Continuous-variable ramp quantum secret sharing with Gaussian states and operations

Our aim is to formulate continuous-variable quantum secret sharing as a continuous-variable ramp quantum secret sharing protocol, provide a certification procedure for it and explain the criteria for the certification. Here we introduce a technique for certifying continuous-variable ramp quantum secret-sharing schemes in the framework of quantum interactive-proof systems. We devise pseudocodes in order to represent the sequence of steps taken to solve the certification problem. Furthermore, we derive the expression for quantum mutual information between the quantum secret extracted by any multi-player structure and the share held by the referee corresponding to the Tyc-Rowe-Sanders continuous-variable quantum secret-sharing scheme. We solve by converting the Tyc-Rowe-Sanders position representation for the state into a Wigner function from which the covariance matrix can be found, then insert the covariance matrix into the standard formula for continuous-variable quantum mutual information to obtain quantum mutual information in terms of squeezing. Our quantum mutual information result quantifies the leakage of the ramp quantum secret-sharing schemes.


Introduction
Secret sharing (SS) is an information theoretically secure cryptographic protocol that is applicable to online auctions, electronic voting, shared electronic banking and cooperative activation in the classical domain [1], and distributed quantum computing in the quantum regime [2]. Ramp classical [3,4] and quantum [5,6] secretsharing (SS) schemes were proposed to reduce the communication complexity by the sacrifice of security conditions. Continuous-variable quantum secret sharing (CV QSS) [7,8,9] has been formulated in the framework of discrete-variable quantum SS schemes [10], which does not accommodate the quantum-information leakage inherent in continuous representations of quantum information. Our aim is to formulate CV QSS as a continuous-variable (CV) ramp quantum secret sharing (RQSS) protocol and introduce a technique to certify the protocol.
In order to reach our aims, we introduce four advances in our work. We develop the quantum mutual-information approach to the continuous-variable regime for arXiv:1904.09506v1 [quant-ph] 20 Apr 2019 evaluating the security of CV QSS schemes. We derive quantum mutual information between referee and any multi-player structure corresponding to the Tyc-Rowe-Sanders (TRS03) CV QSS scheme [7]. Furthermore, we introduce a certification technique for CV QSS in the framework of quantum-interactive proofs [11,12,13] and demonstrating the necessity of it being a RQSS scheme. Also we give an upper bound for the failure probability in terms of the number of experimental runs from which the referee knows how many rounds are required to have sufficient information.
We focus on the "quantum-quantum" (QQ) SS schemes [10] (in which the secret is a quantum state and communication occurs over quantum channels) because the "classical quantum" (CQ) SS schemes (which is for sharing a classical message over quantum channels) [14,15], can be simulated by QKD and classical secret sharing [16]. The QQ case was extended to CV regime by Tyc and Sanders [8] and has been realized experimentally for three players, any two of whom are authorized to extract the secret state [9,17]. Importantly, TRS03 later showed that the continuousvariable quantum state sharing could be extended to a (k, n) threshold scheme (a class of QSS schemes in which the authorized structure consists of all groups of k or more players while there are n players in total [10]), without a corresponding scale up in quantum resources.
Whereas conditional entropy is employed for evaluating the security of CC schemes, quantum mutual information is needed for the quantum case [18]. Quantum mutual information has been used as a means to evaluate the secrecy condition of Cleve-Gottesman-Lo QSS in the (2, 3) case [18]. TRS03 characterized the quality of secret extraction for their scheme by calculating the fidelity in terms of squeezing parameter between the original and the extracted secret for an arbitrary coherent state as the secret. However, fidelity is not a distance measure [19].
Hence, we develop the alternative and more meaningful quantum mutualinformation approach for evaluating the CV QSS security. Restricting to Gaussian states and operations allows all the calculation to be performed within the convenient framework of the semidirect product which is the continuous-variable Clifford group, with Sp (2n, R) the symplectic group and HW(2n, R) the Heisenberg-Weyl group for n modes [20]. This representation makes calculations tractable but ignores potentially powerful non-Gaussian operations [21].
Our paper is organized as follows. In §2, we briefly review the theoretical background on continuous-variable quantum information with Gaussian states and Gaussian operations, mutual information and discrete-variable ramp quantum SS protocols. We detail our approach in §3. The mathematical results are presented in §4. We conclude with a discussion of our results in §5.

Background
This section provides the required context to tackle the problem which is solved in this paper. We begin the section by theoretical background on continuous-variable quantum information with Gaussian states and Gaussian operations. Then we discuss quantum mutual information, which is a necessary tool for defining and evaluating quantum SS schemes. Finally, we discuss basic results of RQSS schemes.

