## Abstract

Quantum secret sharing (QSS) and conference key agreement (CKA) provide efficient encryption approaches for realizing multi-party secure communication, which are essential components of quantum networks. In this work, a practical, scalable, verifiable (*k*, *n*) threshold continuous variable QSS protocol secure against eavesdroppers and dishonest players are proposed and demonstrated. The protocol does not require preparing the laser source by each player and phase locking of independent lasers. The parameter evaluation and key extraction can be accomplished by only the dealer and the corresponding player. By using the multiple sideband modulation, a single heterodyne detector can extract the information of multiple players. The practical security of the system is considered. The system is versatile, it can support the CKA protocol by only modifying the classic post-processing and requiring no changes to the underlying hardware architecture. By implementing the QSS and CKA protocols with five parties over 25 km (55 km) single-mode fibers, a key rate of 0.0061 (7.14 × 10^{−4}) bits per pulse is observed. The results significantly reduces the system complexity and paves the way for the practical applications of QSS and CKA with efficient utilization of resources and telecom technologies.

## Introduction

In recent years, quantum communication has made significant breakthroughs, in particular, quantum key distribution (QKD)^{1,2,3} ensures secure communication between legitimate parties based on the principles of quantum mechanics. The invention of QKD provides an effective approach to solve the point-to-point security key distribution between two users. Inspired by the idea of QKD and classical cryptography protocols^{4,5,6}, the quantum secret sharing (QSS)^{7}, and conference key agreement (CKA)^{8} using multiparticle Greenberger-Horne-Zeilinger (GHZ) entangled states were proposed. The QSS combines quantum cryptography with classical secret sharing and uses quantum state as a secret encoding carrier. The secret message is divided into *n* pieces and distributed to *n* players in an appropriate way^{7}. For a (*k*, *n*) threshold protocol, if no less than *k* players combine their pieces of information together, the secret message can be recovered^{4}. QSS can protect secret message from the eavesdroppers and dishonest players, and has important applications in key management, identity authentication, remote voting, and quantum sealed-bid auction. The task of CKA is to establish a common secret key among *n* players. All players can encrypt the public messages and decrypt the encrypted public messages broadcasted by other players, whereas the eavesdroppers cannot obtain any public messages broadcasted by the players^{8}.

At present, a variety of QSS and CKA protocols have been proposed. They follow mainly two different paths: the multipartite entangled states based protocols and the bipartite QKD based protocols. The first path employs quantum correlations of genuine multipartite quantum resources, require no explicit QKD process, and may offer specific advantages over the latter. The latter can use mature security proofs and technology of QKD, and could bring operational advantages such as it can switch between different protocols by configuring only the classical post-processing program and no modification of hardware devices are required. Depending on the quantum resources employed, the discrete variable QSS including the entangled state QSS^{7,9,10,11,12,13}, the single qubit QSS^{14,15,16}, the single qudit QSS^{17,18,19}, and the post-selected multipartite entanglement state QSS^{20} have been investigated. The continuous variable QSS with the entangled state^{21,22,23,24} and coherent state^{25,26,27,28} were also presented. Furthermore, CKA with multipartite entangled state (known as quantum conference key agreement (QCKA)^{29})^{8,29,30,31,32,33,34}, three party QKD^{35}, and measurement-device-independent (MDI) type^{20,36,37,38} have been reported.

The above works significantly improve the feasibility of QSS and CKA. However, there are still key limitations in security and practicability. For instance, the single qubit QSS protocol is vulnerable to Trojan horse attacks^{39,40} where an eavesdropper can send a signal to the player’s station and unambiguously determine the private information by measuring the output signals. The QSS^{7,9,10,11,12,13} and CKA^{8,29,30,31,32,33,34} based on the GHZ entangled state are appealing. For certain CKA networks with bottlenecks^{31}, the GHZ resource state can be distributed in a single use of the network for the multipartite entanglement protocol, despite the complicated quantum network coding with two-qubit gates failure rates and channel noises below certain threshold are required. Nevertheless, the practical applications of GHZ-like states are quite limited due to the difficulty of generation, manipulation, and distribution of multi-partite entangled states with very large dimension at present^{20,33,41}. The post-selection GHZ entangled state QSS and CKA alleviate this issue^{20,37}. However, the implementation of this scheme requires the intervention of multiple players, which increases the complexity of the experiment. Continuous variable QSS (CV-QSS) based on coherent states has good compatibility with telecom techniques^{25,26,27,28}. Unfortunately, most of coherent-state CV-QSS protocols require that all players have to prepare their own laser sources, and the phase of all players’ independent lasers should be strictly locked, which adds considerable complexity and cost to the system. On the other hand, the superposition of channel excess noises from other players severely reduces the secret key rate due to the joint measurement by the dealer^{25,26,28}. Furthermore, most of the existing QSS and CKA require dedicated hardware devices and many QSS are (*n*, *n*) schemes.

To solve above problems, in this paper we propose a practical, scalable, and verifiable (*k*, *n*) threshold CV-QSS protocol based on the bipartite QKD approach. In contrast to previous works with continuous variable regime, our protocol does not require each player preparing a laser source and phase locking of the overall lasers. Furthermore, the dealer can use a single heterodyne detector to extract the information of multiple players thanks to the proposed multiple sideband modulation approach, and the evaluation of the channel parameters for each player is independent. These significantly reduce the complexity and cost of QSS network system and increase the secret key rate and transmission distance. The proposed QSS scheme is versatile and flexible. It can switch between QSS and CKA just by switching the classical post-processing program and no modification of hardware devices are required. We perform strict security analysis for Trojan horse attacks and the untrusted sources intensity fluctuation and noise. The protocol is proved to be secure against eavesdroppers on the quantum channel and dishonest players. We experimentally demonstrate the QSS and CKA protocols with five-party over long-distance single-mode fiber, and investigate the excess noise variations versus the number of the players and fiber length.

## Results

### The QSS protocol

The sketch of the QSS protocol is shown in Fig. 1, the dealer prepares a number of laser sources of different wavelengths and sends them to adjacent players. For each laser source, the players implement independent Gaussian modulation to encode their key information in different sidebands^{42} of the light field and subsequently send the modulated light field to the next player. Then the signal fields with different wavelengths are multiplexed via the add/drop multiplexer (ADM) and sent to the dealer through a common quantum channel. The dealer demultiplexs the relieved signal fields via a demultiplexer (DEMUX) and measures them separately via heterodetection. The detailed steps are as follows.

