## Abstract

Continuous-variable quantum secret sharing (CVQSS) allows a legitimate user, i.e., the dealer, to share a string of secret keys with multiple distant users. These users cannot individually recover the dealer’s secret key unless they work cooperatively. Although the theoretical security proof of CVQSS has been well established, its practical security and implementation still face challenges. In this paper, we suggest a practical scheme for CVQSS using plug-and-play (P&P) configuration and dual-phase-modulated coherent state (DPMCS). The proposed scheme, called P&P DPM-based CVQSS, waives the necessity that each user has to prepare respective coherent states with their own lasers, thereby eliminating synchronous loopholes caused by different lasers and reducing the complexity of deployment of the user’s stations. Moreover, the local oscillator (LO) can be generated locally by the dealer so that the whole CVQSS system could be naturally immune to all LO-aimed attacks. We derive the security bounds for P&P DPM-based CVQSS by properly making most of the existing security analysis techniques of continuous-variable quantum key distribution (CVQKD). In addition, an experimental concept of P&P DPM-based CVQSS is also presented, which can be deemed a guideline for future implementation.

© 2022 Optica Publishing Group under the terms of the Optica Open Access Publishing Agreement

## 1. Introduction

With the rapid development of quantum communications, continuous-variable quantum key distribution (CVQKD) has already been theoretically proven to be unconditionally secure [1–3]. It provides an elegant way to realize point-to-point secret key distribution over an insecure quantum channel. However, the two-party CVQKD system may struggle to meet the specific requirement of multiple users. Imagine that a legitimate user (dealer) aims to share a secret key with multiple (at least two) remote users through an insecure quantum channel. The dealer knows some of them cannot be fully trusted, and so decides to divide the secret key into several parts and individually sends each user a portion. Meaning that collaboration is necessary to obtain the whole secret key.

This scenario is commonly encountered in today’s politics, business, and the military. To satisfy the growing demand of sharing a secret key with multiple users, quantum secret sharing (QSS) is proposed [4]. In general, QSS stems from a classic cryptographic primitive called secret sharing, in which a dealer wants to share a message $M$ to $n$ users in such a way that at least $k\leq n$ users must cooperate to obtain the correct message. This is called a $(k,n)$-threshold secret sharing. QSS allows multiple distant users to share a string of secret keys with the dealer by using quantum information techniques. For this scenario, each of the users holds a different part of information of the secret key, so that one cannot individually decode the encrypted message by the knowledge of their secret key unless they work cooperatively.

In recent years, QSS has made great progress in the realm of quantum communication. Several theoretical studies and proof-of-principle experimental demonstrations have been conducted, such as post-selected entanglement state [5], bound entanglement state [6], single-qubit scheme [7], d-level scheme [8], differential-phase-shift scheme [9–11]. Nevertheless, there is a relatively small body of literature about the continuous-variable QSS (CVQSS). In comparison to the works mentioned above, CVQSS has significant practical applications because its signal source is simple to prepare and resistant to losses. However, when compared to two-party CVQKD [12], the CVQSS protocol generally includes more participants, resulting in a more complicated security analysis. Even so, the security of CVQSS is closely related to that of CVQKD [13]. The first security proof of CVQSS against both eavesdroppers and dishonest users was discussed in Ref. [14]. Most recently, Ref. [15] showed that the CVQSS protocol could be theoretically realized by exploiting weak coherent states, Ref. [16] and Ref. [17] subsequently extended this idea to thermal states and discretely-modulated coherent states, which made a great impact on the CVQSS development. However, the existing works mainly concentrated on the theoretic schemes of the CVQSS (simply shown in Fig. 1), which are quite impractical when considering their experimental implementations. First of all, it requires that every user prepares a laser device in advance at their own station, this would be costly and inconvenient for individual users. Secondly, the synchronization issue of signals is hard to address when lots of different lasers are involved. Thirdly, the whole CVQSS system is vulnerable to the local oscillator (LO)-aimed attacks since each user must transmit LO to the dealer respectively through the insecure quantum channel.

These implementation difficulties of the CVQSS system are expected to be resolved by adopting the P&P configuration, which has already demonstrated its experimental feasibility in the two-party CVQKD system [18]. However, to share Gaussian keys, multiple users have to symmetrically modulate their respective incoming signal with Gaussian distribution, which is usually implemented by exploiting a phase modulator (PM) and an amplitude modulator (AM). Unfortunately, most current AMs, especially LiNbO$_3$ modulators, are polarization-sensitive and behave like a polarizer, so that part of the light cannot be transmitted if its orientation is not precisely aligned in P&P configuration [19], resulting in performance reduction.

