Source-independent quantum secret sharing with entangled photon pair networks

Yi-Ran Xiao Zhao-Ying Jia National Laboratory of Solid State Microstructures and School of Physics, Collaborative Innovation Center of Advanced Microstructures, Nanjing University, Nanjing 210093, China. Department of Physics and Beijing Key Laboratory of Opto-Electronic Functional Materials and Micro-Nano Devices, Key Laboratory of Quantum State Construction and Manipulation (Ministry of Education), Renmin University of China, Beijing 100872, China. Yu-Chen Song Big Data Center, Ministry of Emergency Management, Beijing 100013, China Yu Bao National Laboratory of Solid State Microstructures and School of Physics, Collaborative Innovation Center of Advanced Microstructures, Nanjing University, Nanjing 210093, China. Department of Physics and Beijing Key Laboratory of Opto-Electronic Functional Materials and Micro-Nano Devices, Key Laboratory of Quantum State Construction and Manipulation (Ministry of Education), Renmin University of China, Beijing 100872, China. Yao Fu Beijing National Laboratory for Condensed Matter Physics and Institute of Physics, Chinese Academy of Sciences, Beijing 100190, China Hua-Lei Yin [email protected] Department of Physics and Beijing Key Laboratory of Opto-Electronic Functional Materials and Micro-Nano Devices, Key Laboratory of Quantum State Construction and Manipulation (Ministry of Education), Renmin University of China, Beijing 100872, China. Zeng-Bing Chen National Laboratory of Solid State Microstructures and School of Physics, Collaborative Innovation Center of Advanced Microstructures, Nanjing University, Nanjing 210093, China.

(July 23, 2024)

Abstract

The large-scale deployment of quantum secret sharing (QSS) in quantum networks is currently challenging due to the requirements for the generation and distribution of multipartite entanglement states. Here we present an efficient source-independent QSS protocol utilizing entangled photon pairs in quantum networks. Through the post-matching method, which means the measurement events in the same basis are matched, the key rate is almost independent of the number of participants. In addition, the unconditional security of our QSS against internal and external eavesdroppers can be proved by introducing an equivalent virtual protocol. Our protocol has great performance and technical advantages in future quantum networks.

I introduction

Building a global quantum network would constitute a significant breakthrough in science and technology, as it would extend the benefits of quantum entanglement and quantum state distribution to multiple distant communicating parties worldwide [1]. With the emergence of quantum technologies, such a network can have numerous applications, including quantum key distribution [2, 3, 4], quantum conference key agreement [5, 6], quantum secret sharing (QSS) [7, 8, 9], quantum digital signatures [10], quantum voting [11] and quantum secure direct communication [12, 13, 14]. QSS promises the unconditional security and plays a crucial role in protecting secret information, such as secure operations of multiparty computation [15], creating joint checking accounts containing quantum money [16] and so on.

Since the first QSS protocol introduced by Hillery et al. [7] in 1999, which utilizes three-photon Greenberger-Horne-Zeilinger (GHZ) state, this protocol has been generalized into plenty of variations based on entanglement states [17], graph state [18, 19], bound entanglement state [20] and $d$ -dimensional entanglement states [21]. In recent decades, significant theoretical [22, 23, 24, 25] and experimental [26, 27, 28, 29] efforts have been directed toward QSS, making it as one of the most captivating research topics in the quantum cryptography. Nevertheless, the scheme that distributes multipartite or high-dimensional entanglement resources among multiple participants renders the aforementioned works impractical due to the limited efficiency and low key rates. Additionally, adding or removing participants requires changing the dimensionality of the system, which makes complex alterations of the source necessary. Therefore, a practical and highly efficient QSS protocol for quantum networks is still missing.

Here, we propose an efficient source-independent QSS protocol utilizing entangled photon pairs, which can achieve data correlation through the post-matching technique [30] and classical XOR operations. Based on the fully connected quantum network architecture [31, 32, 33], which employs a single entangled photon pair source and wavelength-division multiplexing to distribute bipartite entangled states to multiple users, our scheme can be scaled in multiparty scenarios without changing the entanglement source and the hardware of network users. The unconditional security of our protocol is proved by introducing an equivalent virtual protocol which utilizes the quantum operations and multiparty entanglement purification [34, 35] to obtain the almost pure entangled GHZ states among all QSS participants. To address the internal participant attacks [36, 37], we utilize the method in refs. [38, 39], where the dealer calculates the correlations with each single player to defend against the internal malicious participants. The simulation results show that our protocol has a significant advantage of key rate across any number of participants compared with the QSS protocol which directly distributes the GHZ states. We believe that our protocol has great potential to serve as a fundamental cryptographic protocol for large-scale quantum networks.

II protocol description

The schematic of our protocol in the fully connected quantum network is shown in Fig. 1. In our protocol, the entangled photon pair source generates polarization-entangled photon pairs, i.e., Bell states $\ket{\phi^{+}}=\left(\ket{HH}+\ket{VV}\right)/\sqrt{2}$ , where $\ket{H}$ ( $\ket{V}$ ) represents horizontal (vertical) polarization states. The diagonal and anti-diagonal polarization states are denoted as $\ket{+}=\left(\ket{H}+\ket{V}\right)/\sqrt{2}$ and $\ket{-}=\left(\ket{H}-\ket{V}\right)/\sqrt{2}$ , respectively. The network provider distributes the bipartite entangled states between all $N$ network users through the fully connected quantum network architecture [31, 32, 33]. Among the all $N$ network users, $n$ ( $n\leq N$ ) network users who implement the QSS protocol are denoted as QSS participants, which include one dealer $A$ and $n-1$ players $B_{i}$ ( $i=1,\cdots,n-1$ ). All $n$ QSS participants utilize the bipartite entanglement between the dealer $A$ and each player $B_{i}$ to generate the QSS keys. The steps are as follows:

1.

Distribution. The network provider prepares broadband polarization-entangled photon pairs with a single entangled photon pair source. The spectrum of photon pairs is separated into $N(N-1)$ distinct wavelength channels through a wavelength demultiplexer, and the entangled photon pairs can only be observed in correlated wavelength channels. Then each set of $N-1$ different channels is combined into a single-mode fiber through a wavelength multiplexer and distributed to each network user. Therefore, every network user shares bipartite photon pairs with any other users [31, 32, 33].
2.

Measurement. All QSS participants perform measurements on their own photons in the diagonal polarization basis, i.e., $X$ -basis with probability $p_{x}$ and the rectilinear polarization basis, i.e., $Z$ -basis with probability $p_{z}=1-p_{x}$ . The measurement results from $\ket{+}$ and $\ket{H}$ are recorded as logic bit 0, and the measurement results from $\ket{-}$ and $\ket{V}$ are are recorded as logic bit 1.

Post-matching. All QSS participants broadcast their basis choices through the classical channels, and the events that the dealer $A$ and any one of the players $B_{i}$ select the same basis are regarded as matching events. The $X$ -basis ( $Z$ -basis) measurement outcomes of matching events are denoted as $a_{i,j}^{X}$ ( $a_{i,j}^{Z}$ ) for the dealer $A$ and $b_{i,j}^{X}$ ( $b_{i,j}^{Z}$ ) for each player $B_{i}$ , where $j$ represents the round of matching events. Without considering noise, the classical bits $a_{i,j}^{X}$ ( $a_{i,j}^{Z}$ ) and $b_{i,j}^{X}$ ( $b_{i,j}^{Z}$ ), which are both obtained from the Bell states $\ket{\phi^{+}}$ , should be equal.

Then the dealer $A$ performs XOR operations on her classical bits. For the $Z$ -basis,

c_{i,j}^{Z}=a_{1,j}^{Z}\oplus a_{i,j}^{Z},

(1)

and for the $X$ -basis,

\tilde{a}_{1,j}^{X}=a_{1,j}^{X}\oplus a_{2,j}^{X}\oplus\cdots\oplus a_{n-1,j}^% {X}.

