Breaking Rate-Distance Limitation of Measurement-Device-Independent Quantum Secret Sharing

Currently most progresses on quantum secret sharing suffer from rate-distance bound, and thus the key rates are limited. In addition to the limited key rate, the technical difficulty and the corresponding cost together prevent large-scale deployment. Furthermore, the performance of most existing protocols is analyzed in the asymptotic regime without considering participant attacks. Here we report a measurement-device-independent quantum secret sharing protocol with improved key rate and transmission distance. Based on spatial multiplexing, our protocol shows it can break rate-distance bounds over network under at least ten communication parties. Compared with other protocols, our work improves the secret key rate by more than two orders of magnitude and has a longer transmission distance. We analyze the security of our protocol in the composable framework considering participant attacks and evaluate its performance in the finite-size regime. In addition, we investigate applying our protocol to digital signatures where the signature rate is improved more than $10^7$ times compared with existing protocols. We anticipate that our quantum secret sharing protocol will provide a solid future for multiparty applications on the quantum network.


I. INTRODUCTION
A network with quantum resources has benefits in both computing enabled by quantum computation [1][2][3][4][5][6] and secure communication enabled by quantum key distribution [7,8].Apart from quantum key distribution, in the realm of quantum communication quantum secret sharing (QSS) [9][10][11][12][13] is also important in constructing a secure quantum network with network applications ranging from secure money transfer to multiparty quantum computation.
Secret sharing is a key cryptographic primitive underlying a secure network.Secret sharing was first conceived independently by Blakely [14] and Shamir [15].It takes both the reliability and secrecy of information into account with practical applications ranging from the management of cryptographic keys, decentralized voting, to a component for secure multiparty computation.In secret sharing, a designated party, called the dealer, divides the secret into shares and distributes them to each player in a way that only authorized subsets of players can reconstruct the secret while all other subsets gain nothing whatsoever.The dealer can select a threshold size for authorized subsets.For instance, in an (n, k) − threshold scheme, any k (k ≤ n) of n players can collaborate to recover the secret, while any subset with less than k players remains ignorant.
Classical secret sharing is vulnerable and no longer secure in the face of eavesdroppers equipped with quantum computers.
Fortunately, such threats can be overcome by resorting to quantum technology.One can apply quantum key distribution links sharing secure keys between two legitimate users [16][17][18][19][20][21][22][23][24] to establish point-to-point secret keys, which restricts the efficiency in a fully connected quantum network.Alternatively, multipartite entangled states-particularly the Greenberger-Horne-Zeilinger (GHZ) entangled states [25,26]-can be used to realize QSS for achieving an advantage over the repetitive use of quantum key distribution links [27].The first QSS protocol was proposed by Hillery et al. using GHZ state for three participants [9].This QSS protocol is not secure in the face of participant attacks [28].After this protocol, progresses in QSS with multipartite entanglement have been made both in protocols [29][30][31] and experiments [32][33][34] in the past two decades.The problem is directly preparing and distributing multipartite states are challenging in practice and limit key rates and transmission distance.Therefore, the protocol to distribute postselected GHZ entanglement was proposed to avoid the requirement of entanglement preparation beforehand [35].Although the measurement-deviceindependent (MDI) protocol needs no entanglement resource, with the increasing number of users, the protocol is limited since the efficiency decays exponentially.In addition, the security of QSS protocol in [35] is not completely analyzed due to the ignorance of participant attacks.To conclude, currently most QSS protocols suffer from decaying transmission efficiency and incomplete security analysis, and thus they are still unpractical for large-scale deployment and application.
To fill the gap of existing protocols, we propose an efficient and practical MDI-QSS protocol based on MDI quantum communication protocols [18,19,35] and spatial multiplexing and adaptive operation used in allphotonic quantum repeater [36] and adaptive MDI quantum key distribution [37].The results show that our QSS protocol enhances the key rate as the twin-field quantum key distribution does [20,38,39].In terms of security, our protocol is immune to all detection-side attacks which is important for practical quantum communication [40,41].To be specific, the transmission efficiency of our protocol remains unchanged when the number of communication parties increases.Our QSS protocol can break rate-distance bounds [42] over network under at least ten communication parties when equipped with the GHZ analyzer composed of linear optical elements [43].Compared with other protocols, our work improves the secret key rate by more than two orders of magnitude and has a longer transmission distance within an experimentally feasible parameter regime.On the other hand, we analyze the security of our protocol in the composable framework considering participant attacks.Based on the security analysis, we also evaluate the performance of our protocol in the finite-size regime.Furthermore, we explore applying our QSS protocol as a subroutine to digital signatures, which is a vital primitive in protecting the integrity of data against forgery.The digital signatures with our MDI-QSS outperform other quantum counterparts of digital signatures with more than 10 7 times enhancement in signature rate.We believe our protocol manifests the potential to be an important building block for quantum networks.

