Differential phase shift quantum secret sharing using a twin field

Jie Gu; Xiao-Yu Cao; Hua-Lei Yin; Hua-Lei Yin; Zeng-Bing Chen; Zeng-Bing Chen

doi:10.1364/OE.417856

1. Introduction

Secret sharing is one of basic communication missions in classical cryptography. It aims to split a message into several parts in such a way that no unauthorized subset is sufficient to reconstruct the original message [1]. Since it feathers in secure collaborative activities, secret sharing constitutes a major cryptographic mission for multiparty communication, including controlling missiles [2].

All schemes of classical secret sharing can only be proved secure based on mathematical complexity. Thus, with the emergence of quantum computing algorithm [3], secret sharing is also forced to step into the information-theoretically secure era with laws of quantum mechanics, which is called quantum secret sharing (QSS). The first quantum secret sharing protocol was proposed in 1999 using three-photon entangled Greenberger-Horne-Zeilinger (GHZ) state for three participants [4]. Based on multipartite quantum entanglement, improved quantum secret sharing protocols [5–10] and experimental demonstrations [11–14] have been presented in the past 20 years. Nevertheless, difficulties in preparing and transmitting GHZ states constrains the secret key rate and stability of QSS systems, making it far from practical implementation. Therefore, several protocols in the prepare-and-measure scenario were proposed to circumvent preparations of multipartite entangled states, such as protocols using post-selected multipartite entanglement state [15], Bell states [16,17], continuous variable [18,19], single-qubit scheme [20–23], d-level scheme [24,25] and differential phase shift scheme [26]. Unfortunately, a majority of prepare-and-measure protocols [20–26] is vulnerable to the Trojan horse attacks [27,28]. Furthermore, in particular, all proposed QSS protocols will confront the linear rate-distance limitation [29–31] where the key rate scales with total channel transmittance. This linear rate-distance limitation constricts the key rate and transmission distance of QSS.

Consequently, although QSS has received a lot of attention and achieved a lot of research results, a practical and high efficiency protocol is still missing. In this paper, we present a QSS protocol inspired by the idea of twin-field [32–34] and differential phase shift [35] quantum key distribution. Secure against individual attacks, our protocol will break the linear rate-distance limitation. Besides, in contrast to the previous differential phase shift QSS [26], our protocol realizes that the final key rate can be increased by three orders of magnitude in a 300-km-long fiber and secure against Trojan horse attacks. Additionally, in our protocol, senders only utilize weak coherent laser sources to generate signal pulses. Simultaneously, the phase stabilization method will be employed, which has been widely developed in twin-field quantum key distribution [36–38]. With simple apparatus requirements, our protocol will lower the threshold of experimental and practical implementations.

2. Protocol description

To introduce our protocol, we plot in Fig. 1 the configuration of our quantum secret sharing protocol under experimental setup. In Fig. 1, Charlie, the dealer [12], holds a full key for ciphering while Alice and Bob each hold a partial key for deciphering. In grey areas locate devices held by three participants which are all secure against any eavesdropping. Our protocol employs weak coherent states instead of single-photon states. It features a simple setup where senders basically require weak coherent light sources to generate pulse trains. Furthermore, the dealer utilizes an asymmetric Mach-Zehnder interferometer to measure, with the phase stabilization method [36–38]. The explicit description of our protocol is presented step by step as follows: we denote the sequence of time slots after combination of pulses in two paths as $j$, for $j \in \{1,2,3,\ldots ,2N\}$ where $N$ is the total number of pulses sent by Alice (or Bob) and We set that $k$ is an integer ranging from $1$ to $N$.

Fig. 1. Configuration of our quantum secret sharing protocol. Weak coherent pulse sources (Laser); phase modulator (PM); signal attenuator (Att); polarization control (PC); beam splitter (BS); detector (D1, D2); In Charlie’s measurement area, two pulse trains are first been polarization-modulated by polarization controls to correct their polarization for interference.

Download Full Size | PDF

1. Preparation. Alice (Bob) sends a weak coherent pulse train to Charlie where each pulse is randomly phase-modulated by $\{0, \pi \}$, respectively. The period of the pulse train is $2T$, as shown in Fig. 1 and the average photon number of each pulse is $\mu$, where $\mu$ is set less than one photon. Alice (Bob) records their logic bits of each time slot as 0 (1) when her (his) modulated phase is $0~(\pi )$.

