Verifying the security of a continuous variable quantum communication protocol via quantum metrology

Quantum mechanics offers the possibility of unconditionally secure communication between multiple remote parties. Security proofs for such protocols typically rely on bounding the capacity of the quantum channel in use. In a similar manner, Cram\'er-Rao bounds in quantum metrology place limits on how much information can be extracted from a given quantum state about some unknown parameters of interest. In this work we establish a connection between these two areas. We first demonstrate a three-party sensing protocol, where the attainable precision is dependent on how many parties work together. This protocol is then mapped to a secure access protocol, where only by working together can the parties gain access to some high security asset. Finally, we map the same task to a communication protocol where we demonstrate that a higher mutual information can be achieved when the parties work collaboratively compared to any party working in isolation.

Quantum resources also offer the promise of unconditionally secure communication.This can be done through quantum key distribution (QKD), which involves the sharing of a secret key between two parties in a manner such that no possible malicious evesdropper can access the key.The first such protocol was introduced by Bennett and Brassard in 1984, where information was encoded in the polarisation degree of freedom of photons [23].An entanglement-based QKD protocol was later proposed by Artur Ekert in 1991 [24].Over the subsequent decades, there has been much progress towards QKD networks in various scenarios [25][26][27][28][29][30][31][32].A related area, which also uses the laws of quantum mechanics for its security, is that of secret sharing.This involves the sharing of either classical or quantum information between a number of trusted parties.There has been a great deal of work on the secret sharing of both classical and quantum information using both discrete variable (DV) [33][34][35][36][37] and continuous variable (CV) sys-tems [38][39][40][41][42][43][44][45][46].Secret sharing can be used to ensure that only trusted parties gain access to highly confidential information such as bank accounts or missile launch codes.
In this work we design and implement a variant of conventional secret sharing protocols, allowing only certain sets of trusted parties to access confidential information.We use techniques from quantum metrology to bound the information which can be attained by the untrusted parties.Our protocol involves distributing a quantum state with unknown displacements among three parties.When considering quantum sensing, we will treat the unknown displacements as parameters to be estimated and when considering quantum communication, we will treat the unknown displacements as the secret information encoded in the quantum state.This enables us to draw a direct connection between these two tasks.
The layout of this paper is as follows.In section II A we introduce the preliminary material needed.In sections II B and II C we present our theoretical and experimental results respectively.Finally, we conclude the paper in section III II.RESULTS

A. Preliminary material
A CV quantum state can be described by observables in an infinite dimensional Hilbert space which have a continuous spectrum of possible eigenvalues [47].Gaussian states are those with Gaussian measurement statistics.In our experiments, the variables of interest are the amplitude and phase quadratures of the electromagnetic field, denoted x and p respectively.These quadrature variables are defined in terms of the creation and annihilation operators, denoted â and â † respectively, as x = â + â † and p = −i(â − â † ).As the creation and annihilation opera-FIG.1: Schematic of the experimental set-up for demonstrating metrological tasks with a connection to secure communication.a) Conceptual schematic of the experiment.Highly sensitive information, depicted here as access to a bank account, is shared among three parties in such a manner that only trusted groups of parties can access the information.b) Experimental set-up.The dealer (e.g. the banker in a)) mixes two squeezed states on a 50:50 beamsplitter to generate a two mode squeezed vacuum (TMSV) state.One mode is split on a second 50:50 beamsplitter and these modes are sent to parties B and C. The dealer implements a displacement (αx,i, αp,i) in the x and p quadratures on the final arm of their state before this mode is sent to party A. Depending on whether the parties work cooperatively or independently differing amounts of information can be extracted about the unknown displacements (αx,i, αp,i).AM and PM represent amplitude and phase modulators respectively.
tors satisfy [â, â † ] = 1, the x and p quadrature operators satisfy [x, p] = 2i.From the uncertainty principle [48][49][50][51], the variances in both quadratures must satisfy where ∆x2 is the variance in measuring the x quadrature and similarly for ∆p 2 .There do exist non-classical Gaussian states which can violate this uncertainty principle in certain settings.For example, by mixing two squeezed vacuum states on a 50:50 beam splitter one can create a two mode squeezed vacuum (TMSV) state.The two modes of this state are correlated in the x quadrature and anti-correlated in the p quadrature.With sufficiently high squeezing, low antisqueezing, and low loss, this state can be entangled or steerable in the x and p quadratures.With such states, it is possible to achieve a measurement sensitivity better than what is allowed by Eq. (1), see e.g Ref. [52].The non-classical correlations of the TMSV enable uniquely quantum mechanical tasks such as quantum teleporta-tion [53,54], quantum illumination [55,56], quantum enhanced sensing [52,[57][58][59][60] and QKD [61,62] to be carried out.