II. QUANTUM SECRET SHARING PROTOCOL
Here we consider an n-party QSS protocol where the ith user is denoted by A i (i = 1, ..., n).We designate A 1 as the dealer dividing and distributing the secret among n − 1 players (A 2 , ..., A n ) and consider an (n − 1, n − 1)threshold QSS protocol.The schematic diagram of our QSS protocol is shown in Fig. 1.
Before transmitting quantum signals, the dealer A 1 establishes a bipartite key with each player to authenticate the classical channel and a joint key as a seed for privacy amplification.
(i) Each user generates M single-photon states that are randomly selected from eigenstates of the Z and X basis.For instance, one selects from {|H⟩, |V ⟩, (|H⟩ + |V ⟩)/ √ 2, (|H⟩ − |V ⟩)/ √ 2} when using polarization encoding.He then transmits the M single-photon states to the central relay simultaneously using spatial multiplexing.The spatial multiplexing can be realized by using techniques in fiber optical communication like multi-core fiber, multi-mode fiber, mode-division multiplexing, and fiber bundles.
(ii) The central relay performs QND measurements to confirm the arrival of single-photon states from (A 1 , ..., A n ).
(iii) After the QND measurements, the confirmed photons from every user form a group and are routed to the GHZ analyzer via optical switches.The central relay then performs GHZ projection measurement on the group.Each user should successfully transmit at least one single photon through QND measurements.Otherwise, this trial is considered to be failed.
(iv) The central relay announces the group information and the GHZ projection results.Each A i keeps information of states that are successfully projected onto the GHZ state and discards the rest.
(v) All n−1 players (A 2 , ..., A n ) announce their preparing bases for the remaining trials in any order.If the preparing bases of all n−1 players or any single player corresponding to the complementary subset of the remaining n − 2 players are consistent with the dealer's choice, this round is kept.
(vi) The process is repeated until m rounds in the X basis have been kept for key generation and k rounds in the Z basis have been kept for parameter estimation.Then the dealer calculates the correlation between himself and each single player.If the correlations are below a certain level, the protocol aborts.
(vii) If the correlation test passes, the dealer obtains the raw key and proceeds with error correction leaking a maximum of leak EC bits of information.To verify the correctness, all n parties compute and compare a hash of length log 2 (1/ϵ c ) bits by applying a random universal 2 hash function to the raw keys.The protocol aborts if the hash of A 1 does not coincide with that of n − 1 players.If the error correction passes, the dealer conducts privacy amplification using universal 2 hashing and obtains the final keys.