Step 1. The dealer prepares n laser sources of different wavelength *λ*_{i}, \(i\in \left\{1,2,\ldots ,n\right\}\). The first player *P*_{11} modulates the laser *λ*_{1} and prepares a coherent state \(\left\vert {X}_{{\lambda }_{1}{f}_{1}}+{{{\rm{i}}}}{P}_{{\lambda }_{1}{f}_{1}}\right\rangle\) with weak modulation at sideband frequency *f*_{1} of the light field and sends the modulated light field to the neighboring player *P*_{12}.

Step 2. The second player *P*_{12} prepares the coherent state \(\left\vert {X}_{{\lambda }_{1}{f}_{2}}+{{{\rm{i}}}}{P}_{{\lambda }_{1}{f}_{2}}\right\rangle\) on sideband *f*_{2}. Above procedure is repeated until the *P*_{1p}th player prepares the coherent state \(\left\vert {X}_{{\lambda }_{1}{f}_{p}}+{{{\rm{i}}}}{P}_{{\lambda }_{1}{f}_{p}}\right\rangle\) and sends the modulated signal fields into the common quantum channel.

Step 3. For other laser source *λ*_{i}, the corresponding players implement the same procedure as above to encode their information in different sidebands of the light field and add the modulated signal fields into the common quantum channel via ADM.

Step 4. After the quantum states of all players reach the dealer through a common quantum channel, the dealer uses a demultiplexer to separate the received quantum states and measures them using heterodyne detection. The measurement results (raw data) are denoted by \(\big\{{X}_{{\lambda }_{i}{f}_{j}}^{{{{\rm{m}}}}},{P}_{{\lambda }_{i}{f}_{j}}^{{{{\rm{m}}}}}\big\}\), \(j\in \left\{1,2,\ldots ,p,\ldots ,q\right\}\).

Step 5. Repeat the above steps until enough raw keys are accumulated.

Step 6. The dealer and each player independently evaluate the channel parameters including the quantum channel transmittance and excess noise \(\left\{{T}_{{\lambda }_{i}{f}_{j}},{\varepsilon }_{{\lambda }_{i}{f}_{j}}\right\}\) by using the same procedure as that of the continuous variable QKD (CV-QKD)^{43,44,45,46}. Based on the channel parameters, the key rates between the dealer and each player can be estimated. If all of them are positive, the dealer selects the lowest key rate \({K}_{\min }\) among all players as the key rate of the QSS, that means the QSS works at the rate of the worst performing player. Then using the data reconciliation and privacy amplification, the secure keys \(\left\{{S}_{{\lambda }_{i}{f}_{j}}\right\}\) are distilled.

Step 7. For a (*k*, *n*) threshold QSS, the dealer randomly selects a *k* − 1 power polynomial \(f\left({S}_{{\lambda }_{i}{f}_{j}}\right)\) in the finite field *Z*, where \(f\left({S}_{{\lambda }_{i}{f}_{j}}\right)=S+{a}_{1}{S}_{{\lambda }_{i}{f}_{j}}^{1}+{a}_{2}{S}_{{\lambda }_{i}{f}_{j}}^{2}+\cdots +{a}_{k-2}{S}_{{\lambda }_{i}{f}_{j}}^{k-2}+{a}_{k-1}{S}_{{\lambda }_{i}{f}_{j}}^{k-1}\). Here, the polynomial coefficients \(\left\{S,{a}_{1},{a}_{2},\cdots \,,{a}_{k-1}\right\}\in Z\) and *S* is the sharing secret key. The dealer calculates \(\left\{{S}_{{\lambda }_{i}{f}_{j}},f\left({S}_{{\lambda }_{i}{f}_{j}}\right)\right\}\), and selects a Hash function \(H\left({S}_{{\lambda }_{i}{f}_{j}}\right)\) to calculate the authentication tag \(\left\{H\left({S}_{{\lambda }_{i}{f}_{j}}\right)\right\}\). Next, the dealer sends \(f({S}_{{}_{{\lambda }_{i}{f}_{j}}})\), the Hash function, and the authentication tags to each player through the authenticated classical channel.

Step 8. Each player know \(f\left({S}_{{\lambda }_{i}{f}_{j}}\right)\) and the authentication tags of all players. If *k* players want to reconstruct the sharing secret keys, they use the Hash function to calculate the authentication tags \(\left\{{H}^{{\prime} }\left({S}_{1}\right),{H}^{{\prime} }({S}_{2}),\cdots \,,{H}^{{\prime} }\left({S}_{k}\right)\right\}\) and compare them with those sent by the dealer. By checking the consistency of the authentication tag, the dishonest players can be discovered. After verification, the sharing secret key *S* can be calculated directly using the Lagrange interpolation formula:

Although above procedures are classical, we take each distributed key \({S}_{{\lambda }_{i}{f}_{j}}\) as a independent variable of a polynomial \(f\left({S}_{{\lambda }_{i}{f}_{j}}\right)\) and combine it with a Hash function, which makes our scheme secure against eavesdroppers and dishonest players in both the quantum distribution stage and the key reconstruction stage.

### The CKA protocol

For actual application scenarios, a quantum network should not support only a single protocol. On the premise of not changing the underlying architecture, it is desired that the network can support multiple protocols which can be conveniently switched according to the needs of the players. Such a network structure is flexible and versatile^{20,27,37}.

Our experimental system is flexible and versatile and can be used to implement CKA without modifying any hardware devices, one only need to switch the corresponding post-processing procedure. Below we present the implementation process of CKA in detail.

Step 1. By utilizing the same quantum stage as that of the QSS scheme, the dealer establishs different quantum keys \(\left\{{S}_{{\lambda }_{i}{f}_{j}}\right\}\) with all players. The dealer selects the lowest secret key rate \({K}_{\min }\) among all players, that means the CKA works at the key rate of the worst performing player.

Step 2. The dealer prepares a common secret key *S*_{c}, which are encrypted using the player’s quantum secret key \({S}_{{\lambda }_{i}{f}_{j}}\), \({S}_{{{{\rm{e}}}}}={S}_{{\lambda }_{i}{f}_{j}}\oplus {S}_{{{{\rm{c}}}}}\), and then sent to the designated players through the authenticated classical channel. Next the players decrypt the encrypted keys with their own quantum secret key and recover the common secret key \({S}_{{{{\rm{c}}}}}={S}_{{{{\rm{e}}}}}\oplus {S}_{{\lambda }_{i}{f}_{j}}\)^{31}.

