1. Introduction

Quantum key distribution (QKD) exploits the “no cloning theorem” of quantum mechanics in order to provide a means of establishing a secret key shared between two or more remote locations [1,2]. QKD systems typically comprise a sender, Alice, and a receiver, Bob, linked by two communication channels: one for quantum information; and one for classical information. While the classical communication can be executed over any authenticated public channel, the quantum communication often requires a dedicated link between Alice and Bob, and more importantly, between any two out of N parties wishing to establish a shared key.

For a large number of parties, this point to point connection requirement quickly leads to an unwieldy number of quantum links (O(N ²) for N parties), as in Fig. (1). Moreover, if full connectivity is required, then almost every party would need to be capable of both emitting and detecting single photons. Other multi-user QKD network geometries such as branching, star and loop structures have been proposed in part to reduce this requirement [3, 4].

 

Fig. 1 N parties p with N(N − 1)/2 quantum channels (dashed black line) with a classical channel (solid red line). Any two nodes can perform QKD independently of the remaining N − 2 parties. Squares must be able to detect or emit single qubits.

Download Full Size | PDF

Efforts to consolidate resources and to extend QKD to multiple parties have led to multi-qubit and single-qubit quantum secret sharing (QSS) techniques [5–9]. In multi-qubit QSS, an N-qubit state is distributed to N parties, each of whom performs a measurement on his or her respective qubit. In single-qubit QSS [10, 11], as in Fig. (2), each party performs an operation on a single qubit in sequence. In both cases, all parties share one bit of information about the measurement or operation performed. In roughly half of the cases, these steps yield deterministic results. In such a case any set of N − 1 participants can meet and use their secret information to determine the secret information of the Nth party. Such a set is called an authorized set, while any set of less than N-1 nodes can’t generate the secret and is called an unauthorized set [12, 13].

 

Fig. 2 N parties p on a shared quantum channel (dashed black line) with a classical channel (solid red line). Any two nodes can build a secret key with collaboration from the remaining N − 2 parties.

Download Full Size | PDF

Here we pause to note a significant difference between QKD and QSS. The secret information created by QSS is known by more than two parties for N > 3. In other words the authorized set contains more parties than just Alice and Bob. Thus Alice and Bob can not truly use QSS generated keys to securely encrypt information as other participants will also possess, or be able to possess, the same keys. By modifying the classical communication procedures of a single-qubit QSS protocol, we develop a novel protocol that overcomes this challenge and allows for the creation of truly secret two party keys regardless of the number of active nodes on the network or the relative positions of Alice and Bob. Moreover, our protocol closes the security loopholes associated with single-photon QSS. [14, 17]. Thus we are able to combine the respective strengths of QKD and QSS.

2. Review of single-qubit QSS

We begin with a more detailed review of single-qubit QSS. The process begins with a qubit prepared in a known state, such as

Next, all parties reveal partial information about their phase shifts to the Nth party which, in turn, determines whether or not these choices lead to a deterministic measurement result, i.e., whether Σ_jϕ_j is an integer multiple of π [5]. Specifically, every party reveals whether their respective phase shift ϕ_i for a given qubit was in the basis set {0, π} or in the basis set {π/2, 3π/2}. From these disclosures, it can be determined by the Nth party which runs led to a deterministic measurement result, and the rest can be discarded. The Nth party then announces publicly which bits to discard and which to keep.

From the retained results, any authorized set of N − 1 parties can infer the specific phase choice ϕ_i, i.e. the secret information of the remaining ith party, if and only if they collaborate in a secret meeting and reveal to each other their exact phase choices, i.e. their secret information. For the Nth party (the one performing the measurement), the measurement result is the secret information.

