Sharing classical secrets with continuous-variable entanglement: Composable security and network coding advantage

Secret sharing is a multi-party cryptographic primitive that can be applied to a network of partially distrustful parties for encrypting data that is both sensitive (it must remain secure) and important (it must not be lost or destroyed). When sharing classical secrets (as opposed to quantum states), one can distinguish between protocols that leverage bi-partite quantum key distribution (QKD) and those that exploit multi-partite entanglement. The latter class are known to be vulnerable to so-called participant attacks and, while progress has been made recently, there is currently no analysis that quantifies their performance in the composable, finite-size regime which has become the gold standard for QKD security. Given this - and the fact that distributing multi-partite entanglement is typically challenging - one might well ask: Is there any virtue in pursuing multi-partite entanglement based schemes? Here, we answer this question in the affirmative for a class of secret sharing protocols based on continuous variable graph states. We establish security in a composable framework and identify a network topology, specifically a bottleneck network of lossy channels, and parameter regimes within the reach of present day experiments for which a multi-partite scheme outperforms the corresponding QKD based method in the asymptotic and finite-size setting. Finally, we establish experimental parameters where the multi-partite schemes outperform any possible QKD based protocol. This one of the first concrete compelling examples of multi-partite entangled resources achieving a genuine advantage over point-to-point protocols for quantum communication and represents a rigorous, operational benchmark to assess the usefulness of such resources.


I. INTRODUCTION
The desire to reliably store important information seems at odds with the desire to keep that information secret.A reasonable strategy to achieve reliability would be to generate many redundant copies of the information.However, this strategy clearly increases danger of a security breach as each copy is a new target for unauthorised access.An elegant solution to this quandary is given by secret sharing.These are protocols in which the secret is divided into pieces or shares by a dealer and distributed amongst several players such that some authorised subsets can perfectly reconstruct the secret but all other subsets gain no information whatsoever.The set of authorised subsets of a scheme is called the access structure.
In such a scheme, any unauthorised set of shares may be destroyed without the secret being lost and any unauthorised set may be hacked without any information being leaked.Secret sharing can be used in many practical situations to ensure that only a sufficiently large collection of agents can authorise some action, with examples ranging from approving an expense account to ordering a military strike.Other applications include managing cryptographic keys, decentralised voting and as a primitive for secure multi-party computation.In the most common form of access structure, the dealer selects a threshold size for authorised subsets.An (n, k)-threshold scheme involves n players of which any k players can collaborate to reconstruct the secret, whilst any (k − 1) subset remains totally ignorant.
The concept of secret sharing has been independently conceived in a classical setting by Blakley [1] and Shamir [2].* nathan.walk@gmail.comHowever, these schemes assume that the only information received by any player is their intended share and thus they cannot be proved secure against the possibility that members of an unauthorised set are eavesdropping upon an authorised set.This problem can be solved using techniques from quantum cryptography.In the first place one could simply establish quantum key distribution (QKD) links between the dealer and each player in parallel [3].Once secret key has been established then Shamir's scheme can be safely implemented [4].The security of such schemes then follows immediately from QKD security proofs, and such schemes have already seen experimental implementation [5,6].We will refer to these schemes of bi-partite quantum secret sharing as bQSS.
An alternative method, due to Hillery, Buzek and Berthiaume, is for the dealer (Alice) to create a multi-partite entangled state distributed amongst the players [4].This proposal utilised GHZ states to implement an (n, n)-threshold scheme and an extensive body of follow up work has since appeared [7][8][9][10].A particularly interesting variant has been the work of Schmid et al. which does not require multi-partite entanglement, but instead transmits a quantum state between all participants who each perform a random operation [11].These should not be confused with the protocols, sometimes called quantum state sharing, where the secret to be shared is a quantum state [12,13].Crucially, almost immediately following the original HBB paper, it has been pointed out that these protocols are vulnerable to so-called participant attacks [7,8] and the security of these schemes could not be rigorously established.Subsequently, several works [14][15][16][17] have identified graph states [18] as a valuable resource for secret sharing (with classical and quantum secrets) which allow for more general (n, k)-threshold schemes and highlight an elegant connection arXiv:2104.10659v2[quant-ph] 25 Feb 2022 between secret sharing and error correction codes.This setting is conceptually interesting.At the same time, it has become more technologically plausible.Substantial theoretical progress has also been made on how to distribute graph states in multi-partite quantum networks [19,20].Whilst these proposals have comprehensively answered the questions of how secrets can be successfully reconstructed by the authorised subsets, the security analysis against dishonest parties remained unsatisfactory because the problem of participant attacks remained unsolved.
In contrast to QKD where the dishonest party is completely shut out of the parameter estimation process, secret sharing typically includes all players in the certification procedure.This opens up loopholes regarding the order in which information (measurement bases and outcomes) is announced that can be exploited by dishonest players to avoid detection.Thus, while many experimental implementations have appeared [11,[21][22][23][24][25][26][27][28][29][30][31][32], they have all only been analysed either under various assumptions (e.g., perfect state transmission, asymptotically many rounds or in some cases specific eavesdropping strategies) or restrictions upon the players and the eavesdropper and none were shown to be secure against arbitrary participant attacks.We note that some works on sharing entangled quantum states do rigorously address the participant attack [33,34], but only by utilising a pre-existing secret sharing protocol for classical strings.This is reasonable when the goal is to leverage the security of classical bQSS to ultimately share a quantum state, but would be redundant for sharing classical secrets which is our primary concern here.
The problem has finally been resolved, at least in the asymptotic limit of infinitely long key exchange, first by Kogias et al. [35] in the context of continuous-variable (CV) graph states [36][37][38][39] and later by Williams et al. [40] for discrete-variable (DV) GHZ states, where the latter also has carried out a proof-of-principle demonstration.Using different methods, both works manage to reduce the problem to essentially a minimisation over bi-partite scenarios where tools from QKD analysis can be applied, but without leaving any room for participant attacks.Follow up works has extended [40] to the CV regime [41] and included a finite statisticalanalysis under the assumption of Gaussian collective attacks [42].Importantly, none of these works give any instances where a genuinely multi-partite approach results in any improvement in performance, in fact in Ref. [35] it is shown that their multi-partite entangled protocol is strictly inferior to bQSS over the networks they consider.
This gives rise to a most pressing situation: The vision of quantum networks [43][44][45][46], with notions of a quantum internet in mind, seems to suggest that a wealth of new multipartite protocols based on multi-partite entanglement opens up.Yet, at the same time it seems excessively difficult to identify schemes that actually obtain an advantage based on the availability of multi-partite entangled states under realistic conditions.This obstacle is largely overcome here.
In the following, we will first explain the differing analyses of Refs.[35] and [40], and quantitatively improve upon the rates calculated in the former work.We then lift the analysis to consider arbitrary attacks in the composable, finite-size regime.Composable security is a particularly stringent notion of security in which the protocol remains secure even if arbitrarily composed with other instances of the same or other protocols.To be in the finite-size regime also seems a practical necessity given that asymptotic settings usually refer to extremely long sequences of key exchange.
Finally, we turn to the main contribution of this paper, which is to evaluate performance over bottleneck networks of lossy channels and demonstrate a genuine quantitative advantage for protocols exploiting multi-partite entanglement in CV graph states.In the limit of asymptotic key rates, we show an unconditional advantage, in the sense of outperforming the so-called PLOB bound which represents the ultimate limit on point-to-point QKD protocols [47].For large but finite squeezing the multi-partite scheme can outperform the PLOB bound for a transmission radius of up to 4km of optical fibre.We model a realistic multi-partite experiment and find that even in the composable, finite-size regime an advantage exists over a CVQKD scheme with the same resources.This represents -once again -a rare concrete example of a multi-partite entanglement advantage for quantum cryptography over realistic networks.

