHZ state of N qubits. Moreover, the W-class state used by the CKA is an entangled state which is post-selected after the interference of one single photon at the multiport beam splitter. Thus the resulting key rate scales linearly with the transmittance t of one of the quantum channels linking the parties to the central node. This is in contrast to the other mentioned multipartite QKD protocols [34–38], where the distribution of an N-qubit GHZ state (e.g. encoded in orthogonal polarizations of a photon) would lead to a key rate which scales with t^N (with t being the transmittance of the link between one party and the node distributing the GHZ state). This makes our CKA much more suited to high-loss scenarios than previously proposed multipartite QKD protocols.

As mentioned at the end of section 1, the entanglement resource exploited to distill the secret key is a noisy W-class state of N qubits [42], which is post-selected after single-photon interference occurred in the central node. In fact, the optimization of the CKA key rate (section 4) over the parameter q weighting the initial superposition of the qubit-photon state always yields values of q close to 1. This means that the quantum signal sent by the parties is strongly unbalanced towards the vacuum. Thus the events in which one of the detectors clicks are mainly caused by the arrival and detection of one photon. However, because of the balanced superposition generated by the multiport beam splitter, the detected photon could be sent by any party with equal probability. Since the photon is initially entangled to the qubit in state $| 1\rangle$, the qubits' state conditioned on the detection is a coherent superposition of states in which one qubit is in state $| 1\rangle$ and all the others are in state $| 0\rangle$, that is the mentioned W-class state. A secret conference key can then be extracted by proper measurements performed on such a state.

Let us start by considering the simplistic scenario in which the parties share the N-partite W state:

$$\begin{eqnarray}&&| W{\rangle }_{N}=\displaystyle \frac{1}{\sqrt{N}}\left[| 00...01\rangle +| 00...10\rangle \,+...+\,| 10...00\rangle \right].\end{eqnarray} \tag{ 2.1 }$$

It has been proven [35] that the parties cannot extract perfectly correlated outcomes in any set of local measurement bases (for N ≥ 3). Indeed, the only N-qubit state achieving that and yielding uniformly distributed random measurement outcomes is the GHZ state. Nevertheless, the N-partite W state can still be used to extract a secret conference key. The key bits are given by the outcomes of the X-basis measurements performed by the N parties on their respective qubit. The expected QBER between any two parties is given by $1/2-1/N$, which amounts to subtracting the fraction $h(1/2-1/N)$ from the secret key rate due to error correction (h(x) is the binary entropy). On the other hand, the eavesdropper's knowledge about the key can be estimated via the phase-error rate Q_Z (as defined in section 1, more details in appendix A), which turns out to be zero on the W state. This is crucial for having a non-zero key rate even when the number of parties is large. The resulting asymptotic key rate, when the parties share an N-partite W state, is given by $1-h(1/2-1/N)$.

Our CKA is constructed following the same philosophy. The only difference is that the conditional state shared by the parties after the detector's click is not exactly the W state given by (2.1), but rather a noisy W-class state (the full expression is given in appendix B). Indeed, the multiport beam splitter introduces complex phases in the balanced superposition of states shared by the parties, that depend on which detector clicked. For this reason, we require the parties to adjust their KG measurements in the X, Y plane in order to remove such phases and obtain the same QBER ($1/2-1/N$) they would observe by measuring in the X-basis had they shared the standard W state (2.1). However, the adjusted KG measurements do not commute with the operations performed in the untrusted node and prevent the CKA from being recast as an MDI prepare-and-measure scheme, opposed to its bipartite version [24]. Consequently, the multipartite scheme presented here is more challenging to implement than its bipartite counterpart, i.e. the TF-QKD protocol. In particular, it cannot be reformulated as a scheme where the parties prepare coherent states and send them to node C for measurement. Nonetheless, the operations that the parties are required to perform seem to be within technological reach [49, 50]. In particular, the qubit system could be realized by a nitrogen-vacancy electron spin, whose coherence time has recently reached the order of seconds [51]. The entanglement between the electron spin and the photon's Fock state would then be generated via selective optical pulses and coherent rotations [49], which would entangle the electron spin with the presence or absence of a photon.

The protocol presented in section 1 can be effectively regarded as an N-partite QKD protocol solely characterized by the unknown quantum state ${\rho }_{{A}_{1}{A}_{2}...{A}_{N}}^{{{Mp}}_{j}L}$, which is the global state of the parties' qubits in all the rounds that were not discarded³ . In this way we allow the eavesdropper, who is in total control of the untrusted node, to perform any kind of operation (coherent attacks) on the whole set of signals sent by the parties in the different rounds. As described above, in each round the parties perform trusted measurements on the state ${\rho }_{{A}_{1}{A}_{2}...{A}_{N}}^{{{Mp}}_{j}L}$, according to the preshared key they hold. The security of such a multipartite QKD protocol can be proven thanks to the finite-key analysis developed in [37]. In particular, since ${\mathrm{Alice}}_{1}$ (who holds the key to which all the other parties correct their raw key) measures her qubit only in the two mutually unbiased bases Z and X, the protocol's security proof follows analogous lines to the one of the N-BB84 protocol presented in [37]. The security is guaranteed even when the state preparation and the measurement devices of the other parties (${\mathrm{Alice}}_{2},\ldots ,{\mathrm{Alice}}_{N}$) are not trusted (a detailed proof is given in appendix A).

Theorem 1. The CKA in section 1, with the optimal 1-way error-correction protocol (which is ${\varepsilon }_{\mathrm{EC}}$-fully secure and $2(N-1){\varepsilon }_{\mathrm{PE}}\,$-robust) and where the secret key generated by two-universal hashing has length

$$\begin{eqnarray}\begin{array}{rcl}{\ell }(N) & = & n\left[1-h\left({Q}_{Z}^{m}+\gamma (n,m,{Q}_{Z}^{m},{\varepsilon }_{z}\right)-\mathop{\max }\limits_{i}h\left({Q}_{{A}_{1}{A}_{i}}^{m}+\gamma (n,m,{Q}_{{A}_{1}{A}_{i}}^{m},{\varepsilon }_{x}\right)\right]-{\mathrm{log}}_{2}\displaystyle \frac{2(N-1)}{{\varepsilon }_{\mathrm{EC}}}\\ & & -2{\mathrm{log}}_{2}\displaystyle \frac{1-2(N-1){\varepsilon }_{\mathrm{PE}}}{2\,{\varepsilon }_{\mathrm{PA}}},\end{array}\end{eqnarray} \tag{ 3.1 }$$

is ${\varepsilon }_{\mathrm{tot}}$-secure with ${\varepsilon }_{\mathrm{tot}}=2{\varepsilon }_{\mathrm{PE}}+{\varepsilon }_{\mathrm{EC}}+{\varepsilon }_{\mathrm{PA}}$, where ${\varepsilon }_{\mathrm{PE}}$ is defined as:

$$\begin{eqnarray}&&{\varepsilon }_{\mathrm{PE}}\equiv \sqrt{(N-1){\varepsilon }_{x}+{\varepsilon }_{z}}\end{eqnarray} \tag{ 3.2 }$$

and $\gamma (n,m,{{\rm{\Lambda }}}_{m},\varepsilon )$ is the positive root of the following equation:

$$\begin{eqnarray}&&\mathrm{ln}\displaystyle \left(\genfrac{}{}{0em}{}{n({{\rm{\Lambda }}}_{m}+\gamma )+m{{\rm{\Lambda }}}_{m}}{m{{\rm{\Lambda }}}_{m}}\right)+\mathrm{ln}\displaystyle \left(\genfrac{}{}{0em}{}{(n+m)(1-{{\rm{\Lambda }}}_{m})-n\gamma }{m(1-{{\rm{\Lambda }}}_{m})}\right)=\mathrm{ln}\displaystyle \left(\genfrac{}{}{0em}{}{n+m}{m}\right)+\mathrm{ln}\varepsilon .\end{eqnarray} \tag{ 3.3 }$$

$L\cdot h({p}_{\mathrm{PE}})$

In the asymptotic regime ($L\to \infty$), the finite-size effects are not present and the secret key rate (r = ℓ/L) reads:

$$\begin{eqnarray}&&r(N)={{Mp}}_{j}\left[1-h({Q}_{Z})-\mathop{\max }\limits_{i\in \{1,\ldots ,N\}}h({Q}_{{A}_{1}{A}_{i}})\right],\end{eqnarray} \tag{ 3.4 }$$

where Q_Z and ${Q}_{{A}_{1}{A}_{i}}$ are the probabilities correspondent to the frequencies defined in section 1.

In this section we provide plots of the secret key rate—number of secret key bits per round—achieved by the CKA both with finite-key effects (3.1) and in the asymptotic regime (3.4), as a function of the loss in one of the channels linking a party to the central node, measured in dB ($-10{\mathrm{log}}_{10}t$). We assume that the protocol is honestly implemented as described in section 1 and we account for a dark count probability of ${p}_{d}={10}^{-9}$ in every detector (which can be attained with superconducting nanowire single photon detectors [29]) and for a polarization and a phase misalignment between ${\mathrm{Alice}}_{1}$ and each other party of 2%. The relevant error rates and probabilities for this configuration are given in appendix B. The plots are optimized over the parameter q of the initial superposition between the two qubit-photon states, unless otherwise stated. The finite-key plots are further optimized over the probability p_PE of performing a PE round and over the security parameters ${\varepsilon }_{x},{\varepsilon }_{z},{\varepsilon }_{\mathrm{EC}}$ and ε_PA, constrained by a fixed total security parameter of ε_tot = 10⁻⁸.

In order to assess the performance of our CKA with an untrusted node, we consider the situation in which the central node is removed and the N parties are linked by a star network, where the transmittance of the link between any two parties is t². For this configuration, we consider the conference key rate generated by the following strategy and compare it to our CKA key rate. One selected party performs the best possible bipartite QKD scheme with every other party in the network, i.e. N − 1 times. Because of the network symmetry, every bipartite secret key has the same length and its asymptotic rate is upper bounded by the Pirandola–Laurenza–Ottaviani–Banchi bound [33] given by: $-{\mathrm{log}}_{2}(1-{t}^{2})$. Then, the selected party encodes the final conference key by using the keys she/he established singularly with each other party. Hence, the conference key length is equal to the bipartite keys' lengths, but the total number of rounds⁴ needed to establish the conference key is given by the number of rounds performed by a pair of parties, multiplied by the number of bipartite schemes (N − 1). Thus the conference key rate achieved by this strategy is upper bounded by:

$$\begin{eqnarray}&&{r}_{\mathrm{direct}}(N)=\displaystyle \frac{-{\mathrm{log}}_{2}(1-{t}^{2})}{N-1}.\end{eqnarray} \tag{ 4.1 }$$

We will refer to (4.1) as the direct-transmission bound, even though we emphasize that it only upper bounds the achievable conference key rate when the strategy we just described is employed. Indeed, we do not claim that this strategy yields the highest possible conference key rate for the considered network configuration. In this section we show that our CKA provides an advantage, in terms of performance, with respect to the above strategy (4.1).

4.1. Asymptotic regime

In figure 2 we plot the asymptotic key rate of the CKA (equation (3.4), solid and dotted lines) as a function of the loss in one of the quantum channels, for different number parties establishing the secret conference key. In particular, the solid lines are obtained by fixing M = N, i.e. the number of input (output) ports of the beam splitter is given by the number of parties taking part to the protocol. The dotted lines are instead obtained by fixing the number of ports to M = 10. Finally, the dashed lines represent the direct-transmission bound (4.1) for the correspondent number of parties.

Zoom In Zoom Out Reset image size

We observe that the CKA key rate can surpass the direct-transmission bound for sufficiently high losses. This is expected since the CKA key rate basically scales linearly with the transmittance t of the quantum channel linking one party to the central node, while the direct-transmission rate scales linearly with the transmittance (t²) of the whole channel linking two parties [33]. We note, however, that the performance advantage of the CKA with respect to the direct-transmission bound decreases for increasing number of parties. This is due to the fact that an increase of the number of parties is more detrimental for the CKA rate as it severely affects the QBER⁵ , than for the direct-transmission bound, where it simply increases the total number of rounds dividing the key length. Moreover, the presence of dark counts in the detectors prevents the CKA from outperforming the direct-transmission bound if the number of parties is too large (see the N = 9 case in figure 2). Indeed, they are the cause of the sudden drop of the key rate at high losses, i.e. where the probability of detecting one photon becomes comparable to the probability of having a dark count. Moreover, their effect increases with the number of parties since the key rate optimization yields a lower probability of having a single click in one of the detectors, when more parties are involved. Note, however, that while the CKA rate accounts for devices' imperfections (e.g. dark counts), the direct-transmission bound is attained only in the ideal scenario of no imperfections.