III. SECURITY ANALYSIS
The security analysis of QSS is quite complex due to the existence of inner malicious parties exploiting the order of announcing the measurement bases and outcomes [27].The original QSS protocol [9] consider this problem and can be completely broken [28,44].In Ref. [44], the dishonest player (say Charlie) intercepts all the GHZ photons from the dealer and establishes Bell entanglement between himself and the other player.Once Charlie obtains the knowledge of other players' measurement bases, he can learn their measurement outcomes as well through Bell entanglement.Furthermore, Charlie can ensure the round will be kept if the dealer chooses the same basis as him and recreates the dealer's information.As a result, the whole protocol is broken while Charlie remains undetected.Qin et al. provided a general result of the necessary and sufficient conditions under which Charlie can attain all the information without being detected [28].
To address the participant attacks, Kogias et al. proposed to treat the measurements announced by the players as an input or output of an uncharacterized measuring device and the dealer as a trusted party with trusted devices.Then the security of QSS can be connected with one-sided device-independent quantum key distribution which has been proven unconditionally secure [31].Similarly, Refs.[45][46][47][48] applied the security proof of standard quantum key distribution with trusted devices in both discrete and continuous variable QSS.Walk et al. stated the essential part of the security proof in Ref. [31] was excluding the potential malicious parties from parameter estimation [27].As a comparison, in Ref. [45], the dealer randomly selects a set of potential malicious parties and includes them in parameter estimation.However, the potential malicious parties are forced to make announcements first.In our QSS protocol, we follow Refs.[27,31] as shown in (v) and (vi) of our protocol to prevent dishonest participants.
We introduce some useful definitions in the following description.In general, the dealer's final key S can be quantum mechanically correlated with a quantum state held by the adversary, and such a state is described by the classical-quantum state where the sum is over all possible strings and ρ S E,Uj is the joint state of the eavesdropper and the jth untrusted subset given S. In our work, we consider a general adversary which is able to perform any operations permitted by quantum laws rather than a specific adversary model performing concrete attacks.By untrusted subset, we mean the subset formed by any n − 2 players.Thus we have n−1 untrusted subsets in total in our QSS protocol.p(S) is the probability of the state |S⟩⟨S|⊗ρ S E,Uj presenting in the ρ S,EUj .Ideally, a QSS protocol is secure if it is correct and secret.The correctness means the dealer's bit strings S are identical to the bit strings S player recreated from all n − 1 players, i. e. S = S player .The secrecy requires ρ S,EUj = S 1 |S| |S⟩⟨S| ⊗ σ EUj , which means the joint system of the eavesdropper and the jth untrusted subset is decoupled from the dealer.However, these two conditions can never be met perfectly.In practice, we call a QSS protocol ϵ c -correct if We call a QSS protocol ϵ s -secret if where D(•, •) is the trace distance and p pass is the probability that the protocol does not abort.The maximization is over all n − 1 untrusted subsets since the dealer must take worst-case estimates for the secrecy.A QSS protocol is called ϵ sec -secure with Similar to quantum key distribution [49], the extractable amount of key l for a ϵ c -correct and ϵ s -secret QSS is where H ϵ min (X|EU j ) is the conditional smooth minentropy characterizing the average probability that the eavesdropper and dishonest parties guess the dealer's raw key X correctly using optimal strategy and leak EC is the amount of information leakage of error correction.ϵ and ε are positive constants proportional to ϵ s .For a realistic scenario, the computable key length of QSS is where µ(λ, ϵ) = , with k j (< k) being the number of parameter estimation rounds between the dealer and the complementary single player of the jth untrusted subset, λ being the error rate observed in parameter estimation, A = max{m, k j }, and is the marginal error of the correlation test.q is a constant that quantifies the complementary of the two preparing bases.We give a full proof and analysis of the extractable key length in Appendix A.

IV. PERFORMANCE
In this section, we evaluate the performance of our QSS protocol.We introduce a benchmark used in our investigation and analyze the performance of our protocol under both the asymptotic and finite-size regime.In the end, we utilize our QSS as a key generation solution to an essential cryptographic primitive-digital signatures and investigate the signature rate of signing a document.