It is interesting to note that single-qubit QKD is equivalent to single-qubit QSS for the case N = 2. That is, Alice prepares qubits and applies one of the four phase shifts ϕ_a, while Bob applies one of two phase shifts ϕ_b ∈ {0, π/2}. They share their basis choices, but keep some information private: namely Alice’s specific phase choice and Bob’s measurement result. Once they determine which results to retain, they can implement the QSS protocol to establish a secret key. Alice, for example, constitutes the authorized set of N − 1 parties. By collaborating with all members of that set (just herself), she can infer Bob’s measurement result. Likewise, Bob is an authorized set of N − 1 parties and can infer Alice’s phase choice.

3. Secret key distribution via QSS

When N > 2, QSS is not equivalent to QKD. The primary difference is that Alice and Bob cannot infer the other’s private information without additional information from the remaining N − 2 parties. However, it is possible for any two parties to establish a secret key known only to them, as long as they both have the cooperation of the other N − 2 parties. Our new protocol accomplishes this in the following manner: two parties, Alice and Bob, announce that they wish to establish a shared secret key. Alice and Bob need not be the emitter and/or detector of the qubits, they can be any of the N parties.

The quantum transmission stage in our protocol is the same as that in the single-qubit QSS protocol, but the classical communication procedures are quite different. More specifically, in our protocol, before Alice and Bob disclose any information, all the other N-2 parties are required to publicly disclose exactly which of the four phases ϕ_i they imparted and the measurement result for the cases in which the receiver is not among the N-2. For the runs in which Σ_jϕ_j = nπ with n ∈ ℤ, Alice and Bob can each use this additional information to infer the other’s private information, while an eavesdropper can not. In effect, Alice and Bob are both able to independently collaborate with the other N − 2 parties to form an authorized set and create identical secret keys known only to them. This protocol is broken into steps below, in which p ₁ emits a single qubit at a time and p_N measures the qubits. The parties p_i apply their randomly selected phase ϕ_i sequentially to a set of M bits.

Unlike standard QKD, in N > 2 QSS Alice and Bob’s secret information will not necessarily match, even if a deterministic measurement result has been acquired. The total phase chosen by the other N − 2 parties can introduce a deterministic bit flip on any given qubit. To establish a shared key, Alice and Bob must agree who will perform the bit flip operation if needed. We set the arbitrary convention in step 10 that the party closer to the source performs the bit flip operation (i.e. Alice always calculates Bobs secret data; if Bob is the detector (p_k = p_N) then the secret data are the measurement outcomes). We note the 0/1 convention in step 8 is also chosen arbitrarily.

However, the order of the steps is not arbitrary. As was shown by [14], there exists a QSS vulnerability based on a dishonest participant being able to create and use an entangled state to gain information about the secret bits without being detected. Our modified protocol is not susceptible to such an attack as is shown in Appendix B.

We now describe the algorithm in full detail.

4. Experiments on a three-party system

We experimentally evaluated the feasibility of our proposed scheme to distribute secure keys between two parties in a three-party QSS system. Our experimental setup is based on a polarization-insensitive phase modulation unit and a commercial QKD system. Compared with a recent QSS demonstration [11], our design is simpler and more efficient.

The polarization insensitive phase modulation unit (p ₂) is placed anywhere along a 16m optical link between the ”Alice” and ”Bob” units of a commercial Clavis² plug and play QKD system from ID Quantique. Because Alice and Bob in our protocol may not necessarily be the sender and receiver, we hereafter refer to the commercial ”Alice” and ”Bob” units as p ₁ and p ₃ (or p_N). Details of the commercial QKD system can be found in [15]. A classical pulse originating at p ₃ is divided by a polarization dependent asymmetric interferometer into states labeled as |0〉 and |1〉 correspondingly. The pulse pair reflects off a Faraday mirror [15] and is heavily attenuated by p ₁ to the single photon level before being returned to p ₃. The intermediate parties apply their phase shifts only during the transit from p ₁ to p_N.