(2)

After performing XOR operations, the dealer $A$ broadcasts $c_{i,j}^{Z}$ through classical channel, and each player $B_{i}$ also conduct XOR operations $\tilde{b}_{i,j}^{Z}=c_{i,j}^{Z}\oplus b_{i,j}^{Z}$ . The value of $\tilde{b}_{i,j}^{Z}$ is equal to $a_{1,j}^{Z}$ since $a_{i,j}^{Z}=b_{i,j}^{Z}$ and self-inverse of XOR. Owing to the above XOR operations , correlations are established among the classical bits of all participants:

	$\displaystyle\tilde{a}_{1,j}^{X}=b_{1,j}^{X}\oplus b_{2,j}^{X}\oplus\cdots% \oplus b_{n-1,j}^{X},$		(3)
	$\displaystyle a_{1,j}^{Z}=\tilde{b}_{1,j}^{Z}=\tilde{b}_{2,j}^{Z}=\cdots=% \tilde{b}_{n-1,j}^{Z},$		(4)

which are equivalent to the GHZ states shared among $n$ participants.

4.

Parameter estimation. After above processing, the classical bits are denoted as $\mathcal{X}=\{\mathcal{X}_{A},\mathcal{X}_{B_{1}},\cdot\cdot\\ \cdots,\mathcal{X}_{B_{n-1}}\}$ and $\mathcal{Z}=\{\mathcal{Z}_{A},\mathcal{Z}_{B_{1}},\cdots,\mathcal{Z}_{B_{n-1}}\}$ for the $X$ - and $Z$ -bases respectively, where $\mathcal{X}_{A}$ ( $\mathcal{Z}_{A}$ ) represents the classical bit string $\{\tilde{a}_{1,j}^{X}\}$ ( $\{a_{1,j}^{Z}\}$ ) of the dealer $A$ and $\mathcal{X}_{B_{i}}$ ( $\mathcal{Z}_{B_{i}}$ ) represents the classical bit string $\{b_{i,j}^{X}\}$ ( $\{\tilde{b}_{i,j}^{Z}\}$ ) of each player $B_{i}$ . To conduct parameter estimation, the dealer $A$ would designate the classical bits in $\mathcal{Z}$ for disclosure. Above steps are repeated until at least $m$ rounds are kept for key generation and $k$ rounds are kept for parameter estimation. The dealer $A$ and each single player $B_{i}$ then utilize the classical bits in $\mathcal{Z}$ to calculate the correlation between them. Based on the correlations, the dealer $A$ decides whether the protocol is aborted or not.

Figure 1: The schematic of our QSS protocol in quantum network. The network provider (red box) uses a single entangled photon pair source to distribute bipartite entangled states between all network users (yellow box) through wavelength-division multiplexing [31, 32, 33]. Some of the network users implement the QSS protocol, thus they are denoted as QSS participants, including the dealer and the players. The QSS participants (orange box) utilize the bipartite entanglement to generate secure keys with the post-matching technique [30] and classical XOR operations.
5.

Post processing. If the protocol is not aborted, QSS participants will obtain the correlated raw keys which are equivalent to the noisy GHZ states. All participants proceeds with the error correction, which will leak at most $\mathrm{leak}_{\mathrm{EC}}$ bits of information. To test the correctness, all QSS participants compute and compare a hash of length $\log_{2}(1/\epsilon_{\mathrm{c}})$ bits by employing a random universal₂ hash function on the raw keys. If passing the correctness test, all participants perform privacy amplification using universal₂ hashing, which will extract $l$ bits final keys.

To prove the security of our QSS protocol, we introduce an equivalent virtual protocol, which can be transformed into the actual protocol above. In the virtual protocol, the Bell states kept in quantum memories of the dealer $A$ and each player $B_{i}$ are correspond to the measurement results of entangled photon pairs stored in classical memories. The quantum operations conducted on the qubits in quantum memories to generate noisy GHZ states are equivalent to the classical XOR operations performed on classical bits. Parameter estimations in both the actual and virtual protocols are conducted only between the dealer $A$ and each single player $B_{i}$ to exclude the effects of potential dishonest participants [38, 39]. Multiparty entanglement purification [34, 35] is performed on noisy GHZ states to distill nearly pure GHZ states, which can be converted into classical post-processing (classical error correction and privacy amplification) [40, 41]. Due to the above-mentioned equivalence between the two protocols, all participants in the actual protocol can obtain unconditionally secure QSS keys against both the internal and external eavesdroppers, including the internal participant attacks [36, 37]. The detailed virtual protocol and security analysis are shown in the Appendix B.

Refer to caption — Figure 2: Comparison of our $n$ -party protocol and the QSS protocol with GHZ state distribution. The key rates of our work (solid lines) and the QSS protocol with GHZ state distribution (dotted lines) are plotted with the different numbers of participants ( $n$ = 3, 4, 5). The fiber transmission distance denotes the distance between the network provider and one participant.

III numerical simulation

Based on the actual protocol description above, all QSS participants generate secret keys utilizing the measurement results of nearly perfect GHZ states in the $X$ -basis. Therefore, we can give the following key rate in the case of asymptotic limit [9, 25]:

R_{\mathrm{QSS}}=Q^{X}\left[1-\mathop{\max}\limits_{i}h\left(E^{Z}_{AB_{i}}% \right)-f_{e}h\left(E^{X}\right)\right],

(5)

where $Q^{X}$ is the gain of the $X$ -basis, i.e., the probability that both the dealer $A$ and each player $B_{i}$ receive and measure photons in the $X$ -basis. $E^{X}$ is the bit error rate in the $X$ -basis. $E^{Z}_{AB_{i}}$ is the marginal error rate between the dealer $A$ and any single player $B_{i}$ in correlation test. $h(x)=-x\log_{2}(x)-(1-x)\log_{2}(1-x)$ is the binary Shannon entropy function and $f_{e}$ is the error correction inefficiency. The detailed analysis for the gain and error rate is given in the Appendix C.

To show the performance of our protocol, we consider a QSS protocol based on GHZ states distribution, which also utilizes measurement results in the $X$ -basis for key generation and the $Z$ -basis for parameter estimation, and compare the key rate with our work in asymptotic limit. For simplicity, we assume that the GHZ source of the network provider is a perfect source which distributes one pure GHZ state at a time, and the transmission distances from the network provider to all participants are equal. For all participants, the detection efficiency and dark count rate of photon detectors are set as $\eta_{d}=90\%$ and $p_{d}=10^{-5}$ , and the misalignment error rate is $e_{d}=0.01$ . The attenuation coefficient of channels and the error correction inefficiency are fixed as $\alpha=0.2$ and $f_{e}=1.22$ , respectively. The asymptotic key rate is the same as the Eq. (5), except for the gain (see the Appendix C).

For comparison, we also assume that the entangled photon pair source of the network provider in our protocol is a perfect source, and utilize the same simulation parameters. Figure 2 shows that the key rate of our work is almost independent of the number of participants and has a significant advantage compared with the QSS protocol based on GHZ states distribution. Let $\eta$ ( $\eta<1$ ) be the probability that one participant receives a photon, owing to the Bell state distribution and the post-matching technique [30], the gain is increased from $\mathcal{O}\left(\eta^{n}\right)$ to $\mathcal{O}\left(\eta^{2}\right)$ for $n$ QSS participants (see the Appendix C), thus the high efficiency and robustness of our protocol can be achieved.