To solve the issues, we suggest a practical CVQSS (called P&P DPM-based CVQSS) scheme that combines P&P configuration with a dual-phase modulation (DPM) strategy. Differing from the conventional CVQSS protocol in which each user must prepare the coherent state locally and send it to the dealer, the P&P configuration allows the dealer to generate the coherent state at his (or her) own station and then transmit it to the user for modulation. After that, the modulated states are sent back to the dealer to perform heterodyne detection. Our scheme waives the necessity that each user has to prepare a laser respectively, resulting in a lower cost of deployment. Moreover, with the P&P configuration, a real LO can be locally generated from the same laser at the dealer’s side, which not only resolves the synchronization issue of different lasers but also avoids all LO-aimed attacks from potential eavesdroppers. To ease the reduction of practical performance from the polarization-sensitive AM, a polarization-insensitive DPM strategy is adopted for each user. We also show that the DPM strategy is equivalent to the symmetrically Gaussian-modulated strategy and has better experimental feasibility in P&P configuration. We then derive the security bounds of P&P DPM-based CVQSS against both eavesdroppers and dishonest users, we further consider its secret key rate in both finite-size regime and composable framework. Finally, an experimental concept of the proposed program is presented, which can be considered as a guideline for future implementation.

This paper is structured as follows. In section 2, we describe in detail the proposed P&P DPM-based CVQSS scheme. Security analysis of the proposed scheme is then presented in section 3. We show the performance analysis and discussion of P&P DPM-based CVQSS in section 4, and we draw a conclusion in section 5.

## 2. Design of P&P DPM-based CVQSS

By taking advantage of the P&P configuration and DPM strategy, the proposed CVQSS scheme can solve many practical issues in terms of practical implementation. In what follows, we give a detailed description of the proposed P&P DPM-based CVQSS.

The schematic diagram of the P&P DPM-based CVQSS scheme is shown in Fig. 2. The dealer generates light pulses with his (or her) own laser and transmits them to remote users. All users will then use the DPM strategy to encode the incoming signals and subsequently send them to the next one. Finally, the mixed signals are sent back to the dealer and measured with the heterodyne detector. The detailed procedure is shown below.

*Step 1.* The quantum signal generated by the dealer’ laser is first transmitted to the farthest user (user 1) through the quantum channel without performing any modulation. For each quantum transmission, user 1 modulates the incoming quantum signal to a DPMCS $|{x_1+ip_1}\rangle$ with the DPM strategy (details of this modulation strategy are provided in the next section). The DPMCS is then transmitted to the next nearest neighbor.

*Step 2.* After passing through the BS, the DPMCS travels to the station of user 2. User 2 also independently modulates the incoming DPMCS using the DPM strategy. Finally, the mixed quantum state is sent to the quantum channel and continues its journey to the adjacent user.

*Step 3.* The similar operation is then repeated by all other users. By carefully controlling the modulation variance and knowing the reflectivity of the BS, a displacement of $(x_j,p_j)$ is introduced by each user. Thus, the signal state received by the dealer can be given by $|{\sum _{j=1}^{n}\sqrt {T_j}x_j + i \sum _{j=1}^{n}\sqrt {T_j}p_j}\rangle$, where $T_j$ represents the total channel transmittance experienced by the signal transmitted from the *j*th user to the dealer. After that, the dealer measures the amplitude and phase quadratures of the incoming signal state using a heterodyne detector and thus obtains the measurement results $\{x_d,p_d\}$.

*Step 4.* After generating enough raw data by repeating the above steps many times, the quantum transmission phase of the scheme is completed. To obtain the final secret key, the dealer and users need to proceed with classical processing procedures as follows.

*Step 5.* The dealer and all users randomly announce a set of related data to estimate the channel transmittance $\{T_1,T_2,\dots,T_n\}$. After that, all users and the dealer remove these disclosed data from raw data.

*Step 6.* Assuming that user 1 is honest and the rest of the users are dishonest. The dealer further selects a new set of raw data and requires all users, except user 1, to announce their corresponding values. According to the disclosed data, the dealer displaces his measurement results of the set to $x_R = x_d - \sum _{k=2}^{n}\sqrt {T_j}x_j$, and $p_R = p_d - \sum _{k=2}^{n}\sqrt {T_j}p_j$. Now the situation is similar to the two-party CVQKD system since a point-to-point communication channel has been established. Therefore, according to $\{x_R,p_R\}$ and raw data of the honest user, the lower bound of the secret key $R_1$ (between the dealer and honest user) can be estimated by utilizing classical data processing procedures of CVQKD [20]. After this step, all users and the dealer discard these disclosed data.

*Step 7.* Step 6 is repeated $n$ times. The dealer chooses a different user as the honest user in each run so that the dealer obtains $n$ secret key rates $\{R_1,R_2,\dots,R_n\}$. Note that to guarantee the security of the proposed scheme in the most pessimistic scenario where the eavesdropper and $n-1$ users launch the collaborative attacks, the dealer should choose the minimum of $\{R_1,R_2,\dots,R_n\}$ as the final secret key rate $R$ of P&P DPM-based CVQSS.

*Step 8.* If the value of $R$ is positive, the dealer can share different secret keys $\{K_1,K_2,\dots,K_n\}$ with each user using the rest of the undisclosed data.

