Differential phase shift quantum secret sharing using twin field

Quantum secret sharing (QSS) is essential for multiparty quantum communication, which is one of cornerstones in the future quantum internet. However, a linear rate-distance limitation severely constrains the secure key rate and transmission distance of QSS. Here, we present a practical QSS protocol among three participants based on the differential phase shift scheme and twin field ideas for the solution of high-efficiency multiparty communication task. In contrast to formerly proposed differential phase shift QSS protocol, our protocol can break the linear rate-distance bound, theoretically improving the secret key rate by three orders of magnitude in a 300-km-long fiber. Furthermore, the new protocol is secure against Trojan horse attacks that cannot be resisted by previous differential phase shift QSS.


I. INTRODUCTION
Secret sharing is one of basic communication missions in classical cryptography. It aims to split a message into several parts in such a way that no unauthorized subset is sufficient to reconstruct the original message [1]. Since it feathers in secure collaborative activities, secret sharing constitutes a major cryptographic mission for multiparty communication, including controlling missiles [2].
All schemes of classical secret sharing can only be proved secure based on mathematical complexity. Thus, with the emergence of quantum computing algorithm [3], secret sharing is also forced to step into the informationtheoretically secure era with laws of quantum mechanics, which is called quantum secret sharing (QSS). The first quantum secret sharing protocol was proposed in 1999 using three-photon entangled Greenberger-Horne-Zeilinger (GHZ) state for three participants [4]. Based on multipartite quantum entanglement, improved quantum secret sharing protocols [5][6][7][8][9][10] and experimental demonstrations [11][12][13][14] have been presented in the past 20 years. Nevertheless, difficulties in preparing and transmitting GHZ states constrains the secret key rate and stability of QSS systems, making it far from practical implementation. Therefore, several protocols in the prepare-and-measure scenario were proposed to circumvent preparations of multipartite entangled states, such as protocols using post-selected multipartite entanglement state [15], Bell states [16,17], continuous variable [18,19], single-qubit scheme [20][21][22][23], d-level scheme [24,25] and differential phase shift scheme [26]. Unfortunately, a majority of prepare-and-measure protocols [20][21][22][23][24][25][26] is vulnerable to the Trojan horse attacks [27,28]. Furthermore, in particular, all proposed QSS protocols will confront the linear rate-distance limitation [29][30][31]. This limitation constricts the key rate and transmission distance of QSS. * hlyin@nju.edu.cn † zbchen@nju.edu.cn Consequently, although QSS has received a lot of attention and achieved a lot of research results, a practical and high efficiency protocol is still missing. In this paper, we present a QSS protocol inspired by the idea of twin-field [32][33][34] and differential phase shift [35] quantum key distribution. Secure against individual attacks, our protocol will break the linear Pirandola-Laurenza-Ottaviani-Banchi (PLOB) bound [30]. Besides, in contrast to the previous differential phase shift QSS [26], our protocol realizes that the final key rate can be increased by three orders of magnitude in a 300-km-long fiber and secure against Trojan horse attacks. Additionally, in our protocol, senders only utilize weak coherent laser sources to generate signal pulses. Simultaneously, the phase stabilization method will be employed, which has been widely developed in twin-field quantum key distribution [36][37][38]. With simple apparatus requirements, our protocol will lower the threshold of experimental and practical implementations.

II. PROTOCOL DESCRIPTION
To introduce our protocol, we plot in Fig. 1 the configuration of our quantum secret sharing protocol under experimental setup. In Fig. 1, Charlie, the dealer [12], holds a full key for ciphering while Alice and Bob each hold a partial key for deciphering. In grey areas locate devices held by three participants which are all secure against any eavesdropping. Our protocol employs weak coherent states instead of single-photon states. It features a simple setup where senders basically require weak coherent light sources to generate pulse trains. Furthermore, the dealer utilizes an asymmetric Mach-Zehnder interferometer to measure, with the phase stabilization method [36][37][38]. The explicit description of our protocol is presented step by step as follows: we denote the sequence of time slots after combination of pulses in two paths as j, for j ∈ {1, 2, 3, ..., 2N } where N is the total number of pulses sent by Alice (or Bob) and We set that k is an integer ranging from 1 to N .
1. Preparation. Alice (Bob) sends a weak coher- ent pulse train to Charlie where each pulse is randomly phase-modulated by {0, π}, respectively. The period of the pulse train is 2T , as shown in Fig.1 and the intensity of each pulse is µ, which also represents the average photon number of each number. µ is set less than one photon per pulse. Alice (Bob) records their logic bits of each time slot as 0 (1) when her (his) modulated phase is 0 (π).

