Introduction

In recent years, quantum communication has made significant breakthroughs, in particular, quantum key distribution (QKD)1,2,3 ensures secure communication between legitimate parties based on the principles of quantum mechanics. The invention of QKD provides an effective approach to solve the point-to-point security key distribution between two users. Inspired by the idea of QKD and classical cryptography protocols4,5,6, the quantum secret sharing (QSS)7, and conference key agreement (CKA)8 using multiparticle Greenberger-Horne-Zeilinger (GHZ) entangled states were proposed. The QSS combines quantum cryptography with classical secret sharing and uses quantum state as a secret encoding carrier. The secret message is divided into n pieces and distributed to n players in an appropriate way7. For a (k, n) threshold protocol, if no less than k players combine their pieces of information together, the secret message can be recovered4. QSS can protect secret message from the eavesdroppers and dishonest players, and has important applications in key management, identity authentication, remote voting, and quantum sealed-bid auction. The task of CKA is to establish a common secret key among n players. All players can encrypt the public messages and decrypt the encrypted public messages broadcasted by other players, whereas the eavesdroppers cannot obtain any public messages broadcasted by the players8.

At present, a variety of QSS and CKA protocols have been proposed. They follow mainly two different paths: the multipartite entangled states based protocols and the bipartite QKD based protocols. The first path employs quantum correlations of genuine multipartite quantum resources, require no explicit QKD process, and may offer specific advantages over the latter. The latter can use mature security proofs and technology of QKD, and could bring operational advantages such as it can switch between different protocols by configuring only the classical post-processing program and no modification of hardware devices are required. Depending on the quantum resources employed, the discrete variable QSS including the entangled state QSS7,9,10,11,12,13, the single qubit QSS14,15,16, the single qudit QSS17,18,19, and the post-selected multipartite entanglement state QSS20 have been investigated. The continuous variable QSS with the entangled state21,22,23,24 and coherent state25,26,27,28 were also presented. Furthermore, CKA with multipartite entangled state (known as quantum conference key agreement (QCKA)29)8,29,30,31,32,33,34, three party QKD35, and measurement-device-independent (MDI) type20,36,37,38 have been reported.

The above works significantly improve the feasibility of QSS and CKA. However, there are still key limitations in security and practicability. For instance, the single qubit QSS protocol is vulnerable to Trojan horse attacks39,40 where an eavesdropper can send a signal to the player’s station and unambiguously determine the private information by measuring the output signals. The QSS7,9,10,11,12,13 and CKA8,29,30,31,32,33,34 based on the GHZ entangled state are appealing. For certain CKA networks with bottlenecks31, the GHZ resource state can be distributed in a single use of the network for the multipartite entanglement protocol, despite the complicated quantum network coding with two-qubit gates failure rates and channel noises below certain threshold are required. Nevertheless, the practical applications of GHZ-like states are quite limited due to the difficulty of generation, manipulation, and distribution of multi-partite entangled states with very large dimension at present20,33,41. The post-selection GHZ entangled state QSS and CKA alleviate this issue20,37. However, the implementation of this scheme requires the intervention of multiple players, which increases the complexity of the experiment. Continuous variable QSS (CV-QSS) based on coherent states has good compatibility with telecom techniques25,26,27,28. Unfortunately, most of coherent-state CV-QSS protocols require that all players have to prepare their own laser sources, and the phase of all players’ independent lasers should be strictly locked, which adds considerable complexity and cost to the system. On the other hand, the superposition of channel excess noises from other players severely reduces the secret key rate due to the joint measurement by the dealer25,26,28. Furthermore, most of the existing QSS and CKA require dedicated hardware devices and many QSS are (n, n) schemes.

To solve above problems, in this paper we propose a practical, scalable, and verifiable (k, n) threshold CV-QSS protocol based on the bipartite QKD approach. In contrast to previous works with continuous variable regime, our protocol does not require each player preparing a laser source and phase locking of the overall lasers. Furthermore, the dealer can use a single heterodyne detector to extract the information of multiple players thanks to the proposed multiple sideband modulation approach, and the evaluation of the channel parameters for each player is independent. These significantly reduce the complexity and cost of QSS network system and increase the secret key rate and transmission distance. The proposed QSS scheme is versatile and flexible. It can switch between QSS and CKA just by switching the classical post-processing program and no modification of hardware devices are required. We perform strict security analysis for Trojan horse attacks and the untrusted sources intensity fluctuation and noise. The protocol is proved to be secure against eavesdroppers on the quantum channel and dishonest players. We experimentally demonstrate the QSS and CKA protocols with five-party over long-distance single-mode fiber, and investigate the excess noise variations versus the number of the players and fiber length.

Results

The QSS protocol

The sketch of the QSS protocol is shown in Fig. 1, the dealer prepares a number of laser sources of different wavelengths and sends them to adjacent players. For each laser source, the players implement independent Gaussian modulation to encode their key information in different sidebands42 of the light field and subsequently send the modulated light field to the next player. Then the signal fields with different wavelengths are multiplexed via the add/drop multiplexer (ADM) and sent to the dealer through a common quantum channel. The dealer demultiplexs the relieved signal fields via a demultiplexer (DEMUX) and measures them separately via heterodetection. The detailed steps are as follows.

Fig. 1: The QSS protocol.
figure 1

M modulator, ADM add/drop multiplexer, DEMUX demultiplexer. The dealer prepares a number of coherent laser source that passes through each player in sequence, and all players implement independent Gaussian modulation to encode the information in different sidebands of the laser field, then the signal fields with different wavelengths are multiplexed via ADM. After transmission, the dealer demultiplexs the signals of different players and extracts the corresponding sideband information in terms of the encoding rules of the players separately by heterodyne detection.

Full size image

Step 1. The dealer prepares n laser sources of different wavelength λi, \(i\in \left\{1,2,\ldots ,n\right\}\). The first player P11 modulates the laser λ1 and prepares a coherent state \(\left\vert {X}_{{\lambda }_{1}{f}_{1}}+{{{\rm{i}}}}{P}_{{\lambda }_{1}{f}_{1}}\right\rangle\) with weak modulation at sideband frequency f1 of the light field and sends the modulated light field to the neighboring player P12.

Step 2. The second player P12 prepares the coherent state \(\left\vert {X}_{{\lambda }_{1}{f}_{2}}+{{{\rm{i}}}}{P}_{{\lambda }_{1}{f}_{2}}\right\rangle\) on sideband f2. Above procedure is repeated until the P1pth player prepares the coherent state \(\left\vert {X}_{{\lambda }_{1}{f}_{p}}+{{{\rm{i}}}}{P}_{{\lambda }_{1}{f}_{p}}\right\rangle\) and sends the modulated signal fields into the common quantum channel.

Step 3. For other laser source λi, the corresponding players implement the same procedure as above to encode their information in different sidebands of the light field and add the modulated signal fields into the common quantum channel via ADM.

Step 4. After the quantum states of all players reach the dealer through a common quantum channel, the dealer uses a demultiplexer to separate the received quantum states and measures them using heterodyne detection. The measurement results (raw data) are denoted by \(\big\{{X}_{{\lambda }_{i}{f}_{j}}^{{{{\rm{m}}}}},{P}_{{\lambda }_{i}{f}_{j}}^{{{{\rm{m}}}}}\big\}\), \(j\in \left\{1,2,\ldots ,p,\ldots ,q\right\}\).

Step 5. Repeat the above steps until enough raw keys are accumulated.

Step 6. The dealer and each player independently evaluate the channel parameters including the quantum channel transmittance and excess noise \(\left\{{T}_{{\lambda }_{i}{f}_{j}},{\varepsilon }_{{\lambda }_{i}{f}_{j}}\right\}\) by using the same procedure as that of the continuous variable QKD (CV-QKD)43,44,45,46. Based on the channel parameters, the key rates between the dealer and each player can be estimated. If all of them are positive, the dealer selects the lowest key rate \({K}_{\min }\) among all players as the key rate of the QSS, that means the QSS works at the rate of the worst performing player. Then using the data reconciliation and privacy amplification, the secure keys \(\left\{{S}_{{\lambda }_{i}{f}_{j}}\right\}\) are distilled.