II. SECURITY OF SECRET SHARING
The idea of sharing a classical secret with quantum technology is to distribute a random key that has precisely the desired access structure, and then encrypt that actual secret via a one-time pad encoding.In fact, like standard QKD, this protocol technically carries out key expansion rather than distribution since a small amount of pre-shared key must already exist to authenticate any public communication and to carry out privacy amplification.Consider an (n, k)-threshold scheme where, in each round of the protocol, a multi-partite entangled state is shared between n players (B 1 , . . ., B n ) and a dealer, Alice, who measures her part of the state in one of two conjugate bases.Measurements in one basis will be used to form a secret key while the others will be publicly disclosed and used for certification.Typically this is done asymmetrically with p, the probability for a certification round, satisfying p ≤ 1 2 .To process her measurement outcomes into a secret key with the desired access structure, Alice must determine two parameters: On the one hand, this is the amount of privacy amplification required such that the key appears random to any (k − 1)subset who might be in league with the eavesdropper.On the other hand, this is the amount of error reconciliation information she must transmit to ensure any authorised k-party subset can reconstruct the secret key.To this end, we need to define the following sets: The set of all players (Bobs) the set of all authorised or trusted subsets of k players T = {T 1 , T 2 , . . ., T ( n k ) where, e.g., and so on; the set of all unauthorised or untrusted subsets of (k − 1) players U = {U 1 , U 2 , . . ., U ( n k−1 ) } where, e.g., and so on.To determine the extractable key, Alice must take worst case estimates for the secrecy over the n k−1 unauthorised subsets and for the correctness over the n k authorised subsets (Fig. 1).
Moreover, Alice must do this in a way that prevents any participant attacks, which typically exploit the order in which certification information (measurement bases and outcomes) is announced by the players.This is the critical point where the security of most previous multi-partite schemes can be completely broken.Note that in QKD protocols, the measurement bases can in principle be established beforehand for an L round scheme at the cost of ∼ Lh 2 (p) extra bits of pre-shared key where h 2 is the binary entropy function.However, such a scheme is a priori forbidden for a secret sharing scheme as it is crucial that the potentially dishonest players do not know ahead of time which rounds will be used for certification.
< l a t e x i t s h a 1 _ b a s e 6 4 = " Y P q 0 5 H j 9 p u 8 O G 3 1. Security analysis for an (n, n − 1)-threshold scheme.The performance of the scheme is assessed by taking the worse case values of the failure parameters (see Definition 1) for both secrecy s and the correctness c.For a general (n, k)-scheme, s is maximised with respect to all for the n k−1 possible unauthorised subsets of players who might be collaborating with the eavesdropper and c is maximised with respect to the n k authorised subsets who may wish to later collaborate to reconstruct the secret.
For example, the original HBB protocol attempts to certify a GHZ-state scheme by having the players randomly switch between measuring in the Pauli X or Y basis and then verifying that measurement combinations corresponding to GHZ stabilisers behave as expected [4].However, if measurement bases are announced first and a dishonest player (Bob) knows that he will be the last to make an announcement, he can cheat perfectly as follows [7].In the transmission phase Bob intercepts all of the GHZ photons sent by Alice and instead establishes bi-partite maximally entangled states between himself and the other players.Once all other players announce their measurement basis, Bob measures his maximally entangled pairs and also immediately learns all other players measurement outcomes.Finally, he can use his knowledge announced bases to ensure the round is only kept if Alice measures in a basis of Bob's choosing.For example, if all other players announce the X basis, Bob knows if he also announces X then the round will only be kept if Alice also measures X since only that choice corresponds to a GHZ stabiliser.Bob now measures his intercepted GHZ particles and perfectly learns Alice's X measurement outcome and, along with his knowledge of the other players outcomes, can calculate what he should announce in order to perfectly recreate the GHZ correlations.Thus, the scheme is completely broken but Bob remains undetected.Other attacks are also possible if measurement outcomes rather than bases are announced first [7].
Two solutions to this problem have emerged.One strategy is to test each potential unauthorised subset by simply excluding all players in that subset from the certification process [35].The other is to have the dealer randomly select an unauthorised subset that is included in the certification test but forced to make all their announcements first.This essentially reduces each test to a QKD protocol with an untrusted source [40].One way to enforce this ordering would be to instruct members of the complementary set C j to withhold their announcements until they have received that rounds results from the corresponding U j .Note that the protocol of Ref. [40] therefore comes with additional classical communication overheads.
The two strategies cannot easily be compared in general.Whilst the technique of Ref. [35] is simpler, it will always obtain lower correlations between Alice and any given subset as it does not make use of the announced results from untrusted parties.For example, while this method has been shown to predict positive rates for CV graph states it always results in a zero key rate if applied to the original HBB protocol.This stems from the fact that, for a GHZ state, tracing out even a single party results in completely uncorrelated noise in either the Pauli X or Y bases of the other participants.
On the other hand, the proof of Ref. [40] can be applied to an HBB-type protocol but requires n k−1 different data sets for parameter estimation (one for each U j announcing first), meaning that much more data must be sacrificed for certification.Moreover, this latter protocol stipulates that the bases be chosen symmetrically (i.e., p = 1/2) which halves the achievable rate and it is also necessary to acquire certification measurements in both bases, further driving down performance.We will show later that these restrictions are indeed mandatory for security to be maintained.
For a general protocol with arbitrary players and including finite-size effects it is possible that there are instances where the approach of Ref. [40] could prove superior.However, for the case we will consider in Section 2, namely three parties utilising a bottleneck network, the reduction of the key rate by a factor of 1/2 already precludes any possible advantage for the multi-partite entangled scheme.Therefore, we will instead use the protocol of Ref. [35] as our starting point for the remainder of this work.Further discussion of the security, potential drawbacks and applications for the work of Williams et al. can be found in Appendix D.
Protocol 1 (Entanglement-based secret sharing) An (n, k, m, t, p)-protocol for entanglement-based secret sharing involves the following steps: 1.The dealer (Alice) establishes sets of pre-shared keys: a bi-partite key with each player to authenticate classical communication channels and a joint key that satisfies the intended (n, k)-threshold access structure as a seed for privacy amplification.
2. An (n + 1)-partite entangled state is distributed amongst players and the dealer (Alice) through untrusted quantum channels.
3. Alice measures her part of the state in one of two noncommuting bases, X and P with probability p and 1 − p respectively.We will denote the key generation measurement X and the certification measurement P.
4. If the players are honest they also randomly choose between the measuring X and P on their systems according to the same probability.If they are dishonest, nothing is assumed about their actions at this point.We denote the i th authorised set of k players as T i , the j th unauthorised subset of k − 1 players as U j and the corresponding complementary subset of n − k + 1 players as C j .
5. Following Ref. [35], all players announce their measurement bases for all rounds in any order.If the announced values of any of the T i or C j are consistent with Alice's measurement choice this round is kept.Depending upon the correlation measure to be employed, Alice may only designate P measurements for disclosure, or she may also select a random subset of her X basis rounds.This process is repeated until Alice has designated m rounds to be used for key generation and t rounds for parameter estimation.Using this single parameter estimation data-set Alice computes a correlation measure between herself and each complementary subset, C j .In any given computation Alice simply ignores all announcements from any player in the corresponding unauthorised set U j .If the correlations are below a certain level, the protocol aborts.Depending upon protocol specifics there may also be other checks carried out (e.g. an energy test or a decoy state analysis) which, if failed, will also cause the protocol to abort.
6.If the test passes, this results in correlated variables (X A , X Bi ) which describe the measurements of Alice and each of the authorised subsets.Alice proceeds with error reconciliation which leaks a maximum of EC bits of information and privacy amplification utilising twouniversal hashing.The correctness of error reconciliation is verified with a check that involves announcing a further hash of length log 2 c bits computed with a pre-shared seed.If this check also does not abort this results in a final keys of length l (S A , S Bi ) for Alice and each authorised subset.
We can now formally state our definitions for secret sharing in the composably secure framework established for QKD [48][49][50].Let p pass be the probability that the protocol does not abort and define the joint state (conditioned on passing) between the register of Alice's final key and the j th untrusted subset in collaboration with the eavesdropper as the classicalquantum state, where the sum is over all possible l-bit strings that could make up the key and ρ s A E,Uj is the state of Eve and the j th unauthorised subset given a certain value of the key.
Definition 1 (Notions of secret sharing schemes) A secret sharing scheme as defined in Protocol 1 that outputs a state of the form (4) is and where D(•, •) is the trace distance and τ S A is the uniform (i.e., maximally mixed) state over S A .
A protocol is ideal if it satisfies c = s = 0, and it is called sec -secure if sec = c + s .This means that there is no device or procedure that can distinguish between the actual protocol and an ideal protocol with probability higher than sec .
If we define i EC as the amount of error correction needed for the i th authorised subset it can be shown using results from the QKD literature [49,51], that a key of length that is c -correct and s -secret against the j th unauthorised subset where H min (X A |E, U j ) is the conditional smooth min-entropy evaluated over the state given in (4) and and 1 are positive constants proportional to s which can be optimised over.The necessary results have also been proven for infinite-dimensional systems which we require here [52,53].
Considering Definition 1, the extractable amount of key for secure secret sharing is then A standard figure of merit for a cryptographic protocol is the secure fraction l/L -the ratio of secure output bits to the number of attempted channel or network uses.The choice of error reconciliation code fixes i EC with respect to c so the major remaining task is lower bounding H min (X A |E, U j ) for a given s from the data gathered during parameter estimation.This is the crucial step where a mistake could create vulnerabilities to participant attacks.A commonly used tool for this task is an entropic uncertainty relation for the observables X A and P A .
Without loss of generality, the overall state can taken to be pure (ρ AUj Cj E = Ψ AUj Cj E Ψ AUj Cj E ).In this case, it has been shown that the following entropic uncertainty relation holds for the m-round state used for key generation [52,53], where the constant q(X A , P A ) quantifies the complementarity of the two measurement bases and we have added superscripts to Alice's variables to emphasise that we are referring to the m-rounds to be used for key generation.This result would appear to immediately solve our problem in that it can be rearranged to lower bound the quantity of interest, H min (X m A |EU j ), in terms of correlations between Alice and the trusted subset C j .Importantly however, relations like this are counterfactual in that they describe two hypothetical situations (Alice measuring either X A or P A ) only one of which can actually happen.Thus we do not directly have access to the correlations between P m A and C j that appear in (9), as all m of these rounds are in fact measured by Alice in the X A basis.
Instead, we have the strings P tj A and P tj Cj arising from the t rounds announced during parameter estimation.Note that, in general, we will have t j < t.This is because any one of the t total parameter estimation rounds might only be useful for estimating correlations with the complementary subset C j but not with some other subset C k .Crucially, provided that the parameter estimation rounds were truly selected at random, then this is a standard problem in random sampling without replacement.We can apply the result of Serfling [54] to bound the correlations would have been counterfactually observed between P m A and P m Cj , given the actually observed correlations between P tj A and P tj Cj .It is then possible to bound the min-entropy [52,53].However, this is only valid for genuinely random sampling and it is precisely this condition that is violated by the participant attacks outlined previously where parameter estimation process involves all players simultaneously, including the potentially dishonest ones.Recall that in the example participant attack on the HBB protocol, dishonest Bob learns the measurement bases of the other players before making his own announcement.He could then choose his announced basis to deterministically ensure that this particular round will only be kept if Alice measured in a particular basis.If the certification measurement is fixed to be P A , this means dishonest Bob can control the sampling procedure such that the correlations between P tj A and P tj Cj are not valid as a fair sample to estimate those between the counterfactual P m A and P m Cj .Note that this loophole would still exist even dishonest Bob was forced to announce first if it was still the case that all certification measurements made in the P A basis.This is why in the protocol of Williams et al., which includes all players in the certification step, it is mandatory that bases be chosen symmetrically and a random subset of each basis is used to certify the secrecy of the other.
In the Protocol 1, whether a round is kept for any fixed value of j is determined solely by the bases of Alice and the complementary set C j so this problem is automatically avoided and the relation in ( 9) can be successfully utilised.Specifically, it can be shown that if a correlation measured defined for two m- Up until this point, these arguments can be applied to either a DV or CV realisation of Protocol 1.However, there are still several issues that need to be dealt with in order to evaluate the secure fraction for a realistic CV protocol where the conjugate bases are approximate quadrature measurements made via homodyne detection.Two primary issues are that real quadrature measurements have a finite resolution (δ X , δ P ) and a finite range The first problem can be dealt with evaluating the complementarity constant in (9) for a coarse-grained observable that accounts for the finite resolution and the second by introducing an additional test to the protocol where the dealer taps off a small portion of the their incoming light with a beam-splitter of transmission η and makes an estimate of the input energy, either via heterodyne [53] or direct [55] detection.The protocol is aborted if too large a value is observed, which ensures that the energy of the input state is appropriate for the range of the detectors being used.Following previous CVQKD literature [52,53] shown that, given a correlation threshold d j 0 passed by the set C j and an energy threshold α, an ( s + c )-secure secret string can be extracted of length, where and µ is a complicated constant that depends upon the thresholds (d 0 , α), block sizes (m, t), security parameters ( s , c ) and detection parameters (δ X,P , M X,P , η).A full security proof is given in Appendix B. The entropic uncertainty relation in ( 9) is presently the only known technique for the composable finite-size analysis of homodyne based protocols, but it is known not to be tight in typical QKD scenarios [53,56,57] leading to overly pessimistic predictions.We can also calculate simpler, idealised rates in the limit of infinitely many rounds and perfect detection and information reconciliation.Here, it has been shown that so-called collective attacks -where the malicious parties act in an i.i.d.(independent and identically distributed) manner -are optimal [58].We first evaluate the secure fraction in (8) directly where the min-entropy limits to the von Neumann entropy via the asymptotic equi-partition theorem is the conditional von Neumann entropy of X A given the quantum system E, U j with H(X) = − x p(x) log 2 p(x) and S(ρ) = −tr (ρ log 2 ρ) the Shannon and von Neumann entropies, respectively.Then, with perfect error reconciliation, we have that the amount of leaked information during reconciliation with a trusted subset becomes i EC = mH(X A |X Ti ).Finally, in the asymptotic limit only a negligible amount of data needs to be sacrificed for parameter estimation so we have that p → 1 and thus m → L. In this limit, we recover the expected asymptotic formulas where in the third line we have rewritten the key rate in terms of the mutual information and the Holevo quantity These asymptotic results have been derived in Ref. [35], however, the manner in which they go on to bound these quantities is unnecessarily pessimistic.This is because they also utilise an entropic uncertainty relation for ideal quadrature measurements following the results for one-sided device independent (1sDI) CVQKD in Ref. [56].The authors of Ref. [35] go on to describe the 1sDI nature of their proof as being crucial for protection against participant attacks.However, as we have explained above the essential ingredient in their security proof is actually that there is always some part of the parameter estimation process where each possible untrusted subset is excluded.Within a given check, it is perfectly safe to assume that the trusted parties have well characterised devices and therefore a 1sDI protocol is not mandatory.Instead, in the asymptotic regime, where collective attacks are known to be optimal [58], we are free to use the results from Refs.[59,60] based on Gaussian extremality to obtain tighter rates.Note that to apply these methods it is necessary to reconstruct an entire covariance matrix rather than just a correlation measure.