A. Asymptotic performance of MDI-QSS
In the asymptotic limit, we follow the key rate formula presented in [35].To be specific, Fu et al. proposed the secret key rate of MDI-QSS for the first time [18,19,35,37,[50][51][52][53]] where Q X is the gain of the X basis, the probability of successful GHZ state projection when preparing a single photon in the X basis, and is the binary Shannon entropy function.f is the inefficiency of error correction.The gain Q X is defined as the efficiency of successfully generating postselected GHZ entanglement when preparing a single photon in the X basis.Specifically, we have M , where N is the average number of successful GHZ projection formed by photons using M multiplexing.If we denote the total efficiency of both GHZ projection and the channel from any ith user to the central node as η tot , and M multiplexing is used, then N ∼ M η tot .Therefore, we have Q X ∼ η tot .The approximate relation can be converted to an equation Q X = η tot under the asymptotic limit (M → ∞).We prove this equation when n = 3 in Appendix C. To guarantee that more than one entanglement is generated on average, the multiplexing number should satisfy In this simulation, we use efficiency η sps to describe the probability of the single photon source generating single photons and set η sps = 0.9 [54].We consider the GHZ analyzer based on linear optical elements [43] capable of identifying two of the n-particle GHZ states.We present the detailed working of the analyzer in Appendix B. Photons travel through optical fiber channels whose transmittance is determined by √ η channel = exp − l latt , where the attenuation distance l att = 27.14 km and l is the distance from any ith user to the GHZ analyzer.QND measurements are required to confirm the arrival FIG. 2. Key rates of our QSS and direct transmission bounds.We show key rates of our protocol and corresponding bounds under different numbers of communication parties (n = 3, 10 from top to bottom).In the figure, key rates of our protocol and bounds are plotted with solid and dash-dotted lines, respectively.The fiber transmission distance denotes the distance between any ith party and the central relay.
of photons and the success probability of QND measurements is denoted by p QND .To simplify the simulation, we consider a QND measurement for a single photon based on quantum teleportation [55] with ideal parameters where we have p QND = 1/2.The active feedforward technique is needed to direct the arrived photons to the GHZ analyzer via optical switches.We assume the active feedforward costs time τ a = 67 ns [56], which is equivalent to a lossy channel with the transmittance η a = exp(−τ a c/l att ), where c = 2.0 × 10 8 ms −1 is the speed of light in an optical fiber.Single photon detectors in the GHZ analyzer are characterized by an efficiency of η d = 0.93 and a dark count rate of p d = 1 × 10 −9 [57], by which we can estimate the success probability of GHZ projection in the X(Z) basis Q GHZ X(Z) .Based on the aforementioned assumption on experiment parameters, we analytically estimate the gain with See Appendix D for the concrete process of estimation of the marginal bit error rates and phase error rate.Before analyzing the performance of our protocols, we discuss the limitations on quantum communication over network and provide a benchmark for our protocol.
A general methodology allowing to upperbound the two-way capacities of an arbitrary quantum channel with a computable single-letter quantity was devised in [42], which determines the fundamental rate-loss tradeoff affecting any quantum key distribution protocol.In this way, for the lossy channel, they proved that the twoway quantum capacity and the secret-key capacity are − log 2 (1 − η), which is the maximum rate achievable by FIG. 3. Comparison of key rates of QSS from our work, original MDI-QSS [35], continuous variable (CV) QSS [46], and twin-field (TF) differential phase shifting (DPS) QSS [12].We plot the key rates of the protocols when n = 3. Different colored lines are used to denote different protocols.The fiber transmission distance denotes the distance between any ith party and the central relay.
any optical implementation of point-to-point quantum key distribution.This bound sets the limits of point-topoint quantum communications and provides precise and general benchmarks for quantum repeaters.For quantum communications over network scenarios, bounds have also been established under different scenarios [58,59].
In [60], the methodology used in [42] is extended to a more complex communication scenario including quantum broadcast channel, quantum multiple-access channel, and all-in-all quantum communication, where multiple senders and/or receivers are involved.Later, Das et al. provided a unifying framework to upperbound the key rates of both bipartite and conference settings with different scenarios including broadcast, multiple access, interference channels, and more general network scenarios [61].
In our work, to investigate the performance of our protocol, we consider a rate benchmark in a case where the untrusted central node is removed and all n users are linked by a star network similar to that in Ref. [62].In such a scenario, a selected user performs quantum key distribution with other users n − 1 times to establish bipartite secret keys with the same length due to the network symmetry.According to the secret-key capacity, the asymptotic rate is − log 2 (1 − η) with √ η being the transmittance between any ith user and the central node.The selected user can XOR all n − 1 key strings to conduct secret sharing.The final key length is equal to the keys' lengths obtained using quantum key distribution.Therefore, in this scenario, the key rate is bounded by . We call this bound the direct transmis-sion bound.It should be noted that the above scenario does not necessarily yield the highest key rate in secret sharing.
In Fig. 2, we plot the key rates of our QSS as well as direct transmission bounds with different numbers of communication parties.We present key rates and bounds with n = 3, 10 users from top to bottom using solid and dash-dotted lines respectively.Our protocol breaks the direct transmission bounds because of the spatial multiplexing and adaptive operations.A polynomial scaling of efficiency with distance can be realized for at least ten users over the network while the bounds attenuate greatly as n increases.
To further investigate the performance of our work, we evaluate the key rate of our protocol and that of other preceding QSS protocols over a quantum network under the same experimental parameters.In Fig. 3, we plot the key rate of our QSS protocol, original MDI-QSS [35], continuous variable (CV) QSS [46], and twin-field (TF) differential phase shifting (DPS) QSS [12] with n = 3.We can directly conclude from Fig. 3 our work can achieve a longer transmission distance of more than 300 km and increase the secret key rate by at least two orders of magnitude at long distances compared with other QSS protocols.Though TF DPS QSS achieves a similar transmission distance and slope to our work, the TF DPS QSS protocol only works with three communication users and cannot be easily and directly extended to scenarios when n is more than three.The CV QSS protocol can reach no more than 140 km.One can observe that CV QSS outperforms our work at shorter distances because CV protocols adopt the coherent state as information carrier which is more robust to channel loss.As a result, the signals can always be detected, which means the gain of CV protocol is always unity.The CV QSS protocol is asymmetric where the dealer measures the Gaussian signals from the users while our QSS is symmetric in the quantum phase of the protocol.Therefore, the CV QSS is not as flexible as our QSS to deploy in the quantum network.

