Continuous-variable ramp quantum secret sharing with Gaussian states and operations

A CV quantum state is an continuously parameterized element of Hilbert space described by observables with continuous eigenspectra. Typically, a CV quantum state is described by n bosonic modes, associated with a tensor-product Hilbert space

$$\begin{eqnarray}&&{{\mathscr{H}}}^{\otimes n}=\underset{k=1}{\overset{k=n}{\displaystyle \bigotimes }}{{\mathscr{H}}}_{k}\sim {{ \mathcal L }}^{2}\left({{\mathbb{R}}}^{n}\right),\end{eqnarray} \tag{ 2 }$$

i.e. square integrable complex-valued functions over ${{\mathbb{R}}}^{N}$ and a vector of quadrature operators

$$\begin{eqnarray}&&\hat{{\boldsymbol{x}}}:= {\left({\hat{q}}_{1},{\hat{p}}_{1},\ldots ,{\hat{q}}_{n},{\hat{p}}_{n}\right)}^{\top }\end{eqnarray} \tag{ 3 }$$

for ${}^{\top }$ denoting transpose. The vector $\hat{{\boldsymbol{x}}}$ satisfies the commutation relation

$$\begin{eqnarray}\left[{\hat{{\boldsymbol{x}}}}_{i},{\hat{{\boldsymbol{x}}}}_{j}\right]={{\rm{\Omega }}}_{{ij}},\ \ {\boldsymbol{\Omega }}=\underset{k=1}{\overset{n}{\displaystyle \bigoplus }}\left(\begin{array}{cc}0 & 1\\ -1 & 0\end{array}\right),\end{eqnarray} \tag{ 4 }$$

known as the symplectic form.

An arbitrary CV quantum state is characterized by a density operator

$$\begin{eqnarray}&&\rho \in { \mathcal S }({\mathscr{H}}),\end{eqnarray} \tag{ 5 }$$

where ${ \mathcal S }({\mathscr{H}})$ is the set of positive semidefinite trace-class operators. These positive trace-class operators can be represented by the Wigner function [28]

$$\begin{eqnarray}&&W\left({\boldsymbol{x}}\right)=\displaystyle \frac{1}{{\left(2\pi \right)}^{2n}}{\int }_{{{\mathbb{R}}}^{2n}}{{\rm{d}}}^{2n}{\boldsymbol{\xi }}\exp \left(-{\rm{i}}{{\boldsymbol{x}}}^{\top }{\boldsymbol{\xi }}\right)\chi \left({\boldsymbol{\xi }}\right)\end{eqnarray} \tag{ 6 }$$

for

$$\begin{eqnarray}&&\chi ({\boldsymbol{\xi }}):= \mathrm{tr}\left[\rho \hat{D}({\boldsymbol{\xi }})\right],\end{eqnarray} \tag{ 7 }$$

being the the Wigner characteristic function and

$$\begin{eqnarray}&&\hat{D}\left({\boldsymbol{\xi }}\right):= \exp \left({\rm{i}}{{\boldsymbol{x}}}^{\top }{\boldsymbol{\xi }}\right),\qquad {\boldsymbol{\xi }}\in {{\mathbb{R}}}^{2n}\end{eqnarray} \tag{ 8 }$$

being the Weyl operator. Thus far, we have the Wigner representation for any state; now we restrict to Gaussian states.

A Gaussian state is defined to be a state whose Wigner representation is Gaussian. A Gaussian state can be completely characterized by its first moment $\bar{{\boldsymbol{x}}}=\mathrm{tr}\left(\hat{{\boldsymbol{x}}}\rho \right)$ and covariance matrix ${\boldsymbol{V}}$. The covariance matrix entries are

$$\begin{eqnarray}&&{V}_{{ij}}:= \displaystyle \frac{1}{2}\mathrm{tr}\left[\{{\boldsymbol{\Delta }}{\hat{{\boldsymbol{x}}}}_{i},{\boldsymbol{\Delta }}{\hat{{\boldsymbol{x}}}}_{j}\}\right],\,{\boldsymbol{\Delta }}{\hat{{\boldsymbol{x}}}}_{i}:= {\hat{{\boldsymbol{x}}}}_{i}-\mathrm{tr}\left({\hat{{\boldsymbol{x}}}}_{i}\rho \right),\,i,j\in \{1,\,\ldots ,\,2n\},\end{eqnarray} \tag{ 9 }$$

with $\{,\}$ the anticommutator.

The symplectic manipulation of a Gaussian state's covariance matrix can be used to express its fundamental properties. By definition, a $2n\times 2n$ real-valued matrix ${\boldsymbol{S}}$ is called symplectic if it preserves the symplectic form of equation (3); i.e.

$$\begin{eqnarray}&&{{\boldsymbol{S\Omega S}}}^{\top }={\boldsymbol{\Omega }}.\end{eqnarray} \tag{ 10 }$$

According to Williamson's theorem [29], each covariance matrix ${\boldsymbol{V}}$ has a corresponding symplectic transformation ${\boldsymbol{S}}$ satisfying

$$\begin{eqnarray}&&{\boldsymbol{V}}={\boldsymbol{S}}\left[\underset{k=1}{\overset{n}{\displaystyle \bigoplus }}{\nu }_{k}{{\boldsymbol{I}}}_{k}\right]{{\boldsymbol{S}}}^{\top },\end{eqnarray} \tag{ 11 }$$

with symplectic spectrum defined by the vector

$$\begin{eqnarray}&&{\boldsymbol{\nu }}:= \left({\nu }_{1},\,\ldots ,\,{\nu }_{n}\right)\end{eqnarray} \tag{ 12 }$$

unique to each ${\boldsymbol{V}}$ and satisfying

$$\begin{eqnarray}&&\displaystyle \prod _{k=1}^{n}{\nu }_{k}^{2}=\det {\boldsymbol{V}}.\end{eqnarray} \tag{ 13 }$$

As an example, a two-mode Gaussian state has covariance matrix

$$\begin{eqnarray}{\boldsymbol{V}}=\left(\begin{array}{cc}{\boldsymbol{A}} & {\boldsymbol{C}}\\ {\boldsymbol{C}} & {\boldsymbol{B}}\end{array}\right);\,{\boldsymbol{A}}={{\boldsymbol{A}}}^{\top },{\boldsymbol{B}}={{\boldsymbol{B}}}^{\top },{\boldsymbol{C}}\in {{\mathbb{R}}}^{2\times 2}.\end{eqnarray} \tag{ 14 }$$

The symplectic spectrum is [30]

$$\begin{eqnarray}&&{\nu }_{\pm }=\sqrt{\displaystyle \frac{{\rm{\Delta }}\pm \sqrt{{{\rm{\Delta }}}^{2}-4\det {\boldsymbol{V}}}}{2}},\end{eqnarray} \tag{ 15 }$$

where

$$\begin{eqnarray}&&{\rm{\Delta }}:= \det {\boldsymbol{A}}+\det {\boldsymbol{B}}+2\det {\boldsymbol{C}}.\end{eqnarray} \tag{ 16 }$$

As Gaussian states are easy to describe mathematically, a large class of transformations acting on such states are easy to characterize as well. In the next section, we discuss this class of transformations called Gaussian preserving maps.