III. NETWORK CODING ADVANTAGE IN BOTTLENECK NETWORKS
Recent work has seen a substantial interest in notions of network coding and multi-partite entanglement for quantum communication, aimed at understanding in what way multipartite schemes may outperform point-to-point schemes.Indeed, important steps have been taken, in particular on how multi-partite states can be distributed and manipulated [19,[61][62][63][64].This is largely motivated by recent experimental and technological developments [65,66] that render ideas of quantum networks and the quantum internet plausible [43,67].At the same time, it seems less clear how to arrive at a setting in which there is a genuine quantifiable network coding advantage over point-to-point schemes.
In this section, we make an affirmative claim of a network coding advantage in a CV bottleneck network.At the heart of the protocol devised is the concept of a CV graph state, the continuous variable analog of a graph state.In the canonical construction (see Appendix A) each node of the graph is intialised in a squeezed vacuum state and each edge corresponds to an entangling gate that also requires active squeezing.The first work to show a concrete performance enhancement when using multi-partite entanglement for cryptography [62] has focused on conference key agreement (CKA) sometimes called NQKD [68].In a CKA protocol all players are assumed to be honest the goal is for the dealer establish a key that can be reconstructed by each player individually.In Ref. [62], the authors have considered a network featuring a bottleneck where the dealer, Alice, is separated from the other players, by a central hub H, with the ability to carry out entangling gates.Each player is connected to H by a quantum channel.
For the case of perfect channels, a bi-partite scheme for either CKA or QSS would require n network uses to conduct a QKD protocol with each Bob, but for a multi-partite entanglement based scheme only one use would be necessary.In Ref. [62] the authors analysed a GHZ state protocol and found an entanglement advantage persisted in the presence of depolarising noise in both the channels and entangling gates provided the noise was sufficiently small.However, this work considered the rather unrealistic case of perfect state transmission, i.e., for lossless channels.
Here, we will consider CV QSS over a bottleneck network for the simplest non-trivial scenario with n = 2 Bobs (Fig. 2).To map out the ultimate limits to performance advantage in this scenario we first present asymptotic key rates using finite squeezing for the graph states but with all other parameters being ideal.The links are modelled as pure loss channels which are an excellent first approximation to a fibre optic network.
There are several considerations that are specific to the fact that this is CV protocol.The first is that there are two different ways for the entangled state to be distributed across the bottleneck network, although both only require a single network use.The hub can simply create an entangled state and send one mode to each player (Hub-Out) or, alternatively, one player could create a two-mode graph state and send one half to H where it will be entangled with a third mode and then distributed amongst the remaining players (player-in).For a DV protocol, a pure loss channel only effects the probability of photon arrival and the two methods would yield identical states with the same transmission probabilities.However, for the CV case the entangling gates do not commute with the lossy channels and a different entangled state is distributed depending upon which network coding method is employed.Note that the method where the initial entangled state is created at the central hub substantially more practical as it can be achieved using only offline squeezing.In other words, the required entangled state can be made beginning with three squeezed vacuum modes that are passed through an appropriate linear optical unitary.
The second CV specific point is that, for similar reasons, with a player-in strategy it matters whether the player who initially transmits the state is the dealer (who is the reference player in the sense it is their measurements that will make up the secret key) or one of the Bob's.This is essentially the same asymmetry observed in CVQKD where one finds different keyrates for so-called direct and reverse reconciliation [69].A similar effect occurs even with a Hub-Out strategy if the hub prepares an asymmetric graph state (e.g., a line graph as opposed to a fully symmetric graph).Third, for a fixed, finite amount of available squeezing there is in fact a whole family of CV graph states where the squeezing is divided between the initial squeezed vacuum states and the CPHASE gates that create the graph state.This should be optimised over for a given secret sharing protocol.Lastly, CV graph states generally have asymmetric quadrature correlations and therefore it is crucial to make an optimal choice for which quadrature is encoded with the key and which is used as the check.This optimal choice is dictated by the correlation structure of the graph state (see Appendix C 1 for a detailed explanation) Since offline squeezing is much more practical with present technology, here we will only consider a Hub-Out strategy, where a three-mode line graph is created to implement a (2, 2)-threshold scheme over a bottleneck network of lossy fibre-optical channels.For the squeezing resource we will assume an initial available squeezing of 15dB corresponding to the state of the art values for measured vacuum squeezing [70].The term measured squeezing refers to the fact that the actual squeezing generated by state of the art nonlinear processes is typically much higher (>20dB) but due to system losses the real output is a slightly mixed state which produces a smaller measured squeezing.We model this setup in detail later, but for now, we approximate the output as a pure state but with a degree of squeezing limited to the measured value.Given a maximum initial, offline squeezing value, one can use the Bloch-Messiah decomposition to construct a family of approximate graph states where the is a freedom to divide this squeezing 'budget' between the entangling gates and the initial squeezed vacuum states that would appear in the equivalent canonical construction.For all key rates plotted here we will optimise over this choice (see Appendix C 1 for details).
For simplicity, we will consider a symmetric network with the players situated at an identical distance from the central hub such that T A = T 1 = T 2 = T .In Fig. 3, we plot the secret sharing rate given by Eq. ( 13) as a function of the distance in kilometres, d, which is related to the transmission via T = 10 −.02d .A multi-partite entangled strategy also enjoys a qualitative advantage over any QKD based implementation in that the dealer, can in fact be chosen after the quantum states have been distributed.However, the choice of dealer will effect the performance.For a three mode line graph there are two possible configurations depending on whether the dealer possesses the middle mode or one of the edge modes (due to the symmetry of our network the two edge-modes are result in identical rates).Interestingly, we see that for all transmissions it is favourable for the dealer to be sent the middle node in the chain.
Turning to the comparison with bQSS, we can straightforwardly compute a benchmark [71] by evaluating the secret sharing rate for a scheme based upon a bi-partite CVQKD protocol between the dealer and each player with the same squeezing resources, and then dividing by the number of additional network uses required.The asymptotic rate of an (n, n)-scheme over the same symmetric bottleneck network is then Note that we can compute the key rate for more than one Gaussian CVQKD protocol.The two natural choices are: (i) the optimal protocol where Alice sends Gaussian modulated squeezed states (or equivalently homodynes one half of a two-mode squeezed vacuum) and the Bobs homodyne detect; the protocol where Alice sends Gaussian modulated coherent states and the Bob's homodyne detect.This latter protocol is less loss tolerant, but requires no squeezing and is thus very cheap, robust and often favoured in field implementations so we also include it as a comparison.All key rates are computed in Appendix C 1.In Fig. 3, it can be seen that graph state secret sharing Secret key (bits/network use) Comparison of secret sharing rates as a function of transmission radius for a symmetric lossy bottleneck network between entanglement based protocols (solid lines), the corresponding CVQKD based protocol based on squeezed states (dashed yellow) coherent states (dashed purple) or the best possible bi-partite point-to-point protocol (dashed black).The maximum available squeezing is 15dB and the graph state generation process is optimised with respect to this limit.
achieves a higher secure rate for short distances, outperforming the corresponding squeezed state bQSS protocol up until a transmission radius of over 3 km and the coherent state protocol till 7 km (meaning the parties could be as far away as 7 and 14 km respectively).For an even more dramatic illustration of the potential benefits of multi-partite entanglement, This represents the maximum possible rate for any QKD based secret sharing protocol over the same network, even including unlimited squeezing or input energy.Remarkably, an entanglement based protocol with finite squeezing can outperform even this benchmark for a transmission radius of up to approximately 2.5km.The relative performance of the multi-partite protocol, being superior for low environmental degradation but inferior for higher transmission losses, is consistent with previous work [62] and can be understood as follows.For bQSS schemes, there is only ever one channel in use for a single QKD protocol, which is then leveraged into the full QSS protocol.In the multi-partite, the malicious parties can collect information from all channels simultaneously, which leads to much worse performance as the loss of the individual network links grows higher.This is why the multi-partite advantage vanishes when the loss is above a certain threshold.
We further investigate the parameter regimes where our multi-partite strategy enjoys and advantage over the various bi-partite benchmarks in Fig. 4 by mapping out the contours of squeezing and transmission radius for which the key rates coincide.Firstly, these curves show that for this bottleneck scenario, QSS protocols are only superior for intra-city net- For the network given in Fig. 2 our entanglement based protocol outperforms an optimal, infinite energy bi-partite QKD based protocol for all values of initial squeezing and transmission radius above the solid black line.The advantage region compared to a squeezed (dashed red) and coherent (dashed blue) state CVQKD protocol with the same energy/squeezing resources is also shown.
works with a radii of 3-6km.On the other hand, whilst beating the ultimate PLOB limit requires at least 12.5 dB of squeezing or more, values of around 6dB are sufficient to to surpass the comparable CVQKD protocols based on squeezed or coherent states up to radii of 2 km and 4 km respectively.Crucially, protocols utilising Gaussian CV entanglement are deterministic and run at the same raw clocks speed as standard CVQKD methods.This means that these advantages will directly hold in terms of secret bits per second.This is in contrast with most optical DV GHZ experiments where the non-deterministic nature of the state creation process means that generation rates fall substantially as the number of parties grows beyond the bi-partite case.This means that for current DV implementations that an advantage "per channel use" will not necessarily manifest as an advantage "per time".Motivated by this potential for a real advantage with current CV systems we now analyse an implementation with realistic, present-day devices in a composable, finite-size setting.
Firstly, we will consider imperfect reconciliation efficiency such the amount of information leakage becomes IR = H(X A ) − βI(X A : X B ) where β ≤ 1 quantifies the fraction ideal Shannon-limited mutual information achieved by a given error-correction code.Secondly, for homodyne protocols the only known composable security proofs rely on entropic uncertainty relations that, as mentioned before, are provably not tight.Thirdly, real fiber optic channels are not exactly pure loss channels, and instead exhibit a small amount of excess thermal noise.Finally, as well as accounting for the finite dynamic range and detector resolution we also model realistic imperfections in the state generation including cavity escape losses, finite detector efficiency and losses coupling into the transmission fiber.All values are taken from reported experi-mental demonstrations and a full description of the model can be found in Appendix A 4.
To make a fair comparison with a bQSS protocol, we also compute the composable finite-size CVQKD key rate for an implementation with the same level of available squeezing and experimental imperfections.It is important to emphasise that, even when fairly allocating resources in this way, it is not immediately obvious that the multi-partite advantage will survive.A CVQKD protocol can be made more efficient (it is possible to avoid losing rounds due to basis mismatch via pre-shared key) and even with identical noise levels for squeezers, fibre-couplers etc, a QKD based implementation uses less devices in total and hence introduces less noise.A detailed explanation of the comparisons and calculation of the QKD-based secret fraction is given in Appendix C 2. Lastly, although it is arguably unfair to compare these finite-sized results to the asymptotic PLOB bound, we nevertheless include it as an instructive upper bound the best performance possible for bQSS.As well as infinite communication rounds, the standard PLOB bound holds in the limit of perfect devices.To make a fairer comparison and more accurately highlight the advantage of multi-partite entanglement, we make one modification towards realism in the PLOB bound by setting the loss equal to the total effective loss in the realistic implementation.In other words, in Fig. 5 we have assumed that the losses from fibre coupling, squeezing cavity and detectors are unavoidable and the PLOB bound is evaluated via Eq.( 17) but with a transmission of η f (T η d η s ) 2 instead of T 2 .This still corresponds to a protocol with perfect reconciliation efficiency, detector range and resolution, an absence of any excess noise and infinite encoding energy and so can be taken to be an optimistic upper bound for the performance of a bQSS scheme.
In Fig. 5, we find that a realistic, finite-size, multi-partite secret sharing scheme can no longer surpass the PLOB bound.This is perhaps unsuprising as the PLOB bound is an inherently asymptotic result.The loss of performance due to finitesize effects in our secret sharing protocol in comparison to standard QKD is discussed in more detail in Appendix C.However, when making the more reasonable comparison to the equivalent realistic bQSS protocol, we see that for sufficiently large block sizes of m = 10 12 there is a quantitative advantage for a transmission radius of up to 2.5 km.A lesser advantage persists for shorter block sizes, but we see that for m = 10 9 the advantage is much smaller and the region is only up to around 1.5 km.
The fact that we first reduced the security of our multipartite protocol to a minimisation over bipartite protocols is critical here.The Gaussian extremality results have only been proven to hold in a bipartite setting, so it has been crucial that we first made this reduction and in order to apply them.
ting.This protocol is secure against general quantum attacks, including participant attacks.When applied to the original secret sharing scheme the proof never certifies a positive key rate but a CV scheme based on Gaussian graph states shows robust performance.Moreover, we showed that for the specific example of a (2, 2) scheme implemented over a three-party bottleneck fibre-optic network, the multi-partite scheme exhibits superior performance for intra-city transmission distances.
In the limit of a large number of communication rounds, this scheme outperforms not only a bi-partite protocol based upon a CVQKD protocol with the same squeezing resources, but even surpasses implementation-agnostic and overly optimistic bounds.Indeed, it even outperforms the PLOB bound which represents the ultimate limit for any point-to-point private communication.Perhaps most importantly, we show that an advantage persists even in the finite-sized regime for a implementation modelled on existing, state-of-the-art squeezing experiments.It is worth noting that in the advantage regime the key rates are also always greater than 1 bit per channel use, therefore automatically also outperforming recent advances in so-called twin-field QKD [75] which can also break the PLOB bound.A demonstration of this proposal, which should be possible with present day technology, would represent a watershed demonstration of a quantitative advantage for multi-partite entanglement based quantum communication using realistic channels.
There are several avenues for future research opened up by this work.Perhaps the most pressing open question is a thorough investigation of how this scheme scales to larger numbers of players over more complicated network topologies (e.g., a butterfly network).Also, for reasons of practicality, in this work we focused only on implementations using offline squeezing but preliminary results suggest that performance could be improved in inline squeezing resources were to become readily available.There is also an in-principle qualitative advantage to entanglement based secret sharing, which is that the identity of the dealer can be chosen after state distribution, albeit at the price of reduced performance.A further interesting direction is the extent to which other quantum coding techniques such as local complementation [19] can be used to ameliorate this problem and fully exploit this added flexibility [76].
Whilst our results indicate implementations with near term technology will only be feasible over metropolitan distances, in future, sophisticated quantum networks [44] that include repeater stations [77][78][79][80] or ones building on fault-tolerant protocols [81,82] may render a multi-partite advantage achievable over much longer distances.
Although this proof fails to give positive key rates when applied to the original HBB proposal with GHZ states, variants of this scheme could still demonstrate useful performance via our proof method [83].On a broader perspective, it is the hope that this work stimulates further studies of protocols making use of multi-partite entangled resources that achieve a genuine advantage over point-to-point protocols, providing further perspective to the field of quantum communication beyond point-to-point schemes.
In this section, we will review the formalism of bosonic Gaussian states as it is needed to describe the protocols considered here and also detail the noise models used.