B. Performance of QSS in finite-size regime
We investigate the performance of our QSS protocol in the finite-size regime with the same parameters introduced in the asymptotic scenario.Wse fix ϵ c = 10 −15 corresponding to a realistic hash tag size in practice [63].In our QSS protocol, for simplicity, we assume the information leakage during error correction to be leak EC = f h(E X ), where f = 1.1, h(x) is the binary Shannon entropy, and E X is the error rate in the X basis.Then following Eq.( 5) we can obtain the result in finite-size regime.
In Fig. 4, we plot the secret key rate of our QSS protocol as a function of the distance between any ith user and the central relay.We can view that our QSS can transmit more than 100 km, 60 km, and 30 km when n = 4, 6, 8, QSS rate (bit per pulse) respectively.These transmission distances can cover the intra-and inter-city deployment of the quantum network.On the other hand, with the all-photonic nature of our QSS protocol, our work is feasible and can be implemented with state-of-the-art technology.Combining these two factors, our results are meaningful to the practical deployment of a quantum network.The slope of the curve is observed to differ with different values of n, which stems from the secret key rate here counts the probability of all users choosing the same basis which scales exponentially with n.
In the above two subsections, we investigate our protocol under a model consisting of single photon sources, QND measurements, optical switches, and the GHZ analyzer based on linear optical elements.Our protocol can be improved with other techniques.For instance, our protocol can be improved by utilizing the complete GHZ analyzer which can identify all 2 n GHZ states, such as GHZ state analysis taking into account nonlinear processes [64,65] or entangled-state analysis for hyperentangled photon pairs [66,67].On the other hand, in step (iii) from Sec. II, large-scale optical switches are needed to route the photons into the GHZ analyzer, which may affect the transmittance and cause unwanted loss.Thus, future effort should be made towards realizing the protocol with reduced scale optical switches and one possible way is utilizing a Hadamard linear optical circuit together with single-mode on/off switches [37].Techniques in MDI quantum key distribution [41,68] can be applied in our QSS to further improve practicality.

C. Key Generation Solution For Quantum Digital Signatures
Digital signatures, as an important cryptographic primitive, promise the authenticity, integrity, and nonrepudiation of information processing, which have been applied in various areas such as financial transactions, software distribution, and blockchain.The security of classical digital signatures is based on the complexity of mathematical problems.While the quantum counterpart of digital signatures, called quantum digital signatures (QDSs), guarantees security via the laws of quantum physics.Since the first QDS protocol which is challenging in the experiment, progresses have been made to improve the practicality of QDS [69][70][71].However, the existing protocols suffer from low signature rate and are unpractical when signing multi-bit documents.Yin et al. proposed a QDS protocol capable of signing long documents with information-theoretic unconditional security [72].The QDS protocol builds a perfect bit correlation of three users with an asymmetric key system and realizes an efficient QDS together with completely random universal 2 hash function and one-time pad.Our QSS is capable of generating perfect key correlations between any n users, which naturally fits well in the framework of such QDS protocol.Furthermore, our protocol has great potential and capability of large-scale application of such QDS in the future quantum network.Thus here we investigate the performance of applying our QSS protocol as a subroutine in the key distribution process of [72].
We start with briefly introducing this QDS protocol.For convention, let Alice be the signer with Bob and Charlie as the receiver.Before generating and verifying digital signatures, perfect key correlations X A = X B ⊕X C (Y A = Y B ⊕Y C ) should be realized among Alice, Bob, and Charlie, where X i (Y i ) (i = A, B, C) denotes secret keys held by each user.QSS can achieve such correlations and thus our QSS protocol provides a natural solution to the key generation process.After obtaining the keys, Alice generates digital signatures of an arbitrary document through completely random universal 2 hash function and one-time pad and transfers the signed document to Bob. Bob transmits his key bit strings and the signed document to Charlie.Bob and Charlie verify the digital signatures and if both of them accept the signed document we can say this is a successful signing.For more technical details, Ref. [72] can be referred to.
We investigate the performance of QDS protocol in [72] using our QSS to generate perfect key correlations.It is further compared with the experiment result of QDS protocol with quantum states exchanged forward in [73], which is shown in Tab.I.For the calculation of QDS using our QSS, we assume the order of the irreducible polynomial to be 128 which indicates a security bound about 10 −34 [72] and set the system clock frequency to be 1 MHz.In order to have a direct comparison between the two protocols, in Tab.I we calculate and list the TABLE I. Performance of QDS protocol using our QSS and QDS with quantum states exchanged forward in [73].The performance of the QDS protocols is evaluated by the signature rate of signing a document with the size of 10 6 bits.We assume the system clock frequency to be 1 MHz.NaN means no digital signatures can be generated.The unit of signature rate is times per second (tps).
Distance (km) Signature rate (tps) QDS [72]  signature rate of signing a document with the size of 10 6 bits, which indicates the amount of documents signed per second.From the comparison, we can easily conclude that the QDS protocol with keys generated by our QSS outperforms the QDS in [73] with a better signature rate and longer distance.Our QSS shows great practicality when used in QDS protocol.

