Secure Quantum Secret Sharing without Signal Disturbance Monitoring

Quantum secret sharing (QSS) is an essential primitive for the future quantum internet, which promises secure multiparty communication. However, developing a large-scale QSS network is a huge challenge due to the channel loss and the requirement of multiphoton interference or high-fidelity multipartite entanglement distribution. Here, we propose a three-user QSS protocol without monitoring signal disturbance, which is capable of ensuring the unconditional security. The final key rate of our protocol can be demonstrated to break the Pirandola-Laurenza-Ottaviani-Banchi bound of quantum channel and its simulated transmission distance can approach over 600 km using current techniques. Our results pave the way to realizing high-rate and large-scale QSS networks.


I. INTRODUCTION
Quantum internet holds numerous advantages over the classical internet in distributing, sharing and processing information [1,2]. Quantum internet consists of quantum networks for quantum computing and quantum communication, with quantum computing offering high calculation speeds [3,4] and quantum communication providing robust security [5][6][7][8]. In the realm of quantum communication, besides quantum key distribution which has been well developed on the way to practical applications recently [9][10][11][12][13][14], quantum secret sharing (QSS) is another cryptographic primitive used for multiparty quantum communication in quantum internet.
Secret sharing aims to split a secret message of one user, called dealer, into several parts and distribute them to other users, called players, with one player receiving one part [15,16]. In secret sharing, it is supposed to guarantee that any unauthorized subset of players cannot reconstruct the message. Only a few players cooperate together can they recover the original secret message. Therefore, classical secret sharing plays a fundamental role in modern information society with applications such as secure multiparty computation, blockchain, cloud storage and computing. Compared with classical secret sharing, QSS will further provide unconditional security based on laws of quantum mechanics [17]. The first QSS protocol was proposed in 1999 where three participants share classical information using the threeparticle Greenberger-Horne-Zeilinger (GHZ) state [18]. Then, a simplified QSS protocol with two-particle entangled states [19] was proposed. In the past few decades, QSS has been widely researched in theory [20][21][22][23][24][25][26].
Despite that QSS has achieved significant advances, only a little bit of proof-of-principle experimental demonstrations have been conducted including GHZ state [27,28], single-photon state [29], graph state [30,31] and bound entanglement state [32].There are reasons in many aspects. First, the entangled state, especially multipar- * hlyin@nju.edu.cn † zbchen@nju.edu.cn tite entangled state, is still hard to be generated, manipulated and distributed with high-brightness, high-fidelity and long-distance [33]. Although one can utilize the postselected entanglement state [22] to circumvent the above issues, it still needs valuable multiphoton interference, which only results in low secure key rate. Second, it is not a trivial task to extract secure key with perfect privacy [22,24]. Besides, QSS is a multiparty protocol that has at least three users and one cannot assume all participants are honest, which is the biggest problem to design a secure protocol. For example, the original three-user QSS protocol based on GHZ state is not secure if one of the player is dishonest [34]. In recent years, the scheme with sequential transmission of single qudit [23,29,35] have tried to remove the GHZ state requirement. However, it is shown that security of single-qudit schemes have drawbacks and remains to further debate [36,37]. More seriously, single-qudit schemes are vulnerable to Trojan horse attacks [38].
Twin-field quantum key distribution [39] and its variants [40][41][42][43][44][45][46][47] can extract the secret key that surpasses the Pirandola-Laurenza-Ottaviani-Banchi (PLOB) bound [48] by introducing an intermediate station to perform single-photon-type interference. Recently, using twin field theory [39], one differential-phase-shift QSS has been proposed to provide security against individual attacks [49], followed by analysis of finite-key effects and the asymmetric regime [50]. Here, we present an unconditionally secure three-user QSS protocol without signal disturbance monitoring for outside and inside attackers. Our new QSS scheme is the first realistic extended application with the encoding technique that spreads quantum information coherently over hundreds of laser pulses [7]. The natures of high noise tolerance and irrelevance to signal disturbance still remain in this QSS protocol, which allows to generate secure key even the bit error rate is up close to 50% for outside adversaries. Our protocol only requires weak coherent sources and single photon detectors. Numerical simulations show that it can be theoretically implemented over 600 km using recently developed techniques in practical quantum key distribution [51][52][53][54][55][56][57][58].