Measurement and reconciliation.
Before the former beam splitter, the pulse train that Bob sends will be postponed for the time T . Then Charlie measures the phase difference of adjacent pulses with an T time delayed Mach-Zehnder interferometer. He records which detector clicks and the corresponding detection time slot.
His logic bits will be 0 (1) when D1 (D2) clicks. For double clicks, Charlie randomly chooses a logic bit out of 0 or 1. Then, Charlie discloses the photon detection time. With time information, Alice, Bob and Charlie form their own raw key for the next procedure.
3. Parameter estimation. Charlie randomly chooses recorded detection times and requires Alice and Bob to alternatively announce their classical bits in the chosen time slots through an authenticated classical channel. According to their correlation of bits, Charlie will get the quantum bit error rate (QBER). Then Charlie will make a decision whether they discard all their bits and restart the whole QSS at Step 1.
4. Post-processing. Alice, Bob and Charlie conduct classical error correction and privacy amplification to distill the final full key and partial keys.
As shown in Fig. 2, we demonstrate the bit correlation among Alice, Bob and Charlie. We denote S X k ∈ {0, 1} (X ∈ {A, B, C}) as a classical bit, whose superscript denotes who holds this bit and whose subscript denotes its sequence in the combined pulse train. At Step 1, when ignoring the global phase of each pulse, we easily find weak coherent states sent by Alice (Bob) can be written as Interference measurement at Charlie's site.
After acted by the former beam splitter, pulse trains from Alice and Bob with the period of 2T will be transformed into pulse trains with the period of T in two paths, respectively. In both paths, pulses at odd time slots are from Alice and pulses at even time slots are from Bob.
Phases of pulses from Alice in the long path will be modulated by π. Then, pulses from two paths will interfere with each other after the delay of time T in the long path. Every pulse from Alice (Bob) will interference with both the former and the later pulses from Bob (Alice).
With an asymmetric interferometer, we can conclude correlation between three participants as: For example, under the circumstance that j = 2k, when the modulated phases in one time slot imposed by Alice and Bob are {0, 0} or {π, π}, the differential phase is 0 and D1 clicks. When Alice's and Bob's modulation phases are {0, π} or {π, 0}, the differential phase is π and D2 will click. Thus, Charlie's logic bits are the exclusive OR of Alice's and Bob's logic bits. When j = 2k − 1, to achieve the same correlation, Charlie should bit-flip his corresponding classical bit. Evidently, here Alice and Bob will know Charlie's key bits only by cooperation.

III. SECURITY ANALYSIS
The security of our protocol against eavesdropping is discussed in this section. First, we will build an equivalence between our protocol and differential phase shift QSS in [26]. Then, under the equivalence, both an external eavesdropper and an internal eavesdropper are considered using the conclusion in differential phase shift quantum key distribution [39].