From figure 2 we also deduce that performing the CKA with a higher number of ports in the beam splitter (dotted lines, where M = 10) is advantageous at low losses and disadvantageous at high losses. The advantage of having more output ports is that the probability that two photons arrive at the same detector diminishes (this is an error source in our CKA). However, these errors could only occur if there is a non-negligible probability that two photons arrive at the central node, i.e. when the losses are low. At the same time, the presence of more output ports—and thus detectors—increases the chances of a dark count. And the negative effect of dark counts on the performance becomes tangible when their probability is comparable to the probability of having a click in a detector, i.e. at high losses.

Another relevant scenario for assessing the CKA performance in comparison to the iteration of bipartite protocols could be the following. The parties are given the same CKA experimental setup but they are now allowed to use it in pairs (or larger subgroups) in consecutive runs, effectively performing the original TF-QKD protocol [24], Protocol 1 between one selected party and every other party. The different established keys are then used to encode the final conference key, similarly to the direct-transmission scenario. This strategy can then be compared to the case where the parties choose to use the CKA setup all at once, thus performing a truly multipartite QKD scheme. A detailed analysis of this comparison in the asymptotic regime is given in appendix C. It turns out that, depending on the loss and on the state preparation, it is still advantageous to perform a multipartite protocol instead of iteratively executing bipartite protocols, on the CKA experimental setup.

4.2. Finite-key effects

In figure 3(a) we plot the finite-key conference rate (equation (3.1) divided by L) as a function of the number of rounds L, for different fixed values of the loss (20 and 30 dB, solid and dotted–dashed lines) and different number of parties. We stress the fact that we normalize the key length to the total number of rounds (L), i.e. we also take into account the rounds that get discarded due to double-clicks or no click in the detectors. The horizontal dashed lines correspond to the value of the direct-transmission bound (4.1) for the various combinations of losses and number of parties. We observe that the number of rounds leading to a non-zero key rate is in general higher than other multipartite schemes (see for example [37]). This is caused by the fact that the CKA devised here relies on single-photon interference events, which are only a fraction of all the events occurring in an experiment run. A considerable amount of rounds gets thus discarded, but still contributes to the rounds' count. Nevertheless, the number of rounds needed for a non-zero key rate is comparable to other bipartite TF-QKD protocols [56, 57]. On the other hand, the advantage of relying on single-photon interference in a multipartite scenario is the excellent scaling of the protocol's key rate with respect to losses, which allows it to overcome the asymptotic direct-transmission bound (dashed lines) even with a finite number of rounds.

Zoom In Zoom Out Reset image size

In figure 3(b) we instead plot the minimum number of rounds (L_min) such that the finite-key rate (ℓ/L) does not decrease more than 90% with respect to its asymptotic value r (3.4), i.e.: ${\ell }({L}_{\min })/{L}_{\min }\geqslant r/10$. The threshold L_min is plotted as a function of the number of parties (N) and for fixed values of the loss. We observe that L_min increases both with the number of parties and with the loss. The reason is that, in both cases, the fraction of the total number of rounds that gets discarded increases. This has a negative effect both on the asymptotic rate and on the finite-key rate, however the effect on the latter is greater, thus requiring a larger number of rounds L_min to maintain the finite-key rate within 90% range of the asymptotic one. Indeed, a larger fraction of discarded rounds decreases the prefactor ${{Mp}}_{j}$ in both the finite- and the asymptotic-key rates, but it additionally decreases the number of rounds used for PE in the finite-key regime. This causes larger statistical fluctuations and thus a smaller finite-key rate.

In this work we introduced a new multipartite QKD protocol that exploits for the first time the correlations derived from an N-partite W state [42] to establish a secret conference key among the N users. In an honest implementation of the protocol, the W state is post-selected thanks to the interference of a single photon in a central node, extending the idea of the bipartite TF QKD protocol devised in [24] to the multipartite scenario. Hence the resulting key rate scales linearly with the transmittance of one of the quantum channels linking the parties to the central node, making the protocol particularly suited for conference keys established in high-loss scenarios.

We prove the protocol's security in the finite-key regime by considering the most adversarial situation possible, i.e. coherent attacks are allowed by the eavesdropper. In order to achieve this, we rely on previous results on the finite-key security of multipartite QKD schemes derived in [37] and employ the entropic uncertainty relation [58].

We provide simulations of the conference key rate both in the finite- and in the asymptotic-key regime. We compare the performance of our CKA to that achieved by performing bipartite QKD schemes between one party and each of the others and then using the established keys to encode the conference key. In particular, we analyze the cases where the bipartite schemes are performed with the same setup used for the CKA (in appendix C) and in the direct-transmission scenario (i.e. the central node is removed and the optimal bipartite QKD scheme is performed). We show that, in both cases, the execution of a truly multipartite scheme could be advantageous even when finite-key effects are accounted for.

Although the feasibility of the proposed CKA requires further investigation, with this work we demonstrate that, in principle, multipartite QKD does not necessarily need a GHZ-class state as its entanglement resource and that it can be implemented even in high-loss scenarios.

We thank Marcos Curty, Daniel Miller and Hua-Lei Yin for helpful discussions. This project has received funding from the European Union's Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No. 675662.

In order to prove the security of our CKA in the finite-key scenario, we start from the general security statement given in [37, theorem 1]. The resulting secret key length is thus determined by the amount of information the eavesdropper has about the secret key and by the information the parties leak during the classical post-processing. The former is quantified by the min-entropy ${H}_{\min }^{\varepsilon }({\rho }_{{XE}}^{n}| E)$, where ${\rho }_{{XE}}^{n}$ is the classical-quantum state of ${\mathrm{Alice}}_{1}$'s raw key and the eavesdropper's quantum system E which is partially correlated to it. Since the eavesdropper's system is unknown, one cannot directly compute the mentioned min-entropy. Nevertheless, it can be bounded by means of the uncertainty relation [58] for smooth-entropies as follows:

$$\begin{eqnarray}&&{H}_{\min }^{\varepsilon }({\rho }_{{XE}}^{n}| E)\geqslant n-{H}_{\max }^{\varepsilon }({\rho }_{{Z}_{1}...{Z}_{N}}^{n}| {Z}_{2}...{Z}_{N}),\end{eqnarray} \tag{ A.1 }$$

where the max-entropy on the rhs quantifies the uncertainty of Alice₁'s Z-measurement results when the Z-outcomes of the remaining N − 1 parties are known, if all parties would measure Z in the n rounds yielding the raw-key. The max-entropy can be upper bounded via the phase-error rate Qⁿ_Z—as defined in section 1—of the n raw-key rounds. We get:

$$\begin{eqnarray}&&{H}_{\min }^{\varepsilon }({\rho }_{{XE}}^{n}| E)\geqslant n-n\,h({Q}_{Z}^{n}),\end{eqnarray} \tag{ A.2 }$$

where $h(\cdot )$ is the binary entropy function: $h(x)=-x{\mathrm{log}}_{2}(x)-(1-x){\mathrm{log}}_{2}(1-x)$. Finally, since the parties do not directly observe the phase-error rate Qⁿ_Z of the n rounds producing the raw key, this can be inferred through the theory of random sampling without replacement. In particular, the phase-error rate of the raw key (Qⁿ_Z) can be upper bounded with high probability, once the observed phase-error rate (${Q}_{Z}^{m}$) is known. For this, we make use of the following tail inequality [56, lemma 1] which features a tighter bound with respect to the Serfling inequality.

Lemma 1. [56]. Let ${{ \mathcal X }}_{n+m}$ be a random binary string of $n+m$ bits, ${{ \mathcal X }}_{m}$ be a random sample (without replacement) of m entries from the string ${{ \mathcal X }}_{n+m}$ and ${{ \mathcal X }}_{n}$ be the remaining bit string. Upon calling ${{\rm{\Lambda }}}_{m}$ and ${{\rm{\Lambda }}}_{n}$ the frequencies of bit value 1 in string ${{ \mathcal X }}_{m}$ and ${{ \mathcal X }}_{n}$, respectively, for any $\varepsilon \gt 0$ it holds:

$$\begin{eqnarray}&&\Pr [{{\rm{\Lambda }}}_{n}\leqslant {{\rm{\Lambda }}}_{m}+\gamma (n,m,{{\rm{\Lambda }}}_{m},\varepsilon )]\gt 1-\varepsilon ,\end{eqnarray} \tag{ A.3 }$$

where $\gamma (n,m,{{\rm{\Lambda }}}_{m},\varepsilon )$ is the positive root of the following equation:

$$\begin{eqnarray}&&\mathrm{ln}\displaystyle \left(\genfrac{}{}{0em}{}{n({{\rm{\Lambda }}}_{m}+\gamma )+m{{\rm{\Lambda }}}_{m}}{m{{\rm{\Lambda }}}_{m}}\right)+\mathrm{ln}\displaystyle \left(\genfrac{}{}{0em}{}{(n+m)(1-{{\rm{\Lambda }}}_{m})-n\gamma }{m(1-{{\rm{\Lambda }}}_{m})}\right)=\mathrm{ln}\displaystyle \left(\genfrac{}{}{0em}{}{n+m}{m}\right)+\mathrm{ln}\varepsilon .\end{eqnarray} \tag{ A.4 }$$

$$\begin{eqnarray}&&{H}_{\min }^{\varepsilon }({\rho }_{{XE}}^{n}| E)\geqslant n-n\,h\left({Q}_{Z}^{m}+\gamma (n,m,{Q}_{Z}^{m},{\varepsilon }_{z}\right).\end{eqnarray} \tag{ A.5 }$$

The remaining part of the secret key length that needs to be estimated is the error-correction information sent through the classical public channel, and thus leaked to the eavesdropper. Since we consider a one-way scheme where ${\mathrm{Alice}}_{1}$ broadcasts the same error-correction information to all the parties through the public channel, the information gained by the eavesdropper is bounded by the binary entropy of the worst QBER between ${\mathrm{Alice}}_{1}$ and any other party, by means of [37, theorem 2].

Putting these considerations together, we obtain the security statement given in theorem 1.

We remark that the only requirements needed for the security proof to hold are that ${\mathrm{Alice}}_{1}$ is actually measuring qubits and that her measurement device is working as expected (i.e. it measures in the X and Z basis) [58, 59]. This means that we do not need to trust the measurement devices of the other parties (as long as they are memoryless), nor their state preparation (including ${\mathrm{Alice}}_{1}$'s).

In this section we compute the QBER (${Q}_{{A}_{1}{A}_{k}}$), the phase-error rate (Q_Z) and the probability that a given detector clicked (p_j), assuming that the protocol is implemented as described in section 1. We also account for a dark count probability p_d in each detector and we consider the specific scenario in which there are a polarization and a phase misalignment of angles θ and ϕ, respectively, between Alice₁ and each other party. In the simulations of section 4 we set: p_d = 10⁻⁹ and $\theta =\phi =\arcsin \sqrt{0.02}$. For simplicity, we assume that the input signals of the N parties enter the first N ports of the M-port beam splitter. Nevertheless, the results in terms of achieved key rate are independent of which input ports are used, thanks to the balanced redistribution of the input photons to the output ports of the considered Bell-multiport beam splitter (see figure 1). We remark that the expressions derived here together with the asymptotic key rate given in (3.4) reproduce those of the original TF-QKD protocol [24, Protocol 1] in the case of two parties (N = 2) with a balanced 2-port beam splitter (M = 2).

We first derive the QBER, the phase-error rate and the probability p_j assuming no dark counts in the detectors, i.e. every click is caused by the arrival of one or more photons. In the last Subsection we use the derived expressions to obtain analogous quantities, with the assumption that every detector has a probability p_d of clicking conditioned on no photon arriving.