Step 7. For a (k, n) threshold QSS, the dealer randomly selects a k − 1 power polynomial \(f\left({S}_{{\lambda }_{i}{f}_{j}}\right)\) in the finite field Z, where \(f\left({S}_{{\lambda }_{i}{f}_{j}}\right)=S+{a}_{1}{S}_{{\lambda }_{i}{f}_{j}}^{1}+{a}_{2}{S}_{{\lambda }_{i}{f}_{j}}^{2}+\cdots +{a}_{k-2}{S}_{{\lambda }_{i}{f}_{j}}^{k-2}+{a}_{k-1}{S}_{{\lambda }_{i}{f}_{j}}^{k-1}\). Here, the polynomial coefficients \(\left\{S,{a}_{1},{a}_{2},\cdots \,,{a}_{k-1}\right\}\in Z\) and S is the sharing secret key. The dealer calculates \(\left\{{S}_{{\lambda }_{i}{f}_{j}},f\left({S}_{{\lambda }_{i}{f}_{j}}\right)\right\}\), and selects a Hash function \(H\left({S}_{{\lambda }_{i}{f}_{j}}\right)\) to calculate the authentication tag \(\left\{H\left({S}_{{\lambda }_{i}{f}_{j}}\right)\right\}\). Next, the dealer sends \(f({S}_{{}_{{\lambda }_{i}{f}_{j}}})\), the Hash function, and the authentication tags to each player through the authenticated classical channel.

Step 8. Each player know \(f\left({S}_{{\lambda }_{i}{f}_{j}}\right)\) and the authentication tags of all players. If k players want to reconstruct the sharing secret keys, they use the Hash function to calculate the authentication tags \(\left\{{H}^{{\prime} }\left({S}_{1}\right),{H}^{{\prime} }({S}_{2}),\cdots \,,{H}^{{\prime} }\left({S}_{k}\right)\right\}\) and compare them with those sent by the dealer. By checking the consistency of the authentication tag, the dishonest players can be discovered. After verification, the sharing secret key S can be calculated directly using the Lagrange interpolation formula:

$$S=\mathop{\sum }\limits_{h=1}^{k}f\left({S}_{h}\right)\mathop{\prod }\limits_{l=1.l\ne h}^{k}\frac{{S}_{l}}{{S}_{l}-{S}_{h}}.$$
(1)

Although above procedures are classical, we take each distributed key \({S}_{{\lambda }_{i}{f}_{j}}\) as a independent variable of a polynomial \(f\left({S}_{{\lambda }_{i}{f}_{j}}\right)\) and combine it with a Hash function, which makes our scheme secure against eavesdroppers and dishonest players in both the quantum distribution stage and the key reconstruction stage.

The CKA protocol

For actual application scenarios, a quantum network should not support only a single protocol. On the premise of not changing the underlying architecture, it is desired that the network can support multiple protocols which can be conveniently switched according to the needs of the players. Such a network structure is flexible and versatile20,27,37.

Our experimental system is flexible and versatile and can be used to implement CKA without modifying any hardware devices, one only need to switch the corresponding post-processing procedure. Below we present the implementation process of CKA in detail.

Step 1. By utilizing the same quantum stage as that of the QSS scheme, the dealer establishs different quantum keys \(\left\{{S}_{{\lambda }_{i}{f}_{j}}\right\}\) with all players. The dealer selects the lowest secret key rate \({K}_{\min }\) among all players, that means the CKA works at the key rate of the worst performing player.

Step 2. The dealer prepares a common secret key Sc, which are encrypted using the player’s quantum secret key \({S}_{{\lambda }_{i}{f}_{j}}\), \({S}_{{{{\rm{e}}}}}={S}_{{\lambda }_{i}{f}_{j}}\oplus {S}_{{{{\rm{c}}}}}\), and then sent to the designated players through the authenticated classical channel. Next the players decrypt the encrypted keys with their own quantum secret key and recover the common secret key \({S}_{{{{\rm{c}}}}}={S}_{{{{\rm{e}}}}}\oplus {S}_{{\lambda }_{i}{f}_{j}}\)31.

Our CKA scheme has following advantages. Quantum state preparation: it only requires off-the-shelf telecom components such as commercial narrow linewidth lasers, amplitude and phase modulators, thus the state preparation process is simple and low-cost. Scalability: it can be conveniently extended to plenty of players on the order of hundreds (see “Discussion” section for the details).

Security analysis

For the presented QSS scheme, similar to the theoretical framework of plug-and-play QKD39, the transmission of the laser source from the dealer to the players can be controlled by Eve. In this case, Eve may performs potential attacks. Therefore, the practical security of the protocols under the conditions of Trojan horse attacks, untrusted source intensity fluctuation, and untrusted source noise should be analyzed. (See “Methods” section for the detailed theoretical analysis).

On the basis of the practical security analysis of QSS scheme, we derive the secret key rate in this part. The lower bound of the asymptotic secret key rate of the QSS and CKA protocols against collective attack are given by47,48

$$K=\beta {I}_{{{{\rm{AB}}}}}-{\chi }_{{{{\rm{BE}}}}},$$
(2)

where β is the reconciliation efficiency, IAB is the Shannon mutual information between the player and dealer, and χBE is the maximum information available to the dishonest players and eavesdroppers conditioned on dealer’s measurement.

The channel added noise referred to the channel input is given by

$${\chi }_{{{{\rm{line}}}}}=\frac{1}{{T}_{2}}-1+{\varepsilon }_{1},$$
(3)

where 1/T2 − 1 is introduced by the quantum channel loss, T2 denotes the effective channel transmittance, and ε1 denotes the effective excess noise. The detection noise referred to the dealer’s input is expressed by

$${\chi }_{{{{\rm{het}}}}}=\frac{\left[1\,{{\mbox{+}}}\,\left(1-\eta \right)+2{\upsilon }_{{{{\rm{el}}}}}\right]}{\eta },$$
(4)

where η and υel denote the detector efficiency and the detector electronic noise, respectively. The total noise referred to the channel input is

$${\chi }_{{{{\rm{tot}}}}}={\chi }_{{{{\rm{line}}}}}+\frac{{\chi }_{{{{\rm{het}}}}}}{{T}_{2}}.$$
(5)

The mutual information IAB is calculated directly from the dealer’s measured quadratures variance \({V}_{{{{\rm{B}}}}}={T}_{2}\eta \left(V\,{{\mbox{+}}}\,{\xi }_{{{{\rm{E}}}}}\,{{\mbox{+}}}\,{\chi }_{{{{\rm{tot}}}}}\right)\), where V = VM + 1, VM denotes the effective modulated variance and the conditional variance \({V}_{\left.{{{\rm{B}}}}\right\vert {{{\rm{A}}}}}={T}_{2}\eta \left(1+{\xi }_{{{{\rm{E}}}}}+{\chi }_{{{{\rm{tot}}}}}\right)\)

$${I}_{{{{\rm{AB}}}}}={\log }_{2}\frac{{V}_{{{{\rm{B}}}}}}{{V}_{\left.{{{\rm{B}}}}\right\vert {{{\rm{A}}}}}}={\log }_{2}\frac{\left(V\,{{\mbox{+}}}\,{\xi }_{{{{\rm{E}}}}}\,{{\mbox{+}}}\,{\chi }_{{{{\rm{tot}}}}}\right)}{\left(1+{\xi }_{{{{\rm{E}}}}}+{\chi }_{{{{\rm{tot}}}}}\right)},$$
(6)

where ξE denotes the untrusted source noise added by Eve. Eve’s access information is up bounded by the Holevo quantity