2. Measurement and reconciliation. Before the former beam splitter, the pulse train that Bob sends will be postponed for the time $T$. Then Charlie measures the phase difference of adjacent pulses with an $T$ time delayed Mach-Zehnder interferometer. He records which detector clicks and the corresponding detection time slot. His logic bits will be 0 (1) when D1 (D2) clicks. For double clicks, Charlie randomly chooses a logic bit out of 0 or 1. Then, Charlie discloses the photon detection time. With time information, Alice, Bob and Charlie form their own raw key for the next procedure.

3. Parameter estimation. Charlie randomly chooses recorded detection times and requires Alice and Bob to alternatively announce their classical bits in the chosen time slots through an authenticated classical channel. According to their correlation of bits, Charlie will get the quantum bit error rate (QBER). Then Charlie will make a decision whether they discard all their bits and restart the whole QSS at Step $1$.

4. Post-processing. Alice, Bob and Charlie conduct classical error correction and privacy amplification to distill the final full key and partial keys.

As shown in Fig. 2, we demonstrate the bit correlation among Alice, Bob and Charlie. We denote $S_{k}^{X} \in \{0,1\} ~(X\in \{A, B, C\})$ as a classical bit, whose superscript denotes who holds this bit and whose subscript denotes its sequence in the combined pulse train. At Step $1$, when ignoring the global phase of each pulse, we easily find weak coherent states sent by Alice (Bob) can be written as ${\bigotimes} _{k=1}^{N}|e^{iS_{2k-1}^{A}\pi }\sqrt {\mu }\rangle ~\left ({\bigotimes} _{k=1}^{N}|e^{iS_{2k}^{B}\pi }\sqrt {\mu }\rangle \right )$. Alice (Bob) holds $N$ logic bits denoted by $\{ S_{2k-1}^{A} \}~ \left (\{ S_{2k}^{B} \} \right )$. With an asymmetric interferometer, we can conclude correlation between three participants as:

(1)$$\begin{aligned} & 1 \oplus {S}_{2k-1}^{C} = S_{2k-1}^{A} \oplus S_{2k}^{B},\\ & S_{2k}^{C} = S_{2k}^{B} \oplus S_{2k+1}^{A}.\\ \end{aligned}$$

Fig. 2. Interference measurement at Charlie’s site. After acted by the former beam splitter, pulse trains from Alice and Bob with the period of 2T will be transformed into pulse trains with the period of T in two paths, respectively. In both paths, pulses at odd time slots are from Alice and pulses at even time slots are from Bob. Phases of pulses from Alice in the long path will be modulated by $\pi$. Then, pulses from two paths will interfere with each other after the delay of time T in the long path. Every pulse from Alice (Bob) will interference with both the former and the later pulses from Bob (Alice).

Download Full Size | PDF

For example, under the circumstance that $j = 2k$, when the modulated phases in one time slot imposed by Alice and Bob are {0, 0} or {$\pi$, $\pi$}, the differential phase is 0 and D1 clicks. When Alice’s and Bob’s modulation phases are {0, $\pi$} or {$\pi$, 0}, the differential phase is $\pi$ and D2 will click. Thus, Charlie’s logic bits are the exclusive OR of Alice’s and Bob’s logic bits. When $j = 2k-1$, to achieve the same correlation, Charlie should bit-flip his corresponding classical bit. Evidently, here Alice and Bob will know Charlie’s key bits only by cooperation.

3. Security analysis

The security of our protocol against eavesdropping is discussed in this section. First, we will build an equivalence between our protocol and differential phase shift QSS in [26]. Then, under the equivalence, both an external eavesdropper and an internal eavesdropper are considered using the conclusion in differential phase shift quantum key distribution [39].