*Step 9.* Finally, a new key $K = K_1\oplus K_2\oplus \dots \oplus K_n$ is generated to encode the message $M$. The dealer now can broadcast the encrypted message $E = M \oplus K$ to all users. Obviously, all users have to work together to decode the message. Any group of $n-1$ (or fewer) users cannot deduce the final secure key from knowledge of the disclosed information.

In a conventional CVQSS system, to circumvent eavesdroppers from interfering with the preparation process of quantum states at the user side and launching the Trojan horse attacks (see more details in section 4.), each user has to locally prepare coherent states and inject them into a spatiotemporal mode using a beam splitter. However, the deployment of the laser at each users’ side may result in several issues. Firstly, the synchronization of different lasers is a troublesome problem, which requires a complicated procedure to recover the difference of signals. Besides, the cost of deploying lasers is expensive for each user. To solve the above issues, our scheme eliminates the requirement that a laser has to be adopted at each users’ station. This is because the quantum signal is generated by the dealer, while each user only needs to modulate the received states instead of generating them. Therefore, the synchronization issue of the signal can be readily solved since there is only one laser, and meanwhile, the deployment at users’ stations becomes easier.

So far, in the CVQSS system, the security proofs against both dishonest users and potential eavesdroppers have not been well developed. Fortunately, as mentioned in step $6$, the structure of our scheme is similar to two-party CVQKD. Thus, the security of the proposed scheme can relate to that of two-party CVQKD. Let us imagine the following scenario: Multiple users are working together to generate a secret key, but we do not know how many users are honest. In the most pessimistic situation, only one of the multiple users (named Bob) is honest (this assumption is necessary, the proposed scheme is meaningless if all users are dishonest). The dealer requests $n-1$ users to announce their corresponding values while Bob holds his private data and obtains the disclosed data of all other users. Therefore, Bob could recover the secret key while the $n-1$ users cannot pick up the information via the information of the revealed data. This can be treated as the familiar CVQKD problem where two legitimate users (Bob and the dealer) attempt to establish a common secret key against attacks from all dishonest users and potential eavesdroppers. Therefore, it is reasonable to say that the security proofs of the CVQKD system can be perfectly applied to P&P DPM-based CVQSS scheme. This suggests that the secret key rate $R_j$ can be evaluated using well-established security proofs of CVQKD. It is important to note that the dealer should choose the smallest one among $\{R_1,R_2,\dots,R_n\}$ as the final secret key rate of the P&P DPM-based CVQSS scheme. This step is crucial as it ensures our scheme against collaborative attacks launched by the potential eavesdropper and all dishonest users.

## 3. Security analysis of P&P DPM-based CVQSS scheme

In the case of P&P configuration, the initial optical light transmitted from the dealer to the first user (assuming it is honest) is vulnerable to attack. In fact, the source is equivalent to being controlled by Eve. In this section, we follow a security model similar to that in [18] and [21], utilizing a third party (Fred) who introduces the noise with a practical phase-insensitive amplifier to characterize the imperfect source. In what follows, we first describe the physical model presented in [18] that is also valid for the P&P DPM-based CVQSS scheme. We then show the theoretical equivalence of the DPM strategy and the Gaussian modulation strategy in a P&P configuration. Finally, we derive the calculation of the secret key rate for the proposed P&P DPM-based CVQSS scheme.

#### 3.1 Model description

In a practical P&P DPM-based CVQSS system, the coherent source transmitted from the dealer to the first user before modulation may become noisy and inevitably increase the excess noise (via intervening in the coherent source). Since the noise cannot be reduced by increasing the variance of the initial source and then attenuating the state, we introduce a phase-insensitive amplifier (PIA) with gain $g$ $(g \geqslant 1)$ and an idle input of $(X_I, P_I)$ to characterize the imperfect source noise. Therefore, the imperfect source can be viewed as a combination of a PIA and an ideal coherent source with quadratures of $(\delta X_s,\delta P_s)$ which satisfy $\langle ({\delta X_s})^{2}\rangle =\langle ({\delta P_s})^{2}\rangle = 1$. Note that we only consider the most pessimistic scenario in which only one user is honest. The prepare-and-measure (PM) version of our proposed scheme is depicted in Fig. 3.

The quadratures $(\delta X_D,\delta P_D)$ of the imperfect coherent state transmitted from the dealer to Bob can be expressed as

Figure 4 shows an entanglement-based (EB) version of the proposed scheme that is equivalent to the PM version and provides a more convenient security analysis [22,23]. Fred prepares a three-mode entanglement state $|{\Psi _{ABF}}\rangle$. The quadratures $(X^{\prime },P^{\prime })$ and $(X,P)$ indicate the state (mode $B$) held by Bob and the state (mode $A_0$) transmitted to the dealer, which satisfy

In the PM version, a detection-added noise induced by an imperfect heterodyne detector can be defined as $\chi _{h} = [(2-\eta )+2\upsilon _{el}] / \eta$, where $\eta$ is the detector’s efficiency and $\upsilon _{el}$ is noise due to detector electronics. In the EB version, the imperfect detector is modeled by a beam splitter with transmission $\eta$ and coupled with an Einstein-Podolsky-Rosen (EPR) state $\rho _{GG_0}$ of variance $\upsilon _d$. The variance $\upsilon _d$ is chosen to make the detection-added noise of the EB version equal $\eta \chi _h$, which can be described as $\upsilon _d = \eta (\chi _h - 1) / (1-\eta )$. Therefore, when we suppose that the EPR source and Bob’s detection are both hidden in the black box, the eavesdropper cannot determine which version is used (PM version or EB version).

