Differential Phase Shift Quantum Secret Sharing Using a Twin Field with Asymmetric Source Intensities

As an essential application of quantum mechanics in classical cryptography, quantum secret sharing has become an indispensable component of quantum internet. Recently, a differential phase shift quantum secret sharing protocol using a twin field has been proposed to break the linear rate-distance boundary. However, this original protocol has a poor performance over channels with asymmetric transmittances. To make it more practical, we present a differential phase shift quantum secret sharing protocol with asymmetric source intensities and give the security proof of our protocol against individual attacks. Taking finite-key effects into account, our asymmetric protocol can theoretically obtain the key rate two orders of magnitude higher than that of the original protocol when the difference in length between Alice’s channel and Bob’s is fixed at 14 km. Moreover, our protocol can provide a high key rate even when the difference is quite large and has great robustness against finite-key effects. Therefore, our work is meaningful for the real-life applications of quantum secret sharing.


Introduction
Secret sharing is a cryptographic protocol in which a dealer splits a secret into several parts and distributes them among various players. The secret can be recovered only when a sufficient number of players (authorized subsets) cooperate to share their parts of the secret. The classical secret sharing scheme was first introduced independently by Shamir [1] and Blakley [2] in 1979, followed by plenty of variations [3]. However, all existing classical secret sharing schemes are not perfectly secure from eavesdropping attacks [4].
As the combination of classical secret sharing and quantum mechanics, quantum secret sharing (QSS) is more secure due to the excellent properties of quantum theory and has become one of the most attractive research topics in the quantum cryptography. In 1999, Hillery et al. [5] firstly proposed a protocol of QSS using a three-photon Greenberger-Horne-Zeilinger (GHZ) state. Afterwards, this protocol was generalized into an arbitrary number of parties based on multi-particle entanglement states [6], and later to multiparticle d-dimensional entanglement states [7]. From then on, much theoretical [8][9][10][11][12][13][14][15] and experimental [16][17][18][19] attention has focused on QSS using multi-particle entangled states. However, it is a tremendous challenge to prepare a multiparty entanglement state with high fidelity and efficiency, which makes particle entanglement-based QSS unscalable. To circumvent the problems, differential phase shift QSS scheme using coherent light [20], similar to those used in quantum key distribution (QKD) [21][22][23][24][25][26], has been proposed and implemented.
Nevertheless, the linear rate-distance limitation constricts the key rate and transmission distance of QSS [27,28]. Recently, to exceed the linear bound and further enhance the practical performance of QSS, a differential phase shift quantum secret sharing (DPSQSS) protocol [29] using a twin field (TF) [30] has been proposed. Unfortunately, this protocol suffers from low key rate and short transmission distance over channels with different transmittances, which constrains its application in a practical network setting.
Here, we propose an asymmetric differential phase shift quantum secret sharing protocol using twin field [30][31][32][33][34][35][36][37][38][39][40][41][42][43][44] ideas and give the security proof of this protocol against individual attacks. The key point of our method is that Alice and Bob can adjust their source intensities independently to effectively compensate for channel asymmetry. The numerical results show that our protocol is robust against finite-key effects [45][46][47][48] and can theoretically provide a two orders of magnitude higher key rate than the original protocol with the length difference between Alice's channel and Bob's fixed at 14 km. Furthermore, our protocol still obtains a high key rate when the difference in length is fixed at 50,100 km, whereas no keys are obtained with the same difference in the original protocol. Therefore, our work represents a further step along the progress of practical QSS.