Continuous-variable quantum information with Gaussian states and Gaussian operations
In this subsection, we begin by introducing Gaussian states [22] and some of their important properties. Then we explain the Gaussian preserving maps, which preserve the Gaussian property of quantum states. Finally, we discuss continuousvariable quantum secret sharing based on TRS03 CV QSS scheme.
2.1.1. Gaussian states A continuous-variable quantum state is an continuously parameterized element of Hilbert space described by observables with continuous eigenspectra. Typically, a continuous-variable quantum state is described by n bosonic modes, associated with a tensor-product Hilbert space i.e., square integrable complex-valued functions over R N and a vector of quadrature operatorsx := (q 1 ,p 1 , ...,q n ,p n ) for denoting transpose. The vectorx satisfies the commutation relation known as the symplectic form. An arbitrary continuous-variable quantum state is characterized by a density operator where S(H ) is the set of positive semidefinite trace-class operators. These positive trace-class operators can be represented by the Wigner function [23] for being the the Wigner characteristic function and being the Weyl operator. Wigner functions are particularly useful for calculating expectation values of symmetrically ordered functionsq andp denoted by S q bpd , with S denoting symmetric ordering, and with expectation value Thus far, we have the Wigner representation for any state; now we restrict to Gaussian states. A Gaussian state is defined to be a state whose Wigner representation is Gaussian. A Gaussian state can be completely characterized by its first moment x = tr xρ and covariance matrix V . The covariance matrix entries are with {, } the anticommutator. The symplectic manipulation of a Gaussian state's covariance matrix can be used to express its fundamental properties. By definition, a 2n × 2n real-valued matrix S is called symplectic if it preserves the symplectic form of Eq. (3); i.e., SΩS = Ω. (11) According to the Williamson theorem [24], each covariance matrix V has a corresponding symplectic transformation S satisfying with symplectic spectrum defined by the vector ν := (ν 1 , . . . , ν n ) (13) unique to each V and satisfying As an example, a two-mode Gaussian state has covariance matrix Continuous-variable ramp quantum secret sharing with Gaussian states and operations 5 The symplectic spectrum is [25] where As Gaussian states are easy to describe mathematically, a large class of transformations acting on such states are easy to characterize as well. In the next section, we discuss this class of transformations called Gaussian preserving maps.
where S (10) is the matrix representation of the symplectic group. The most general form of a Gaussian map in terms of its action on the statistical momentsx and V is A special class of Gaussian maps are linear canonical point transformations, for which the positions and momenta transform separately and do not mix [26]. For single-mode squeezing we have the infinite-dimensional unitary representation [27] S and for two-mode squeezing we have the infinite-dimensional unitary representation A two-mode squeezed vacuum (TMSV) state is mathematically represented as [27] |ζ TMSV := S 2 (ζ) |0 , ζ ∈ C.
In the next section, we explain TRS03 continuous-variable quantum SS scheme in which the Gaussian maps are used for encoding and decoding.

Continuous-variable quantum secret sharing
In this subsection, we explain the TRS03 CV QSS scheme. In a (k, 2k − 1)-threshold scheme, the dealer possesses a pure secret state |ψ ∈ H and encodes the quantum secret into an entangled state of 2k − 1 modes of the electromagnetic field by combining it with 2k − 2 ancillary states. The dealer then distributes them among the n players, each of whom receive one share, and at least k players must combine their shares in an active interferometer to extract the secret state. Let H (2k−1) be the tensor product of 2k − 1 copies of H (1) and each player owns one of these copies. Let us define F 2k−1 as the real linear space of coordinate functions for R 2k−1 . Then a system of Euclidean coordinates is equivalent to choosing an orthonormal basis of coordinate functions such that with x i the i th coordinate of x (24), and f i · f j = δ ij . Initially, the dealer starts with an unentangled tensor product |Ψ = |ψ ⊗ |φ a ⊗ · · · ⊗ |φ a k−1 ⊗ |φ 1/a ⊗ · · · ⊗ |φ 1/a where |ψ is the secret state and Let us write this state as where The dealer then performs the encoding using a linear canonical point transformation Continuous-variable ramp quantum secret sharing with Gaussian states and operations 7 The corresponding unitary transformation then maps the state |Ψ to The dealer, however, has to choose {g i } such that any k players are able to disentangle the secret state but that fewer is unable to do so. For this purpose, in the case of sufficiently large a, only the orthogonal projection ι i of each vector g i into the space spanned by the vectors { f 1 , . . . , f 2k−1 } is important. The vectors {g i } then must be chosen such that any k vectors from the set { f 1 , ι 1 , . . . , ι 2k−1 } are linearly independent. This linear independence condition guarantees that any k players are able to extract the secret. For convenience, let us express F 2k−1 ∈ R 2k−1 as a direct sum of three mutually orthogonal subspaces where X is the one-dimensional space spanned by f 1 and Y and Z are k − 1dimensional spaces spanned by { f 2 , . . . , f k } and { f k+1 , . . . , f 2k−1 }, respectively. Now let us relabel {x i } coordinates as (x, y i , z i ) coordinates with The wavefunction Ψ is then Without loss of generality, the first k players collaborate to retrieve the quantum secret. The players then make the linear coordinate transformation assuming ξ i = g i for all i > k. For convenience, let us define a decomposition for every vector ξ i as a sum of three mutually orthogonal vectors, each of which belongs to subspaces X, Y and Z Equivalently, we can write In the case that the vectors g i are chosen in such a way that any k vectors from the set { f 1 , ι 1 , . . . , ι 2k−1 } are linearly independent, the players can design the transformation g i → ξ i such that where i ∈ {1, . . . , k − 1}. Then transformation (39) extracts the secret for sufficiently large values of parameter a.