B. Theoretical Results
We consider the set-up shown in Fig. 1.The classical information that the dealer wishes to share with the three parties are displacements in the x and p quadratures, denoted as α x,i and α p,i respectively 2 .In an ideal experimental implementation of our protocol, the dealer prepares a TMSV state and introduces displacements on one arm.After mixing one mode of the TMSV on a second 50:50 beamsplitter with an ancilla vacuum state, the three parties in Fig. 1 share a continuous variable state with the mean vector 0 0 0 0 α x,i α p,i T where the modes are ordered T , where ⟨ îj ⟩ denotes the expectation value of the î quadrature for party j.The corresponding covariance matrix is where r is the squeezing parameter.We now wish to investigate various quantum information tasks which can be achieved with this state and the connection between these tasks.

Multiparameter estimation -Simultaneous estimation of displacements in both quadratures
We first compute the theoretical limits on how precisely the displacements shown in Fig. 1 can be simultaneously estimated.This is done for one party working alone, parties working in pairs, and all three parties working together.For a single party working alone, we shall use the Holevo Cramér-Rao bound (HCRB) to evaluate the precision which can be achieved.This is done as the HCRB provides the ultimate limit on the variance which can be achieved in multiparameter estimation [63,64].In general, the HCRB may require an entangling collective measurement on infinitely many copies of the probe state to be saturated [65][66][67][68], suggesting that other Cramér-Rao bounds may be more experimentally relevant [69][70][71].However, in the specific case of estimating Gaussian displacements, the HCRB can be saturated by linear measurements [64].When considering two and three parties working together, we shall evaluate the precision attainable by a specific measurement strategy.This is done to allow us to compare the experimentally attained two and three party precisions to the ultimate theoretical limits on the precision attainable by a single party.
The average mean squared error (MSE) that the party or parties can achieve when estimating α x,i is given by where we use a tilde to denote the estimated value and MSE p is defined similarly.When m parties work together, we will denote the average MSE with which α x,i and α p,i can be measured as v αx,m and v αp,m respectively.Clearly we have v αx,1 ≥ v αx,2 ≥ v αx,3 .
One party MSE From Fig. 1, it is evident that only party A will be able to access any information about the unknown displacements when working in isolation.Without any information from the other two parties, party A will receive a displaced thermal state, obtained by tracing out the first and second modes of the shared state in Eq. ( 2).In the ideal case, party A obtains a thermal state with variance cosh(2r) in both quadratures.More generally, we may have a slight asymmetry between the two quadratures, and so we write the covariance matrix of the state accessible by party A as where n i characterises the thermal variance.If n 1 = n 2 , then this quantity represents the mean thermal photon number.Note that without loss of generality we can assume that v 1 ≥ v 2 .In Appendix A we show that, for this state, the HCRB for estimating the amplitude and phase displacements simultaneously is Note that this MSE is normalised for the number of probe states used.In the scenario shown in Fig. 1, this represents the smallest possible average sum of the MSE that party A can attain using an unbiased estimator.