The phase modulator at p ₂ is realized using the set-up shown in Fig. 3. The combination of polarization elements ensures that the light passing through the phase modulator is correctly polarized, regardless of the input. p ₁ and p ₂ each apply phase shifts from the set {0, π/2, π, 3π/2} to the |0〉 in the pair and p ₃ applies a phase shift of either 0 or π/2 to the |1〉 state. Bob then interferometrically combines the pulse pair and detects the outgoing direction of the photon.

 

Fig. 3 Schematic of 3-party experimental system highlighting the operation of the Charlie unit. A 95/5 tap coupler (C) sends light from a heralding classical pulse to a detector (D) in order to synchronize the activation of the single photon phase modulator (PM). The polarization beam splitter (PBS) and Faraday rotators (FR) align the polarization with the primary access of the PM.

Download Full Size | PDF

To investigate the viability of two-party secret key generation in this system we set all three parties to apply a known sequence of phase shifts to a transmitted stream of weak coherent pulses. A total of 832, 968 photon detections were captured over 640 seconds. By examining the phase shift assignments of all of the parties corresponding to the detection outcomes, we can analyze the visibility of two-party secret key generation in the proposed scheme. For the deterministic cases the average number of detections for the maxima and minima were 25, 626 with a Relative Standard Error (RSE) of 2.5% and 315 with an RSE of 11.4%, respectively. By simply dividing the averages for the maxima and minima cases we can get a very rough estimate of the QBER of ≈1.2%, while the average visibility was 97.5%. This estimate is the same for any pair of communicating nodes as the hardware performs identically regardless of the classical communication that distills the keys. A detailed analysis of the minimum threshold for the quantum bit error rate has not been performed. The specific attacks discussed here and in the appendices are considered sufficient to demonstrate security.

If p ₃ and p ₂ want to establish a secret key, then they will publicly announce only their basis choices after p ₁ supplies complete information about her phase shift sequence ϕ_a. Table 1 shows the detector counts (D1 and D2) at p ₃ when p ₁ applies a constant phase shift of ϕ_a = 0. The determinism criteria Σ_jϕ_j = nπ is then only satisfied when p ₃ and p ₂ apply a phase in the same basis, (i.e totaling 0, π or 2π). It is clear from Table 1 that the photo-detection is indeed overwhelmingly deterministic given such a condition. The particular detector D1 or D2 (p ₃’s secret information) is correlated with p ₂’s secret phase shift, so p ₂ and p ₃ can surmise each others secret data but p ₁ can not.

Table 1. Brief Experimental Results

View Table | View all tables in this article

As noted above, the experimental phase shifts for p ₁ and p ₂ (ϕ ₁ & ϕ ₂) are on the |0〉 state of the pulse pair and p ₃’s phase shift (ϕ ₃) is acting in the same “direction” on the |1〉 state. This is a minor effect and will not be discussed further but it can be seen in Table 1 and Appendix A. For instance, the case of ϕ ₃ = ϕ ₂ = 0 and ϕ ₃ = ϕ ₂ = π/2 both appear overwhelmingly on detector D2 because both result in a relative phase difference between the pulse pairs of 0 rather than 0 and π respectively as one might assume.

Let us return to the example of p ₂ and p ₃ building a key, as considered above, and assume that all three phases were zero, ∑_j ϕ_j = 0, for a given qubit. From Table 1 we can see that detector D2 should have fired on p ₃’s measurement. p ₃ reports his phase only as 0 or π/2 (i.e. in the right or left side of the table) and p ₂ reports only that his phase was in the set {0, π}. Thus all other parties including p ₁ and Eve can tell that the qubit resulted in a deterministic outcome and thus a secret bit. However, p ₁ and Eve are left to guess blindly between two mutually exclusive and equally likely deterministic outcomes (the left two columns of Table 1). This is no different than randomly guessing the secret key bits. The example here is for the case N=3 but scales trivially to arbitrary N and for any two participants.