V. CONCLUSION AND OUTLOOK
In this work, we propose an MDI-QSS protocol for quantum network applications.Our QSS can break the rate-distance bound with the GHZ analyzer based on linear optical elements under at least ten network users.By comparing our work with the key rate of recent QSS works, we show the superiority of our work by improving the key rate by more than two orders of magnitude and achieving longer transmission distances.The security of our QSS taking the participant attacks into account is analyzed in the composably secure framework.Based on the security analysis, we provide a computable key length in the finite-size regime.Furthermore, we consider applying QSS to another important cryptographic primitive-QDS.The result shows that QDS with our MDI-QSS protocol as a subroutine possesses significantly higher efficiency compared with preceding QDS.Based on the result of this work, we can anticipate a wide and flexible usage of our work in multiparty applications of the secure quantum network.
Here we remark on possible directions for future work.In conventional quantum repeater protocols [74][75][76][77], quantum memories are necessary to be entangled with photons and to preserve entanglement at least until receiving heralding signals of successful entanglement swapping.Here time multiplexing from quantum memories' preserving entanglement enables the enhancement in transmission efficiency.On the other hand, all-photonic quantum repeater protocol [36], requiring no matter qubit quantum memories and demonstrating polynomial scaling of efficiency with distance, was proposed.The all-photonic scheme utilizes cluster states to realize a polynomial scaling with distance which is in fact a result of spatial multiplexing.Therefore, with such spa-tial multiplexing idea, we can develop other protocols apart from quantum communication with enhanced efficiency.On the other hand, secret sharing can be useful in constructing protocols such as Byzantine consensus and federated learning.Our work can be applied to these protocols as a subroutine for improved efficiency and security against eavesdroppers with quantum computer.In addition, our work can be further developed to give anonymity to users [78] over quantum network for more complex application scenarios.
Proof.In step (vii) of QSS, all n parties compute and compare a hash of length log 2 (1/ϵ c ) by applying a random universal 2 hash function to raw keys X and X player .If the hash value disagrees, the protocol aborts.According to the property of universal 2 hash function [79], the probability that two hash values coinciding-if X and X player are different and the hash function is chosen uniformly at random from the family-is at most 2 ⌈log 2 ϵc⌉ ≤ ϵ c .Therefore, it is guaranteed that Pr(S ̸ = S player ) ≤ Pr(X ̸ = X player ) ≤ ϵ c .
To prove that our QSS protocol is ϵ s -secret, we introduce the Quantum Leftover Hashing Lemma [80].
Lemma 2. If Alice uses a random universal 2 hash function to map the raw key X to the final key S and extracts a string of length l, then for any positive ϵ ) where E is a finite or infinite dimensional system of Eve and E ′ summarizes all information Eve obtained including the classical communication.
Now we can prove the ϵ s -secrecy of our QSS protocol.Theorem 3. The QSS protocol defined in Sec.II is ϵ s -secret if the key length l satisfies with k j (< k) being the number of parameter estimation rounds between the dealer and the complementary single player of the jth untrusted subset, λ being the error rate observed in parameter estimation, A = max{m, k j } and G = m+kj mkj ln m+kj 2πmkj λ(1−λ)ϵ 2 .ϵ and ε are positive constants proportional to ϵ s .Proof.To fit in our QSS protocol, the Eve's system in the Quantum Leftover Hashing Lemma includes both eavesdropper and the jth untrusted party U j .By choosing ϵ = (ϵ s − ε)/(2p pass ) with ε > 0 and we have By taking the maximum over all j, we can reach a ϵ ssecret QSS protocol.Furthermore, using the fact that log 2 p pass < 0, we choose the key length to ensure a ϵ s -secret QSS protocol.Now we present how to obtain key length in Eq. ( 5).During error correction the amount of leak EC + log 2 (1/ϵ c ) bits of information about the dealer's raw key X are revealed and we have [49] All that remains is to lower bound the conditional smooth min-entropy and this can be achieved by using entropic uncertainty relation [81] where C j is the complementary trusted player of untrusted subset U j and q is the preparation quality quantifying the incompatibility of two measurements [49,81].From Eq. (A8), we can lower bound the conditional smooth min-entropy using the smooth maxentropy H ϵ max (Z|C j ) characterizing the correlations between Z and C j .There is only one single player in C j and we can apply the result of quantum key distribution [82] where ϵ = ϵ ′ / √ p pass and λ is error rate observed in parameter estimation, A = max{m, k j } and G = m+kj mkj ln m+kj 2πmkj λ(1−λ)ϵ 2 .In summary, the extractable key length given by Eq. ( 5) guarantees the ϵ s -secrecy of our QSS protocol, which completes the proof.