#### 3.2 Dual-phase modulation

Till now, we have established the security analysis model of our proposed P&P DPM-based CVQSS scheme. However, one thing needs to be addressed before we derive the calculations of the secret key rate.

Currently, almost all reported CVQSS schemes are based on Gaussian modulation as it offers a feasible experiment approach and a succinct mathematical description [24]. As shown in Fig. 1, each user uses an AM and a PM to symmetrically prepare his (or her) Gaussian coherent state. Actually, this modulation strategy is feasible in one-way configuration but is not suitable in P&P configuration. This is because the majority of AMs, in particular, the extensively used LiNbO$_3$ modulators, are sensitive to polarization and feature a polarizer, which means the portion of the light cannot be transmitted if its orientation is not aligned precisely [18]. To address this practical issue, we adopt the DPM strategy in *Step 1.* to eliminate the disadvantages of AMs in P&P configuration. As illustrated in Fig. 2, we thoroughly waive AMs and replace AM with PM and Faraday mirror (FM) at the users’ side. It allows us to absent the need for considering its practical problem when we implement the experiment. DPM is different from Gaussian modulation so that we have to prove that it can be equivalent to Gaussian modulation when considering the calculations of the secret key rate.

In general, the Jones matrix of a Faraday mirror can be given by [25]

Equation (15) demonstrates the Gaussian modulation strategy can be experimentally implemented by two polarization-independent PMs. This means that the modulation strategy of the DPMCS is equivalent to that of the GMCS. What’s more, in the P&P configuration, the DPM strategy provides a more convenient implementation compared to the Gaussian modulation strategy.

#### 3.3 Calculation of the secret key rate

We now derive the calculation for the secret key rate of the proposed CVQSS scheme based on the above-established physical model. Let $L$ be the transmission distance of quantum channel between the dealer (Alice) and the farthest user (Bob). Assuming that all of the other $n-1$ users are evenly distributed among them and each user introduces the same amount of excess noise $\xi _0$. We have discussed the choice of final secret key rate $R$ that should be the smallest secret key rate of two-party CVQKD between the dealer and each user. Clearly, the minimum secret key rate is the one between the dealer and Bob. However, it is important to note that the final secret key should be evaluated using realistic data in practice. As mentioned above, the secret key rate of CVQSS can be estimated by utilizing the security analysis of CVQKD. For simplicity, we only consider the secret key rate and tolerable excess noise for collaborative attacks when Alice performs heterodyne detection. Therefore, the lower bound of the asymptotic secret key rate of P&P DPM-based CVQSS can be calculated as

where ${I}_{AB}$ is the Shannon information shared between Alice and Bob; $\beta$ is the efficiency of the reverse reconciliation algorithm [26]; $\chi _{BE}$ is the maximum information available to the dishonest users and Eve on Alice’s key. The channel transmittance of the ${j}$th user can be described as where $\alpha$ is the loss coefficient of optical fibers and $l_j = \frac {n-j+1}{n}L$ is the channel distance between the dealer and the ${j}$th user. The excess noise introduced by the ${j}$th user referred to the channel input, is described as [15] so that the total channel-added noise referred to the channel input, can be described as Thus, the overall noise referred to the channel input can be expressed as We now can calculate the Shannon mutual information ${I}_{AB}$ between Alice and Bob, which is derived from Alice’s measured variance $V_A = \eta T_1 (V + \xi _s + \chi _{tot})$ and the conditional variance $V_{A|B} = \eta T_1 (1+\xi _s + \chi _{tot})$, that is## 4. Performance analysis and discussion

In this section, we evaluate the performance of the proposed P&P DPM-based CVQSS scheme under realistic system parameters. The parameters $V_B$, $\upsilon _{el}$, $\eta$, $\beta$, and $V_I$ are fixed in the simulations. We set the loss coefficient of optical fibers to $\alpha = 0.2$ dB/km, the modulation variance to $V_B$ = 4, the electronic noise and the detection efficiency of the heterodyne detector to $\upsilon _{el} = 0.05$ and $\eta = 0.6$, the reconciliation efficiency to $\beta = 0.98$, and the noise variance and gain of the PIA to $V_I = 1$ and $g = 1.01$. For simplicity, it is assumed that the modulation variance $V_B$ is the same for each user, but we should point out that the optimal modulation variance should vary with each user. In other words, optimizing the modulation variance individually for each user contributes to high performance in our scheme. As depicted in Fig. 5, we show the asymptotic secret key rate of the P&P DPM-based CVQSS scheme with different excess noise and the number of users. We observe that the effect of the number of users on the system performance may have a different scale for different excess noise, but the essence is the same. In other words, they indicate a definite trend: the transmission distance decreases as the number of users continually increases. Especially, in Fig. 5(a), when the number of users reaches 20, the transmittance distance is reduced to less than 10 km. Therefore, it is not a surprise that the maximal transmission distance of our scheme is achieved in the situation when only two users work together in the CVQSS system. Moreover, we indicate the performance of the proposed scheme can be further improved by controlling the excess noise for a given value of the number of users. To further confirm the relationship between the number of users and the performance of our scheme, we illustrate the relationship between the tolerable excess noise $\xi _0$ and transmission distance with different numbers of users in Fig. 6(a). We observe that the resistance to noise continues to decline as the number of users increases. This is because the noise introduced by untrusted users increases with the number of users.