Although fully sifted, error corrected and privacy amplified secret keys were not generated for this demonstration, we have observed 650 bit/s key generation rates between p ₁ and p ₃ in runs where p ₂ applies a static phase shift of zero. The low rate of key generation is due to the large 8 dB of transmission losses caused by the prototype p ₂ unit. We expect to be able to reduce this loss in future versions currently under construction.

5. QKD vs QSS

Our modified QSS protocol for secret key distribution has several advantages over standard QKD systems. First and foremost is the number of parties that can distribute independent secret keys on a single quantum channel. For N parties, our method is significantly less expensive in terms of the number of single photon emitters and detectors (1 set of each for each node). More significantly, the number and length of dark fiber that must be installed or leased is much less when compared to N fully connected parties with standard point to point QKD systems (N(N − 1)/2 QKD systems). In addition, our method does not require any modification to the network architecture of standard single-qubit QSS. Rather, it changes the classical communication protocols on top of this network. Therefore we have the ability to perform QSS as well as the ability to distribute two-party secret keys.

One disadvantage of our protocol is that only two parties on the channel can generate secret keys at a given time, the other parties must either wait or interrupt the current pair to start generating keys. However, changing the two main participants amounts only to a change in the classical communication protocols. Another potential disadvantage is that an adversary, as well as all other participants, will know when Alice and Bob are building new keys. Also, as Alice and Bob require the assistance of every member of the remaining N − 2 nodes, a denial of service attack can be completed by blocking the classical communication from a single participating node. A conventional QKD setup also suffers from the denial of service attack: an eavesdropper can simply cut the quantum channel to stop the QKD process.

6. Security

After all N-2 parties besides Alice and Bob announce their phases, our protocol reduces in principle to the BB84 protocol and the standard security proof can be applied. However, non-traditional attacks are possible in the cases in which Alice and Bob are at the intermediate nodes rather than the endpoints. In this section, we discuss several attack strategies and show that our protocol is inherently secure against eavesdropping and QSS cheating attacks, with stronger security than traditional QSS.

First, we point out that the disclosure of the phase-shift information from the N − 2 parties does not provide any useful information to an adversary. Recall that it is possible to infer the secret information of one party if and only if the other N − 1 parties collaborate. Hence, any disclosures made by fewer than N − 1 parties do not contain enough information by themselves to compromise either Alice’s or Bob’s secret information.

This can been seen in the following manner. The final state of the qubits after being acted on by all parties is given in Eq. (2), which can be rewritten as

The final state of the qubit just before Bob’s measurement can be rewritten as,

Equation(5) is now the state produced by the phase encoded BB84 QKD protocol and the security proof reduces to the same in the event that Alice and Bob are the first and last nodes. [1, 18, 19]. The standard security proofs can be applied to the cases in which Eve is located between Alice and Bob. That is, any eavesdropping attempts necessarily introduce errors that will be evident to Alice and Bob. Eve could, instead, attempt to eavesdrop either between p ₁ and Alice or between Bob and p_N (for the cases in which Alice and/or Bob are located at intermediate points. But this type of attack is fruitless, since the protocol does not require the state to be secret in these regions. In fact, Eve (along with everyone else) can infer the exact state in these regions based on the information revealed by the N-2 parties who are not Alice and Bob.

A more sophisticated attack involves the use of entangled states to gain an advantage in single-qubit QSS, as described in [14, 17] and modified in [10, 23]. In those attacks, a cheating node p_k can gain an information advantage in the cases that all upstream nodes (all p_j, j < k) or all downstream nodes (all p_j, j > k) report their basis choices before p_k. As shown in Appendix B, however, the protocol presented here is immune to such attacks because of the order in which the nodes reveal their respective phase information and because, unlike QSS, all nodes except Alice and Bob are required to reveal not only basis information, but also the exact phase settings.