Mutual information
Here we review the key notions of mutual information, which is the method for quantifying information security and defining quantum secret sharing. We begin by presenting salient facts about Shannon and von Neumann entropy followed by requisite knowledge concerning classical and quantum mutual information. Finally, in this subsection, we discuss the security for discrete quantum secret sharing as our aim is to analyze security for continuous-variable quantum secret sharing.

Shannon and von Neumann entropy
Here we review Shannon and von Neumann entropy as these notions of entropy underpin the formulation of classical and quantum mutual information. This subsubsection also helps to elucidate the compact notation we use throughout this paper.
Shannon entropy. Let Z be a statistical ensemble defined by a classical random variable z and its associated probability distribution {p j } = {p 1 , . . . , p n }, which can be expressed as a probability vector p = (p 1 , . . . , p n ) . The logarithm of this vector (always using base 2 here) is log p := (log p j ).
Using the Hadamard (elementwise) product a • b := (a i b i ) [28] for vectors and the sum of such elements a b := ∑ i a i b i , the Shannon entropy is Thus, H Sh yields the number of bits per letter needed to completely specify Z in the asymptotic limit of infinitely long strings [29]. Shannon entropy is thus a measure for the uncertainty of z or it indicates how much information each letter in the string that uses the alphabet Z carries.

Von Neumann entropy
In the same vein, the information content of a quantum state ρ (5) can be quantified by determining how many qubits are needed to represent state ρ in the asymptotic limit of an infinite ensemble of physical systems. This quantum-information content, known as the von Neumann entropy [30], amounts to computing a classical Shannon entropy (41) for spec ρ a vector comprising eigenvalues of the state ρ.
These entropy expressions are used in the formulae for mutual information.
Convenient notation for states in entropy formulae A convenient notation for entropy, which is independent of being classical or quantum, uses a label for the classical or quantum state. Rather than specify the state as p classically or ρ quantumly, we label the state by a capital letter such as A and B, with these labels commensurate with the usual Alice-and-Bob nomenclature in cryptology [32].
Conditional entropy. Labelling the joint state held by A and B as AB, the conditional entropy is abstractly expressed as for any valid formula for entropy, whether classical (41) or quantum (42).
Classical conditional entropy. The classical conditional entropy [33] is obtained from Eq. (45) by replacing for p A the distribution held by A. Similarly, we replace and H (A|B) quantifies the correlation between A and B as the reduction of the number of bits per letter needed to specify A given B is known.
Quantum conditional entropy. The quantum conditional entropy [19] is obtained from Eq. (45) by replacing for ρ A the quantum state held by A. Similarly, we replace and Although classical conditional entropy is always positive, for evaluatingquantum conditional entropy can be negative [34].

Classical and quantum mutual information
We explain classical mutual information [33] and quantum mutual information [19], first as an abstract concept regardless of whether classical or quantum information is chosen. Then we explain each of classical and quantum mutual information. Quantum mutual information is vital for evaluating security for secret sharing.
Mutual information. Labelling the joint state held by A and B as AB, mutual information is abstractly expressed as for any valid formula for entropy, whether classical (41) or quantum (42). Classical mutual information [19] is obtained from Eq. (52) by replacing as discussed in ¶2.2.1. Classical mutual information quantifies the correlation between two statistical ensembles A and B as the reduction of the number of bits per letter needed to specify one of the variables given the other variable is known.
Quantum mutual information. The quantum mutual information [19] is obtained from Eq. (52) by replacing for ρ A the quantum state held by A. Similarly, we replace and Quantum mutual information is always positive and quantifies the total correlations contained in the bipartite state ρ AB . Quantum mutual information is employed to define and evaluate the security of quantum secret-sharing schemes (QSS).
Relation between conditional entropy and mutual information. The relation between conditional entropy and mutual information is for any valid formula for entropy, whether classical (41) or quantum (42). The relation between classical mutual information and classical conditional entropy is obtained from Eq. (58) by replacing The relation between quantum mutual information and quantum conditional entropy is obtained from Eq. (58) by replacing