Two party MSE
When considering two parties working together, we will not use the HCRB to bound the MSE.Rather, we shall directly compute the MSE attainable when using homodyne detection as this is what was implemented in our experiment.Let us consider the ideal case, with no loss or thermal noise 3 .In this scenario, parties A and B (also parties A and C) share the following covariance matrix FIG. 2: Theoretical limits on the MSE in an ideal experiment when we restrict to the set-up shown in Fig. 1.We show how the attainable MSE changes as a function of the squeezing level for one party working independently, two parties working together and three parties working together.
Interestingly, by recombining the measurement results of parties A and B (scaling the measurement results of party B by an optimised factor), it is possible to always achieve a MSE of v αx,2 = v αp,2 = 1, regardless of the squeezing level.In this case the estimator used for the unknown Gaussian displacement is where we use x j to denote the x quadrature measurement results for party j and g B is a constant chosen to minimise the MSE.As g B depends on the experimental parameters, such as r, it must be optimised for every data point.Quantities for the p quadrature are similarly defined.
For a fair comparison with the single party case, in the two party case we measure each quadrature with half of the total states, which increases the MSE by a factor of 2, giving In any experimental implementation with imperfections, the variance achieved by any two parties can only be larger than this.

Three party MSE
As before, we consider the ideal case, with no loss or thermal noise.In this scenario, if all three parties measure the same quadrature, parties B and C can recombine their results, scaled by a factor √ 2, so that all three parties effectively share an ideal two mode squeezed vacuum state.Hence in this case, the estimator that is used is where g BC is a constant optimised to minimise the MSE, and a similar estimator is used for α p .Note that when there are no experimental imperfections, the optimal value of g BC is g BC = tanh(2r) [72].However, with experimental imperfections g BC must be optimised for every data point.Using this information, it is easy to calculate that in the ideal case all three parties can achieve a MSE of whic goes to 0 in the limit of infinite squeezing.A comparison of the MSE which can be attained by the different combinations of parties is shown in Fig. 2.

Secure access protocol
We are now in a position to introduce our secure access protocol.For this we draw a comparison with existing quantum secret sharing protocols.Note that we are considering the sharing of classical information using quantum states, as opposed to sharing the quantum state itself.In conventional (k, n) secret sharing, the dealer encodes information in such a way that any k parties, out of the total n parties, can work together to reconstruct the information encoded by the dealer.The remaining n − k parties cannot access any information.In practice, however, such perfect secret sharing is hampered by experimental imperfections and the finite entanglement available.We consider the protocol secure, only if the groups of k parties acquire more information than the groups of n − k parties. 4ur protocol differs slightly from existing protocols.In the ith round of the protocol the dealer implements displacements α i = (α x,i , α p,i ).In each round the parties, either working together or independently, estimate either α x,i or α p,i .As different measurements are needed to acquire information about α x,i and α p,i , the parties must announce at the end of the entire protocol which parameter they were trying to measure in each round, α x,i or α p,i .Any rounds in which the parties measured different parameters can then be discarded.We use (α x , α p ) to denote the two-dimensional vector of α x,i and α p,i values that are not discarded.After the reconciliation step, if we have M x remaining rounds of data in which α x,i was measured by all parties, the average MSE that the parties achieve is given by and MSE p is defined similarly.
As discussed in the previous section, given a certain input state, the dealer can use bounds from quantum metrology to place limits on how small v αx,m and v αp,m can be.This allows the dealer to define a threshold average MSE v T , below which the protocol is declared secure.In our setting, if we wish to ensure that no single party can access the trusted information, we shall refer to a protocol as δ secure if where Pr(X) is the probability of the event X occurring.Intuitively, δ represents the likelihood of any single party obtaining an average MSE below a certain threshold, or equivalently acquiring an amount of information about the displacements above a certain threshold.Although the MSE attainable by any party working independently (Eq.( 5)) is larger than when the parties work together (Eqs.( 8), ( 10)), this is only true statistically, i.e. on any given experimental run there is some finite probability that a party working alone predicts a value for α which is very close to the true value.Hence, in any practical setting with finite statistics, security can only be guaranteed up to some probability, Eq. ( 12).The MSE values attained follow a scaled χ 2 distribution.When using N probe states to measure each quadrature, if the mean MSE is denoted µ M , then the probability density of MSE's which will be attained is given by see Appendix B for the derivation.
Given the quantum state generated by the dealer, we can use the above equation to compute Pr(v αx,1 + v αp,1 ≤ v T ) for all possible v T .From this definition alone, we can trivially choose v T = 0 to ensure that maximum security is achieved.However, in this case the protocol will never succeed, i.e. although any individual party cannot achieve an MSE of 0, with any practical resources, all of the parties working together also cannot achieve an MSE of 0. Thus, it is necessary to also define the success rate as A good protocol should minimise δ and maximise P s,2(3) .