Preliminaries
Although Gaussian states are supported on infinite dimensional Hilbert spaces, they can be completely described by a finite number of parameters, namely their first and second moments.Similarly, Gaussian operations can be compactly captured by symplectic transformations.For a detailed discussion the reader should consult Refs.[84,85].
A bosonic system can be described in terms of appropriate creation and annihilation operators.For an N mode system it can be convenient to group these into vectors with the creation operators being the Hermitian conjugates of these operators.Such systems can equivalently represented by the quadrature operators defined by âk := 1 2 (x k + ip k ) for k = 1, . . ., N , or equivalently which for an N -mode system we can write as Note that by choosing these particular pre-factors linking the quadrature operators to the annihilation and creation operators we are setting = 2, which corresponds to [x, p] = 2i and will ensure that the vacuum variance is normalised to 1.The symplectic form associated with the ordering defined by (A3 is One can also use a different operator ordering convention and define a vector of quadrature operators, where The symplectic form reflecting the canonical commutation relations takes in this convention the form The two conventions are naturally related by an appropriate permutation operation.For most of this work we will use the convention in (A3) however sometimes it can be more convenient to adopt (A5) and it will be made clear when this is done.
An arbitrary N -mode Gaussian state ρ can be completely specified by a vector of first moments, the displacements in phase space, and a covariance matrix (CM) that captures the second moments.This covariance matrix Γ has entries Covariance matrices of multi-partite systems, which we will label with subscripts, can be written a convenient block form.For example, an arbitrary tri-partite system of a state ρA,B,C can be written as Tracing out a subsystem simply corresponds to discarding the appropriate part of the total CM and considering a principle sub-matrix, so that, for example, the CM of the reduced state ρA,C = tr B (ρ A,B,C ) is given by Measuring out a quantum subsystem via a homodyne detection is given by the appropriate Schur complement [86][87][88].In the above situation if, instead of being traced out, the mode B is measured in the x quadrature, the conditional CM is given by where MP denotes the Moore-Penrose matrix inverse, is the total correlation matrix between B and the joint A, C system and X = diag(1, 0) (for a p measurement we would instead use P = diag(0, 1)).The conditional first moment is given by where m = diag(x B , 0) is the measurement vector where the non-zero entries are Bob's measurement outcomes (in this case in the x quadrature).The analogous result holds for conditioning on a p measurement.
An arbitrary Gaussian unitary can be compactly represented by matrix from the real symplectic group S ∈ Sp(2N, R) so a real matrix satisfying and a vector d ∈ R 2N that together define a corresponding affine transformations of the first moments and a symplectic transformation of the CM given by The specific Gaussian operations we will require for our calculations are single mode squeezing operations in the x quadrature with squeezing parameter r > 0 and a beam-splitter with transmissivity T ∈ [0, 1] where I 2 is the 2 × 2 identity matrix.Finally, we require a two mode entangling gate sometimes called a CPHASE gate or a CZ gate by analogy with qubit systems.A CZ gate gate of strength g is described by the symplectic matrix For one and two mode operations acting on larger systems multi-mode systems we will use subscripts to denote the target modes, and the necessary padding with identity matrices defined implicitly as appropriate, e.g., a single mode squeezing on mode A of a joint A, B system would give rise to where 0 is a 2 × 2 matrix of zeroes.Similarly, a beam-splitter operation between modes A and B of a three mode system would be written as

CV graph states
Equipped with this framework, we can state the definition of CV graph states [36][37][38] as continuous analogues of graph states [18,89] as instances of stabilizer states.At the heart of the concept of a CV graph state is an adjacency matrix of a weighted graph having zero entries for pairs of modes that are not connected and a positive value for pairs modes that are connected.By convention, each mode is initialised in psqueezed vacuum state and the adjacency matrix of a weighted graph captures the interaction pattern.The role of the adjacency matrix in state generation is most apparent if we switch to the ordering convention of Eq. (A5).The symplectic transformation implementing an imperfect CV graph state in this convention is where r parameterises the initial squeezing and the tilde is to emphasise that this matrix is written in a different ordering convention.It takes a moment of thought that these matrices satisfy S ∈ Sp(2N, R).These are imperfect CV graph states [38,39], and become infinite energy improper quantum states in the limit r → ∞.Such imperfect CV graph states are at the heart of our formalism.Another useful way to conceptualise CV graph states are via their nullifiers which are collection of N multi-mode observables defined uniquely for a given adjacency matrix by the equations, where we are again using the definitions in Eq. (A5).One way to understand the correlation structure of these graph states is to think that the original squeezing is now distributed in a nonlocal observable made up of quadratures from the various nodes of the graph state.The perfect graph state arising from infinite squeezing therefore results in maximum correlation and it is straightforward to show that [37,38] lim This will become useful later when choosing the optimal secret sharing strategy.ii)

CZ
iii) FIG. 6. i) Graphical representation of a tri-partite line graph.ii) Canonical generation method, where each graph vertex is initialised in a squeezed vacuum state and the each edge is created via a CZ gate.iii) Practical generation via offline squeezing.Here the squeezers, S , will generally be stronger than those appearing in the canonical construction in ii).
The canonical method to realise a given graph state (Fig. 6.(ii)) is to implement a CZ gate for each edge in the graph.The weight of each edge corresponds to the strength, g, of the entangling gate as per Eq.(A18).Note that a perfect graph state emerges by taking the infinite squeezing limit in the initial squeezed vacuum states as distinct from the taking the limit of infinite weight of the entangling gates.Taking the limit g → ∞ in the CZ gates would not correspond to a perfect graph state.The tri-partite line graph we will be using can therefore be written Finally, a more practical construction is to prepare the graph state via offline squeezing [36].This is done via the Bloch-Messiah decomposition which allows an arbitrary Gaussian unitary to be decomposed into a passive, linear-optical interferometer followed by a single-mode squeezing operations and a second passive interferometer [90,91].When starting from vacuum state, as we are here, the first interferometer can be ignored and an arbitrary graph state can be prepared as per Fig. 6.(iii) by a layer of single-mode squeezers and a final passive unitary.The squeezers in the Bloch-Messiah composition will necessarily be stronger than the initial squeezers in the canonical construction since they must also incorporate the squeezing that would go into generating the CZ operations.Following Ref. [91], we obtain the following decomposition for the graph state given by (A25), where and L is the symplectic transform of the passive interferometer.This can be obtained by essentially carrying out a series of singular value and eigenvalue decompositions of the symplectic transform describing the canonical generation of the target graph state.These can be readily obtained via a mathematical software package and it can also vbe checked that these procedures satisfy G Bloch • G Bloch = G L • G L as required.To further simplify experimental implementation this linear optical unitary can further be simplified into a network of beamsplitters and phase shifters via the Reck [92] or Clements [93] decomposition.