Classical and quantum secret sharing
In this subsubsection, we explain classical and quantum secret-sharing protocols. We begin by establishing the agents of the protocol namely dealer and players and the structures corresponding to the set of players. Afterwards, we explain classical secret-sharing schemes along with classical secrecy and recoverability conditions corresponding to them. Then we define quantum secret sharing and provide the secrecy and recoverability conditions corresponding to them based on quantum mutual information.
Dealer and players. We establish the agents of the protocol and the structures corresponding to sets of players, who are one kind of agent. Specifically, secret sharing comprises n + 1 agents, namely one dealer D and n players labelled The power set of players is 2 P , which is the set of all subsets of the set of players (63). The role of the dealer is to encode the secret message S ∈ {0, 1} * (classically) or ρ s ∈ S (H ) (5) quantumly, into n shares and distributes them among players in such a way that specific elements of 2 P form the authorized structure A to retrieve the secret message whereas other elements are denied any information about the secret whatsoever. The set of elements that are denied any information is known as the forbidden structure F .
where F is monotonically decreasing and A is monotonically increasing, and Then the set is the access structure on P. Quantumly, the no-cloning theorem implies that the existence of two disjoint authorized group is forbidden [35].
Secret-sharing protocol. Let H be a Hilbert space and let S(H ) be all density operators on a Hilbert space H . In a quantum secret-sharing scheme, the dealer's task is to encrypt a quantum secret ρ s ∈ S (H ) into a composite system of Hilbert spaces each of which is called a share labelled by S 1 , S 2 , . . . , S n . Let be the entire set of shares and be the corresponding Hilbert space. The dealer then distributes the shares among players (63). For a subset A ⊆ N of shares the QSS encoding is which is a completely positive and trace preserving map [5].
The composition map of the encoder W N for a subset X ⊆ N, and the partial trace of the complement N \ X is A QSS scheme is then defined by the quantum operation W N (71) that is reversible with respect to S(H ). The set N is divided into two mutually disjoint structures A and F [5].
The arguments so far are valid in the classical cases, which is verified by replacing the corresponding notions with the classical ones [5].
Classical secrecy and recoverability conditions. Classical secrecy is expressed in terms of conditional entropy but equivalently can be expressed in terms of mutual information. Strictly speaking, conditional entropy is between shares. However, for simplicity, in the literature there is a tendency to refer to conditional entropy between players. Π is a perfect SS scheme on Γ if Quantum secrecy and recoverabiliy conditions. Here we discuss quantum secrecy conditions in terms of quantum mutual information. Strictly speaking, quantum mutual information is between shares. However, for simplicity, in the literature there is a tendency to refer to quantum mutual information between players. We can imagine that the system ρ s is part of a larger system and that this compound system is initially in a pure state |ψ RS . Therefore, In a QSS, if a subset X ∈ 2 P satisfies then ρ X does not contain any information about ρ s [18]. On the other hand, if a subset X satisfies then X contains full information about ρ s [18].
Access structure. Specific subsets of players form the authorized structure to retrieve the message whereas the other subsets, i.e., the forbidden structure are denied any information about the secret whatsoever. We define the QSS access structure as Threshold secret sharing. ((k, n)) threshold QSS schemes are a class of QSS schemes in which the authorized structure comprises all groups of k or more players while there are n players in total (the use of double parentheses distinguishes it from a classical scheme). ((k, n)) quantum threshold schemes exists provided no-cloning theorem is satisfied [35]. Any quantum secret sharing scheme can be reduced to ((k, 2k − 1)) threshold schemes [35]. In QSS schemes, the size of shares allocated to each player must be at least as large as the size of the secret [35,5].

