Quantum secret sharing using weak coherent states
Warren P. Grice, Bing Qi

TL;DR
This paper introduces a continuous variable quantum secret sharing protocol using coherent states, which is scalable, immune to Trojan horse attacks, and secure under high channel loss conditions.
Contribution
It proposes a novel continuous variable QSS scheme with practical laser sources, demonstrating unconditional security and scalability unlike previous entanglement-based protocols.
Findings
Protocol is immune to Trojan horse attacks.
Secure under high channel loss conditions.
Scalable to many players with minimal additional loss.
Warren P. Grice
Current address: Qubitekk, LLC, Vista, California 92081, USA.
Quantum Information Science Group, Computational Sciences and Engineering Division, Oak Ridge National Laboratory, Oak Ridge, TN 37831, USA
Bing Qi
Quantum Information Science Group, Computational Sciences and Engineering Division, Oak Ridge National Laboratory, Oak Ridge, TN 37831, USA
Department of Physics and Astronomy, The University of Tennessee, Knoxville, TN 37996, USA
Abstract
Secret sharing allows a trusted party (the dealer) to distribute a secret to a group of players, who can only access the secret cooperatively. Quantum secret sharing (QSS) protocols could provide unconditional security based on fundamental laws in physics. While the general security proof has been established recently in an entanglement-based QSS protocol, the tolerable channel loss is unfortunately rather small. Here we propose a continuous variable QSS protocol using conventional laser sources and homodyne detectors. In this protocol, a Gaussian-modulated coherent state (GMCS) prepared by one player passes through the secure stations of the other players sequentially, and each of the other players injects a locally prepared, independent GMCS into the circulating optical mode. Finally, the dealer measures both the amplitude and the phase quadratures of the receiving optical mode using double homodyne detectors. Collectively, the players can use their encoded random numbers to estimate the measurement results of the dealer and further generate a shared key. We prove the unconditional security of the proposed protocol against both eavesdroppers and dishonest players in the presence of high channel loss, and discuss various practical issues.
Footnote: This manuscript has been authored by UT-Battelle, LLC under Contract No. DE-AC05-00OR22725 with the U.S. Department of Energy. The United States Government retains and the publisher, by accepting the article for publication, acknowledges that the United States Government retains a non-exclusive, paid-up, irrevocable, world-wide license to publish or reproduce the published form of this manuscript, or allow others to do so, for United States Government purposes. The Department of Energy will provide public access to these results of federally sponsored research in accordance with the DOE Public Access Plan (http://energy.gov/downloads/doe-public-access-plan).
PACS: 03.67.Dd
I Introduction
Secret sharing is a cryptographic primitive with important practical applications Shamir79 ; Blakley79 . In this protocol, a dealer distributes a secret message to players in such a way that at least players have to work together to decode the message. This is called a threshold scheme. In this paper, we will focus on the threshold secret sharing protocol, which means all the players have to work together to decode the dealer’s message.
If the dealer shares an independent secure key (i=1,2..n) with each player and the length of each key is the same as that of the message, then a threshold scheme can be implemented as follows. The dealer first generates a new key where “” denotes addition modulo 2, then encodes message using and broadcasts the encrypted message . Obviously, only when the players work together can they determine and thus decode from .
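The all-players-required construction described above, written out as an added example (it is not code from the paper; the function names are hypothetical). It also enumerates every value of one missing key for a 1-byte message to show that a coalition lacking a single key sees all 256 candidate messages as equally consistent with the broadcast.

```python
import secrets
from collections import Counter
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise addition modulo 2 of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def combine_keys(keys):
    """XOR of all individual keys; every key is needed to reproduce it."""
    if not keys:
        raise ValueError("at least one key is required")
    return reduce(xor_bytes, keys)


def dealer_encrypt(message: bytes, player_keys) -> bytes:
    """Dealer side: one-time-pad the message with the combined key."""
    return xor_bytes(message, combine_keys(player_keys))


def players_decrypt(ciphertext: bytes, player_keys) -> bytes:
    """Player side: only the full set of keys recovers the message."""
    return xor_bytes(ciphertext, combine_keys(player_keys))


def coalition_view(ciphertext: bytes, known_keys) -> Counter:
    """Messages still possible for a coalition that lacks exactly one key.

    Exhaustive over the missing key, so restricted to 1-byte messages.
    """
    if len(ciphertext) != 1:
        raise ValueError("exhaustive check is limited to 1-byte messages")
    partial = reduce(xor_bytes, known_keys, ciphertext)
    return Counter(xor_bytes(partial, bytes([guess])) for guess in range(256))


if __name__ == "__main__":
    # Constructed sample data: three players, random keys of message length.
    message = b"launch code 42"
    keys = [secrets.token_bytes(len(message)) for _ in range(3)]
    broadcast = dealer_encrypt(message, keys)
    print(players_decrypt(broadcast, keys))            # all three keys: message
    print(players_decrypt(broadcast, keys[:2]) == message)  # two keys: garbage

    one_byte_keys = [secrets.token_bytes(1) for _ in range(3)]
    view = coalition_view(dealer_encrypt(b"\x5a", one_byte_keys), one_byte_keys[:2])
    print(len(view), set(view.values()))               # 256 candidates, each once
```
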
The security of the above scheme relies on the security of each individual key. Two-party quantum key distribution (QKD) protocols can be employed to generate unconditional secure keys through insecure channels Gisin02 ; Scarani09 ; Lo14 ; Diamanti16 . The dealer could establish a QKD link with each of the players and generate individual keys before running the secure sharing protocol. However, such an implementation is rather inefficient for large . Various quantum secret sharing (QSS) protocols Hillery99 ; Karlsson99 ; Tittel01 ; Xiao04 ; Chen05 ; Lance04 ; Zhou18 have been proposed aiming at achieving both proven security and high efficiency.
The security of QSS is deeply connected to that of QKD. Nevertheless, in contrast to a point-to-point two-party QKD protocol, a QSS protocol typically involves more participants and some of them might be dishonest. This allows additional hacking strategies and makes the security analysis of a QSS protocol more demanding than that of QKD. The application of continuous variable (CV) QKD techniques to analyze CV-QSS security was first proposed in Lau2013 . More recently, the security proof of CV-QSS against both eavesdroppers in the channels and dishonest players appeared Kogias17 . Like most other QSS protocols, the protocol studied in Kogias17 is based on multiparty quantum entanglement which may be difficult to implement with today’s technology when is large. Furthermore, the tolerable channel losses presented in Kogias17 are quite small.
On another front, to ease the implementation difficulties, single qubit sequential QSS protocols have been proposed and experimentally demonstrated Schmid05 . The basic idea is shown in Fig.1. A single photon prepared in an initial polarization state propagates from party to party sequentially. Each party independently applies a random BB84-type BB84 polarization rotation on the same photon. Finally, the last recipient performs a polarization measurement. In half of the cases, the combination of the basis choices by all the parties results in a deterministic measurement result at the last recipient. These instances could be used to implement secret sharing when equipped with an appropriate postprocessing procedure. We remark that a similar design has been proposed and demonstrated in multiuser QKD Phoenix95 ; Grice15 .
While the above scheme can significantly improve the feasibility of QSS, its general security is still under debate He07 ; Schmid07 ; He10 . Furthermore such a design is vulnerable to Trojan-horse attacks where a malicious eavesdropper could send in multiphoton signals to the polarization rotation device of the targeted party and unambiguously determine the corresponding polarization rotation by measuring the output signals. We remark that in the context of QKD, a similar problem has been investigated in the so-called “plug-and-play” design Muller97 , where Bob sends a strong unmodulated laser pulse to Alice through an insecure channel, who in turn encodes information and sends it back to Bob after attenuating it to the single-photon level. Since the laser pulses from Bob to Alice are strong classical signals, the security issue due to the bidirectional feature of Alice’s system could be mitigated by characterizing the light pulses received by Alice using conventional photodetectors zhao08 ; zhao10 . However, it is more difficult to apply the same countermeasures in the case of single qubit sequential QSS, where the attacker can use a weaker probe signal. This is not only because the QSS design does not employ an attenuator (as in the plug-and-play design), but also because the attacker can make use of both ports of the QSS device rather than probing and detecting via a single port.
In this paper, we will address both the security and the practicability of QSS. We propose a CV sequential QSS protocol based on conventional laser sources and homodyne detectors. The main idea is that, instead of modulating the quantum state of a “passing through” photon, each player injects a locally prepared quantum state into a circulating optical mode using a beam splitter. This prevents eavesdroppers from accessing or interfering with the quantum state preparation process and makes our scheme resilient to Trojan horse attacks. By choosing an appropriate beam splitting ratio, the additional loss introduced by each player’s system can be extremely small, making the protocol extendable to a large number of players. Furthermore, by extending the ideas introduced in Kogias17 , we prove the general security of the proposed protocol against both eavesdroppers and dishonest players in the presence of high channel loss.
This paper is organized as follows: In Section II, we present details of the proposed QSS scheme and provide a general security proof. In Section III, we conduct numerical simulations based on practical system parameters to show its feasibility. In Section IV, we discuss various implementation issues and possible extensions.
II The protocol and its security
Inspired by the single qubit sequential QSS protocol Schmid05 and the Gaussian-modulated coherent-state (GMCS) QKD GMCSQKD , we propose a CV-QSS protocol. As shown in Fig.2, players and the dealer are connected by a single communication channel such as a telecom fiber. For each quantum transmission, the first player at one end of the link prepares a coherent state and sends it to the adjacent player . Here and are independent Gaussian random numbers with zero mean and a variance of , where is the modulation variance chosen by , and = 1/4 denotes the shot-noise variance. The above coherent state passes through a highly asymmetric beam splitter (with a transmittance ) located within the secure station of , and continues its journey to the next player. In the meantime locally prepares an independent GMCS and couples it into the same spatiotemporal mode as the signal from via the second input port of the beam splitter. By carefully controlling the modulation variances and having knowledge of the reflectivity of the asymmetric beam splitter, can introduce phase-space displacements of . All the other players perform similar operations. At the end, the quantum state that arrives at the dealer can be described by , where is the overall transmittance (including losses due to the channel and the beam splitters) experienced by the quantum signal from the player. The dealer measures both the amplitude and the phase quadratures of the received optical mode by performing double homodyne detection. Intuitively, if all the players collaborate with each other and share the encoded Gaussian random numbers, they can acquire a good estimation of the dealer’s measurement results. This allows the dealer to generate a secure key which can only be known by the whole group of players and not by any subset of them. The dealer can further use the above key to implement the threshold secret sharing protocol.
The QSS protocol is summarized as below:
Quantum stage
1. The first player draws a pair of Gaussian random numbers , prepares a coherent state and sends it to the adjacent player.
2. Using a highly asymmetric beam splitter, each player down the link injects a locally prepared GMCS into the same spatiotemporal mode as the signal from .
3. The dealer measures the amplitude and phase quadratures of the received optical mode by performing double homodyne detection. The measurement results are kept as raw data.
4. The above procedure is repeated many times to generate enough raw data. This completes the quantum stage of the protocol.
Classical post-processing stage
5. The dealer randomly selects a subset of the raw data and requests all the players to announce the corresponding Gaussian random numbers. Combined with the corresponding measurement results, the channel transmittance can be determined note1 . All the parties discard the disclosed data.
6. The dealer assumes is honest and all the other players are dishonest.
7. The dealer randomly selects a subset of remaining raw data and requests all the players except to announce their corresponding raw data.
8. The dealer displaces the measurement results of the subset in step 7 using . From and ’s raw data for the same subset, the dealer and estimate a lower bound of secure key rate (in unit of bits per pulse) of two-party QKD following the standard postprocessing procedures in the GMCS QKD GMCSQKD ; Diamanti15 . All the parties discard the disclosed data.
9. Steps 6-8 are repeated time. In each run, a different player is selected as the honest player. At the end, the dealer has secure key rates .
10. The dealer determines the secure key rate of the QSS protocol as the minimum of , and generates the final secure key from undisclosed data using the reverse reconciliation scheme developed in GMCS QKD GMCSQKD ; Diamanti15 . Note that, in reverse reconciliation, classical information goes from the dealer to the players. Accordingly, this process can be accomplished without the cooperation of the players. The dealer can implement a QSS protocol by using the final secure key to encrypt the message to be shared. Collaboratively, the players can recover the final secure key (thus the dealer’s message) using their Gaussian random numbers and the classical information announced by the dealer. Any group of (or fewer) players can only gain an exponentially small amount of information about the final secure key.
The data reconciliation procedure in the last step of the protocol is the same as that in the standard GMCS QKD (see Diamanti15 and references therein). Note that in the above protocol, we have implicitly assumed that all the parties share a phase reference. We will discuss how to establish such a phase reference in Section IV.
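The classical data flow of steps 1 to 8, as an added Monte Carlo example (not code from the paper). It assumes a simplified additive model for one quadrature, dealer outcome = sum of sqrt(T_k)·x_k plus Gaussian noise, with constructed transmittances and noise, and it reports only the Shannon mutual information after displacement; the secure key rate of the protocol additionally subtracts the Holevo term.

```python
import math
import random

N0 = 0.25  # shot-noise variance used on the page (N0 = 1/4)


def cov(a, b):
    """Sample covariance of two equally long sequences."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    return sum((u - ma) * (v - mb) for u, v in zip(a, b)) / len(a)


def quantum_stage(rng, sqrt_t, mod_var, noise_var, rounds):
    """Steps 1-4, one quadrature, under the ASSUMED additive model:
    dealer outcome = sum_k sqrt(T_k) * x_k + Gaussian noise."""
    sd_x, sd_n = math.sqrt(mod_var * N0), math.sqrt(noise_var)
    players = [[rng.gauss(0.0, sd_x) for _ in range(rounds)] for _ in sqrt_t]
    dealer = [sum(g * xs[r] for g, xs in zip(sqrt_t, players)) + rng.gauss(0.0, sd_n)
              for r in range(rounds)]
    return players, dealer


def estimate_gains(players, dealer, idx):
    """Step 5: estimate sqrt(T_k) for every player from the disclosed rounds."""
    d = [dealer[i] for i in idx]
    gains = []
    for xs in players:
        x = [xs[i] for i in idx]
        gains.append(cov(x, d) / cov(x, x))
    return gains


def residual(players, dealer, gains, members, idx):
    """Dealer data after subtracting the announced contributions of `members`."""
    return [dealer[i] - sum(gains[k] * players[k][i] for k in members) for i in idx]


def information_with(players, dealer, gains, honest, idx):
    """Steps 6-8: displace by everyone except `honest`, then return the Gaussian
    Shannon mutual information (bits per quadrature) with the honest player."""
    others = [k for k in range(len(players)) if k != honest]
    y = residual(players, dealer, gains, others, idx)
    x = [players[honest][i] for i in idx]
    rho2 = cov(x, y) ** 2 / (cov(x, x) * cov(y, y))
    return -0.5 * math.log2(1.0 - rho2)


def demo(seed=7, rounds=60000):
    rng = random.Random(seed)
    true_t = (0.1, 0.3, 0.6)  # constructed transmittances; player 0 is farthest
    sqrt_t = [math.sqrt(t) for t in true_t]
    players, dealer = quantum_stage(rng, sqrt_t, mod_var=4.0, noise_var=0.3,
                                    rounds=rounds)
    order = list(range(rounds))
    rng.shuffle(order)
    third = rounds // 3
    est_idx, test_idx = order[:third], order[third:2 * third]  # rest stays private
    gains = estimate_gains(players, dealer, est_idx)
    n = len(players)
    info = [information_with(players, dealer, gains, j, test_idx) for j in range(n)]
    # Variance left in the dealer's data for the full group and for each
    # coalition that lacks exactly one player.
    everyone = residual(players, dealer, gains, range(n), test_idx)
    missing = []
    for j in range(n):
        r = residual(players, dealer, gains, [k for k in range(n) if k != j], test_idx)
        missing.append(cov(r, r))
    return {"gains": gains, "info": info,
            "all_players": cov(everyone, everyone), "missing_one": missing}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The full group is left with only the noise variance, while every coalition missing one player also carries that player's unknown displacement; the smallest per-player information belongs to the farthest player, which is why the protocol takes the minimum over players.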
The security analysis of a QSS protocol is typically more involved than that of QKD. The general security proof against both eavesdroppers in the channels and dishonest players only appeared recently Kogias17 . In Kogias17 , the dealer prepares a multiparty continuous-variable entangled state, keeps one mode and distributes the other modes to the players. Homodyne detection is carried out by each party on the corresponding mode. One important idea in Kogias17 is to treat the measurement results announced by the players as input or output from uncharacterized devices while the dealer and the corresponding device are assumed to be trusted. This allows them to apply the tools developed in one-sided device-independent QKD Tomamichel11 ; Walk16 to the security analysis of QSS protocol. Nevertheless, the tolerable channel losses presented in Kogias17 are quite small.
In this paper, we follow a security proof strategy similar to that in Kogias17 by connecting the security of QSS with that of the underlying two-party QKD. In our CV-QSS protocol, the dealer needs to generate a secure key from the measurement results using reverse reconciliation. The question is at what rate the secure key can be generated (the lower bound of the secure key rate) such that only when all the players work together, can they recover the dealer’s secure key, while any group of (or fewer) players can only gain an exponentially small amount of information. The above problem can be connected to QKD as follows: Imagine that the dealer requests a group of players to publicly announce their Gaussian random numbers while the last player (Alice) keeps her data private. In this case Alice (who holds the complete information of the players) should be able to recover the secure key while the players do not have sufficient information for key recovery. This is equivalent to a two-party QKD problem where two honest users (Alice and the dealer) try to generate a secure key against all the other players (and potential eavesdroppers in the channel). So the secure key rate of QSS is the same as that of QKD and can be calculated using standard security proofs of QKD (see more details in the next paragraph). Since Alice is assumed to be honest in the above picture, it is reasonable to assume the device controlled by her is also trusted. This suggests that we can use the standard security proof of QKD with trusted devices to evaluate the secure key rate. Since the secure key of QSS should be secure against any group of players, the dealer needs to repeat the above procedure times: the dealer evaluates potential secure key rates of QKD with each individual player (by assuming all the other players are dishonest) and chooses the smallest one among them as the secure key rate for QSS (steps 6-9 in the protocol). 
This guarantees the security against the collaborating attacks between the eavesdropper and any (or fewer) players. By employing the security proof of standard QKD, a highly efficient, loss-tolerant QSS can be achieved. Note that we have adopted a similar security proof strategy in a recent entanglement based QSS demonstration Williams2019 .
Next we discuss how to evaluate the secure key rate of QKD between the dealer and a chosen player given that all the other players are dishonest. Here, we use a security argument similar to the one used in Qi15 . As specified in steps 7-8 of the protocol, after the dealer has decided which player to conduct QKD with, he (or she) requests all the other players to announce encoded random numbers for a randomly chosen subset of the raw data. The dealer then displaces the corresponding measurement results using and estimates a lower bound for the QKD key rate with the player chosen above. Since the displacement operation commutes with homodyne detection, instead of displacing the measurement results, the dealer could perform phase-space displacements before double homodyne detection. We can further assume this virtual displacement operation is performed by the players outside the dealer’s secure station without weakening the security of the protocol. In this picture, the actual protocol has been reduced to the standard QKD where all the operations by the other players (and potential eavesdroppers) are conducted in the channel before the two QKD users start the postprocessing process. Thus the standard security proof of the GMCS QKD can be applied. Note that the above security analysis covers the cases when the players do not execute the protocol honestly.
Note that in this paper, we have assumed that the dealer performs homodyne detection while the players prepare quantum states. In this scenario, the homodyne detector can be trusted and this allows us to apply the standard security proof of CV-QKD. Furthermore, we can apply the trusted detector noise model by assuming that both the detector efficiency and the detector noise are well calibrated and out of the adversary’s control. This approach can typically lead to a better QKD performance and has been widely adopted in long-distance CV-QKD experiments GMCSQKD ; Lodewyck07 ; Qi07 ; Jouguet13 ; Huang16 ; ZLC17 . We will discuss other possible arrangements in Section IV.
To evaluate the performance of the proposed QSS protocol, in the next section we conduct numerical simulations based on realistic system parameters.
III Numerical simulations
We assume that the quantum channel is telecom fiber with an attenuation coefficient of . Numerical simulations are conducted based on a specific configuration: the fiber length between the dealer (Bob) and the farthest player (Alice) is . All the other players are distributed between them with equal separation. According to step 10 in the protocol, the secure key rate of the QSS protocol is the smallest secure key rate of two-party QKD evaluated between the dealer and each player. Given that each player introduces the same amount of excess noise (defined as in the shot-noise unit), the smallest QKD key rate under normal operation will be the one between Alice and Bob. This is the key rate we will evaluate below. Note that to implement the proposed protocol in practice, the dealer should evaluate a secure key rate with each player using experimental data, and choose the smallest one as the secure key rate for QSS.
The asymptotic secure key rate of two-party GMCS QKD, in the case of reverse reconciliation, is given by Refs. Lodewyck07 ; Fossier09
[TABLE]
where is the Shannon mutual information between Alice and Bob; is the efficiency of the reconciliation algorithm; is the Holevo bound between Eve (including external eavesdroppers and the other players) and Bob. and can be determined from the channel loss, observed noises, and other QKD system parameters. Note that all the noise terms in this paper are defined in shot-noise units.
The channel transmittance of the player is given by
[TABLE]
where is the fiber length between the dealer and the player. Here without compromising the practicability, we have assumed that the transmittance of the beam splitter at each player’s station is .
The excess noise contributed by the player, when referred to the channel input, is given by
[TABLE]
Note that the excess noise is defined as the additional noise above the vacuum noise associated with non-unity channel transmittance. Under normal operation (no eavesdroppers in the channel), the excess noise is mainly due to system imperfections, such as detector noise, errors in quantum state preparation, background light, etc. In (3), is defined as the variance of the excess noise from each player. Since the secure key rate given below is estimated using noises referred to the channel input (at Alice), we calculate the excess noise from the player by dividing by the transmittance from Alice to the player .
In the case of conjugate homodyne detection, the noise added by Bob’s detector (referred to Bob’s input) is given by Fossier09
[TABLE]
where and are the efficiency and noise variance of Bob’s detector.
The channel-added noise referred to the channel input is given by
[TABLE]
where the term represents vacuum noise due to the channel loss.
The overall noise referred to the channel input is given by
[TABLE]
Since both quadratures can be used to generate the secure key, the mutual information between Alice and Bob is given by
[TABLE]
where , and is Alice’s modulation variance.
To estimate , we adopt the realistic noise model where loss and noise of Bob’s detector are assumed to be trusted and cannot be accessed by the eavesdropper GMCSQKD ; Lodewyck07 ; Qi07 ; Jouguet13 ; Huang16 ; ZLC17 . Under this model, is given by Ref. Lodewyck07
[TABLE]
where .
[TABLE]
where
[TABLE]
[TABLE]
[TABLE]
where
[TABLE]
[TABLE]
[TABLE]
Simulation parameters are summarized as follows: dB/km, , , , and . The modulation variance is numerically optimized at different fiber lengths. Note that in (1), when increases, both the mutual information and Eve’s information will increase. In the ideal case (no excess noise and the efficiency of the reconciliation algorithm ), a larger modulation variance always leads to a higher secure key rate, so the optimal value of would be infinite. When we take into account system imperfections and non-unity reconciliation efficiency, can increase faster than when is above a certain value. This leads to a finite optimal modulation variance. It is a common practice to numerically search for the optimal value of . In this paper, for simplicity, we assume all the players use the same . The secure key rate could be further improved by optimizing the modulation variance for each player separately.
In Fig.3 we present the relations of the secure key rate and the fiber length at different numbers of players n=2, 5, 10, and 20. As shown in Fig.3, the QSS protocol can be conducted over tens of kilometers of telecom fiber with a moderate number of players. The performance can be further improved by reducing the excess noise contributed by each player. Fig.4 shows the simulation results when and n=10, 20, 50, and 100: the QSS protocol can be conducted over km with 100 players.
IV Discussion
Compared with the previous single qubit sequential QSS scheme Schmid05 , the CV-QSS proposed here is naturally resilient to Trojan horse attacks: the encoding modulators within the secure stations cannot be reached by the probing signals from external players or the eavesdropper. Furthermore, by using highly asymmetric beam splitters, the additional loss introduced by each player can be extremely small. This opens the door to large-scale implementations. As in the case of single qubit sequential QSS which can be easily changed into a configurable multiuser QKD network Grice15 , it should be straightforward to implement CV-QKD based on the proposed CV-QSS design. Below we will address a few practical issues.
In Section II, we have implicitly assumed that all the participants share a phase reference. This allows them to prepare quantum states and perform homodyne detection in the same reference frame. One immediate question is how to establish such a phase reference in practice. One possible solution is the pilot-aided phase recovery scheme proposed in CV-QKD Qi15 ; Soh15 ; Qi17 . The basic idea is that the first player generates a classical phase reference pulse using the same laser for quantum state generation. After applying a suitable multiplexing scheme (time, frequency, polarization, or a combination of them), the phase reference pulse propagates through the same optical path as the quantum signal. Each player down the link (and also the dealer) splits out a suitable portion of the phase reference pulse and interferes it with the local laser. This allows each player (and the dealer) to determine the phase difference between the local phase frame and that of the first player. After the quantum transmission stage, the players and the dealer first correct the raw data by performing rotation ; , then they proceed with the remaining steps of the protocol. This phase recovery scheme has been successfully demonstrated in CV-QKD Qi15 ; Soh15 ; Wang17 ; Kleis17 .
In practice, the above phase recovery scheme cannot be implemented perfectly due to system imperfections. The additional excess noise contributed by each player can be described by , where is the phase noise variance (in units of ) at each player’s station Qi15 . This additional noise should be added into in (3). In Qi182 , a phase noise of was demonstrated experimentally using the scheme proposed in Marie17 . We expect that a phase noise of could be achieved by further improving the system. Fig.5 shows the simulation results for the case of players at three different phase noise levels: . Even in the case of , a reasonable performance can still be achieved.
The CV QSS protocol proposed in this paper is based on the GMCS QKD, which requires each player to generate Gaussian distributed random numbers and to actively modulate the output of a local laser using phase and amplitude modulators. An alternative passive scheme based on a thermal source has been proposed to simplify the state preparation process in CV-QKD Qi18 . Such a scheme can also be applied in the proposed CV-QSS protocol. In this case, at each player’s station, the phase and amplitude measurements can be carried out with high precision on the portion of the state that is transmitted through the asymmetric beam splitter, rather than on the weaker portion coupled into the quantum channel.
As we noted in Section II, in this paper we assume that the dealer performs the homodyne detection. This arrangement allows us to apply the standard security proof of CV-QKD and employ the trusted detector noise model. Can we allow any participant in Fig.2 to be the dealer? One trivial solution is to let each participant have both source and detector. The one chosen as the dealer performs measurement while the others prepare quantum states. This solution requires modifications in the quantum transmission stage and needs complicated system designs and network re-routing. Can we achieve the same goal by only changing the postprocessing procedures? Imagine that after the quantum stage, in Fig.2 decides to be the dealer. could carry out the remaining steps of the protocol as outlined in Section II, with help from the other participants. More specifically, needs to estimate the potential QKD key rate with each player under the assumption that all the other players are dishonest. There are cases when the two trusted QKD parties prepared quantum states while the measurement was conducted by a dishonest player, a scenario as in measurement-device-independent (MDI) QKD Lo12 . In these cases, the security proof and key rate formulas developed in CV MDI-QKD Pirandola15 ; Li14 ; Ma14 could be applied directly. We remark that the existing schemes of CV MDI-QKD require a highly efficient homodyne detector and are more sensitive to channel losses. We leave the feasibility of CV-QSS based on CV MDI-QKD for future study.
In summary, we propose a CV-QSS protocol based on practical laser sources and homodyne detectors, which is intrinsically resilient to Trojan horse attacks. By connecting the CV-QSS to CV-QKD, we prove its security against both eavesdroppers and dishonest players in the presence of high channel loss.
This work was performed at Oak Ridge National Laboratory (ORNL), operated by UT-Battelle for the U.S. Department of Energy (DOE) under Contract No. DE-AC05-00OR22725. The authors acknowledge support from DOE’s Cybersecurity for Energy Delivery Systems Program, Technology Commercialization Fund and ORNL Technology Transfer and Economic Development (Partnerships) Royalty Funds.
References
- (1) A. Shamir, How to share a secret, Commun. ACM 22, 612 (1979).
- (2) G. R. Blakley, Safeguarding cryptographic keys, in Proceedings of the National Computer Conference (AFIPS Press, 1979), Vol. 48, pp. 313–317.
- (3) N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, Quantum cryptography, Rev. Mod. Phys. 74, 145 (2002).
- (4) V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, M. Dušek, N. Lütkenhaus, and M. Peev, The security of practical quantum key distribution, Rev. Mod. Phys. 81, 1301 (2009).
- (5) H.-K. Lo, M. Curty, and K. Tamaki, Secure quantum key distribution, Nat. Photon. 8, 595 (2014).
- (6) E. Diamanti, H.-K. Lo, B. Qi, and Z. Yuan, Practical challenges in quantum key distribution, npj Quantum Inf. 2, 16025 (2016).
- (7) M. Hillery, V. Bužek, and A. Berthiaume, Quantum secret sharing, Phys. Rev. A 59, 1829 (1999).
- (8) A. Karlsson, M. Koashi, and N. Imoto, Quantum entanglement for secret sharing and secret splitting, Phys. Rev. A 59, 162 (1999).