Bottleneck networks
We now turn to bottleneck quantum communication networks.Indeed, using the tools in the previous section we can now fully describe a secret sharing protocol using Gaussian graph states over Gaussian channels which are excellent model for fibre-optic transmission.For the purposes of the discussion in this section it is sufficient consider the case where the sources/detectors are ideal and the only decoherence comes from the lossy channels themselves.This means the total system will be made up of six modes all initialised in the vacuum state.Three modes will be for the tri-partite graph state and three additional modes V A , V B , V C that will model the corresponding loss channels.
When communicating over a bottleneck network the first noteworthy point is that there are two, inequivalent, network coding strategies that could be employed (Fig. 7) to distribute a line graph.The first of these, which we previously denoted the player-in strategy, is where one player first makes a twomode graph state which is sent to the hub.There it is entangled with a third mode and then all modes are distributed to the corresponding players.The symplectic matrix representing the distribution of the tri-partite line graph over a lossy, bottleneck network is The second Hub-Out strategy involves the creation of the line graph directly at the hub and then distribution.The symplectic matrix for the line graph in a hub out strategy is Since loss channels and the entangling gates do not commute, these strategies will result in two different states, as can be readily verified by comparing N L and N LH .Practically speaking, there is a significant difference between the two strategies as only in the Hub-Out case can are all three modes in the one location such that we can make use of the simple, offline squeezing preparation method of Fig. 6 (iii).For this reason, we will only consider this strategy for the re-mainder of the work, but it would be interesting to see what, if any, advantages emerge from the player-in strategy enabled by inline squeezing.
When distributing a line graph, there will be two further possibilities, namely whether the player who is to be the dealer is sent one of the edge nodes of the line or the middle node.Both these possibilities were considered in Fig. 3 where we see that the optimal choice is for the dealer to be the middle node.Note that in Eq. (A29) we have uniquely defined Bob as being the recipient of the central node and hence the optimal dealer.It is also worth noting that with the Hub-Out strategy it is equally possible to prepare a triangle graph as it is a line graph, however our investigations show that this is sub-optimal with respect to the properly chosen line graph.

Modelling an experimental implementation
Whereas our initial, idealised calculations assumed perfect state generation, measurement and transmission through pure lossy channels, in this section we model a more realistic implementation based on past experiments in the literature.A summary of the relevant parameters and their values is given in Table .I and a schematic of the setup is sketched in Fig. 8.

Symbol
Value Description η es 0.99 [70] Escape efficiency η f 0.95 [73] Fibre coupling efficiency η d 0.99 [70] Detector efficiency r 2.68 (23.3 dB) [70] Inferred squeezing T 10 −0.02d(km) Fibre-optic transmission ξ 0.002 [74] Excess noise Turning first to the state generation process, we now consider a finite escape efficiency for the squeezing cavities and a finite coupling efficiency into the optical fibre, which are well modelled by beam-splitters of transmission, η es and η f respectively mixing the incoming mode with vacuum modes.For simplicity we are taking each squeezer to be identical which means the symmetric loss for the escape efficiency which occurs immediately after squeezing can be commuted through the interferometer in the Bloch Messiah decomposition and combined with the coupling efficiency into a single beamsplitter of transmission η c = η es η f .For our calculations we need to infer the initial pure squeezing in Ref. [70].There a combined total loss of η tot = 0.975 is reported along with an measured squeezing of 15.3 dB or equivalently a measured squeezed quadrature variance of V s = 10 −15.3/10 .We can obtain quadrature variance before the loss by inverting V s = η tot V r +1−η tot and finally we find the inferred squeezing parameter of r = − log(V r )/2 = 2.68 or equivalently 23.3 dB.
Secondly, fibre-optic transmission cannot be completely captured by a pure loss channel.In reality, transmission will induce a small but non-zero excess thermal (and thus Gaussian) noise.This thermal-loss channel can be well modelled < l a t e x i t s h a 1 _ b a s e 6 4 = " c 8 e 6 s B g 3 m r Q U j U W h n x k j g W Z 4 Y T U = " > A A A B 8 X i c b V B N S 8 N A E J 3 U r x q / o h 6 9 L B b B U 0 k 8 q B e x 6 E G P F e w H t q F s t p t 2 6 W Y T

a t e x i t s h a 1 _ b a s e 6 4 = " r M U D 6 U G / m M n h 9 L z N n 9 C 9 e y X P G z k = " >
R e L P S L 5 4 N C p / P x 6 P S q 3 c Z 7 M t a R K h M J Q T r R u + F 5 s g J c o w y n G Y b S Y a Y 0 L 7 p I s N S w W J U A f p 5 N q h e 2 q V t t u R y p Y w 7 k T 9 P Z G S S O t B F N r O i J i e n v f G 4 n 9 e I z G d q y B l I k 4 M C j p d 1 E m 4 a 6 Q 7 f t 1 t M 4 X U 8 I E l h C p m b 3 V p j y h C j Q 0 o a 0 P w 5 1 9 e J N X z g n 9 R 8 M o 2 j W u Y I g O H c A J n 4 M M l F O E W S l A B C v f w B C / w 6 k j n 2 X l z 3 q e t S 8 5 s 5 g D + w P n 4 A W r / k r o = < / l a t e x i t > ⌘ c

< l a t e x i t s h a 1 _ b a s e 6 4 = " r M U D 6 U G / m M n h 9 L z N n 9 C 9 e y X P G z k = " >
R e L P S L 5 4 N C p / P x 6 P S q 3 c Z 7 M t a R K h M J Q T r R u + F 5 s g J c o w y n G Y b S Y a Y 0 L 7 p I s N S w W J U A f p 5 N q h e 2 q V t t u R y p Y w 7 k T 9 P Z G S S O t B F N r O i J i e n v f G 4 n 9 e I z G d q y B l I k 4 M C j p d 1 E m 4 a 6 Q 7 f t 1 t M 4 X U 8 I E l h C p m b 3 V p j y h C j Q 0 o a 0 P w 5 1 9 e J N X z g n 9 R 8 M o 2 j W u Y I g O H c A J n 4 M M l F O E W S l A B C v f w B C / w 6 k j n 2 X l z 3 q e t S 8 5 s 5 g D + w P n 4 A W r / k r o = < / l a t e x i t > ⌘ c

< l a t e x i t s h a 1 _ b a s e 6 4 = " r M U D 6 U G / m M n h 9 L z N n 9 C 9 e y X P G z k = " >
R e L P S L 5 4 N C p / P x 6 P S q 3 c Z 7 M t a R K h M J Q T r R u + F 5 s g J c o w y n G Y b S Y a Y 0 L 7 p I s N S w W J U A f p 5 N q h e 2 q V t t u R y p Y w 7 k T 9 P Z G S S O t B F N r O i J i e n v f G 4 n 9 e I z G d q y B l I k 4 M C j p d 1 E m 4 a 6 Q 7 f t 1 t M 4 X U 8 I E l h C p m b 3 V p j y h C j Q 0 o a 0 P w 5 1 9 e J N X z g n 9 R 8 M o 2 j W u Y I g O H c A J n 4 M M l F O E W S l A B C v f w B C / w 6 k j n 2 X l z 3 q e t S 8 5 s 5 g D + w P n 4 A W r / k r o = < / l a t e x i t > ⌘ c < l a t e x i t s h a 1 _ b a s e 6 4 = " 9 r 7 U 3 W q p 3 r 9 X i w N Y 1 j C q 6 v 0 as a beam-splitter of transmission T that, instead of mixing the incoming mode with vacuum, combines it with a Gaussian thermal state of variance 1 + ξ.Thirdly, the homodyne detectors will have a finite efficiency which can also be modelled by a lossy beam-splitter of transmission η d .Finally, for the purposes of the security proof it is necessary to tap off a small amount of the dealers mode for an energy test.This is done via a another beam-splitter of transmission T e that reflected a small amount of light to a heterodyne detector (simultaneous measurement of both quadratures) whilst the transmitted mode is homodyned.