In our scheme, the parameter $g$ is a significant parameter that is closely related to the security bound to the imperfect source. It is essential to analyze the effect of different imperfect source scenarios on system performance in practice. As illustrated in Fig. 6(b), it is clear that imperfect coherent sources have a slight effect on the performance of the proposed scheme. This is actually to be expected: if the state transmitted from the dealer to the first user becomes noisy as a result of Fred’s intervention, the maximum transmission distance will be reduced.

The performance we analyzed above builds upon an assumption that users and the dealer exchange an infinite number of signals. However, the practical security of CVQSS implementation cannot be guaranteed if the finite-size effect is not taken into consideration. Therefore, the analysis of the impact of the finite-size regime is necessary for the proposed P&P DPM-based CVQSS scheme. Figure 7(a) demonstrates the performance of the P&P DPM-based CVQSS scheme with the different number of users in the finite-size regime. It is clear that the performance in the finite-size scenario is always lower than that in the asymptotic regime. For example, when the number of users $n = 2$, the maximal transmission distance in the asymptotic regime (with the excess noise $\xi _0 = 0.001$) reaches more than 140 km, but that in the finite-size scenario (with the block lengths $N = 10^{12}$) is reduced to less than 130 km. Moreover, as the data-block length reduces, so does the secret key rate of the proposed scheme. In other words, the data block length has a significant effect on the performance of the proposed scheme. In addition, the Piradola-Laurenza-Ottaviani-Banchi (PLOB) bound is plotted in Figs. 5 and 7(a), which denotes the ultimate limit of repeater-less communication [27]. In contrast, we can clearly observe that both the asymptotic secret key rate and finite-size secret key rate of the proposed scheme cannot exceed the PLOB bound, even if the number of users is minimal. Detailed calculation of the finite-size secret key rate can be found in appendix A.

Figure 7(b) depicts the composable secret key rate for different numbers of users and transmission distance. It is clear that the secret key rate in the composable security framework is more pessimistic than that obtained in the finite-size regime. For example, when the number of users $n = 15$, the block length $N = 10^{12}$, and the transmission distance is 60 km, the secret key rate in the finite-size scenario is positive but becomes negative in the composable security framework. This is also to be expected as composable security is the most rigorous theoretical security analysis for CVQKD systems, which takes into account the probability of failure at each step [28]. Furthermore, the data block length also plays a significant role in the performance of the P&P DPM-based CVQSS system, and the composable key rate approaches the asymptotic value if $N$ is large enough. Detailed calculation of the composable secret key rate of the scheme is presented in Appendix B.

In addition, the security analysis against Trojan-horse attacks [29–31] is important for practical P&P DPM-based CVQSS. In the P&P architecture, Eve can freely replace these pulses that enter the apparatus of the users with her bright pulses. By carefully analyzing the output signals, Eve could determine knowledge of the corresponding device at the station of the target party. We point out that a monitoring detector and the wavelength filter in P&P configuration are the most effective countermeasures for the Trojan-horse attacks [32–35]. Besides, the recent work [36] has demonstrated that the isolators can be added at the input and output of the target party to counter Trojan-horse attacks by laying two fiber links in the plug-and-play configuration. It is important reference for future experimental implementation.

The experimental configuration of a proof-of-principle based on the P&P DPM-based CVQSS scheme is shown in Fig. 8. At the dealer’s side, a range of strong pulses output from a continuous-wave laser is divided into two parts by a BS, with an intensity ratio of 99:1. One fraction (1%, gray line) of which is transformed into a pulse train by a AM, whereas the other fraction (99%, red line) is used as a locally generated LO for heterodyne detection. The small portion of the optical pulses then are attenuated by an attenuator and sent to the farthest user. At the users’ side, the optical pulses are separated into two branches. A fraction of the optical pulses is used to monitor the incoming pulses, which is a crucial countermeasure against the phase-remapping attacks [37], the pulse-shape attacks [38], and the Trojan-horse attacks. In addition, the filter is placed after the monitoring detector to filter out the illegitimate signal. The optical pulses of the other branch are modulated by two PMs to achieve Gaussian modulation, followed by an attenuator to control to optimize the modulation variance $V_B$. The other PD monitors the modulation variance in real-time by detecting the modulation signal. It is important to note that the delay line at the dual-phase modulation paths is used to compensate for the difference in the fiber length. At the dealer’s side, the incoming signal pulses are transmitted through a polarization controller (PC), which provides a maximal polarization overlap between the signal pulses and the LO for maximal interference. A 90$^{\circ }$ optical hybrid (90$^{\circ }$ OH) is used to interfere with the incoming signal pulses and the LO, and its four outputs are detected by two balanced detectors for heterodyne detection.