3.1 Equivalence

In Fig. 3 we reduce our scheme to differential phase shift QSS, which is shown in Fig. 3(a). The laser source at Alice’s site generates a bunch of weak coherent states, which are all phase-modulated with $\phi _{j}^{A'} \in \{0, \pi \}$, where we also set the intensity of each pulse as $\mu$ and the global phase is ignored. Here we also use $j\in \{1,2,3,\ldots \}$ to number the time slots of each pulse. When reaching Bob’s site, some of photons will be split to reveal whether Alice is a malicious participant [26]. The remaining photons will be phase-modulated again by Bob with $\phi _{j}^{B'} \in \{0, \pi \}$. Before transmitted to Charlie, weak coherent states will be $|{e^{i(\phi _{j}^{A'}+\phi _{j}^{B'})}\sqrt {\mu '}}\rangle$. If the differential phase is 0 ($\pi$), Charlie will record the classical bit as 0 (1) and the corresponding detection time slot. We easily derive correlations between phase modulation and Charlie’s detection results. For $i \in \{1,2,3,\ldots \}$, $S_{j}^{C'}\pi = |(\phi _{j}^{A'}-\phi _{j+1}^{A'}+(\phi _{j}^{B'}-\phi _{j+1}^{B'})|$, where $S$ also denotes the logic bits. The correlation of classical bits in Fig. 3(a) is $S_{j}^{C'}\pi = S_{j}^{A'} \oplus S_{j+1}^{A'} \oplus S_{j}^{B'} \oplus S_{j+1}^{B'}$.

Fig. 3. Configuration of equivalence between differential phase shift QSS and our protocol. (a) We present a typical setup of differential phase shift QSS. (b) With some special rules, differential phase shift QSS will be equivalent to our protocol. (c) For clearly revealing the relationship, we also plot the setup of our protocol.

Download Full Size | PDF

As an intermediate step, a special rule is added for our equivalence where Alice will only modulate phases of the corresponding pulses if $j=2k-1$ and Bob will only phase-modulate the corresponding pulses if $j=2k$. The configuration of this rule is shown in Fig. 3(b). Then, we will derive the correlation as the following form:

(2)$$\begin{aligned} & S_{2k-1}^{C'} = S_{2k-1}^{A'} \oplus S_{2k}^{B'},\\ & S_{2k}^{C'} = S_{2k}^{B'}\oplus S_{2k+1}^{A'},\\ \end{aligned}$$

which is the same correlation after Charlie bit-flips his logic bits when $j=2k-1$ in our protocol. From Fig. 3(a) to Fig. 3(b), equivalence can be built since in differential phase shift QSS, we only care about differential phases $\phi _{j}^{A'}-\phi _{j+1}^{A'}~(\phi _{j}^{B'}-\phi _{j+1}^{B'})$ of Alice (Bob) and the whole scheme stays unchanged with the phase of one pulse $\phi _{j+1}^{A'}~(\phi _{j}^{B'})$ fixed. Moreover, since in Fig. 3(b), pulses at even time slots will not carry any information before reaching Bob’s site, it will introduce no differences that Bob sends pulses at even time slots, which is equivalent to our protocol. Then equivalence between Fig. 3(b) to Fig. 3(c) can be built. Our protocol is equivalent to differential phase shift QSS.

Besides, in Fig. 3(a), phases of Alice’s pulses will be modulated by Bob, with pulses passing through Bob’s site. In [27,28], we know this kind of schemes is not able to prevent powerful Trojan horse attacks and our protocol will fix the security flaw, obviously.

3.2 External eavesdropping

First, we easily derive that beam-splitting attacks and intercept-resend attacks by Eve will fail [35]. Then, as for a general individual attack, here we can assume that Eve will conduct the same attack in differential phase shift QSS [26]. Therefore, information leakage to Eve is given by a fraction $2\mu (1-\eta )$ of the sifted key after reconciliation in Step 2, related to the intensity of each pulse $\mu$ and the transmittance $\eta$ [39].

3.3 Internal eavesdropping

Here we have to be wary of malicious Alice or Bob. Without loss of generality, we let Bob be the malicious participant.

When discussing Bob’s eavesdropping, we know he wants to know Charlie’s key and also has to know Alice’s bits to pass the test-bit checking in Step 4 since Alice and Bob alternatively announce their test bits, introducing a fraction of ${1}/{2}$ of error rates. The configuration for Bob’s individual attacks is shown in Fig. 4. He splits part of photons in Alice’s signal to be measured after Charlie discloses his detection time. Besides, in the presence of channel noise Bob can potentially attack the rest of pulse trains by a beam-splitting attack. Bob can also entangle every photon transmitted to Charlie with an independent probe to eavesdrop information. To sum up, there are two parts of the eavesdropping strategy which have to be addressed. The first is how much information can be extracted from the split photons and the beam-splitting attacks. The other is information leakage to Bob by his probe states.

Fig. 4. Configuration of eavesdropping by malicious Bob. We describe the attacking strategy of malicious Bob. (a) We present a specific individual attack as discussed in [26] where Bob will also send a pulse train with 2T period without phase-modulation. (b) A general individual attack by Bob is presented.