$${\chi }_{{{{\rm{BE}}}}}=S\left({\rho }_{{{{{\rm{E}}}}}_{0}{{{\rm{E}}}}}\right)-\int\,d{m}_{{{{{\rm{B}}}}}_{1}}p\left({m}_{{{{{\rm{B}}}}}_{1}}\right)S\left({\rho }_{{{{{\rm{E}}}}}_{0}{{{\rm{E}}}}}^{{m}_{{{{{\rm{B}}}}}_{1}}}\right),$$
(7)

where \(p({m}_{{{{{\rm{B}}}}}_{{{{\rm{1}}}}}})\) is the probability density of the dealer’s measurement outcomes \({m}_{{{{{\rm{B}}}}}_{1}}\). \({\rho }_{{{{\rm{E}}}}}^{{m}_{{{{{\rm{B}}}}}_{1}}}\) is the quantum state of Eve and dishonest players conditioned on the dealer’s measurement result. S(.) denotes the von Neumann entropy. To calculate Eve’s accessible information, we know that Eve’s system can purifiy the system AE0B (Fig. 2), \(S\left({\rho }_{{{{{\rm{E}}}}}_{0}{{{\rm{E}}}}}\right)\,{{\mbox{=}}}\,S\left({\rho }_{{{{\rm{AB}}}}}\right)\), and the system AE0EFG is pure after the dealer’s heterodyne measurement, so that \(S\left({\rho }_{{\rm{E}}_{0}{\rm{E}}}^{{m}_{{\rm{B}}_{\rm{1}}}}\right)=S \left({\rho }_{\rm{AFG}}^{{m}_{{\rm{B}}_{\rm{1}}}}\right)\), where \(S \left({\rho }_{\rm{AFG}}^{{m}_{{\rm{B}}_{\rm{1}}}}\right)\) is independent of \({m}_{{{{{\rm{B}}}}}_{{{{\rm{1}}}}}}\) for the Gaussian modulated Gaussian states protocol. Now, Eq. (7) can be rewritten as

$${\chi }_{\rm{BE}}=S\left({\rho }_{\rm{AB}}\right)-S\left({\rho }_{\rm{AFG}}^{{m}_{{\rm{B}}_{\rm{1}}}}\right).$$
(8)
Fig. 2: PM and EB schemes of the QSS protocol with untrusted coherent source.
figure 2

a The PM scheme. b The equivalent EB scheme. Eve may introduce noises at the sidebands where the player encoding key information by modulating the laser in the PM scheme. In the equivalent EB scheme, a three-mode entangled state \({\rho }_{{{{{\rm{AE}}}}}_{0}{{{{\rm{B}}}}}_{0}}\) is generated with the mode E0 controlled by Eve.

Full size image

The covariance matrix of the Gaussian state ρAB

$${\gamma }_{{{{\rm{AB}}}}}=\left[\begin{array}{cc}VI&\sqrt{{T}_{2}\left({V}^{2}-1\right)}{\sigma }_{{{{\rm{z}}}}}\\ \sqrt{{T}_{2}\left({V}^{2}-1\right)}{\sigma }_{{{{\rm{z}}}}}&{T}_{2}\left(V+{\xi }_{{{{\rm{E}}}}}\,{{\mbox{+}}}\,{\chi }_{{{{\rm{line}}}}}\right)I\\ \end{array}\right],$$
(9)

where \(I\,{{\mbox{=}}}\,\left[\begin{array}{cc}1&0\\ 0&1\\ \end{array}\right]\) and \({\sigma }_{{{{\rm{z}}}}}=\left[\begin{array}{cc}1&0\\ 0&-1\\ \end{array}\right]\).

The symplectic eigenvalues of γAB have the form

$${\lambda }_{1,2}^{2}\,{{\mbox{=}}}\,\frac{1}{2}\left[A\pm \sqrt{{A}^{2}-4B}\right],$$
(10)

where

$$\begin{array}{l}A={V}^{2}-2{T}_{2}\left({V}^{2}-1\right)+{{T}_{2}}^{2}{\left(V+{\xi }_{{{{\rm{E}}}}}+{\chi }_{{{{\rm{line}}}}}\right)}^{2},\\ B={{T}_{2}}^{2}{\left[V\left({\xi }_{{{{\rm{E}}}}}+{\chi }_{{{{\rm{line}}}}}\right)+1\right]}^{2}.\end{array}$$
(11)

The symplectic eigenvalues of \({\gamma}_{{\mathrm{AFG}}}^{{{m}_{{\mathrm{B}}_{\mathrm{1}}}}}\) have the form

$${\lambda }_{3,4}^{2}\,{{\mbox{=}}}\,\frac{1}{2}\left[C\pm \sqrt{{C}^{2}-4D}\right],{\lambda }_{5}=1,$$
(12)

where

$$\begin{array}{l}C\,{{\mbox{=}}}\,\frac{1}{{\left[{T}_{2}\left(V+{\xi }_{{{{\rm{E}}}}}+{\chi }_{{{{\rm{tot}}}}}\right)\right]}^{2}}\left\{A{{\chi }_{{{{\rm{het}}}}}}^{2}+B+1+2{\chi }_{{{{\rm{het}}}}}\right.\\ \left.\qquad\times\, [V\sqrt{B}+{T}_{2}(V+{\xi }_{{{{\rm{E}}}}}+{\chi }_{{{{\rm{line}}}}})]+2{T}_{2}\left({V}^{2}-1\right)\right\},\\ D={\left(\frac{V+\sqrt{B}{\chi }_{{{{\rm{het}}}}}}{{T}_{2}\left(V+{\xi }_{{{{\rm{E}}}}}+{\chi }_{{{{\rm{tot}}}}}\right)}\right)}^{2}.\end{array}$$
(13)

The Holevo quantity χBE is given by

$$\begin{array}{ll}{\chi }_{{{{\rm{BE}}}}}=G\left(\frac{{\lambda }_{1}-1}{2}\right)+G\left(\frac{{\lambda }_{2}-1}{2}\right)\\ \qquad\quad-G\left(\frac{{\lambda }_{3}-1}{2}\right)-G\left(\frac{{\lambda }_{4}-1}{2}\right),\end{array}$$
(14)

where \(G\left(x\right)=\left(x+1\right){\log }_{2}\left(x+1\right)-x{\log }_{2}x\).

Using Eqs. (2), (6), and (10)–14), we can calculate the lower bound of the secret key rate.

Modulation

In our experiment, the weak modulation method is adopted to prepare the coherent states at the sideband modes. Before the modulation, the complex amplitude of a single frequency laser has the form

$$\alpha (t)={\alpha }_{0}{{{{\rm{e}}}}}^{{{{\rm{i}}}}2\pi {f}_{0}t},$$
(15)

where α0 and f0 are the amplitude and frequency of the laser. When the laser is weakly modulated at frequency fj, the sidemode of the modulated laser is given by

$${\alpha }^{{\prime} }(t)={\alpha }_{0}({M}_{{{{\rm{x}}}}}+{{{\rm{i}}}}{M}_{{{{\rm{p}}}}})\left[{{{{\rm{e}}}}}^{{{{\rm{i}}}}2\pi ({f}_{0}+{f}_{j})t}+{{{{\rm{e}}}}}^{{{{\rm{i}}}}2\pi ({f}_{0}-{f}_{j})t}\right],$$
(16)

where Mx 1 and Mp 1 denote the amplitude and phase modulation depths respectively. Because the average photon number of the carrier satisfies \({\left\vert {\alpha }_{0}\right\vert }^{2}\gg 1\), even if a very weak modulation can faithfully prepare a coherent state with mean photon number of a few photons at the sidemode. From Eq. (16), the sidemode states can be written as

$$\vert {\phi }_{{f}_{j}}\rangle ={\left\vert X+{{{\rm{i}}}}P\right\rangle }_{\pm {f}_{j}}{\left\vert 0\right\rangle }_{f\ne \pm {f}_{j}},$$
(17)

where X = Mxα0, P = Mpα0. Therefore, under the condition of large \(\left\vert {\alpha }_{0}\right\vert\) and small modulation depths, we can conveniently prepare sidemode coherent states by modulating the amplitude and phase of the laser field.