B.1. Qubits' state conditioned on one click

According to the protocol, the global state of the parties' qubits and signals, before sending the signals to the central node, reads:

$$\begin{eqnarray}&&| {{\rm{\Phi }}}_{1}\rangle =\underset{k=1}{\overset{N}{\displaystyle \bigotimes }}| \phi {\rangle }_{{A}_{k}{a}_{k}}=\underset{k=1}{\overset{N}{\displaystyle \bigotimes }}\left(\sqrt{q}| 0{\rangle }_{{A}_{k}}| 0{\rangle }_{{a}_{k}}+\sqrt{1-q}{{\rm{e}}}^{{\rm{i}}{\phi }_{k}}| 1{\rangle }_{{A}_{k}}{a}_{k}^{\dagger }| 0{\rangle }_{{a}_{k}}\right),\end{eqnarray} \tag{ B.1 }$$

where the phase mismatch ϕ_k is defined as zero if k = 1 and as ϕ if $k\ne 1$, which means that every other party has the same phase mismatch with respect to Alice₁. The signals a_k are then sent to the central node through lossy optical channels, which are modeled as beam splitters with transmittance t. The global state after the transmission of the signals to the untrusted relay reads:

$$\begin{eqnarray}\begin{array}{rcl}| {{\rm{\Phi }}}_{2}\rangle & = & \underset{k=1}{\overset{N}{\displaystyle \bigotimes }}\left[\sqrt{q}| 0{\rangle }_{{A}_{k}}| 0\rangle +\sqrt{1-q}{{\rm{e}}}^{{\rm{i}}{\phi }_{k}}| 1{\rangle }_{{A}_{k}}(\sqrt{t}\,{a}_{k}^{\dagger }+\sqrt{1-t}\,{l}_{k}^{\dagger })| 0\rangle \right]\\ & = & \displaystyle \sum _{g(\vec{b})=0}^{{2}^{N}-1}{q}^{\tfrac{N-| \vec{b}| }{2}}{\left(1-q\right)}^{\tfrac{| \vec{b}| }{2}}| \vec{b}{\rangle }_{{A}_{1}...{A}_{N}}{\otimes }_{k=1}^{N}{{\rm{e}}}^{{\rm{i}}{b}_{k}{\phi }_{k}}{\left(\sqrt{t}{a}_{k}^{\dagger }+\sqrt{1-t}{l}_{k}^{\dagger }\right)}^{{b}_{k}}| 0\rangle ,\end{array}\end{eqnarray} \tag{ B.2 }$$

where ${l}_{k}^{\dagger }$ is the creation operator of the lost photon in channel $k,\vec{b}$ is a N-bit vector that runs from 0 to ${2}^{N}-1$ in binary notation (covering all the possible combinations of qubit states) and $| \vec{b}|$ is the Hamming weight of vector $\vec{b}$. From now on, we denote as $g(\cdot )$ the bijective function that takes as input a binary vector and outputs the correspondent decimal number.

We assume now that the polarization of the photons sent by ${\mathrm{Alice}}_{2},...{\mathrm{Alice}}_{N}$ is rotated by an angle θ with respect to Alice₁'s signal:

$$\begin{eqnarray}&&| {{\rm{\Phi }}}_{3}\rangle =\displaystyle \sum _{g(\vec{b})=0}^{{2}^{N}-1}{q}^{\tfrac{N-| \vec{b}| }{2}}{\left(1-q\right)}^{\tfrac{| \vec{b}| }{2}}| \vec{b}{\rangle }_{{A}_{1}...{A}_{N}}{\otimes }_{k=1}^{N}{{\rm{e}}}^{{\rm{i}}{b}_{k}{\phi }_{k}}{\left(\sqrt{t}\cos {\theta }_{k}{a}_{k,{\rm{P}}}^{\dagger }-\sqrt{t}\sin {\theta }_{k}{a}_{k,{{\rm{P}}}_{\perp }}^{\dagger }+\sqrt{1-t}{l}_{k}^{\dagger }\right)}^{{b}_{k}}| 0\rangle ,\end{eqnarray} \tag{ B.3 }$$

where θ_k is defined as zero if k = 1 and as θ if $k\ne 1$, while the subscripts ${}_{{\rm{P}}}$ and ${}_{{{\rm{P}}}_{\perp }}$ indicate the polarization of ${\mathrm{Alice}}_{1}$'s signal and its orthogonal direction, respectively.

Finally, the global state after the application of the Bell-multiport beam splitter on the incoming signals (its action on the incoming creation operators is reported in figure 1) is:

$$\begin{eqnarray}\begin{array}{rcl}| {{\rm{\Phi }}}_{4}\rangle & = & \displaystyle \sum _{g(\vec{b})=0}^{{2}^{N}-1}{q}^{\tfrac{N-| \vec{b}| }{2}}{\left(1-q\right)}^{\tfrac{| \vec{b}| }{2}}| \vec{b}{\rangle }_{{A}_{1}...{A}_{N}}\\ & & \otimes \displaystyle \prod _{k=1}^{N}{{\rm{e}}}^{{\rm{i}}{b}_{k}{\phi }_{k}}{\left(\sqrt{t}\cos {\theta }_{k}\displaystyle \sum _{j=1}^{M}{U}_{{kj}}{\sigma }_{j,{\rm{P}}}^{\dagger }-\sqrt{t}\sin {\theta }_{k}\displaystyle \sum _{j=1}^{M}{U}_{{kj}}{\sigma }_{j,{{\rm{P}}}_{\perp }}^{\dagger }+\sqrt{1-t}{l}_{k}^{\dagger }\right)}^{{b}_{k}}| 0\rangle ,\end{array}\end{eqnarray} \tag{ B.4 }$$

where ${\sigma }_{j,{\rm{P}}}^{\dagger }$ and ${\sigma }_{j,{{\rm{P}}}_{\perp }}^{\dagger }$ are the creation operators of the output signals in the two orthogonal polarizations and U_kj is reported in figure 1. At this point, every output signal is measured in the respective threshold detector. Since the detectors do not distinguish the polarization of the output signals, we will use the subscript ${}_{{\sigma }_{j}}$ to indicate the combined Hilbert space of the signals exiting port j, when there is no ambiguity.

We are now ready to compute the conditional state of the qubits ${A}_{1},\ldots ,{A}_{N}$ when only detector D_j clicked:

$$\begin{eqnarray}&&{p}_{j}{\rho }_{{A}_{1}...{A}_{N}}^{j}={\mathrm{Tr}}_{\displaystyle \genfrac{}{}{0em}{}{{\sigma }_{1},\ldots ,{\sigma }_{M}}{{l}_{1},\ldots ,{l}_{N}}}\left[({\mathrm{id}}_{{\sigma }_{j}}-{P}_{| 0{\rangle }_{{\sigma }_{j}}}){\otimes }_{i\ne j}{P}_{| 0{\rangle }_{{\sigma }_{i}}}| {{\rm{\Phi }}}_{4}\rangle \langle {{\rm{\Phi }}}_{4}| ({\mathrm{id}}_{{\sigma }_{j}}-{P}_{| 0{\rangle }_{{\sigma }_{j}}}){\otimes }_{i\ne j}{P}_{| 0{\rangle }_{{\sigma }_{i}}}\right],\end{eqnarray} \tag{ B.5 }$$

where p_j is the probability that only detector D_j clicked, ${\rho }_{{A}_{1}...{A}_{N}}^{j}$ is the normalized conditional state of the qubits and ${P}_{| 0{\rangle }_{{\sigma }_{j}}}$ is the projector on the vacuum state of output signal j. In order to compute (B.5), we start by calculating the following quantity:

$$\begin{eqnarray}&&\begin{array}{l}({\mathrm{id}}_{{\sigma }_{j}}-{P}_{| 0{\rangle }_{{\sigma }_{j}}}){\otimes }_{i\ne j}{P}_{| 0{\rangle }_{{\sigma }_{i}}}| {{\rm{\Phi }}}_{4}\rangle =\displaystyle \sum _{g(\vec{b})=1}^{{2}^{N}-1}{q}^{\tfrac{N-| \vec{b}| }{2}}{\left(1-q\right)}^{\tfrac{| \vec{b}| }{2}}| \vec{b}{\rangle }_{{A}_{1}...{A}_{N}}\\ \quad \otimes \,({\mathrm{id}}_{{\sigma }_{j}}-{P}_{| 0{\rangle }_{{\sigma }_{j}}}){\otimes }_{i\ne j}{P}_{| 0{\rangle }_{{\sigma }_{i}}}\displaystyle \prod _{k=1}^{N}{{\rm{e}}}^{{\rm{i}}{b}_{k}{\phi }_{k}}{\left[\sqrt{t}{U}_{{kj}}\left(\cos {\theta }_{k}{\sigma }_{j,{\rm{P}}}^{\dagger }-\sin {\theta }_{k}{\sigma }_{j,{{\rm{P}}}_{\perp }}^{\dagger }\right)+\sqrt{1-t}{l}_{k}^{\dagger }\right]}^{{b}_{k}}| 0\rangle \\ \quad \equiv \,\displaystyle \sum _{g(\vec{b})=1}^{{2}^{N}-1}{q}^{\tfrac{N-| \vec{b}| }{2}}{\left(1-q\right)}^{\tfrac{| \vec{b}| }{2}}| \vec{b}{\rangle }_{{A}_{1}...{A}_{N}}\otimes ({\mathrm{id}}_{{\sigma }_{j}}-{P}_{| 0{\rangle }_{{\sigma }_{j}}}){\otimes }_{i\ne j}{P}_{| 0{\rangle }_{{\sigma }_{i}}}| \psi {\rangle }_{{\sigma }_{j},l},\end{array}\end{eqnarray} \tag{ B.6 }$$

where the effect of the projectors is to select the outcome signal σ_j and to remove the case $g(\vec{b})=0$, since it would correspond to a vacuum state for the outcome signal σ_j. We now focus on rewriting the following term:

$$\begin{eqnarray}&&\begin{array}{l}| \psi {\rangle }_{{\sigma }_{j},l}=\displaystyle \prod _{k=1}^{N}{{\rm{e}}}^{{\rm{i}}{b}_{k}{\phi }_{k}}{\left[\sqrt{t}{U}_{{kj}}\left(\cos {\theta }_{k}{\sigma }_{j,{\rm{P}}}^{\dagger }-\sin {\theta }_{k}{\sigma }_{j,{{\rm{P}}}_{\perp }}^{\dagger }\right)+\sqrt{1-t}{l}_{k}^{\dagger }\right]}^{{b}_{k}}| 0\rangle \\ \quad =\,{{\rm{e}}}^{{\rm{i}}(| \vec{b}| -{b}_{1})\phi }\displaystyle \sum _{\displaystyle \genfrac{}{}{0em}{}{g(\vec{d})=0\,{\rm{s}}.{\rm{t}}.}{\vec{d}\wedge \vec{b}=\vec{d}}}^{{2}^{N}-1}\displaystyle \prod _{k=1}^{N}{\left[\sqrt{t}{U}_{{kj}}\left(\cos {\theta }_{k}{\sigma }_{j,{\rm{P}}}^{\dagger }-\sin {\theta }_{k}{\sigma }_{j,{{\rm{P}}}_{\perp }}^{\dagger }\right)\right]}^{{d}_{k}}{\left(\sqrt{1-t}{l}_{k}^{\dagger }\right)}^{{\left(\vec{b}\oplus \vec{d}\right)}_{k}}| 0\rangle \end{array}\end{eqnarray} \tag{ B.7 }$$

$$\begin{eqnarray}&&\begin{array}{l}=\,{{\rm{e}}}^{{\rm{i}}(| \vec{b}| -{b}_{1})\phi }\displaystyle \sum _{\displaystyle \genfrac{}{}{0em}{}{g(\vec{d})=0\,{\rm{s}}.{\rm{t}}.}{\vec{d}\wedge \vec{b}=\vec{d}}}^{{2}^{N}-1}{{\rm{e}}}^{{\rm{i}}\displaystyle \frac{2\pi }{M}(j-1)\displaystyle \sum _{k=1}^{N}{d}_{k}(k-1)}{\left(\sqrt{\displaystyle \frac{t}{M}}\right)}^{| \vec{d}| }{\left(\sqrt{1-t}\right)}^{| \vec{b}\oplus \vec{d}| }\\ \quad \times \,\displaystyle \prod _{k=1}^{N}{\left(\cos {\theta }_{k}{\sigma }_{j,{\rm{P}}}^{\dagger }-\sin {\theta }_{k}{\sigma }_{j,{{\rm{P}}}_{\perp }}^{\dagger }\right)}^{{d}_{k}}| 0\rangle \otimes | \vec{b}\oplus \vec{d}{\rangle }_{{l}_{1},\ldots ,{l}_{N}},\end{array}\end{eqnarray} \tag{ B.8 }$$

where we expanded the product in the first line of (B.7) by introducing a sum over the binary vector $\vec{d}$. The sum runs over all the N-bit vectors $\vec{d}$ for which d_k = 0 whenever b_k = 0, for all k –the condition ${d}_{k}\wedge {b}_{k}={d}_{k}\,\forall \,k$. This is to make sure that the kth factor in the first line does not contribute to the expanded product in the second line whenever b_k = 0. The remaining bits of $\vec{d}$ that are not affected by the mentioned condition, can be either 1 or 0. If d_k = 1 we intend that, for this particular term in the sum, the contribution of the kth factor in the first line of (B.7) is given by its first addend ($\sqrt{t}\,{U}_{{kj}}(...)$). While if d_k = 0 and b_k = 1, we mean that the contribution is coming from the second addend ($\sqrt{1-t}\,{l}_{k}^{\dagger }$). The exponents in the second line of (B.7) are chosen according to these rules. Finally, (B.8) is obtained by using the definition of U_kj from figure 1 and by applying the creation operators on the vacuum. We now expand the remaining product in (B.8) with the same technique and obtain the following expression:

$$\begin{eqnarray}\begin{array}{rcl}| \psi {\rangle }_{{\sigma }_{j},l} & = & {{\rm{e}}}^{{\rm{i}}(| \vec{b}| -{b}_{1})\phi }\displaystyle \sum _{\displaystyle \genfrac{}{}{0em}{}{g(\vec{d})=0\,{\rm{s}}.{\rm{t}}.}{\vec{d}\wedge \vec{b}=\vec{d}}}^{{2}^{N}-1}{{\rm{e}}}^{{\rm{i}}\displaystyle \frac{2\pi }{M}(j-1)\displaystyle \sum _{k=1}^{N}{d}_{k}(k-1)}{\left(\sqrt{\displaystyle \frac{t}{M}}\right)}^{| \vec{d}| }{\left(\sqrt{1-t}\right)}^{| \vec{b}\oplus \vec{d}| }\\ & & \times \displaystyle \sum _{\displaystyle \genfrac{}{}{0em}{}{g(\vec{f})=0\,{\rm{s}}.{\rm{t}}.}{\vec{f}\wedge \vec{d}=\vec{f}}}^{{2}^{N}-1}\displaystyle \prod _{k=1}^{N}{\left({\rm{\cos }}{\theta }_{k}\right)}^{{f}_{k}}{\left(-{\rm{\sin }}{\theta }_{k}\right)}^{{\left(\vec{d}\oplus \vec{f}\right)}_{k}}\sqrt{| \vec{f}| !}\sqrt{| \vec{d}\oplus \vec{f}| !}\,| | \vec{f}| {\rangle }_{{\sigma }_{j},{\rm{P}}}\otimes | | \vec{d}\oplus \vec{f}| {\rangle }_{{\sigma }_{j},{{\rm{P}}}_{\perp }}\otimes | \vec{b}\oplus \vec{d}{\rangle }_{{l}_{1},\ldots ,{l}_{N}}\\ & = & {{\rm{e}}}^{{\rm{i}}(| \vec{b}| -{b}_{1})\phi }\displaystyle \sum _{\displaystyle \genfrac{}{}{0em}{}{g(\vec{d})=0\,{\rm{s}}.{\rm{t}}.}{\vec{d}\wedge \vec{b}=\vec{d}}}^{{2}^{N}-1}{{\rm{e}}}^{{\rm{i}}\displaystyle \frac{2\pi }{M}(j-1)\displaystyle \sum _{k=1}^{N}{d}_{k}(k-1)}{\left(\sqrt{\displaystyle \frac{t}{M}}\right)}^{| \vec{d}| }{\left(\sqrt{1-t}\right)}^{| \vec{b}\oplus \vec{d}| }\\ & & \times \displaystyle \sum _{\displaystyle \genfrac{}{}{0em}{}{g(\vec{f})=0\,{\rm{s}}.{\rm{t}}.}{\vec{f}\wedge \vec{d}=\vec{f}}}^{{2}^{N}-1}{\left({\rm{\cos }}\theta \right)}^{| \vec{f}| -{f}_{1}}{\left(-{\rm{\sin }}\theta \right)}^{| \vec{d}\oplus \vec{f}| }{\delta }_{{\left(\vec{d}\oplus \vec{f}\right)}_{1},0}\sqrt{| \vec{f}| !}\sqrt{| \vec{d}\oplus \vec{f}| !}\,| | \vec{f}| {\rangle }_{{\sigma }_{j},{\rm{P}}}\\ & & \otimes | | \vec{d}\oplus \vec{f}| {\rangle }_{{\sigma }_{j},{{\rm{P}}}_{\perp }}\otimes | \vec{b}\oplus \vec{d}{\rangle }_{{l}_{1},\ldots ,{l}_{N}}.\end{array}\end{eqnarray} \tag{ B.9 }$$

We now substitute (B.9) back into (B.6) and note that the effect of the projectors $({\mathrm{id}}_{{\sigma }_{j}}-{P}_{| 0{\rangle }_{{\sigma }_{j}}}){\otimes }_{i\ne j}{P}_{| 0{\rangle }_{{\sigma }_{i}}}$ is to remove the case $g(\vec{d})=0$ from (B.9). Hence we get:

$$\begin{eqnarray}&&\begin{array}{l}({\mathrm{id}}_{{\sigma }_{j}}-{P}_{| 0{\rangle }_{{\sigma }_{j}}}){\otimes }_{{\rm{i}}\ne j}{P}_{| 0{\rangle }_{{\sigma }_{{\rm{i}}}}}| {{\rm{\Phi }}}_{4}\rangle \\ =\,\displaystyle \sum _{g(\vec{b})=1}^{{2}^{N}-1}{q}^{\tfrac{N-| \vec{b}| }{2}}{\left(1-q\right)}^{\tfrac{| \vec{b}| }{2}}{{\rm{e}}}^{{\rm{i}}(| \vec{b}| -{b}_{1})\phi }| \vec{b}{\rangle }_{{A}_{1}...{A}_{N}}\otimes \displaystyle \sum _{\displaystyle \genfrac{}{}{0em}{}{g(\vec{d})=1\,{\rm{s}}.{\rm{t}}.}{\vec{d}\wedge \vec{b}=\vec{d}}}^{{2}^{N}-1}{{\rm{e}}}^{{\rm{i}}\displaystyle \frac{2\pi }{M}(j-1)\displaystyle \sum _{k=1}^{N}{d}_{k}(k-1)}{\left(\sqrt{\displaystyle \frac{t}{M}}\right)}^{| \vec{d}| }{\left(\sqrt{1-t}\right)}^{| \vec{b}\oplus \vec{d}| }\\ \ \times \,\displaystyle \sum _{\displaystyle \genfrac{}{}{0em}{}{g(\vec{f})=0:{f}_{1}={d}_{1}}{\vec{f}\wedge \vec{d}=\vec{f}}}^{{2}^{N}-1}{\left(\cos \theta \right)}^{| \vec{f}| -{f}_{1}}{\left(-\sin \theta \right)}^{| \vec{d}\oplus \vec{f}| }\sqrt{| \vec{f}| !}\sqrt{| \vec{d}\oplus \vec{f}| !}\,| | \vec{f}| {\rangle }_{{\sigma }_{j},{\rm{P}}}\otimes | | \vec{d}\oplus \vec{f}| {\rangle }_{{\sigma }_{j},{{\rm{P}}}_{\perp }}\otimes | \vec{b}\oplus \vec{d}{\rangle }_{{l}_{1},\ldots ,{l}_{N}}.\end{array}\end{eqnarray} \tag{ B.10 }$$

By substituting (B.10) into (B.5) we finally get the state of the qubits conditioned on D_j clicking:

$$\begin{eqnarray}\begin{array}{rcl}{p}_{j}{\rho }_{{A}_{1}...{A}_{N}}^{j} & = & \displaystyle \sum _{g(\vec{b}),g(\vec{b^{\prime} })=1}^{{2}^{N}-1}{q}^{N-\tfrac{| \vec{b}| +| \vec{b^{\prime} }| }{2}}{\left(1-q\right)}^{\tfrac{| \vec{b}| +| \vec{b^{\prime} }| }{2}}{{\rm{e}}}^{{\rm{i}}[| \vec{b}| -| \vec{b^{\prime} }| -({b}_{1}-{b}_{1}^{{\prime} })]\phi }| \vec{b}\rangle \langle \vec{b^{\prime} }| \\ & & \times \displaystyle \sum _{\displaystyle \genfrac{}{}{0em}{}{g(\vec{d}),g(\vec{d^{\prime} })=1:\,\vec{d}\wedge \vec{b}=\vec{d}}{\vec{d^{\prime} }\wedge \vec{b^{\prime} }=\vec{d^{\prime} }}}^{{2}^{N}-1}{{\rm{e}}}^{{\rm{i}}\displaystyle \frac{2\pi }{M}(j-1)\displaystyle \sum _{k=1}^{N}(k-1)({d}_{k}-{d}_{k}^{{\prime} })}{\left(\sqrt{\displaystyle \frac{t}{M}}\right)}^{| \vec{d}| +| \vec{d^{\prime} }| }{\left(\sqrt{1-t}\right)}^{| \vec{b}\oplus \vec{d}| +| \vec{b^{\prime} }\oplus \vec{d^{\prime} }| }\\ & & \times \displaystyle \sum _{\displaystyle \genfrac{}{}{0em}{}{g(\vec{f})=0:{f}_{1}={d}_{1}}{\vec{f}\wedge \vec{d}=\vec{f}}}^{{2}^{N}-1}\displaystyle \sum _{\displaystyle \genfrac{}{}{0em}{}{g(\vec{f^{\prime} })=0:{f}_{1}^{{\prime} }={d}_{1}^{{\prime} }}{\vec{f^{\prime} }\wedge \vec{d^{\prime} }=\vec{f^{\prime} }}}^{{2}^{N}-1}{\left(\cos \theta \right)}^{| \vec{f}| +| \vec{f^{\prime} }| -{f}_{1}-{f}_{1}^{{\prime} }}{\left(-\sin \theta \right)}^{| \vec{d}\oplus \vec{f}| +| \vec{d^{\prime} }\oplus \vec{f^{\prime} }| }\\ & & \times \sqrt{| \vec{f}| !\,| \vec{f^{\prime} }| !\,| \vec{d}\oplus \vec{f}| !\,| \vec{d^{\prime} }\oplus \vec{f^{\prime} }| !}\,{\delta }_{| \vec{f}| ,| \vec{f^{\prime} }| }\,{\delta }_{| \vec{d}\oplus \vec{f}| ,| \vec{d^{\prime} }\oplus \vec{f^{\prime} }| }\,{\delta }_{\vec{b}\oplus \vec{d},\vec{b^{\prime} }\oplus \vec{d^{\prime} }}.\end{array}\end{eqnarray} \tag{ B.11 }$$

We use the Kronecker deltas to reduce the sums over $\vec{d},\vec{d^{\prime} },\vec{f}$ and $\vec{f^{\prime} }$. The third delta fixes the value of $\vec{d^{\prime} }$: $\vec{d^{\prime} }=\vec{b}\oplus \vec{b^{\prime} }\oplus \vec{d}$. The fixed value of $\vec{d^{\prime} }$ combined with the other constraints on this vector imply additional constraints on $\vec{d}$. In particular, $\vec{d^{\prime} }\ne 0$ implies $\vec{d}\ne \vec{b}\oplus \vec{b^{\prime} }$ while $\vec{d^{\prime} }\wedge \vec{b^{\prime} }=\vec{d^{\prime} }$ implies $\vec{b^{\prime} }\wedge (\vec{b}\oplus \vec{d})\,=\vec{b}\oplus \vec{d}$. Finally the first two deltas imply $| \vec{d}| =| \vec{d^{\prime} }|$, which combined with the third delta yields $| \vec{b}| =| \vec{b^{\prime} }|$. Putting everything together allows to simplify (B.11) as follows:

$$\begin{eqnarray}&&\begin{array}{l}{p}_{j}{\rho }_{{A}_{1}...{A}_{N}}^{j}=\displaystyle \sum _{\displaystyle \genfrac{}{}{0em}{}{g(\vec{b}),g(\vec{b^{\prime} })=1}{| \vec{b^{\prime} }| =| \vec{b}| }}^{{2}^{N}-1}{q}^{N-| \vec{b}| }{\left(1-q\right)}^{| \vec{b}| }{{\rm{e}}}^{{\rm{i}}[({b}_{1}^{{\prime} }-{b}_{1})]\phi }| \vec{b}\rangle \langle \vec{b^{\prime} }| \displaystyle \sum _{\vec{d}\in { \mathcal D }(\vec{b},\vec{b^{\prime} })}{{\rm{e}}}^{{\rm{i}}\displaystyle \frac{2\pi }{M}(j-1)\displaystyle \sum _{k=1}^{N}(k-1)({d}_{k}-{b}_{k}\oplus {d}_{k}\oplus {b}_{k}^{{\prime} })}\\ \quad \times \,{\left(\displaystyle \frac{t}{M}\right)}^{| \vec{d}| }{\left(1-t\right)}^{| \vec{b}| -| \vec{d}| }\displaystyle \sum _{\vec{f}\in { \mathcal F }(\vec{d})}^{{2}^{N}-1}\displaystyle \sum _{\vec{f^{\prime} }\in { \mathcal F }^{\prime} (\vec{f},\vec{d},\vec{b},\vec{b^{\prime} })}^{{2}^{N}-1}| \vec{f}| !\,(| \vec{d}| -| \vec{f}| )!{\left(\cos \theta \right)}^{2| \vec{f}| -{d}_{1}-{d}_{1}\oplus {b}_{1}\oplus {b}_{1}^{{\prime} }}{\left(\sin \theta \right)}^{2(| \vec{d}| -| \vec{f}| )},\end{array}\end{eqnarray} \tag{ B.12 }$$