Download Full Size | PDF

For photon-splitting attacks, malicious Bob only requires to measure differential phases of adjacent pulses $\Delta \phi =\phi _{i}^{A'}-\phi _{i+1}^{A'}$ generated by Alice based on Charlie’s detection times. However, without phase reference, malicious Bob in our protocol has to measure the exact phases $\phi _{i}^{A}$ Alice modulates. In that case, we assume malicious Bob will adopt the following attacking strategy in Fig. 4(a). To obtain Alice phase-modulation information, Bob applies the same weak laser source to interfere with Alice’s pulses, just like what will happen in Charlie’s site. Without phase modulation on his eavesdropping pulses, he will get the exact phase information of Alice. Without loss of generality, intensity of Bob’s eavesdropping pulses is also $\mu$. Here, we just offer an explicit individual attack as an example.

Then errors induced by split photons is considered as follows. Probability that Bob knows Alice’s bit corresponding to Charlie’s bit is $2\mu$, and the bit error rate is $(1-2\mu )/{2}$. $\beta$ is the upper bound for the allowable rate of Bob’s photon-splitting attacks [39]. Provided that the total system error rate is $E_{\mu }$, $\beta$ is given by

(3)$$\beta\left(\frac{1-2\mu}{2}\right)\frac{1}{2}=E_\mu,$$

where ${1}/{2}$ means that Alice and Bob disclose their key bits used for test-checking alternatively and then a bit error is revealed when Bob discloses his bit first. For the remaining photons of Alice’ signal, Bob conducts a beam-splitting attack utilizing the transmission loss from Alice to Charlie. Provided that the transmittance from Alice to Charlie is $\eta$, Bob stores $(1-\eta )$ of Alice’s pulse train and makes his own pulse train without phase modulation interfere with it pulse by pulse after Charlie discloses the photon detection time. This beam-splitting attack gives Bob partial information with a ratio of $2\mu (1-\eta )(1-\beta )$. Then, Bob obtains $2\mu \beta + 2\mu (1-\beta )(1-\eta )$ of Charlie’s key in total.

In Fig. 4(b), we also consider general individual attacks by Bob. Based on the equivalence between our protocol and differential phase shift QSS, here individual attacks for eavesdropping differential phases stays unchanged in the case where one of two phases is fixed. Then Bob conducts general individual attacks as carried out by Eve in differential phase shift quantum key distribution [39], where the fraction Bob obtains about Charlie’s bits is $2\mu$. As demonstrated in [26], general individual attacks are more powerful than eavesdropping depicted in Fig. 4(a). Here we just consider general individual attacks by malicious Bob.

For probe states of Bob, we will directly obtain total information leakage to Bob in Section 4 when deriving the final key rate of our protocol.

4. Final key rate

In the above analysis, we obtain that the probability information leakage to Eve and malicious Bob is $2\mu (1-\eta )$ and $2\mu$.

We discover that information leakage to external Eve is slightly lower than that to malicious Bob. For simplicity, we can just consider information leakage in our protocol to be $2\mu$. The final key rate of our protocol is

(4)$$R_\textrm{QSS} = Q_{\mu}[ -(1-2\mu)\log_2(P_\textrm{co}) - f(E_{\mu})h(E_{\mu}) ],$$

where $Q_{\mu } = 1-(1-2p_\textrm {d})e^{-\mu \eta }$ is the gain of the whole system for Charlie’s detections. $h(x)=-x\log _{2}(x)-(1-x)\log _{2}(1-x)$ is Shannon entropy and $f(E_\mu )$ is the error correction efficiency. $P_\textrm {co}$ is the upper bound of collision probability when considering individual attacks, which can be concluded as $P_\textrm {co} = 1-E_{\mu }^2-{(1-6E_{\mu })^2}/{2}$[40]. For two detectors used by Charlie, we derive total dark count rate as $2p_\textrm {d}$ and the error rate of background $e_0 = {1}/{2}$. The total gain and the total error rate with an intensity of $\mu$ is given by $Q_\mu = 1 - (1-2p_\textrm {d})e^{-\mu \eta }$ and $E_{\mu }Q_{\mu } = e_\textrm {d} Q_\mu + \left (\frac {1}{2}-e_\textrm {d}\right ) 2p_\textrm {d} e^{-\mu \eta }$, where $e_\textrm {d}$ is the misalignment error rate of detectors.