Carrier phase evaluation

In our experiment, the quantum signals and local oscillators (LO) are transmitted through two different long-distance fibers to simulate the local local oscillator (LLO) scheme. In this case, there exists fast phase drifts between the quantum signals and LO. At present, several phase recovered schemes have been proposed that mainly using the pilot-aided feedforward data recovery scheme. The basic idea of the pilot-sequence scheme is to use adjacent pilot pulses to estimate the middle signal’s phase drift49. The pilot-multiplexed scheme divides the phase drift into the fast drift and the slow drift parts, and one can implement two remapping procedures to compensate them separately50.

In our scheme, we use a simple method to estimate the phase of the signals. As shown in Fig. 3, the quantum signals are generated by modulating the carrier of the lasers and they have fixed phase relations. Although the player’s quantum signals are not generated at the same time, the quantum signals and the carrier pass through the same optical path and are subject to the same phase evolution51,52. Therefore, all the quantum signals for each laser have the same phase and we can infer the phase of the quantum signals by evaluating the phase of the carrier.

Fig. 3: Distribution of quantum signals and carrier signals in frequency domain.
figure 3

The player’s quantum signals are generated by modulating the carrier of the lasers, thus the carrier and signals have the same phase. The phase of the signals can be determined by estimating the phase of the carrier.

Full size image

Experimental results

We demonstrated the proof-of-principle experiment of the proposed QSS and CKA protocols over different long-distance fiber links (see Fig. 4). The experimental parameters are shown in Table 1. To investigate the effect of different multiplexing methods on the player’s excess noises, we measured the excess noises under different scenarios, only a single player, two players with sideband multiplexing, and four players with both the dense wavelength division multiplexing and sideband multiplexing. The results are shown in Fig. 5.

Fig. 4: Experimental setup for QSS and CKA.
figure 4

VOA variable optical attenuator, BS beam splitter, PM phase modulator, AM amplitude modulator, PD photoelectric detector, PC polarization controller, PBS polarizing beam splitter, OH optical hybrid, BHD balanced homodyne detector.

Full size image
Table 1 The experimental parameters of the QSS and CKA system.
Full size table
Fig. 5: Experimental excess noises of player 1 and player 2.
figure 5

a, b The excess noise of player 1 under different multiplexing methods for total transmission distance of 22 km and 52 km. The blue pentagrams represent the excess noise where of player 1 only player 1 encodes the information. The red triangles represent the excess noise of player 1 when both players 1 and 2 encode their information at different sidebands. The black squares represent the excess noise of player 1 when players 1, 2, 3, and 4 encode their information at different sidebands and wavelengths. c, d The excess noises of player 2 under different multiplexing methods for total transmission distance of 20 km and 50 km. The blue pentagrams represent the excess noise of player 2 where only player 2 encodes the information. The red triangles represent the excess noise of player 2 when both players 2 and 1 encoded their information at different sidebands. The black squares represent the excess noise of player 2 when players 2, 1, 3, and 4 encode their information at different sidebands and wavelengths.

Full size image

In Fig. 5a, the average values of the excess noise of player 1 at total transmission distance of 22 km under three cases are 0.00847 (only player 1 encoding the information), 0.0102 (both player 1 and player 2 encoding the information), and 0.0098 (all players 1–4 encoding the information), respectively. We can see that the frequency multiplexing has a slight influence on the excess noise. It is due to that the frequency multiplexing causes a little crosstalk during the modulation and demodulation of the quantum signals. For the dense wavelength division multiplexing of the quantum signals, the player’s excess noise has negligible impact on each other. Above phenomenon is also confirmed by the similar results observed in Fig. 5b–d.

The experimental secret key rates of the QSS (CKA) system are shown in Fig. 6. The black line represents the Pirandola-Laurenza-Ottaviani-Banchi (PLOB) bound53. The two purple rhombus, black triangles, blue pentagrams, and red squares correspond to the secret key rate of the players 1, 2, 3, and 4 at single-mode fiber links of (22 km, 52 km), (20 km, 50 km), (25 km, 55 km), and (20 km, 50 km), respectively. The blue and red curves represent the simulated secret key rates for the players 1, 3 and the players 2, 4, respectively. Due to the channel loss of the players 1 and 3 is larger than that of the players 2 and 4 (the players 2 and 4 are regarded as eavesdroppers from the viewpoint of the player of 1 and 3), the key rate of the players 1 and 3 are lower. After all players estimate their key rate with the dealer, the lowest key rate of all the players is set as the key rate for the QSS (CKA) system. In our case, the key rate of the QSS (CKA) at 25 and 55 km fiber links are 0.0061 and 7.14 × 10−4 bits per pulse, respectively, which are determined by the key rate of players 3 and 1.

Fig. 6: Secret key rates of QSS (CKA).
figure 6

The black line is the PLOB bound. The two purple rhombus, black triangles, blue pentagrams, and red squares corresponds to the secret key rate of the players 1, 2, 3, and 4 at single-mode fiber links of (22 km, 52 km), (20 km, 50 km), (25 km, 55 km), and (20 km, 50 km), respectively. The blue and red curves represent the simulated secret key rates for players 1, 3 and players 2, 4, respectively. The key rate of the QSS (CKA) at 25 and 55 km fiber links are 0.0061 and 7.14 × 10−4 bits per pulse.

Full size image

Discussion

On the basis of our presented scheme, in this section we discuss the possible construction of a network topology for metropolitan QSS and CKA network.

In our proof of principle experiment, we employ the fiber-based components such as amplitude and phase modulators, optical filter, beam-splitters. These fiber pigtailed components have relative large insertion losses, which are detrimental to the performance of the QSS and CKA protocols. In fact, the players can employ free space optical devices at their stations, which can significantly reduce the adverse insertion losses and increase the player amount.

Table 2 shows the typical losses of state of the art optical devices that are required in our protocol. From the loss values, we can estimate the total insertion losses (d) for each player’s station is around 1.35 dB. Using the estimated loss, we propose a possible network topology for metropolitan QSS and CKA network, as shown in Fig. 7. The metropolitan network consists of a backbone network and multiple access networks. The backbone network have m access points, which enables the end players to connect to the network. The upper limit value of the channel loss for each access network is assumed to be D. The construction process of the metropolitan network is as follows.

Table 2 The insertion loss of the optical devices.
Full size table
Fig. 7: The schematic diagram of the QSS and CKA network topology.
figure 7

The metropolitan network is composed of the access network and the backbone network.

Full size image

Step 1. The fiber distance between the farthest player and the dealer in each access network is defined as L, and the therefore channel linear loss is 0.2L for standard single-mode fiber.

Step 2. Since the insertion loss of the player’s station is greater than that of the ADM, the backbone network should configure the access nodes as many as possible in order to maximize the number of the players in the metropolitan network. The number of access nodes can be given by

$$m=\frac{D-0.2L-{{{\rm{AWG}}}}}{{{{\rm{ADM}}}}},$$
(18)

where AWG and ADM denote the insertion loss of the AWG and ADM.

Step 3. The number of the players in the yth access network counting from receiver is expressed as

$${n}_{y}=\frac{D-0.2L-y{{{\rm{ADM}}}}-{{{\rm{AWG}}}}}{d}+1,$$
(19)

where \(y\in \left\{1,2,\ldots ,m\right\}\).

Step 4. The maximum number of the players in the metropolitan network is

$$N=1+\mathop{\sum }\limits_{y=1}^{m}{n}_{y}.$$
(20)

Notice that, given the fiber distance L between the farthest players of the access networks and the dealer, the position of the players in each access network is unrestricted. The span between two adjacent access points can also be freely configured as needed.