In addition, we investigate the key rate in a realistic case, where the finite resource and the realistic entangled photon source are taken into consideration. In finite key regime, based on the method of composable security in refs. [42, 39, 25] and the statistical fluctuation analysis of random sampling without replacement in ref. [43], we can give the following length $l$ of secure key:

\begin{split}l=&m\left[q-\mathop{\max}\limits_{i}h\left(E^{Z}_{AB_{i}}+\lambda% \left(E^{Z}_{AB_{i}},\epsilon\right)\right)\right]\\ &-\mathrm{leak}_{\mathrm{EC}}-\log_{2}\frac{1}{4\epsilon_{\mathrm{c}}\left(% \epsilon^{\prime}\right)^{2}},\end{split}

(6)

where

\begin{split}\lambda\left(E^{Z}_{AB_{i}},\epsilon\right)=\frac{\frac{\left(1-2% E^{Z}_{AB_{i}}\right)AG}{m+k_{i}}+\sqrt{\frac{A^{2}G^{2}}{\left(m+k_{i}\right)% ^{2}}+4E^{Z}_{AB_{i}}\left(1-E^{Z}_{AB_{i}}\right)G}}{2+2\frac{A^{2}G}{\left(m% +k_{i}\right)^{2}}},\end{split}

$k_{i}$ ( $k_{i}\leq k$ ) is the number of correlation test rounds between the dealer $A$ and the $i$ th player $B_{i}$ and $E^{Z}_{AB_{i}}$ is the marginal error rate observed in correlation test. $A=\max\{m,k_{i}\}$ and $G=\frac{m+k_{i}}{mk_{i}}\ln\frac{m+k_{i}}{2\pi mk_{i}E^{Z}_{AB_{i}}\left(1-E^{% Z}_{AB_{i}}\right)\epsilon^{2}}$ . $q$ quantifies the complementarity of the two measurement bases, i.e., the $X$ - and $Z$ -bases. We fix $\epsilon_{\mathrm{c}}=3\epsilon=3\epsilon^{\prime}=10^{-10}$ , $p_{x}=0.9$ and the average number of photon pairs generated per pulse $\mu=0.04$ , and assume that the information leakage $\mathrm{leak}_{\mathrm{EC}}=mf_{e}h\left(E^{X}\right)$ , where $E^{X}$ is the total error rate in the $X$ -basis. The other simulation parameters are the same as that in asymptotic limit. According to the results in Fig. 3, the transmission distance of our QSS protocol is over 130km, 110km and 80km for $n=4,6,8$ , respectively, making it suitable for the metropolitan quantum network. The simulation also shows that the finite key rate of our work decreases as the number of participants $n$ increases, owing to the fact that more participants lead to a higher error rate.

IV discussion

In conclusion, we present an efficient multiparty QSS protocol with entangled photon pair source. Note that our QSS protocol is naturally source-independent since it is entanglement-based [44, 45]. Through the post-matching technique [30] and classical XOR operations, the GHZ-state correlation can be established among the measurement results of entangled photon pairs in our protocol. Thus, under the architecture of the fully connected quantum networks [31, 32, 33], our scheme can be easily extended without any hardware modifications for the network provider and all network users, which is highly versatile and suitable for the metropolitan network. By introducing an equivalent virtual protocol, we prove the unconditional security of our QSS protocol against the internal and external eavesdroppers. The simulation results show that the key rate of our protocol is nearly independent of the number of participants and has a significant advantage compared to the QSS protocol that directly distributes GHZ states. The robustness and high efficiency are due to the gain improving from $\mathcal{O}\left(\eta^{n}\right)$ to $\mathcal{O}\left(\eta^{2}\right)$ and the use of marginal error rate in $Z$ -basis to estimate the phase error rate (see the Appendix C). Moreover, our protocol can be readily implemented with current quantum key distribution devices and entanglement sources. Therefore, combined with the high efficiency quantum cryptographic protocol, for example, the efficient quantum digital signatures protocol [46], our protocol enable numerous potential applications to be realized, such as quantum Byzantine agreement [47, 48] and quantum e-commerce [49] in quantum networks. We anticipate that our work will serve the infrastructure of large-scale deployment for quantum networks.

Acknowledgments

We gratefully acknowledge the supports from the National Natural Science Foundation of China (No. 12274223); Program for Innovative Talents and Entrepreneurs in Jiangsu (No. JSSCRC2021484).

Appendix A Post-matching method

To describe the post-matching technique [30] in our source-independent quantum secret sharing (QSS) protocol in more detail, we present the specific steps below.

1.

After measuring the photons in $X$ -basis and $Z$ -basis with corresponding probability, all QSS participants broadcast their basis choices. The measurement events that the dealer $A$ and any one of the players $B_{i}$ select the same basis are regarded as matching events $M_{i,k}^{S}$ , where $S\in\{X,Z\}$ represents the measurement basis, $i$ represents the event between the dealer $A$ and the players $B_{i}$ , $k$ represents the round of measurement events.
2.

The matching events $M_{i,k}^{S}$ in the same measurement basis are matched in sequence, and the measurement results in different bases are categorized into different groups. Therefore, the raw data $\{a_{i,j}^{S}\}$ can be obtained for the dealer $A$ and $\{b_{i,j}^{S}\}$ are obtained for the player $B_{i}$ , where $j$ represents the round of matching events.

Here, we provide a post-matching example in three-party case, which includes the dealer $A$ and the players $B_{1}$ and $B_{2}$ , to clarify the process above. As shown in Fig. 4, the matching events between the dealer $A$ and the player $B_{1}$ are $\{M_{1,1}^{X},M_{1,3}^{X},M_{1,7}^{Z},M_{1,9}^{X},M_{1,10}^{Z},\cdots\}$ , and the matching events between the dealer $A$ and the player $B_{2}$ are $\{M_{2,2}^{Z},M_{2,5}^{X},M_{2,6}^{X},M_{2,8}^{X},M_{2,10}^{Z},\cdots\}$ . Then the events $M_{1,1}^{X}$ and $M_{2,5}^{X}$ are matched, and the raw data $a_{1,1}^{X},a_{2,1}^{X}$ are obtained for dealer $A$ and $b_{1,1}^{X}$ ( $b_{2,1}^{X}$ ) is for the player $B_{1}$ ( $B_{2}$ ). Similarly, the other events are matched in sequence and the raw data can be obtained for all participants.

Appendix B Security analysis

B.1 Virtual protocol

To prove the security of our QSS protocol, we introduce a virtual protocol, in which the QSS participants establish entanglement of GHZ state among multiple Bell states by controlled-NOT (CNOT) operations, which are shown in Fig. 5, and obtain almost pure Greenberger-Horne-Zeilinger (GHZ) state through the entanglement purification. The details of the virtual protocol are as follows:

1.

The entanglement source of the network provider generates $n-1$ Bell states $\ket{\phi^{+}}=\left(\ket{00}+\ket{11}\right)/\sqrt{2}$ , and each state contains one virtual qubit $a_{i}$ kept in quantum memory of the dealer $A$ and the other virtual qubit $b_{i}$ is sent to each player $B_{i}$ respectively. After receiving the virtual qubits, all players store their own qubits in quantum memory for the following operations.
2.

The dealer $A$ first uses virtual qubit $a_{1}$ as the control bit to perform multiple CNOT operations on her remaining virtual qubits $a_{i}$ ( $i=2,3,\cdots,n-1$ ). After the local CNOT operations, the dealer $A$ and each player $B_{i}$ perform a non-local CNOT operation with virtual qubit $a_{i}$ as control qubit and virtual qubit $b_{i}$ as target qubit, except for the player $B_{1}$ . After the processing above, the virtual qubits of all parties $\{a_{1},b_{1},b_{2},\cdots,b_{n-1}\}$ are transformed into an $n$ -party GHZ state $\ket{\Phi^{+}_{n}}=\frac{1}{\sqrt{2}}\left(\ket{0}^{\otimes n}+\ket{1}^{% \otimes n}\right)$ . The detailed evolution of quantum operations is shown in Appendix B.2.
3.