where the sets of binary vectors ${ \mathcal D }(\vec{b},\vec{b^{\prime} }),{ \mathcal F }(\vec{d})$ and ${ \mathcal F }^{\prime} (\vec{f},\vec{d},\vec{b},\vec{b^{\prime} })$ are defined as follows:

$$\begin{eqnarray}&&{ \mathcal D }(\vec{b},\vec{b^{\prime} })=\{\vec{d}\in {g}^{-1}([1,{2}^{N}-1]):\vec{d}\wedge \vec{b}=\vec{d},\,\vec{d}\ne \vec{b}\oplus \vec{b^{\prime} },(\vec{b}\oplus \vec{d})\wedge \vec{b^{\prime} }=\vec{b}\oplus \vec{d}\}\end{eqnarray} \tag{ B.13 }$$

$$\begin{eqnarray}&&{ \mathcal F }(\vec{d})=\{\vec{f}\in {g}^{-1}([0,{2}^{N}-1]):\vec{f}\wedge \vec{d}=\vec{f},\,{f}_{1}={d}_{1}\}\end{eqnarray} \tag{ B.14 }$$

$$\begin{eqnarray}&&{ \mathcal F }^{\prime} (\vec{f},\vec{d},\vec{b},\vec{b^{\prime} })=\{\vec{f^{\prime} }\in {g}^{-1}([0,{2}^{N}-1]):\vec{f^{\prime} }\wedge (\vec{b}\oplus \vec{d}\oplus \vec{b^{\prime} })=\vec{f^{\prime} },\,{f}_{1}^{{\prime} }={b}_{1}\oplus {d}_{1}\oplus {b}_{1}^{{\prime} },\,| \vec{f^{\prime} }| =| \vec{f}| \}.\end{eqnarray} \tag{ B.15 }$$

We can now sum over the vectors $\vec{f^{\prime} }$ since no term depends on them in (B.12):

$$\begin{eqnarray}\begin{array}{rcl}{p}_{j}{\rho }_{{A}_{1}...{A}_{N}}^{j} & = & \displaystyle \sum _{\displaystyle \genfrac{}{}{0em}{}{g(\vec{b}),g(\vec{b^{\prime} })=1}{| \vec{b^{\prime} }| =| \vec{b}| }}^{{2}^{N}-1}{q}^{N-| \vec{b}| }{\left(1-q\right)}^{| \vec{b}| }{{\rm{e}}}^{{\rm{i}}[({b}_{1}^{{\prime} }-{b}_{1})]\phi }| \vec{b}\rangle \langle \vec{b^{\prime} }| \\ & & \times \displaystyle \sum _{\vec{d}\in { \mathcal D }(\vec{b},\vec{b^{\prime} })}{{\rm{e}}}^{{\rm{i}}\displaystyle \frac{2\pi }{M}(j-1){\displaystyle \sum }_{k=1}^{N}(k-1)({d}_{k}-{b}_{k}\oplus {d}_{k}\oplus {b}_{k}^{{\prime} })}{\left(\displaystyle \frac{t}{M}\right)}^{| \vec{d}| }{\left(1-t\right)}^{| \vec{b}| -| \vec{d}| }\\ & & \times \displaystyle \sum _{\vec{f}\in { \mathcal F }(\vec{d})}^{{2}^{N}-1}{\displaystyle \left(\genfrac{}{}{0em}{}{| \vec{b}\oplus \vec{d}\oplus \vec{b^{\prime} }| -{b}_{1}\oplus {d}_{1}\oplus {b}_{1}^{{\prime} }}{| \vec{f}| -{b}_{1}\oplus {d}_{1}\oplus {b}_{1}^{{\prime} }}\right)}^{* }| \vec{f}| !\,(| \vec{d}| -| \vec{f}| )!{\left(\cos \theta \right)}^{2| \vec{f}| -{d}_{1}-{d}_{1}\oplus {b}_{1}\oplus {b}_{1}^{{\prime} }}{\left(\sin \theta \right)}^{2(| \vec{d}| -| \vec{f}| )},\end{array}\end{eqnarray} \tag{ B.16 }$$

where the asterisk on the binomial coefficient means that it is defined as zero if $| \vec{f}| =0$ and ${b}_{1}\oplus {d}_{1}\oplus {b}_{1}^{{\prime} }=1$. Finally, since every term just depends on $| \vec{f}|$, we can sum over all the vectors $\vec{f}$ with equal Hamming weight and obtain the final expression for the conditional state of the qubits when detector D_j clicked:

$$\begin{eqnarray}\begin{array}{rcl}{p}_{j}{\rho }_{{A}_{1}...{A}_{N}}^{j} & = & \displaystyle \sum _{\displaystyle \genfrac{}{}{0em}{}{g(\vec{b}),g(\vec{b^{\prime} })=1}{| \vec{b^{\prime} }| =| \vec{b}| }}^{{2}^{N}-1}{q}^{N-| \vec{b}| }{\left(1-q\right)}^{| \vec{b}| }{{\rm{e}}}^{{\rm{i}}[({b}_{1}^{{\prime} }-{b}_{1})]\phi }| \vec{b}\rangle \langle \vec{b^{\prime} }| \\ & & \times \displaystyle \sum _{\vec{d}\in { \mathcal D }(\vec{b},\vec{b^{\prime} })}{{\rm{e}}}^{{\rm{i}}\displaystyle \frac{2\pi }{M}(j-1)\displaystyle \sum _{k=1}^{N}(k-1)({d}_{k}-{b}_{k}\oplus {d}_{k}\oplus {b}_{k}^{{\prime} })}{\left(\displaystyle \frac{t}{M}\right)}^{| \vec{d}| }{\left(1-t\right)}^{| \vec{b}| -| \vec{d}| }\\ & & \times \displaystyle \sum _{m={d}_{1}}^{| \vec{d}| }\displaystyle \left(\genfrac{}{}{0em}{}{| \vec{d}| -{d}_{1}}{m-{d}_{1}}\right){\displaystyle \left(\genfrac{}{}{0em}{}{| \vec{b}\oplus \vec{d}\oplus \vec{b^{\prime} }| -{b}_{1}\oplus {d}_{1}\oplus {b}_{1}^{{\prime} }}{m-{b}_{1}\oplus {d}_{1}\oplus {b}_{1}^{{\prime} }}\right)}^{* }\\ & & \times m!\,(| \vec{d}| -m)!{\left(\cos \theta \right)}^{2m-{d}_{1}-{d}_{1}\oplus {b}_{1}\oplus {b}_{1}^{{\prime} }}{\left(\sin \theta \right)}^{2(| \vec{d}| -m)}.\end{array}\end{eqnarray} \tag{ B.17 }$$

B.2. Probability of exactly one click

We can now compute the probability p_j of having just one click in detector D_j by simply computing the trace of both sides in (B.17):

$$\begin{eqnarray}\begin{array}{rcl}{p}_{j} & = & \displaystyle \sum _{g(\vec{b})=1}^{{2}^{N}-1}{q}^{N-| \vec{b}| }{\left(1-q\right)}^{| \vec{b}| }\displaystyle \sum _{g(\vec{d})=1:\,\vec{d}\wedge \vec{b}=\vec{d}}^{{2}^{N}-1}{\left(\displaystyle \frac{t}{M}\right)}^{| \vec{d}| }{\left(1-t\right)}^{| \vec{b}| -| \vec{d}| }\\ & & \times \displaystyle \sum _{m={d}_{1}}^{| \vec{d}| }{\left[\displaystyle \left(\genfrac{}{}{0em}{}{| \vec{d}| -{d}_{1}}{m-{d}_{1}}\right)\right]}^{2}m!\,(| \vec{d}| -m)!{\left(\cos \theta \right)}^{2(m-{d}_{1})}{\left(\sin \theta \right)}^{2(| \vec{d}| -m)}.\end{array}\end{eqnarray} \tag{ B.18 }$$

In order to obtain an easier expression to compute, we distinguish the cases: ${b}_{1}=0,{b}_{1}=1$ and the special case $\vec{b}=100...0$:

$$\begin{eqnarray}\begin{array}{rcl}{p}_{j} & = & \displaystyle \sum _{\displaystyle \genfrac{}{}{0em}{}{g(\vec{b})=2}{{b}_{1}=0}}^{{2}^{N}-1}{q}^{N-| \vec{b}| }{\left(1-q\right)}^{| \vec{b}| }\displaystyle \sum _{\displaystyle \genfrac{}{}{0em}{}{g(\vec{d})=2:\,\vec{d}\wedge \vec{b}=\vec{d}}{{d}_{1}=0}}^{{2}^{N}-1}{\left(\displaystyle \frac{t}{M}\right)}^{| \vec{d}| }{\left(1-t\right)}^{| \vec{b}| -| \vec{d}| }\\ & & \times \displaystyle \sum _{m=0}^{| \vec{d}| }{\left[\displaystyle \left(\genfrac{}{}{0em}{}{| \vec{d}| }{m}\right)\right]}^{2}m!(| \vec{d}| -m)!{\left(\cos \theta \right)}^{2m}{\left(\sin \theta \right)}^{2(| \vec{d}| -m)}\\ & & +{q}^{N-1}(1-q)\left(\displaystyle \frac{t}{M}\right)\quad \quad {\rm{(this}}\,{\rm{term}}\,{\rm{comes}}\,{\rm{from:}}\ \vec{b}=100...0,\vec{d}=100...0)\\ & & +\displaystyle \sum _{\displaystyle \genfrac{}{}{0em}{}{g(\vec{b})=3}{{b}_{1}=1}}^{{2}^{N}-1}{q}^{N-| \vec{b}| }{\left(1-q\right)}^{| \vec{b}| }\\ & & \times \left[\displaystyle \sum _{\displaystyle \genfrac{}{}{0em}{}{g(\vec{d})=1:\,\vec{d}\wedge \vec{b}=\vec{d}}{{d}_{1}=1}}^{{2}^{N}-1}{\left(\displaystyle \frac{t}{M}\right)}^{| \vec{d}| }{\left(1-t\right)}^{| \vec{b}| -| \vec{d}| }\displaystyle \sum _{m=1}^{| \vec{d}| }{\left[\displaystyle \left(\genfrac{}{}{0em}{}{| \vec{d}| -1}{m-1}\right)\right]}^{2}m!(| \vec{d}| -m)!{\left(\cos \theta \right)}^{2(m-1)}{\left(\sin \theta \right)}^{2(| \vec{d}| -m)}\right.\\ & & \left.+\displaystyle \sum _{\displaystyle \genfrac{}{}{0em}{}{g(\vec{d})=2:\,\vec{d}\wedge \vec{b}=\vec{d}}{{d}_{1}=0}}^{{2}^{N}-1}{\left(\displaystyle \frac{t}{M}\right)}^{| \vec{d}| }{\left(1-t\right)}^{| \vec{b}| -| \vec{d}| }\displaystyle \sum _{m=0}^{| \vec{d}| }{\left[\displaystyle \left(\genfrac{}{}{0em}{}{| \vec{d}| }{m}\right)\right]}^{2}m!(| \vec{d}| -m)!{\left(\cos \theta \right)}^{2m}{\left(\sin \theta \right)}^{2(| \vec{d}| -m)}\right].\end{array}\end{eqnarray} \tag{ B.19 }$$