Based on the construction method mentioned above, we simulate the maximum number of the players at different transmission distances in Fig. 8. The black and blue dots represent the results of theoretical simulations under D = 20 dB and 30 dB. The red and black curves are the fitting curves. The network exhibits a nonlinear dependence between the transmission distance and number of the players. When the channel loss limit is set to 20 dB, we can see that the secure QSS and CKA among 180 (53) players are feasible within a metropolitan area over 20 km (50 km). If the channel loss limit increases to 30 dB, the number of the players can improve to 651 (307) accordingly. In our protocols, adding or removing users is straightforward and can be realized by inserting or removing the encoding devices of the target users, and the overall network architecture remains almost unchanged.

Fig. 8: The number of the players versus the transmisssion distance.
figure 8

The black squares and blue rhombus are the simulated number of the players. The red and black curve is the fitting according to the simulated values. Given the channel loss limits of 20 dB and 30 dB, we find that the secure QSS and CKA among 180 (53) and 651 (307) players are feasible over a metropolitan area over 20 km (50 km).

Full size image

In conclusion, we have proposed and demonstrated a practical, scalable, verifiable (k, n) threshold continuous variable QSS and CKA protocol. Our protocol effectively eliminates the need of preparing laser source by each player, phase locking of all players’ independent lasers, and excess noises superposition. Furthermore, a single heterodyne detector can be used to extract the information of multiple players by using the multiple sideband modulation approach. We strictly analyzed the practical security for the proposed QSS system under Trojan horse attack, untrusted sources intensity fluctuating, and noisy untrusted sources. The proposed system is flexible and versatile, it can realize both the QSS and CKA tasks by just switching the post-processing program. We experimentally investigated the effects of the quantum channel multiplexing of multiple players on the excess noises of the system, and verified the five-party QSS and CKA quantum communication protocols. A secure key rate of 0.0061 (7.14 × 10−4) bits per pulse are achieved over 25 (55) km standard single-mode fiber. Our results provide a feasible solutions for practical quantum private communication network with current telecom technology.

In our current proof of principle experiment, the sideband frequencies that encoding the key information are 7 MHz and 9 MHz, respectively, and the system clock rate is 250 kHz. In principle, the sideband offset can be set to higher frequencies, which are only limited by the bandwidth of the modulator and heterodyne detector that currently reaches above 20 GHz. In this case, one can use a higher system clock rate, for example, above GHz. Moreover, our network system uses Gaussian modulation to encode the information, other modulation formats such as discrete modulation can also be employed54,55,56,57. It is possible that the proposed sideband encoding method can be applied to other QKD schemes, for example, Twin-Field QKD (TF-QKD), which can effectively beating the PLOB bound and achieve a much longer communication distance51,52,58,59,60,61.

Methods

Experimental setup

The schematic of the experimental setup is shown in Fig. 4. Two continuous wave single-frequency lasers with different wavelengths (1553.78 nm and 1549.26 nm) were prepared by the dealer. A small portion of the lasers are employed as the signals and the rest are acted as the LO fields. The 1553.78 nm and 1549.26 nm signals are sent to player 1 and player 3, respectively. The players 1 and 3 independently generate two sets of Gaussian random numbers at a repetition rate of 250 kHz, and mix them with a 7 MHz sine signals. Then the mixed signals are loaded on the phase and amplitude waveguide modulators to modulate two conjugate quadrature components of the signal fields. The optical filters at the input port of the players’ station limit the wavelength range of Eve’s Trojan horse attacks. To counter against the untrusted source intensity fluctuation attack, a small portion of the incoming signal beams is split and monitored by a photodetector (PD). The PD after the amplitude modulators (AM) monitors the modulation variance in real time by detecting the intensity of the modulated laser beam. Combine with the optical filter together, they can resist the Trojan horse attacks.

The modulated signal beams are sent to the players 2 and 4 through a 2 km and 5 km single-mode fiber (SMF-28e), respectively. After correcting the state of the polarization by the polarization controller (PC), the players 2 and 4 encode their secret key information at the 9 MHz sideband of the signal beams. By using the ADM, two signal beams are coupled into a 50 km single-mode fiber. The two LO beams are sent to the dealer though 52 km and 55 km single-mode fiber, respectively. At the dealer’s station, the signal beams are decoupled by the ADM and measured by heterodyne detection. To this end, two 90 optical hybrid (Kylia) and four balanced homodyne detectors are employed to measure both the amplitude and phase quadrature of the incoming signals. The outputs of the detectors are mixed with 7 MHz and 9 MHz sine waveforms, respectively, and then filtered by two 500 kHz low pass filters. The dealer identifies and extracts the key information of each player in terms of the corresponding wavelengths and sidebands on which the players encoding their key information.

Security proof under Trojan horse attacks

Due to the bidirectional feature of the QSS scheme, the Trojan horse attack should be considered. As shown in Fig. 9a, Eve can use a beam splitter with transmittance of S0 to couple her probe laser at wavelength of λ0 with the laser at wavelength of λi, \(i\in \left\{1,2,\ldots ,n\right\}\) sent by the dealer and send them to the player. The probe laser will carry the key information after being modulated by the modulators of the players. Just at the outside of the player’s station, Eve uses a dichroic beam splitter (DBS) to separate the probe laser to obtain the key information.

Fig. 9: Schematic diagram of the Trojan horse attack model.
figure 9

a Eve uses a beam splitter to inject her probe light at wavelength of λ0 into the player’s station. After being modulated by the player, the probe light is separated by a DBS at outside of the station. Then Eve can acquire the key information by measuring the probe beam. b We can assume λ0 = λi, and replace the DBS with beam splitter S2 with transmittance \({S}_{2}={I}_{{\lambda }_{i}}/({I}_{{\lambda }_{i}}+{I}_{{\lambda }_{0}})\) at \({I}_{{\lambda }_{0}}\). c The Trojan horse attack is equivalent to decrease the transmittance of the untrusted quantum channel from T to T1 = TS2.

Full size image

To deal with this attack, we insert a 50-GHz narrow-band optical filter (0.4 nm bandwidth) into the player’s input port, thereby limiting Eve’s probe laser wavelength to \(\left\vert {\lambda }_{0}\,{{\mbox{-}}}\,{\lambda }_{i}\right\vert \le 0.2\) nm. A beam splitter with transmittance of S1 is added after the modulator to monitor the modulated light fields. The measured light intensity is given by

$${I}_{{{{\rm{m}}}}}={\eta }_{{\lambda }_{i}}{I}_{{\lambda }_{i}}+{\eta }_{{\lambda }_{0}}{I}_{{\lambda }_{0}}+{I}_{{{{\rm{el}}}}},$$
(21)

where \({\eta }_{{\lambda }_{i}}\) and \({\eta }_{{\lambda }_{0}}\) are the total detection efficiency of the player and Eve, respectively, including the modulator’s loss, split ratio of beam splitter, and the photodiode’s quantum efficiency. \({I}_{{\lambda }_{i}}\) and \({I}_{{\lambda }_{0}}\) are the light intensity of the player and Eve respectively, and Iel is the electronic noise of the monitoring detector. Since a weak electro-optic modulation is employed, the modulation variance is proportional to the light intensity of the modulated laser. The modulation variance of the player and Eve can be expressed as

$${V}_{{{{\rm{A}}}}}={M}_{{\lambda }_{i}}{I}_{{\lambda }_{i}},{{\mbox{}}}{V}_{{\lambda }_{0}}={M}_{{\lambda }_{0}}{I}_{{\lambda }_{0}},$$
(22)

where \({M}_{{\lambda }_{i}}\) and \({M}_{{\lambda }_{0}}\) are the modulation coefficients of the electro-optic modulators. Substituting Eq. (22) into Eq. (21) we get

$${I}_{{{{\rm{m}}}}}=\frac{{\eta }_{{\lambda }_{i}}{V}_{{{{\rm{A}}}}}}{{M}_{{\lambda }_{i}}}+\frac{{\eta }_{{\lambda }_{0}}{V}_{{\lambda }_{0}}}{{M}_{{\lambda }_{0}}}+{I}_{{{{\rm{el}}}}}.$$
(23)

Considering that the wavelength of the probe light is very close to the wavelength of the dealer’ laser λ0 ≈ λi, we have

$$\frac{{\eta }_{{\lambda }_{0}}}{{M}_{{\lambda }_{0}}}\approx \frac{{\eta }_{{\lambda }_{i}}}{{M}_{{\lambda }_{i}}}=R.$$
(24)

Eq. (23) can be simplified to

$${I}_{{{{\rm{m}}}}}\approx R({V}_{{{{\rm{A}}}}}+{V}_{{\lambda }_{0}})+{I}_{{{{\rm{el}}}}}.$$
(25)

Therefore, by measuring the partial light intensity of the modulated laser, the overall variance \({V}_{{{{\rm{M}}}}}={V}_{{{{\rm{A}}}}}+{V}_{{\lambda }_{0}}\) of the modulated light fields can be monitored.