Gaussian (linear) unitary Bogoliubov transformations are interactions that preserve the Gaussian character of a quantum state. In terms of the quadrature operators, a Gaussian map is described by the affine map

$$\begin{eqnarray}&&\left({\boldsymbol{S}},{\boldsymbol{d}}\right):{\boldsymbol{S}}\hat{{\boldsymbol{x}}}+{\boldsymbol{d}},\qquad {\boldsymbol{d}}\in {{\mathbb{R}}}^{2n},\end{eqnarray} \tag{ 17 }$$

for ${\boldsymbol{S}}$ (9) a matrix representation of the symplectic group. The most general form of a Gaussian map in terms of its action on the statistical moments $\bar{{\boldsymbol{x}}}$ and ${\boldsymbol{V}}$ is

$$\begin{eqnarray}&&\bar{{\boldsymbol{x}}}\mapsto {\boldsymbol{S}}\bar{{\boldsymbol{x}}}+{\boldsymbol{d}},\,{\boldsymbol{V}}\mapsto {\boldsymbol{S}}{\boldsymbol{V}}{{\boldsymbol{S}}}^{\top }.\end{eqnarray} \tag{ 18 }$$

A special class of Gaussian maps are linear canonical point transformations, for which the positions and momenta do not mix and transform separately [31].

For single-mode squeezing we have the infinite-dimensional unitary representation [32]

$$\begin{eqnarray}&&{S}_{1}={{\rm{e}}}^{\tfrac{1}{2}\left({\zeta }^{\star }{\hat{a}}^{2}-\zeta {\hat{a}}^{\dagger 2}\right)},\end{eqnarray} \tag{ 19 }$$

and for two-mode squeezing we have the infinite-dimensional unitary representation

$$\begin{eqnarray}&&{S}_{2}={{\rm{e}}}^{\tfrac{1}{2}\left({\zeta }^{\star }{\hat{a}}_{1}{\hat{a}}_{2}-\zeta {\hat{a}}_{1}^{\dagger }{\hat{a}}_{2}^{\dagger }\right)},\end{eqnarray} \tag{ 20 }$$

where

$$\begin{eqnarray}&&{\hat{a}}_{k}=\displaystyle \frac{{\hat{q}}_{k}+{\rm{i}}{\hat{p}}_{k}}{\sqrt{2}},\,{\hat{a}}_{k}^{\dagger }=\displaystyle \frac{{\hat{q}}_{k}-{\rm{i}}{\hat{p}}_{k}}{\sqrt{2}},\,\zeta =s{{\rm{e}}}^{{\rm{i}}\theta },\,s\in {{\mathbb{R}}}^{+}.\end{eqnarray} \tag{ 21 }$$

A two-mode squeezed vacuum (TMSV) state is mathematically represented as [32]

$$\begin{eqnarray}&&{\left|\zeta \right\rangle }_{\mathrm{TMSV}}:= {S}_{2}\left(\zeta \right)\left|0\right\rangle ,\,\zeta \in {\mathbb{C}}.\end{eqnarray} \tag{ 22 }$$

In the next section, we explain TRS03 CV quantum SS scheme in which the Gaussian maps are used for encoding and decoding.

In this section, we explain the TRS03 CV QSS scheme. In a $\left(k,2k-1\right)$-threshold scheme, the dealer possesses a pure secret state $\left|\psi \right\rangle \in {\mathscr{H}}$ and encodes the quantum secret into an entangled state of $2k-1$ modes of the electromagnetic field by combining it with $2k-2$ ancillary states. The dealer then distributes them among the n players, each of whom receive one share, and at least k players must combine their shares in an active interferometer to extract the secret state.

Let ${{\mathscr{H}}}^{(2k-1)}$ be the tensor product of $2k-1$ copies of ${{\mathscr{H}}}^{(1)}$ and each player owns one of these copies. Let us define ${{\mathbb{F}}}^{2k-1}$ as the real linear space of coordinate functions for ${{\mathbb{R}}}^{2k-1}$. Then a system of Euclidean coordinates

$$\begin{eqnarray}&&{\boldsymbol{x}}={\left({x}_{1},{x}_{2},\ldots ,{x}_{2k-1}\right)}^{\top }\in {{\mathbb{R}}}^{2k-1},\end{eqnarray} \tag{ 23 }$$

is equivalent to choosing an orthonormal basis of coordinate functions

$$\begin{eqnarray}&&{\boldsymbol{f}}:= {\left({f}_{1},{f}_{2},\ldots ,{f}_{2k-1}\right)}^{\top }\in {{\mathbb{F}}}^{2k-1}\end{eqnarray} \tag{ 24 }$$

such that

$$\begin{eqnarray}&&{f}_{i}\,:{{\mathbb{R}}}^{2k-1}\to {\mathbb{R}}:\left({\boldsymbol{x}}\right)={x}_{i}\end{eqnarray} \tag{ 25 }$$

with x_i the $i\mathrm{th}$ coordinate of ${\boldsymbol{x}}$ (23), and ${f}_{i}\cdot {f}_{j}={\delta }_{{ij}}$.