A. The equivalence
In Fig.3 we reduce our scheme to differential phase shift QSS, which is shown in Fig.3a. The laser source at Alice's site generates a bunch of weak coherent states, which are all phase-modulated with φ A ′ j ∈ {0, π}, where, without loss of generality, we also set µ as the intensity of each pulse and the global phase is ignored. Here we also use j ∈ {1, 2, 3, ...} to number the time slots of each pulse.
When reaching Bob's site, some of photons will be split to reveal whether Alice is a malicious participant [26]. The remaining photons will be phase-modulated again by Bob with φ B ′ j ∈ {0, π}. Before transmitted to Charlie, weak coherent states will be |e i(φ A ′ j +φ B ′ j ) √ µ ′ . If the differential phase is 0 (π), Charlie will record the classical bit as 0 (1) and the corresponding detection time slot. We easily derive correlations between phase modulation and Charlie's detection results. For i ∈ {1, 2, 3, ...}, where S also denotes the logic bits. The correlation of classical bits in Fig. 3a is . As an intermediate step, a special rule is added for our equivalence where Alice will only modulate phases of the corresponding pulses if j = 2k − 1 and Bob will only phase-modulate the corresponding pulses if j = 2k. The configuration of this rule is shown in Fig.3b. Then, we will derive the correlation as the following form: which is the same correlation after Charlie bit-flips his logic bits when j = 2k − 1 in our protocol. From Fig. 3a to Fig. 3b, equivalence can be built since in differential phase shift QSS, we only care about differential phases ) of Alice (Bob) and the whole scheme stays unchanged with the phase of one pulse φ A ′ j+1 (φ B ′ j ) fixed. Moreover, since in Fig. 3b, pulses at even time slots will not carry any information before reaching Bob's site, it will introduce no differences that Bob sends pulses at even time slots, which is equivalent to our protocol. Then equivalence between Fig. 3b to Fig. 3c can be built. Our protocol is equivalent to differential phase shift QSS.
Besides, in Fig.3a, phases of Alice's pulses will be modulated by Bob, with pulses passing through Bob's site. In [27,28], we know this kind of schemes is not able to prevent powerful Trojan horse attacks and our protocol will fix the security flaw, obviously.

B. External eavesdropping
First, we easily derive that beam-splitting attacks and intercept-resend attacks by Eve will fail [35]. Then, as for a general individual attack, here we can assume that Eve will conduct the same attack in differential phase shift QSS [26]. Therefore, information leakage to Eve is given by a fraction 2µ(1 − η) of the sifted key after reconciliation in Step 2, related to the intensity of each pulse µ and the transmittance η [39].

C. Internal eavesdropping
Here we have to be wary of malicious Alice or Bob. Without loss of generality, we let Bob be the malicious (a) We present a specific individual attack as discussed in [26] where Bob will also send a pulse train with 2T period without phase-modulation. (b) A general individual attack by Bob is presented.

participant.
When discussing Bob's eavesdropping, we know he wants to know Charlie's key and also has to know Alice's bits to pass the test-bit checking in Step 4 since Alice and Bob alternatively announce their test bits, introducing a fraction of 1/2 of error rates. The configuration for Bob's individual attacks is shown in Fig. 4. He splits part of photons in Alice's signal to be measured after Charlie discloses his detection time. Besides, in the presence of channel noise Bob can potentially attack the rest of pulse trains by a beam-splitting attack. Bob can also entangle every photon transmitted to Charlie with an independent probe to eavesdrop information. To sum up, there are two parts of the eavesdropping strategy which have to be addressed. The first is how much information can be extracted from the split photons and the beam-splitting attacks. The other is information leakage to Bob by his probe states.
For photon-splitting attacks, malicious Bob only requires to measure differential phases of adjacent pulses ∆φ = φ A ′ i − φ A ′ i+1 generated by Alice based on Charlie's detection times. However, without phase reference, malicious Bob in our protocol has to measure the exact phases φ A i Alice modulates. In that case, we assume malicious Bob will adopt the following attacking strategy in Fig. 4a. To obtain Alice phase-modulation information, Bob applies the same weak laser source to interfere with Alice's pulses, just like what will happen in Charlie's site. Without phase modulation on his eavesdropping pulses, he will get the exact phase information of Alice. Without loss of generality, intensity of Bob's eavesdropping pulses is also µ. Here, we just offer an explicit individual attack as an example.
Then errors induced by split photons is considered as follows. Probability that Bob knows Alice's bit corresponding to Charlie's bit is 2µ, and the bit error rate is (1 − 2µ)/2. β is the upper bound for the allowable rate of Bob's photon-splitting attacks [39]. Provided that the total system error rate is E µ , β is given by where 1/2 means that Alice and Bob disclose their key bits used for test-checking alternatively and then a bit error is revealed when Bob discloses his bit first. For the remaining photons of Alice' signal, Bob conducts a beamsplitting attack utilizing the transmission loss from Alice to Charlie. Provided that the transmittance from Alice to Charlie is η, Bob stores (1 − η) of Alice's pulse train and makes his own pulse train without phase modulation interfere with it pulse by pulse after Charlie discloses the photon detection time. This beam-splitting attack gives Bob partial information with a ratio of 2µ(1 − η)(1 − β). Then, Bob obtains 2µβ + 2µ(1 − β)(1 − η) of Charlie's key in total. In Fig. 4b, we also consider general individual attacks by Bob. Based on the equivalence between our protocol and differential phase shift QSS, here individual attacks for eavesdropping differential phases stays unchanged in the case where one of two phases is fixed. Then Bob conducts general individual attacks as carried out by Eve in differential phase shift quantum key distribution [39], where the fraction Bob obtains about Charlie's bits is 2µ. As demonstrated in [26], general individual attacks are more powerful than eavesdropping depicted in Fig. 4a Here we just consider general individual attacks by malicious Bob. For probe states of Bob, we will directly obtain total information leakage to Bob in the next section when deriving the final key rate of our protocol.