Here, we set that the channel transmittance between Alice and Charlie is the same as that between Bob and Charlie. The total distance between Alice and Bob is $L$ to present our transmission rate. In that scheme, transmittance $\eta$ becomes $\eta _\textrm {d} \times 10^{-{\alpha L}/{20}}$, where $\eta _\textrm {d}$ is detection efficiency of Charlie’s detectors. Therefore, distance between Alice and Charlie is ${L}/{2}$ so as to break the linear rate-distance limit of the channel, where formulas of the linear bound and the repeaterless bound is $\eta _\textrm {linear}=\eta _\textrm {d}\times 10^{-{\alpha L}/{10}}$ and $\eta _\textrm {repeaterless}=\eta _\textrm {d}\times 10^{-{\alpha L}/{20}}$. We optimize our transmission rate over the free parameter $\mu$ according to distance and utilize parameters shown in Table 1.

Table 1. Simulation parameters. $\eta _\textrm {d}$ and $p_\textrm {d}$ are the detection efficiency and dark count rate. $\alpha$ is the attenuation coefficient of the ultra-low fiber. $f$ is the error correction efficiency.

View Table

For the intensity $\mu$, we utilize the genetic algorithm to obtain its optimal value under a certain distance. We present our simulation result in Fig. 5. Evidently, when the misalignment rate $e_\textrm {d}$ is lower than 5.2%, our protocol will break the linear bound [31]. Therefore, theoretical transmission rate of our protocol will reach a level of 600 km. For comparison with differential phase shift QSS, we also plot results of our protocol and results in differential phase shift QSS [26]. With the same $e_\textrm {d}$ as $2.0\%$, we can see clearly from Fig. 6 that our protocol is much better, increasing the final key rate by about three orders of magnitude in a 300-km-long fiber.

Fig. 5. Quantum secret sharing key rate vs Transmission distance. Quantum secret sharing key rate using the experimental parameters. We define the misalignment rate $e_\textrm {d}$=2$\%$, $4\%$, 5.2$\%$ to compare their key rates with the linear bound and the repeaterless bound.

Download Full Size | PDF

Fig. 6. Comparison between our protocol and DPS-QSS in Ref. [26].

Download Full Size | PDF

5. Conclusion

In summary, we have presented a quantum secret sharing protocol with three participants which is secure against individual attacks. The key rate of our protocol will break the linear rate-distance limitation, whose theoretical transmission distance will approach 600 km. Compared with the former differential phase shift QSS, our protocol can improve the final key rate by about three orders of magnitude in a 300-km-long fiber and can be secure against Trojan horse attacks. Different from Ref. [26], it is an interesting work to design the QSS with more users. A full security analysis considering collective attacks and general coherent attacks allowed by quantum mechanics will be the future work. We believe that our protocol will promote the commercialization of quantum secret sharing and will be of wide use to future quantum networks.

Funding

National Natural Science Foundation of China (61801420); Key Research and Development Program of Guangdong Province (2020B0303040001); Fundamental Research Funds for the Central Universities.

Disclosures

The authors declare no conflicts of interest.

Data availability

Data underlying the results presented in this paper are not publicly available at this time but may be obtained from the authors upon reasonable request.

References

1. A. Shamir, “How to share a secret,” Commun. ACM 22(11), 612–613 (1979). [CrossRef]

2. G. J. Simmons, “Prepositioned shared secret and/or shared control schemes,” in Workshop on the Theory and Application of of Cryptographic Techniques, (Springer, 1989), pp. 436–467.

3. P. W. Shor, “Algorithms for quantum computation: discrete logarithms and factoring,” in Proceedings 35th annual symposium on foundations of computer science, (Ieee, 1994), pp. 124–134.

4. M. Hillery, V. Bužek, and A. Berthiaume, “Quantum secret sharing,” Phys. Rev. A 59(3), 1829–1834 (1999). [CrossRef]

5. L. Xiao, G. L. Long, F.-G. Deng, and J.-W. Pan, “Efficient multiparty quantum-secret-sharing schemes,” Phys. Rev. A 69(5), 052307 (2004). [CrossRef]

6. D. Markham and B. C. Sanders, “Graph states for quantum secret sharing,” Phys. Rev. A 78(4), 042309 (2008). [CrossRef]