II. PROTOCOL DESCRIPTION
The schematic of QSS that how to overcome the PLOB bound is shown in Fig. 1. Our QSS protocol has a readiness for building a star network, where two symmetric remote players, Alice and Bob are connected to the central dealer, Charlie. Charlie implements an interference measurement on the two laser pulses sent by Alice and Bob, which will reveal that the corresponding phases are equal or different between Alice and Bob and thus forms the bit value correlation as for QSS. The raw key rate scales with the square-root O( √ η) of the total channel transmittance (between Alice and Bob) due to the single-photon-type interference of Charlie. The photon detected by Charlie can be considered from twin fields coming from both Alice and Bob, respectively. In order to resist attacks of a dishonest player or the outside eavesdropper, Charlie introduces two random numbers r ∈ {1, . . . , L − 1} and b ∈ {0, 1} to post-selected the effective bit as raw key.
No one can access the random numbers r, b in advance, which indicates that the leaked information is ignorable. To be precise, our QSS protocol is inspired by the recently developed round-robin differential phase-shift quantum key distribution [7] and twin-field quantum key distribution [39]. Here, we name this protocol as roundrobin (RR) QSS, which proceeds as follows: (i) For each train, Alice and Bob independently and randomly generate bit strings {s jA } and {s iB } with j A , i B ∈ {1, 2, . . . , L} and s jA , s iB ∈ {0, 1}. They both send a train of L laser pulses to Charlie simultaneously, with each pulse randomly added a phase shift 0 or π according to their random bits. The corresponding quantum states of Alice and Bob can be represented as and where |e isj A π µ/L jA designates the j A th laser pulse of Alice and µ is the total intensity of L optical pulses.
(ii) Charlie will let the received two laser pulse trains interfere after he implements a random operation on Alice's laser pulses. The random operation is that Charlie changes the arrival time of Alice's pulse train related to that of Bob's with which means that the j A = i B + (−1) b rth laser pulse of Alice and i B th laser pulse of Bob will interfere.
(iii) Let one and only one photon click from interference measurements and no other click in the whole pulse train denote an effective detection event. Charlie records his raw key bit X C as 0 and 1 for the phase difference with 0 and π given by an effective detected event.
(iv) Charlie announces j A and i B to Alice and Bob through the authenticated classical channel when the effective detection event is acquired from the superposed j A and i B pulses.
(v) Alice and Bob record X A = s jA and X B = s iB as their raw key bits.
(vi) All users (Alice, Bob and Charlie) exploit the error correction, error verification and privacy amplification of multiparty scheme to obtain the secure key.

III. SECURITY ANALYSIS
In order to provide an intuitive understanding of the proposed RRQSS protocol, we demonstrate its security by considering two equivalent cases shown in Fig. 2, which is the generalization of the security proof method of round-robin differential phase-shift quantum key distribution [7]. Here, we assume that the interference measurement and location measurement can discriminate the detection signal exactly coming from a single photon. Another assumption we have to make is that the devices used by players and the dealer are perfect and leak no more information to eavesdroppers. These assumptions are similar to those in the round-robin differential phase-shift quantum key distribution [7] and the first assumption can be solved by using the detector-decoy method [8]. Charlie announces a successful detection when one and only one photon is clicked in both Fig. 2a and Fig. 2b.