Initially, the dealer starts with an unentangled tensor product

$$\begin{eqnarray}&&\left|{\rm{\Psi }}\right\rangle =\left|\psi \right\rangle \otimes \mathop{\underbrace{\left|{\phi }_{a}\right\rangle \otimes \cdots \otimes \left|{\phi }_{a}\right\rangle }}\limits_{k-1}\otimes \mathop{\underbrace{\left|{\phi }_{1/a}\right\rangle \otimes \cdots \otimes \left|{\phi }_{1/a}\right\rangle }}\limits_{k-1},\end{eqnarray} \tag{ 26 }$$

where $\left|\psi \right\rangle$ is the secret state and

$$\begin{eqnarray}&&{\phi }_{a}\left(x\right)=\left\langle x| {\phi }_{a}\right\rangle ={\left(\pi {a}^{2}\right)}^{-1/4}{{\rm{e}}}^{-{x}^{2}/2{a}^{2}}.\end{eqnarray} \tag{ 27 }$$

Let us write this state as

$$\begin{eqnarray}\begin{array}{rcl}\left|{\rm{\Psi }}\right\rangle & = & \displaystyle \int {{\rm{d}}}^{n}{\boldsymbol{x}}\,{\rm{\Psi }}({\boldsymbol{x}})\left|{x}_{1}\right\rangle \otimes \cdots \otimes \left|{x}_{n}\right\rangle \\ & = & \displaystyle \int {{\rm{d}}}^{n}{\boldsymbol{x}}\ {\rm{\Psi }}\left({\boldsymbol{x}}\right)\left|{f}_{1}({\boldsymbol{x}})\right\rangle \otimes \cdots \otimes \left|{f}_{n}({\boldsymbol{x}})\right\rangle ,\end{array}\end{eqnarray} \tag{ 28 }$$

where

$$\begin{eqnarray}&&\left|{\rm{\Psi }}\right\rangle =\psi \left({x}_{1}\right)\displaystyle \prod _{i=2}^{k}{\phi }_{a}\left({x}_{i}\right)\displaystyle \prod _{i=k+1}^{n}{\phi }_{1/a}\left({x}_{i}\right).\end{eqnarray} \tag{ 29 }$$

The dealer then performs the encoding using a linear canonical point transformation

$$\begin{eqnarray}&&{f}_{j}\mapsto {g}_{i}=\displaystyle \sum _{j}{g}_{{ij}}{f}_{j}.\end{eqnarray} \tag{ 30 }$$

The corresponding unitary transformation then maps the state $\left|{\rm{\Psi }}\right\rangle$ to

$$\begin{eqnarray}&&{\left|\det g\right|}^{1/2}\int {{\rm{d}}}^{2k-1}{\boldsymbol{x}}{\rm{\Psi }}\left({\boldsymbol{x}}\right)\left|{g}_{1}({\boldsymbol{x}})\right\rangle \otimes \cdots \otimes \left|{g}_{2k-1}({\boldsymbol{x}})\right\rangle .\end{eqnarray} \tag{ 31 }$$

The dealer, however, has to choose $\{{g}_{i}\}$ such that any k players are able to disentangle the secret state but that fewer is unable to do so. For this purpose, in the case of sufficiently large a, only the orthogonal projection ${\iota }_{i}$ of each vector g_i into the space spanned by the vectors $\{{f}_{1},\,\ldots ,\,{f}_{2k-1}\}$ is important. The vectors $\{{g}_{i}\}$ then must be chosen such that any k vectors from the set $\{{f}_{1},{\iota }_{1},\,\ldots ,\,{\iota }_{2k-1}\}$ are linearly independent. This linear independence condition guarantees that any k players are able to extract the secret.

For convenience, let us express ${{\mathbb{F}}}^{2k-1}\in {{\mathbb{R}}}^{2k-1}$ as a direct sum of three mutually orthogonal subspaces

$$\begin{eqnarray}&&{{\mathbb{F}}}^{2k-1}={\mathbb{X}}\oplus {\mathbb{Y}}\oplus {\mathbb{Z}},\end{eqnarray} \tag{ 32 }$$

where ${\mathbb{X}}$ is the one-dimensional space spanned by f₁ and ${\mathbb{Y}}$ and ${\mathbb{Z}}$ are $k-1$-dimensional spaces spanned by $\{{f}_{2},\,\ldots ,\,{f}_{k}\}$ and $\{{f}_{k+1},\,\ldots ,\,{f}_{2k-1}\}$, respectively. Now let us relabel $\{{x}_{i}\}$ coordinates as $(x,{y}_{i},{z}_{i})$ coordinates with

$$\begin{eqnarray}&&x={x}_{1},\,{y}_{i}={x}_{i+1},\,{z}_{i}={x}_{k+i},i\in \{1,\,\ldots ,\,k-1\}.\end{eqnarray} \tag{ 33 }$$

The wavefunction Ψ is then

$$\begin{eqnarray}&&{\rm{\Psi }}\left({\boldsymbol{x}}\right)=\psi \left(x\right)\displaystyle \prod _{i=1}^{k-1}{\phi }_{a}\left({y}_{i}\right){\phi }_{1/a}({z}_{i}).\end{eqnarray} \tag{ 34 }$$

Without loss of generality, the first k players collaborate to retrieve the quantum secret. The players then make the linear coordinate transformation

$$\begin{eqnarray}&&{g}_{i}\mapsto {\xi }_{i}=\displaystyle \sum _{j}{\xi }_{{ij}}{f}_{j}\end{eqnarray} \tag{ 35 }$$

assuming ${\xi }_{i}={g}_{i}$ for all $i\gt k$.

For convenience, let us define a decomposition for every vector ${\xi }_{i}$ as a sum of three mutually orthogonal vectors, each of which belongs to subspaces ${\mathbb{X}}$, ${\mathbb{Y}}$ and ${\mathbb{Z}}$

$$\begin{eqnarray}&&{\xi }_{i}={\alpha }_{i}+{\beta }_{i}+{\gamma }_{i}.\end{eqnarray} \tag{ 36 }$$

Equivalently, we can write

$$\begin{eqnarray}&&{\xi }_{i}\left({\boldsymbol{x}}\right)={\alpha }_{i}x+\displaystyle \sum _{j}{\beta }_{{ij}}{y}_{j}+\displaystyle \sum _{j}{\gamma }_{{ij}}{z}_{j}.\end{eqnarray} \tag{ 37 }$$

In the case that the vectors g_i are chosen in such a way that any k vectors from the set $\{{f}_{1},{\iota }_{1},\,\ldots ,\,{\iota }_{2k-1}\}$ are linearly independent, the players can design the transformation ${g}_{i}\mapsto {\xi }_{i}$ such that

$$\begin{eqnarray}\begin{array}{rcl}{\alpha }_{1} & = & 1,\qquad {\beta }_{1}=0,\\ {\alpha }_{i+1} & = & {\alpha }_{k+i},\,{\beta }_{i+1}={\beta }_{k+i},\end{array}\end{eqnarray} \tag{ 38 }$$

where $i\in \{1,\,\ldots ,\,k-1\}$. Then transformation (38) extracts the secret for sufficiently large values of parameter a.

