
Experimental demonstration of quantum secret sharing


Abstract and Figures

We present a setup for quantum secret sharing based on energy-time entanglement. In contrast to known implementations using three-particle Greenberger-Horne-Zeilinger (GHZ) states, our idea takes advantage of only two entangled photons created via parametric down conversion. However, the system comprising the pump plus the two down-converted photons bears the same quantum correlation and can be used to mimic three entangled qubits. The relatively high coincidence count rates found in our setup enable for the first time an application of a quantum communication protocol based on more than two qubits.
W. Tittel, H. Zbinden, and N. Gisin
Group of Applied Physics, University of Geneva, CH-1211, Geneva 4, Switzerland
Received 23 June 2000; published 6 March 2001
DOI: 10.1103/PhysRevA.63.042301 PACS numbers: 03.67.Hk, 03.67.Dd
Entangled particles play the major role both as candidates for tests of fundamental physics [1–4] as well as in the whole field of quantum communication [5]. Until recently, most work has been focused on two-particle correlations. For a couple of years, however, the interest in multi-particle entanglement (which we identify in this article with $n > 2$) has been growing rapidly. From the fundamental side, particles in so-called GHZ states enable new tests of nonlocality [6]. From the side of quantum communication, more and more ideas for applications [7] like quantum secret sharing (QSS) [8–11] emerge. However, a major problem still is the lack of multi-photon sources. Nonlinear effects that enable one to "split" a pump photon into more than two entangled photons have extremely low efficiency, and experiments still lie in the future. Recently Bouwmeester et al. could demonstrate a different approach where they started with two pairs of entangled photons and transformed them via a clever measurement into three photons in a GHZ state and a fourth independent trigger photon [12]. In this article we demonstrate the feasibility of QSS using what we term pseudo-GHZ states. In contrast to "true" GHZ states, our states do not consist of three down-converted photons but only of two down-converted ones plus the pump photon. However, and essential for QSS, they bear the necessary GHZ quantum correlation. Moreover, thanks to much higher coincidence count rates, they enable us for the first time to realize a multi-particle application of quantum communication.
The outline of this article is the following: After a short review of GHZ states (Sec. II A), we will explain the QSS protocol (Sec. II B), first based on GHZ states and then using pseudo-GHZ states. Section III is dedicated to the experimental setup (Sec. III A) and to the results (Sec. III B). A brief discussion concerning some interesting security aspects and its relation to the maximum transmission distance is finally given in Sec. IV, followed by a short conclusion.
A. GHZ states
Entangled states of more than two qubits, so-called GHZ
states, can be described in the form
3), 1
are orthogonal states in an arbitrary Hilbert space and the indices label the particles (in this case three). As shown by Greenberger, Horne, and Zeilinger in 1989 [6], the attempt to find a local model able to reproduce the quantum correlations faces an inconsistency. In the multi-particle case, the contradiction occurs already when trying to describe the perfect correlations. Thus, demonstrating these correlations directly shows that nature cannot be described by local theories. However, since it will never be possible to experimentally demonstrate perfect correlations, the question arises whether there is some kind of threshold, similar to the one given by Bell inequalities for two-particle correlations [1], that enables one to separate the "nonlocal" from the "local" region. Indeed, the generalized Bell inequality for the three-particle case [13],
with E(
) the expectation value for a correlation measurement with analyzer settings
, can be violated by
quantum mechanics, the maximal value being
qm4. 3
For instance, finding a correlation function of the form
) with visibility $V$ above 50% shows that the correlations under test cannot be described by a local theory. Note that this value is much lower than in the two-particle case where the threshold visibility is 71%.
B. Quantum secret sharing
Quantum secret sharing [8–10] is an expansion of the "traditional" quantum key distribution to more than two parties. In this new application of quantum communication, a sender, usually called Alice, distributes a secret key to two other parties, Bob and Charlie, in a way that neither Bob nor Charlie alone has any information about the key, but that together they have full information. Moreover, an eavesdropper trying to get some information about the key creates errors in the transmission data and thus reveals her presence. The motivation for secret sharing is to guarantee that Bob and Charlie must cooperate (one of them might be dishonest) in order to do some task; one might think for instance of accessing classified information.
1050-2947/2001/634/0423016/$20.00 ©2001 The American Physical Society 63 042301-1
1. QSS using GHZ states
As pointed out by Żukowski et al. [8] and by Hillery et al. [9], this protocol can be realized using GHZ states. Assume three photons in a GHZ state of the form (1) with
being different modes of the particles (Fig. 1). After combining the modes at beamsplitters located at Alice's, Bob's and Charlie's, respectively, the probability to find the three photons in any combination of output ports depends on the settings
of the phase shifters:
兲兲 4
with $i, j, k = \pm 1$ labeling the different output ports. Before every measurement, Alice, Bob and Charlie choose randomly one out of two phase values $(0, \pi/2)$. After a sufficient number of runs, they publicly identify the cases where all detected a photon. All three then announce the phases chosen and single out the cases where the sum adds up either to 0 or $\pi$. Note that the probability function [Eq. (4)] yields 1/4 for these cases. Denoting l = cos(
) = ±1 and using $P_{i,j,k} = 1/4$, Eq. (4) leads to
$ijkl = 1$. (5)
At this point, each of them knows two out of the values $i, j, k, l$. If now Bob and Charlie get together and join their knowledge, they know three of the four parameters and can thus determine the last one, which is also known to Alice. Identifying "−1" with bit value "0" and "+1" with "1," the correlated sequences of parameter values can then be turned into a secret key.
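
The sifting and reconstruction steps of the protocol above, as an added example that is not code from the paper: a classical simulation in which ideal outcomes satisfy ijkl = 1 with the four allowed detector triples equally likely, and finite visibility V flips the correlation with probability (1 − V)/2, the relation the Results section gives for the quantum bit error rate. Function names, the seed, the uniform outcomes given to discarded rounds, and the mapping −1 → bit 0, +1 → bit 1 are assumptions of this example.

```python
import itertools
import random

# Phase settings in units of pi/2: 0 -> phase 0, 1 -> phase pi/2.
PHASE_CHOICES = (0, 1)


def measure_round(rng, visibility=1.0):
    """Simulate one round in which all three parties detected a photon.

    Returns ((a, b, c), (i, j, k)): phase settings in units of pi/2 and
    detector labels (+1 / -1) for Alice, Bob and Charlie.
    """
    phases = tuple(rng.choice(PHASE_CHOICES) for _ in range(3))
    j, k = rng.choice((-1, 1)), rng.choice((-1, 1))
    total = sum(phases) % 4
    if total % 2 == 0:
        # Phase sum is 0 or pi, so l = cos(sum) is +1 or -1 and the ideal
        # outcomes obey i*j*k*l = 1, each allowed triple with probability 1/4.
        l = 1 if total == 0 else -1
        i = j * k * l
        # Finite visibility V breaks the correlation with probability (1 - V)/2.
        if rng.random() < (1.0 - visibility) / 2.0:
            i = -i
    else:
        # This round is discarded during sifting; its outcome is drawn
        # uniformly (assumption of this example, irrelevant for the key).
        i = rng.choice((-1, 1))
    return phases, (i, j, k)


def sift(rounds):
    """Keep rounds whose announced phases sum to 0 or pi; return (l, i, j, k)."""
    kept = []
    for phases, (i, j, k) in rounds:
        total = sum(phases) % 4
        if total % 2 == 0:
            kept.append((1 if total == 0 else -1, i, j, k))
    return kept


def to_bit(value):
    """Map -1 -> bit 0 and +1 -> bit 1."""
    return (value + 1) // 2


def alice_key(sifted):
    """Alice's key bits come from her own value i."""
    return [to_bit(i) for _, i, _, _ in sifted]


def joint_key(sifted):
    """Bob (knows j) and Charlie (knows k) pool their values with the public l.

    i*j*k*l = 1 and every factor is +1 or -1, hence i = j*k*l.
    """
    return [to_bit(j * k * l) for l, _, j, k in sifted]


def bob_alone_posterior(l):
    """Exact P(i = +1 | j) over the four equally likely triples with i*j*k*l = 1."""
    allowed = [t for t in itertools.product((-1, 1), repeat=3)
               if t[0] * t[1] * t[2] * l == 1]
    posterior = {}
    for j in (-1, 1):
        with_j = [t for t in allowed if t[1] == j]
        posterior[j] = sum(1 for t in with_j if t[0] == 1) / len(with_j)
    return posterior


def error_rate(key_a, key_bc):
    """Fraction of positions where the two keys disagree."""
    return sum(x != y for x, y in zip(key_a, key_bc)) / len(key_a)


def demo(n_rounds=20000, visibility=0.922, seed=1):
    """Return (sifted fraction, error rate between Alice and Bob+Charlie)."""
    rng = random.Random(seed)
    sifted = sift([measure_round(rng, visibility) for _ in range(n_rounds)])
    return len(sifted) / n_rounds, error_rate(alice_key(sifted), joint_key(sifted))


if __name__ == "__main__":
    fraction, qber = demo()
    print(f"sifted fraction {fraction:.3f}, error rate {qber:.4f}")
    print("Bob alone, P(i=+1 | j):", bob_alone_posterior(+1))
```

`bob_alone_posterior` returns 0.5 for either value of j, which is the secret-sharing property: one share alone carries no information about Alice's bit.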
2. QSS using pseudo-GHZ states
FIG. 1. Schematics for quantum secret sharing using GHZ states. Note that in a real implementation, the source would be part of Alice's setup and not of a fourth, independent party.
FIG. 2. Principle setup for quantum secret sharing using energy-time entangled pseudo-GHZ states. Here shown is a fiber optical realiza-

We now explain how to implement quantum secret sharing using our source (see Fig. 2). The idea is based on a recently developed novel source for quantum communication, creating entangled photons in energy-time Bell states [14,15]. A short light pulse emitted at time $t_0$ enters an interferometer having a path length difference which is large compared to the duration of the pulse. The pulse is thus split into two pulses of smaller, equal amplitude, following each other with a fixed phase relation. The light is then focused into a nonlinear crystal where some of the pump photons are downconverted into photon pairs. The pump energy is assumed to be such that the possibility to create more than one pair from one initial pump pulse can be neglected. This first part of the setup is located at Alice's. The downconverted photons are then separated and sent to Bob and Charlie, respectively. Both of them are in possession of a similar interferometer as Alice, introducing exactly the same difference of travel times. The two possibilities for the photons to pass through any device lead to three time differences between emission of the pump pulse at Alice's and detection of the photons at Bob's and Charlie's, as well as between the detection of one downconverted photon at Bob's and the correlated one at Charlie's (Fig. 2). Looking for example at the possible time differences between detection at Bob's and emission of the pump pulse ($t_B - t_0$), we find three different terms. The first one is due to "pump pulse traveled via the short arm and Bob's photon traveled via the short arm" to which we refer as
B. Please note that this notation considers the pump pulse as being a single photon (now termed "Alice's photon"), stressing the fact that only one pump photon is annihilated to create one photon pair. Moreover, the fact that this state is not a product state is taken into account by separating the two kets by ",". The second time difference is either due to
B, and the third one to
B. Similar time spectra arise when looking at the time differences between emission at Alice's and detection at Charlie's ($t_C - t_0$), as well as between the detections at Bob's and Charlie's ($t_C - t_B$). Selecting now only processes leading to the central peaks [16], we find two possibilities. If both of them are indistinguishable, the process is described by
C), 6
with phases
in the different interferometers. The maximally entangled state (6) is similar to the GHZ state given in Eq. (1), the difference being that the three photons do not exist at the same time (remember the ","). Therefore, our state is obviously of no significance concerning GHZ-type tests of nonlocality. To stress this difference, we call it pseudo-GHZ state. However, the probability function describing the triple coincidences [Eq. (4)], in our case between emission of a pump pulse and detection at Bob's and Charlie's, is the same as the one originating from a true GHZ state, therefore allowing QSS. To avoid the complication of switching the pump laser randomly between one of the two input ports (equivalent to detecting a photon in one or the other output port), we let Alice choose between one of four phase values
/2). To map the choice of phases on the initial scheme where the information of Alice, Bob, and Charlie is given by a phase setting and a detector label, we assign a different notation to characterize Alice's phases (Table I). Using this convention, we can implement the same protocol as given above, the advantage being the fact that our setup circumvents creation and coincidence detection of triple photons. Indeed, the emission of the bright pump pulse can be considered as detection of a photon with 100% efficiency, and only photon-pair generation is necessary. This leads to much higher triple coincidence rates, enabling the demonstration of a multi-qubit application of quantum communication. Note as well that the same setup can also be used for two-party quantum key distribution based on energy-time Bell states [15].
Like in two-party quantum cryptography, the security of quantum secret sharing using GHZ states is given by the fact that the measurements are made in noncommuting bases [9,10,17]. An eavesdropper, including a dishonest Alice, Bob or Charlie, is thus forced to guess about the bases that will be chosen. The fact that she will guess wrong in half of the cases then leads to detectable errors in the transmission data which reveal her presence. However, as discussed in [10], the order of releasing the public information to verify the security of the transmitted data is important in the three-party case, where one must face the situation of an internal eaves-
One might question the security of our setup, the weak point being the channel leading from Alice's interferometer to the crystal. Here, the light is classical and the phase could be measured without modifying the system. However, since this part is controlled by Alice and the parts physically accessible to an eavesdropper carry only quantum systems, our realization does not incorporate any loophole. Note as well that in the schemes presented in Figs. 1 and 2, not only Alice but any of the three can force the two others to collaborate. However, it is not clear yet whether Alice's special position of having access to the source might give her an advantage concerning internal eavesdropping. In this case, the symmetry for key distribution might be broken. Being beyond the scope of this article, problems arising from external and internal eavesdropping are certainly worth further theoretical
A. Experimental setup
To generate the short pump pulse, we use a pulsed diode laser (Pico-Quant PDL 800), emitting 600 ps (FWHM) pulses of 655 nm wavelength at a repetition frequency of 80 MHz. The small amount of also emitted infrared light is prevented from entering the subsequent setup by means of a dispersive prism. After passing a polarizing beamsplitter (PBS) serving as optical isolator, the pump is focused into a single mode fiber and guided into a fiber-optical Michelson interferometer made of a 3 dB fiber coupler and chemically deposited silver end mirrors. The path-length difference corresponds to a difference of travel time of 1.2 ns, splitting the pump pulse into two well separated pulses. The temperature of the whole interferometer is maintained stable. To change the phase difference, we elongate the fiber of the long arm by means of a piezo-electric actuator. Three polarization controllers enable us to control the evolution of the polarization state within the different parts of the interferometer. By these means, we ensure that the evolutions of polarization in the long and the short arm are identical. Besides, the light being back-reflected is prevented from impinging onto the laser diode by means of the PBS. Finally, the horizontally polarized light leaving the interferometer by the second output fiber is focused into a 4×3×12 mm KNbO3 crystal, cut and oriented in order to ensure colinear, degenerate phasematching, hence creating photon pairs at 1310 nm wavelength. Behind the crystal, the red pump light is absorbed by a filter (RG1000), and the photon pairs are focused into a fiber coupler, separating them in half of the cases. The average pump power before the crystal is 1 mW, and the energy per pulse is (remember that each initial pump pulse is now split into two) 6 pJ. To characterize the performance of our source, we connect the coupler's output fibers to single-photon counters: passively quenched germanium avalanche photodiodes, operated in Geiger-mode and cooled to 77 K. They feature quantum efficiencies of 5% at dark count rates of 30 kHz. We find net single-photon rates of 20 and 27 kHz, respectively, leading to 420 coincidences per second in a 1 ns coincidence window.
TABLE I. Mapping of the four possible phases
at Alice's on
two phase values
and the parameter i.
/2 0
The down-converted photons are finally guided into fiber optical Michelson interferometers, located at Bob's and Charlie's, respectively. The interferometers, consisting of a 3 dB fiber coupler and Faraday mirrors, have been described in detail in [18]. To access the second output port, usually coinciding with the input port for this kind of interferometer, we implement three-port optical circulators. The interferometers incorporate equal path length differences, and the travel time difference is the same as the one introduced by the interferometer acting on the pump pulse. To control their phases, the temperature of Alice and Bob's interferometers can be varied or can be maintained stable.
The output ports are connected to single-photon counters, operated as discussed before. Due to 6 dB additional losses in each interferometer, the single-photon detection rates drop to 4–7 kHz. The electrical output from each detector is fed into a fast AND gate, together with a signal, coincident with the emission of a pump pulse. We condition the detection at Bob's and Charlie's on the central peaks (
A, and
B, respectively. Looking at coincident detections between two AND gates (equivalent to triple coincidences), we finally select only the interfering processes for detection.
B. Results
To demonstrate the feasibility of quantum secret sharing, we verify whether the quantum correlations are correctly described by the sinusoidal function given in Eq. (4). Linearly changing the phase in Alice's as well as in Bob's interferometer we observe sinusoidal fringes in the triple coincidence rates (see Fig. 3). Maximum count rates are around 800 in 50 s and minimum ones around 35. Visibilities are in between 89.3% and 94.5% for the different detector combinations, leading to a mean visibility of (92.2 ± 0.8)% and a quantum bit error rate $R_{\mathrm{QBER}}$ (the ratio of errors to detected events) of (3.9 ± 0.4)%. The $R_{\mathrm{QBER}}$ can directly be obtained from the visibility: $R_{\mathrm{QBER}} = (1 - V)/2$. Figure 4 shows the same results, now taking into account that Alice may have chosen a phase value larger than $\pi/2$ and that the mapping given in Table I applies. In these cases, the new global phase
/2 and the value for i changes from 1 to
1. Figure 4 depicts the modified data around
l = +1); the similar figure for
i.e., l = −1) is not shown here. For better presentation, the data is divided into two graphs, one focusing on the detector combinations showing constructive interference, the other one on the combinations showing destructive interference. If, e.g., Bob and Charlie both detect a photon in the "+"-labeled detectors in the case
0 (i.e., j, k, l = +1), they know that Alice's value i must be 1 as well since this is the only detector combination showing constructive interference.
FIG. 3. Result of the measurement when changing the global
by varying the phase
in Alice's interferometer. The different mean values are due to nonequal quantum efficiencies of the single photon detectors.
FIG. 4. Interpreting the obtained results for QSS corresponding to Table I. The figure shows the data around
0 (i.e., l = +1). If, e.g., Bob and Charlie both detect a photon in the "+"-labeled detectors in this case, they know that Alice's value i must be 1 as
Like in all experimental quantum key distribution, the $R_{\mathrm{QBER}}$ is nonzero, even in the absence of any eavesdropping. The observed 4% can be divided into two different parts. The first one (the so-called $R_{\mathrm{QBER}}^{\mathrm{opt}}$) originates from nonperfect localization of the pump pulse, limited resolution of the single-photon detectors and nonperfect interference. Note that the number of errors is due to wrongly arriving photons at Alice's and Bob's. Therefore, it decreases with transmission losses, at the same rate as does the number of transmitted photons. Hence, these errors do not engender an increase of the $R_{\mathrm{QBER}}$ with distance. The other part (the $R_{\mathrm{QBER}}^{\mathrm{acc}}$) is caused by wrong counts from accidentally correlated counts at the single-photon counters. In opposition to the errors mentioned before, these errors are independent of losses, since, in our experiment, they are mostly due to constant detector noise. Therefore, the $R_{\mathrm{QBER}}^{\mathrm{acc}}$ increases linearly with losses. However, since it causes only 10% of the total $R_{\mathrm{QBER}}$ in our laboratory demonstration, the $R_{\mathrm{QBER}}$ will increase only at a small rate. From our results we can estimate the $R_{\mathrm{QBER}}$ as a function of losses of the quantum channel:
opt 1
acc 07
with $R_{\mathrm{QBER}}^{\mathrm{opt}}$ of 3.6%, and $R_{\mathrm{QBER}}^{\mathrm{acc}}(0)$ of 0.4% being the detector induced $R_{\mathrm{QBER}}$ as measured in the lab. $L$ characterizes the additional losses during transmission, where $L = 0$ denotes no losses and $L = 1$ means that all photons have been ab-
Let us briefly elaborate on the obtained visibilities with respect to the critical visibility that can still be tolerated. Its value is given by the point where the information that might have been obtained by an eavesdropper cannot be made arbitrarily small using classical error correction and privacy amplification any more. In case of two-party quantum key distribution using the Bennett-Brassard 1984 (BB84) protocol [19], it corresponds exactly to a violation of two-particle Bell inequalities [17]. In the three-party case, the critical visibility in the context of external eavesdropping is not known yet. However, it is reasonable to assume a similar connection. Therefore, we compare our mean visibility to the value given by the generalized Bell inequality [Eq. (2)], even if our setup does not incorporate GHZ-type nonlocality [20]: The found visibility of (92.2 ± 0.8)% is more than 50 standard deviations (σ) higher than the threshold visibility of 50% for the three-particle case. Moreover, it is more than 25σ above 71%, the value given by standard two-particle Bell inequalities, possibly important in the context of internal eavesdropping by one of the legitimated users. Within this respect, it is also interesting to calculate $S_{\mathrm{exp}}$: We find $S_{\mathrm{exp}} = 3.69$, well above S3
2 [Eq. (2)]. Therefore, the performance of our source is good enough to detect any eavesdropping and to ensure secure key distribution. Moreover, the bit-rate of 15 Hz underlines its potential for real applications. To compare our coincidence rate to an experiment using true GHZ states [12], Bouwmeester et al. found one GHZ state per 150 s. However, in order to really implement our setup for quantum secret sharing, an active phase stabilization compensating small interferometric drifts in Alice's interferometer as well as fast phase modulators still have to be incorporated [21].
Let us finally comment on the possibility to extend our experiment to longer distances. As discussed before, the maximum achievable distance is likely to be limited either by a minimum visibility of $V = 50\%$, hence a $R_{\mathrm{QBER}}$ of 25% (external eavesdropping), or by $V_{\min} = 71\%$, hence a $R_{\mathrm{QBER}}$ of 15% (internal eavesdropping). From Eq. (7), we find that losses of 96%, equivalent to 14 dB, or 98% (17 dB), respectively, can still be tolerated. Using the typical fiber attenuation of 0.35 dB/km at a wavelength of 1310 nm, this translates into a respective maximum transmission distance of 40 km in case of internal eavesdropping, or 50 km in case of external eavesdropping. Finally, taking into account that phase modulators, typically featuring losses of 3 dB, must still be implemented, we find a maximum span of 30–40 km.
In conclusion, we demonstrated the feasibility of quantum secret sharing using energy-time entangled pseudo-GHZ states in a laboratory experiment. We found bit-rates of around 15 Hz and quantum bit error rates of 4%, low enough to ensure secure key distribution. The advantage of our scheme is the fact that neither triple-photon generation nor coincidence detection of three photons is necessary, enabling for the first time an application of a multi-particle quantum communication protocol. Moreover, since energy-time entanglement can be preserved over long distances [3], our results are very encouraging for realizations of quantum secret sharing over tens of kilometers.
We would like to thank J.-D. Gautier for technical support and Picoquant for fast delivery of the laser. Support by the Swiss FNRS and the European QuCom (IST-1999-10033) project is gratefully acknowledged.
[1] J.S. Bell, Physics (Long Island City, N.Y.) 1, 195 (1964).
[2] A. Aspect, P. Grangier, and G. Roger, Phys. Rev. Lett. 47, 460
[3] W. Tittel, J. Brendel, H. Zbinden, and N. Gisin, Phys. Rev. Lett. 81, 3563 (1998).
[4] G. Weihs, T. Jennewein, C. Simon, H. Weinfurter, and A. Zeilinger, Phys. Rev. Lett. 81, 5039 (1998).
[5] Physics World, March 1998, special issue in quantum communication. Introduction to Quantum Computation and Information, edited by H.K. Lo, S. Popescu, and T. Spiller (World Scientific, Singapore, 1998).
[6] D.M. Greenberger, M.A. Horne, A. Shimony, and A. Zeilinger, Am. J. Phys. 58, 1131 (1990).
[7] S. Bose, V. Vedral, and P.L. Knight, Phys. Rev. A 57, 822
[8] M. Żukowski, A. Zeilinger, M.A. Horne, and H. Weinfurter, Acta Phys. Pol. A 93, 187 (1998).
[9] M. Hillery, V. Buzek, and A. Berthiaume, Phys. Rev. A 59, 1829 (1999).
[10] A. Karlsson, M. Koashi, and N. Imoto, Phys. Rev. A 59, 162
[11] R. Cleve, D. Gottesman, and H.-K. Lo, Phys. Rev. Lett. 83, 648 (1999).
[12] D. Bouwmeester, J.-W. Pan, M. Daniell, H. Weinfurter, and A. Zeilinger, Phys. Rev. Lett. 82, 1345 (1999).
[13] N.D. Mermin, Phys. Rev. Lett. 65, 1838 (1990); D.N. Klyshko, Phys. Lett. A 172, 399 (1993); N. Gisin and H. Bechmann-Pasquinucci, ibid. 246, 1 (1998).
[14] J. Brendel, N. Gisin, W. Tittel, and H. Zbinden, Phys. Rev. Lett. 82, 2594 (1999).
[15] W. Tittel, J. Brendel, H. Zbinden, and N. Gisin, Phys. Rev. Lett. 84, 4737 (2000).
[16] The desired processes are thus postselected, leading to a decrease of count rates. It is in principle possible to create only the events in the central peaks using switches instead of passive couplers [14].
[17] C. Fuchs, N. Gisin, R.B. Griffiths, C.S. Niu, and A. Perez, Phys. Rev. A 56, 1163 (1997); I. Cirac and N. Gisin, Phys. Lett. A 229, 1 (1997).
[18] W. Tittel, J. Brendel, N. Gisin, and H. Zbinden, Phys. Rev. A 59, 4150 (1999).
[19] C.H. Bennett and G. Brassard, in Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, India (IEEE, New York, 1984), p. 175.
[20] Note that it is only important that the obtained data violates the Bell inequality and that this criterion applies even to crypto systems based on single photons. Nonlocality is not an issue in this context [17]!
[21] Stability is a common problem in all quantum key distribution schemes, the only exception being A. Muller, T. Herzog, B. Huttner, W. Tittel, H. Zbinden, and N. Gisin, Appl. Phys. Lett. 70, 793 (1997); G. Ribordy, J.-D. Gautier, N. Gisin, O. Guinnard, and H. Zbinden, J. Mod. Opt. 47, 517 (2000).
... Quantum mechanics provides an elegant solution to the control problems via quantum secret sharing (QSS) [21,22]. Its implementation, which originally required exotic multi-photon Greenberg-Horne-Zeilinger (GHZ) states [23,24], has been substantially simplified through use of pseudo-GHZ states comprising just photon pairs and thus enabled the first QSS demonstration based on time-bin entanglement [25]. Recently, two-photon QSS approach was successfully extended to polarization encoding [26]. ...
... Inspired by the two-photon QSS protocol [25], we propose a simple but profoundly useful upgrade to a conventional entanglement source to have access-control in which a binary pseudo-randomness is introduced. By further introducing the maximally mixed state, we show this enhanced entanglement source can effectively protect DI-QKD from memory attacks at a negligible cost. ...
... Alice's measurement outcome is thus required for Bob and Coy if they want to perform the conventional EB-QKD protocol, and in this sense Alice can be regarded as the QKD controller, which is also known as third-man quantum cryptography [24]. Instead of using genuine three-qubit GHZ state, it is pointed out that the controller need not to actually perform measurements on the state, but locally preparing and randomly distributing four possible twoqubit states [25,26]. Note that the choice of measurement setting of Alice is public information, thus only one bit information is kept secret for each run in the practical implementation. ...
Full-text available
Quantum entanglement has become an essential resource in quantum information processing. Existing works employ entangled quantum states to perform various tasks, while little attention is paid to the control of the resource. In this work, we propose a simple protocol to upgrade an entanglement source with access control through phase randomization at the optical pump. The enhanced source can effectively control all users in utilizing the entanglement resource to implement quantum cryptography. In addition, we show this control can act as a practical countermeasure against memory attack on device-independent quantum key distribution at a negligible cost. To demonstrate the feasibility of our protocol, we implement an experimental setup using just off-the-shelf components and characterize its performance accordingly.
... The latter can use mature security proofs and technology of QKD, and could bring operational advantages such as it can switch between different protocols by configuring only the classical post-processing program and no modification of hardware devices are required. Depending on the quantum resources employed, the discrete variable QSS including the entangled state QSS 7,[9][10][11][12][13] , the single qubit QSS [14][15][16] , the single qudit QSS [17][18][19] , and the postselected multipartite entanglement state QSS 20 have been investigated. The continuous variable QSS with the entangled state [21][22][23][24] and coherent state [25][26][27][28] were also presented. ...
... For instance, the single qubit QSS protocol is vulnerable to Trojan horse attacks 39,40 where an eavesdropper can send a signal to the player's station and unambiguously determine the private information by measuring the output signals. The QSS 7,[9][10][11][12][13] and CKA 8,29-34 based on the GHZ entangled state are appealing. For certain CKA networks with bottlenecks 31 , the GHZ resource state can be distributed in a single use of the network for the multipartite entanglement protocol, despite the complicated quantum network coding with two-qubit gates failure rates and channel noises below certain threshold are required. ...
Full-text available
Quantum secret sharing (QSS) and conference key agreement (CKA) provide efficient encryption approaches for realizing multi-party secure communication, which are essential components of quantum networks. In this work, a practical, scalable, verifiable ( k , n ) threshold continuous variable QSS protocol secure against eavesdroppers and dishonest players are proposed and demonstrated. The protocol does not require preparing the laser source by each player and phase locking of independent lasers. The parameter evaluation and key extraction can be accomplished by only the dealer and the corresponding player. By using the multiple sideband modulation, a single heterodyne detector can extract the information of multiple players. The practical security of the system is considered. The system is versatile, it can support the CKA protocol by only modifying the classic post-processing and requiring no changes to the underlying hardware architecture. By implementing the QSS and CKA protocols with five parties over 25 km (55 km) single-mode fibers, a key rate of 0.0061 (7.14 × 10 ⁻⁴ ) bits per pulse is observed. The results significantly reduces the system complexity and paves the way for the practical applications of QSS and CKA with efficient utilization of resources and telecom technologies.
... The first ever quantum cryptographic protocol is the BB84 quantum key distribution (QKD) [4], which generates a shared secret key between two parties, was proposed by Bennett and Brassard in 1984. Some remarkable branches of quantum cryptography are QKD [4][5][6][7][8][9][10][11][12][13][14], quantum secure direct communication (QSDC) [15][16][17][18][19][20][21][22][23][24][25][26][27], quantum secret sharing (QSS) [28][29][30][31][32][33][34][35][36][37][38][39][40][41][42][43][44][45] and quantum key agreement (QKA) [46][47][48][49][50][51]. ...
Full-text available
Quantum secret sharing is a way to share secret messages among several people using the quantum channel with unconditional security. Hillery et al. (Phys Rev A 59(3):1829, 1999) proposed the first quantum secret sharing protocol for three parties by using the 3-qubit GHZ states and a possible generalization of the protocol for four parties by using the 4-qubit GHZ states. Also in the same paper, they proposed a three-party secret-sharing scheme to share quantum states. Later Xiao et al. (Phys Rev A 69(5):052307, 2004) generalized the quantum secret sharing protocol for n parties to share a classical secret message. In this paper, we implement these protocols in IBM simulators as well as real backends and check security against some quantum attacks. Also, we create a noise model and simulate the protocols using the noise model. Finally, we use the zero noise extrapolation method to mitigate errors due to noise.
... While the distribution of multi-photon entangled states is strictly limited to neighboring nodes and comparatively short distances, in a neutral atom quantum network any multi-party entangled state can be shared efficiently across the partners of the network. This enables, e.g., the creation of secure keys between several parties [132][133][134] which in turn form the basis for secret sharing or conference agreement between several parties 135. Among others, novel schemes with higher efficiency or schemes that are not even possible with only classical communication become feasible, i.e., a scheduling (or Byzantine) agreement [136][137][138]. ...
Quantum networks providing shared entanglement over a mesh of quantum nodes will revolutionize the field of quantum information science by offering novel applications in quantum computation, enhanced precision in networks of sensors and clocks, and efficient quantum communication over large distances. Recent experimental progress with individual neutral atoms demonstrates a high potential for implementing the crucial components of such networks. We highlight latest developments and near-term prospects on how arrays of individually controlled neutral atoms are suited for both efficient remote entanglement generation and large-scale quantum information processing, thereby providing the necessary features for sharing high-fidelity and error-corrected multi-qubit entangled states between the nodes. We describe both the functionality requirements and several examples for advanced, large-scale quantum networks composed of neutral atom processing nodes.
... In the case that Eve imposes as one of the senders, Kai and Lo provide a depolarizing procedure for the ancilla bits held by the eavesdropper. Other quantum cryptographic schemes involving GHZ states are cited in the bibliography 12,13,14,15,16,17. ...
We propose a new quantum key distribution scheme that is based on the optimum expectation values of maximally entangled Greenberger-Horne-Zeilinger states. Our protocol makes use of the degrees of freedom in continuously variable angles, thereby increasing the security of the key distribution. Outlined are two protocols that distribute a key from Alice to Bob using the above idea, followed by an extension that allows for the same key to be shared with Charlie. We show how this scheme provides for certain detection of any eavesdropper through absolute violation rather than the probabilistic violation used in many protocols.
... Each signal undergoes a distinct physical process and is individually measured at a quantum receiver. This class of QIT protocols encompasses various applications, including quantum metrology based on multipartite entanglement [12,13], distributed quantum sensing [14][15][16][17][18][19], quantum machine learning for distributed data processing [20], and quantum secret sharing [21][22][23][24][25]. ...
Entanglement is a quintessential quantum mechanical phenomenon with no classical equivalent. First discussed by Einstein, Podolsky, and Rosen and formally introduced by Schrödinger in 1935, entanglement has grown from a scientific debate to a radically new resource that sparks a technological revolution. This review focuses on the fundamentals and recent advances in entanglement-based quantum information technology (QIT), specifically in photonic systems. Photons are unique quantum information carriers with several advantages, such as their ability to operate at room temperature, their compatibility with existing communication and sensing infrastructures, and the availability of readily accessible optical components. Photons also interface well with other solid-state quantum platforms. We will first provide an overview on entanglement, starting with an introduction to its development from a historical perspective followed by the theory for entanglement generation and the associated representative experiments. We will then dive into the applications of entanglement-based QIT for sensing, imaging, spectroscopy, data processing, and communication. Before closing, we will present an outlook for the architecture of the next-generation entanglement-based QIT and its prospective applications.
... Alternatively, multipartite entangled states can be used to realize QCKA for achieving a genuine advantage over the point-to-point quantum communication protocols 32. Several experimental works on multipartite quantum communication and distribution of the Greenberger-Horne-Zeilinger (GHZ) entanglement 33,34 have been demonstrated [35][36][37][38][39][40]. Nevertheless, these works remain quite unpractical due to their low key rates and fragility of entanglement resources. ...
Quantum conference key agreement is an important cryptographic primitive for future quantum network. Realizing this primitive requires high-brightness and robust multiphoton entanglement sources, which is challenging in experiment and unpractical in application because of limited transmission distance caused by channel loss. Here we report a measurement-device-independent quantum conference key agreement protocol with enhanced transmission efficiency over lossy channel. With spatial multiplexing nature and adaptive operation, our protocol can break key rate bounds on quantum communication over quantum network without quantum memory. Compared with previous work, our protocol shows superiority in key rate and transmission distance within the state-of-the-art technology. Furthermore, we analyse the security of our protocol in the composable framework and evaluate its performance in the finite-size regime to show practicality. Based on our results, we anticipate that our protocol will play an important role in constructing multipartite quantum network.
The multiparty‐mediated quantum secret sharing (MQSS) protocol proposed by Tsai et al. [Quantum Inf. Process., 2022, 21, 63] allows n restricted users with limited quantum capabilities to share secret information using a dishonest third party with full quantum capabilities. Although the MQSS protocol allows restricted users to achieve secret sharing with lightweight quantum capabilities, the qubit efficiency of this protocol can be further improved. Therefore, this study proposes a measurement property of the graph state to design an efficient mediated quantum secret‐sharing protocol in the same quantum environment as that of Tsai et al.’s protocol. The proposed MQSS protocol not only inherits the lightweight property of Tsai et al.’s protocol but also improves the qubit efficiency of Tsai et al.’s protocol by times. Security analysis is performed to show that the proposed MQSS protocol can avoid collective, collusion, and Trojan horse attacks. Furthermore, this study uses quantum network simulation software to implement Tsai et al.’s protocol and the proposed protocol to prove the feasibility of the proposed MQSS protocol and show that it is more efficient than Tsai et al.’s protocol.
Quantum conference key agreement (QCKA) allows multiple users to establish a secure key from a shared multi-partite entangled state. In a quantum network, this protocol can be efficiently implemented using a single copy of a N-qubit Greenberger-Horne-Zeilinger (GHZ) state to distil a secure N-user conference key bit, whereas up to N-1 entanglement pairs are consumed in the traditional pair-wise protocol. We demonstrate the advantage provided by GHZ states in a testbed consisting of a photonic six-user quantum network, where four users can distil either a GHZ state or the required number of Bell pairs for QCKA using network routing techniques. In the asymptotic limit, we report a more than two-fold enhancement of the conference key rate when comparing the two protocols. We extrapolate our data set to show that the resource advantage for the GHZ protocol persists when taking into account finite-key effects.
Quantum secret sharing (QSS) is a significant branch of quantum cryptography and can be widely used in various applications. Quantum secret sharing schemes can be developed by utilizing different features of quantum mechanics, and quantum secure direct communication (QSDC) is an effective way to achieve secret sharing using single qubits. The utilization of QSDC offers certain benefits, such as low cost, high security, and great potential for implementation with current technologies. However, the purpose of QSDC is different from that of QSS, which causes some vulnerabilities, such as dishonest participant attacks. We discover two critical factors that affect the security of traditional protocols. Firstly, they skip a few steps from the QSDC protocol to the QSS protocol. Secondly, the participants have different privileges. This can lead to participants with more privileges engaging in potential attack behavior. In light of these issues, this study proposes a new multiparty QSS scheme to address these vulnerabilities. The proposed protocol ensures the independence of each participant and grants them equal privileges. Analysis results demonstrate that it can defend against malicious attackers, retain the advantages of the QSDC protocol, and further reduce transmission costs. It achieves an excellent balance between security and performance.
We consider the Bennett-Brassard cryptographic scheme, which uses two conjugate quantum bases. An eavesdropper who attempts to obtain information on qubits sent in one of the bases causes a disturbance to qubits sent in the other basis. We derive an upper bound to the accessible information in one basis, for a given error rate in the conjugate basis. Independently fixing the error rates in the conjugate bases, we show that both bounds can be attained simultaneously by an optimal eavesdropping probe. The probe interaction and its subsequent measurement are described explicitly. These results are combined to give an expression for the optimal information an eavesdropper can obtain for a given average disturbance when her interaction and measurements are performed signal by signal. Finally, the relation between quantum cryptography and violations of Bell’s inequalities is discussed.
Some guidelines for the comparison of different quantum key distribution experiments are proposed. An improved 'plug & play' interferometric system allowing fast key exchange is then introduced. Self-alignment and compensation of birefringence remain. Original electronics implementing the BB84 protocol and allowing user-friendly operation is presented. Key creation with 0.1 photon per pulse at a rate of 486 Hz with a 5.4% QBER - corresponding to a net rate of 210 Hz - over a 23 km installed cable was performed.
The premises of the Einstein-Podolsky-Rosen argument for their claim that quantum mechanics is an incomplete theory are inconsistent when applied to three-particle systems in entangled Greenberger-Horne-Zeilinger states. However, thus far there is no experimental confirmation for existence of such states. We propose a technique to obtain Greenberger-Horne-Zeilinger states which rests upon an observation that when a single particle from two independent entangled pairs is detected in a manner such that it is impossible to determine from which pair the single came, the remaining three particles become entangled.
We show how a quantum secret sharing protocol, similar to that of Hillery, Buzek, and Berthiaume (Los Alamos e-print archive quant-ph/9806063), can be implemented using two-particle quantum entanglement, as available experimentally today. We also discuss in some detail how both two- and three-particle protocols must be carefully designed in order to detect eavesdropping or a dishonest participant. We also discuss the extension of a multiparticle entanglement secret sharing and splitting scheme toward a protocol so that m of n persons with m<=n can retrieve the secret.
It is demonstrated that the premisses of the Einstein-Podolsky-Rosen paper are inconsistent when applied to quantum systems consisting of at least three particles. The demonstration reveals that the EPR program contradicts quantum mechanics even for the cases of perfect correlations. By perfect correlations is meant arrangements by which the result of the measurement on one particle can be predicted with certainty given the outcomes of measurements on the other particles of the system. This incompatibility with quantum mechanics is stronger than the one previously revealed for two-particle systems by Bell's inequality, where no contradiction arises at the level of perfect correlations. Both spin-correlation and multiparticle interferometry examples are given of suitable three- and four-particle arrangements, both at the gedanken and at the real experiment level.
We have measured the linear polarization correlation of the photons emitted in a radiative atomic cascade of calcium. A high-efficiency source provided an improved statistical accuracy and an ability to perform new tests. Our results, in excellent agreement with the quantum mechanical predictions, strongly violate the generalized Bell's inequalities, and rule out the whole class of realistic local theories. No significant change in results was observed with source-polarizer separations of up to 6.5 m.
Secret sharing is a procedure for splitting a message into several parts so that no subset of parts is sufficient to read the message, but the entire set is. We show how this procedure can be implemented using Greenberger-Horne-Zeilinger (GHZ) states. In the quantum case the presence of an eavesdropper will introduce errors so that his presence can be detected. We also show how GHZ states can be used to split quantum information into two parts so that both parts are necessary to reconstruct the original qubit. [S1050-2947(99)00803-3].
A concrete optical experiment similar to the one proposed by Greenberger, Horne and Zeilinger (GHZ) and the possibility of obtaining experimental data, directly (without averaging) contradicting the Bell hidden variables theory (HVT) are discussed. The influence of accidental coincidences is considered. The used Heisenberg representation is manifestly local.
First, we present a Bell-type inequality for n qubits, assuming that m out of the n qubits are independent. Quantum mechanics violates this inequality by a ratio that increases exponentially with m. Hence an experiment on n qubits violating this inequality sets a lower bound on the number m of entangled qubits. Next, we propose a definition of maximally entangled states of n qubits. For this purpose we study five different criteria. Four of these criteria are found compatible. For any number n of qubits, they determine an orthogonal basis consisting of maximally entangled states generalizing the Bell states.
An elementary derivation of best eavesdropping strategies for the four state BB84 quantum cryptography protocol is presented, for both incoherent and two-qubit coherent attacks. While coherent attacks do not help Eve to obtain more information, they are more powerful to reveal the whole message sent by Alice. Our results are based on symmetric eavesdropping strategies, which we show to be sufficient to analyze these kinds of problems.