IV. FINAL KEY RATE
In the above analysis, we obtain that the probability information leakage to Eve and malicious Bob is 2µ(1−η) and 2µ.
We discover that information leakage to external Eve is slightly lower than that to malicious Bob. For simplicity, we can just consider information leakage in our protocol to be 2µ. The final key rate of our protocol is is Shannon entropy and f (E µ ) is the error correction efficiency. P co is the upper bound of collision probability when considering individual attacks, which can be concluded as P co = 1−E 2 µ −(1 − 6E µ ) 2 /2 [40]. For two detectors used by Charlie, we derive total dark count rate as 2p d and the error rate of background e 0 = 1/2. The total gain and the total error rate with an intensity of µ is given by where e d is the misalignment error rate of detectors.
Here, we set that the channel transmittance between Alice and Charlie is the same as that between Bob and Charlie. The total distance between Alice and Bob is L to present our transmission rate. In that scheme, transmittance η becomes η d × 10 −αL/20 , where η d is detection efficiency of Charlie's detectors. Therefore, distance between Alice and Charlie is L/2 so as to break the linear PLOB bound and the repeaterless bound between Alice and Bob, where formulas of the PLOB bound and the repeaterless bound is η PLOB = − log 2 (1 − η d × 10 −αL/10 ) and η repeaterless = η d × 10 −αL/20 . We optimize our transmission rate over the free parameter µ according to distance and utilize parameters shown in Table.I For the intensity µ, we utilize Genetic Algorithm to obtain its optimal value under a certain distance. We present our simulation result in Fig.5. Evidently, when the misalignment rate e d is lower than 5.2%, our protocol will break the linear PLOB bound [30]. Therefore, theoretical transmission rate of our protocol will reach a level of 600km. For comparison with differential phase shift QSS, we also plot results of our protocol and results in differential phase shift QSS [26]. With the same e d as 2.0%, we can see clearly from Fig.6 that our protocol is much better, increasing the final key rate by about three orders of magnitude in a 300-km-long fiber.

V. CONCLUSION
In summary, we have presented a quantum secret sharing protocol with three participants which is secure against individual attacks. The key rate of our protocol will break the linear PLOB bound, whose theoretical transmission distance will approach 600 km. Compared with the former differential phase shift QSS, our protocol can improve the final key rate by about three orders of magnitude in a 300-km-long fiber and can be secure against Trojan horse attacks. In addition, our protocol requires simple apparatus setup and make experimental and practical implementations more accessible using current techniques. A full security analysis considering collective attacks and general coherent attacks allowed by quantum mechanics will be the future work. We believe that our protocol will promote the commercialization of quantum secret sharing and will be of wide use to future quantum networks.