Here we review Shannon and von Neumann entropy as these notions of entropy underpin the formulation of classical and quantum mutual information. This section also helps to elucidate the compact notation we use throughout this paper.

Shannon entropy. Let Z be a statistical ensemble defined by a classical random variable z and its associated probability distribution $\{{p}_{j}\}=\{{p}_{1},\,\ldots ,\,{p}_{n}\}$, which can be expressed as a probability vector ${\boldsymbol{p}}={({p}_{1},\ldots ,{p}_{n})}^{\top }$. The logarithm of this vector (always using base 2 here) is

$$\begin{eqnarray}&&\mathrm{log}{\boldsymbol{p}}:= (\mathrm{log}{{\boldsymbol{p}}}_{j}).\end{eqnarray} \tag{ 39 }$$

Using the Hadamard (elementwise) product ${\boldsymbol{a}}\,\circ \,{\boldsymbol{b}}:= ({a}_{i}{b}_{i})$ [33] for vectors and the sum of such elements ${\boldsymbol{a}}\odot {\boldsymbol{b}}:= {\sum }_{i}{a}_{i}{b}_{i}$, the Shannon entropy is

$$\begin{eqnarray}&&{H}_{\mathrm{Sh}}({\boldsymbol{p}})=-{\boldsymbol{p}}\odot \mathrm{log}{\boldsymbol{p}}=-{\boldsymbol{p}}\cdot \mathrm{log}{\boldsymbol{p}}.\end{eqnarray} \tag{ 40 }$$

Thus, ${H}_{\mathrm{Sh}}$ yields the number of bits per letter needed to completely specify Z in the asymptotic limit of infinitely long strings [34]. Shannon entropy is thus a measure for the uncertainty of z or it indicates how much information each letter in the string that uses the alphabet Z carries.

Von Neumann entropy. In the same vein, the information content of a quantum state ρ (5) can be quantified by determining how many qubits are needed to represent state ρ in the asymptotic limit of an infinite ensemble of physical systems. This quantum-information content, known as the von Neumann entropy [35], amounts to computing a classical Shannon entropy (40)

$$\begin{eqnarray}&&{H}_{\mathrm{vN}}(\rho )=-\mathrm{tr}\left(\rho {\mathrm{log}}_{2}\rho \right)={H}_{\mathrm{Sh}}\left(\mathrm{spec}\ {\boldsymbol{\rho }}\right),\end{eqnarray} \tag{ 41 }$$

for $\mathrm{spec}\ {\boldsymbol{\rho }}$ a vector comprising eigenvalues of the state ρ.

CV quantum entropy. For CV Gaussian states, we define the vectors

$$\begin{eqnarray}&&{{\boldsymbol{\nu }}}^{\pm }:= \displaystyle \frac{{\boldsymbol{\nu }}\pm {\mathbb{1}}}{2}\end{eqnarray} \tag{ 42 }$$

with ${\boldsymbol{\nu }}$ the symplectic spectrum (12) and ${\mathbb{1}}$ the vector with all entries being unity. Thus, the von Neumann entropy is [36]

$$\begin{eqnarray}&&{H}_{\mathrm{vN}}(\rho )={{\boldsymbol{\nu }}}^{+}\odot \mathrm{log}{{\boldsymbol{\nu }}}^{+}+{{\boldsymbol{\nu }}}^{-}\odot \mathrm{log}{{\boldsymbol{\nu }}}^{-}.\end{eqnarray} \tag{ 43 }$$

These entropy expressions are used in the formulæ for mutual information.

Convenient notation for states in entropy formulæ. A convenient notation for entropy, which is independent of being classical or quantum, uses a label for the classical or quantum state. Rather than specify the state as ${\boldsymbol{p}}$ classically or ρ quantumly, we label the state by a capital letter such as A and B, with these labels commensurate with the usual Alice-and-Bob nomenclature in cryptology [37].

Conditional entropy. Labelling the joint state held by A and B as $\mathrm{AB}$, the conditional entropy is abstractly expressed as

$$\begin{eqnarray}&&H\left({\rm{A}}| {\rm{B}}\right):= H\left(\mathrm{AB}\right)-H\left({\rm{B}}\right)\end{eqnarray} \tag{ 44 }$$

for any valid formula for entropy, whether classical (40) or quantum (41).

Classical conditional entropy. The classical conditional entropy [38] is obtained from equation (44) by replacing

$$\begin{eqnarray}&&H({\rm{A}})\mapsto {H}_{\mathrm{Sh}}\left({{\boldsymbol{p}}}_{{\rm{A}}}\right)\end{eqnarray} \tag{ 45 }$$

for ${{\boldsymbol{p}}}_{{\rm{A}}}$ the distribution held by A. Similarly, we replace

$$\begin{eqnarray}&&H({\rm{B}})\mapsto {H}_{\mathrm{Sh}}\left({{\boldsymbol{p}}}_{{\rm{B}}}\right)\end{eqnarray} \tag{ 46 }$$

and

$$\begin{eqnarray}&&H(\mathrm{AB})\mapsto {H}_{\mathrm{Sh}}\left({{\boldsymbol{p}}}_{\mathrm{AB}}\right).\end{eqnarray} \tag{ 47 }$$

$H\left({\rm{A}}| {\rm{B}}\right)$ quantifies the correlation between ${\rm{A}}$ and ${\rm{B}}$ as the reduction of the number of bits per letter needed to specify ${\rm{A}}$ given ${\rm{B}}$ is known.

Quantum conditional entropy. The quantum conditional entropy [24] is obtained from equation (44) by replacing

$$\begin{eqnarray}&&H({\rm{A}})\mapsto {H}_{\mathrm{vN}}\left({\rho }_{{\rm{A}}}\right)\end{eqnarray} \tag{ 48 }$$

for ${\rho }_{{\rm{A}}}$ the quantum state held by A. Similarly, we replace

$$\begin{eqnarray}&&H({\rm{B}})\mapsto {H}_{\mathrm{vN}}\left({\rho }_{{\rm{B}}}\right)\end{eqnarray} \tag{ 49 }$$

and

$$\begin{eqnarray}&&H(\mathrm{AB})\mapsto {H}_{\mathrm{vN}}\left({\rho }_{\mathrm{AB}}\right).\end{eqnarray} \tag{ 50 }$$

Although classical conditional entropy is always positive, for evaluating quantum conditional entropy can be negative [39].