Appendix B: GHZ analyzer based on linear optical elements
The GHZ analyzer based on linear optical elements [43], as shown in Fig. 5, is composed of just polarizing beam splitters (PBSs) and half-wave plates (HWPs) and can identify two of the n-particle GHZ states.We now explain how n-particle GHZ state Φ ± 0 = 1/ √ 2(|HHH...H⟩ ± |V V V...V ⟩) evolves in such analyzer.Suppose that n particles of Φ ± 0 enter the GHZ analyzer shown in Fig. 5 each one through mode A i respectively and we express the input state using creation operator as Here a X † Ai (X = H, V ; i = 1, ..., n) represents the creation operator with X polarization from mode A i and |0⟩ is vacuum state.The polarizing beam splitter transmits |H⟩ and reflects |V ⟩ polarization, where a phase of π 2 will be added on the output state.Therefore, we can find how Φ ± 0 evolves right after n photons pass through PBS and before they enter HWP: where i is the imaginary unit and a X † k (X = H, V ; k = 1, ..., n) represents the creation operator with X polarization in M ode k shown in Fig. 5. From Eq. (B2), one can observe n-fold coincidences, which distinguishes Φ ± 0 from other n-particle GHZ states.
Furthermore, after passing through the HWP, we can obtain from which we can identify Φ + 0 and Φ − 0 .Because of the existence of factor (−1) n−1 in Eq. (B3), in the following we will discuss different criteria to identify Φ + 0 and Φ − 0 when n is odd or even.To be specific, when n is odd, Φ + 0 evolves into the following state From Eq. (B4) (Eq.(B5)), we can conclude that only products of creation operators with even (odd) number of V polarization remains, which corresponds to even (odd) number of {D iV } i=1,...,n being clicked.
When n is even, it is evident that different clicks corresponding to Φ + 0 and Φ − 0 exchange compared to clicks when n is odd.
For easier reference, we summarize the aforementioned results in Table II.
Appendix C: The gain under asymptotic limit According to Sec.IV A, we state that under asymptotic limit the gain can be written as In this Appendix, we present a derivation of Eq.C1.
Before the derivation, for simplicity, we denote p QND • √ η channel • η sps • η a as η, which represents the success probability of photon arrive at the GHZ analyzer.We first recall the definition of the gain Q X = N /M and consider the calculation of N .From the definition of N , we have where P n|M is the probability when n groups are successfully projected on GHZ states with M multiplexing and can be expressed as Therefore, we have Appendix D: Estimation of the success probability of GHZ measurement and bit (phase) error rate In this Appendix, we give the calculation of the gain and bit (phase) error rate of our protocol.We start with recalling the classical part of the preceding MDI-QSS [35].After step (iv) of our protocol, {A i } i=1,..,n+1 postselect the events where they prepare the states with the same basis through an authenticated public channel.One should note that when all n + 1 users choose the X basis and the state is projected onto Φ − 0 , A 1 will perform a bit flip on his classical bit.Finally, all users estimate parameters through experiment and extract keys after classical error correction and privacy amplification.In the following we provide an explicit description of the calculation of Q GHZ X(Z) and E Z(X) .We first consider the calculation of Q GHZ Z and E Z .For simplicity, we introduce some notations as follows.x 0 refers to the probability of D iH/V clicking when vacuum state is in the i th mode.
where Q nH (Q nV ) is the success probability of GHZ projection when |HH...H⟩ (|V V...V ⟩) inputs.Now we consider how to estimate Q (n−k)H,kV (k ≥ 1), the sum of the gain when the input state owns k photons in V polarization.We limit k ≤ n/2 since for k > n/2 we have Q (n−k)H,kV = Q kH,(n−k)V due to the symmetry.The calculation of Q (n−k)H,kV can be solved as a counting problem since the gain is different under various input arrangements in the following way.At first, we need to determine the distribution of |V ⟩ photons in n modes.We assume that |V ⟩ photons are fixed and the other |H⟩ photons are inserted into them which is shown in Fig. 6.Such insertion can be finished in two steps.First, determine the number of vacancies where the |H⟩ photons will be inserted into.Then we decide the number of |H⟩ photons in each vacancy and we can get a distribution of input photons.One should note that for the GHZ analyzer used in this paper, choosing the leftmost vacancy in Fig. 6 is the same as choosing the rightmost vacancy.As a result, when two vacancies are chosen at the same time, they should be viewed as a single one vacancy.We denote the number of all possible distributions when there is l vacancies in k photons in |V ⟩ as g k (l) and the corresponding success probability of GHZ projection as f (l).Then we have the following expression: In summary, we present the following expression: According to the definition of errors under Z basis, we have (D7) Now we consider the gain Q GHZ X and phase error rate E X .Due to the equality of density matrix, we can directly conclude that Q GHZ X = Q GHZ Z To estimate the phase error rate, we need to calculate the success probability of projection on Φ + 0 and Φ − 0 respectively.We decompose states prepared X basis into Z basis and aforementioned methods can be used.We summarize the following results according to the evaluation of the states in the GHZ analyzer.
First we consider the situation when there is even number of |−⟩ photons.If n is odd, Q Based on the results above and the definition of error under X basis, we can express the phase error rate as , n is odd.
(D12) Finally using the above equations we can estimate the key rate of our QSS.