After repeating two steps above for sufficient times, all participants share a set of noisy $n$ -party GHZ states. Then a random subset of GHZ states is selected by the dealer $A$ and measured in the $Z$ -basis for parameter estimation. The dealer $A$ and each single player $B_{i}$ utilize the measurement outcomes above to calculate the correlation between them, and the protocol aborts if the correlations are below a certain level.
4.

If the correlation test passes, the entanglement purification is performed among all noisy GHZ states to distillate approximately pure GHZ states. The dealer $A$ and all $n-1$ players $B_{i}$ ( $i=1,2,\cdots,n-1$ ) perform measurement in the $X$ -basis on the GHZ states and utilize the outcomes to generate the final key for QSS.

The quantum operations above performed on the virtual qubits are corresponding to the XOR operations performed on the classical bits in the actual protocol, where the local CNOT operations are equivalent to the XOR operations conducted by the dealer $A$ on her measurement outcomes in the $X$ - and $Z$ -bases, and the non-local CNOT operations correspond to the broadcast of the dealer $A$ and XOR operations conducted by all players. The details of correspondence are shown in Appendix B.2. Entanglement purification in the virtual protocol can be converted into the quantum error correction [40], and the security of quantum communication protocols can be proved utilizing Calderbank-Shor-Steane (CSS) code [41]. Then the property of CSS code allows for the transformation of quantum error correction into classical post-processing, which leads to the bit error correction (phase error correction) can be regarded as the classical error correction (privacy amplification) in the actual protocol. Parameter estimations in both the virtual protocol and actual protocol are conducted only between the dealer $A$ and each single player $B_{i}$ to exclude the effects of potential dishonest parties. Following the Refs. [38, 39], parameter estimation performed between the dealer and each complementary party (single player in our protocol) corresponding to unauthorized subset can against internal participant attacks [36, 37], which has been proven as a loophole in the security of original QSS protocol [7].

Therefore, the virtual protocol is equivalent to our actual protocol, which indicates that all participants in the actual protocol can share the classical bits with the correlation of almost pure GHZ state. Owing to the monogamy of entanglement [50], the information leaked to eavesdropper is negligible and all parties can obtain an information-theoretically secure key by sharing almost perfect GHZ states in the virtual protocol. Therefore, our actual protocol can also avoid the risk of information leakage and obtain a secure key for QSS.

B.2 Quantum operations and classical XOR operations

The schematic diagram of quantum operations that generating $n$ -party GHZ state is shown in Fig. 5. Here we represent the Bell state distributed between the dealer $A$ and the player $B_{i}$ in $\sigma_{z}$ representation:

\ket{\phi^{+}}_{a_{i}b_{i}}=\frac{1}{\sqrt{2}}\left(\ket{00}_{a_{i}b_{i}}+\ket% {11}_{a_{i}b_{i}}\right)=\frac{1}{\sqrt{2}}\sum_{z_{i}=0}^{1}\ket{z_{i}z_{i}}_% {a_{i}b_{i}},

(7)

where $a_{i}$ and $b_{i}$ denote qubits belong to the dealer $A$ and the player $B_{i}$ respectively. After the distribution of Bell states, the quantum state among all $n$ participants can be denoted as

\begin{split}\ket{\Psi}&=\ket{\phi^{+}}_{a_{1}b_{1}}\ket{\phi^{+}}_{a_{2}b_{2}% }\cdots\ket{\phi^{+}}_{a_{n-1}b_{n-1}}\\ &=\frac{1}{2^{(n-1)/2}}\left(\sum_{z_{1}=0}^{1}\ket{z_{1}z_{1}}_{a_{1}b_{1}}% \right)\left(\sum_{z_{2}=0}^{1}\ket{z_{2}z_{2}}_{a_{2}b_{2}}\right)\cdots\left% (\sum_{z_{n-1}=0}^{1}\ket{z_{n-1}z_{n-1}}_{a_{n-1}b_{n-1}}\right)\\ &=\frac{1}{2^{(n-1)/2}}\sum_{\begin{subarray}{c}\{z_{i}\}\\ z_{i}\in[0,1]\end{subarray}}\ket{z_{1}z_{1}z_{2}z_{2}\cdots z_{n-1}z_{n-1}}_{a% _{1}b_{1}a_{2}b_{2}\cdots a_{n-1}b_{n-1}},\end{split}

(8)

where the summation symbol in the third line of Eq. (8) represents the sum over all possible values of the sequence $\{z_{i}|i=1,2,\cdots,n-1\}$ . According to the action of CNOT operation $\ket{c}\ket{t}\rightarrow\ket{c}\ket{t\oplus c}$ , the dealer $A$ first performs local CNOT operations on her virtual qubits

\ket{z_{1}}_{a_{1}}\ket{z_{i}}_{a_{i}}\rightarrow\ket{z_{1}}_{a_{1}}\ket{z_{i}% \oplus z_{1}}_{a_{i}},

(9)

and then conducts non-local CNOT operations with each player $B_{i}$ , except for $B_{1}$

\ket{z_{i}\oplus z_{1}}_{a_{i}}\ket{z_{i}}_{b_{i}}\rightarrow\ket{z_{i}\oplus z% _{1}}_{a_{i}}\ket{z_{i}\oplus z_{i}\oplus z_{1}}_{b_{i}}=\ket{z_{i}\oplus z_{1% }}_{a_{i}}\ket{z_{1}}_{b_{i}}

(10)

Therefore, the quantum state among $n$ parties goes to

\begin{split}\ket{\Psi}\xrightarrow[\mathrm{CNOT}]{\mathrm{Local}}&\frac{1}{2^% {(n-1)/2}}\sum_{\begin{subarray}{c}\{z_{i}\}\\ z_{i}\in[0,1]\end{subarray}}\ket{z_{1}z_{1}(z_{2}\oplus z_{1})z_{2}\cdots(z_{n% -1}\oplus z_{1})z_{n-1}}_{a_{1}b_{1}a_{2}b_{2}\cdots a_{n-1}b_{n-1}}\\ \xrightarrow[\mathrm{CNOT}]{\mathrm{Non-local}}&\frac{1}{2^{(n-1)/2}}\sum_{% \begin{subarray}{c}\{z_{i}\}\\ z_{i}\in[0,1]\end{subarray}}\ket{z_{1}z_{1}(z_{2}\oplus z_{1})z_{1}\cdots(z_{n% -1}\oplus z_{1})z_{1}}_{a_{1}b_{1}a_{2}b_{2}\cdots a_{n-1}b_{n-1}}\\ =&\frac{1}{2^{(n-1)/2}}\sum_{\begin{subarray}{c}\{z_{i}\}\\ z_{i}\in[0,1]\end{subarray}}\ket{z_{1}}^{\otimes n}_{a_{1}b_{1}b_{2}\cdots b_{% n-1}}\ket{(z_{2}\oplus z_{1})\cdots(z_{n-1}\oplus z_{1})}_{a_{2}\cdots a_{n-1}% }\\ =&\frac{1}{2^{(n-1)/2}}\sum_{\begin{subarray}{c}\{z_{i}|i\neq 1\}\\ z_{i}\in[0,1]\end{subarray}}\left(\ket{0}^{\otimes n}_{a_{1}b_{1}b_{2}\cdots b% _{n-1}}\ket{z_{2}\cdots z_{n-1}}_{a_{2}\cdots a_{n-1}}+\ket{1}^{\otimes n}_{a_% {1}b_{1}b_{2}\cdots b_{n-1}}\ket{\bar{z}_{2}\cdots\bar{z}_{n-1}}_{a_{2}\cdots a% _{n-1}}\right),\end{split}