e n N d Z 6 4 o z n z m C P 3 D e f g A D 9 p F S < / l a t e x i t > T e < l a t e x i t s h a 1 _ b a s e 6 4 = " l J T V H H P L P T D / R j R 1 Z Z w 4 v 8 R w C I A = " >
In total this will be a 13 mode system, 4 of which belong to the players (A, B and C for the protocol and B e for Bob's energy test) and the rest which will be attributed to the malicious parties.All are initialised as vacuum states except for the three modes modelling the thermal loss channel which are initialised in a thermal state with variance 1 + ξ.We will label these thermal modes E A , E B , E C as they are assumed to be purified by the eavesdropper.The 6 vacuum modes that are modelling the various losses will be labelled V 1 , . . ., V 6 .Here we will be taking all detector and coupling efficiencies to be equal.In this notation, the entire realistic model is given by the transform, which is precisely reflecting the circuit shown in Fig. 8.The final covariance matrix is given by with Appendix B: Security analysis for CV secret sharing We will now present the details of how the secret-fraction in Eq. ( 10) is derived.Essentially, we generalise the proof of Ref. [35] to the composable, finite-size setting using CVQKD results [52,94] which make use of entropic uncertainty relations for the conditional quantum smooth min-and maxentropies [53,95] which are defined as follows.Consider the classical-quantum state of the kind describing the raw measurement registry of the dealer, Alice, and a malicious adver-sary Eve, This is the quantum state that is transformed via hashing into the final output described by Eq. ( 4).For such a state the conditional quantum min-entropy is defined as where the supremum is taken over all of Eve's possible measurement strategies, i.e., her possible POVM's described by operators {E x A }.The corresponding conditional maxentropy is defined as, The smooth versions of these quantities are then given by where the supremum and infimum are taken over quantum states that are -close in the purified distance where F (ρ, σ) denotes the standard fidelity between ρ and σ.
We can now state a crucial result in quantum cryptography, the leftover hashing lemma with quantum side-information [51,52,94,96].
Lemma 1 (Leftover hashing lemma) Let ρ X A E be a quantum state of the form (B1) where X A is defined over a a discrete-valued and finite alphabet, E is a finite or infinite dimensional system and R is a register containing the classical information learnt by Eve during information reconciliation.
If Alice applies a hashing function, drawn at random from a family of two-universal hash functions that maps X A to S A and generates a string of length l , then for any > 0 where H min (X A |E, R) is the conditional smooth min-entropy of the raw measurement data given Eve's quantum system and the information reconciliation leakage.
Equipped with these tools, we can undertake the security analysis.First, we formalise the arguments behind Eqs. ( 7) and (8).
Theorem 1 (Security of (n, k)-threshold secret sharing) For an (n, k)-threshold secret sharing protocol as defined in Protocol 1 with trusted and untrusted subsets T i ∈ T and U j ∈ U, respectively, let i EC be the amount of error reconciliation information that would be necessary for the trusted subset T i and set EC = max i i EC .A string of length can be extracted that is (ε s + ε c )-secure according to Definition 1 provided that Proof : The correctness follows straightforwardly from the properties of 2-universal hashing as shown in Refs.[48,49].
In step 6 of Protocol 1, the dealer computes a hash of length − log 2 c chosen uniformly at random from a family of 2universal hashing functions and transmits the output and the chosen hash-function to all players.When any trusted subset T i go to reconstruct the secret they first apply the error correction information, EC , to correct their joint estimate of Alice's string and then use this to evaluate the transmitted hash function.If this is identical to Alice's transmitted hash they proceed otherwise they abort.The necessary correctness is now guaranteed since, by definition, the probability that the twohashes coincide if there was an error (i.e. if the reconstructed string differs from Alice's string) is at most 2 log 2 c ≤ c .In order to actually compute the achievable performance we will ultimately need to quantify how large i EC must be in order for a given subset to successfully correct their string and pass the correctness check with high probability and we will explain this in the next section.However, for the purposes of the security proof, however i EC is chosen, passing the hashing check ensured the c -correctness of the conditional output.Moreover, taking the worst over all T i ensures the correctness holds for all trusted subsets, thereby satisfying the correctness condition in Definition 1.In the worst-case where Eve learns one bit of the key for every bit announced during error reconciliation we have that The secrecy is a straightforward consequence of the leftover hashing lemma.Considering Eq. (B4) and redefining the eavesdropper system to include the j th untrusted subset, U j , we can see that by choosing for some 1 > 0 then the right hand side becomes 1 /p pass + 2 .Choosing = ( s − 1 )/(2p pass ) and substituting in Eq. (B4) gives Putting this together and using the fact that log 2 p pass < 0 means that for the unauthorised subset U j a hashing to a key of length will ensure that If the length is chosen by taking the minimum of H min (X A |E, U j ) over all untrusted subsets then the secrecy condition in Definition 1 is immediately satisfied which completes the proof.
All that remains is to find a way to bound the min-entropy for each U j , whilst avoiding any participant attacks.The key insight is that, for any fixed U j , the cryptographic situation is identical to a QKD protocol where the roles of Eve and Bob are played by U j the corresponding complementary set C j .Security for a realistic CV protocol can then be established via the results of Furrer [94].Protection against participant attacks is now guaranteed since the parameter estimation steps exclude the untrusted subset so there is no opportunity for them to cheat by manipulating the observed statistics as suggested in Ref. [7].For completeness we state the necessary theorem in full and sketch the proof, highlighting the point at which the standard participant attacks would occur in a less careful analysis.For a full proof, we refer the reader to Ref. [94].
Theorem 2 (Adapted from Ref. [94]) For an (n, k, m, t, p) secret sharing protocol as defined in Protocol 1, carried out with coarse-grained quadrature measurements of resolution δ X,P and maximum value M , the conditional smooth minentropy H min (X A |E, U j ) of the subset U j in collaboration with Eve, conditioned on passing a correlation threshold d j 0 with the complementary set C j and an additional (T e , α) is lower bounded by where for the smallest v for which is positive and also holds (if either of these positivity conditions cannot be satisfied, the secret fraction is actually zero).Here N = m + t j , V PE P A and V PE P B are the observed variances of the P measurements used for parameter estimation, V PE d is the vari-ance of their absolute difference |P A − P B | and Proof sketch: For a single fixed U j and corresponding C j , Protocol 1 becomes identical to CVQKD protocol of Ref. [94] if we identify the systems C j := B as single entity, Bob, and U j E := E as a single adversary Eve.We can apply the CVQKD proof which we now sketch.The basic idea is to use an entropic uncertainty relation (EUR) for the smooth minand max-entropies.For realistic measurements with a finite range, the corresponding EUR becomes trivial.However, for a sufficiently tight upper bound on the energy of the incoming state, the resultant smooth min-and max entropies can be rigorously related to those of an ideal, infinite-range, measurement for which there is a useful EUR.Such an upper bound is precisely what is achieved by the additional energy test carried out via heterodyne detection.Statistical deviation bounds can then be applied to turn the observed correlations in the certification basis into a guarantee for the smooth min-entropy of the key generation measurements.
Step 1. Entropic uncertainty relation.A realistic quadrature measurement with a resolution δ and finite detection window [−M, M ] can be represented as a series of projections in the corresponding basis onto intervals with k = 2, . . ., 2M/δ − 1 and where the finite range is captured by the semi-infinite end bins.The measurement X A = {E X A i } is given by measurement operators where the intervals are defined according to Eq. (B18) with resolutions δ X .The measurements P B = {E P B i } etc are defined analogously.We allow δ P and δ X to differ but for simplicity will assume that each quadrature resolution is symmetric for all parties and we will take the range M to be the same for all measurements.
By contrast, an infinite-range measurements ( X, X) with the same resolution would be described by the projections onto the intervals These infinite range measurements can be shown to give rise to the following EUR for a joint state vector |Ψ ABE , where we have made the number of measurements m -and the fact that we are specifically interested in the X measurements that were used to generate a secret key -explicit.For this setup, it has been shown that [53,96] q( X, P) = − log 2 δ X δ P 2π • S (1) 0 n (•, u) the radial prolate spheroidal wave function of the first kind and is related to the complementarity of the .Since q( XA , PA ) is positive, for sufficiently good P correlations between Alice and Bob this will give a useful bound on the conditional min-entropy.Unfortunately, for finite measurements the semi-infinite end bins have significant overlap and we find that q(X A , P A ) ≈ 0 and the EUR becomes trivial.Intuitively, we would expect that for states that have a support lying almost entirely inside the range [−M, M ] in both quadratures that the difference between using a finite or infinite range detector should be operationally negligible for all quantities, including the smoothed entropies.This intuition can be made rigorous if we have a bound on the purification distance, which appears in the definitions in Eq. (B2), between the post-measurement states, that would arise from finite or infinite range measurements.Concretely, given a promise that it can be shown that In combination with Eq. (B21) this yields This is now the kind of relationship we have intended to find, where the entropies of the realistic measurements (X, P) are related to one another and the positive, and hence useful, entropic constant of the infinite-range measurements ( X, P).
Next we require a way to bound ˜ .
Step 2. Energy test.Using a beam-splitter with known transmission T e to mix the incoming state with a trusted vacuum mode it is possible to tap off a small amount of the incoming light for analysis.Our goal is to bound the purified distance between states measured with either finite, or infinite range measurements as per Eq.