Ramp quantum secret-sharing scheme
As an extension of (k, n)-threshold SS schemes discussed in ¶2.2.3, ramp secretsharing (RSS) schemes were proposed by Blakley-Meadows [3] and Yamamoto [4]. In RSS schemes, the dimension of each share is reduced compared to that of the original system by sacrifice security for admitting the intermediate property for some sets of shares, which are denoted as intermediate sets.
In a (k, L, n) threshold RSS scheme, any k or more players are able to fully reconstruct the secret s, whereas any k − L or less players are denied to obtain any information of it. Furthermore, from arbitrary k − j shares for j ∈ {1, . . . , L − 1}, some information of the secret leak out with the size of j L in s. A QSS scheme W N is called perfect if any set X ⊆ N is either authorized or forbidden. Otherwise, W N is a RQSS scheme. The access structure of a RQSS scheme is the list of the forbidden, intermediate, and authorized sets. A set X ⊆ N is called intermediate if W X is neither vanishing nor reversible with respect to D(H ) [5]. Formally, the access structure of the set N is defined by a map where 0, 1 and 2 represent F ,I and A, respectively. Now that we have the essential background, we proceed in the next section to explain our approach to CVRQSS.

Approach
In this section, we introduce a CV RQSS protocol and explain how to certify. We discuss the success criterion of the certification protocol. Furthermore, we specify what the parties need to do to complete the certification.

Continuous-variable ramp quantum secret-sharing protocol with Gaussian states and operations
Here we modify the discrete-variable RQSS protocol discussed in §2.3 into a continuous-variable counterpart. We choose Gaussian states and operations, which are convenient mathematically due to the elegance of techniques based on the semidirect product of the symplectic group and the Heisenberg-Weyl group (1). However, the price paid for this convenience is discarding potentially powerful universal operations [21]. Whereas, in the discrete case, specification of number of players and threshold condition L suffices to determine the cardinality of the three structures, the CV case is more complicated due to squeezing limitations.

Quantum-optical resources
The optical realization comprises displacers that generate Heisenberg-Weyl group elements and single-mode squeezers, passive beam-splitters and phase-shifters that generate the semidirect product of the symplectic group (1). The inputs are vacuum states of light. For the closed disk the dealer's and players' single-mode squeezers (20) have limited squeezing capability corresponding to ζ ∈ D s , with s = s D max for the dealer and s = s P max for the player.

Dealer's task
Here we specify the dealer's task in the RQSS protocol. Dealer's tasks include preparing a quantum secret, choosing an access structure, encoding the quantum secret and distributing shares.
Two-mode squeezed-vacuum source. The dealer prepares a TMSV state (23) drawn randomly from the uncountable set The dealer's task is to encode one mode of this quantum state into an n-mode entangled state by mixing it with n − 1 ancillary states in an n-mode active interferometer. The dealer then sends one share to each of the players in such a way that the elements of power set of players are divided into three predetermined mutually disjoint sets known as authorized, intermediate and forbidden structures.
In order for the dealer to prepare the TMSV randomly, first, he needs to decide the complex two-mode squeezing parameter ζ = se iθ (22), where s is bounded by s D max . The dealer generates two random numbers a, b ∈ [0, 1]. Then the dealer assigns Choosing a useful, feasible access structure. The dealer chooses an access structure Γ based on the desired application. The dealer then runs an algorithm that accepts Γ, covariance matrix of TMSV state V , s D max and s P max as input and yields the encoding transformation or else null as the output. The dealer then performs the encoding transformation and distributes the shares among players.

Players' task
The players' task in any authorized set is to reconstruct the quantum secret. One player is assigned to hold the secret after reconstruction. The aforementioned player forms a structure with other players in the authorized set who perform a Gaussian unitary operation on their shares such that the state of the share belonging to the assigned player become the same as the original secret state. The players in any intermediate set are allowed to partially reconstruct the secret state. Furthermore, the players in a forbidden structure should not gain any information about the quantum secret whatsoever.

Certification protocol
In this subsection we introduce a certification protocol that ascertains whether the RQSS protocol succeeds. The success criterion is discussed in this subsection. We specify what the parties need to do to complete the certification.

Agents and resources
In this subsection, we establish the agents of the certification protocol, namely, the dealer, the players and the referee who serves as skeptical certifier. Furthermore, we specify available resources for each party.
The dealer and players share trusted error-free classical and quantum communication channels between each other, and the referee also shares trusted error-free classical and quantum communication channels with each player and with the dealer. In our continuous-variable setting, the referee possesses singlemode homodyne detectors [22]. Henceforth, we only refer explicitly to homodyne measurement, without loss of generality. The dealer possesses a classical computer to choose the access structure Γ discussed in ¶3.1.2, and the referee possesses a classical computer to run the certification algorithm.

Dealer's encoding and announcement
The dealer chooses an access structure Γ discussed in ¶3.1.2 and announces Γ to the players and to the referee. The dealer encodes shares based on the choice of Γ and the quantum secret, such as a randomly chosen state in the parameter disk (81), and announces this encoding to the players.