We explain classical mutual information [38] and quantum mutual information [24], first as an abstract concept regardless of whether classical or quantum information is chosen. Then we explain each of classical and quantum mutual information. Quantum mutual information is vital for evaluating security for SS.

Mutual information. Labelling the joint state held by A and B as $\mathrm{AB}$, mutual information is abstractly expressed as

$$\begin{eqnarray}&&I\left({\rm{A}};{\rm{B}}\right):= H\left({\rm{A}}\right)+H\left({\rm{B}}\right)-H\left(\mathrm{AB}\right)\end{eqnarray} \tag{ 51 }$$

for any valid formula for entropy, whether classical (40) or quantum (41). Classical mutual information [24] is obtained from equation (51) by replacing

$$\begin{eqnarray}&&H({X})\mapsto {H}_{\mathrm{Sh}}\left({{\boldsymbol{p}}}_{{X}}\right)\end{eqnarray} \tag{ 52 }$$

with ${X}\in \{{\rm{A}},{\rm{B}}\}$ for ${{\boldsymbol{p}}}_{{X}}$ and

$$\begin{eqnarray}&&H(\mathrm{AB})\mapsto {H}_{\mathrm{Sh}}\left({{\boldsymbol{p}}}_{\mathrm{AB}}\right)\end{eqnarray} \tag{ 53 }$$

as discussed in section 2.2.1. Classical mutual information quantifies the correlation between two statistical ensembles ${\rm{A}}$ and ${\rm{B}}$ as the reduction of the number of bits per letter needed to specify one of the variables given the other variable is known.

Quantum mutual information. The quantum mutual information [24] is obtained from equation (51) by replacing

$$\begin{eqnarray}&&H({\rm{A}})\mapsto {H}_{\mathrm{vN}}\left({\rho }_{{\rm{A}}}\right)\end{eqnarray} \tag{ 54 }$$

for ${\rho }_{{\rm{A}}}$ the quantum state held by A. Similarly, we replace

$$\begin{eqnarray}&&H({\rm{B}})\mapsto {H}_{\mathrm{vN}}\left({\rho }_{{\rm{B}}}\right)\end{eqnarray} \tag{ 55 }$$

and

$$\begin{eqnarray}&&H(\mathrm{AB})\mapsto {H}_{\mathrm{vN}}\left({\rho }_{\mathrm{AB}}\right).\end{eqnarray} \tag{ 56 }$$

Quantum mutual information is always positive and quantifies the total correlations contained in the bipartite state ${\rho }_{\mathrm{AB}}$. Quantum mutual information is employed to define and evaluate the security of QSS schemes.

Relation between conditional entropy and mutual information. The relation between conditional entropy and mutual information is

$$\begin{eqnarray}&&I\left({\rm{A}};{\rm{B}}\right)=H\left({\rm{A}}\right)-H\left({\rm{A}}| {\rm{B}}\right)=H\left({\rm{B}}\right)-H\left({\rm{B}}| {\rm{A}}\right)\end{eqnarray} \tag{ 57 }$$

for any valid formula for entropy, whether classical (40) or quantum (41). The relation between classical mutual information and classical conditional entropy is obtained from equation (57) by replacing

$$\begin{eqnarray}&&H({X})\mapsto {H}_{\mathrm{Sh}}\left({{\boldsymbol{p}}}_{{X}}\right)\end{eqnarray} \tag{ 58 }$$

with ${X}\in \{{\rm{A}},{\rm{B}}\}$ and

$$\begin{eqnarray}&&H({X}| {Y})\mapsto {H}_{{\rm{Sh}}}\left({{\boldsymbol{p}}}_{{XY}}\right)-{H}_{{\rm{Sh}}}\left({{\boldsymbol{p}}}_{{Y}}\right)\end{eqnarray} \tag{ 59 }$$

with $\left({X},{Y}\right)\in \{\left({\rm{A}},{\rm{B}}\right),\left({\rm{B}},{\rm{A}}\right)\}$ as discussed in section 2.2.1.

The relation between quantum mutual information and quantum conditional entropy is obtained from equation (57) by replacing

$$\begin{eqnarray}&&H({X})\mapsto {H}_{\mathrm{vN}}\left({\rho }_{{X}}\right)\end{eqnarray} \tag{ 60 }$$

with ${X}\in \{{\rm{A}},{\rm{B}}\}$ and

$$\begin{eqnarray}&&H({X}| {Y})\mapsto {H}_{{\rm{vN}}}\left({\rho }_{{XY}}\right)-{H}_{{\rm{vN}}}\left({\rho }_{{Y}}\right)\end{eqnarray} \tag{ 61 }$$

with $\left({X},{Y}\right)\in \{\left({\rm{A}},{\rm{B}}\right),\left({\rm{B}},{\rm{A}}\right)\}$ as discussed in section 2.2.1.

In this section, we explain classical and QSS protocols. We begin by establishing the agents of the protocol namely dealer and players and the structures corresponding to the set of players. Afterwards, we explain classical secret-sharing schemes along with classical secrecy and recoverability conditions corresponding to them. Then we define QSS and provide the secrecy and recoverability conditions corresponding to them based on quantum mutual information.

Dealer and players. We establish the agents of the protocol and the structures corresponding to sets of players, who are one kind of agent. Specifically, SS comprises $n+1$ agents, namely one dealer ${ \mathcal D }$ and n players labelled

$$\begin{eqnarray}&&{ \mathcal P }=\{{P}_{1},{P}_{2},\,\ldots ,\,{P}_{n}\}.\end{eqnarray} \tag{ 62 }$$

The power set of players is ${2}^{{ \mathcal P }}$, which is the set of all subsets of the set of players (62).

The role of the dealer is to encode the secret message $S\in \{0,1\}{}^{* }$ (classically) or ${\rho }_{s}\in { \mathcal S }\left({\mathscr{H}}\right)$ (5) quantumly, into n shares and distributes them among players in such a way that specific elements of ${2}^{{ \mathcal P }}$ form the authorized structure ${ \mathcal A }$ to retrieve the secret message whereas other elements are denied any information about the secret whatsoever. The set of elements that are denied any information is known as the forbidden structure ${ \mathcal F }$.