(B24).Unsurprisingly, it turns out this quantity can be bounded as long as we have a restriction on the probability that a detection outside the range [−M, M ] would ever occur during the protocol.Concretely, it can be shown that for a protocol with a total of N rounds that where {|q i | M } denotes the event that the absolute value of a continuous x-quadrature measurement of Alice's i th mode is smaller than M and a corresponding result for P ρ P A BE , ρ PA BE .This probability can be estimated from the tapped off beam.Since we would like to bound the probability for both quadratures it is necessary to perform a heterodyne detection -mixing the tapped of light with a further vacuum mode on a balanced beam-splitter and then measuring the x quadrature on one output and p on the other.We will say that the energy test is passed if, for all rounds, neither quadrature value exceeded some threshold α.Defining p pass as the probability that the test it can then be shown that, conditioned on passing that both P ρ X A E , ρ XA E and P ρ where the function Γ : R + × R + × R + → R + is given by Eq. (B17) Step 3. Statistical bounds on the max-entropy.As mentioned before and EUR describes a counterfactual situation.For example, in our case, Eq. (B25) lower bounds H min (X key A |E), Eve's smooth min-entropy regarding Alice's m key generation measurements, and H −2˜ max (P key A |B), the max-entropy of Bob regarding Alice's measurements if she had instead chosen to measure with P for those rounds.Strictly speaking, we have no direct access to this latter quantity since, by definition, Alice measures with X rather than P for those rounds.What we have instead are the strings P PE A and P PE B arising from the t parameter estimation rounds where Alice and Bob both measured in P.However, provided these rounds were chosen randomly, then these observed correlations can be used to give a rigorous, probabilistic bound on what the correlations between P key A and P key B would have been.These can in turn bound Bob's max-entropy in Eq. (B25).This is the precise point at which the potential for participant attacks formally enters in the security analysis.The situation we find ourselves in is the so-called sampling without replacement scenario and there is an entire machinery of large deviation bounds that use the observed statistics of a randomly chosen sample to probabilistically bound the behaviour of the remaining population.However, all of these results are only valid in the case that the t j parameter estimation rounds were truly chosen at random and constitute a fair sample.In a QKD protocol, or equivalently for a known, fixed untrusted subset of a secret sharing protocol then this condition is automatically satisfied since the probability of a round being used for parameter estimation is determined solely by Alice (equivalently the dealer) and Bob (equivalently the complementary subset) who are trusted by definition.As explained earlier, Theorem 1 shows that by minimising the key rate over all such tests, security of the overall threshold scheme is guaranteed.This is in contrast to the original HBB scheme [4] where every check round is dependent on the basis choice of all players, thereby always including parties who by definition cannot be trusted.Deviation bounds are therefore not valid and security cannot be established.Indeed, it is precisely this problem of malicious participants biasing the parameter estimation statistics that has been exploited in the original works demonstrating attacks that can compromise or completely break the 1.Idealised, asymptotic results In the main text briefly explained how the standard asymptotic key rate arise from the composably finite-sized secret fraction in the limit of infinitely long key exchange and perfect equipment.To recapitulate, starting from Eq. ( 8) we can write the secret fraction for a fixed T i and U j as, + 2 .
In the asymptotic limit, is has been shown that collective eavesdropping attacks are optimal [58], hence we can assume that the state is of the form ρ ⊗m ABE .Then, the asymptotic equipartition theorem for infinite dimensions states that, where the is the conditional von Neumann entropy of Alice's measurement X A given EU j defined in Eq. ( 12).Shannon's noisy coding theorem says that asymptotically, since we are free to assume a i.i.d.structure in the worst case, with ideal error reconciliation we have that A critical point is the value of m, t and t j .If the probability for measuring in the key quadrature is p then, asymptotically, for an (n, n)-threshold protocol we would have that This is because for a valid key generation round we need all three parties to measure in the key basis, and to be a useful parameter estimation round both the dealer and all players in one of the complementary subsets, C j , must have chosen the check basis.For an (n, n) scheme each U j has n − 1 players so each C j consists of just one player.This means that the total number of valid parameter estimation rounds in the probability that the dealer and at least one player both measure in the check basis yielding Thus a total of N = m + t rounds out of the total L rounds are used for either key generation or parameter estimation with the remaining rounds discarded.However, in the asymptotic limit the protocol becomes arbitrarily efficient.In the limit of infinite data then we can still acquire perfect parameter estimation statistics by sacrificing an arbitrarily small proportion of data since for any p in the limit L → ∞ both m and t also tend to infinity.Thus we can take the limit p → 1 which in turn means m → L. Taken together, this gives where in the second line we have used the mutual information and the Holevo quantity to rewrite in the form more commonly found in the CVQKD literature.We can see this analysis is tight since this expression coincides with the asymptotically optimal Devetak-Winter rate [97].The secret sharing rate can then be calculated by taking the worst case for T i and U j , which in fact recovers Eq. ( 13).
To evaluate Eq. (C7), it suffices to recall that, by definition, the joint state vector Ψ ACj Uj E represents a pure quantum state, which means we know that S(E, U j ) = S(A, C j ) and S(E, U j |x A ) = S(C j |x A ). Computing these expressions can be dramatically simplified by first noting that, for ideal measurement devices making perfect quadrature measurements the entire protocol, including the conditional states would be perfectly Gaussian in the absence of an eavesdropper.Secondly, it has been shown that, asymptotically, it is optimal for an eavesdropper that the final state also be Gaussian [59,60].In combination, this with the fact that, asymptotically, it has been shown that the Gaussian attacks are optimal and we can safely assume that the final state is entirely Gaussian.In this case the von Neumann entropy is solely a function of the relevant covariance matrix [84].For an N -mode state on can then write where g : [0, ∞) → [0, ∞) is defined as and where the {λ k } again are the symplectic eigenvalues of the corresponding covariance matrix Γ, which are defined by the (singly counted) eigenvalues of the matrix |iΩΓ|.Note that this is different from the strategy adopted by Ref. [35], where they instead bounded the malicious parties information (or equivalently their conditional entropy) via and EUR for the asymptotic von Neumann entropies and ideal quadrature measurements [53] This approach could be thought of as first applying the finitesize min-and max-entropy EUR of Eq. ( 9) which holds without any assumptions and then taking the asymptotic limit and invoking the asymptotic optimality of collective attacks.However, as explained in the main text, this is unnecessary and will result in pessimistic estimates of the key rate due the looseness of the EUR in the relevant case [57,94].Therefore, in the asymptotic setting the key rates for secret sharing in this work are higher than those found in Ref. [35].Turning to our concrete situation of a (2, 2)-scheme using Hub-Out transmission over a lossy bottleneck network, we can now compute everything given the output CM.For an ideal system, where the only imperfections are the losses from the channel transmission the final CM is given by with N LH given by Eq. (A29).Equivalently, one could take Eq.(A32) in the limit of perfect implementation (η d = η c = T e = 1, ξ = 0).For example, assuming an honest Bob and Alice encoding her key in the x basis, the Holevo information of a dishonest Charlie collaborating with Eve is The CM Γ A,B is simply the appropriate sub-matrix of Eq. (C10) and the conditional CM Γ B|x A can be obtained from Γ A,B via the Schur complements in Eq. (A12).Notice that, in comparison to Eq. (C7), there is now no sum over x A .This is because the conditional CM is independent of the actual value of x A .
For Gaussian distributions the mutual information between Alice's x measurement and Bob's p is given by where V X A and V X A |P B are given by the first entry of Γ A and Γ A|p B respectively.To get the secret sharing rate we have to carry out the same computation for an untrusted Bob and a trusted Charlie and take the minimum to obtain the secret sharing rate.
Although the secret sharing rate must be minimised over the subsets, it is permitted (and indeed essential) to maximise the rate over the choice for which basis is used for key generation and which for certification.One might well ask, in the above calculation, why did we choose to have Bob make his guess of X A by measuring his p quadrature?For that matter, why did we choose to have Alice encode in x?The answer to both lies in the correlation structure of the underlying graph state.This is nicely captured by the nullifiers of the graph state defined in Eq. (A23), which allow us to read off Alice's optimal encoding choice and also Bob and Charlie's correct measurement given Alice's choice.Here the stabilisers are given by Given an encoding choice the nullifiers also immediately define which of the variable players will be correlated with the key generation and check measurements of the dealer.Now that we know how to choose the key generation and certification measurements for a given choice of dealer, we turn to the question of the optimal choice of dealer.It turns out that for this case a positive secret sharing rate can be obtained for any choice of dealer.This is an attractive feature because, in principle, the states could be distributed and measured and the dealer chosen later on.However, assuming that the dealer is know beforehand, there asymmetry of the line graph means that there is an optimal choice.By inspection, for the three qubit line graph and symmetric transmission losses the correlations are identical for whoever is sent one of the two 'ends' of the line graph.However, the participant who receives the middle node observes different correlations.These two possibilities were addressed in Fig. 3 from which we see that the optimal situation is where the dealer is given the middle node of the graph.Due the the alphabetic ordering convention, in our work the middle node is always given to Bob, so from now on make the optimal choice and designate Bob as the dealer.Finally, note that when the dealer is in the middle node then for, by construction, for the case considered here the secret sharing rate is identical regardless of which of the two 'end' players (Alice or Charlie) is untrusted meaning the maximisation of the Holevo information in Eq. ( 13) becomes redundant.However, if the dealer is an end node the correlations are not identical and the maximisation must be checked explicitly.
The final ingredient in evaluating the secret sharing rate is the allocation of squeezing resources.In order to make a fair, finite-squeezing comparison with a CVQKD protocol we will fix a maximum squeezing parameter r max that can be achieved.If we considered making the graph states via the canonical process of implementing CZ gates (which also require squeezing to implement) between already-squeezed states it is unclear how to easily constrain the CZ gain g and the initial squeezing r to satisfy our overall constraint.However, when using the Bloch-Messiah decomposition, which is in any case much more practical, this is straightforward.In this implementation, a canonical graph state of initial squeezing r and CZ gain g is decomposed into a set of single-mode squeezers with parameters r A , r B and r C given by Eq. (A27).Now we simply constrain the largest of these to be less than r max and then optimise Eq. ( 13) over the achievable combinations of effective r and g for each transmission.The optimal choice of 0 ≤ r ≤ r max for the curves in Fig. 3 is shown in Fig. 9.We see that for the this case, with r max ≈ 1.76, the optimal effective r starts at just under half the maximum value and then declines with increasing losses before flattening out.Interestingly, there is a slightly different optimal choice de-pending upon whether the dealer is is the middle (Bob) or the edge (Alice and Charlie) of the graph.Optimal value for the initial squeezing in the equivalent canonical graph state generation method given that the state is actually being created by offline squeezing via the Bloch-Messiah decomposition given in Eq. (A26).The optimal values for the case where the middle node (red) or edge node (blue) are the dealer (corresponding to the curves in Fig. 3) are plotted as a function of transmission distance.
Finally, we turn the the benchmark comparisons.For the PLOB bound we only need the effective transmission between Alice the players (this is the same since the network is symmetric) which is given by T 2 .Substituting this in the result of Ref. [47] and recalling that the rate must be halved since two network uses are required for a single secret sharing round gives Eq. (17).The CVQKD curves in Fig. 3 have been calculated by having the dealer create a two-mode squeezed vacuum state with squeezing given by r max > 0, which is then transmitted through a lossy channel of transmission T 2 again modelled by beam-splitter mixing in a vacuum mode.The evolution for state generation and transmission between Alice Bob (also Charlie since the situation is symmetric) is given by In Fig. 3, we plot two comparison protocols, one where Alice makes a homodyne measurement (equivalently sends squeezed states) and one where she heterodynes (sends coherent states).Explicitly we have, for both protocols and, when Alice homodynes and when Alice heterodynes and introduces an extra unit of shot noise.This CM allows the CVQKD rate of Eq. ( 16) to be straightforwardly evaluated for an RR protocol where Bob switches between quadrature measurements.The conditional variances and symplectic eigenvalues to evaluate the above expressions can be obtained from Alice and Bob's modes of the CM Γ = N QKD ABV • N QKD ABV and applying Eq. (A12) as necessary.Finally, the appropriate PLOB bound is given by Eq. ( 17).