From a practical standpoint, the scheme described here is most susceptible to a Trojan horse attack, whereby Eve probes the Alice or Bob node with her own optical field. Because Eve might have access both before and after the target node, the vulnerability is greater than for conventional QKD. Such an adversary might opt for a wavelength division multiplexing attack by adding a probing photon with a small spectral shift relative to the signal photon immediately before one of the active nodes. Then after the node, Eve would filter out the probe photon and measure its phase change when the basis information is available. The phase change will be approximately the same as the phase change on the com frequency. In principle this type of attack can be defensed by placing random sampling detectors and narrow-band pass filters inside each node along with narrow timing windows to ensure that only one photon in a specific mode goes through the phase modulator while it is active.

This would limit Eve to single-photon Trojan horse attacks, which cannot be used to determine the one-time action of a phase modulator. To see why this is the case, consider a known state |ϕ_EVE〉 = α ₀|0〉 +α ₁|1〉 input to the target phase modulator. Upon modulation, the state becomes one of the following:

We note that the security arguments given in this paper are based on the assumption that a single photon source is employed. In most of experimental implementations, such as the commercial QKD system from IDQ, phase randomized weak coherent sources are used. To improve the performance of such a system, decoy state ideas could be applied [20–22]. This requires the QKD users (which may be determined before the quantum transmission stage) to actively randomize the global phase of the incoming signal [24] and also modulate its intensity. By estimating the QBER and transmission efficiency of each decoy state and the signal state separately, the users can acquire a tighter bound on Eve’s information and achieve a higher secure key rate. Details of the application of decoy state is outside of the scope of this paper.

7. Conclusion

We have described and demonstrated a method for distributing secret keys between any two parties on a given N party, single qubit, quantum channel. This method has several distinct and valuable advantages over standard QSS and highly connected QKD networks. We are able to maintain the hardware and network architecture of standard single-qubit QSS, thus giving us a powerful and diverse set of operations on a single network.

A. Full data set

This appendix contains a full set of data from our experimental implementation of the N = 3 party QSS protocol for QKD. The individual count rates for all possible phase settings are shown in Table 2. Each of the four sections of the table corresponds to Alice applying a constant phase ϕ_a. The deterministic behavior can clearly be seen when Σ_jϕ_j = nπ. D1 and D2 are Bob’s detector counts after the projection into the |±〉 basis and represents his “secret data”. We note again that any two parties could have built keys out of this data set by a simple change of classical communication.

Table 2. Experimental Results

View Table | View all tables in this article

This data can be visualized as in Fig. (4). Here we show data from the left hand side of the first section of Table 2. This shows Bob’s detector counts for the instances when Alice and Bob both applied a zero phase rotation and the two deterministic outcomes are expected to occur when ϕ_c = 0 and ϕ_c = π. Similar figures can be drawn for any subset of the data.

 

Fig. 4 Experimental results for the N=3 party, QSS based secret key distribution. The columns represent the number of detection events on two detectors after the projective measurement to the |±〉 basis. D1(light red) and D2 (dark blue) clearly show the difference between the deterministic Σ_jϕ_j = nπ and random cases Σ_jϕ_j = (n + 1/2)π.

Download Full Size | PDF

The non deterministic cases of ϕ_c = π/2 and ϕ_c = 3π/2 should in theory be evenly distributed between detectors D1 and D2. However since all such instances are discarded during the key distillation this imbalance can be ignored and maximizing the visibility of the deterministic cases (which amounts to minimizing the QBER) takes precedent.

B. Defeating A bell state attack

There exists a cheating protocol proposed by G.P. He [14, 17] that can determine the secret information of a given node in the single qubit QSS protocol as originally proposed and then modified in [10,23]. We note that our modified QSS method for QKD is not susceptible to this type of attack.

In the method of [14], the cheating node Eve prepares a Bell state $|\psi \varphi 〉=\left(|00〉+|11〉\right)/\sqrt{2}$. Eve then keeps the photon she receives from the previous node |χ〉 and sends half of the Bell state |ϕ〉 to the next node. There are then 2 pertinent cases: i) in which all of the nodes upstream, i.e. closer to the qubit source, have announced their basis as either X ∈ {0, π} or Y ∈ {π/2, 3π/2}; and ii) when one or more has not. In the latter case, Eve can not gain any information but also can not be detected in the standard single qubit QSS scheme [10, 14].