Note that the effect of the Trojan horse attack has nothing to do with the specific value of λ0 given that the average photon number of the probe light remains unchanged. Without loss of generality, we can choose λ0 = λi, therefore \({V}_{{\lambda }_{0}}\,{{\mbox{=}}}\,{V}_{{\lambda }_{i}}\), \({V}_{{{{\rm{M}}}}}={V}_{{{{\rm{A}}}}}+{V}_{{\lambda }_{i}}\) and replace the DBS of Eve with a beam splitter of transmittance S2 as shown in Fig. 9b. Eq. (25) can be rewritten as

$${I}_{{{{\rm{m}}}}}=R{V}_{{{{\rm{M}}}}}+{I}_{{{{\rm{el}}}}}.$$
(26)

Therefore, the Trojan horse attack of the eavesdropper is equivalent to the increase of the attenuation of the untrusted quantum channel (Fig. 9c), i.e. T1 = TS2, where T is the original channel transmittance and \({S}_{2}={I}_{{\lambda }_{i}}/({I}_{{\lambda }_{i}}+{I}_{{\lambda }_{0}})\). Since the quantum key distribution protocol is information-theoretical secure for untrusted quantum channel, the Trojan horse attack is discoverable and ineffective.

The measurement of the modulated laser intensity is an average of plenty of measurement data in one data block (>106). In this case, the effect of the electronic noise can be ignored. Eq. (26) can be rewritten as

$$\langle {I}_{{{{\rm{m}}}}}\rangle \approx R{V}_{{{{\rm{M}}}}}.$$
(27)

To defeat Eve’s Trojan horse attack, we can estimate the channel transmittance and excess noise using the player’s and dealer’s data, and the monitored VM,

$${T}_{1}=\frac{{\langle {X}_{{{{{\rm{A}}}}}_{{{{\rm{1}}}}}}{X}_{{{{{\rm{B}}}}}_{{{{\rm{1}}}}}}^{{{{\rm{m}}}}}\rangle }^{2}}{\eta {V}_{{{{\rm{A}}}}}{V}_{{{{\rm{M}}}}}}=\frac{T{V}_{{{{\rm{A}}}}}}{{V}_{{{{\rm{M}}}}}},$$
(28)
$$\varepsilon =\frac{{V}_{{{{\rm{B}}}}}-1-{\upsilon }_{{{{\rm{el}}}}}}{\eta {T}_{1}}-{V}_{{{{\rm{M}}}}},$$
(29)

where \({V}_{{{{\rm{B}}}}}=\langle {{X}_{{{{{\rm{B}}}}}_{{{{\rm{1}}}}}}^{{{{\rm{m}}}}}}^{2}\rangle\) is the variance of the quadratures measured by dealer. η and υel are the efficiency and electronic noise of homodyne detector, respectively.

Security proof under untrusted source intensity fluctuations

Since the laser source is untrusted, Eve can also perform source intensity fluctuation attacks62. Supposes that the dealer plans to prepare a signal pulse with intensity \({I}_{{\lambda }_{i}}\), however, he actually prepares a pulse with the intensity of \({I}_{{\lambda }_{i}}\left(1\,{{\mbox{+}}}\,\sigma \right)\), where σ is the intensity fluctuation caused by the instability of the laser source with mean value zero and variance Vσ. The intensity of the signal pulse received by the player is \({I}_{{\lambda }_{i}}\left(1+\sigma +\,\varphi \right)\), where φ is the intensity fluctuation caused by Eve’s intensity fluctuation attack with mean value zero and variance Vφ. The actual coherent state that encoding the Gaussian random variables \(({X}_{{{{{\rm{A}}}}}_{{{{\rm{1}}}}}},{P}_{{{{{\rm{A}}}}}_{{{{\rm{1}}}}}})\) of the player is given by

$$\left\vert {X}_{{{{{\rm{A}}}}}_{{{{\rm{2}}}}}}+{{{\rm{i}}}}{P}_{{{{{\rm{A}}}}}_{{{{\rm{2}}}}}}\right\rangle =\left\vert \sqrt{\left(1+\sigma +\varphi \right)}{X}_{{{{{\rm{A}}}}}_{{{{\rm{1}}}}}}+{{{\rm{i}}}}\sqrt{\left(1+\sigma +\varphi \right)}{P}_{{{{{\rm{A}}}}}_{{{{\rm{1}}}}}}\right\rangle .$$
(30)

To deal with Eve’s source intensity fluctuation attack, we added a photodetector at the player’s input port to monitor the intensity of each light pulse and the measured signal is

$${I}_{{{{\rm{m}}}}}={I}_{{\lambda }_{i}}+{I}_{{{{\rm{el}}}}},$$
(31)

where Iel is the electronic noise of the detector. The measured intensity fluctuation of the light pulse relative to the average light intensity is expressed as

$$\delta {I}_{{{{\rm{m}}}}}=\delta {I}_{{\lambda }_{i}}+\delta {I}_{{{{\rm{el}}}}},$$
(32)

where \(\delta {I}_{{\lambda }_{i}}\) and δIel are the light pulse fluctuation and electronic noise fluctuation relative to the average light intensity and they satisfy \(\delta {I}_{{\lambda }_{i}}=\sigma +\varphi\), \(\left\langle \delta {I}_{{\lambda }_{i}}\right\rangle \,{{\mbox{=}}}\,0\), \(\left\langle {\delta {I}_{{\lambda }_{i}}}^{2}\right\rangle \,{{\mbox{=}}}\,{V}_{{\lambda }_{i}}\), \(\left\langle \delta {I}_{{{{\rm{el}}}}}\right\rangle \,{{\mbox{=}}}\,0\), and \(\left\langle {\delta {I}_{{{{\rm{el}}}}}}^{2}\right\rangle ={V}_{{{{\rm{el}}}}}\). Considering the source intensity fluctuation, the prepared coherent states can be rewritten as

$$\left\vert {X}_{{{{{\rm{A}}}}}_{{{{\rm{2}}}}}}+{{{\rm{i}}}}{P}_{{{{{\rm{A}}}}}_{{{{\rm{2}}}}}}\right\rangle =\left\vert \sqrt{\left(1\,{{\mbox{+}}}\,\delta {I}_{{\lambda }_{i}}\right)}{X}_{{{{{\rm{A}}}}}_{{{{\rm{1}}}}}}\,{{\mbox{+}}}\,{{{\rm{i}}}}\sqrt{\left(1\,{{\mbox{+}}}\,\delta {I}_{{\lambda }_{i}}\right)}{P}_{{{{{\rm{A}}}}}_{{{{\rm{1}}}}}}\right\rangle .$$
(33)

Notice that the fluctuations of the optical pulses cannot be accurately determined due to the electronic noise of the detector. To guarantee the security of the protocol, the player revises the data from \(({X}_{{{{{\rm{A}}}}}_{{{{\rm{1}}}}}},{P}_{{{{{\rm{A}}}}}_{{{{\rm{1}}}}}})\) to

$$\begin{array}{l}{X}_{{{{{\rm{A}}}}}_{{{{\rm{3}}}}}}=\left(1+\delta {I}_{{{{\rm{m}}}}}+{I}_{{{{\rm{el}}}}}^{\max }\right){X}_{{{{{\rm{A}}}}}_{{{{\rm{1}}}}}},\\ {P}_{{{{{\rm{A}}}}}_{{{{\rm{3}}}}}}=\left(1+\delta {I}_{{{{\rm{m}}}}}+{I}_{{{{\rm{el}}}}}^{\max }\right){P}_{{{{{\rm{A}}}}}_{{{{\rm{1}}}}}},\end{array}$$
(34)

where \({I}_{{{{\rm{el}}}}}^{\max }\) is the maximum of the electronic noise of the monitoring detector. In this case, the channel loss and excess noise will be overestimated by the dealer and players.