FIG. 1 .
FIG.1.Schematic diagram of our QSS protocol.In our protocol, each user generates M single-photon states selected from eigenstates of the Z and X basis randomly and transmits all M states to the untrusted central relay through the quantum channel with spatial multiplexing.The untrusted central relay performs QND measurements to confirm the arrival of single-photon states.The confirmed photons are routed to the GHZ analyzer via optical switches and the GHZ projection is performed.Each user keeps the information of states that are successfully projected onto the GHZ state and performs classical postprocessing.

FIG. 6 .
FIG. 6.The arrangement of |V ⟩ photons and possible vacancies.We use blue and orange circles to denote |V ⟩ photons and vacancies.When inserting |H⟩ photons into fixed |V ⟩ photons, we first determine the number of vacancies and then determine the number of |H⟩ in each vacancy.Finally we obtain a distribution of input photon state.

2 − 2 B
representing the probability of n successful GHZ measurements conditioned on existence of l groups.Here C k M = M k .p l|M = 3B l|M (η) M k=l B k|M (η) l|M (η) 3 is the probability of not less than l single photons from all three parties with M multiplexing.By utilizing lB l|M (p) = M pB l−1|M −1 (p) for l > 0 and B k|M (p) = (1 − p)B k|M −1 (p) + pB k−1|M −1 for 0 < k < M [37], considering the asymptotic behavior of the maximum of binomial distribution, we have lim x 1C(E) refers to the probability of correct (erroneous) click when the single photon state is in the ith mode.Here the correct click means D iH(V ) clicks when |H⟩(|V ⟩) is input state and the meaning of erroneous click is D iH(V ) clicks when |V ⟩(|H⟩) inputs.x 2C(E) refers to the probability of correct (erroneous) click when two photons are in the i th mode.It is easy to calculate the probability of successful GHZ projection when n users prepare state with perfect bit correlation in the Z basis, i.e. |HH...H⟩ and |V V...V ⟩.By considering the evolution of |HH...H⟩ and |V V...V ⟩ in the GHZ analyzer shown in Fig. 5, we have

g 1 g 1 (
k (l)f (l), (D2) where g k (1) = n and for l ̸ = n − k − 1)! (n − k − l)! .(D3)In addition, we havef (l) = 2 l (x 2C + x 2E ) l x l 0 (x 1C + x 1E ) n−2l .(D4)Here and in the following we define C n m = m n .We now make a remark on critical situation.When n is even andl = k = n/2, we have − k − 1)! (l − 1)!(n − 2k)! .(D5) the success probability of projection on Φ + 0 ( Φ − 0 ) can be given by Q the situation when there is odd number of |−⟩ photons.If n is odd, Q FIG. 4.Secret key rate of our QSS as a function of distance in finite-size regime.We consider the secret key rate of QSS with n = 4, 6, 8 shown in different colors.In this simulation, we fix the total number of signals to be 10 12 .The fiber transmission distance denotes the distance between any ith party and the central relay.

TABLE II .
Different clicks to identify Φ +