(11)

where $\bar{z}_{i}$ represents the negation of $z_{i}$ . The value of $\bar{z}_{i}$ at $z_{i}=0$ ( $z_{i}=1$ ) is the same as the value of $z_{i}$ at $z_{i}=1$ ( $z_{i}=0$ ), therefore the summation of all possible values of sequence $\{\bar{z}_{i}|i\neq 1\}$ is equal to that of sequence $\{z_{i}|i\neq 1\}$ , which gives the quantum state as

\begin{split}\ket{\Psi}\xrightarrow[\mathrm{operations}]{\mathrm{Quantum}}&% \frac{1}{2^{(n-1)/2}}\sum_{\begin{subarray}{c}\{z_{i}|i\neq 1\}\\ z_{i}\in[0,1]\end{subarray}}\ket{z_{2}\cdots z_{n-1}}_{a_{2}\cdots a_{n-1}}% \left(\ket{0}^{\otimes n}+\ket{1}^{\otimes n}\right)_{a_{1}b_{1}b_{2}\cdots b_% {n-1}}\\ =&\frac{1}{2^{(n-1)/2}}\left(\ket{0}+\ket{1}\right)_{a_{2}}\cdots\left(\ket{0}% +\ket{1}\right)_{a_{n-1}}\left(\ket{0}^{\otimes n}+\ket{1}^{\otimes n}\right)_% {a_{1}b_{1}b_{2}\cdots b_{n-1}}.\end{split}

(12)

Then an $n$ -party GHZ state is established among the subsystem $\{a_{1}b_{1}b_{2}\cdots b_{n-1}\}$ of all participants

\ket{\Phi^{+}_{n}}=\frac{1}{\sqrt{2}}\left(\ket{0}^{\otimes n}+\ket{1}^{% \otimes n}\right)_{a_{1}b_{1}b_{2}\cdots b_{n-1}}.

(13)

The process of GHZ states generation above should be achieved by quantum memories and multiple quantum gates with high fidelity, which are far from practical application. Therefore, in the actual protocol, we utilize the classical XOR operations to achieve the correlation of GHZ state among the measurement results in the $X$ - and $Z$ -bases. The corresponding relationship between the quantum operations and classical operations is shown below.

We first recall the action of CNOT operation in the $Z$ - and $X$ -bases. For the $Z$ -basis, the action of CNOT operation is flipping target qubit according to control qubit, i.e., $\ket{c}\ket{t}\rightarrow\ket{c}\ket{t\oplus c}$ . However, for the $X$ -basis, the CNOT behavior is changed: target qubit is not flipped, while control qubit is flipped if the state of target qubit is $\ket{-}=(\ket{0}-\ket{1})/\sqrt{2}$ and remains unchanged if the state of target qubit is $\ket{+}=(\ket{0}+\ket{1})/\sqrt{2}$ , i.e., $\ket{c}\ket{t}\rightarrow\ket{c\oplus t}\ket{t}$ .

Therefore, the local CNOT operations performed by the dealer $A$ corresponds to the following classical XOR operations. Note that the following operations are conducted on the same round of matching events, thus we neglect the index $j$ , which represents the round of matching events. For the $Z$ -basis, the measurement results $a_{i}^{Z}$ ( $i=2,3,\cdots,n-1$ ) are replaced with $c_{i}^{Z}=a_{1}^{Z}\oplus a_{i}^{Z}$ but $a_{1}^{Z}$ remains unchanged. For the $X$ -basis, $a_{1}^{X}$ is changed into $\tilde{a}_{1}^{X}=a_{1}^{X}\oplus a_{2}^{X}\oplus\cdots\oplus a_{n-1}^{X}$ and the other bits are not changed. The non-local CNOT operations between the dealer $A$ and each player $B_{i}$ can also be transformed into the classical process below. For the $Z$ -basis, the dealer $A$ broadcasts $c_{i}^{Z}$ and each player $B_{i}$ decides whether the measurement results $b_{i}^{Z}$ is flipped or not according to $c_{i}^{Z}$ , which means $b_{i}^{Z}$ is changed into $\tilde{b}_{i}^{Z}=c_{i}^{Z}\oplus b_{i}^{Z}$ . Note that $c_{1}^{Z}=a_{1}^{Z}\oplus a_{1}^{Z}=0$ , i.e., $\tilde{b}_{1}^{Z}=b_{1}^{Z}$ , which corresponds that the virtual qubit $b_{1}$ is unchanged under the non-local CNOT operations. For the $X$ -basis, however, the target qubits remains unchanged, which indicates that no classical operations are performed on $b_{i}^{X}$ . Here, we should note that the equivalence between the CNOT operations and classical XOR operations shown above is in the noiseless case. However, multiparty entanglement purification [34, 35] can distill nearly perfect GHZ states from noisy GHZ states, which means the errors during the distribution and CNOT operations can be nearly corrected, and the entanglement purification can be converted into thetran classical error correction and privacy amplification due to the property of CSS code. Therefore, the virtual protocol is equivalent to the actual protocol in the noisy case.

To clarify the process of XOR operations above, we utilize the case of three parties $\{A,B_{1},B_{2}\}$ as an example and list all possible measurement results in the $Z$ - and $X$ -bases without noise. For the $Z$ -basis, the process of XOR operations is shown in Fig. 6 (a). In the third table, the correlation of classical bits $\{a_{1}^{Z},\tilde{b}_{1}^{Z},\tilde{b}_{2}^{Z}\}$ is $a_{1}^{Z}=\tilde{b}_{1}^{Z}=\tilde{b}_{2}^{Z}$ , which is the same as GHZ-state correlation in the $Z$ -basis. For the $X$ -basis, the process is listed in Fig. 6 (b), where the final correlation of classical bits $\{\tilde{a}_{1}^{X},b_{1}^{X},b_{2}^{X}\}$ is $\tilde{a}_{1}^{X}=b_{1}^{X}\oplus b_{2}^{X}$ , which is the same as GHZ state correlation in the $X$ -basis. Clearly, the classical XOR operations are corresponding to the quantum CNOT operations and can implement GHZ-state correlation among the classical bits of all QSS participants.

Appendix C Analysis of the gain and the error rate

C.1 Theoretical analysis

According to ref. [51], the gain and error rate of bipartite entanglement distribution between the dealer $A$ and each player $B_{i}$ are given as

Q_{\mu}=1-\frac{1-Y_{0A}}{\left(1+\eta_{A}\frac{\mu}{2}\right)^{2}}-\frac{1-Y_% {0B_{i}}}{\left(1+\eta_{B_{i}}\frac{\mu}{2}\right)^{2}}+\frac{(1-Y_{0A})(1-Y_{% 0B_{i}})}{\left(1+\eta_{A}\frac{\mu}{2}+\eta_{B_{i}}\frac{\mu}{2}-\eta_{A}\eta% _{B_{i}}\frac{\mu}{2}\right)^{2}},

(14)

E_{\mu}^{X(Z)}Q_{\mu}=e_{0}Q_{\mu}-\frac{2\left(e_{0}-e_{d}^{X(Z)}\right)\eta_% {A}\eta_{B_{i}}\frac{\mu}{2}\left(1+\frac{\mu}{2}\right)}{\left(1+\eta_{A}% \frac{\mu}{2}\right)\left(1+\eta_{B_{i}}\frac{\mu}{2}\right)\left(1+\eta_{A}% \frac{\mu}{2}+\eta_{B_{i}}\frac{\mu}{2}-\eta_{A}\eta_{B_{i}}\frac{\mu}{2}% \right)},

(15)

where $Y_{0A(B_{i})}$ is the background count rates, which quantifies the contribution of vacuum states, i.e., the dark count rate $p_{d}$ in our simulation. $e_{0}=1/2$ is the error rate of random noises, $e_{d}^{X}$ ( $e_{d}^{Z}$ ) is the misalignment error rate of the $X$ -basis ( $Z$ -basis), $\mu$ is the average number of photon pairs generated per pulse and $\eta_{A(B_{i})}=\eta_{dA(B_{i})}\cdot 10^{-\alpha L_{A(B_{i})}/10}$ , where $L_{A(B_{i})}$ is the transmission distance between the network provider and the dealer $A$ (the player $B_{i}$ ).