Rounds
In this subsubsection, we define 'rounds', which are repetitions of the protocol between the dealer, players and referees. The concept for these rounds is depicted in Fig. 1. First the dealer prepare a suitable two-mode Gaussian state, Figure 1: Two-mode entangled state with one share, or mode, sent directly to the referee and the other share encoded for the players. The referee requests a subset of players to decode their shares and send this result to the referee who decides whether they have succeeded or not. which is the same two-mode Gaussian state for all rounds, and sends one mode to the referee and the other mode into an encoder, which is also unchanging over all rounds. This encoder creates shares that are sent to each player.
After the shares are received by players, the referee requests a subset of players, which can be authorized, forbidden or intermediate, to try to reconstruct the quantum secret and then send their shares to the referee. The referee then performs single-mode homodyne measurements and save the measurement results. Rounds continue until the referee permits the dealer and players to stop.

3.2.4.
Referee's certification strategy The referee's task is to certify the protocol by ascertaining the dealer's announcement that the access structure is the announced Γ. The referee conducts tests by requiring many rounds per instance, with each instance corresponding to testing whether a fixed subset of players is in A, I or F structures determined by Γ. Due to the statistical nature of the test, the referee cannot be 100% sure that the inference is correct; rather the referee makes a decision if the probability of being correct exceeds some threshold value, itself strictly greater than 1/2.
Sufficiency condition. When a sufficiency condition is met to ascertain whether the subset of players are determined to be in a structure compatible with the dealer's announced Γ, the referee instructs the players to stop. If that instance passes the test, the referee announces a new subset of players to test and the rounds repeat until the referee has enough data to pass the sufficiency test. If the instance results in the dealer and players failing, the procedure stops as the team of dealer and players has failed the test. The dealer and players pass only if every instance passes.

Summary of approach
Here we modified the discrete-variable RQSS protocol as the CV counterpart in the case of Gaussian states and operations. Furthermore, we introduced a certification protocol that ascertains whether the RQSS protocol succeeds. Also we discussed the success criterion and we specified what the parties need to do to complete the certification.

Results
In this section we present our main results. Our first result is a CV version of quantum mutual information. This CV quantum mutual information is then used to quantify quantum-information leakage for Gaussian states and operations. Based on this leakage characterization, we introduce a certification test, in the framework of quantum-interactive proofs, and provide a practical test to implement this test.

CV quantum mutual information
In this subsection, we develop the quantum mutual information for the CV RQSS quantum access structures and employ it to quantify quantum-information leakage for Gaussian states and operations. We define I corresponding to CV RQSS protocols based on quantum mutual information.
Let |ψ RS be a pure two-mode Gaussian state and let the quantum secret be ρ s (73). Then and A and F are obtained from Eqs. (76) and (77), respectively. We now calculate mutual information between the referee and any multiplayer structure for TRS03. Specifically, we consider a two-mode entangled state (80) such that one mode is used for the secret and the other mode is used for the reference system. We choose this system because that way the referee can do a sensitive entanglement check to verify that the reconstructed state is entangled with a reference system as it should be. To simplify matters, without loss of generality, we investigate in particular a TMSV with one mode being the quantum secret and the other mode being the reference system.
We solve the quantum mutual information between an extracted secret obtained by any player structure with k elements and the reference system. In order to do so, by using Eq. (5), we transform the density function of the reference system and the extracted secret (A.4) into a Gaussian Wigner function represented by a mean vector and a covariance matrix from which the symplectic eigenvalues (13) are calculated.
The symplectic eigenvalues (13) are inserted into Eq. (44) in order to calculate the local and global von Neumann entropy of the extracted secret and reference system from which the quantum mutual information is solved (52). Figure 2 shows the resultant quantum mutual information versus squeezing parameter in the case of |ζ| = 2. In §4.2 we employ the CV quantum mutual-information approach to introduce a certification technique for CV RQSS schemes.

Certification test for RQSS protocols
In this subsection, we establish our model for certification tests. Specifically, we introduce certification tests for A, F and I, respectively.
RQSS certification for A. Let I A T be a threshold quantum mutual information chosen by the referee. This quantum mutual information quantifies the minimum knowledge that players in an access structure are able to obtain about the secret. Let β > 0 be a maximum failure probability. A test, which receives copies of some X as input, and yields accept or reject, is a test for certifying whether X ∈ A, if, with probability at least 1 − β, it both rejects every ρ X for which These conditions correspond to soundness (84) and completeness (85) [11,12,13].
RQSS certification for F . Let I F T be a threshold quantum mutual information chosen by the referee, which quantifies the maximum knowledge that players in the forbidden structure can obtain about the secret. A test, which receives as input copies of some ρ X , and yields accept or reject, is a certification test for certifying whether X ∈ F , if, with probability at least 1 − β, it both accepts every X for which and rejects a different ρ X for These conditions are completeness (86) and soundness (87).
RQSS certification for I. A test that receives copies of some X as input and yields accept or reject certifies whether X ∈ I if, for a least probability 1 − β, it both rejects every X for or and accepts if Conditions (88) and 89) are soundness and condition (90) is completeness. In the next subsection we employ our certification model to propose a practical test to ascertain RQSS protocols.