The channel transmittance can be

$$\begin{array}{lll}{T}_{2}\,=\,\frac{{\left\langle {X}_{{{{{\rm{A}}}}}_{{{{\rm{3}}}}}}{X}_{{{{{\rm{B}}}}}_{{{{\rm{2}}}}}}^{{{{\rm{m}}}}}\right\rangle }^{2}}{{\left\langle 1+\delta {I}_{{{{\rm{m}}}}}+{I}_{{{{\rm{el}}}}}^{\max }\right\rangle }^{2}\eta {V}_{{{{\rm{A}}}}}{V}_{{{{\rm{M}}}}}}\\ \quad\,\,=\,\frac{{\left\langle \sqrt{1+\delta {I}_{{\lambda }_{i}}}\right\rangle }^{2}T{V}_{{{{\rm{A}}}}}}{{\left\langle \sqrt{1+\delta {I}_{{{{\rm{m}}}}}+{I}_{{{{\rm{el}}}}}^{\max }}\right\rangle }^{2}{V}_{{{{\rm{M}}}}}},\end{array}$$
(35)

where \({X}_{{{{{\rm{B}}}}}_{{{{\rm{2}}}}}}^{{{{\rm{m}}}}}=\sqrt{1+\delta {I}_{{\lambda }_{i}}}{X}_{{{{{\rm{B}}}}}_{{{{\rm{1}}}}}}^{{{{\rm{m}}}}}\).

By using Taylor expansion, we can obtain

$$\sqrt{1+\delta {I}_{{\lambda }_{i}}}\approx 1+\frac{\delta {I}_{{\lambda }_{i}}}{2}-\frac{{\delta {I}_{{\lambda }_{i}}}^{2}}{8},$$
(36)
$$\sqrt{1+\delta {I}_{{{{\rm{m}}}}}+{I}_{{{{\rm{el}}}}}^{\max }}\approx 1+\frac{\delta {I}_{{{{\rm{m}}}}}+{I}_{{{{\rm{el}}}}}^{\max }}{2}-\frac{{(\delta {I}_{{{{\rm{m}}}}}+{I}_{{{{\rm{el}}}}}^{\max })}^{2}}{8}.$$
(37)

Inserting Eqs. (36) and (37) into Eq. (35), we have

$${T}_{2}=\frac{{(8-{V}_{{\lambda }_{i}})}^{2}T{V}_{{{{\rm{A}}}}}}{{(8+4{I}_{{{{\rm{el}}}}}^{\max }-{V}_{{\lambda }_{i}}-{V}_{{{{\rm{el}}}}})}^{2}{V}_{{{{\rm{M}}}}}}.$$
(38)

Using the expression of T2, the excess noise ε1 is written as

$${\varepsilon }_{1}=\frac{({V}_{{{{\rm{B}}}}}-1-{\upsilon }_{{{{\rm{el}}}}})}{\eta {T}_{2}}-\left(1+{I}_{{{{\rm{el}}}}}^{\max }\right){V}_{{{{\rm{M}}}}},$$
(39)

The fluctuation variance \({V}_{{\lambda }_{i}}\) of the light pulse intensity cannot be directly measured. We measure the total variance \(\left\langle \delta {{I}_{{{{\rm{m}}}}}}^{2}\right\rangle ={V}_{{\lambda }_{i}}+{V}_{{{{\rm{el}}}}}\) of the fluctuation of the laser and the electronic noise, and then subtract the electronic noise variance Vel to obtain \({V}_{{\lambda }_{i}}\).

Security proof under untrusted source noises

In addition to the potential Trojan horse attack and untrusted source intensity fluctuation attack, Eve can also perform source noise attacks. In the following, we present the prepare-and-measurement (PM) scheme and the equivalent entanglement-based (EB) scheme. In Fig. 2a, a PM scheme is shown. The dealer prepares a coherent state source and its sidemode quantum state is \(\left\vert {X}_{{{{\rm{N}}}}}\,{{\mbox{+}}}\,{{{\rm{i}}}}{P}_{{{{\rm{N}}}}}\right\rangle\) with \(\left\langle \delta {{X}_{{{{\rm{N}}}}}}^{2}\right\rangle \,{{\mbox{=}}}\,\left\langle \delta {{P}_{{{{\rm{N}}}}}}^{2}\right\rangle =1\) (shot noise units, SNU). Eve introduces Gaussian noise \(\left\{\delta {X}_{{{{\rm{E}}}}},\delta {P}_{{{{\rm{E}}}}}\right\}\) on the sidemodes where the players encoding the key information by modulating the laser, and the noise satisfies \(\left\langle \delta {{X}_{{{{\rm{E}}}}}}^{2}\right\rangle \,{{\mbox{=}}}\,\left\langle \delta {{P}_{{{{\rm{E}}}}}}^{2}\right\rangle ={\xi }_{{{{\rm{E}}}}}\). The untrusted source received by the player can be expressed as

$$\left\vert \delta {X}_{{{{\rm{I}}}}}\,{{\mbox{+}}}\,{{{\rm{i}}}}\delta {P}_{{{{\rm{I}}}}}\right\rangle =\left\vert \delta {X}_{{{{\rm{N}}}}}+\delta {X}_{{{{\rm{E}}}}}+{{{\rm{i}}}}\left(\delta {P}_{{{{\rm{N}}}}}+\delta {P}_{{{{\rm{E}}}}}\right)\right\rangle .$$
(40)

After encoding the key information onto the source, the quantum state of the player is given by

$$\left\vert {X}_{{{{\rm{PM}}}}}\,{{\mbox{+}}}\,{{{\rm{i}}}}{P}_{{{{\rm{PM}}}}}\right\rangle =\left\vert \delta {X}_{{{{\rm{I}}}}}+{X}_{{{{{\rm{A}}}}}_{{{{\rm{1}}}}}}+{{{\rm{i}}}}\left(\delta {P}_{{{{\rm{I}}}}}+{P}_{{{{{\rm{A}}}}}_{{{{\rm{1}}}}}}\right)\right\rangle .$$
(41)

The variance of the quadratures for the quantum state is given by

$$\left\langle {{X}_{{{{\rm{PM}}}}}}^{2}\right\rangle =\left\langle {{P}_{{{{\rm{PM}}}}}}^{2}\right\rangle =V+{\xi }_{{{{\rm{E}}}}},$$
(42)

where V = VA+1. The conditional variance of XPM (PPM) given \({X}_{{{{{\rm{A}}}}}_{{{{\rm{1}}}}}}\) or δXE are

$${V}_{\left.{X}_{{{{\rm{PM}}}}}\right\vert {X}_{{{{{\rm{A}}}}}_{1}}}={V}_{\left.{P}_{{{{\rm{PM}}}}}\right\vert {P}_{{{{{\rm{A}}}}}_{1}}}=1+{\xi }_{{{{\rm{E}}}}},$$
(43)
$${V}_{\left.{X}_{{{{\rm{PM}}}}}\right\vert \delta {X}_{{{{\rm{E}}}}}}={V}_{\left.{P}_{{{{\rm{PM}}}}}\right\vert \delta {P}_{{{{\rm{E}}}}}}=V.$$
(44)