We can now partially sum over the vectors $\vec{d}$ since the terms in the sums only depend on the Hamming weight of these vectors:

$$\begin{eqnarray}\begin{array}{rcl}{p}_{j} & = & \displaystyle \sum _{\displaystyle \genfrac{}{}{0em}{}{g(\vec{b})=2}{{b}_{1}=0}}^{{2}^{N}-1}{q}^{N-| \vec{b}| }{\left(1-q\right)}^{| \vec{b}| }\displaystyle \sum _{| \vec{d}| =1}^{| \vec{b}| }\displaystyle \left(\genfrac{}{}{0em}{}{| \vec{b}| }{| \vec{d}| }\right){\left(\displaystyle \frac{t}{M}\right)}^{| \vec{d}| }{\left(1-t\right)}^{| \vec{b}| -| \vec{d}| }\\ & & \times \displaystyle \sum _{m=0}^{| \vec{d}| }{\left[\displaystyle \left(\genfrac{}{}{0em}{}{| \vec{d}| }{m}\right)\right]}^{2}m!(| \vec{d}| -m)!{\left(\cos \theta \right)}^{2m}{\left(\sin \theta \right)}^{2(| \vec{d}| -m)}\,+{q}^{N-1}(1-q)\left(\displaystyle \frac{t}{M}\right)\\ & & +\displaystyle \sum _{\displaystyle \genfrac{}{}{0em}{}{g(\vec{b})=3}{{b}_{1}=1}}^{{2}^{N}-1}{q}^{N-| \vec{b}| }{\left(1-q\right)}^{| \vec{b}| }\\ & & \times \left[\displaystyle \sum _{| \vec{d}| =1}^{| \vec{b}| }\displaystyle \left(\genfrac{}{}{0em}{}{| \vec{b}| -1}{| \vec{d}| -1}\right){\left(\displaystyle \frac{t}{M}\right)}^{| \vec{d}| }{\left(1-t\right)}^{| \vec{b}| -| \vec{d}| }\displaystyle \sum _{m=1}^{| \vec{d}| }{\left[\displaystyle \left(\genfrac{}{}{0em}{}{| \vec{d}| -1}{m-1}\right)\right]}^{2}m!(| \vec{d}| -m)!{\left(\cos \theta \right)}^{2(m-1)}{\left(\sin \theta \right)}^{2(| \vec{d}| -m)}\right.\\ & & \left.+\displaystyle \sum _{| \vec{d}| =1}^{| \vec{b}| -1}\displaystyle \left(\genfrac{}{}{0em}{}{| \vec{b}| -1}{| \vec{d}| }\right){\left(\displaystyle \frac{t}{M}\right)}^{| \vec{d}| }{\left(1-t\right)}^{| \vec{b}| -| \vec{d}| }\displaystyle \sum _{m=0}^{| \vec{d}| }{\left[\displaystyle \left(\genfrac{}{}{0em}{}{| \vec{d}| }{m}\right)\right]}^{2}m!(| \vec{d}| -m)!{\left(\cos \theta \right)}^{2m}{\left(\sin \theta \right)}^{2(| \vec{d}| -m)}\right].\end{array}\end{eqnarray} \tag{ B.20 }$$

By employing the following identity:

$$\begin{eqnarray}&&\begin{array}{l}\displaystyle \sum _{m=0}^{| \vec{d}| }{\left[\displaystyle \left(\genfrac{}{}{0em}{}{| \vec{d}| }{m}\right)\right]}^{2}m!(| \vec{d}| -m)!{\left(\cos \theta \right)}^{2m}{\left(\sin \theta \right)}^{2(| \vec{d}| -m)}=| \vec{d}| !\,\displaystyle \sum _{m=0}^{| \vec{d}| }\displaystyle \left(\genfrac{}{}{0em}{}{| \vec{d}| }{m}\right){\left(\cos \theta \right)}^{2m}{\left(\sin \theta \right)}^{2(| \vec{d}| -m)}\\ \quad =\,| \vec{d}| !{\left({\sin }^{2}\theta +{\cos }^{2}\theta \right)}^{| \vec{d}| }=| \vec{d}| !,\end{array}\end{eqnarray} \tag{ B.21 }$$

both in the second and last row of (B.20), we get the following expression:

$$\begin{eqnarray}\begin{array}{rcl}{p}_{j} & = & \displaystyle \sum _{\displaystyle \genfrac{}{}{0em}{}{g(\vec{b})=2}{{b}_{1}=0}}^{{2}^{N}-1}{q}^{N-| \vec{b}| }{\left(1-q\right)}^{| \vec{b}| }\displaystyle \sum _{l=1}^{| \vec{b}| }\displaystyle \left(\genfrac{}{}{0em}{}{| \vec{b}| }{l}\right){\left(\displaystyle \frac{t}{M}\right)}^{l}{\left(1-t\right)}^{| \vec{b}| -l}l!\,+\,{q}^{N-1}(1-q)\left(\displaystyle \frac{t}{M}\right)+\displaystyle \sum _{\displaystyle \genfrac{}{}{0em}{}{g(\vec{b})=3}{{b}_{1}=1}}^{{2}^{N}-1}{q}^{N-| \vec{b}| }{\left(1-q\right)}^{| \vec{b}| }\\ & & \times \left[\displaystyle \sum _{l=0}^{| \vec{b}| -1}\displaystyle \left(\genfrac{}{}{0em}{}{| \vec{b}| -1}{l}\right){\left(\displaystyle \frac{t}{M}\right)}^{l+1}{\left(1-t\right)}^{| \vec{b}| -l-1}\displaystyle \sum _{m=0}^{l}{\left[\displaystyle \left(\genfrac{}{}{0em}{}{l}{m}\right)\right]}^{2}(m+1)!(l-m)!{\left(\cos \theta \right)}^{2m}{\left(\sin \theta \right)}^{2(l-m)}\right.\\ & & \left.+\displaystyle \sum _{l=1}^{| \vec{b}| -1}\displaystyle \left(\genfrac{}{}{0em}{}{| \vec{b}| -1}{l}\right){\left(\displaystyle \frac{t}{M}\right)}^{l}{\left(1-t\right)}^{| \vec{b}| -l}l!\right].\end{array}\end{eqnarray} \tag{ B.22 }$$

The remaining sum over m can be similarly simplified as follows:

$$\begin{eqnarray}&&\displaystyle \sum _{m=0}^{l}{\left[\displaystyle \left(\genfrac{}{}{0em}{}{l}{m}\right)\right]}^{2}(m+1)!(l-m)!{\left(\cos \theta \right)}^{2m}{\left(\sin \theta \right)}^{2(l-m)}=l!\left(1+l{\cos }^{2}\theta \right).\end{eqnarray} \tag{ B.23 }$$

By substituting (B.23) into (B.22) and by partially summing over vectors $\vec{b}$ we obtain the final expression for the probability that only detector D_j clicks:

$$\begin{eqnarray}\begin{array}{rcl}{p}_{j} & = & {{Nq}}^{N-1}(1-q)\left(\displaystyle \frac{t}{M}\right)\,+\,\displaystyle \sum _{r=2}^{N-1}\displaystyle \left(\genfrac{}{}{0em}{}{N-1}{r}\right){q}^{N-r}{\left(1-q\right)}^{r}\displaystyle \sum _{l=1}^{r}\displaystyle \left(\genfrac{}{}{0em}{}{r}{l}\right){\left(\displaystyle \frac{t}{M}\right)}^{l}{\left(1-t\right)}^{r-l}l!\\ & & +\displaystyle \sum _{r=2}^{N}\displaystyle \left(\genfrac{}{}{0em}{}{N-1}{r-1}\right){q}^{N-r}{\left(1-q\right)}^{r}\left[\displaystyle \sum _{l=1}^{r}\displaystyle \left(\genfrac{}{}{0em}{}{r-1}{l-1}\right){\left(\displaystyle \frac{t}{M}\right)}^{l}{\left(1-t\right)}^{r-l}(l-1)!({\sin }^{2}\theta +l{\cos }^{2}\theta )\right.\\ & & \left.+\displaystyle \sum _{l=1}^{r-1}\displaystyle \left(\genfrac{}{}{0em}{}{r-1}{l}\right){\left(\displaystyle \frac{t}{M}\right)}^{l}{\left(1-t\right)}^{r-l}l!\right].\end{array}\end{eqnarray} \tag{ B.24 }$$

We observe that the probability p_j that only detector D_j clicks is independent of the particular detector because of the symmetric action of the multiport beam splitter.

B.3. QBER

Starting from the conditional state (B.17), we can compute the QBER between Alice₁ and Alice_k's outcomes when they measure their qubit in the eigenbasis of the operator ${O}_{{XY}}({\varphi }_{1})$ and ${O}_{{XY}}({\varphi }_{k})$, respectively, with ${O}_{{XY}}(\varphi )=\cos (\varphi )X+\sin (\varphi )Y$ (X and Y are the Pauli operators). The operator O_XY(φ) has eigenvalues λ = ± 1 and correspondent eigenvectors: $| \lambda {\rangle }_{\varphi }=\tfrac{1}{\sqrt{2}}(| 0\rangle +\lambda {{\rm{e}}}^{{\rm{i}}\varphi }| 1\rangle )$.

To start with, we compute the following quantity:

$$\begin{eqnarray}&&\langle \vec{b^{\prime} }| {P}_{| +1{\rangle }_{{\varphi }_{1}}}^{{A}_{1}}\otimes {P}_{| -1{\rangle }_{{\varphi }_{k}}}^{{A}_{k}}| \vec{b}\rangle =\displaystyle \frac{1}{4}\left({{\rm{e}}}^{{b}_{1}^{{\prime} }{\rm{i}}{\varphi }_{1}}\right)\left({\left(-1\right)}^{{b}_{k}^{{\prime} }}{{\rm{e}}}^{{b}_{k}^{{\prime} }{\rm{i}}{\varphi }_{k}}\right)\left({{\rm{e}}}^{-{b}_{1}{\rm{i}}{\varphi }_{1}}\right)\left({\left(-1\right)}^{{b}_{k}}{{\rm{e}}}^{-{b}_{k}{\rm{i}}{\varphi }_{k}}\right)\,\displaystyle \prod _{l\ne 1,k}{\delta }_{{b}_{l},{b}_{l}^{{\prime} }}\,\end{eqnarray} \tag{ B.25 }$$

and we insert it into the probability that Alice₁ measured the outcome +1 and Alice_k measured the outcome −1, when D_j clicked:

$$\begin{eqnarray}&&\begin{array}{l}\mathrm{Tr}\left[{P}_{| +1{\rangle }_{{\varphi }_{1}}}^{{A}_{1}}\otimes {P}_{| -1{\rangle }_{{\varphi }_{k}}}^{{A}_{k}}{\rho }_{{A}_{1},\ldots ,{A}_{N}}^{j}\right]=\displaystyle \frac{1}{{p}_{j}}\displaystyle \sum _{g(\vec{b})=1}^{{2}^{N}-1}\displaystyle \sum _{\vec{b^{\prime} }\in { \mathcal Q }(\vec{b})}\displaystyle \frac{{\left(-1\right)}^{{b}_{k}+{b}_{k}^{{\prime} }}}{4}{{\rm{e}}}^{{\rm{i}}({b}_{1}^{{\prime} }-{b}_{1})({\varphi }_{1}+\phi )}{{\rm{e}}}^{({b}_{k}^{{\prime} }-{b}_{k}){\rm{i}}{\varphi }_{k}}{q}^{N-| \vec{b}| }{\left(1-q\right)}^{| \vec{b}| }\\ \quad \times \,\displaystyle \sum _{\vec{d}\in { \mathcal D }(\vec{b},\vec{b^{\prime} })}{\left(\displaystyle \frac{t}{M}\right)}^{| \vec{d}| }{\left(1-t\right)}^{| \vec{b}| -| \vec{d}| }{{\rm{e}}}^{{\rm{i}}\displaystyle \frac{2\pi }{M}(j-1)(k-1)({d}_{k}-{b}_{k}\oplus {b}_{k}^{{\prime} }\oplus {d}_{k})}\\ \quad \times \,\displaystyle \sum _{m={d}_{1}}^{| \vec{d}| }\displaystyle \left(\genfrac{}{}{0em}{}{| \vec{d}| -{d}_{1}}{m-{d}_{1}}\right){\displaystyle \left(\genfrac{}{}{0em}{}{| \vec{b}\oplus \vec{d}\oplus \vec{b^{\prime} }| -{b}_{1}\oplus {d}_{1}\oplus {b}_{1}^{{\prime} }}{m-{b}_{1}\oplus {d}_{1}\oplus {b}_{1}^{{\prime} }}\right)}^{* }m!\,(| \vec{d}| -m)!{\left(\cos \theta \right)}^{2m-{d}_{1}-{d}_{1}\oplus {b}_{1}\oplus {b}_{1}^{{\prime} }}{\left(\sin \theta \right)}^{2(| \vec{d}| -m)},\end{array}\end{eqnarray} \tag{ B.26 }$$

where ${ \mathcal Q }(\vec{b})$ is a set of at most 2 binary vectors, defined as: ${ \mathcal Q }(\vec{b})=\{\vec{b},\overline{{b}_{1}}{b}_{2}...\overline{{b}_{k}}...{b}_{N}{\rm{(iff}}\ {b}_{1}\oplus {b}_{k}=1)\}$ ⁶ . This means that the sum over $\vec{b^{\prime} }$ is reduced to just one term, namely $\vec{b^{\prime} }=\vec{b}$, plus the possibility of a second term in which $\vec{b^{\prime} }$ differs from $\vec{b}$ in position 1 and k, as long as the bits of vector $\vec{b}$ differ from each other in those positions. Now we compute the sum over $\vec{b^{\prime} }$ as follows:

$$\begin{eqnarray}&&\begin{array}{l}\mathrm{Tr}\left[{P}_{| +1{\rangle }_{{\varphi }_{1}}}^{{A}_{1}}\otimes {P}_{| -1{\rangle }_{{\varphi }_{k}}}^{{A}_{k}}{\rho }_{{A}_{1},\ldots ,{A}_{N}}^{j}\right]=\displaystyle \frac{1}{{p}_{j}}\left\{\displaystyle \sum _{g(\vec{b})=1}^{{2}^{N}-1}\displaystyle \frac{{q}^{N-| \vec{b}| }{\left(1-q\right)}^{| \vec{b}| }}{4}\displaystyle \sum _{g(\vec{d})=1:\,\vec{d}\wedge \vec{b}=\vec{d}}^{{2}^{N}-1}{\left(\displaystyle \frac{t}{M}\right)}^{| \vec{d}| }{\left(1-t\right)}^{| \vec{b}| -| \vec{d}| }\right.\\ \quad \times \,\displaystyle \sum _{m={d}_{1}}^{| \vec{d}| }{\left[\displaystyle \left(\genfrac{}{}{0em}{}{| \vec{d}| -{d}_{1}}{m-{d}_{1}}\right)\right]}^{2}m!\,(| \vec{d}| -m)!{\left(\cos \theta \right)}^{2(m-{d}_{1})}{\left(\sin \theta \right)}^{2(| \vec{d}| -m)}\\ \quad -\,\displaystyle \sum _{g(\vec{b})=1:\,{b}_{1}\oplus {b}_{k}=1}^{{2}^{N}-1}\displaystyle \frac{{q}^{N-| \vec{b}| }{\left(1-q\right)}^{| \vec{b}| }}{4}{e}^{{\rm{i}}{\left(-1\right)}^{{b}_{1}}({\varphi }_{1}+\phi )+{\rm{i}}{\left(-1\right)}^{{b}_{k}}{\varphi }_{k}+{\rm{i}}\displaystyle \frac{2\pi }{M}(j-1)(k-1){\left(-1\right)}^{{b}_{k}\oplus 1}}\\ \quad \times \,\displaystyle \sum _{\vec{d}\in { \mathcal D }(\vec{b},\overline{{b}_{1}}{b}_{2}...\overline{{b}_{k}}...{b}_{N})}{\left(\displaystyle \frac{t}{M}\right)}^{| \vec{d}| }{\left(1-t\right)}^{| \vec{b}| -| \vec{d}| }\\ \quad \left.\times \,\displaystyle \sum _{m={b}_{1}}^{| \vec{d}| }\displaystyle \left(\genfrac{}{}{0em}{}{| \vec{d}| -{b}_{1}}{m-{b}_{1}}\right){\displaystyle \left(\genfrac{}{}{0em}{}{| \vec{d}| -\overline{{b}_{1}}}{m-\overline{{b}_{1}}}\right)}^{* }m!(| \vec{d}| -m)!{\left(\cos \theta \right)}^{2m-1}{\left(\sin \theta \right)}^{2(| \vec{d}| -m)}\right\},\end{array}\end{eqnarray} \tag{ B.27 }$$

where the set ${ \mathcal D }(\vec{b},\overline{{b}_{1}}{b}_{2}...\overline{{b}_{k}}...{b}_{N})$ simplifies to: ${ \mathcal D }(\vec{b},\overline{{b}_{1}}{b}_{2}...\overline{{b}_{k}}...{b}_{N})=\{\vec{d}\in {g}^{-1}([1,{2}^{N}-1]):\vec{d}\wedge \vec{b}=\vec{d},{d}_{1}={b}_{1},\,{d}_{k}={b}_{k}\}$. We notice that the first addend in (B.27) is proportional to p_j (B.18):

$$\begin{eqnarray}&&\begin{array}{l}\mathrm{Tr}\left[{P}_{| +1{\rangle }_{{\varphi }_{1}}}^{{A}_{1}}\otimes {P}_{| -1{\rangle }_{{\varphi }_{k}}}^{{A}_{k}}{\rho }_{{A}_{1},\ldots ,{A}_{N}}^{j}\right]\\ \quad =\,\displaystyle \frac{1}{4}-\displaystyle \frac{1}{4{p}_{j}}\displaystyle \sum _{g(\vec{b})=1:\,{b}_{1}\oplus {b}_{k}=1}^{{2}^{N}-1}{q}^{N-| \vec{b}| }{\left(1-q\right)}^{| \vec{b}| }{{\rm{e}}}^{{\rm{i}}{\left(-1\right)}^{{b}_{1}}({\varphi }_{1}+\phi )+{\rm{i}}{\left(-1\right)}^{{b}_{k}}{\varphi }_{k}+{\rm{i}}\displaystyle \frac{2\pi }{M}(j-1)(k-1){\left(-1\right)}^{{b}_{k}\oplus 1}}\\ \displaystyle \sum _{\vec{d}\in { \mathcal D }(\vec{b},\overline{{b}_{1}}{b}_{2}...\overline{{b}_{k}}...{b}_{N})}{\left(\displaystyle \frac{t}{M}\right)}^{| \vec{d}| }{\left(1-t\right)}^{| \vec{b}| -| \vec{d}| }\displaystyle \sum _{m={b}_{1}}^{| \vec{d}| }\displaystyle \left(\genfrac{}{}{0em}{}{| \vec{d}| -{b}_{1}}{m-{b}_{1}}\right){\displaystyle \left(\genfrac{}{}{0em}{}{| \vec{d}| -\overline{{b}_{1}}}{m-\overline{{b}_{1}}}\right)}^{* }m!(| \vec{d}| -m)!{\left(\cos \theta \right)}^{2m-1}{\left(\sin \theta \right)}^{2(| \vec{d}| -m)}.\end{array}\end{eqnarray} \tag{ B.28 }$$

Finally, we split the sums over $\vec{b}$ in the two sub-cases: b₁ = 1, b_k = 0 and b₁ = 0, b_k = 1 and we notice that the two contributions differ only in the exponential term. By summing the two contributions, the exponential factor produces a cosine function and one gets:

$$\begin{eqnarray}&&\begin{array}{l}\mathrm{Tr}\left[{P}_{| +1{\rangle }_{{\varphi }_{1}}}^{{A}_{1}}\otimes {P}_{| -1{\rangle }_{{\varphi }_{k}}}^{{A}_{k}}{\rho }_{{A}_{1},\ldots ,{A}_{N}}^{j}\right]=\displaystyle \frac{1}{4}-\displaystyle \frac{2\cos \left[\left({\varphi }_{1}+\phi -{\varphi }_{k})+\tfrac{2\pi }{M}(j-1)(k-1\right)\right]}{4{p}_{j}}\\ \qquad \times \,\displaystyle \sum _{| \vec{b}| =1}^{N-1}\displaystyle \left(\genfrac{}{}{0em}{}{N-2}{| \vec{b}| -1}\right){q}^{N-| \vec{b}| }{\left(1-q\right)}^{| \vec{b}| }\displaystyle \sum _{| \vec{d}| =1}^{| \vec{b}| }\displaystyle \left(\genfrac{}{}{0em}{}{| \vec{b}| -1}{| \vec{d}| -1}\right){\left(\displaystyle \frac{t}{M}\right)}^{| \vec{d}| }{\left(1-t\right)}^{| \vec{b}| -| \vec{d}| }\\ \qquad \times \,\displaystyle \sum _{m=1}^{| \vec{d}| }\displaystyle \left(\genfrac{}{}{0em}{}{| \vec{d}| }{m}\right)\displaystyle \left(\genfrac{}{}{0em}{}{| \vec{d}| -1}{m-1}\right)m!(| \vec{d}| -m)!{\left(\cos \theta \right)}^{2m-1}{\left(\sin \theta \right)}^{2(| \vec{d}| -m)}\\ \quad =\,\displaystyle \frac{1}{4}-\displaystyle \frac{\cos \left[\left({\varphi }_{1}+\phi -{\varphi }_{k})+\tfrac{2\pi }{M}(j-1)(k-1\right)\right]}{2{p}_{j}}\\ \times \displaystyle \sum _{r=0}^{N-2}\displaystyle \left(\genfrac{}{}{0em}{}{N-2}{r}\right){q}^{N-r-1}{\left(1-q\right)}^{r+1}\displaystyle \sum _{l=0}^{r}\displaystyle \left(\genfrac{}{}{0em}{}{r}{l}\right){\left(\displaystyle \frac{t}{M}\right)}^{l+1}{\left(1-t\right)}^{r-l}(l+1)!\displaystyle \sum _{m=0}^{l}\displaystyle \left(\genfrac{}{}{0em}{}{l}{m}\right){\left(\cos \theta \right)}^{2m+1}{\left(\sin \theta \right)}^{2(l-m)}\\ \quad =\,\displaystyle \frac{1}{4}-\displaystyle \frac{1}{2{p}_{j}}\cos \left[\left({\varphi }_{1}+\phi -{\varphi }_{k})+\displaystyle \frac{2\pi }{M}(j-1)(k-1\right)\right]\cos \theta \\ \qquad \times \,\displaystyle \sum _{r=0}^{N-2}\displaystyle \left(\genfrac{}{}{0em}{}{N-2}{r}\right){q}^{N-r-1}{\left(1-q\right)}^{r+1}\displaystyle \sum _{l=0}^{r}\displaystyle \left(\genfrac{}{}{0em}{}{r}{l}\right){\left(\displaystyle \frac{t}{M}\right)}^{l+1}{\left(1-t\right)}^{r-l}(l+1)!\end{array}\end{eqnarray} \tag{ B.29 }$$

In a similar fashion, one computes the probability of A₁ measuring the outcome −1 and A_k measuring the outcome +1 and obtains an identical expression to (B.29). In conclusion, the QBER conditioned on D_j clicking is given by twice the probability given in (B.29).

By fixing the angles φ₁ and φ_k as mentioned in the protocol's description: φ₁ = 0 and ${\varphi }_{k}=\arg ({U}_{{kj}})\,=\tfrac{2\pi }{M}(k-1)(j-1)$ we minimize the QBER and thus increase the secret key rate. This requires Alice_k to adjust her measurement depending on which detector clicked, implying that such measurement does not commute with the operations performed by node C. On the other hand, the QBER is now minimal and reads the same regardless of which couple (A₁, A_k) one considers or which detector D_j clicks:

$$\begin{eqnarray}&&{Q}_{{A}_{1}{A}_{k}}=\displaystyle \frac{1}{2}-\displaystyle \frac{1}{{p}_{j}}\cos \phi \cos \theta \displaystyle \sum _{r=0}^{N-2}\displaystyle \left(\genfrac{}{}{0em}{}{N-2}{r}\right){q}^{N-r-1}{\left(1-q\right)}^{r+1}\displaystyle \sum _{l=0}^{r}\displaystyle \left(\genfrac{}{}{0em}{}{r}{l}\right)(l+1)!{\left(\displaystyle \frac{t}{M}\right)}^{l+1}{\left(1-t\right)}^{r-l},\end{eqnarray} \tag{ B.30 }$$

where p_j is given in (B.24).