Our CKA scheme has following advantages. Quantum state preparation: it only requires off-the-shelf telecom components such as commercial narrow linewidth lasers, amplitude and phase modulators, thus the state preparation process is simple and low-cost. Scalability: it can be conveniently extended to plenty of players on the order of hundreds (see “Discussion” section for the details).

### Security analysis

For the presented QSS scheme, similar to the theoretical framework of plug-and-play QKD^{39}, the transmission of the laser source from the dealer to the players can be controlled by Eve. In this case, Eve may performs potential attacks. Therefore, the practical security of the protocols under the conditions of Trojan horse attacks, untrusted source intensity fluctuation, and untrusted source noise should be analyzed. (See “Methods” section for the detailed theoretical analysis).

On the basis of the practical security analysis of QSS scheme, we derive the secret key rate in this part. The lower bound of the asymptotic secret key rate of the QSS and CKA protocols against collective attack are given by^{47,48}

where *β* is the reconciliation efficiency, *I*_{AB} is the Shannon mutual information between the player and dealer, and *χ*_{BE} is the maximum information available to the dishonest players and eavesdroppers conditioned on dealer’s measurement.

The channel added noise referred to the channel input is given by

where 1/*T*_{2} − 1 is introduced by the quantum channel loss, *T*_{2} denotes the effective channel transmittance, and *ε*_{1} denotes the effective excess noise. The detection noise referred to the dealer’s input is expressed by

where *η* and *υ*_{el} denote the detector efficiency and the detector electronic noise, respectively. The total noise referred to the channel input is

The mutual information *I*_{AB} is calculated directly from the dealer’s measured quadratures variance \({V}_{{{{\rm{B}}}}}={T}_{2}\eta \left(V\,{{\mbox{+}}}\,{\xi }_{{{{\rm{E}}}}}\,{{\mbox{+}}}\,{\chi }_{{{{\rm{tot}}}}}\right)\), where *V* = *V*_{M} + 1, *V*_{M} denotes the effective modulated variance and the conditional variance \({V}_{\left.{{{\rm{B}}}}\right\vert {{{\rm{A}}}}}={T}_{2}\eta \left(1+{\xi }_{{{{\rm{E}}}}}+{\chi }_{{{{\rm{tot}}}}}\right)\)

where *ξ*_{E} denotes the untrusted source noise added by Eve. Eve’s access information is up bounded by the Holevo quantity

where \(p({m}_{{{{{\rm{B}}}}}_{{{{\rm{1}}}}}})\) is the probability density of the dealer’s measurement outcomes \({m}_{{{{{\rm{B}}}}}_{1}}\). \({\rho }_{{{{\rm{E}}}}}^{{m}_{{{{{\rm{B}}}}}_{1}}}\) is the quantum state of Eve and dishonest players conditioned on the dealer’s measurement result. *S*(.) denotes the von Neumann entropy. To calculate Eve’s accessible information, we know that Eve’s system can purifiy the system AE_{0}B (Fig. 2), \(S\left({\rho }_{{{{{\rm{E}}}}}_{0}{{{\rm{E}}}}}\right)\,{{\mbox{=}}}\,S\left({\rho }_{{{{\rm{AB}}}}}\right)\), and the system AE_{0}EFG is pure after the dealer’s heterodyne measurement, so that \(S\left({\rho }_{{\rm{E}}_{0}{\rm{E}}}^{{m}_{{\rm{B}}_{\rm{1}}}}\right)=S \left({\rho }_{\rm{AFG}}^{{m}_{{\rm{B}}_{\rm{1}}}}\right)\), where \(S \left({\rho }_{\rm{AFG}}^{{m}_{{\rm{B}}_{\rm{1}}}}\right)\) is independent of \({m}_{{{{{\rm{B}}}}}_{{{{\rm{1}}}}}}\) for the Gaussian modulated Gaussian states protocol. Now, Eq. (7) can be rewritten as

The covariance matrix of the Gaussian state *ρ*_{AB}

where \(I\,{{\mbox{=}}}\,\left[\begin{array}{cc}1&0\\ 0&1\\ \end{array}\right]\) and \({\sigma }_{{{{\rm{z}}}}}=\left[\begin{array}{cc}1&0\\ 0&-1\\ \end{array}\right]\).

The symplectic eigenvalues of *γ*_{AB} have the form

where

The symplectic eigenvalues of \({\gamma}_{{\mathrm{AFG}}}^{{{m}_{{\mathrm{B}}_{\mathrm{1}}}}}\) have the form

where

The Holevo quantity *χ*_{BE} is given by

where \(G\left(x\right)=\left(x+1\right){\log }_{2}\left(x+1\right)-x{\log }_{2}x\).

Using Eqs. (2), (6), and (10)–14), we can calculate the lower bound of the secret key rate.

### Modulation

In our experiment, the weak modulation method is adopted to prepare the coherent states at the sideband modes. Before the modulation, the complex amplitude of a single frequency laser has the form

where *α*_{0} and *f*_{0} are the amplitude and frequency of the laser. When the laser is weakly modulated at frequency *f*_{j}, the sidemode of the modulated laser is given by

where *M*_{x} ≪ 1 and *M*_{p} ≪ 1 denote the amplitude and phase modulation depths respectively. Because the average photon number of the carrier satisfies \({\left\vert {\alpha }_{0}\right\vert }^{2}\gg 1\), even if a very weak modulation can faithfully prepare a coherent state with mean photon number of a few photons at the sidemode. From Eq. (16), the sidemode states can be written as

where *X* = *M*_{x}*α*_{0}, *P* = *M*_{p}*α*_{0}. Therefore, under the condition of large \(\left\vert {\alpha }_{0}\right\vert\) and small modulation depths, we can conveniently prepare sidemode coherent states by modulating the amplitude and phase of the laser field.

### Carrier phase evaluation

In our experiment, the quantum signals and local oscillators (LO) are transmitted through two different long-distance fibers to simulate the local local oscillator (LLO) scheme. In this case, there exists fast phase drifts between the quantum signals and LO. At present, several phase recovered schemes have been proposed that mainly using the pilot-aided feedforward data recovery scheme. The basic idea of the pilot-sequence scheme is to use adjacent pilot pulses to estimate the middle signal’s phase drift^{49}. The pilot-multiplexed scheme divides the phase drift into the fast drift and the slow drift parts, and one can implement two remapping procedures to compensate them separately^{50}.