Attainable mutual information
Finally, let us consider how to quantify, the amount of classical information that the dealer can share with these three parties.Assume the dealer chooses the displacements α from a Gaussian distribution with variance V dist .The parties involved in the protocol then attempt to estimate α x,i and α p,i as well as they possibly can.Averaging over all (α x , α p ) allows the correlation matrix, between the dealer and any number of parties to be constructed as where σ i,j = ⟨α i αj ⟩ − ⟨α i ⟩⟨α j ⟩ and we use the mode ordering ( αx,D , αp,D , αx,p , αp,p ) where (in an abuse of notation) the second subscript now denotes whether we are considering either the dealer or the players estimate.Thus, the first two diagonal elements represent the variance of the parameters to be estimated, and the second two diagonal elements represent this variance plus the error associated with the imperfect measurement of the unknown displacements.The off-diagonal elements represent the correlation between the dealer's estimate (i.e. the true value) and the estimate made by the players.Note that in this way multiple different covariance matrices can be constructed, between the dealer and any single party, between the dealer and any pair of parties and between the dealer and all three parties.From these covariance matrices the mutual information between the dealer and the different parties can be constructed.Let us make the assumption that v αx,m = v αp,m = v α,m .Then the mutual information can be calculated as Therefore, to achieve a mutual information of c bits or more, we require a MSE less than or equal to From this equation and Eq. ( 13), we can determine the probability of obtaining a mutual information above a certain value.This allows us to compare the mutual information when different numbers of parties work together.We note that, due to the asymmetry of our scheme, when parties C or B work individually or as a pair, they can access no information.Hence, we will ignore these combinations going forward.In this sense, we are not implementing "real" secret sharing, as not all subsets of two or more parties can access the secret information.

C. Experimental results
In this section we will first describe our experimental set-up, and then verify that the quantum state we are using is entangled.We next present results for the sensing task described in the previous section.Finally, we connect these results to the secret sharing of classical information.Secret sharing using CV states has been investigated many times in the past [38][39][40][41][42][43][44][45][46] and so the idea is not novel in and of itself.However, we shall analyse the security through the HCRB.For DV systems, the analogy between secure quantum sensing and quantum secret sharing was noted in Ref. [75].In this work security was obtained by preparing check states with a certain probability, as opposed to measuring conjugate parameters as is the case here.

Experimental set-up
A schematic of the experimental set-up is shown in Fig. 1 b).The dealer, generates two squeezed states and mixes them on a 50:50 beam splitter.Details on the squeezed light sources used can be found in Ref. [76].One mode of this state is subject to a second 50:50 beam splitter from which the two output modes are respectively distributed to parties B and C. A displacement in each quadrature is implemented on the remaining mode, before this is distributed to party A. In practice this displacement is implemented through an auxiliary beam which is amplitude and phase modulated and then mixed with party A's mode of the TMSV state on a 98:2 beam splitter.The aim of the three parties, either working together or independently, is to measure the displacements as accurately as possible.In our experiment, each party implements homodyne detection on either the x or p quadrature.However, in our security analysis, we do not place such restrictions on any party.