B.4. Phase-error rate

Finally we compute the phase-error rate, defined as the probability that the product of the Z-measurement results of all the parties equals +1 (i.e. the qubit of an even number of parties collapsed in state $| 1\rangle$, which corresponds to the outcome Z = −1):

$$\begin{eqnarray}&&{Q}_{Z}=\Pr \left[\displaystyle \prod _{k=1}^{N}{Z}_{{A}_{k}}=1\right]=\mathrm{Tr}\left[\left(\displaystyle \sum _{\displaystyle \genfrac{}{}{0em}{}{g(\vec{f})=3}{| \vec{f}| \,\mathrm{even}}}^{{2}^{N}-1}{P}_{| \vec{f}\rangle }\right){\rho }_{{A}_{1},\ldots ,{A}_{N}}^{j}\right],\end{eqnarray} \tag{ B.31 }$$

where the quantum state ${\rho }_{{A}_{1},\ldots ,{A}_{N}}^{j}$ conditioned on detector D_j clicking is given in (B.17) and the case $g(\vec{f})=0$ is excluded since $| \vec{0}\rangle$ does not appear in (B.17). By following analogous steps to those presented in appendix B.2 we obtain the following expression for the phase-error rate:

$$\begin{eqnarray}\begin{array}{rcl}{Q}_{Z} & = & \displaystyle \frac{1}{{p}_{j}}\displaystyle \sum _{r=1}^{\left\lfloor \tfrac{N-1}{2}\right\rfloor }\displaystyle \left(\genfrac{}{}{0em}{}{N-1}{2r}\right){q}^{N-2r}{\left(1-q\right)}^{2r}\displaystyle \sum _{l=1}^{2r}\displaystyle \left(\genfrac{}{}{0em}{}{2r}{l}\right){\left(\displaystyle \frac{t}{M}\right)}^{l}{\left(1-t\right)}^{2r-l}l!\\ & & +\displaystyle \frac{1}{{p}_{j}}\displaystyle \sum _{r=1}^{\left\lfloor \tfrac{N}{2}\right\rfloor }\displaystyle \left(\genfrac{}{}{0em}{}{N-1}{2r-1}\right){q}^{N-2r}{\left(1-q\right)}^{2r}\left[\displaystyle \sum _{l=1}^{2r-1}\displaystyle \left(\genfrac{}{}{0em}{}{2r-1}{l}\right){\left(\displaystyle \frac{t}{M}\right)}^{l}{\left(1-t\right)}^{2r-l}l!\right.\\ & & \left.+\displaystyle \sum _{l=1}^{2r}\displaystyle \left(\genfrac{}{}{0em}{}{2r-1}{l-1}\right){\left(\displaystyle \frac{t}{M}\right)}^{l}{\left(1-t\right)}^{2r-l}(l-1)!({\sin }^{2}\theta +l{\cos }^{2}\theta )\right].\end{array}\end{eqnarray} \tag{ B.32 }$$

B.5. Dark counts

So far we computed the quantities ${p}_{j},{Q}_{{A}_{1}{A}_{k}}$ and Q_Z assuming that every click in the detectors is due to the arrival of one or more photons. By naming Ω_ph the event in which one or more photons arrive at detector D_j and no other photon arrives at any other detector, we can formally express the computed quantities as:

$$\begin{eqnarray}&&{p}_{j}=\Pr \left({{\rm{\Omega }}}_{\mathrm{ph}}\right),\end{eqnarray} \tag{ B.33 }$$

$$\begin{eqnarray}&&{Q}_{{A}_{1}{A}_{k}}=\Pr \left({A}_{1}\ne {A}_{k}| {{\rm{\Omega }}}_{\mathrm{ph}}\right),\end{eqnarray} \tag{ B.34 }$$

$$\begin{eqnarray}&&{Q}_{Z}=\Pr \left(\displaystyle \prod _{k=1}^{N}{Z}_{{A}_{k}}=1| {{\rm{\Omega }}}_{\mathrm{ph}}\right).\end{eqnarray} \tag{ B.35 }$$

For the setup presented in section 1 and the channel model described at the beginning of this section, the explicit expressions of (B.33), (B.34) and (B.35) are given in (B.24), (B.30) and (B.32), respectively.

We now assume that every detector is characterized by a probability p_d of clicking conditioned on no photon arriving. We also define Ω_click to be the event in which only detector D_j clicks and ${{\rm{\Omega }}}_{\mathrm{no}\mathrm{ph}}$ to be the event in which no photon arrives at any detector. Then, the error rates ${Q}_{{A}_{1}{A}_{k}}^{\mathrm{dc}}$ and ${Q}_{Z}^{\mathrm{dc}}$ and the probability ${p}_{j}^{\mathrm{dc}}$ that enter the key rate formula and that model the correspondent observed quantities read as follows:

$$\begin{eqnarray}&&{p}_{j}^{\mathrm{dc}}=\Pr \left({{\rm{\Omega }}}_{\mathrm{click}}\right)={p}_{j}{\left(1-{p}_{d}\right)}^{M-1}+{p}_{d}{\left(1-{p}_{d}\right)}^{M-1}\Pr ({{\rm{\Omega }}}_{\mathrm{no}\mathrm{ph}})\end{eqnarray} \tag{ B.36 }$$

$$\begin{eqnarray}\begin{array}{rcl}{Q}_{{A}_{1}{A}_{k}}^{\mathrm{dc}} & = & \Pr \left({A}_{1}\ne {A}_{k}| {{\rm{\Omega }}}_{\mathrm{click}}\right)\\ & = & \displaystyle \frac{1}{{p}_{j}^{\mathrm{dc}}}\left[\Pr \left({A}_{1}\ne {A}_{k}| {{\rm{\Omega }}}_{\mathrm{no}\mathrm{ph}}\right)\Pr \left({{\rm{\Omega }}}_{\mathrm{no}\mathrm{ph}}\right){p}_{d}{\left(1-{p}_{d}\right)}^{M-1}+{Q}_{{A}_{1}{A}_{k}}\,{p}_{j}{\left(1-{p}_{d}\right)}^{M-1}\right]\end{array}\end{eqnarray} \tag{ B.37 }$$

$$\begin{eqnarray}\begin{array}{rcl}{Q}_{Z}^{\mathrm{dc}} & = & \Pr \left(\displaystyle \prod _{k=1}^{N}{Z}_{{A}_{k}}=1| {{\rm{\Omega }}}_{\mathrm{click}}\right)\\ & = & \displaystyle \frac{1}{{p}_{j}^{\mathrm{dc}}}\left[\Pr \left(\displaystyle \prod _{k=1}^{N}{Z}_{{A}_{k}}=1| {{\rm{\Omega }}}_{\mathrm{no}\mathrm{ph}}\right)\Pr \left({{\rm{\Omega }}}_{\mathrm{no}\mathrm{ph}}\right){p}_{d}{\left(1-{p}_{d}\right)}^{M-1}+{Q}_{Z}\,{p}_{j}{\left(1-{p}_{d}\right)}^{M-1}\right],\end{array}\end{eqnarray} \tag{ B.38 }$$

where ${p}_{j},{Q}_{{A}_{1}{A}_{k}}$ and Q_Z are defined in (B.33), (B.34) and (B.35), respectively, while the probabilities related to the arrival of no photon read:

$$\begin{eqnarray}&&\Pr \left({{\rm{\Omega }}}_{\mathrm{no}\mathrm{ph}}\right)={\left(q+(1-q)(1-t\right)}^{N}\end{eqnarray} \tag{ B.39 }$$

$$\begin{eqnarray}&&\Pr \left({A}_{1}\ne {A}_{k}| {{\rm{\Omega }}}_{\mathrm{no}\mathrm{ph}}\right)=\displaystyle \frac{1}{2}\end{eqnarray} \tag{ B.40 }$$

$$\begin{eqnarray}&&\Pr \left(\displaystyle \prod _{k=1}^{N}{Z}_{{A}_{k}}=1| {{\rm{\Omega }}}_{\mathrm{no}\mathrm{ph}}\right)=\displaystyle \frac{1}{\Pr \left({{\rm{\Omega }}}_{\mathrm{no}\mathrm{ph}}\right)}\displaystyle \sum _{l=0}^{\left\lfloor \tfrac{N}{2}\right\rfloor }\displaystyle \left(\genfrac{}{}{0em}{}{N}{2l}\right){q}^{N-2l}{\left(1-q\right)}^{2l}{\left(1-t\right)}^{2l}.\end{eqnarray} \tag{ B.41 }$$

The probabilities (B.39), (B.40) and (B.41) are obtained by following similar steps to those presented in this section and that led to the final expressions for ${p}_{j},{Q}_{{A}_{1}{A}_{k}}$ and Q_Z, respectively. The starting point in this case is the conditional state of the qubits when no photon arrived at any detector:

$$\begin{eqnarray}&&\Pr \left({{\rm{\Omega }}}_{\mathrm{no}\mathrm{ph}}\right){\rho }_{{A}_{1}...{A}_{N}}^{\mathrm{no}\,\mathrm{ph}}={\mathrm{Tr}}_{\displaystyle \genfrac{}{}{0em}{}{{\sigma }_{1},\ldots ,{\sigma }_{M}}{{l}_{1},\ldots ,{l}_{N}}}\left[{\otimes }_{i=1}^{M}{P}_{| 0{\rangle }_{{\sigma }_{i}}}| {{\rm{\Phi }}}_{4}\rangle \langle {{\rm{\Phi }}}_{4}| {\otimes }_{i=1}^{M}{P}_{| 0{\rangle }_{{\sigma }_{i}}}\right].\end{eqnarray} \tag{ B.42 }$$

Although we have shown in section 4 that a truly multipartite QKD scheme can outperform the iterative use of any bipartite QKD scheme in the direct-transmission scenario (i.e. the central node is removed), this does not necessarily hold when one has at hand the CKA experimental setup and uses it to perform bipartite QKD protocols. In other words, it might be possible to outperform the multipartite CKA by iteratively executing its bipartite version (fix N = 2 in equation (3.4)) between one selected party and all the other N − 1 users, and then using the established secret keys to encode the final conference key via one-time pad encryption. In this case the asymptotic conference key rate would be $r(2)/(N-1)$ according to the reasoning given at the beginning of section 4, where r(N) is given in (3.4). More generally, it might be advantageous to group the N parties in subsets of equal cardinality, let them perform the CKA within the subset, and then use the secret keys established in each subset to encode the conference key. Since one selected party must belong to every subset in order to distribute the final conference key to the others in a secure way, there are $(N-1)/d$ subsets of d + 1 users each. In this case the asymptotic conference key rate would read: $d\cdot r(d+1)/(N-1)$. In order to investigate which of these configurations yields the highest asymptotic conference key rate, we optimize the rate with respect to the possible subdivisions of the N parties in groups of equal cardinality (i.e. we maximize it with respect to all the divisors d of N − 1):

$$\begin{eqnarray}&&{r}_{\mathrm{opt}}(N)=\mathop{\max }\limits_{d| N-1}\displaystyle \frac{d}{N-1}r(d+1),\end{eqnarray} \tag{ C.1 }$$

which includes the cases where the parties are iteratively performing bipartite protocols (d = 1) and where the N parties are performing the CKA all at once like in figure 2 ($d=N-1$).

In figure C1(a) we plot the optimized conference key rate for N = 5 parties (equation (C.1), solid lines) as a function of the loss in each quantum channel, for different fixed values of the parameter q and a fixed number of input (output) ports of the beam splitter: M = 5. We also plot the direct transmission bound (4.1) for the same number of parties. The correspondent optimal number of parties within each subset depends on the loss and on the value of q, and it is given in figure C1(b).

Zoom In Zoom Out Reset image size

From figure C1(a) we observe that the resulting key rate, although not being optimized over the parameter q, is similar to the N = 5 key rate in figure 2 for most losses, since we fixed q to values close to the optimal ones. Furthermore, it performs better than the standard CKA with five parties in the high-loss region. Indeed, as already explained in figure 2, the effect of dark counts becomes greater when more parties are performing the CKA at the same time. Thus, allowing for a lower number of parties within each subset increases the maximum tolerated loss.

In figure C1(b) we observe that at low losses it is optimal for the five parties to perform a truly multipartite scheme rather than iteratively performing bipartite protocols. The reason is that in the ideal scenario of extremely low losses ($t\longrightarrow 1$) and q close to 1, there is only one party successfully sending one photon to the central node to be detected. In this case the post-selected state shared by the parties is the W-class state used for establishing the secret key. Of course, there are more chances that this event is going to happen when more parties are involved, thus a multipartite scheme is advantageous with respect to an iteration of bipartite schemes. One can see this also analytically, by showing that the asymptotic rate (3.4) of the CKA performed by N parties all at once can be approximated as follows (when the above assumptions hold):

$$\begin{eqnarray}&&r(N)\simeq {{Nq}}^{N-1}(1-q)t\left[1-h\left(\displaystyle \frac{1}{2}-\displaystyle \frac{1}{N}\right)\right],\end{eqnarray} \tag{ C.2 }$$

while the rate achieved by subdividing the task in N − 1 bipartite schemes is:

$$\begin{eqnarray}&&{r}_{\mathrm{bipartite}}(N)\simeq \displaystyle \frac{2q(1-q)t}{N-1}.\end{eqnarray} \tag{ C.3 }$$

By numerically comparing (C.2) with (C.3) for sufficiently high values of q, one notices that the former results in a higher key rate. When the value of q decreases, the probability that two or more parties send their photon to the central node increases, reducing the key rate. Being such events more likely when more parties are involved, the iterative execution of bipartite schemes is favored. Similarly, increasing the loss transforms the same events—which are more likely with more parties—from neglected events (if they cause double clicks) to harmful events (when some photons get lost in the transmission), thus favoring the iteration of schemes with a low number of parties.