In our scheme, we use a simple method to estimate the phase of the signals. As shown in Fig. 3, the quantum signals are generated by modulating the carrier of the lasers and they have fixed phase relations. Although the player’s quantum signals are not generated at the same time, the quantum signals and the carrier pass through the same optical path and are subject to the same phase evolution^{51,52}. Therefore, all the quantum signals for each laser have the same phase and we can infer the phase of the quantum signals by evaluating the phase of the carrier.

### Experimental results

We demonstrated the proof-of-principle experiment of the proposed QSS and CKA protocols over different long-distance fiber links (see Fig. 4). The experimental parameters are shown in Table 1. To investigate the effect of different multiplexing methods on the player’s excess noises, we measured the excess noises under different scenarios, only a single player, two players with sideband multiplexing, and four players with both the dense wavelength division multiplexing and sideband multiplexing. The results are shown in Fig. 5.

In Fig. 5a, the average values of the excess noise of player 1 at total transmission distance of 22 km under three cases are 0.00847 (only player 1 encoding the information), 0.0102 (both player 1 and player 2 encoding the information), and 0.0098 (all players 1–4 encoding the information), respectively. We can see that the frequency multiplexing has a slight influence on the excess noise. It is due to that the frequency multiplexing causes a little crosstalk during the modulation and demodulation of the quantum signals. For the dense wavelength division multiplexing of the quantum signals, the player’s excess noise has negligible impact on each other. Above phenomenon is also confirmed by the similar results observed in Fig. 5b–d.

The experimental secret key rates of the QSS (CKA) system are shown in Fig. 6. The black line represents the Pirandola-Laurenza-Ottaviani-Banchi (PLOB) bound^{53}. The two purple rhombus, black triangles, blue pentagrams, and red squares correspond to the secret key rate of the players 1, 2, 3, and 4 at single-mode fiber links of (22 km, 52 km), (20 km, 50 km), (25 km, 55 km), and (20 km, 50 km), respectively. The blue and red curves represent the simulated secret key rates for the players 1, 3 and the players 2, 4, respectively. Due to the channel loss of the players 1 and 3 is larger than that of the players 2 and 4 (the players 2 and 4 are regarded as eavesdroppers from the viewpoint of the player of 1 and 3), the key rate of the players 1 and 3 are lower. After all players estimate their key rate with the dealer, the lowest key rate of all the players is set as the key rate for the QSS (CKA) system. In our case, the key rate of the QSS (CKA) at 25 and 55 km fiber links are 0.0061 and 7.14 × 10^{−4} bits per pulse, respectively, which are determined by the key rate of players 3 and 1.

## Discussion

On the basis of our presented scheme, in this section we discuss the possible construction of a network topology for metropolitan QSS and CKA network.

In our proof of principle experiment, we employ the fiber-based components such as amplitude and phase modulators, optical filter, beam-splitters. These fiber pigtailed components have relative large insertion losses, which are detrimental to the performance of the QSS and CKA protocols. In fact, the players can employ free space optical devices at their stations, which can significantly reduce the adverse insertion losses and increase the player amount.

Table 2 shows the typical losses of state of the art optical devices that are required in our protocol. From the loss values, we can estimate the total insertion losses (*d*) for each player’s station is around 1.35 dB. Using the estimated loss, we propose a possible network topology for metropolitan QSS and CKA network, as shown in Fig. 7. The metropolitan network consists of a backbone network and multiple access networks. The backbone network have *m* access points, which enables the end players to connect to the network. The upper limit value of the channel loss for each access network is assumed to be *D*. The construction process of the metropolitan network is as follows.

Step 1. The fiber distance between the farthest player and the dealer in each access network is defined as *L*, and the therefore channel linear loss is 0.2*L* for standard single-mode fiber.

Step 2. Since the insertion loss of the player’s station is greater than that of the ADM, the backbone network should configure the access nodes as many as possible in order to maximize the number of the players in the metropolitan network. The number of access nodes can be given by

where AWG and ADM denote the insertion loss of the AWG and ADM.

Step 3. The number of the players in the *y*th access network counting from receiver is expressed as

where \(y\in \left\{1,2,\ldots ,m\right\}\).

Step 4. The maximum number of the players in the metropolitan network is

Notice that, given the fiber distance *L* between the farthest players of the access networks and the dealer, the position of the players in each access network is unrestricted. The span between two adjacent access points can also be freely configured as needed.

Based on the construction method mentioned above, we simulate the maximum number of the players at different transmission distances in Fig. 8. The black and blue dots represent the results of theoretical simulations under *D* = 20 dB and 30 dB. The red and black curves are the fitting curves. The network exhibits a nonlinear dependence between the transmission distance and number of the players. When the channel loss limit is set to 20 dB, we can see that the secure QSS and CKA among 180 (53) players are feasible within a metropolitan area over 20 km (50 km). If the channel loss limit increases to 30 dB, the number of the players can improve to 651 (307) accordingly. In our protocols, adding or removing users is straightforward and can be realized by inserting or removing the encoding devices of the target users, and the overall network architecture remains almost unchanged.

In conclusion, we have proposed and demonstrated a practical, scalable, verifiable (*k*, *n*) threshold continuous variable QSS and CKA protocol. Our protocol effectively eliminates the need of preparing laser source by each player, phase locking of all players’ independent lasers, and excess noises superposition. Furthermore, a single heterodyne detector can be used to extract the information of multiple players by using the multiple sideband modulation approach. We strictly analyzed the practical security for the proposed QSS system under Trojan horse attack, untrusted sources intensity fluctuating, and noisy untrusted sources. The proposed system is flexible and versatile, it can realize both the QSS and CKA tasks by just switching the post-processing program. We experimentally investigated the effects of the quantum channel multiplexing of multiple players on the excess noises of the system, and verified the five-party QSS and CKA quantum communication protocols. A secure key rate of 0.0061 (7.14 × 10^{−4}) bits per pulse are achieved over 25 (55) km standard single-mode fiber. Our results provide a feasible solutions for practical quantum private communication network with current telecom technology.

In our current proof of principle experiment, the sideband frequencies that encoding the key information are 7 MHz and 9 MHz, respectively, and the system clock rate is 250 kHz. In principle, the sideband offset can be set to higher frequencies, which are only limited by the bandwidth of the modulator and heterodyne detector that currently reaches above 20 GHz. In this case, one can use a higher system clock rate, for example, above GHz. Moreover, our network system uses Gaussian modulation to encode the information, other modulation formats such as discrete modulation can also be employed^{54,55,56,57}. It is possible that the proposed sideband encoding method can be applied to other QKD schemes, for example, Twin-Field QKD (TF-QKD), which can effectively beating the PLOB bound and achieve a much longer communication distance^{51,52,58,59,60,61}.