Practical realization of the certification test
In this subsection, we propose a practical algorithm, for determining if X is in A, I or F . We prove propositions that the algorithm is both sound and complete. Furthermore, we provide a sufficiency test for the referee to know how many runs are required for her to have sufficient information to check if a particular element is in A, I or F .

4.3.1.
Steps for certification Below we provide the steps for certifying RQSS. Before commencing certification, the referee numerically labels each element of the power set and proceeds to test each labelled element of the power set in order according to this labelling. For simplicity, and without loss of generality, we assume that each player holds one share; thus, the number n of modes equals one more than the number of players, hence shares, in the given subset. This extra mode allows a singlemode reference field in addition to the modes held by the players.
The referee conducts a test that requires many rounds (3.2.3) for each power-set element. The test evaluates whether a fixed subset of players is in A, I or F . In order to do so, the referee estimates the quantum mutual information I e (R, S e ) between the reference state ρ R and the extracted secret state ρ S e such that with a failure probability β < 1/2. Algorithm 4 accepts I e (R, S e ) as input and determines the structure of the power-set element. If the test result is consistent with the dealer's announcement that the access structure is the announced Γ, the referee announces a new subset of players to test; otherwise the procedure halts as the team of dealer and players has failed the certification test.
To estimate I e (R; S e ), the referee estimates the expectation values corresponding to each element of the matrices and withx defined in Eq. (3). The first and second modes hold reference and reconstructed secret states, respectively. The referee's result is then used to estimate the covariance matrix (10) of ρ RS e according to [13] This covariance matrix is used to calculate the entropies of ρ S e , ρ R and ρ RS e using Algorithm 1. The resultant entropies are then inserted into the standard formula for quantum mutual information (58). The expectation value of each element of (92) and (93) is calculated by performing multiple homodyne measurements on identical and independent copies of ρ RS e and taking the average of the measurement results. Using Chebyshev's inequality [13], the referee calculates an upper-bound for the estimation error of each expectation value as a function of number of rounds and β. Subsequently, this estimation error is then used to calculate the maximum expectation values' estimation error max of covariance-matrix entries via the standard formula for error propagation. Afterwards she calculates the bound on the estimation error of entropies following Algorithm 2. The estimation error of I e (R; S e ) is bounded by summation of the entropies estimation errors. The rounds continue until the estimation error of I e (R; S e ) is below a prespecified acceptable error.

Input:
T ∈ N Number of trials T copies of the joint state ρ for the reference and players' reconstructed state ∈ R + Error tolerance for estimated QMI TOL ∈ (0,1/2) Failure probability tolerance

Input:
T ∈ N Number of trials for each instance I F T ∈ R + Threshold quantum mutual information for the forbidden structure I A T ∈ R + Threshold quantum mutual information for all authorized structures ∈ R + Estimation error bound of estimated QMI TOL ∈ (0,1/2) Maximum failure probability P ∈ N Cardinality of the set of players Returns J th power set of players structure claimed by the dealer (79) if then Continuous-variable ramp quantum secret sharing with Gaussian states and operations 27 and for N the number of rounds.
Proof. Using Chebyshev's inequality [13], Equations (103) and (104) equivalently are and assuming an independent identically distributed (iid) protocol delivers Let max be the maximum estimation error of estimated covariance matrix, which is calculated in terms of (107) via standard error propagation methods. In the following we give an upper bound on the estimation error of quantum mutual information in terms of max . In order to do so, we introduce some helpful notation and theorems used in our proofs. For any two Gaussian states with corresponding covariance matrices V A and V B , the entropy difference is bounded by [36] for Also holds for any covariance matrix A [37]. Hence, By substituting Eq. (112) into Eq. (110), we obtain the perturbation bound For any Q ∈ {R, P, RP}, let V e,Q and V Q be the estimated and real covariance matrices, respectively. Then Also Furthermore, let us define and ∆I (X) = I (X; R) − I e (X; R) . Thus, Due to the triangle inequality, Therefore, the error bound scales inversely with square root of the number of rounds.
Next we prove the algorithm 4 is both sound and complete. Proof. We show cases (i) and (ii) in sequence. Case (i): We first recall that Also Therefore, As δ − ≥ , we conclude Thus, Algorithm 4 rejects with probability at least 1 − β if X / ∈ A. Proof. We show cases (i) and (ii) in sequence. Case (i): Also Therefore, pr [I e (X; R) ≤ I (X; R) + ] ≥ 1 − β.