Access structure. Let

$$\begin{eqnarray}&&{ \mathcal F },{ \mathcal A }\subseteq {2}^{{ \mathcal P }},\,{ \mathcal F },{ \mathcal A }\ne \varnothing ,\end{eqnarray} \tag{ 63 }$$

where ${ \mathcal F }$ is monotonically decreasing and ${ \mathcal A }$ is monotonically increasing, and

$$\begin{eqnarray}&&{ \mathcal F }\cap { \mathcal A }=\varnothing .\end{eqnarray} \tag{ 64 }$$

Then the set

$$\begin{eqnarray}&&{\rm{\Gamma }}=\{{ \mathcal F },{ \mathcal A }\}\end{eqnarray} \tag{ 65 }$$

is the access structure on ${ \mathcal P }$. Quantumly, the no-cloning theorem implies that the existence of two disjoint authorized group is forbidden [40].

Secret-sharing protocol. Let ${\mathscr{H}}$ be a Hilbert space and let ${ \mathcal S }({\mathscr{H}})$ be all density operators on a Hilbert space ${\mathscr{H}}$. In a QSS scheme, the dealer's task is to encrypt a quantum secret ${\rho }_{{\rm{s}}}\in { \mathcal S }\left({\mathscr{H}}\right)$ into a composite system of Hilbert spaces

$$\begin{eqnarray}&&{{\mathscr{H}}}_{1},{{\mathscr{H}}}_{2},\,\ldots ,\,{{\mathscr{H}}}_{n},\end{eqnarray} \tag{ 66 }$$

each of which is called a share labelled by ${S}_{1},{S}_{2},\,\ldots ,\,{S}_{n}$. Let

$$\begin{eqnarray}&&N:= \{{S}_{1},{S}_{2},\,\ldots ,\,{S}_{n}\}\end{eqnarray} \tag{ 67 }$$

be the entire set of shares and

$$\begin{eqnarray}&&{{\mathscr{H}}}_{N}:= \mathop{\displaystyle \bigotimes }\limits_{{S}_{i}\in N}{{\mathscr{H}}}_{{S}_{i}}\end{eqnarray} \tag{ 68 }$$

be the corresponding Hilbert space. The dealer then distributes the shares among players (62). For a subset $A\subseteq N$ of shares

$$\begin{eqnarray}&&{{\mathscr{H}}}_{{A}}:= \mathop{\displaystyle \bigotimes }\limits_{{S}_{i}\in {A}}{{\mathscr{H}}}_{{S}_{i}},\end{eqnarray} \tag{ 69 }$$

the QSS encoding is

$$\begin{eqnarray}&&{W}_{N}:{ \mathcal S }({\mathscr{H}})\to { \mathcal S }({{\mathscr{H}}}_{N}),\end{eqnarray} \tag{ 70 }$$

which is a completely positive and trace preserving map [5].

The composition map of the encoder W_N for a subset $X\subseteq N$, and the partial trace of the complement $N\setminus X$ is

$$\begin{eqnarray}&&{W}_{X}:= {\mathrm{tr}}_{N\setminus X}{W}_{N}.\end{eqnarray} \tag{ 71 }$$

A QSS scheme is then defined by the quantum operation W_N (70) that is reversible with respect to ${ \mathcal S }({\mathscr{H}})$. The set N is divided into two mutually disjoint structures ${ \mathcal A }$ and ${ \mathcal F }$ [5].

• (i)  
  A set $X\subseteq N$ is authorized if W_X is reversible with respect to ${ \mathcal S }({\mathscr{H}})$.
• (ii)  
  A set $X\subseteq N$ is forbidden if W_X is vanishing with respect to ${ \mathcal S }({\mathscr{H}})$.

The arguments so far are valid in the classical cases, which is verified by replacing the corresponding notions with the classical ones [5].

Classical secrecy and recoverability conditions. Classical secrecy is expressed in terms of conditional entropy but equivalently can be expressed in terms of mutual information. Strictly speaking, conditional entropy is between shares. However, for simplicity, in the literature there is a tendency to refer to conditional entropy between players. Π is a perfect SS scheme on Γ if

• $\forall { \mathcal B }\in { \mathcal A }\,H\left(S| { \mathcal B }\right)=0$
• $\forall { \mathcal B }\notin { \mathcal A }\,H\left(S| { \mathcal B }\right)=H\left(S\right)$.

Quantum secrecy and recoverabiliy conditions. Here we discuss quantum secrecy conditions in terms of quantum mutual information. Strictly speaking, quantum mutual information is between shares. However, for simplicity, in the literature there is a tendency to refer to quantum mutual information between players. We can imagine that the system ${\rho }_{{s}}$ is part of a larger system and that this compound system is initially in a pure state $\left|{\psi }^{{RS}}\right\rangle$. Therefore,

$$\begin{eqnarray}&&{\rho }_{{s}}={\mathrm{tr}}_{{R}}\left(\left|{\psi }^{{RS}}\right\rangle \left\langle {\psi }^{{RS}}\right|\right).\end{eqnarray} \tag{ 72 }$$

In a QSS, if a subset $X\in {2}^{{ \mathcal P }}$ satisfies

$$\begin{eqnarray}&&I\left({R};{X}\right)=0\,(\mathrm{secrecy}\ \mathrm{condition}),\end{eqnarray} \tag{ 73 }$$

then ${\rho }^{X}$ does not contain any information about ${\rho }_{s}$ [23]. On the other hand, if a subset X satisfies

$$\begin{eqnarray}&&I\left({R};{X}\right)=I\left({R};{S}\right)\,(\mathrm{recoverability}\ \mathrm{condition}),\end{eqnarray} \tag{ 74 }$$

then X contains full information about ${\rho }_{{s}}$ [23].

Access structure. Specific subsets of players form the authorized structure

$$\begin{eqnarray}&&{ \mathcal A }:= \left\{{X}\in {2}^{{ \mathcal P }};I({R};{S})=I({R};{X})\right\}\end{eqnarray} \tag{ 75 }$$

to retrieve the message whereas the other subsets, i.e. the forbidden structure

$$\begin{eqnarray}&&{ \mathcal F }:= \left\{X\in {2}^{{ \mathcal P }};I(R;X)=0\right\},\end{eqnarray} \tag{ 76 }$$

are denied any information about the secret whatsoever. We define the QSS access structure as

$$\begin{eqnarray}&&{\rm{\Gamma }}:= \left\{{ \mathcal A },{ \mathcal F }\right\}.\end{eqnarray} \tag{ 77 }$$

Threshold SS. $((k,n))$ threshold QSS schemes are a class of QSS schemes in which the authorized structure comprises all groups of k or more players while there are n players in total (the use of double parentheses distinguishes it from a classical scheme). $((k,n))$ quantum threshold schemes exists provided no-cloning theorem is satisfied [40]. Any QSS scheme can be reduced to $((k,2k-1))$ threshold schemes [40]. In QSS schemes, the size of shares allocated to each player must be at least as large as the size of the secret [5, 40].