## Methods

### Experimental setup

The schematic of the experimental setup is shown in Fig. 4. Two continuous wave single-frequency lasers with different wavelengths (1553.78 nm and 1549.26 nm) were prepared by the dealer. A small portion of the lasers are employed as the signals and the rest are acted as the LO fields. The 1553.78 nm and 1549.26 nm signals are sent to player 1 and player 3, respectively. The players 1 and 3 independently generate two sets of Gaussian random numbers at a repetition rate of 250 kHz, and mix them with a 7 MHz sine signals. Then the mixed signals are loaded on the phase and amplitude waveguide modulators to modulate two conjugate quadrature components of the signal fields. The optical filters at the input port of the players’ station limit the wavelength range of Eve’s Trojan horse attacks. To counter against the untrusted source intensity fluctuation attack, a small portion of the incoming signal beams is split and monitored by a photodetector (PD). The PD after the amplitude modulators (AM) monitors the modulation variance in real time by detecting the intensity of the modulated laser beam. Combine with the optical filter together, they can resist the Trojan horse attacks.

The modulated signal beams are sent to the players 2 and 4 through a 2 km and 5 km single-mode fiber (SMF-28e), respectively. After correcting the state of the polarization by the polarization controller (PC), the players 2 and 4 encode their secret key information at the 9 MHz sideband of the signal beams. By using the ADM, two signal beams are coupled into a 50 km single-mode fiber. The two LO beams are sent to the dealer though 52 km and 55 km single-mode fiber, respectively. At the dealer’s station, the signal beams are decoupled by the ADM and measured by heterodyne detection. To this end, two 90^{∘} optical hybrid (Kylia) and four balanced homodyne detectors are employed to measure both the amplitude and phase quadrature of the incoming signals. The outputs of the detectors are mixed with 7 MHz and 9 MHz sine waveforms, respectively, and then filtered by two 500 kHz low pass filters. The dealer identifies and extracts the key information of each player in terms of the corresponding wavelengths and sidebands on which the players encoding their key information.

### Security proof under Trojan horse attacks

Due to the bidirectional feature of the QSS scheme, the Trojan horse attack should be considered. As shown in Fig. 9a, Eve can use a beam splitter with transmittance of *S*_{0} to couple her probe laser at wavelength of *λ*_{0} with the laser at wavelength of *λ*_{i}, \(i\in \left\{1,2,\ldots ,n\right\}\) sent by the dealer and send them to the player. The probe laser will carry the key information after being modulated by the modulators of the players. Just at the outside of the player’s station, Eve uses a dichroic beam splitter (DBS) to separate the probe laser to obtain the key information.

To deal with this attack, we insert a 50-GHz narrow-band optical filter (0.4 nm bandwidth) into the player’s input port, thereby limiting Eve’s probe laser wavelength to \(\left\vert {\lambda }_{0}\,{{\mbox{-}}}\,{\lambda }_{i}\right\vert \le 0.2\) nm. A beam splitter with transmittance of *S*_{1} is added after the modulator to monitor the modulated light fields. The measured light intensity is given by

where \({\eta }_{{\lambda }_{i}}\) and \({\eta }_{{\lambda }_{0}}\) are the total detection efficiency of the player and Eve, respectively, including the modulator’s loss, split ratio of beam splitter, and the photodiode’s quantum efficiency. \({I}_{{\lambda }_{i}}\) and \({I}_{{\lambda }_{0}}\) are the light intensity of the player and Eve respectively, and *I*_{el} is the electronic noise of the monitoring detector. Since a weak electro-optic modulation is employed, the modulation variance is proportional to the light intensity of the modulated laser. The modulation variance of the player and Eve can be expressed as

where \({M}_{{\lambda }_{i}}\) and \({M}_{{\lambda }_{0}}\) are the modulation coefficients of the electro-optic modulators. Substituting Eq. (22) into Eq. (21) we get

Considering that the wavelength of the probe light is very close to the wavelength of the dealer’ laser *λ*_{0} ≈ *λ*_{i}, we have

Eq. (23) can be simplified to

Therefore, by measuring the partial light intensity of the modulated laser, the overall variance \({V}_{{{{\rm{M}}}}}={V}_{{{{\rm{A}}}}}+{V}_{{\lambda }_{0}}\) of the modulated light fields can be monitored.

Note that the effect of the Trojan horse attack has nothing to do with the specific value of *λ*_{0} given that the average photon number of the probe light remains unchanged. Without loss of generality, we can choose *λ*_{0} = *λ*_{i}, therefore \({V}_{{\lambda }_{0}}\,{{\mbox{=}}}\,{V}_{{\lambda }_{i}}\), \({V}_{{{{\rm{M}}}}}={V}_{{{{\rm{A}}}}}+{V}_{{\lambda }_{i}}\) and replace the DBS of Eve with a beam splitter of transmittance *S*_{2} as shown in Fig. 9b. Eq. (25) can be rewritten as

Therefore, the Trojan horse attack of the eavesdropper is equivalent to the increase of the attenuation of the untrusted quantum channel (Fig. 9c), i.e. *T*_{1} = *T**S*_{2}, where *T* is the original channel transmittance and \({S}_{2}={I}_{{\lambda }_{i}}/({I}_{{\lambda }_{i}}+{I}_{{\lambda }_{0}})\). Since the quantum key distribution protocol is information-theoretical secure for untrusted quantum channel, the Trojan horse attack is discoverable and ineffective.

The measurement of the modulated laser intensity is an average of plenty of measurement data in one data block (>10^{6}). In this case, the effect of the electronic noise can be ignored. Eq. (26) can be rewritten as

To defeat Eve’s Trojan horse attack, we can estimate the channel transmittance and excess noise using the player’s and dealer’s data, and the monitored *V*_{M},

where \({V}_{{{{\rm{B}}}}}=\langle {{X}_{{{{{\rm{B}}}}}_{{{{\rm{1}}}}}}^{{{{\rm{m}}}}}}^{2}\rangle\) is the variance of the quadratures measured by dealer. *η* and *υ*_{el} are the efficiency and electronic noise of homodyne detector, respectively.