The setup of Fig. 1 is a practical implementation of scheme in Fig. 2a with efficiency 1/2. In the ideal case, the raw key of Charlie in Fig. 2a is been proven that the classical bits of information that can be transmitted by sending the coherent fingerprint state of Eqs. (1) and (2) satisfies O(µ log 2 L) [59,60]. It is much less than the encoding bit information of Alice or Bob for each pulse train with large L. At least one of i B and j A cannot be confirmed due to j A − i B = (−1) b r with random numbers {r, b} before Charlie implements measurement, which means anyone can have only a little knowledge of the raw key X C of Charlie or bit values X A ⊕ X B , including the dishonest player or the outside eavesdropper Eve. In order to access how much the adversary knows about the bit values X A ⊕ X B , we imagine that Charlie exploits the alternative choice with the location measurement in Fig. 2b. Charlie directly acquires i B or j A using the location measurement (i B or j A ). Then, he exploits random numbers {r, b} to generate the other index satisfying j A − i B = (−1) b r. To be more specific, Charlie's interference measurement is characterized by a set of projection measurement operatorŝ whereP (|ϕ ) = |ϕ ϕ|, k ∈ {1, . . . , d}, k + (−1) b r ∈ {1, . . . , d} and s ∈ {0, 1}. State |k denotes the photon in the kth pulse. For single-photon input stateρ, the probability of output {k, s} is given by Tr(ρÊ r,b k,s )/2, since there exists a filter with efficiency 1/2 [7]. We remark that the stateρ is the joint quantum state between Alice and Bob. Charlie publishes indices {k B , [k B + (−1) b r] A } and acquires X C = s from this output. Therefore, the probability of announcing where p(k) = k|ρ|k is the probability of detecting a photon in the kth pulse. And Charlie's location measurement is characterized by a set of projection measurement operatorsÊ where k ∈ {1, . . . , d}. Thereby, the probability of an- can be given by Obviously, , it means that the published indices {j A , i B } are identical for two figures in Fig. 2. And the knowledge of bit value X A ⊕X B in actual and virtual protocols are equivalent for anyone except for Charlie, which indicates the generation procedure of {j A , i B } is equivalent to the interference measurement in Fig. 2a. Therefore, the adversary have the same knowledge of X A ⊕ X B in Fig. 2a and Fig. 2b since she or he cannot distinguish the choices of measurement by Charlie.
In the RRQSS protocol, at most one player is dishonest. We first demonstrate that the protocol is secure for outside Eve and provide the detailed secret key rate. Then we will verify the security against one dishonest player, Alice or Bob and the corresponding key rate.

A. The outside Eve
First, we consider the case where Alice, Bob and Charlie are all honest and collaborate to generate the secret key with X C = X A ⊕ X B . The outside Eve is an eavesdropper, who tries to attack the knowledge of X A ⊕ X B . Obviously, this RRQSS protocol is similar with the round-robin differential phase-shift quantum key distribution [7] if we consider Alice and Bob as a single user. In order to calculate the secret key rate, we employ the source-replacement scheme [7]. We assume that Alice prepares an entangled state between L virtual qubit and L optical pulses instead of a train of coherent state, where |s jA A is the eigenstate of the Z basis in the j A th virtual qubit of Alice. Similarly, Bob generates an entangled state between L virtual qubit and L optical pulses, where |s iB B is the eigenstate of the Z basis in the i B th virtual qubit of Bob. Note that the source-replacement scheme does not change security. Since the L optical pulses sent by Alice or Bob are identical to those in the actual scheme if Alice and Bob measure the virtual qubit in the Z basis before sending optical pulses. The secret key rate per pulse of the RRQSS in the case of the outside Eve is given by where Q is the gain of transmitting L pulse pair trains, e b and e p are the bit and phase error rates of this protocol related to error correction and privacy amplification, respectively. A bit error is defined as X A ⊕ X B = X C . Specifically, the average gain Q and bit error rate e b of each train can be written as and where √ η = η d ×10 −αD/20 is the efficiency between Alice (Bob) and Charlie. D is the total distance among Alice, Bob and Charlie. Let ν be the total photon number in a train of optical pulses with total intensity µ. Then, the probability of finding more than ν th photons in a train of optical pulses can be written as where ν th is an integer constant chosen in this protocol. Considering a fictitious situation in Fig. 2b, Alice and Bob respectively deliver these virtual qubits to Charlie with a secure manner. Charlie simply applies a controlled-NOT operation to the i B th and j A th virtual qubits, with the i B th (j A th) virtual qubit as the control and the j A th (i B th) virtual qubit as the target given i B (j A ), b and r. The bit value X A ⊕ X B = s iB ⊕ s jA becomes the outcome of Z-basis measurement on the j A th (i B th) target virtual qubit. Let |± be the eigenstates of X-basis. Note that the controlled-NOT operation will not affect the X-basis eigenstate of the target virtual qubit [7]. If the target virtual qubit is fixed to state |+ , there is no knowledge of the measurement outcome on the Z-basis acquired by Eve. The phase error rate is defined as the probability of finding the target virtual qubit in state |− [61]. From the Eqs. (8) and (9), one can find out that the virtual qubit will be state |+ (|− ) for even (odd) number photons in each optical pulse. Therefore, the probability of a phase error is bounded by ν th /(L−1) when the number of photons in this train is no more than ν th . Note that the target virtual qubit is randomly selected from L − 1 virtual qubits. The phase error rate of the RR-QSS protocol for the outside Eve can be given by The first term of Eq. (14) corresponds to the fraction of a sifted key that the number of contained photons in a train pulses (both for honest Alice and honest Bob) are larger than ν th and should be regarded as a phase error in the worst-case scenario. The performance of our protocol and single-qubit QSS is measured in terms of the key rate per pulse R. With parameters in Table. I, the key rates of our protocol against outside and inside eavesdropping are optimized with µ, ν th and L and the key rate in [29] is optimized with µ, together with the assumption of weak coherent light source and asymptotic condition of infinite decoy states.