The optical realization comprises displacers that generate Heisenberg–Weyl group elements and single-mode squeezers, passive beam-splitters and phase-shifters that generate the semidirect product of the symplectic group  (1). The inputs are vacuum states of light. For the closed disk

$$\begin{eqnarray}&&{D}_{s}:= \left\{\zeta \in {\mathbb{C}}:| \zeta | \leqslant {s}^{2}\right\},\,s\in {{\mathbb{R}}}^{+},\end{eqnarray} \tag{ 79 }$$

the dealer's and players' single-mode squeezers (19) have limited squeezing capability corresponding to $\zeta \in {D}_{s}$, with $s={s}_{\max }^{{\rm{D}}}$ for the dealer and $s={s}_{\max }^{{\rm{P}}}$ for the player.

Here we specify the dealer's task in the RQSS protocol. Dealer's tasks include preparing a quantum secret, choosing an access structure, encoding the quantum secret and distributing shares.

Two-mode squeezed-vacuum source. The dealer prepares a TMSV state (22) drawn randomly from the uncountable set

$$\begin{eqnarray}&&{Q}_{{\rm{D}}}:= \left\{{\left|\zeta \right\rangle }_{\mathrm{TMSV}};\zeta \in {D}_{{s}_{\max }^{{\rm{D}}}}\right\}.\end{eqnarray} \tag{ 80 }$$

The dealer's task is to encode one mode of this quantum state into an n-mode entangled state by mixing it with $n-1$ ancillary states in an n-mode active interferometer. The dealer then sends one share to each of the players in such a way that the elements of power set of players are divided into three predetermined mutually disjoint sets known as authorized, intermediate and forbidden structures.

In order for the dealer to prepare the TMSV randomly, first, he needs to decide the complex two-mode squeezing parameter $\zeta =s{{\rm{e}}}^{{\rm{i}}\theta }$ (21), where s is bounded by ${s}_{\max }^{{\rm{D}}}$. The dealer generates two random numbers $a,b\in \left[0,1\right]$. Then the dealer assigns

$$\begin{eqnarray}&&s\leftarrow \sqrt{2{{as}}_{\max }^{{\rm{D}}}},\,\theta \leftarrow 2\pi b.\end{eqnarray} \tag{ 81 }$$

Choosing a useful, feasible access structure. The dealer chooses an access structure Γ based on the desired application. The dealer then runs an algorithm that accepts Γ, covariance matrix of TMSV state ${\boldsymbol{V}}$, ${s}_{\ \max }^{{\rm{D}}}$ and ${s}_{\ \max }^{{\rm{P}}}$ as input and yields the encoding transformation or else null as the output. The dealer then performs the encoding transformation and distributes the shares among players.

The players' task in any authorized set is to reconstruct the quantum secret. One player is assigned to hold the secret after reconstruction. The aforementioned player forms a structure with other players in the authorized set who perform a Gaussian unitary operation on their shares such that the state of the share belonging to the assigned player become the same as the original secret state. The players in any intermediate set are allowed to partially reconstruct the secret state. Furthermore, the players in a forbidden structure should not gain any information about the quantum secret whatsoever.

In this section, we establish the agents of the certification protocol, namely, the dealer, the players and the referee who serves as skeptical certifier. Furthermore, we specify available resources for each party.

The dealer and players share trusted error-free classical and quantum communication channels between each other, and the referee also shares trusted error-free classical and quantum communication channels with each player and with the dealer. In our CV setting, the referee possesses single-mode homodyne detectors [27]. Henceforth, we only refer explicitly to homodyne measurement, without loss of generality. The dealer possesses a classical computer to choose the access structure Γ discussed in section 3.1.2, and the referee possesses a classical computer to run the certification algorithm.

The dealer chooses an access structure Γ discussed in section 3.1.2 and announces Γ to the players and to the referee. The dealer encodes shares based on the choice of Γ and the quantum secret, such as a randomly chosen state in the parameter disk (80), and announces this encoding to the players.

In this section, we define 'rounds', which are repetitions of the protocol between the dealer, players and referees. The concept for these rounds is depicted in figure 1. First the dealer prepare a suitable two-mode Gaussian state, which is the same two-mode Gaussian state for all rounds, and sends one mode to the referee and the other mode into an encoder, which is also unchanging over all rounds. This encoder creates shares that are sent to each player.

Zoom In Zoom Out Reset image size

After the players receive shares, the referee requests a subset of players, who can be authorized, forbidden or intermediate, to try to reconstruct the quantum secret and then send their resultant shares to the referee. Depending on instructions to the referee as an input, the referee performs single-mode homodyne measurement on either the reconstructed secret state, the reference state or both. Furthermore the referee follows the instruction to choose the local-oscillator phase for each homodyne detection. After each round, she saves these measurement results for classical post processing. Rounds continue until the referee permits the dealer and players to stop.

The referee's task is to certify the protocol by ascertaining the dealer's announcement that the access structure is the announced Γ. The referee conducts tests by requiring many rounds per instance, with each instance corresponding to testing whether a fixed subset of players is in ${ \mathcal A }$, ${ \mathcal I }$ or ${ \mathcal F }$ structures determined by Γ. Due to the statistical nature of the test, the referee cannot be 100% sure that the inference is correct; rather the referee makes a decision if the probability of being correct exceeds some threshold value, itself strictly greater than 1/2.

Sufficiency condition. When a sufficiency condition is met to ascertain whether the subset of players are determined to be in a structure compatible with the dealer's announced Γ, the referee instructs the players to stop. If that instance passes the test, the referee announces a new subset of players to test and the rounds repeat until the referee has enough data to pass the sufficiency test. If the instance results in the dealer and players failing, the procedure stops as the team of dealer and players has failed the test. The dealer and players pass only if every instance passes.

Below we provide the steps for certifying RQSS. Before commencing certification, the referee numerically labels each element of the power set and proceeds to test each labelled element of the power set in order according to this labelling. For simplicity, and without loss of generality, we assume that each player holds one share; thus, the number n of modes equals one more than the number of players, hence shares, in the given subset. This extra mode allows a single-mode reference field in addition to the modes held by the players.