7. I. Kogias, Y. Xiang, Q. He, and G. Adesso, “Unconditional security of entanglement-based continuous-variable quantum secret sharing,” Phys. Rev. A 95(1), 012315 (2017). [CrossRef]

8. H. Qin, W. K. S. Tang, and R. Tso, “Hierarchical quantum secret sharing based on special high-dimensional entangled state,” IEEE J. Sel. Top. Quantum Electron. 26(3), 1–6 (2020). [CrossRef]

9. Y. Kang, Y. Guo, and Y. Feng, “Quantum secret sharing based on continuous-variable ghz states,” Int. J. Theor. Phys. 59(8), 2308–2320 (2020). [CrossRef]

10. M. Moreno, S. Brito, R. V. Nery, and R. Chaves, “Device-independent secret sharing and a stronger form of bell nonlocality,” Phys. Rev. A 101(5), 052339 (2020). [CrossRef]

11. Y.-A. Chen, A.-N. Zhang, Z. Zhao, X.-Q. Zhou, C.-Y. Lu, C.-Z. Peng, T. Yang, and J.-W. Pan, “Experimental quantum secret sharing and third-man quantum cryptography,” Phys. Rev. Lett. 95(20), 200502 (2005). [CrossRef]

12. S. Gaertner, C. Kurtsiefer, M. Bourennane, and H. Weinfurter, “Experimental demonstration of four-party quantum secret sharing,” Phys. Rev. Lett. 98(2), 020503 (2007). [CrossRef]

13. B. Bell, D. Markham, D. Herrera-Martí, A. Marin, W. Wadsworth, J. Rarity, and M. Tame, “Experimental demonstration of graph-state quantum secret sharing,” Nat. Commun. 5(1), 5480 (2014). [CrossRef]

14. Y. Zhou, J. Yu, Z. Yan, X. Jia, J. Zhang, C. Xie, and K. Peng, “Quantum secret sharing among four players using multipartite bound entanglement of an optical field,” Phys. Rev. Lett. 121(15), 150502 (2018). [CrossRef]

15. Y. Fu, H.-L. Yin, T.-Y. Chen, and Z.-B. Chen, “Long-distance measurement-device-independent multiparty quantum communication,” Phys. Rev. Lett. 114(9), 090501 (2015). [CrossRef]

16. A. Karlsson, M. Koashi, and N. Imoto, “Quantum entanglement for secret sharing and secret splitting,” Phys. Rev. A 59(1), 162–168 (1999). [CrossRef]

17. Y. Sun, Q. yan Wen, F. Gao, X. bo Chen, and F. chen Zhu, “Multiparty quantum secret sharing based on bell measurement,” Opt. Commun. 282(17), 3647–3651 (2009). [CrossRef]

18. W. P. Grice and B. Qi, “Quantum secret sharing using weak coherent states,” Phys. Rev. A 100(2), 022339 (2019). [CrossRef]

19. X. Wu, Y. Wang, and D. Huang, “Passive continuous-variable quantum secret sharing using a thermal source,” Phys. Rev. A 101(2), 022301 (2020). [CrossRef]

20. C. Schmid, P. Trojek, M. Bourennane, C. Kurtsiefer, M. Żukowski, and H. Weinfurter, “Experimental single qubit quantum secret sharing,” Phys. Rev. Lett. 95(23), 230505 (2005). [CrossRef]

21. J. Bogdanski, N. Rafiei, and M. Bourennane, “Experimental quantum secret sharing using telecommunication fiber,” Phys. Rev. A 78(6), 062307 (2008). [CrossRef]

22. J. Pinnell, I. Nape, M. de Oliveira, N. TabeBordbar, and A. Forbes, “Experimental demonstration of 11-dimensional 10-party quantum secret sharing,” Laser Photonics Rev. 14(9), 2000012 (2020). [CrossRef]

23. M. de Oliveira, I. Nape, J. Pinnell, N. TabeBordbar, and A. Forbes, “Experimental high-dimensional quantum secret sharing with spin-orbit-structured photons,” Phys. Rev. A 101(4), 042303 (2020). [CrossRef]

24. V. Karimipour and M. Asoudeh, “Quantum secret sharing and random hopping: using single states instead of entanglement,” Phys. Rev. A 92(3), 030301 (2015). [CrossRef]

25. A. Tavakoli, I. Herbauts, M. Żukowski, and M. Bourennane, “Secret sharing with a single d-level quantum system,” Phys. Rev. A 92(3), 030302 (2015). [CrossRef]