DISCUSSION
In this section we discuss our results. We have two main results. The first result is a security analysis, which assigns subsets of players to each of the three structures, namely, authorized, intermediate, and forbidden structures. The second result is certification, which is performed by a referee. In our security analysis, we not only determine structures for subset of players, but we also quantify information leakage. For certification we introduce a referee who has limited resources such as finite local oscillator field. We now discuss these two results. We base our approach on TRS03, which divides subsets of players into authorized and forbidden structures. TRS03 do not consider the intermediate structure because their security analysis is based on assuming infinite squeezing, but finite squeezing is responsible for information leakage, which leads us to introduce the intermediate structure based on ramp secret sharing concepts. Ramp quantum secret sharing has been considered before in two cases: discrete-variable threshold ramp quantum secret sharing [5] and entanglement sharing [39]. These analysis did not treat the continuous-variable case, however. In our case, for any amount of finite squeezing, we construct encoding and decoding procedures and thereby assign each subset to the correct structure. Now we describe our result for certification. In our protocol, the dealer supplies the players with the encoded state, and in fact the state would be entangled with another share that goes directly to the referee. The referee identifies which subset of players are to transmit the decoded state to the referee, and the referee can combine this state with any shares that did not go through the players and then performs homodyne detection [40,13]. The referee performs homodyne measurement, and, if the local oscillator strength is infinite, then standard homodyne theory suffices to describe the statistics. We study the particular case of the referee performing tests based on Gaussian states and repeated measurements to allow the referee to estimate accurately the mean and covariance of the resultant state. The referee's procedure is valid even in the case of limited local-oscillator strength.
As our procedure is rather complicated and involves multiple parties, we have augmented our analysis by including pseudocode to explain step-by-step instructions on how to complete the procedure. Our pseudocode analysis makes clear exactly what is required of each party in the procedure. This pseudocode description could be a useful approach for describing future continuous-variable quantum-information protocols.

Conclusions
We have developed continuous-variable quantum mutual information with an external reference system in order to quantify the leakage of information and evaluate the security of continuous-variable quantum secret sharing protocols.
Furthermore, we prove that information leakage arising in the TRS03 scheme monotonically decreases with reduced squeezing. In addition, we introduce a certification process for continuous-variable quantum secret sharing in the framework of quantum-interactive proofs and ramp quantum secret sharing schemes.
Pseudocodes have been introduced in order to represent clearly the sequence of steps taken to solve the certification problem. Subsequently, we provide a practical realization of the certification test using homodyne detection, including a sufficiency condition on the number of experimental runs the referee has to perform. We prove that the statistical error in the referee's estimated quantum mutual information scales with the inverse square root of number of rounds.
Our certification procedure assumes the extracted secret states are iid. In reality, this iid property does not hold due to the environmental noises. Furthermore, in quantum secret sharing schemes, malicious parties might generate highly complicated entanglement among samples to fool the referee. As a future line of research, it is important to extend our certification procedure to the case of samples that are not independent and identically distributed.
Another useful avenue of research would be to analyze the effect of systematic errors in the referee's measurement procedure. As a final remark, we emphasize that our certification approach is applicable to certifying other quantum-information protocols such as summoning of quantum information in space time, quantum error correcting codes and quantum teleportation in the framework of quantuminteractive proof systems.

Appendix A. Calculation of quantum mutual information
The total density operatorρ T of all shares and the reference system after the extraction procedure iŝ ρ T = 1 π R 2n+2 d n xd n x dydy ρ y, x 1 , y , where ρ y, x 1 , y , where v 2 = γ 1 γ 1 for which γ 1 = (γ 11 , γ 12 , . . . , γ 1k−1 ) (38). Also, u 2 = u u where {u i } are the coefficients of the expansion α j = ∑ k−1 i=2 u i β ij for which j = 2, ..., k − 1. Then, by employing Eqs. (6), (7), and (8)  The covariance matrix of the extracted secret and reference system denoted by V S and V R are Also the joint covariance matrix of the extracted secret and reference system is For convenience, let us also define Using Eq. (14), symplectic eigenvalues of V S and V R denoted by ν S and ν R are for which V S and V R are defined in Eq. (A.7). Symplectic eigenvalues of V ρ RS denoted by ν ± is calculated using Eq. (16), therefore,