### Security proof under untrusted source intensity fluctuations

Since the laser source is untrusted, Eve can also perform source intensity fluctuation attacks^{62}. Supposes that the dealer plans to prepare a signal pulse with intensity \({I}_{{\lambda }_{i}}\), however, he actually prepares a pulse with the intensity of \({I}_{{\lambda }_{i}}\left(1\,{{\mbox{+}}}\,\sigma \right)\), where *σ* is the intensity fluctuation caused by the instability of the laser source with mean value zero and variance *V*_{σ}. The intensity of the signal pulse received by the player is \({I}_{{\lambda }_{i}}\left(1+\sigma +\,\varphi \right)\), where *φ* is the intensity fluctuation caused by Eve’s intensity fluctuation attack with mean value zero and variance *V*_{φ}. The actual coherent state that encoding the Gaussian random variables \(({X}_{{{{{\rm{A}}}}}_{{{{\rm{1}}}}}},{P}_{{{{{\rm{A}}}}}_{{{{\rm{1}}}}}})\) of the player is given by

To deal with Eve’s source intensity fluctuation attack, we added a photodetector at the player’s input port to monitor the intensity of each light pulse and the measured signal is

where *I*_{el} is the electronic noise of the detector. The measured intensity fluctuation of the light pulse relative to the average light intensity is expressed as

where \(\delta {I}_{{\lambda }_{i}}\) and *δ**I*_{el} are the light pulse fluctuation and electronic noise fluctuation relative to the average light intensity and they satisfy \(\delta {I}_{{\lambda }_{i}}=\sigma +\varphi\), \(\left\langle \delta {I}_{{\lambda }_{i}}\right\rangle \,{{\mbox{=}}}\,0\), \(\left\langle {\delta {I}_{{\lambda }_{i}}}^{2}\right\rangle \,{{\mbox{=}}}\,{V}_{{\lambda }_{i}}\), \(\left\langle \delta {I}_{{{{\rm{el}}}}}\right\rangle \,{{\mbox{=}}}\,0\), and \(\left\langle {\delta {I}_{{{{\rm{el}}}}}}^{2}\right\rangle ={V}_{{{{\rm{el}}}}}\). Considering the source intensity fluctuation, the prepared coherent states can be rewritten as

Notice that the fluctuations of the optical pulses cannot be accurately determined due to the electronic noise of the detector. To guarantee the security of the protocol, the player revises the data from \(({X}_{{{{{\rm{A}}}}}_{{{{\rm{1}}}}}},{P}_{{{{{\rm{A}}}}}_{{{{\rm{1}}}}}})\) to

where \({I}_{{{{\rm{el}}}}}^{\max }\) is the maximum of the electronic noise of the monitoring detector. In this case, the channel loss and excess noise will be overestimated by the dealer and players.

The channel transmittance can be

where \({X}_{{{{{\rm{B}}}}}_{{{{\rm{2}}}}}}^{{{{\rm{m}}}}}=\sqrt{1+\delta {I}_{{\lambda }_{i}}}{X}_{{{{{\rm{B}}}}}_{{{{\rm{1}}}}}}^{{{{\rm{m}}}}}\).

By using Taylor expansion, we can obtain

Inserting Eqs. (36) and (37) into Eq. (35), we have

Using the expression of *T*_{2}, the excess noise *ε*_{1} is written as

The fluctuation variance \({V}_{{\lambda }_{i}}\) of the light pulse intensity cannot be directly measured. We measure the total variance \(\left\langle \delta {{I}_{{{{\rm{m}}}}}}^{2}\right\rangle ={V}_{{\lambda }_{i}}+{V}_{{{{\rm{el}}}}}\) of the fluctuation of the laser and the electronic noise, and then subtract the electronic noise variance *V*_{el} to obtain \({V}_{{\lambda }_{i}}\).

### Security proof under untrusted source noises

In addition to the potential Trojan horse attack and untrusted source intensity fluctuation attack, Eve can also perform source noise attacks. In the following, we present the prepare-and-measurement (PM) scheme and the equivalent entanglement-based (EB) scheme. In Fig. 2a, a PM scheme is shown. The dealer prepares a coherent state source and its sidemode quantum state is \(\left\vert {X}_{{{{\rm{N}}}}}\,{{\mbox{+}}}\,{{{\rm{i}}}}{P}_{{{{\rm{N}}}}}\right\rangle\) with \(\left\langle \delta {{X}_{{{{\rm{N}}}}}}^{2}\right\rangle \,{{\mbox{=}}}\,\left\langle \delta {{P}_{{{{\rm{N}}}}}}^{2}\right\rangle =1\) (shot noise units, SNU). Eve introduces Gaussian noise \(\left\{\delta {X}_{{{{\rm{E}}}}},\delta {P}_{{{{\rm{E}}}}}\right\}\) on the sidemodes where the players encoding the key information by modulating the laser, and the noise satisfies \(\left\langle \delta {{X}_{{{{\rm{E}}}}}}^{2}\right\rangle \,{{\mbox{=}}}\,\left\langle \delta {{P}_{{{{\rm{E}}}}}}^{2}\right\rangle ={\xi }_{{{{\rm{E}}}}}\). The untrusted source received by the player can be expressed as

After encoding the key information onto the source, the quantum state of the player is given by

The variance of the quadratures for the quantum state is given by

where *V* = *V*_{A}+1. The conditional variance of *X*_{PM} (*P*_{PM}) given \({X}_{{{{{\rm{A}}}}}_{{{{\rm{1}}}}}}\) or *δ**X*_{E} are

The equivalent EB scheme of the QSS protocol is shown in Fig. 2b, a three-mode Gaussian entangled state \({\rho }_{{{{{\rm{AE}}}}}_{0}{{{{\rm{B}}}}}_{0}}\) is generated and the mode E_{0} controlled by Eve. For mode *A*\(\left({X}_{{{{\rm{A}}}}},{P}_{{{{\rm{A}}}}}\right)\), mode E_{0}\(({X}_{{{{{\rm{E}}}}}_{{{{\rm{0}}}}}},{P}_{{{{{\rm{E}}}}}_{{{{\rm{0}}}}}})\), and mode B_{0}\(\left({X}_{{{{{\rm{B}}}}}_{{{{\rm{0}}}}}},{P}_{{{{{\rm{B}}}}}_{{{{\rm{0}}}}}}\right)\), we assume the following realtions are satisfied

The covariance matrix \({\gamma }_{{{{{\rm{AE}}}}}_{0}{{{{\rm{B}}}}}_{0}}\) charactering the state \({\rho }_{{{{{\rm{AE}}}}}_{0}{{{{\rm{B}}}}}_{0}}\) has the form

where *c* → + *∞* is a large real number.