TF-DPSQSS Protocol with Asymmetric Source Intensities
The schematic diagram of our asymmetric protocol is shown in Figure 1, where Alice and Bob have partial keys for deciphering, and Charlie has a full key for ciphering. The two senders, Alice and Bob, independently prepare two trains of weak coherent pulses whose intensities are different and phases are randomly modulated to be 0 or π. The coherent pulses are sent through the quantum channels and received by the trusted third party, Charlie, who measures them using an unbalanced interferometer. The details of the protocol are shown as follows. Figure 1. Configuration of our quantum secret sharing protocol.Weak coherent pulse sources (Laser); phase modulator (PM); signal attenuator (Att); transmittance of channels between Alice (Bob) and Charlie (η a , η b ); polarization control (PC); beam splitter (BS); single photon detector (D1, D2). In Charlie's measurement area, two pulse trains are first polarization-modulated by polarization controls to correct their polarization for interference. Then, Charlie divides each incoming pulse into two paths and recombines them by a 50:50 beam splitter, where the path-length difference is set equal to the time T. Detectors are placed at the two outputs of the recombining beam splitter. At the detectors, the partial wave functions of two senders' pulses that are in the same time slots interfere with each other.
Preparation: Alice (Bob) prepares a weak coherent pulse train and phase-modulates each pulse randomly by 0 or π. The coherent states can be denoted as |ψ a = Then, she (he) sends out the coherent state pulse whose period is 2T to Charlie with an average photon number less than one per pulse. Alice (Bob) records her (his) logic bits of each time slot as "0" ("1") when her (his) modulated phase is 0 (π). We denote the sequence of detection events time slots as n ∈ {1, 2, 3, . . . , 2N}, where N is the total number of pulses sent by Alice (Bob). The phase shift φ a n φ b n ∈ {0, π} is the phase induced by the phase modulator on pulse n ignoring the global phase, and intensities µ a , µ b are corresponding to Alice and Bob, respectively. Measurement: As illustrated in Figure 1, while measuring the signal, Charlie records the photon detection time and which detector clicks. When the detection event time slots are corresponding to the time 2kT, detector 1 will click for 0 phase difference between the two senders' pulses and detector 2 will click for π phase difference. When the detection event time slots are corresponding to the time (2k + 1)T, detector 1 will click for π phase difference and detector 2 will click for 0 phase difference. Note that if both detectors click, Charlie randomly chooses one detector click to record. Here, a photon is detected occasionally and randomly because the received signal power is smaller than one photon per pulse.
Using the above setup, Charlie creates their key shown in Table 1. "0" means that the modulated phases in one time slot imposed by Alice and Bob are {0, 0} or {π, π}, and "1" means that the modulated phases in one time slot imposed by Alice and Bob are {0, π} or {π, 0}. Thus, Charlie's bits are exclusive OR of Alice's and Bob's bits. That is, Alice and Bob know Charlie's key bits only when they cooperate, and the QSS operation is accomplished.

Detector 1
Detector 2 Parameter estimation: Charlie randomly chooses recorded detection times and Alice and Bob alternatively disclose her or their test bit first in the chosen time slots through a public channel. Then, Charlie will get the quantum bit error rate (QBER) and make a decision whether they discard all their bits and restart the whole QSS at Step 1 (preparation).
Postprocessing: After calculating the QBER, Alice, Bob, and Charlie will conduct classical error correction and privacy amplification to distill the final full key and partial keys.

Proof of Security
In this section, we will discuss the security of our protocol against eavesdropping. Because of the equivalence [29] between our asymmetric protocol and differential phase shift QSS, we can apply the conclusion in differential phase shift quantum key distribution [25] to the analysis of both an external eavesdropper and an internal eavesdropper in our protocol.

External Eavesdropping
Firstly, Eve cannot obtain full key information by beam-splitting attacks and interceptresend attacks, which will result in bit errors in the secret key [22]. As for a general individual attack, based on the assumption that Eve will conduct the same attack in differential phase shift QSS [20], we can derive that information leakage to Eve is given by a fraction µ a (1 − η a ) + µ b (1 − η b ) of the sifted key [25].

Internal Eavesdropping
QSS protocols have to prohibit Alice or Bob from knowing Charlie's key by herself or himself. Firstly, we assume that Bob is the malicious one. In this case, we have equivalence configuration [29] shown in Figure 2a. Bob wants to know Charlie's key by himself, and also needs to know Alice's modulation phase to pass the test-bit checking among Alice, Bob, and Charlie after the creation of the raw key. A configuration for Bob to do so is shown in Figure 2b. He conducts general individual attacks as carried out by Eve in differential phase shift quantum key distribution [25], where the fraction Bob obtains about Charlie's bits is 2µ a . Similarly, when Alice is the malicious one, the probability that Alice knows Bob's differential phase corresponding to Charlie's bit is 2µ b . From the above discussion, we denote µ max = max{µ a , µ b } as the maximum intensity, then 2µ max is the maximum ratio of information that a malicious one can obtain from the internal eavesdropping. In conclusion, we find that the probability information leakage to Eve and malicious Bob (Alice) is µ a (1 − η a ) + µ b (1 − η b ) and 2µ a (2µ b ). We discover that information leakage to external Eve is slightly lower than that to malicious Bob (Alice). For simplicity, we can just consider information leakage in our protocol to be 2µ max .