By utilizing the post-matching technique [30], the gain of our protocol is the probability that both the dealer $A$ and each player $B_{i}$ receive and measure photons in the $X$ -basis, which is $Q^{X}=p_{x}^{2}Q_{\mu}$ , where $p_{x}$ is the probability that measuring photons in the $X$ -basis. In the asymptotic limit of biased scheme [52], we have $Q^{X}\approx Q_{\mu}$ . For the situation of perfect entangled photon pair source, which distributes one pure quantum state at a time, the gain and bipartite error rate are given as

Q^{X}=Y_{1}=\left[1-(1-Y_{0A})(1-\eta_{A})\right]\left[1-(1-Y_{0B_{i}})(1-\eta% _{B_{i}})\right],

(16)

E_{\mu}^{X(Z)}=e_{0}-\frac{\left(e_{0}-e_{d}^{X(Z)}\right)\eta_{A}\eta_{B_{i}}% }{Y_{1}},

(17)

where $Y_{1}$ is the yield for one photon pair, i.e., the probability of a coincidence detection event when the source emits one photon pair [51]. Additionally, the gain for the QSS protocol based on perfect GHZ state source is

Q^{X}_{\mathrm{GHZ}}=\left[1-(1-Y_{0A})(1-\eta_{A})\right]\cdot\prod_{i=1}^{n-% 1}\left[1-(1-Y_{0B_{i}})(1-\eta_{B_{i}})\right].

(18)

To analyze the marginal error rate in the $Z$ -basis and the total error rate in the $X$ -basis, we utilize the case of $n=3$ as an example and generalize the conclusions to the case of multiple parties. Here we list the measurement results and corresponding probabilities when the dealer $A$ obtains both logic 0 from the Bell states shared with the players $B_{1}$ and $B_{2}$ in the $Z$ - and $X$ -bases. For the other cases, where the dealer $A$ obtains logic $(0,1),(1,0),(1,1)$ in two bases, we should derive the same results. In order to align with the real situation, we assume that the classical operations performed with classical computer do not introduce any errors.

For the $Z$ -basis, only the discordant classical bits between the dealer $A$ and a single player $B_{i}$ contribute to the marginal error rate $E_{AB_{i}}^{Z}$ . Based on the tables in Fig. 7(a), the data in the second row and the fourth row contributes to the marginal error rate between $A$ and $B_{1}$ , which is $E^{Z}_{AB_{1}}=E^{Z}_{\mu}\left(1-E^{Z}_{\mu}\right)+\left(E^{Z}_{\mu}\right)^% {2}=E^{Z}_{\mu}$ . Similarly, the marginal error rate between $A$ and $B_{2}$ is also $E^{Z}_{AB_{2}}=E^{Z}_{\mu}$ , which is contributed by the data in the third row and the fourth row, so the marginal error rate $E_{AB_{i}}^{Z}$ of three parties is $E^{Z}_{\mu}$ . We could consider the conclusion above in another way: due to the classical XOR operations do not introduce any errors, the marginal error rate of generated GHZ state between the dealer $A$ and the player $B_{i}$ can only be introduced by the error rate from bipartite entanglement distribution. Therefore, it is reasonable to generalize the conclusion to the case of $n$ parties, i.e., $E_{AB_{i}}^{Z}=E^{Z}_{\mu}$ holds for different numbers of participants.

For the $X$ -basis, owing to the GHZ-state correlation among classical data, only an odd number of error between the dealer $A$ and the player $B_{i}$ contribute to the total error rate $E^{X}$ . For example, the tables in Fig. 7(b) show that the data in the first row and the fourth row, which denotes no error and both the player $B_{1}$ and $B_{2}$ have errors with the dealer $A$ , satisfy the GHZ-state correlation, i.e., $\tilde{a}_{1}^{X}=b_{1}^{X}\oplus b_{2}^{X}$ . However, the data in the second row and the third row denotes only one player ( $B_{1}$ or $B_{2}$ ) has error with the dealer $A$ and does not satisfy the GHZ-state correlation, so the total error rate is $E^{X}=2E^{X}_{\mu}\left(1-E^{X}_{\mu}\right)$ . We let $C_{n}^{k}=\frac{n!}{k!(n-k)!}$ be the binomial coefficient. The total error rate in the case of $n$ -party should follow the same conclusion, therefore, we give the following total error rate

E^{X}=\sum_{j=0}^{\lfloor n/2\rfloor-1}C_{n-1}^{2j+1}\left(E^{X}_{\mu}\right)^% {2j+1}\left(1-E^{X}_{\mu}\right)^{n-2j-2},

(19)

where $\lfloor n/2\rfloor$ denotes the floor function of $n/2$ , $C_{n-1}^{2j+1}$ indicates that among all $n-1$ players, $2j+1$ players obtain discordant measurement results with the dealer $A$ . Furthermore, the total error rate formula can be simplified as

E^{X}=\frac{1}{2}\left[1-\left(1-2E^{X}_{\mu}\right)^{n-1}\right],

(20)

and the proof is shown in below.

\begin{split}E^{X}&=\sum_{j=0}^{\lfloor n/2\rfloor-1}C_{n-1}^{2j+1}\left(E^{X}% _{\mu}\right)^{2j+1}\left(1-E^{X}_{\mu}\right)^{n-2j-2}\\ &=\sum_{j=0}^{\lfloor n/2\rfloor-1}C_{n-1}^{2j+1}\left(E^{X}_{\mu}\right)^{2j+% 1}\sum_{l=0}^{n-2j-2}C_{n-2j-2}^{l}\left(-E^{X}_{\mu}\right)^{l}\\ &=\sum_{j=0}^{\lfloor n/2\rfloor-1}\sum_{l=0}^{n-2j-2}C_{n-1}^{2j+1}C_{n-2j-2}% ^{l}\left(-1\right)^{l}\left(E^{X}_{\mu}\right)^{l+2j+1}\\ &=\sum_{j=0}^{\lfloor n/2\rfloor-1}\sum_{k=2j+1}^{n-1}C_{n-1}^{2j+1}C_{(n-1)-(% 2j+1)}^{k-(2j+1)}\left(-1\right)^{k-1}\left(E^{X}_{\mu}\right)^{k},\quad(k=l+2% j+1)\\ &=\sum_{j=0}^{\lfloor n/2\rfloor-1}\sum_{k=2j+1}^{n-1}C_{n-1}^{k}C_{k}^{2j+1}% \left(-1\right)^{k-1}\left(E^{X}_{\mu}\right)^{k},\quad\left(C_{m}^{r}C_{m-r}^% {n-r}=C_{m}^{n}C_{n}^{r}\right)\\ \end{split}

(21)

Here we change the order of summation and the range of the summation index, and utilize the properties of binomial coefficients $C_{k}^{1}+C_{k}^{3}+C_{k}^{5}+\cdots=2^{k-1}$ to simplify the formula. Moreover, $\lceil x\rceil$ denotes the ceiling function of $x$ .

\begin{split}E_{X}&=\sum_{j=0}^{\lfloor n/2\rfloor-1}\sum_{k=2j+1}^{n-1}C_{n-1% }^{k}C_{k}^{2j+1}\left(-1\right)^{k-1}\left(E^{X}_{\mu}\right)^{k}\\ &=\sum_{k=1}^{n-1}C_{n-1}^{k}\left(\sum_{j=0}^{\lceil k/2\rceil-1}C_{k}^{2j+1}% \right)\left(-1\right)^{k-1}\left(E^{X}_{\mu}\right)^{k}\\ &=\sum_{k=1}^{n-1}C_{n-1}^{k}2^{k-1}\left(-1\right)^{k-1}\left(E^{X}_{\mu}% \right)^{k}\\ &=-\frac{1}{2}\left[-1+\sum_{k=0}^{n-1}C_{n-1}^{k}\left(-2E^{X}_{\mu}\right)^{% k}\right]\\ &=\frac{1}{2}\left[1-\left(1-2E^{X}_{\mu}\right)^{n-1}\right]\end{split}

(22)

C.2 Simulation results

Table 1: Simulation parameters.

e_{d}

denotes the detector error.