From an experimental implementation perspective, there are several remarkable advantages to our scheme. First of all, benefiting from the P&P configuration, the CVQSS system can against LO-aimed attacks such as wavelength attacks [39,40], saturation attacks [41], calibration attacks [42], and LO fluctuation attacks [43]. This is because we eliminate the need to propagate LO through the insecure quantum channel. Moreover, the quantum signal can be generated at the dealer’s side which makes the synchronization problem in the multiple laser case no longer a practical issue. Furthermore, the waiver of the respective laser at the side of each user enables low-cost and simpler experimental implementation. This is very important for the commercialization of the CVQSS technique. Thirdly, each user adopts a polarization-insensitive DPM strategy, which mitigates the practical performance reduction caused by polarization-sensitive AM.

## 5. Conclusion

CVQSS is known to be an effective solution for the secret sharing of multiple distant users. However, in a conventional CVQSS system, the requirement of a laser for each user adds technological complexity and cost of deployment to the system. In this paper, we overcome these drawbacks by implementing a P&P configuration where the quantum signal for modulation and the real LO for detection are generated in the same laser. Besides, we avoid all LO-aimed attacks by eliminating the need of transmitting the LO through the insecure quantum channel. Moreover, we theoretically prove the security against both eavesdroppers and dishonest users. Our analysis and simulation take into account a variety of practical imperfections, such as untrusted sources, excess noise introduced by dishonest users, the finite-size effect, and the composable security. Our work proves the feasibility of such a practical realization of the CVQSS framework. We expect that this research will be a significant step toward the development of practical CVQSS networks. Finally, we provide an experimental concept for implementing the P&P DPM-based CVQSS system, which we hope will be useful for the experimental study of the technique.

## Appendix A. Secret key rate of P&P DPM-based CVQSS in finite-size regime

For the proposed P&P DPM-based CVQSS scheme, the finite-size secret key rate can be calculated as [44]

where $h$ represents the number of signals used to share the key between Bob and Alice, and $N$ denotes the total exchanged signals. The remaining signals $m = N - h$ are used for parameter estimation. $\epsilon _{PE}$ is the failure probability of parameter estimation. The function $\Delta (h)$ is related to the security of privacy amplification, which can be described as## Appendix B. Secret key rate of P&P DPM-based CVQSS in composable security

We provide here the calculation for the composable security key rate of the P&P DPM-based CVQSS scheme. The composable secret key rate of the scheme against collaborative attacks can be written as [28]

## Funding

National Natural Science Foundation of China (62101180, 61871407); State Key Laboratory of High Performance Computing, National University of Defense Technology (202101-25); Fundamental Research Funds for the Central Universities (531118010371).

## Disclosures

The authors declare no conflicts of interest.

## Data availability

Data underlying the results presented in this paper are not publicly available at this time but may be obtained from the authors upon reasonable request.

## References

**1. **S. Pirandola, U. L. Andersen, L. Banchi, M. Berta, D. Bunandar, R. Colbeck, D. Englund, T. Gehring, C. Lupo, C. Ottaviani, J. L. Pereira, M. Razavi, J. S. Shaari, M. Tomamichel, V. C. Usenko, G. Vallone, P. Villoresi, and P. Wallden, “Advances in quantum cryptography,” Adv. Opt. Photonics **12**(4), 1012–1236 (2020). [CrossRef]

**2. **Q. Liao, G. Xiao, H. Zhong, and Y. Guo, “Multi-label learning for improving discretely-modulated continuous-variable quantum key distribution,” New J. Phys. **22**(8), 083086 (2020). [CrossRef]

**3. **Z. Chen, Y. Zhang, G. Wang, Z. Li, and H. Guo, “Composable security analysis of continuous-variable measurement-device-independent quantum key distribution with squeezed states for coherent attacks,” Phys. Rev. A **98**(1), 012314 (2018). [CrossRef]

**4. **M. Hillery, V. Bužek, and A. Berthiaume, “Quantum secret sharing,” Phys. Rev. A **59**(3), 1829–1834 (1999). [CrossRef]

**5. **Y. Fu, H.-L. Yin, T.-Y. Chen, and Z.-B. Chen, “Long-distance measurement-device-independent multiparty quantum communication,” Phys. Rev. Lett. **114**(9), 090501 (2015). [CrossRef]

**6. **Y. Zhou, J. Yu, Z. Yan, X. Jia, J. Zhang, C. Xie, and K. Peng, “Quantum secret sharing among four players using multipartite bound entanglement of an optical field,” Phys. Rev. Lett. **121**(15), 150502 (2018). [CrossRef]

