Improving Continuous Variable Quantum Secret Sharing with Weak Coherent States



Introduction
Secret sharing is a branch of cryptography [1] in which a dealer distributes a secret to all participants and only legitimate participants can reconstruct the shared secret by cooperating. The dealer distributes a secret message s to n participants, of whom at least t ≤ n must combine their shares to recover the secret. This is known as a (t, n)-threshold scheme [2][3][4][5][6][7][8][9]. Quantum secret sharing (QSS) is an extension of classical secret sharing via quantum states. Compared with classical secret sharing, QSS protocols can achieve unconditional security based on the quantum no-cloning theorem and the Heisenberg uncertainty principle [10].
Quantum secret sharing (QSS) can be categorized into discrete variable QSS (DVQSS) [11][12][13][14] and continuous variable QSS (CVQSS) [15][16][17][18][19][20][21][22] based on the carriers used. In DVQSS, discrete variable quantum states are used for the secret sharing, carrying information via weak laser pulses or single photons. Owing to the low channel capacity and the difficulty of preparing single photons, DVQSS is difficult to implement in practice. To avoid these shortcomings, continuous variable quantum states, such as coherent states and squeezed states, can be used as the information carriers, resulting in CVQSS. Coherent states can be generated and operated on by linear optical components, and squeezed states can be generated from them through non-linear interactions. Furthermore, both of them increase the channel capacity.
Most traditional QSS schemes are (n, n)-threshold schemes, in which the secret message from the dealer can be recovered only when all n participants work together, and no partial group of participants can restore the secret. For example, Cleve et al. proposed an initial (t, n) threshold DVQSS protocol in theory [11]. Correspondingly, CVQSS was proposed with an interferometric realization that depends on infinite squeezing [23]. After that, a (2,3) threshold scheme was designed using an entangled system [16]. Thereafter, an (n, n)-threshold protocol was proposed with weak coherent states [24]. However, most QSS protocols are based on squeezed states, which are more difficult to prepare in the laboratory than coherent states. Moreover, all participants have equal ability to recover the initial secret from the dealer in traditional (t, n) threshold schemes. Such schemes cannot satisfy practical conditions that need some specifically designated participants to share a message and accomplish tasks in a large group.
Currently, the Gaussian modulated coherent state (GMCS) has been elegantly applied in continuous variable quantum cryptography [25][26][27]. Gaussian modulation encodes the key information by modulating the quadratures, the amplitude X and the phase P, of few-photon coherent states with a centered Gaussian distribution, where the X and P quadratures can be measured by a heterodyne detector or a homodyne detector [28][29][30][31]. The GMCS-involved scheme has been proved to be secure against collective attacks and coherent attacks. Motivated by the elegant characteristics of the GMCS-involved system, we suggest an approach for establishing a GMCS-based CVQSS system. An improved (t, n) threshold scheme will be proposed with weak coherent states. The main feature is that, instead of all participants having equal ability to recover the secret, it requires specially designated participants for the secret sharing. Each participant imports its locally prepared GMCS into a circulating optical mode with a beam splitter, which can be implemented with current optical technologies. Compared with modulating the quantum state of a passing-through photon, this makes our protocol flexible and avoids obstruction from eavesdroppers in the quantum state preparation.
The paper is organized as follows. In Section 2, we present the GMCS-involved (t, n) scheme for the CVQSS system. In Section 3, we give the security analysis of the proposed CVQSS scheme. In Section 4, the performance analysis is shown with numerical simulation results for practical parameters. Finally, the conclusions are drawn in Section 5.

The GMCS-Involved (t, n) Scheme for CVQSS
Inspired by the characteristics of GMCS-involved quantum key distribution (QKD) [19] and the topological structure of the (n, n)-threshold scheme using weak coherent states [24], we propose an improved (t, n) threshold scheme for practical CVQSS.
As shown in Figure 1, all participants and the dealer are linked by a single fibre-based quantum channel for transmission. The first participant $B_1$ generates Gaussian random numbers and actively modulates the output of a local laser using phase and amplitude modulators to prepare a coherent state $|x_1 + ip_1\rangle$. Here, the two variables $x_1$ and $p_1$ are independent Gaussian random numbers with zero mean and a variance of $V_1 N_0$, where $N_0$ is the shot-noise variance and $V_1$ represents the modulation variance determined by $B_1$. Then, the coherent state $|x_1 + ip_1\rangle$ is sent to the adjacent participant and passes through a highly asymmetric beam splitter of $B_2$. Meanwhile, $B_2$ prepares another GMCS and couples it into the same spatiotemporal mode as that of $B_1$ by using the second beam splitter. $B_2$ can realize phase-space displacements of $\{x_2, p_2\}$ by adjusting the modulation variances and the reflectivity of the asymmetric beam splitter. The remaining participants execute a similar procedure. Finally, the quantum state at the dealer can be expressed as $\left|\sum_{j=1}^{n} T_j x_j + i\sum_{j=1}^{n} T_j p_j\right\rangle$, where $T_j$ is the channel transmittance from the $j$th participant to the dealer. The dealer obtains $\{x_h, p_h\}$ by measuring the amplitude and phase quadratures of the final quantum state via double homodyne detection.
Figure 1. The state preparation of participants and the dealer. L is laser, M represents modulator, BS is beam splitter, DHD expresses double homodyne detector, and $\{x_j, p_j\}$ are independent Gaussian random numbers retained by the $j$th participant $B_j$ with $j \in \{1, 2, \cdots, n\}$.
Stage 1. Preparation Processing:
1. The first participant $B_1$ generates the coherent state $|x_1 + ip_1\rangle$ based on its Gaussian random numbers $\{x_1, p_1\}$, laser and modulator, and sends it to the next participant $B_2$.
2. Each of the remaining participants couples its locally prepared GMCS into the same spatiotemporal mode as $B_1$ by using the highly asymmetric beam splitter.
3. The dealer obtains $\{x_h, p_h\}$ by measuring the amplitude and phase quadratures of the received quantum state via double homodyne detection. The resulting $\{x_h, p_h\}$ is saved as raw data.
4. Repeat the above steps until the dealer has enough raw data.
5. A subset of the raw data is randomly chosen and the dealer asks all the participants to publish the corresponding Gaussian random numbers. Combined with the corresponding measurement results, the transmittances $\{T_1, T_2, \cdots, T_n\}$ can be obtained [32]. All participants discard the disclosed data.
6. The dealer randomly chooses a subset of the raw data remaining after step 5. The dealer presumes that each participant except $B_m$ is dishonest and asks them to publish their corresponding Gaussian random numbers.
7. The dealer replaces the measurement result by In this case, $\{x_F, p_F\}$ and the raw data of $B_m$ are the same subsets. Therefore, the dealer and $B_m$ can obtain a lower bound on the secure key rate $R_m$ of GMCS-based quantum cryptography.
8. Repeat step 7 n times. Finally, the dealer gets the secure key rates $\{R_1, R_2, \cdots, R_n\}$ [18].
Stage 2. Implementation Processing:
1. The t legitimate participants are sorted by an agreed rule using $C_{lj}$ for $l \in \{1, 2, \cdots, t\}$ and $j \in \{1, 2, \cdots, n\}$.
2. Supposing that the sequence of t participants is as shown in Figure 2, the dealer randomly chooses a subset of the remaining raw data and asks all participants except $C_{12}$ to publish the corresponding Gaussian random numbers. The dealer obtains {x 12 1 , p 12 1 } with T j x j and p 12 1 T j p j .
3. Repeat step 2 t times. Each subset {x lj l , p lj l } of the dealer is the same as $\{x_j, p_j\}$ of $B_j$, for $l \in \{1, 2, \cdots, t\}$ and $j \in \{1, 2, \cdots, n\}$.
4. The dealer derives the secure key S from the raw data. Distribution of the secure key S can be described as follows
5. The polynomial prepared by the dealer can be expressed as The dealer calculates f (x) and obtains The dealer recodes the f (x lj l ) by Pauli operation. Simultaneously, it prepares some decoy particles and randomly inserts them into the coding sequence. The dealer remembers the initial state and position of each decoy particle. The dealer selects the secure key rate R of the proposed protocol as the minimum of {R 1j 1 , R 2j 2 , · · · , R tj t }, R lj l = $R_j$ [18], and sends them to all the participants according to the sequence of $C_{lj}$. After confirming that $C_{lj}$ has received the coding sequence, the dealer announces the initially inserted state and position of each decoy particle to $C_{lj}$. Then {$x_j$, f (x lj l )} becomes the private key of $C_{lj}$.
7. Legitimate participants restore the secret S by Lagrange interpolation. where with x lj l equal to $x_j$ for $k, l \in \{1, 2, \cdots, t\}$ and $j \in \{1, 2, \cdots, n\}$.
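The polynomial distribution and Lagrange recovery of Stage 2 (steps 5 to 7), as an added Python example that is not code from the paper. It assumes arithmetic over a prime field with each participant's private value already quantized to an integer abscissa; `deal`, `interpolate`, `forge_missing_share`, the prime and all sample values are constructed for illustration.

```python
import secrets

# Assumption: arithmetic in GF(P); the page's Gaussian values x_j are treated
# as already quantized to distinct non-zero integers.
P = 2**127 - 1  # Mersenne prime, larger than every value used below


def interpolate(points, x=0):
    """Evaluate at x the unique polynomial of degree < len(points) through
    the given (x_k, y_k) points (Lagrange form, all arithmetic mod P)."""
    total = 0
    for k, (xk, yk) in enumerate(points):
        num = den = 1
        for l, (xl, _) in enumerate(points):
            if l != k:
                num = num * (x - xl) % P
                den = den * (xk - xl) % P
        total = (total + yk * num * pow(den, -1, P)) % P
    return total


def deal(secret, abscissas, t):
    """Dealer: random polynomial f of degree t-1 with f(0) = secret,
    evaluated at each designated participant's private abscissa."""
    xs = [x % P for x in abscissas]
    if len(xs) < t or len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("need >= t distinct, non-zero abscissas")
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    shares = []
    for x in xs:
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x)
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def forge_missing_share(known, guess, x_missing):
    """Given only t-1 shares, return the y-value at x_missing that would make
    `guess` the recovered secret: every guess has one, so t-1 shares leak nothing."""
    return interpolate([(0, guess % P)] + known, x_missing)


# Constructed sample data (not from the page).
SECRET = int.from_bytes(b"constructed key", "big")
PRIVATE_X = [48213, 917, 30566]  # quantized private values of 3 designated participants
T = 3

if __name__ == "__main__":
    shares = deal(SECRET, PRIVATE_X, T)
    print("recovered ok:", interpolate(shares) == SECRET)
    x0, y0 = shares[0]
    bad = interpolate([(x0, (y0 + 1) % P)] + shares[1:])
    print("tampered share changes the secret:", bad != SECRET)
```

A single altered share silently yields a different value, which is why recovery needs a separate consistency check on the result.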
The procedures of the GMCS-involved CVQSS have now been introduced in detail. Legitimate participants can share a message from the dealer based on them. Furthermore, security is a critical factor for a QSS scheme. The security analysis of QSS is typically more involved than that of QKD. General security proofs against eavesdroppers in the channels and dishonest participants have only appeared recently. However, dishonest participants have more advantages in undermining the secret sharing than eavesdroppers from outside. Consequently, the following security analysis focuses on both eavesdroppers and dishonest participants.
Figure 2. The data-processing of legitimate t participants and the dealer. L is laser, M represents modulator, BS is beam splitter, DHD expresses double homodyne detector, $\{x_j, p_j\}$ are independent Gaussian random numbers retained by participant $B_j$, {$x_j$, f (x lj l )} is the private key of $C_{lj}$, $l \in \{1, 2, \cdots, t\}$, $j \in \{1, 2, 3, \cdots, n\}$.

Security Analysis
In the following, we consider the security of the GMCS-involved CVQSS against the intercept-and-resend attack, the collective attack, the dishonest participants attack and the entanglement attack.

Intercept-and-Resend Attack
The intercept-and-resend attack has two variants. In the first, an eavesdropper, Eve, intercepts quantum information from the dealer and copies it. Then she sends the copied quantum information to the legitimate participants. Because of the quantum no-cloning theorem, such copying cannot happen in the GMCS-involved CVQSS system. In the second, eavesdroppers intercept quantum information from the dealer and send false quantum information to the legitimate participants rather than copying it. In this case, the GMCS-based (t, n)-threshold scheme protects quantum states by randomly inserting some decoy particles into the coding sequence. Every decoy particle is selected randomly from CV quantum states. Eavesdroppers cannot determine the initial state and position of each decoy particle. We assume that the coding sequence has Ω decoy particles. The attack is detected with probability $1 - (3/4)^{\Omega}$. For Ω → ∞, the probability converges to 1 [33].

Collective Attack
Based on the polynomial and Lagrange interpolation, restoring the secret requires t legitimate participants. We assume that the dealer and one of the legitimate participants are honest. The rest of the participants are illegal users in this secret sharing in the large group. However, t − 1 dishonest legitimate participants cannot obtain the secret S by using a collective attack, since they cannot carry out the collective attack. This situation is similar to GMCS-based quantum cryptography. Suppose that the dealer asks t − 1 legitimate participants to publish their private keys while the last participant keeps its Gaussian random numbers and f (x) from the dealer. The last participant then owns all the data of the legitimate participants needed to recover the secret key. Since the dealer is honest and attempts to generate a secret key against all the other t − 1 participants, this case is the same as GMCS-based quantum key distribution (QKD), and the secure key rate of the GMCS-involved CVQSS protocol can be evaluated by standard security proofs of QKD [25][26][27]. Because the secure key of CVQSS ought to be secure against any group of t − 1 participants, the dealer needs to select the smallest among the secure key rates of the legitimate participants and the dealer. The secure key rate of the GMCS-based QKD can be calculated between the dealer and a selected participant while the other t − 1 legitimate participants are dishonest [24,34]. To show the performance of the CVQSS protocol, we execute simulations using concrete parameters and analyze the results in the next section.

Dishonest Participants Attack
When dishonest participants try to intercept other legitimate participants' information to restore the secret by themselves, they can be seen as eavesdroppers. Because participants other than the t legitimate participants are illegal users in the large group, it has no effect even though they are dishonest. Next we discuss how to analyze the security of the proposed protocol when dishonest participants appear among the t legitimate participants and put an erroneous private key into the process of recovering the secret key. Under these circumstances, two possibilities arise, i.e., the polynomial can be restored and the polynomial cannot be restored. For the first case, we assume a dishonest participant $C_{lj}$ makes {$x'_j$, f (x lj l )$'$} its private key, where f (x lj l )$'$ Using the Lagrange interpolation, the polynomial can be expressed as where $S'$ is the recovered secret key. After testing and verifying, $S'$ and $Z'_\tau$ do not satisfy the constraint in Equation (1) for $\tau \in \{1, 2, \cdots, t\}$. It seems that the dishonest participant can be found by the legal participants. For the second case, supposing that a dishonest participant The polynomial can be represented as Obviously, the restored polynomial is equal to the primitive polynomial, and S is the secret key from the dealer. However, it does not satisfy the constraint $Z_l = S \bmod x^*_j$. By the above-mentioned measurements, we can detect the dishonest participant. If there is more than one dishonest participant, they can be detected with higher probability [35][36][37][38].

Entanglement Attack
In this kind of attack, Eve does not change the quantum information, but disturbs the channel with an entanglement attack. In the preparation stage, the dealer sends f (x lj l ) to the legitimate participants based on the sequence of $C_{lj}$. When Eve does not know this sequence, she cannot deal with the f (x lj l ) corresponding to $C_{lj}$. So obtaining $x_j$ from each legitimate participant is essential for eavesdropping. In the implementation stage, the dealer randomly chooses a subset of the remaining raw data and asks all participants except $C_{lj}$ to publish the corresponding Gaussian random numbers. $C_{lj}$ keeps its Gaussian random numbers and gets $x_j$ as its private key. In this case, $x_j$ does not need to be transmitted in the fiber channel. Therefore, Eve cannot obtain it by attacking the entangled channel.

Numerical Simulation
In numerical simulations of practical implementations, groups of t legitimate participants from all participants are designated with different values and geographical positions. We assume that the distance between the dealer and the farthest legitimate participant is h and that all the other t − 1 participants are randomly distributed. The minimum secure key rate is taken as the secure key rate of the proposed CVQSS system.
Because every participant has excess noise ε, the farthest legitimate participant is the one that achieves the minimum secure key rate with the dealer. The secret rate can be derived as [31] where κ is the reconciliation efficiency, $I_{AB}$ expresses the Shannon mutual information shared between Alice and Bob, and $\chi_{BE}$ represents the upper bound on the information accessible to Eve (including the other t − 1 participants and the eavesdropper) on Bob's secret key. The channel transmittance of the $l$th participant can be defined as where γ is the attenuation coefficient of the quantum channel and $\rho_l$ represents the ratio of the fiber length of the $l$th participant to that of the farthest participant from the dealer. In addition, the excess noise of all t legitimate participants is given by [29,39] with $\bar{T}_h = 10^{-\gamma h/10}$. Using the channel input from Alice as reference, $\frac{T_l}{\bar{T}_h}\varepsilon$ represents the $l$th participant's excess noise. In this case, the excess noise is connected with the channel transmittance. The channel-added noise can be described as Consequently, the total noise referred to the channel input between Alice and Bob can be given by with $\chi_h = [1 + (1 - \eta) + 2\upsilon_{el}]/\eta$, where η is an efficiency and $\upsilon_{el}$ denotes the noise owing to detector electronics. Moreover, the mutual information of Alice and Bob is given by where $V = V_A + 1$ and $V_A$ is the modulation variance of Alice. The maximum information accessible to Eve on Bob's secret key is the Holevo quantity, which can be derived as where $G(x) = (x + 1)\log_2(x + 1) - x\log_2(x)$. The symplectic eigenvalues $\lambda_{1,2}$ can be calculated as where Furthermore, the symplectic eigenvalues $\lambda_{3,4}$ can be calculated as with the notations The last symplectic eigenvalue $\lambda_5$ is equal to 1. As mentioned above, the channel transmittance of the $l$th legitimate participant changes with its fiber length to the dealer.
Since the secret key rate depends on the distance between each legitimate participant and the dealer, the way the participants are distributed has a great effect on the calculated secure key rate. Because $\rho_l$ represents the ratio of the fiber length of the $l$th participant to that of the farthest participant from the dealer, different distributions can be described by different sets of $\rho_l$. As shown in Figure 3, we obtain the relation between the secure key rate and the fiber length for different distributions and an identical number of legitimate participants t = 20. In Figure 3, the secret key rates for different distributions of legitimate participants are the same when the fiber length is short. The longer the fiber, the greater the influence of the distribution of legitimate participants, and the difference between the secure key rates at the same fiber length increases. In practical implementations, various tasks need different numbers of legitimate participants for the secret sharing. The number of legitimate participants for a task is determined by the dealer, and each participant is equally likely to take part in the task. In this case, the relation between the secure key rate and the fiber length for different numbers of legitimate participants t out of the same total number of participants n = 25 is shown in Figure 4. For t = 5, the secret key rate decreases as the fiber length increases. As the number of legitimate participants increases for the same n = 25, the secret key rate gradually decreases at the same fiber length. When the number of legitimate participants reaches the upper limit t = n = 25, the secret key rate is the smallest at the same fiber length. In this case, the scheme becomes the (n, n)-threshold CVQSS scheme. This scheme can be conducted at 4 km with 25 legitimate participants for ε = 0.01.
Figure 5 shows the relation between the secret key rate and the fiber length for different numbers of legitimate participants t = 5, 50, 100 and 200 out of the same total number of participants n = 200. For ε = 0.001, the number of legitimate participants can be determined randomly between 2 and 200. We find that this scheme can be conducted at 10 km with 200 legitimate participants.
[Figure 5: secure key rate (bits/pulse) for t = 5, 50, 100, 200 with n = 200.]
The reconciliation efficiency ranges from 0, when no information is extracted, to 1 for a perfect reconciliation scheme. It is connected with the Shannon mutual information shared between Alice and Bob. The relation between the secure key rate and the fiber length for different numbers of legitimate participants t and different reconciliation efficiencies, out of the same total number of participants n = 50, is shown in Figure 6. Here, we choose t = {15, 30, 45}, and the values of κ are 0.98 and 0.9. The numerical relation is displayed in Figure 6. It is obvious that, for the same number of legitimate participants t, the higher reconciliation efficiency gives a higher secure key rate than the lower one.
The attenuation coefficient influences the channel transmittance of all participants. We use a similar analytical approach to illustrate the effect of the attenuation coefficient γ on the secure key rate with different numbers of legitimate participants t. Figure 7 shows that a higher secure key rate and a longer maximum transmission distance can be achieved by tuning the value of the parameter γ to be smaller.
[Figure 6: secure key rate (bits/pulse) for t = 15, 30, 45 with κ = 0.98 and κ = 0.9.]
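The trends discussed in this section (more legitimate participants, longer fiber, lower κ or larger γ all reduce the rate) can be reproduced with the following added Python sketch, which is not the authors' simulation code. It assumes the standard heterodyne-detection, reverse-reconciliation GMCS expressions from the CV-QKD literature for the symplectic eigenvalues, a total excess noise equal to the sum of the per-participant terms, an evenly spaced constructed placement `even_rho`, and illustrative values for $V_A$, η, $\upsilon_{el}$ and γ that the page does not state.

```python
import math


def G(x):
    """Entropy function from the page: G(x) = (x+1)log2(x+1) - x log2(x)."""
    if x <= 0.0:  # G(0) = 0; also absorbs rounding slightly below zero
        return 0.0
    return (x + 1) * math.log2(x + 1) - x * math.log2(x)


def even_rho(t):
    """Constructed placement: t participants evenly spaced, farthest at rho = 1."""
    return [(l + 1) / t for l in range(t)]


def key_rate(h_km, rho, eps=0.01, gamma=0.2, kappa=0.98,
             V_A=4.0, eta=0.6, v_el=0.1):
    """Rate (bits/pulse) between the dealer and the farthest participant.
    rho: fiber-length ratios rho_l; V_A, eta, v_el, gamma are assumed values."""
    T_h = 10 ** (-gamma * h_km / 10)                     # farthest participant
    # Assumption: total excess noise = sum over participants of (T_l / T_h) * eps
    eps_tot = sum(10 ** (-gamma * r * h_km / 10) / T_h * eps for r in rho)
    V = V_A + 1
    chi_line = 1 / T_h - 1 + eps_tot                     # channel-added noise
    chi_h = (1 + (1 - eta) + 2 * v_el) / eta             # detection-added noise
    chi_tot = chi_line + chi_h / T_h
    I_AB = math.log2((V + chi_tot) / (1 + chi_tot))

    # Standard heterodyne expressions (assumed; not shown on the page).
    A = V**2 * (1 - 2 * T_h) + 2 * T_h + T_h**2 * (V + chi_line)**2
    B = (T_h * (V * chi_line + 1))**2
    den = T_h * (V + chi_tot)
    C = (A * chi_h**2 + B + 1
         + 2 * chi_h * (V * math.sqrt(B) + T_h * (V + chi_line))
         + 2 * T_h * (V**2 - 1)) / den**2
    D = ((V + math.sqrt(B) * chi_h) / den)**2

    def eig_pair(a, b):
        root = math.sqrt(max(a * a - 4 * b, 0.0))
        return math.sqrt((a + root) / 2), math.sqrt((a - root) / 2)

    l1, l2 = eig_pair(A, B)
    l3, l4 = eig_pair(C, D)
    # lambda_5 = 1 contributes G(0) = 0 to the Holevo bound.
    chi_BE = G((l1 - 1) / 2) + G((l2 - 1) / 2) - G((l3 - 1) / 2) - G((l4 - 1) / 2)
    return kappa * I_AB - chi_BE


if __name__ == "__main__":
    for t in (5, 15, 25):
        rates = [round(key_rate(h, even_rho(t)), 4) for h in (1, 2, 4)]
        print(f"t={t:2d}  rate at 1/2/4 km: {rates}")
```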

Conclusions
We have suggested an improved approach for the GMCS-involved (t, n) threshold CVQSS. The secret sharing scheme combines weak coherent states with double homodyne detectors, making it suitable for practical implementations because the GMCS can be prepared and modulated with current technologies. Compared with traditional (t, n) threshold QSS protocols, only the designated participants can recover the original secret using Lagrange interpolation with their encoded random variables, instead of all participants having equal ability. Since each participant imports a locally prepared quantum state into a circulating optical mode, the security of the CVQSS system is improved in practice. We consider the security of the proposed protocol against the intercept-and-resend attack, the collective attack, the dishonest participants attack and the entanglement attack. In addition, the proposed protocol fits the particular condition in which some special participants are needed for the secret sharing in a large group.