Entanglement-enabled metrology task
We next perform an entanglement witnessing task, to ensure that no party is intercepting the quantum state and sending on a different state.The requirement on a CV state to be entangled, see Refs.[77,78], allows us to design an entanglement-enabled quantum metrology task.When all three parties work together, we can construct the following quantities , which are unbiased estimators for (α x , α p )/ √ 2. In the ideal case, using these estimators, it is possible to achieve a MSE for estimating (α x , α p )/ √ 2 of see Appendix C for the derivation.If the initial two mode state created by the dealer is not entangled, then , where we use v α ′ x to denote that we are considering the MSE in estimating α x / √ 2 and similarly for v α ′ p .We can therefore use this task to verify that we are using a non-classical resource.Our experimental results when using this estimator are shown in Fig. 3.

Quantum metrology results
In Fig. 4 we present the MSE in estimating (α x , α p ) for different combinations of parties working together.For two and three parties working together, the MSE is obtained directly from the experimental data.The experimental data differs significantly from the ideal theoretical precision (see Fig. 2) due to loss and anti-squeezing present in our experiment.For a single party working alone, the experimental data presented corresponds to the inferred HCRB.In reality, the homodyne detection which we implemented is not sufficient to reach the HCRB.Nevertheless, from the homodyne statistics we can infer the HCRB.We present the inferred HCRB, as opposed to the MSE obtained from homodyne detection, to place limits on the information which could have been extracted by any potentially omnipotent party working alone.

Secure access protocol
We now examine the security of our experiment in the sense of Eqs. ( 12) and ( 14).Fig. 5 shows the probability density functions (PDFs) for the distribution of MSEs which could be obtained in all three scenarios (one, two and three parties working together) based on the rightmost data points in Fig. 4. The theoretical PDFs are obtained using Eq. ( 13) and the experimentally observed MSEs.The histograms show the experimental data analysed using different numbers of probe states.The slight deviation between the theoretical PDF and the observed PDF is potentially caused by the fact that the experimental MSEs in the x and p quadratures are not identical, which is assumed when deriving Eq. (13).It is evident that, as more probe states are used, the overlap of the distributions of MSE values attainable with multiple parties overlap less with the distribution of MSE values attainable by an individual party.Let us first compare the MSE attainable by all three parties working together to the MSE attainable by a single party.Choosing v T as the point where the two distributions are equally likely5 , using 10, 50 and 100 probe states for each quadrature, we can achieve a security given by δ = 0.18, δ = 0.013 and δ = 8×10 −4 respectively.The corresponding success rates are P s,3 = 0.87, P s,3 = 0.989 and P s,3 = 0.9993 respectively.When we compare the two party MSE to that of a single party, using 10, 50 and 100 probe states for each quadrature, we find δ = 0.39, δ = 0.22 and δ = 0.13 and P s,2 = 0.68, P s,2 = 0.81 and P s,2 = 0.89 respectively.
Let us now consider a scenario where this type of protocol could be useful from a security viewpoint.One could imagine a trust fund bank account which we want to be accessible when either two or three parties work together and inaccessible when parties work individually.By distributing N quantum probe states with unknown displacements (α x,i , α p,i ), a bank manager could only allow access to the bank provided the MSE was below some threshold.Depending on the threshold chosen, either two or three parties would be required to work together to access the bank account.In this manner either a (2,3) or (3,3) access structure can be created with security guaranteed up to the probabilities discussed above.