**7. **C. Schmid, P. Trojek, M. Bourennane, C. Kurtsiefer, M. Żukowski, and H. Weinfurter, “Experimental single qubit quantum secret sharing,” Phys. Rev. Lett. **95**(23), 230505 (2005). [CrossRef]

**8. **A. Tavakoli, I. Herbauts, M. Żukowski, and M. Bourennane, “Secret sharing with a single *d*-level quantum system,” Phys. Rev. A **92**(3), 030302 (2015). [CrossRef]

**9. **J. Gu, Y.-M. Xie, W.-B. Liu, Y. Fu, H.-L. Yin, and Z.-B. Chen, “Secure quantum secret sharing without signal disturbance monitoring,” Opt. Express **29**(20), 32244–32255 (2021). [CrossRef]

**10. **J. Gu, X.-Y. Cao, H.-L. Yin, and Z.-B. Chen, “Differential phase shift quantum secret sharing using a twin field,” Opt. Express **29**(6), 9165–9173 (2021). [CrossRef]

**11. **Z.-Y. Jia, J. Gu, B.-H. Li, H.-L. Yin, and Z.-B. Chen, “Differential phase shift quantum secret sharing using a twin field with asymmetric source intensities,” Entropy **23**(6), 716 (2021). [CrossRef]

**12. **Q. Liao, G. Xiao, C.-G. Xu, Y. Xu, and Y. Guo, “Discretely modulated continuous-variable quantum key distribution with an untrusted entanglement source,” Phys. Rev. A **102**(3), 032604 (2020). [CrossRef]

**13. **H.-K. Lau and C. Weedbrook, “Quantum secret sharing with continuous-variable cluster states,” Phys. Rev. A **88**(4), 042313 (2013). [CrossRef]

**14. **I. Kogias, Y. Xiang, Q. He, and G. Adesso, “Unconditional security of entanglement-based continuous-variable quantum secret sharing,” Phys. Rev. A **95**(1), 012315 (2017). [CrossRef]

**15. **W. P. Grice and B. Qi, “Quantum secret sharing using weak coherent states,” Phys. Rev. A **100**(2), 022339 (2019). [CrossRef]

**16. **X. Wu, Y. Wang, and D. Huang, “Passive continuous-variable quantum secret sharing using a thermal source,” Phys. Rev. A **101**(2), 022301 (2020). [CrossRef]

**17. **Q. Liao, H. Liu, L. Zhu, and Y. Guo, “Quantum secret sharing using discretely modulated coherent states,” Phys. Rev. A **103**(3), 032410 (2021). [CrossRef]

**18. **D. Huang, P. Huang, T. Wang, H. Li, Y. Zhou, and G. Zeng, “Continuous-variable quantum key distribution based on a plug-and-play dual-phase-modulated coherent-states protocol,” Phys. Rev. A **94**(3), 032305 (2016). [CrossRef]

**19. **Q. Liao, Y. Wang, D. Huang, and Y. Guo, “Dual-phase-modulated plug-and-play measurement-device-independent continuous-variable quantum key distribution,” Opt. Express **26**(16), 19907–19920 (2018). [CrossRef]

**20. **S. Fossier, E. Diamanti, T. Debuisschert, R. Tualle-Brouri, and P. Grangier, “Improvement of continuous-variable quantum key distribution systems by using optical preamplifiers,” J. Phys. B: At., Mol. Opt. Phys. **42**(11), 114014 (2009). [CrossRef]

**21. **P. Huang, G.-Q. He, and G.-H. Zeng, “Bound on noise of coherent source for secure continuous-variable quantum key distribution,” Int. J. Theor. Phys. **52**(5), 1572–1582 (2013). [CrossRef]

**22. **J. Lodewyck, M. Bloch, R. García-Patrón, S. Fossier, E. Karpov, E. Diamanti, T. Debuisschert, N. J. Cerf, R. Tualle-Brouri, S. W. McLaughlin, and P. Grangier, “Quantum key distribution over 25 km with an all-fiber continuous-variable system,” Phys. Rev. A **76**(4), 042305 (2007). [CrossRef]

**23. **F. Grosshans, N. J. Cerf, J. Wenger, R. Tualle-Brouri, and P. Grangier, “Virtual entanglement and reconciliation protocols for quantum cryptography with continuous variables,” Quantum Info. Comput. **3**(7), 535–552 (2003). [CrossRef]

**24. **C. Weedbrook, S. Pirandola, R. García-Patrón, N. J. Cerf, T. C. Ralph, J. H. Shapiro, and S. Lloyd, “Gaussian quantum information,” Rev. Mod. Phys. **84**(2), 621–669 (2012). [CrossRef]

**25. **X.-F. Mo, B. Zhu, Z.-F. Han, Y.-Z. Gui, and G.-C. Guo, “Faraday–michelson system for quantum cryptography,” Opt. Lett. **30**(19), 2632–2634 (2005). [CrossRef]