\eta_{d}

and

p_{d}

are the detection efficiency and dark count rate.

\alpha

is the attenuation coefficient with the

l

kilometers fiber attenuation

10^{-\alpha l/10}

f_{e}

is the error correction inefficiency.

p_{x}

is the probability of

X

-basis measurement.

\epsilon_{\mathrm{c}}

\epsilon

and

\epsilon^{\prime}

are the failure parameters

$e_{d}$	$\eta_{d}$	$p_{d}$	$\alpha$	$f_{e}$	$p_{x}$	$\epsilon_{\mathrm{c}}$	3 $\epsilon$	3 $\epsilon^{\prime}$
0.01	78%	$10^{-7}$	0.16	1.12	0.9	$10^{-10}$	$10^{-10}$	$10^{-10}$

Here, as a supplement for the main text, we utilize another group of parameters which are listed in Table 1 to simulate the key rate of our protocol. Assume that the devices of all participants are the same and the transmission distances from the network provider to all participants are equal. We compare the performance between our protocol and the QSS protocol which directly distributes GHZ states under the perfect source. According to the simulation result in Fig. 8, the key rate of our protocol is almost independent of the number of participants and offers a large advantage over the QSS protocol with GHZ states distribution, which is consistent with the result in the main text. With the help of the Bell state distribution and the post-matching technique [30], the gain of the QSS protocol is improved from $Q^{X}_{\mathrm{GHZ}}\propto\mathcal{O}\left(\eta^{n}\right)$ to $Q^{X}\propto\mathcal{O}\left(\eta^{2}\right)$ , where $\eta=\eta_{A}=\eta_{B_{i}}$ ( $i=1,2,\cdots,n-1$ ), thus the gain $Q^{X}$ of our protocol is independent of the number of participants $n$ . Moreover, to address the internal participant attacks [36, 37], the marginal error rate in the $Z$ -basis is taken into consideration, which is independent of $n$ , however, the total error rate in the $X$ -basis (Eq. 19 or Eq. 20) is related with $n$ . Therefore, the key rate of our protocol is almost independent of the number of participants.

In addition, under the imperfect source, we simulate the key rates in finite-size regime with the different values of $\mu$ , i.e., the average number of photon pairs generated by entangled photon pair source per pulse. Figure 9 shows the finite key rate of our protocol with $\mu=0.03,0.04,0.045,0.05$ . The key rate is almost independent of the number of participants with $\mu=0.03$ , however, with the increase of the value of $\mu$ , the key rate decreases significantly as the number of participants $n=8$ . The main reason is that the multi-photon components in the signal increase with the increase of the average number of photon pairs generated per pulse, leading to a significant rise in the error rate, which results in the key rate decreasing markedly with the increase of the number of participants.