Mathematical Calculation with Asymmetric Channels
Based on the asymmetric protocol description, Charlie generates their classical bits according to the phase differences between Alice and Bob in the same time slot. To obtain the secure key rate, we apply the same denotations in previous sections that Alice and Bob send pulses with intensities µ a , µ b , and the distance between Alice (Bob) and Charlie is l a (l b ). In our scheme, the channel transmittance between Alice (Bob) and Charlie is η a = η d × 10 −αl a /10 (η b = η d × 10 −αl b /10 ), where η d is the detection efficiency of Charlie's detectors and α is the attenuation coefficient of the ultra-low fiber. In addition, let us suppose that p d is the dark count rate of one detector. For two detectors used by Charlie, we derive the total dark count rate as 2p d and the error rate of background e 0 = 1 2 . In Charlie's laboratory, after the BS (see Figure 1), the optical intensities received by detector 1 and detector 2 are given by cos θ) 2 , where θ denotes the relative phase between Alice's and Bob's weak coherent states. In our asymmetric protocol, we have θ ∈ {0, π}. Thus, the detection probability of each detector is: The gain of the whole system for Charlie's detections can be calculated by Q µ = Q 1 (1 − Q 2 ) + Q 2 (1 − Q 1 ) + Q 1 Q 2 and the error rate of the total gain can be derived by where e d is the misalignment error rate of detectors.

Finite-Key Analysis Method for Our Protocol
Considering the finite-key effects, let n µ = NQ µ be the observed number of bits, where N is the number of optical pulses sent by Alice and Bob. By using the random sampling without replacement [47], one can calculate the upper bound of hypothetically observed error rate associated with E µ with a failure probability RS : where k is the number of bits in the chosen time slots at Step 3 (parameter estimation). In the following, we assume the protocol is -secure [49] where the maximum failure probability of practical protocol is . According to universally composable security [50], where represents the accuracy of estimating the smooth min-entropy. In addition, EC corresponds to the probability that error correction fails and PA is the probability that privacy amplification fails.
Then we obtain the key rate formula in finite-sized key region, which reads Here, f e is the error correction efficiency and h( is Shannon entropy. P co is the upper bound of collision probability when considering individual attacks, which can be concluded as

Results of Simulation
We use the genetic algorithm to run the numerical simulations, and the key rate is optimized over the free parameters. Here, we set RS = = EC = PA = 10 −10 and utilize experimental parameters listed in Table 2. Figure 3 shows how the key rate varies with transmission distance between Alice and Bob when their channels have the same transmittance, where the total pulses are set as N = 10 12 , N = 10 10 , N = 10 8 , respectively. We can find that our protocol shows great robustness against finite-key effects. In Figure 4, we plot the results of our asymmetric protocol when the total pulses are set N = 10 12 , where the difference in length between Alice's channel and Bob's is fixed at 10 km, 50 km, and 100 km, respectively.  Table 2, we simulate results in the case that l a = l b , where N = 10 12 , N = 10 10 , and N = 10 8 .  Table 2, we simulate results in the case that N = 10 12 , where l b − l a = 10, 50, 100 km.
When the original TF-DPSQSS [29] protocol is applied to the asymmetric channels, a high system error rate will arise since different channel transmittances will lead to the poor performance of interference at the beam splitter. Figure 5 presents numerical results of our asymmetric protocols and the original TF-DPSQSS [29] protocol with the difference in length between two channels fixed at 10 km and 14 km. We can see clearly from Figure 5 that our asymmetric protocol improves the secret key rate by two orders of magnitude when l b − l a = 14 km. Moreover, no keys are obtained with difference fixed at 50,100 km in the original protocol, whereas Figure 4 shows that our protocol still provides a high key rate when the difference is large. It means that in the asymmetric channels, the performance of the asymmetric protocol is much better than that of the original protocol, especially when channels are extremely asymmetric.  Table 2, we compare the simulation results of the original TF-DPSQSS [29] protocol and our asymmetric protocol with N = 10 12 , where the difference in length between Alice's and Bob's channels is fixed at 10 km, 14 km.

Conclusions
In summary, we propose a differential phase shift quantum secret sharing protocol over asymmetric channels and give the security proof of our protocol against individual attacks. Moreover, we extend the asymptotic key rate of TF-DPSQSS [29] to finite-key region. Through implementing free parameter optimization on the numerical simulations, we demonstrate that our asymmetric protocol can dramatically improve the key generation rate and the transmission distance compared with the original TF-DPSQSS [29] protocol. As we have shown before, when the difference in length between Alice's channel and Bob's is fixed at 14 km, the key rate of the asymmetric protocol is two orders of magnitude higher than the original TF-DPSQSS [29] protocol. Furthermore, our protocol obtains a high key rate when the difference is large. In addition, it is convenient and efficient to implement by allowing Alice and Bob to set asymmetric intensities independently, especially in a network setting. Due to the remarkable performance of our asymmetric protocol, it can be applied directly to the QSS experiments over asymmetric channels and represents a further step towards practical application of QSS.