**26. **X. Wang, Y.-C. Zhang, Z. Li, B. Xu, S. Yu, and H. Guo, “Efficient rate-adaptive reconciliation for continuous-variable quantum key distribution,” Quantum Info. Comput. **17**(13&14), 1123–1134 (2017). [CrossRef]

**27. **S. Pirandola, R. Laurenza, C. Ottaviani, and L. Banchi, “Fundamental limits of repeaterless quantum communications,” Nat. Commun. **8**(1), 15043 (2017). [CrossRef]

**28. **A. Leverrier, “Composable security proof for continuous-variable quantum key distribution with coherent states,” Phys. Rev. Lett. **114**(7), 070501 (2015). [CrossRef]

**29. **N. Gisin, S. Fasel, B. Kraus, H. Zbinden, and G. Ribordy, “Trojan-horse attacks on quantum-key-distribution systems,” Phys. Rev. A **73**(2), 022320 (2006). [CrossRef]

**30. **N. Jain, B. Stiller, I. Khan, V. Makarov, C. Marquardt, and G. Leuchs, “Risk analysis of trojan-horse attacks on practical quantum key distribution systems,” IEEE J. Sel. Top. Quantum Electron. **21**(3), 168–177 (2015). [CrossRef]

**31. **N. Jain, E. Anisimova, I. Khan, V. Makarov, C. Marquardt, and G. Leuchs, “Trojan-horse attacks threaten the security of practical quantum cryptography,” New J. Phys. **16**(12), 123030 (2014). [CrossRef]

**32. **F. Xu, “Measurement-device-independent quantum communication with an untrusted source,” Phys. Rev. A **92**(1), 012333 (2015). [CrossRef]

**33. **Y. Zhao, B. Qi, and H.-K. Lo, “Quantum key distribution with an unknown and untrusted source,” Phys. Rev. A **77**(5), 052327 (2008). [CrossRef]

**34. **M. Lucamarini, I. Choi, M. B. Ward, J. F. Dynes, Z. L. Yuan, and A. J. Shields, “Practical security bounds against the trojan-horse attack in quantum key distribution,” Phys. Rev. X **5**(3), 031030 (2015). [CrossRef]

**35. **H.-L. Yin, W. Zhu, and Y. Fu, “Phase self-aligned continuous-variable measurement-device-independent quantum key distribution,” Sci. Rep. **9**(1), 49 (2019). [CrossRef]

**36. **R. Valivarthi, S. Etcheverry, J. Aldama, F. Zwiehoff, and V. Pruneri, “Plug-and-play continuous-variable quantum key distribution for metropolitan networks,” Opt. Express **28**(10), 14547–14559 (2020). [CrossRef]

**37. **F. Xu, B. Qi, and H.-K. Lo, “Experimental demonstration of phase-remapping attack in a practical quantum key distribution system,” New J. Phys. **12**(11), 113026 (2010). [CrossRef]

**38. **S.-H. Sun, F. Xu, M.-S. Jiang, X.-C. Ma, H.-K. Lo, and L.-M. Liang, “Effect of source tampering in the security of quantum cryptography,” Phys. Rev. A **92**(2), 022304 (2015). [CrossRef]

**39. **J.-Z. Huang, C. Weedbrook, Z.-Q. Yin, S. Wang, H.-W. Li, W. Chen, G.-C. Guo, and Z.-F. Han, “Quantum hacking of a continuous-variable quantum-key-distribution system using a wavelength attack,” Phys. Rev. A **87**(6), 062329 (2013). [CrossRef]

**40. **X.-C. Ma, S.-H. Sun, M.-S. Jiang, and L.-M. Liang, “Wavelength attack on practical continuous-variable quantum-key-distribution system with a heterodyne protocol,” Phys. Rev. A **87**(5), 052309 (2013). [CrossRef]

**41. **H. Qin, R. Kumar, and R. Alléaume, “Saturation attack on continuous-variable quantum key distribution system,” in * Emerging Technologies in Security and Defence; and Quantum Security II; and Unmanned Sensor Systems X*, vol. 8899E. M. Carapezza, K. L. Lewis, R. C. Hollins, T. J. Merlet, M. T. Gruneisen, M. Dusek, and J. G. Rarity, eds., International Society for Optics and Photonics (SPIE, 2013), pp. 122–128.

**42. **P. Jouguet, S. Kunz-Jacques, and E. Diamanti, “Preventing calibration attacks on the local oscillator in continuous-variable quantum key distribution,” Phys. Rev. A **87**(6), 062313 (2013). [CrossRef]

**43. **X.-C. Ma, S.-H. Sun, M.-S. Jiang, and L.-M. Liang, “Local oscillator fluctuation opens a loophole for eve in practical continuous-variable quantum-key-distribution systems,” Phys. Rev. A **88**(2), 022339 (2013). [CrossRef]

**44. **A. Leverrier, F. Grosshans, and P. Grangier, “Finite-size analysis of a continuous-variable quantum key distribution,” Phys. Rev. A **81**(6), 062343 (2010). [CrossRef]