Mutual information
Finally, we shall discuss how this protocol could be extended to sharing a continuous stream of information.As discussed in section II B 3, we can imagine that the dealer chooses (α x,i , α p,i ) from a Gaussian distribution with variance V dist .Then the correlation matrix between the dealer and any number of collaborating parties is given by Eq. (15).From this the mutual information between the dealers input and the final estimate of (α x , α p ) can be calculated using Eq. ( 16).We emphasise that we have not actually implemented this protocol, as in our experiment, we do not change (α x,i , α p,i ) in every run, rather we use a fixed value throughout the experiment.This is a technical limitation of our experiment which can be avoided and does not change any of the main results or conclusions.In Fig. 6 a) and b) we show the mutual information which could have been attained in theory, based on the parameters in our experiment, had we drawn (α x,i , α p,i ) from a Gaussian distribution.
Finally we investigate how the probability of attaining a mutual information above a certain value changes as a function of the number of probe states used.This is shown in Fig. 6 c), based on the MSE values obtained experimentally.Note that in the experiment, v αx,m ̸ = v αp,m (although this is approximately true), and so we use the average MSE in Fig. 6 c).13), using the rightmost experimental data points from Fig. 4.

Potential security flaws and issues
Before concluding, we point out some potential security loopholes and other potential issues.To guarantee security in the above protocols, all three parties will need verify that the state they share is entangled, as in section II C 2. This is easily done by using a small subset of the data to verify entanglement.It will also be important to check that the parties are using unbiased estimators of (α x , α p ), as otherwise it can be possible to violate the HCRB.This can be easily checked by the dealer using a small fraction of the experiments.We also note that party A could claim to have observed high loss on their mode.In this case, in order to ensure the estimates are unbiased, we need to scale the estimate by the inverse of the loss, which increases the MSE attainable.However, party A may not be telling the truth about the loss on their arm.Nevertheless, this issue can be avoided by aborting the protocol if the loss is too high.Additionally, in order to perform homodyne detection at remote stations, it will be necessary for the different parties to share a common phase reference.One approach for this is to distribute a local oscillator to the different parties, a well established technique previously demonstrated over distances greater than 200 km [79].Alternatively, the parties could use a local local oscillator [80].If the excess noise introduced by the use of a local local oscillator is sufficiently low, it would still be possible to demonstrate quantum-enhanced sensitivity.
Finally, it is important to point out that the HCRB sets a limit on the sum of the MSEs in the local estimation setting when parameters are a priori known to within some range.It stands to reason that by removing this information and assuming the parameters to be estimated are unknown no better estimation is possible.The HCRB also in general only applies in the limit of a large number of probe states.This isn't an issue, as we can simply scale all the (α x,i , α p,i ) down by a factor √ N , and send N copies of this state.Then we can use N large enough for the HCRB to be applicable.In this case, everything from above holds true.A problem with this is it requires N times more channel uses to send the same number of bits of information.

III. CONCLUSION
We have theoretically and experimentally examined the role of quantum metrology in a secure access protocol and a quantum communication protocol.We envisage these results to be of importance to both the quantum metrology and secure quantum communication communities.In particular, the use of tools from quantum metrology to bound the security of quantum secret sharing may help to connect these two areas and may prompt the search for a more fundamental connection between these two areas.Along this line, Hayashi and Song have recently shown a connection between quantum secret sharing and symmetric private information retrieval [81].Furthermore, as our multiparameter estimation involves multiple distinct parties, it may be of relevance for distributed quantum sensing [82] or other scenarios where a remote parameter is being probed, such as gravitational field sensing [83].Our sensing protocol may also be beneficial for the remote sensing of confidential information, such as medical information, as has been discussed for secure quantum enhanced sensing [75,[84][85][86][87][88][89][90][91] (see also Refs.[92,93]).The fact that our protocol and the corresponding analysis naturally incorporates finite size effects, as discussed in section II C 4, is another practical benefit compared to conventional quantum secure communication protocols, where finite size effects have to be added in [94,95].
There are many ways to extend this research.In the limit of infinite squeezing, our protocol becomes perfectly secure.This suggests that in a DV setting it may be possible to demonstrate perfectly secure secret sharing, with the security guaranteed through quantum metrology.The results in this paper could be strengthened if FIG. 6: Mutual information between the dealer and different numbers of parties working together.a) The dot-dashed red, dashed green and solid blue lines show the mutual information which would be attainable for different input modulation variances when three parties work together, two parties work together and one party works alone respectively.In our experiment, we did not actually implement any random modulations.However, the plot is based on the experimental parameters of the rightmost data points in Fig. 4. b) The mutual information which can be attained for V dist = 2 as a function of the squeezing.This plot is also based on the experimental parameters.Note that the blue line assumes that any individual party is capable of reaching the HCRB.c) Probability of obtaining a mutual information of more than 1 bit, assuming V dist = 4 based on the rightmost data points in Fig. 4.
the dealer implemented displacements on all three modes.Additionally, CV graph states, which have recently been shown to demonstrate an advantage for secret sharing in a quantum network setting [96], may further enhance the performance of our protocol.It could also be beneficial to investigate the MSE which can be attained by a malicious party performing commonly considered attacks in QKD.In order to write our solution, we need to define a basis for 2 × 2 real symmetric matrices.We shall use and A j = 0 for j = 4, 5, 6.We also define B j = 0 for j = 1, 2, 3, B 4 = A 1 , B 5 = A 2 and B 6 = A 3 .Finally, we have b = [0, 0, 0, 1, 1, 0].This allows us to provide the solution to the primal and dual problems.