26. K. Inoue, T. Ohashi, T. Kukita, K. Watanabe, S. Hayashi, T. Honjo, and H. Takesue, “Differential-phase-shift quantum secret sharing,” Opt. Express 16(20), 15469–15476 (2008). [CrossRef]

27. N. Gisin, S. Fasel, B. Kraus, H. Zbinden, and G. Ribordy, “Trojan-horse attacks on quantum-key-distribution systems,” Phys. Rev. A 73(2), 022320 (2006). [CrossRef]

28. N. Jain, E. Anisimova, I. Khan, V. Makarov, C. Marquardt, and G. Leuchs, “Trojan-horse attacks threaten the security of practical quantum cryptography,” New J. Phys. 16(12), 123030 (2014). [CrossRef]

29. M. Takeoka, S. Guha, and M. M. Wilde, “Fundamental rate-loss tradeoff for optical quantum key distribution,” Nat. Commun. 5(1), 5235 (2014). [CrossRef]

30. S. Pirandola, R. Laurenza, C. Ottaviani, and L. Banchi, “Fundamental limits of repeaterless quantum communications,” Nat. Commun. 8(1), 15043 (2017). [CrossRef]

31. S. Das, S. Bäuml, M. Winczewski, and K. Horodecki, “Universal limitations on quantum key distribution over a network,” arXiv preprint arXiv:1912.03646 (2019).

32. M. Lucamarini, Z. L. Yuan, J. F. Dynes, and A. J. Shields, “Overcoming the rate–distance limit of quantum key distribution without quantum repeaters,” Nature 557(7705), 400–403 (2018). [CrossRef]

33. M. Curty, K. Azuma, and H.-K. Lo, “Simple security proof of twin-field type quantum key distribution protocol,” npj Quantum Inf. 5(1), 64 (2019). [CrossRef]

34. H.-L. Yin and Z.-B. Chen, “Finite-key analysis for twin-field quantum key distribution with composable security,” Sci. Rep. 9(1), 17113 (2019). [CrossRef]

35. K. Inoue, E. Waks, and Y. Yamamoto, “Differential-phase-shift quantum key distribution using coherent light,” Phys. Rev. A 68(2), 022317 (2003). [CrossRef]

36. Y. Liu, Z.-W. Yu, W. Zhang, J.-Y. Guan, J.-P. Chen, C. Zhang, X.-L. Hu, H. Li, C. Jiang, J. Lin, T.-Y. Chen, L. You, Z. Wang, X.-B. Wang, Q. Zhang, and J.-W. Pan, “Experimental twin-field quantum key distribution through sending or not sending,” Phys. Rev. Lett. 123(10), 100505 (2019). [CrossRef]

37. M. Minder, M. Pittaluga, G. Roberts, M. Lucamarini, J. Dynes, Z. Yuan, and A. Shields, “Experimental quantum key distribution beyond the repeaterless secret key capacity,” Nat. Photonics 13(5), 334–338 (2019). [CrossRef]

38. X.-T. Fang, P. Zeng, H. Liu, M. Zou, W. Wu, Y.-L. Tang, Y.-J. Sheng, Y. Xiang, W. Zhang, H. Li, Z. Wang, L. You, M.-J. Li, H. Chen, Y.-A. Chen, Q. Zhang, C.-Z. Peng, X. Ma, T.-Y. Chen, and J.-W. Pan, “Implementation of quantum key distribution surpassing the linear rate-transmittance bound,” Nat. Photonics 14(7), 422–425 (2020). [CrossRef]

39. E. Waks, H. Takesue, and Y. Yamamoto, “Security of differential-phase-shift quantum key distribution against individual attacks,” Phys. Rev. A 73(1), 012344 (2006). [CrossRef]

40. N. Lütkenhaus, “Estimates for practical quantum cryptography,” Phys. Rev. A 59(5), 3301–3319 (1999). [CrossRef]

$η_{d}$	$p_{d}$	$α$	$f$
$56 %$	$10^{- 8}$	0.167	1.16

Differential phase shift quantum secret sharing using a twin field

Abstract

1. Introduction

2. Protocol description

3. Security analysis

3.1 Equivalence

3.2 External eavesdropping

3.3 Internal eavesdropping

4. Final key rate

5. Conclusion

Funding

Disclosures

Data availability

References

Data availability

Cited By

Figures (6)

Tables (1)

Equations (4)

Optics Express