By performing a measurement on the qubit Eve receives and one part of the Bell state |ψ〉, |ϕ〉 collapses to U(α)|χ〉. From the measurement outcome she knows whether relative phase rotation α was exactly 0, π, or from the set {π/2, 3π/2}. As such she can report the correct basis, X or Y, and pretend to have acted honestly thus escaping detection.

In the case where all upstream nodes have reported their bases, Eve can gain an advantage. By knowing the initial state of the qubit |+〉 and the bases applied by the preceding nodes she can always measure in the correct basis of the qubit and thus learn exactly the state |χ〉 she received. Eve now measures |ψ〉 in the basis of |±〉 or |0〉 ± i|1〉, and can compare the result to the now known |χ〉 and determine exactly the effective rotation U(α)|χ〉.

Once Eve knows |χ〉 and α, she can effectively perform secret sharing with subsets of the full number of nodes N. The 2 minimum size authorized sets consist of all the upstream nodes including k and all the downstream nodes including k respectively. Given N total nodes and an Eve at position k, these two sets, which we call upstream U and downstream D, have number of elements |U| = k and |D| = N − k + 1. If the secret holding node is in the upstream set, Eve can perform k − 1 secret sharing with the other members of that set. If the secret holding node is in the downstream set Eve can perform N − k secret sharing with the members of that set. Regardless of the relative position of the non-participating node Eve can determine the secret information with significantly less then N − 1 nodes collaboration.

We now show that our modified QKD via QSS method is not susceptible to such an attack. There are three cases of interests, as shown in Fig. 5, with the different possible relative positions of Alice, Bob, and the cheating node Eve.

 

Fig. 5 Three cases of an evil node Eve among an arbitrary number of nodes, N with Alice, A and Bob, B. Using the cheating protocol of [14] the upstream set, U, is contained in the black box and the downstream set, D, is contained in the dashed box. The position of A and B in each set U, D is arbitrary.

Download Full Size | PDF

Here we will make several general assumptions. 1) All of the other nodes (that are not Alice, Bob or Eve) reveal all of their information in arbitrary order. In other words regardless of her position on the network, Eve is allowed to communicate in the most desirable position for an attacker, last. 2) Eve then reveals all of her information. 3) Alice and Bob then reveal their basis information last. Assumption 1) and 2) correspond to step 7, and assumption 3) is step 8 of our algorithm described in the main body.

The method of [14] can be physically implemented successfully by Eve in case i) and the reverse direction method of [17], in which Eve uses the basis of all the downstream nodes, in case iii). These two cases are effectively the same but both are shown for completeness. In these cases Eve’s cheating will not be detected, similar to the QSS description above. However, we note that despite being able to successfully “cheat” Eve gains no usable information. Looking at case i) and iii) in Fig. 5 we see that, in both cases, Alice and Bob are either both in D or both in U respectively.

In case i) Eve can use her information to perform k-1 secret sharing on the upstream set. However, there is no secret information in the upstream set U, since, from assumption 1) above, all the other nodes in that set have publicly declared their exact phase rotation. The downstream set D is of more interest. However Eve can not perform the equivalent N − k secret sharing on this set either. The size of D is |D| = N − k + 1, but there are two nodes in that set that will never reveal their secret information to Eve, namely Alice and Bob (we assume Alice and Bob are trusted nodes, or the scheme is doomed from the start). Thus there are only N − k − 1 nodes in the set that might be willing to assist Eve, less than the N − k that are needed. The same argument can be made for case iii). Thus, in these cases, Eve can gain nothing from the method of cheating in [14, 17], but at least will not be detected.