References

Wehner et al. [2018] S. Wehner, D. Elkouss, and R. Hanson, Quantum internet: A vision for the road ahead, Science 362, eaam9288 (2018).
Zhou et al. [2023] L. Zhou, J. Lin, Y.-M. Xie, Y.-S. Lu, Y. Jing, H.-L. Yin, and Z. Yuan, Experimental quantum communication overcomes the rate-loss limit without global phase tracking, Phys. Rev. Lett. 130, 250801 (2023).
Xie et al. [2022] Y.-M. Xie, Y.-S. Lu, C.-X. Weng, X.-Y. Cao, Z.-Y. Jia, Y. Bao, Y. Wang, Y. Fu, H.-L. Yin, and Z.-B. Chen, Breaking the rate-loss bound of quantum key distribution with asynchronous two-photon interference, PRX Quantum 3, 020315 (2022).
Zeng et al. [2022] P. Zeng, H. Zhou, W. Wu, and X. Ma, Mode-pairing quantum key distribution, Nat. Commun. 13, 3903 (2022).
Chen and Lo [2007] K. Chen and H.-K. Lo, Multi-partite quantum cryptographic protocols with noisy GHZ states, Quantum Information & Computation 7, 689 (2007).
Li et al. [2023a] C.-L. Li, Y. Fu, W.-B. Liu, Y.-M. Xie, B.-H. Li, M.-G. Zhou, H.-L. Yin, and Z.-B. Chen, Breaking universal limitations on quantum conference key agreement without quantum memory, Commun. Phys. 6, 122 (2023a).
Hillery et al. [1999] M. Hillery, V. Bužek, and A. Berthiaume, Quantum secret sharing, Phys. Rev. A 59, 1829 (1999).
Cleve et al. [1999] R. Cleve, D. Gottesman, and H.-K. Lo, How to share a quantum secret, Phys. Rev. Lett. 83, 648 (1999).
Fu et al. [2015] Y. Fu, H.-L. Yin, T.-Y. Chen, and Z.-B. Chen, Long-distance measurement-device-independent multiparty quantum communication, Phys. Rev. Lett. 114, 090501 (2015).
Yin et al. [2023] H.-L. Yin, Y. Fu, C.-L. Li, C.-X. Weng, B.-H. Li, J. Gu, Y.-S. Lu, S. Huang, and Z.-B. Chen, Experimental quantum secure network with digital signatures and encryption, Natl. Sci. Rev. 10, nwac228 (2023).
Vaccaro et al. [2007] J. A. Vaccaro, J. Spring, and A. Chefles, Quantum protocols for anonymous voting and surveying, Phys. Rev. A 75, 012333 (2007).
Long and Liu [2002] G. L. Long and X. S. Liu, Theoretically efficient high-capacity quantum-key-distribution scheme, Phys. Rev. A 65, 032302 (2002).
Wen et al. [2007] K. Wen, F. G. Deng, and G. L. Long, Secure reusable base-string in quantum key distribution, arXiv preprint arXiv:0706.3791 (2007).
Zhang et al. [2017] W. Zhang, D.-S. Ding, Y.-B. Sheng, L. Zhou, B.-S. Shi, and G.-C. Guo, Quantum secure direct communication with quantum memory, Phys. Rev. Lett. 118, 220501 (2017).
Gottesman and Chuang [1999] D. Gottesman and I. L. Chuang, Demonstrating the viability of universal quantum computation using teleportation and single-qubit operations, Nature 402, 390 (1999).
Wiesner [1983] S. Wiesner, Conjugate coding, SIGACT News 15, 78 (1983).
Xiao et al. [2004] L. Xiao, G. L. Long, F.-G. Deng, and J.-W. Pan, Efficient multiparty quantum-secret-sharing schemes, Phys. Rev. A 69, 052307 (2004).
Markham and Sanders [2008] D. Markham and B. C. Sanders, Graph states for quantum secret sharing, Phys. Rev. A 78, 042309 (2008).
Cai et al. [2017] Y. Cai, J. Roslund, G. Ferrini, F. Arzani, X. Xu, C. Fabre, and N. Treps, Multimode entanglement in reconfigurable graph states using optical frequency combs, Nat. Commun. 8, 15645 (2017).
Zhou et al. [2018] Y. Zhou, J. Yu, Z. Yan, X. Jia, J. Zhang, C. Xie, and K. Peng, Quantum secret sharing among four players using multipartite bound entanglement of an optical field, Phys. Rev. Lett. 121, 150502 (2018).
Yu et al. [2008] I.-C. Yu, F.-L. Lin, and C.-Y. Huang, Quantum secret sharing with multilevel mutually (un)biased bases, Phys. Rev. A 78, 012344 (2008).
Singh and Srikanth [2005] S. K. Singh and R. Srikanth, Generalized quantum secret sharing, Phys. Rev. A 71, 012328 (2005).
Tavakoli et al. [2015] A. Tavakoli, I. Herbauts, M. Żukowski, and M. Bourennane, Secret sharing with a single $d$ -level quantum system, Phys. Rev. A 92, 030302 (2015).
Gu et al. [2021] J. Gu, X.-Y. Cao, H.-L. Yin, and Z.-B. Chen, Differential phase shift quantum secret sharing using a twin field, Opt. Express 29, 9165 (2021).
Li et al. [2023b] C.-L. Li, Y. Fu, W.-B. Liu, Y.-M. Xie, B.-H. Li, M.-G. Zhou, H.-L. Yin, and Z.-B. Chen, Breaking the rate-distance limitation of measurement-device-independent quantum secret sharing, Phys. Rev. Res. 5, 033077 (2023b).
Gaertner et al. [2007] S. Gaertner, C. Kurtsiefer, M. Bourennane, and H. Weinfurter, Experimental demonstration of four-party quantum secret sharing, Phys. Rev. Lett. 98, 020503 (2007).
Bell et al. [2014] B. Bell, D. Markham, D. Herrera-Martí, A. Marin, W. Wadsworth, J. Rarity, and M. Tame, Experimental demonstration of graph-state quantum secret sharing, Nat. Commun. 5, 1 (2014).
Williams et al. [2019] B. P. Williams, J. M. Lukens, N. A. Peters, B. Qi, and W. P. Grice, Quantum secret sharing with polarization-entangled photon pairs, Phys. Rev. A 99, 062311 (2019).
Shen et al. [2023] A. Shen, X.-Y. Cao, Y. Wang, Y. Fu, J. Gu, W.-B. Liu, C.-X. Weng, H.-L. Yin, and Z.-B. Chen, Experimental quantum secret sharing based on phase encoding of coherent states, Sci. China-Phys. Mech. Astron. 66, 260311 (2023).
Lu et al. [2021] Y.-S. Lu, X.-Y. Cao, C.-X. Weng, J. Gu, Y.-M. Xie, M.-G. Zhou, H.-L. Yin, and Z.-B. Chen, Efficient quantum digital signatures without symmetrization step, Opt. Express 29, 10162 (2021).
Wengerowsky et al. [2018] S. Wengerowsky, S. K. Joshi, F. Steinlechner, H. Hübel, and R. Ursin, An entanglement-based wavelength-multiplexed quantum communication network, Nature 564, 225 (2018).
Joshi et al. [2020] S. K. Joshi, D. Aktas, S. Wengerowsky, M. Lončarić, S. P. Neumann, B. Liu, T. Scheidl, G. C. Lorenzo, Ž. Samec, L. Kling, et al., A trusted node–free eight-user metropolitan quantum communication network, Sci. Adv. 6, eaba0959 (2020).
Liu et al. [2022] X. Liu, J. Liu, R. Xue, H. Wang, H. Li, X. Feng, F. Liu, K. Cui, Z. Wang, L. You, et al., 40-user fully connected entanglement-based quantum key distribution network without trusted node, PhotoniX 3, 1 (2022).
Dür et al. [1999] W. Dür, J. I. Cirac, and R. Tarrach, Separability and distillability of multiparticle quantum systems, Phys. Rev. Lett. 83, 3562 (1999).
Maneva and Smolin [2002] E. N. Maneva and J. A. Smolin, Improved two-party and multi-party purification protocols, Contemporary Mathematics 305, 203 (2002).
Karlsson et al. [1999] A. Karlsson, M. Koashi, and N. Imoto, Quantum entanglement for secret sharing and secret splitting, Phys. Rev. A 59, 162 (1999).
Qin et al. [2007] S.-J. Qin, F. Gao, Q.-Y. Wen, and F.-C. Zhu, Cryptanalysis of the Hillery-Bužek-Berthiaume quantum secret-sharing protocol, Phys. Rev. A 76, 062324 (2007).
Kogias et al. [2017] I. Kogias, Y. Xiang, Q. He, and G. Adesso, Unconditional security of entanglement-based continuous-variable quantum secret sharing, Phys. Rev. A 95, 012315 (2017).
Walk and Eisert [2021] N. Walk and J. Eisert, Sharing classical secrets with continuous-variable entanglement: composable security and network coding advantage, PRX Quantum 2, 040339 (2021).
Bennett et al. [1996] C. H. Bennett, D. P. DiVincenzo, J. A. Smolin, and W. K. Wootters, Mixed-state entanglement and quantum error correction, Phys. Rev. A 54, 3824 (1996).
Shor and Preskill [2000] P. W. Shor and J. Preskill, Simple proof of security of the BB84 quantum key distribution protocol, Phys. Rev. Lett. 85, 441 (2000).
Tomamichel et al. [2012] M. Tomamichel, C. C. W. Lim, N. Gisin, and R. Renner, Tight finite-key analysis for quantum cryptography, Nat. Commun. 3, 634 (2012).
Yin et al. [2020a] H.-L. Yin, M.-G. Zhou, J. Gu, Y.-M. Xie, Y.-S. Lu, and Z.-B. Chen, Tight security bounds for decoy-state quantum key distribution, Sci. Rep. 10, 14312 (2020a).
Koashi and Preskill [2003] M. Koashi and J. Preskill, Secure quantum key distribution with an uncharacterized source, Phys. Rev. Lett. 90, 057902 (2003).
Yin et al. [2020b] J. Yin, Y.-H. Li, S.-K. Liao, M. Yang, Y. Cao, L. Zhang, J.-G. Ren, W.-Q. Cai, W.-Y. Liu, S.-L. Li, et al., Entanglement-based secure quantum cryptography over 1,120 kilometres, Nature 582, 501 (2020b).
Li et al. [2023c] B.-H. Li, Y.-M. Xie, X.-Y. Cao, C.-L. Li, Y. Fu, H.-L. Yin, and Z.-B. Chen, One-time universal hashing quantum digital signatures without perfect keys, Phys. Rev. Appl. 20, 044011 (2023c).
Weng et al. [2023] C.-X. Weng, R.-Q. Gao, Y. Bao, B.-H. Li, W.-B. Liu, Y.-M. Xie, Y.-S. Lu, H.-L. Yin, and Z.-B. Chen, Beating the fault-tolerance bound and security loopholes for Byzantine agreement with a quantum solution, Research 6, 0272 (2023).
Jing et al. [2024] X. Jing, C. Qian, C.-X. Weng, B.-H. Li, Z. Chen, C.-Q. Wang, J. Tang, X.-W. Gu, Y.-C. Kong, T.-S. Chen, et al., Experimental quantum Byzantine agreement on a three-user quantum network with integrated photonics, arXiv preprint arXiv:2403.11441 (2024).
Cao et al. [2024] X.-Y. Cao, B.-H. Li, Y. Wang, Y. Fu, H.-L. Yin, and Z.-B. Chen, Experimental quantum e-commerce, Sci. Adv. 10, eadk3258 (2024).
Terhal [2004] B. M. Terhal, Is entanglement monogamous?, IBM J. Res. Dev. 48, 71 (2004).
Ma et al. [2007] X. Ma, C.-H. F. Fung, and H.-K. Lo, Quantum key distribution with entangled photon sources, Phys. Rev. A 76, 012307 (2007).
Lo et al. [2005] H.-K. Lo, H. F. Chau, and M. Ardehali, Efficient quantum key distribution scheme and a proof of its unconditional security, J. Cryptol. 18, 133 (2005).