The equivalent EB scheme of the QSS protocol is shown in Fig. 2b, a three-mode Gaussian entangled state \({\rho }_{{{{{\rm{AE}}}}}_{0}{{{{\rm{B}}}}}_{0}}\) is generated and the mode E0 controlled by Eve. For mode A\(\left({X}_{{{{\rm{A}}}}},{P}_{{{{\rm{A}}}}}\right)\), mode E0\(({X}_{{{{{\rm{E}}}}}_{{{{\rm{0}}}}}},{P}_{{{{{\rm{E}}}}}_{{{{\rm{0}}}}}})\), and mode B0\(\left({X}_{{{{{\rm{B}}}}}_{{{{\rm{0}}}}}},{P}_{{{{{\rm{B}}}}}_{{{{\rm{0}}}}}}\right)\), we assume the following realtions are satisfied

$$\begin{array}{l}\left\langle {{X}_{{{{\rm{A}}}}}}^{2}\right\rangle =\left\langle {{P}_{{{{\rm{A}}}}}}^{2}\right\rangle =V,\\ \left\langle {{X}_{{{{{\rm{E}}}}}_{{{{\rm{0}}}}}}}^{2}\right\rangle =\left\langle {{P}_{{{{{\rm{E}}}}}_{{{{\rm{0}}}}}}}^{2}\right\rangle =1+{\xi }_{{{{\rm{E}}}}},\\ \left\langle {{X}_{{{{{\rm{B}}}}}_{{{{\rm{0}}}}}}}^{2}\right\rangle =\left\langle {{P}_{{{{{\rm{B}}}}}_{{{{\rm{0}}}}}}}^{2}\right\rangle =V\,{{\mbox{+}}}\,{\xi }_{{{{\rm{E}}}}}.\end{array}$$
(45)

The covariance matrix \({\gamma }_{{{{{\rm{AE}}}}}_{0}{{{{\rm{B}}}}}_{0}}\) charactering the state \({\rho }_{{{{{\rm{AE}}}}}_{0}{{{{\rm{B}}}}}_{0}}\) has the form

$$\left[\begin{array}{cccccc}V&0&0&0&\sqrt{{V}^{2}-1}&0\\ 0&V&0&0&0&-\sqrt{{V}^{2}-1}\\ 0&0&c{\xi }_{{{{\rm{E}}}}}&0&\sqrt{c}{\xi }_{{{{\rm{E}}}}}&0\\ 0&0&0&c{\xi }_{{{{\rm{E}}}}}&0&-\sqrt{c}{\xi }_{{{{\rm{E}}}}}\\ \sqrt{{V}^{2}-1}&0&\sqrt{c}{\xi }_{{{{\rm{E}}}}}&0&V+{\xi }_{{{{\rm{E}}}}}&0\\ 0&-\sqrt{{V}^{2}-1}&0&-\sqrt{c}{\xi }_{{{{\rm{E}}}}}&0&V+{\xi }_{{{{\rm{E}}}}}\\ \end{array}\right]$$
(46)

where c → +  is a large real number.

The player performs a heterodyne detection on mode A and the measurement results are given by

$${X}_{{{{\rm{A}}}}}^{{{{\rm{m}}}}}=\frac{1}{\sqrt{2}}\left({X}_{{{{\rm{A}}}}}+\delta {X}_{{{{\rm{N}}}}}\right),{P}_{{{{\rm{A}}}}}^{{{{\rm{m}}}}}=\frac{1}{\sqrt{2}}\left({P}_{{{{\rm{A}}}}}-\delta {P}_{{{{\rm{N}}}}}\right).$$
(47)

The player uses the measurement results \(\left({X}_{{{{\rm{A}}}}}^{{{{\rm{m}}}}},{P}_{{{{\rm{A}}}}}^{{{{\rm{m}}}}}\right)\) to estimate the mode B0,

$$\begin{array}{l}{X}_{{{{{\rm{B}}}}}_{{{{\rm{0}}}}}}^{{\prime} }=\frac{\left\langle {X}_{{{{{\rm{B}}}}}_{{{{\rm{0}}}}}}{X}_{{{{\rm{A}}}}}^{{{{\rm{m}}}}}\right\rangle }{\left\langle {{X}_{{{{\rm{A}}}}}^{{{{\rm{m}}}}}}^{2}\right\rangle }{X}_{{{{\rm{A}}}}}^{{{{\rm{m}}}}}=\sqrt{\frac{2(V-1)}{V+1}}{X}_{{{{\rm{A}}}}}^{{{{\rm{m}}}}},\\ {P}_{{{{{\rm{B}}}}}_{{{{\rm{0}}}}}}^{{\prime} }=\frac{\left\langle {P}_{{{{{\rm{B}}}}}_{{{{\rm{0}}}}}}{P}_{{{{\rm{A}}}}}^{{{{\rm{m}}}}}\right\rangle }{\left\langle {{P}_{{{{\rm{A}}}}}^{{{{\rm{m}}}}}}^{2}\right\rangle }{P}_{{{{\rm{A}}}}}^{{{{\rm{m}}}}}=-\sqrt{\frac{2(V-1)}{V+1}}{P}_{{{{\rm{A}}}}}^{{{{\rm{m}}}}}.\end{array}$$
(48)

From Eq. (48), we have

$$\left\langle {{X}_{{{{{\rm{B}}}}}_{{{{\rm{0}}}}}}^{{\prime} }}^{2}\right\rangle =\left\langle {{P}_{{{{{\rm{B}}}}}_{{{{\rm{0}}}}}}^{{\prime} }}^{2}\right\rangle ={V}_{{{{\rm{A}}}}}.$$
(49)

The conditional variances can be expressed as

$${V}_{\left.{X}_{{{{{\rm{B}}}}}_{{{{\rm{0}}}}}}\right\vert {X}_{{{{{\rm{B}}}}}_{{{{\rm{0}}}}}}^{{\prime} }}={V}_{\left.{P}_{{{{{\rm{B}}}}}_{{{{\rm{0}}}}}}\right\vert {P}_{{{{{\rm{B}}}}}_{{{{\rm{0}}}}}}^{{\prime} }}=\langle {{X}_{{{{{\rm{B}}}}}_{{{{\rm{0}}}}}}}^{2}\rangle -\frac{{\langle {X}_{{{{{\rm{B}}}}}_{{{{\rm{0}}}}}}{X}_{{{{{\rm{B}}}}}_{{{{\rm{0}}}}}}^{{\prime} }\rangle }^{2}}{\langle {{X}_{{{{{\rm{B}}}}}_{{{{\rm{0}}}}}}^{{\prime} }}^{2}\rangle }=1+{\xi }_{{{{\rm{E}}}}},$$
(50)
$${V}_{\left.{X}_{{{{{\rm{B}}}}}_{0}}\right\vert {X}_{{{{{\rm{E}}}}}_{0}}}={V}_{\left.{P}_{{{{{\rm{B}}}}}_{0}}\right\vert {P}_{{{{{\rm{E}}}}}_{0}}}=\left\langle {{X}_{{{{{\rm{B}}}}}_{0}}}^{2}\right\rangle -\frac{{\left\langle {X}_{{{{{\rm{B}}}}}_{0}}{X}_{{{{{\rm{E}}}}}_{0}}\right\rangle }^{2}}{\left\langle {{X}_{{{{{\rm{E}}}}}_{0}}}^{2}\right\rangle }=V.$$
(51)

From Eqs. (48) and (49), mode B0 is projected onto states with variable mean values of (\({X}_{{{{{\rm{B}}}}}_{0}}^{{\prime} }\),\({P}_{{{{{\rm{B}}}}}_{0}}^{{\prime} }\)) and corresponding variance of VA conditioned on the player’s measurement. The uncertainty on the inferred values of mode B0 for the player (Eq. (50)) coincides with the noisy coherent state in the PM scheme (Eq. (43)). Furthermore, from Eq. (51), the uncertainty on the inferred values of mode B0 for Eve is identical to that in the PM scheme (Eq. (44)). Therefore, the EB scheme is equivalent to the PM scheme.