The player performs a heterodyne detection on mode A and the measurement results are given by

The player uses the measurement results \(\left({X}_{{{{\rm{A}}}}}^{{{{\rm{m}}}}},{P}_{{{{\rm{A}}}}}^{{{{\rm{m}}}}}\right)\) to estimate the mode B_{0},

From Eq. (48), we have

The conditional variances can be expressed as

From Eqs. (48) and (49), mode B_{0} is projected onto states with variable mean values of (\({X}_{{{{{\rm{B}}}}}_{0}}^{{\prime} }\),\({P}_{{{{{\rm{B}}}}}_{0}}^{{\prime} }\)) and corresponding variance of *V*_{A} conditioned on the player’s measurement. The uncertainty on the inferred values of mode B_{0} for the player (Eq. (50)) coincides with the noisy coherent state in the PM scheme (Eq. (43)). Furthermore, from Eq. (51), the uncertainty on the inferred values of mode B_{0} for Eve is identical to that in the PM scheme (Eq. (44)). Therefore, the EB scheme is equivalent to the PM scheme.

## Data availability

The data that support the findings of this study are available from the corresponding author upon reasonable request.

## Code availability

The underlying code developed for this study is not publicly available but may be made available on reasonable request from the corresponding author.

## References

Xu, F., Ma, X., Zhang, Q., Lo, H.-K. & Pan, J.-W. Secure quantum key distribution with realistic devices.

*Rev. Mod. Phys.***92**, 025002 (2020).Pirandola, S. et al. Advances in quantum cryptography.

*Adv. Opt. Photon.***12**, 1012–1236 (2020).Portmann, C. & Renner, R. Security in quantum cryptography.

*Rev. Mod. Phys.***94**, 025008 (2022).Shamir, A. How to share a secret.

*Commun. ACM***22**, 612–613 (1979).Blakley, G. R. Safeguarding cryptographic keys.

*Proc. Natl Comput. Conf.***48**, 313–317 (1979).Chiou, G.-H. & Chen, W.-T. Secure broadcasting using the secure lock.

*IEEE Trans. Softw. Eng.***15**, 929 (1989).Hillery, M., Bužek, V. & Berthiaume, A. Quantum secret sharing.

*Phys. Rev. A***59**, 1829 (1999).Bose, S., Vedral, V. & Knight, P. L. Multiparticle generalization of entanglement swapping.

*Phys. Rev. A***57**, 822 (1998).Tittel, W., Zbinden, H. & Gisin, N. Experimental demonstration of quantum secret sharing.

*Phys. Rev. A***63**, 042301 (2001).Chen, Y.-A. et al. Experimental quantum secret sharing and third-man quantum cryptography.

*Phys. Rev. Lett.***95**, 200502 (2005).Gaertner, S., Kurtsiefer, C., Bourennane, M. & Weinfurter, H. Experimental demonstration of four-party quantum secret sharing.

*Phys. Rev. Lett.***98**, 020503 (2007).Bell, B. A. et al. Experimental demonstration of graph-state quantum secret sharing.

*Nat. Commun.***5**, 5480 (2014).Lu, H. et al. Secret sharing of a quantum state.

*Phys. Rev. Lett.***117**, 030501 (2016).Schmid, C. et al. Experimental single qubit quantum secret sharing.

*Phys. Rev. Lett.***95**, 230505 (2005).Bogdanski, J., Rafiei, N. & Bourennane, M. Experimental quantum secret sharing using telecommunication fiber.

*Phys. Rev. A***78**, 062307 (2008).Ma, H. Q., Wei, K. J. & Yang, J. H. Experimental single qubit quantum secret sharing in a fiber network configuration.

*Opt. Lett.***38**, 4494–4497 (2013).Yu, I.-C., Lin, F.-L. & Huang, C.-Y. Quantum secret sharing with multilevel mutually (un)biased bases.

*Phys. Rev. A***78**, 012344 (2008).Smania, M., Elhassan, A. M., Tavakoli, A. & Bourennane, M. Experimental quantum multiparty communication protocols.

*npj Quant. Inf.***2**, 16010 (2016).Pinnell, J., Nape, I., Oliveira, M., TabeBordbar, N. & Forbes, A. Experimental demonstration of 11-dimensional 10-party quantum secret sharing.

*Laser Photon. Rev.***14**, 2000012 (2020).Fu, Y., Yin, H. L., Chen, T. Y. & Chen, Z. B. Long-distance measurement-device-independent multiparty quantum communication.

*Phys. Rev. Lett.***114**, 090501 (2015).Lance, A. M., Symul, T., Bowen, W. P., Sanders, B. C. & Lam, P. K. Tripartite quantum state sharing.

*Phys. Rev. Lett.***92**, 177903 (2004).Kogias, I., Xiang, Y., He, Q. & Adesso, G. Unconditional security of entanglement-based continuous-variable quantum secret sharing.

*Phys. Rev. A***95**, 012315 (2017).Zhou, Y. et al. Quantum secret sharing among four players using multipartite bound entanglement of an optical field.

*Phys. Rev. Lett.***121**, 150502 (2018).Walk, N. & Eisert, J. Sharing classical secrets with continuous-variable entanglement: composable security and network coding advantage.

*PRX Quant.***2**, 040339 (2021).Grice, W. P. & Qi, B. Quantum secret sharing using weak coherent states.

*Phys. Rev. A***100**, 022339 (2019).Wu, X., Wang, Y. & Huang, D. Passive continuous-variable quantum secret sharing using a thermal source.

*Phys. Rev. A***101**, 022301 (2020).Richter, S. et al. Agile and versatile quantum communication: signatures and secrets.

*Phys. Rev. X***11**, 011038 (2021).Liao, Q. et al. Practical continuous-variable quantum secret sharing using plug-and-play dual-phase modulation.

*Opt. Express***30**, 3876–3892 (2022).Murta, G., Grasselli, F., Kampermann, H. & Bruß, D. Quantum conference key agreement: a review.

*Adv. Quant. Technol.***3**, 2000025 (2020).Chen, K. & Lo, H.-K. Conference key agreement and quantum sharing of classical secrets with noisy GHZ states.

*Quant. Inf. Comput.***7**, 689 (2007).Epping, M., Kampermann, H., macchiavello, C. & Bruß, D. Multi-partite entanglement can speed up quantum key distribution in networks.

*New J. Phys.***19**, 093012 (2017).Hahn, F., de Jong, J. & Pappa, A. Anonymous quantum conference key agreement.