Realistic, finite-size results
Turning to evaluating the composable, finite-size secure fraction in Eq. ( 10), we begin by fixing the target secrecy and correctness parameters ( s , c ).Based on our analysis of the asymptotic case we know to designate the middle node as the dealer and that because of the symmetry of the situation we will obtain the same secret fraction when assuming either player is dishonest.For each transmission we will use the optimal choice of the effective r and g found in the asymptotic case for graph state generation.There are several more parameters that can be chosen and (to some extent) optimised over: the detector resolutions (δ X , δ X ), the energy test beamsplitter T e , the positive constants in the security proof ( 1 , µ ) and the probability of any party choosing to measure in the key generation basis p.Initial investigations showed that in the regimes of interest the keyrate is only weakly dependent on most of these parameters, except for the key generation probability p.This is because we are interested in parameters where the multi-partite and bi-partite schemes cross over, which is when both keyrates are still far above zero and with large block sizes N = m + t.

Symbol
In this regime, one can have a p close to one whilst achieving sufficiently large parameter estimation measurements such that any statistical errors are small.This makes the parameters such as 1 , µ and T e less critical.Hence, in our analysis we chose fixed values for all parameters (Table II except for p, which has been optimised over.
Given fixed values of all of the parameters, to evaluate the expected secret fraction we need only compute the expected value of the distance, the second moments, V PE A , V PE B and V d and the amount of reconciliation information EC .Taking Al-ice to be the trusted parties carrying out parameter estimation we have, where the probability distribution for Alice and Bob's discretised measurement outcomes is given by where the integration intervals are defined in Eq. (B18) and Pr(q A , q B ) is the underlying distribution of Alice and Bob's parameter estimation variables.In the absence of an eavesdropper all the first moments vanish so we have dropped them.We have written q A and q B for the parameter estimation variables because, depending on the graph structure, either quadrature could have been designated for parameter estimation depending upon the initial graph structure.In this specific case, the parameter estimation observables are pA and xB .A final point is that the players are free to scale their measurement results to avoid artificially underestimating their correlations.For example, in an asymmetric network where Charlie's channel is twice as lossy as the other players, it is clear that his measurement values will be correspondingly 'damped' and all participants should take this into account.In this present case, given his knowledge of what the communication network should be in the absence of tampering, Bob can determine what scaling factor he should apply to maximise his correlations with Alice.Utilising Eq. (A13) and the fact that prior to measurement all first moments should be zero, a measurement by Alice returning a value p A will project Bob's mode into a Gaussian state with mean vector r B = C A,B (PΓ A P) MP diag(p A , 0) := diag(a p A , 0) (C19) for a constant a > 0. Therefore, if Alice re-scales her measurements by a factor of a, defining q A = ap A , then this new variable will be have a distribution centred about Bob's measurement value and a conditional variance of This leads to a joint probability distribution for this re-scaled variable of.
Pr(q A , x B ) = Pr(x B )Pr(q The expected correlations for a realistic implementation described by the CM given by Eq. (A32).The quantity V X B is given by the first entry of Γ B and direct substitution in Eq. (C19) gives With an explicit form for (q A , x B ) → Pr(q A , x B ), Eq. (C18) can be numerically integrated and the quantities in Eq. (C17) computed.
The last ingredient to evaluate the secret fraction are the block sizes involved and the expected number of network uses required to achieve them.We proceed by first fixing the desired block size for the key generation m.For a given value of p we expect this to take, L = m p 3 (C24) network uses.The expected number of parameter estimation rounds with any player should then be given by This is everything required to compute the smooth minentropy and finally the information leakage during error correction is well approximated by [72,94], where H(X B ) and I(X A : X B ) are the entropy and mutual information of the ideal Gaussian distributed variables.This gives (C27) where we are abusing notation slightly by continuing to use δ X to refer to the resolution in the key generation basis, while explicitly using the fact that the key generation basis is actually made by Bob measuring in the p quadrature.The necessary variances and conditional variances are again given by Eq. (A32).For each transmission the expected secret fraction can now be computed for the fixed parameters of Table II and an optimised value of p which is shown in Fig. 10.Turning to our benchmarks, a fair comparison with a bipartite QKD protocol is obtained by considering an bi-partite CVQKD protocol implemented with the same escape, detector and fibre coupling efficiencies and maximum allowed squeezing of Table I.However, this bQSS scheme will only require two squeezers to make an EPR state rather than the three required for the graph state.The second difference is that we must now consider transmission through the two 'arms' of the network to connect Bob with Alice and Charlie in turn.To maximise the key rate in this situation it is optimal to carry out a reverse reconciliation (RR) protocol [69], where the players (Alice and Charlie) transmit a quantum state to the dealer (Bob) and then try and guess his measurement outcome.Furthermore, previous work on CVQKD with 'entanglement-inthe-middle' has established that this is always inferior to a standard RR protocol [98].In our language, for carrying out CVQKD, the Hub-Out strategy is always inferior.
A realistic protocol with this transmission strategy from Alice to Bob is described by an overall evolution of a 7 mode system (a mode for Alice and Bob, an extra mode, B e , for Bob's energy test, two thermal modes, E A , E B , for the trans-mission through the thermal loss network from Alice to the hub and from the hub to Bob and 4 vacuum modes for the detector and experimental efficiencies for each of Bob and Alice) given by Note that this bi-partite implementation experiences slightly less loss than the multi-partite version because Alice's mode can be directly detected rather than being coupled into an optical fibre.This is why Bob's mode experiences an efficiency of η c = η f η s whereas Alice's experimental efficiency is η s .
Next, we must calculate the block sizes for a given key generation probability, p, which will be optimised over.Here, we see the importance of a finite-size analysis since the QKD protocol has a different, and strictly higher, performance.This is because, in a bi-partite scheme, Bob can take his partner to be trusted and so they can agree ahead of time on a random selection of runs to be used for parameter estimation.This means, for a fixed p and desired m, the total number parameter estimation strings is given by In this sense, the QKD scheme is always more efficient as there are not wasted rounds due to basis mismatch.The penalty for this is that the participants will need to refresh the extra pool of pre-shared key of length h 2 (p)L bits to use for choosing the parameter estimation rounds in the next run of the protocol.This means the length of secret key for the CVQKD protocol is given by With the protocol parameters fixed to be the same as in Table II and given target m, the block sizes are given by Eq. (C29) and all the necessary correlations to compute the expected values of the parameter estimation quantities in Eq. (C17) can be obtained from the first two modes of the global CM Γ = N QKD exp • N QKD exp .These are then used to lower bound the min-entropy via Eq.(B11) and the information leakage in in Eq. (C27) which gives the secret fraction.To make the curves in Fig. 5 the key generation probability has been optimised over and the resulting optimal probability for the CVQKD protocol is shown in Fig. 10.
Finally, to make a fair comparison with the PLOB bound, we set the total transmission to include efficiency of the fibrecoupling.This means the asymptotic PLOB bound becomes Appendix D: Discussion of the Williams et al. protocol In this section, we further discuss the alternative security proof method of Williams et al. [40] for a variant of the original HBB protocol.Here the multi-partite state is a DV GHZ state and the players switch between Pauli X and Y measurements.In this work, the parameter estimation checks now always involve all players, which is precisely how participant attacks entered in the first place.However, in the protocol of Ref. [40] they are thwarted by the introduction of a randomisation in the order of announcements.After all states have been transmitted, the dealer randomly chooses a round to be disclosed for parameter estimation and and randomly picks an untrusted subset to announce first.As long as the players have no way to know which rounds will be used for parameter estimation and whether or not they will have to announce first then there is no way for dishonest players to meddle with the statistics.
Since it is crucial that the players cannot tell a priori whether a round will eventually be used for parameter estimation or key generation, it is essential that there is no predesignated key basis and that basis choices are made with p = 1/2.To see why, consider the case of two players where it has been pre-designated that the dealers Y measurement would be the key and their X basis used as the check.Now, even if a dishonest player is told to announce their basis first, the mere fact that it is a parameter estimation round means they still cheat the test because they know the dealer will be measuring in the X basis.Assuming they have made the same attack as in Ref. [7], they now have both particles of the original GHZ state and also one half of an entangled pair shared with the honest player.First, they can learn the dealers measurement perfectly by measuring their GHZ particles.Secondly, the dishonest player can announce either X (respectively Y ) and then also measure their Bell pair shared with the honest player in that basis.The round will now only be kept if the honest player also measured X (respectively Y ).If it is not discarded, the dishonest player knows what values the dealer and honest player obtained, and can thus announce the correct value themselves.This is why, in Ref. [40], it is stipulated bases are chosen with p = 1/2 and that a portion of each basis is used to certify key generated in the other.As explained in the main text, this means the protocol cannot be made arbitrarily efficient.Whilst the factor of 1/2 removes any possible advantage in a (2, 2)-threshold scenario, for larger n it is possible that this strategy could be effective and possibly even superior.Firstly, the probability that a round is useful remains at 1/2 for arbitrarily many players.Secondly, because all players are involved in the check measurements the correlations observed will be higher than in the strategy pursued here where in a given check the untrusted subset is effectively traced out.
However, the necessary amount of parameter estimation data now scales in the number of players.Each scenario of a given untrusted subset announcing first must be treated as its own QKD protocol.This means for a (n, k)-scheme is will be necessary to acquire n k many parameter estimation data sets.A detailed analysis of the best strategy for a given finite block size and larger number of players is an important question for future work.
max ✏ s < l a t e x i t s h a _ b a s e = " N + i F k n P e X T l p J M d L d / v D I r + o = " > A

1 <
s 7 / 8 I v s L P x W 5 w 8 C k 0 8 c O F w z r 3 c e 0 + Q C K 6 N 4 3 y h 3 N r 6 x u Z W f r u w s 7 u 3 f 1 A 8 P G r q O F W U e T Q W s W o H R D P B J f M M N 4 K 1 E 8 V I F A j W C k a 3 U 7 9 1 z 5 T m s W y Y c c L 8 i A w k D z k l x k p e o 5 e 5 k 1 6 x 5 J S d G f A q c R e k V D m p f / P 3 6 k e t V / z s 9 m O a R k w a K o j W H d d J j J 8 R Z T g V b F L o p p o l h I 7 I g H U s l S R i 2 s 9 m x 0 7 w u V X 6 O I y V L W n w T P 0 9 k Z F I 6 3 E U 2 M 6 I m K F e 9 q b i f 1 4 n N e G N n 3 G Z p I Z J O l 8 U p g K b G E 8 / x 3 2 u G D V i b A m h i t t b M R 0 S R a i x + R R s C O 7 y y 6 u k e V l 2 r 8 p O 3 a Z R h T n y c A p n c A E u X E M F 7 q A G H l D g 8 A B P 8 I w k e k Q v 6 H X e m k O L m W P 4 A / T 2 A 3 k g k i k = < / l a t e x i t > T l a t e x i t s h a 1 _ b a s e 6 4 = " w 5 o length strings (X, Y ) as d(X, Y ) := (1/m) m i=1 |X − Y | i is greater than some threshold, d 0 , then H max (P m A |C j ) can be upper bounded.Using Serfling's bound the observed correlations d(P tj A , P tj Cj ) can be used to estimate a d 0 that would have been satisfied by d(P m A , P m Cj ).The same arguments apply for other quantities obtained during parameter estimation, such as a covariance matrix.

FIG. 4 .
FIG.4.Asymptotic advantage region for entanglement based secret sharing.For the network given in Fig.2our entanglement based protocol outperforms an optimal, infinite energy bi-partite QKD based protocol for all values of initial squeezing and transmission radius above the solid black line.The advantage region compared to a squeezed (dashed red) and coherent (dashed blue) state CVQKD protocol with the same energy/squeezing resources is also shown.

FIG. 7 .
FIG.7.Different strategies for distributing graph states through a bottleneck network.The player-in strategy (left) is a two step process: i) Alice makes a two-mode graph state and transmits one mode to the Hub; ii) the Hub entangles this with a third mode, creating a tri-partite graph state, and sends one mode to Bob and the other to Charlie.In the Hub-Out strategy (right) the hub creates the tri-partite graph state directly and transmits one mode to each player in a single step.Unlike the player-in strategy this method can distribute a triangle graph (top) as well as a line (bottom).

FIG. 8 .
FIG.8.Schematic of realistic experimental implementation.Various imperfections are modelled as loss channels with the ground symbol representing lost modes that will be attributed to the dishonest parties.
FIG.9.Optimal value for the initial squeezing in the equivalent canonical graph state generation method given that the state is actually being created by offline squeezing via the Bloch-Messiah decomposition given in Eq. (A26).The optimal values for the case where the middle node (red) or edge node (blue) are the dealer (corresponding to the curves in Fig.3) are plotted as a function of transmission distance.

FIG. 10 .
FIG.10.Optimal value for the probability of key generation as a function of transmission distance for multi-partite (solid) or bi-partite (dashed) protocols.Optimal curves for block sizes of m = 10 12 (blue) and m = 10 9 (red) are shown.

N
QKD exp = BS B,V3 (η d ) • BS A,V4 (η d ) • BS B,Be (T e ) × BS B,E B (T ) • BS B,E A (T ) • BS B,V2 (η c ) × BS A,V1 (η s ) • BS A,B (1/2) • S A (r max ) × S B (r max ).(C28) FIG.2.A tri-partite quantum communication scenario between a dealer, here player A, and two other players, B1 and B2.This quantum network with a central router H, which is able to produce and entangle qumodes, exemplifies a network with a bottleneck.The CV graph state used in the multi-partite entanglement QSS protocol, can be distributed in a single network use (i.e., each channel transmits a single qumode only), while (n−1) uses of the network are necessary in the bQSS protocol.

TABLE I .
Parameters for realistic experimental model.

)
From this we can immediately read off that the optimal choice for Alice is to encode her key in xA , because it is correlated with variables of Bob and Charlie that are themselves not correlated.To satisfy the structure of a secret sharing protocol, it must the the case that the key is encoded in a variable that is much more correlated with a collaborative, joint variable of an authorised k-subset (here Bob and Charlie together) than it is for any k − 1-subset (in this case, either Bob or Charlie individually).If Alice had chosen to encode in pA then the second nullifier tells us her key would be well correlated with xB .The third nullifer tells us that, since xB is correlated with pC then pA is correlated with pC also.But this is precisely the problem!If xB and pC are correlated then the amount of information that Bob and Charlie have about pA is almost identical to the amount either of them have individually, which makes secret sharing impossible.In contrast, because pB and xC are not correlated then a joint variable based on the combination of Bob and Charlie's measurements will be much more correlated with xA than either would be individually which is exactly what we require.By the same logic if Bob were the dealer he should encode the secret in pB and Charlie should use xC .

TABLE II .
Parameters for realistic experimental model.