B. The inside Alice or Bob
Then, we consider the case where Alice, Bob and Charlie collaborate to generate the secret key with X C = X A ⊕ X B with one player, Alice or Bob dishonest. The inside eavesdropper tries to attack the knowledge of X A ⊕ X B with the help of the outside Eve.
Here, we first consider Bob to be the adversary. The bit value X B is all known by Bob, which means that he only needs to obtain the information of X A . According to the above security analysis, there are two cases in Fig. 2b where the location measurement generates i B or j A . For the i B click case, the bit value X A ⊕ X B is acquired by directly measuring the target qubit of honest Alice with Z basis. The corresponding phase error rate is e pi B = esrc QB + 1 − esrc QB ν th L−1 . Here, Q B is probability of i B generated in location measurement and e src is calculated using the honest Alice's optical pulses. For the j A click case, one cannot directly measure the phase error on target qubit of dishonest Bob since the intensity and photon number distribution sent by Bob are uncertain. Considering the worst case, Bob will acquire all information about the j A click case. Now we consider Alice to be the adversary. For the j A click case, the phase error rate is e pj A = esrc QA + 1 − esrc QA ν th L−1 . Here, Q A is probability of j A generated in location measurement and e src is calculated by using the honest Bob's optical pulses characteristic. Obviously, we have Q = Q A + Q B . For the i B click case, Alice will obtain all information.
For cases of the inside adversary, no one can know in advance whether the adversary is Alice or Bob. Therefore, the secret key rate per pulse of the RRQSS in the case of the inside adversary can be written as where we haveQ = min{Q A , Q B } and phase error ratê

IV. PERFORMANCE
Here, we display the secret key rate per pulse R of our protocol, assuming that Charlie holds a quantum random number generator to generate r and b in Eq. (3). Without loss of generality, we have the gains Q A = Q B = Q/2 due to the symmetric positions of Alice and Bob. Our protocol only needs two continuous-wave laser to prepare phase-stabilized continuous light with total intensity µ/L and phase 0 or π, which is available to current techniques. At Charlie's site, single-photon detectors are assumed with the same efficiency η d and the dark count p d . We introduce α as the attenuation coefficient of the ultra low-loss fiber and f as the error correction inefficiency. For simplicity, we assume a misalignment error rate e d to generalize the whole systematic error rate in our protocol. Specific value of parameters is listed in Table. I. Additionally, to illustrate that the key rate of our protocol scales with the square-root of the total channel transmittance, the PLOB bound between Alice and Bob is also considered for comparison (R PLOB = − log 2 (1 − η) and η = η d × 10 −αD/10 ). We also consider the key rate of single-qubit QSS [29], which is another practical QSS protocol with several experimental implementations. For simulation, we assume that the weak coherent light source and the asymptotic condition of infinite decoy states are applied in single-qubit QSS. Moreover, we can take a little further step to consider the expected behavior of finite-sized key rate in our protocol using the same idea in round-robin differential phase-shift quantum key distribution [7]. Let N be the number of rounds and first we define the tail distribution for finding more than a successful events in a binomial distribution asf (a; n, p) = k>a p k (1 − p) n−k n!/[k!(n − k)!]. Then the probability of choosing N r 1 from N sifted bits to include all the tagged portion will be 1 − ǫ 1 , where ǫ 1 =f (N r 1 ; N round , e src ) and N round denotes the number of rounds of transmitting L pulses. Here we assume there is no phase error in the chosen N r 1 bits. When considering phase errors in the remaining N ′ bits (N ′ = N (1 − r 1 )), it should be less than N ′ r 2 for a probability 1 − ǫ 2 and ǫ 2 = f (N ′ r 2 ; N ′ , ν th /(L − 1)). With ǫ 1 and ǫ 2 , we can characterize the imperfection in the final key given the bits of information leakage to the eavesdropper. Given s > 0, we let ǫ 1 = ǫ 2 = 2 −s by choosing proper r 1 and r 2 . Then, we have h(ê p ) = r 1 + (1 − r 1 )h(r 2 ) + s/N with s commonly ranging from 70 to 160. With a crude Gaussian approximation of ln[f (a; n, p)] ∼ = −(a− np) 2 /[2np(1 − p)], we have that r 1 ∼ = p 1 + (2ln2)p 1 (s/N ) and r 2 ∼ = p 2 + (2ln2)p 2 (1 − p 2 )(s/N ) where p 1 = e s rc/Q and p 2 = ν th /(L − 1). For N ≫ s, substituting numerics gives h(ê p ) ∼ = h asy (ê p )(1 + 1.98 s/N ) and h asy (ê p ) = p 1 + (1 − p 1 )h(p 2 ).