Primal problem
The primal problem can be written as The solution to the primal problem is given by where (A11) The only non-zero eigenvalue of X 2 is given by c + d.Therefore all the eigenvalues of X are non-negative.It is easily verified that the other condition on X, tr{XB} = b j , is satisfied by this solution.We can then verify that tr{XC} = 4 + 2n 1 + 2n 2 .

Dual problem
By showing that the dual problem has the same solution, we confirm the optimality of our result.The dual problem can be written The matrix j y j B j − C is given by j where (A19)

FIG. 3 :
FIG. 3: Entanglement-witnessing metrology task.The experimental data corresponds to the MSE when estimating (αx, αp)/ √ 2 using the estimator described in section II C 2. The orange shaded region shows MSE values smaller than 4 which indicates that the parties share an entangled state.The x−axis shows the effective squeezing parameter.The alpha values being estimated on average have |α| = 0.2.Each data point corresponds to at least 10 7 measurement results and statistical error bars based on one standard deviations are smaller than the marker size.

FIG. 4 :
FIG.4: MSE attainable by different sets of parties working together.We show the MSE attained experimentally for simultaneously estimating the displacements (αx, αp).The solid blue line corresponds to the HCRB, Eq. (5), which sets the ultimate limit on the MSE which can be attained by any party working individually.The blue data points are the HCRB inferred from the experimentally reconstructed covariance matrix.The dashed green line and data points correspond to the MSE attainable when two parties work together.The upward and downward pointing green triangular data points correspond to parties A and C, and parties A and B working together respectively.The dot-dashed red line and data points correspond to the MSE when all three parties work together.The theoretical lines are based on fitting to a model.The shaded region represents 3% fluctuations in the optical loss on each arm and thermal noise fluctuations of 0.02 shot noise units on each arm.The displacements being estimated on average have |α| = 0.2.Each data point corresponds to at least 10 7 measurement results and statistical error bars based on one standard deviations are smaller than the marker size.

FIG. 5 :
FIG. 5: Probability density functions (PDFs) for the mean squared error (MSE) attainable by different groups of parties using differing numbers of probe states.The red, green and blue PDFs show the theoretical distribution of MSE values attainable when three parties work together, two parties work together and one party works alone respectively.N is the number of probe states used for estimating both αx and αp.The histograms show the corresponding experimental data based on 1.85 × 10 7 /N data points.The theoretical PDFs are inferred from Eq. (13), using the rightmost experimental data points from Fig. 4.

METHODS
which satisfies α(e j , e k ) = δ j,k .This lets us calculate A5) subject to tr{XB} = b j where X is a positive Hermitian matrix.We define where I d is the d × d identity matrix, 0 d is the d × d zero matrix and C = (1 + iD/2) −1 .