*PRX Quant.***1**, 020325 (2020).Proietti, M. et al. Experimental quantum conference key agreement.

*Sci. Adv.***7**, eabe0395 (2021).Qin, Y. et al. Continuous variable quantum conference network with a Greenberger-Horne-Zeilinger entangled state.

*Photon. Res.***11**, 533–540 (2023).Matsumoto, R. Multiparty quantum-key-distribution protocol without use of entanglement.

*Phys. Rev. A***76**, 062316 (2007).Das, S., Bäuml, S., Winczewski, M. & Horodecki, K. Universal limitations on quantum key distribution over a network.

*Phys. Rev. X***11**, 041016 (2021).Wu, Y. et al. Continuous-variable measurement-device-independent multipartite quantum communication.

*Phys. Rev. A***93**, 022325 (2016).Ottaviani, C., Lupo, C., Laurenza, R. & Pirandola, S. Modular network for high-rate quantum conferencing.

*Commun. Phys.***2**, 118 (2019).Muller, A. et al. "Plug and play” systems for quantum cryptography.

*Appl. Phys. Lett.***70**, 793–795 (1997).Lucamarini, M. et al. Practical security bounds against the trojan-horse attack in quantum key distribution.

*Phys. Rev. X***5**, 031030 (2015).Zhao, S. et al. Phase-matching quantum cryptographic conferencing.

*Phys. Rev. Appl.***14**, 024010 (2020).Shen, Y., Zou, H., Tian, L., Chen, P. & Yuan, J. Experimental study on discretely modulated continuous-variable quantum key distribution.

*Phys. Rev. A***82**, 022317 (2010).Jain, N. et al. Practical continuous-variable quantum key distribution with composable security.

*Nat. Commun.***13**, 4740 (2022).Tian, Y. et al. Experimental demonstration of continuous-variable measurement-device-independent quantum key distribution over optical fiber.

*Optica***9**, 492–500 (2022).Zhang, M., Huang, P., Wang, P., Wei, S. & Zeng, G. Experimental free-space continuous-variable quantum key distribution with thermal source.

*Opt. Lett.***48**, 1184–1187 (2023).Chen, Z., Wang, X., Yu, S., Li, Z. & Guo, H. Continuous-mode quantum key distribution with digital signal processing.

*npj Quant. Inf.***9**, 28 (2023).Lodewyck, J. et al. Quantum key distribution over 25 km with an all-fiber continuous-variable system.

*Phys. Rev. A***76**, 042305 (2007).Fossier, S., Diamanti, E., Debuisschert, T., TualleBrouri, R. & Grangier, P. Improvement of continuous-variable quantum key distribution systems by using optical preamplifiers.

*J. Phys. B***42**, 114014 (2009).Qi, B., Lougovski, P., Pooser, R., Grice, W. & Bobrek, M. Generating the local oscillator “locally” in continuous-variable quantum key distribution based on coherent detection.

*Phys. Rev. X***5**, 041009 (2015).Wang, T., Huang, P., Zhou, Y., Liu, W. & Zeng, G. Pilot-multiplexed continuous-variable quantum key distribution with a real local oscillator.

*Phys. Rev. A***97**, 012310 (2018).Pittaluga, M. et al. 600-km repeater-like quantum communications with dual-band stabilization.

*Nat. Photon.***15**, 530–535 (2021).Zhou, L., Lin, J., Jing, Y. & Yuan, Z. Twin-field quantum key distribution without optical frequency dissemination.

*Nat. Commun.***14**, 928 (2023).Pirandola, S., Laurenza, R., Ottaviani, C. & Banchi, L. Fundamental limits of repeaterless quantum communications.

*Nat. Commun.***8**, 15043 (2017).Lin, J., Upadhyaya, T. & Lütkenhaus, N. Asymptotic security analysis of discrete-modulated continuous-variable quantum key distribution.

*Phys. Rev. X***9**, 041064 (2019).Denys, A., Brown, P. & Leverrier, A. Explicit asymptotic secret key rate of continuous-variable quantum key distribution with an arbitrary modulation.

*Quantum***5**, 540 (2021).Pan, Y. et al. Experimental demonstration of high-rate discrete-modulated continuous-variable quantum key distribution system.

*Opt. Lett.***47**, 3307-3310, (2022).Wang, P., Zhang, Y., Lu, Z., Wang, X. & Li, Y. Discrete-modulation continuous-variable quantum key distribution with a high key rate.

*New J. Phys.***25**, 023019 (2023).Lucamarini, M., Yuan, Z. L., Dynes, J. F. & Shields, A. J. Overcoming the rate-distance limit of quantum key distribution without quantum repeaters.

*Nature***557**, 400–403 (2018).Zhong, X., Hu, J., Curty, M., Qian, L. & Lo, H.-K. Proof-of-principle experimental demonstration of twin-feld type quantum key distribution.

*Phys. Rev. Lett.***123**, 100506 (2019).Wang, S. et al. Twin-field quantum key distribution over 830-km fibre.

*Nat. Photon.***16**, 154–161 (2022).Liu, Y. et al. Experimental twin-field quantum key distribution over 1000 km fiber distance.

*Phys. Rev. Lett.***130**, 210801 (2023).Li, C., Qian, L. & Lo, H.-K. Simple security proofs for continuous variable quantum key distribution with intensity fluctuating sources.

*npj Quant. Inf.***7**, 150 (2021).

## Acknowledgements

This work is supported by the National Natural Science Foundation of China (62175138, 62205188); Shanxi 1331KSC; Innovation Program for Quantum Science and Technology (2021ZD0300703).

## Author information

### Authors and Affiliations

### Contributions

Y.L. conceived the research and designed the experiments. S.L. prepared the setup and implemented the experiments. All authors participated in discussions of the results. S.L. and Y.L. prepared the manuscript with assistance from all other co-authors. All authors have given approval for the final version of the manuscript.

### Corresponding author

## Ethics declarations

### Competing interests

The authors declare no competing interests.

## Additional information

**Publisher’s note** Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

## Rights and permissions

**Open Access** This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.

## About this article

### Cite this article

Liu, S., Lu, Z., Wang, P. *et al.* Experimental demonstration of multiparty quantum secret sharing and conference key agreement.
*npj Quantum Inf* **9**, 92 (2023). https://doi.org/10.1038/s41534-023-00763-z

Received:

Accepted:

Published:

DOI: https://doi.org/10.1038/s41534-023-00763-z