With the above assumptions, the performance of our QSS protocol is presented in Figs. 3, 4 and 5 by numerically optimizing the secret key rate over the free parameters µ, ν th and L. As depicted in Fig. 3, besides the key rate of our QSS protocol under inside and outside eavesdropping, we also plot the PLOB bound and the key rate in single-qubit QSS [29] where the misalignment rate e d = 2%. Evidently, our QSS protocol has better performance over single-qubit QSS and can break the PLOB bound for D larger than ∼ 300 km with the final transmission distance approaching over 600 km. In addition, considering impact on the final key rate caused by the misalignment error rate e d , we present the key rate of our QSS protocol with different misalignment rate in Fig.4. Although the misalignment rate e d is more than 6%, the final key rate can also surpass the linear PLOB bound, which shows the high tolerance of errors in our protocol. With e d smaller than 4%, the theoretical transmission distance will approach over 600 km, which is suitable to intercity multiparty quantum communication. Fig. 5 shows that there is little influence the finite-size analysis has on the final key rate of our protocol. When N = 10 4 , the transmission distance will also approach over 600 km.

V. CONCLUSION
In summary, we present a practical QSS protocol containing three users with unconditional security. In-spired by the twin-field quantum key distribution, the key rate scales as O( √ η) rather than O(η), breaking the PLOB bound introduced by capacity of quantum channels [48,62]. Moreover, we propose the security analysis to demonstrate the unconditional security of our protocol under both outside and inside eavesdropping. The key point here is to consider eavesdropping of the inside participant Alice or Bob, which is quite different from the original round-robin quantum key distribution. Namely, the security is irrelevant to the channel we use. In addition, although constricted by the inside eavesdropper, our protocol still shows a long theoretical transmission distance of over 600 km under small misalignment error rate, which reveals the potential for long distance multiparty communication with high efficiency. According to the recent work [63], RRQSS can also be applied in the experimental and practical implementations using the orbital angular momentum degree of freedom. Note that our QSS protocol shares classical bits rather than quantum states [64]. Furthermore, the apparatus settings in our scheme can be directly deployed to realize the third-man quantum cryptography (TQC) [65] where Charlie plays the role of a controller to determine whether to announce his measurement results. If Charlie announces his measurement results, Alice's bits and Bob's bits will build up their own perfect correlations. Then based on the correlations, Alice and Bob will create the secret key and Charlie has no knowledge of the keys which Alice and Bob have created. Namely, in the TQC, Alice and Bob will fail to generate the secret key without the help of the controller, Charlie [27]. The secret key rate of our TQC protocol can be given by the Eq.(10). In our TQC scheme, we have to consider Charlie is an honest participant but he has no knowledge of secret key. Therefore, the practical security of the TQC here is between twin-field [39] and trusted relay [66] quantum key distribution.
Our RRQSS protocol is a first step to extend the application of round-robin method from quantum key distribution [7]. Its security analysis guarantees that our QSS protocol is also independent of any intervention by eavesdroppers and has high tolerance of noise. Future work is necessary to narrow the gap of secret key rate between inside and outside eavesdropping in Fig. 3. Combined with long transmission distance and simple apparatus requirements, we believe our protocol is suitable for secure multiparty communication in the future quantum networks.