Case ii) is of more interest, as in this scenario there is one and only one of Alice and Bob in each of the sets U and D respectively. It might appear that this case is ideal for such an attack. However, based on assumptions 2) and 3), Eve must always announce not just her basis but her exact phase rotation prior to Alice and Bob revealing any information as in step 7 and 8. Thus, there is always one node both upstream and downstream of Eve that will not reveal its basis, nor will they cheat, when Eve is forced to act. Eve is never in a position to successfully perform the attack and can only attempt to avoid detection [17]. If for some reason Eve did perform this fruitless attack, she would be not only detectable but locatable on the network.

When Eve can not determine the bases of either all of the upstream or all of the downstream nodes, she can only perform a measurement on |χψ〉 to project |ϕ〉 into a valid state and hope to avoid detection. However, recall that from this measurement Eve, gains only partial information about the transformation U(α)|ϕ〉 [14]. As stated above, depending on the measurement outcome, Eve knows if α was 0 or π or in the set {π/2, 3π/2} [14]. Thus Eve can correctly announce her information, as required, only 1/2 of the time. The remaining times Eve must guess between elements of basis Y = {π/2, 3π/2}. Guessing incorrectly causes the final detection of the qubit to flip states (0 ↔ 1), resulting in an increase of the QBER to 25%, and indicating the presence of a cheater.

By recording the location of the errors and the basis of each node for every qubit transmitted, Alice and Bob can not only detect, but also locate a cheating node. The errors induced by Eve attempting to cheat occur only when Eve announces a phase change of {π/2, 3π/2}. By examining the correlations between the announced basis Y of each node for the qubits that were erroneous we can find the cheater. We expect ≈ 50% for honest nodes and ≈ 100% for the cheater ignoring any systematic QBER. Eve can remain hidden by deliberately announcing the wrong basis element in X ∈ {0, π} half of the time. This will cause the QBER to rise to 50% in the presence of an attacker.

Our method is secure against this type of Bell state resource attack, as there is never a scenario in which a cheating node can gain the secret information held by Alice and Bob. Indeed this cheating method actually does not gain Eve any information since all the other nodes will have already publicly announced their secret information.

Acknowledgments

This work is supported by the U.S. Department of Energy under the Cybersecurity for Energy Delivery Systems(CEDS) program.This manuscript has been authored by UT-Battelle, LLC under Contract No. DE-AC05-00OR22725 with the U.S. Department of Energy. The United States Government retains and the publisher, by accepting the article for publication, acknowledges that the United States Government retains a non-exclusive, paid-up, irrevocable, world-wide license to publish or reproduce the published form of this manuscript, or allow others to do so, for United States Government purposes. The Department of Energy will provide public access to these results of federally sponsored research in accordance with the DOE Public Access Plan (http://energy.gov/downloads/doe-public-access-plan).

References and links

1. C. Bennet and G. Brassard, “Public key distribution and coin tossing,” in Proceedings of IEEE int. Conf. on Computers, Systems and Signal Processing (1984), pp. 175–179.

2. W. Wootters and W. Zurek, “A single quantum cannot be cloned,” Nature 299, 802–803 (1982). [CrossRef]  

3. P. Kumavor, A. Beal, S. Yelin, E. Donkor, and B. Wang, “Comparison of four multi-user quantum key distribution schemes over passive optical networks,” J. Lightwave Technol. 23, 1 (2005). [CrossRef]  

4. S. Phoenix, S. Barnett, P.D. Townsend, and K. Blow, “Multi-user quantum cryptography on optical networks,” J. Mod. Opt. 42, 1155–1163 (1995). [CrossRef]  

5. M. Hillery, V. Bužek, and A. Berthiaume, “Quantum secret sharing,” Phys. Rev. A 59, 1829–1834 (1999). [CrossRef]  

6. L. Xiao, G. L. Long, F. G. Deng, and J. W. Pan, “Efficient multi-party qauntum secret sharing,” Phys. Rev. A. 69, 052307 (2004). [CrossRef]  

7. J. Bogdanski, N. Rafiei, and M. Bourennane, “Experimental quantum secret sharing using telecommunication fiber,” Phys. Rev. A. 78, 062307 (2008). [CrossRef]  

8. Z. Zhang, Y. Li, and Z. Man, “Multiparty quantum secret sharing,” Phys. Rev. A. 71, 044301 (2005). [CrossRef]  

9. L. Han, Y. Liu, J. Liu, and Z. Zhang, “Multiparty quantum secret sharing of secure direct communication using single photons,” Optics Commun. 281, 2690 (2008). [CrossRef]  

10. C. Schmid, P. Trojek, M. Bourennane, C. Kurtsiefer, M. Zukowksi, and H. Weinfurter, “Experimental single qubit quantum secret sharing,” Phys. Rev. Lett. 95, 230505 (2005). [CrossRef]   [PubMed]  

11. M. Hai-Qiang, W. Ke-Jin, and Y. Jian-hui, “Experimental single qubit quantum secret sharing in a fiber network configuration,” Opt. Lett. 38, 21 (2013). [CrossRef]  

12. G. Gottesman, “Theory of quantum secret sharing,” Phys. Rev. A. 61, 042311 (2000). [CrossRef]  

13. R. Cleve, D. Gottesman, and H. K. Lo, “How to share a quantum secret,” Phys. Rev. Lett. 82, 648 (1999). [CrossRef]  

14. G. P. He, “Comment on Experimental single qubit quantum secret sharing,” Phys. Rev. Lett. 98, 028901 (2007). [CrossRef]  

15. D. Stucki, M. Legre, F. Buntschu, B. Clausen, N. Felber, N. Gisin, L. Henzen, P. Junod, G. Litzistorf, P. Monbaron, L. Monat, J. B. Page, D. Perroud, G. Ribordy, A. Rochas, S. Robyr, J. Tavares, R. Thew, P. Trinkler, S. Ventura, R. Voirol, N. Walenta, and H. Zbinden, “Long-term performance of the Swiss Quantum quantum key distribution network in a field environment,” New J. Phys. 13, 123001 (2011). [CrossRef]  

16. T. T. Ng, D. Gosal, A. Lamas-Linares, and C. Kurtsiefer, “Sagnac-loop phase shifter with polarization-independent operation,” Rev. Sci. Inst. 82, 013106 (2011). [CrossRef]  

17. G. P. He and Z. D. Wang, “Single qubit quantum secret sharing with improved security,” Quant. Inf. Comput. 10, 28 (2010).

18. A. Ferenczi, V. Narasimhachar, and N. Lutkenhaus, “Security proof of the unbalanced phase-encoded Bennett–Brassard 1984 protocol,” Phys. Rev. A. 86, 042327 (2012). [CrossRef]  

19. N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, “Quantum cryptography,” Rev. Mod. Phys. 74, 145 (2002). [CrossRef]  

20. W.-Y. Hwang, “Quantum key distribution with high loss: toward global secure communication,” Phys. Rev. Lett. 91, 057901 (2003). [CrossRef]   [PubMed]  

21. H.-K. Lo, X. Ma, and K. Chen, “Decoy state quantum key distribution,” Phys. Rev. Lett. 94, 230504 (2005). [CrossRef]   [PubMed]  

22. X.-B. Wang, “Beating the photon-number-splitting attack in practical quantum cryptography,” Phys. Rev. Lett. 94, 230503 (2005). [CrossRef]   [PubMed]  

23. C. Schmid, P. Trojek, M. Bourennane, C. Kurtsiefer, M. Zukowski, and H. Weinfurter, “Reply to Comment on ’Experimental Single Qubit Quantum Secret Sharing’,” Phys. Rev. Lett. 98, 028902 (2007). [CrossRef]  

24. Y. Zhao, B. Qi, and H.-K. Lo, “Experimental quantum key distribution with active phase randomization”, Appl. Phys. Lett. , 90, 044106 (2007) [CrossRef]