The referee conducts a test that requires many rounds (3.2.3) for each power-set element. The test evaluates whether a fixed subset of players is in ${ \mathcal A }$, ${ \mathcal I }$ or ${ \mathcal F }$. In order to do so, the referee estimates the quantum mutual information ${I}_{{\rm{e}}}\left({R},{{S}}_{{\rm{e}}}\right)$ between the reference state ${\rho }^{{R}}$ and the extracted secret state ${\rho }^{{{S}}_{{\rm{e}}}}$ such that

$$\begin{eqnarray}&&{I}_{{\rm{e}}}\left({R};{{S}}_{{\rm{e}}}\right)\in \left[I\left({R};{{S}}_{{\rm{e}}}\right)-\epsilon ,I\left({R};{{S}}_{{\rm{e}}}\right)+\epsilon \right],\end{eqnarray} \tag{ 90 }$$

with a failure probability $\beta \lt 1/2$. Algorithm 4 accepts ${I}_{{\rm{e}}}\left({R},{{S}}_{{\rm{e}}}\right)$ as input and determines the structure of the power-set element. If the test result is consistent with the dealer's announcement that the access structure is the announced Γ, the referee announces a new subset of players to test; otherwise the procedure halts as the team of dealer and players has failed the certification test.

To estimate ${I}_{{\rm{e}}}\left({R};{{S}}_{{\rm{e}}}\right)$, the referee estimates the expectation values corresponding to each element of the matrices

$$\begin{eqnarray}{\boldsymbol{G}}=\left(\begin{array}{cccc}2{\hat{{\boldsymbol{x}}}}_{1}^{2} & \tfrac{{\left({\hat{{\boldsymbol{x}}}}_{1}+{\hat{{\boldsymbol{x}}}}_{2}\right)}^{2}}{2} & {\hat{{\boldsymbol{x}}}}_{1}{\hat{{\boldsymbol{x}}}}_{3}+{\hat{{\boldsymbol{x}}}}_{3}{\hat{{\boldsymbol{x}}}}_{1} & {\hat{{\boldsymbol{x}}}}_{1}{\hat{{\boldsymbol{x}}}}_{4}+{\hat{{\boldsymbol{x}}}}_{4}{\hat{{\boldsymbol{x}}}}_{1}\\ \tfrac{{\left({\hat{{\boldsymbol{x}}}}_{1}+{\hat{{\boldsymbol{x}}}}_{2}\right)}^{2}}{2} & 2{\hat{{\boldsymbol{x}}}}_{2}^{2} & {\hat{{\boldsymbol{x}}}}_{2}{\hat{{\boldsymbol{x}}}}_{3}+{\hat{{\boldsymbol{x}}}}_{3}{\hat{{\boldsymbol{x}}}}_{2} & {\hat{{\boldsymbol{x}}}}_{2}{\hat{{\boldsymbol{x}}}}_{4}+{\hat{{\boldsymbol{x}}}}_{4}{\hat{{\boldsymbol{x}}}}_{2}\\ {\hat{{\boldsymbol{x}}}}_{1}{\hat{{\boldsymbol{x}}}}_{3}+{\hat{{\boldsymbol{x}}}}_{3}{\hat{{\boldsymbol{x}}}}_{1} & {\hat{{\boldsymbol{x}}}}_{2}{\hat{{\boldsymbol{x}}}}_{3}+{\hat{{\boldsymbol{x}}}}_{3}{\hat{{\boldsymbol{x}}}}_{2} & 2{\hat{{\boldsymbol{x}}}}_{3}^{2} & \tfrac{{\left({\hat{{\boldsymbol{x}}}}_{3}+{\hat{{\boldsymbol{x}}}}_{4}\right)}^{2}}{2}\\ {\hat{{\boldsymbol{x}}}}_{1}{\hat{{\boldsymbol{x}}}}_{4}+{\hat{{\boldsymbol{x}}}}_{4}{\hat{{\boldsymbol{x}}}}_{1} & {\hat{{\boldsymbol{x}}}}_{3}{\hat{{\boldsymbol{x}}}}_{4}+{\hat{{\boldsymbol{x}}}}_{4}{\hat{{\boldsymbol{x}}}}_{3} & \tfrac{{\left({\hat{{\boldsymbol{x}}}}_{3}+{\hat{{\boldsymbol{x}}}}_{4}\right)}^{2}}{2} & 2{\hat{{\boldsymbol{x}}}}_{4}^{2}\end{array}\right),\end{eqnarray} \tag{ 91 }$$

and

$$\begin{eqnarray}{\boldsymbol{C}}=\left(\begin{array}{cccc}{\hat{{\boldsymbol{x}}}}_{1} & {\hat{{\boldsymbol{x}}}}_{2} & {\hat{{\boldsymbol{x}}}}_{3} & {\hat{{\boldsymbol{x}}}}_{4}\end{array}\right),\end{eqnarray} \tag{ 92 }$$

with $\hat{{\boldsymbol{x}}}$ defined in equation (3). The first and second modes hold reference and reconstructed secret states, respectively. The referee's result is then used to estimate the covariance matrix (9) of ${\rho }^{{{RS}}_{{\rm{e}}}}$ according to [13]

$$\begin{eqnarray}&&{V}_{{ij}}^{{{RS}}_{{\rm{e}}}}=\langle {{\boldsymbol{G}}}_{{ij}}\rangle -\langle {{\boldsymbol{C}}}_{{i}}\rangle \langle {{\boldsymbol{C}}}_{{j}}\rangle ,\qquad {ij}\notin \{12,21,34,43\},\end{eqnarray} \tag{ 93 }$$

$$\begin{eqnarray}&&{V}_{{ij}}^{{{RS}}_{{\rm{e}}}}=2\langle {{\boldsymbol{G}}}_{{ij}}\rangle -\langle {{\boldsymbol{G}}}_{{ii}}\rangle /2-\langle {{\boldsymbol{G}}}_{{jj}}\rangle /2-\langle {{\boldsymbol{C}}}_{{i}}\rangle \langle {{\boldsymbol{C}}}_{{j}}\rangle ,\qquad {ij}\in \{12,21,34,43\}.\end{eqnarray} \tag{ 94 }$$

This covariance matrix is used to calculate the entropies of ${\rho }^{{{S}}_{{\rm{e}}}},{\rho }^{{R}}$ and ${\rho }^{{{RS}}_{{\rm{e}}}}$ using algorithm 1. The resultant entropies are then inserted into the standard formula for quantum mutual information (57).

The expectation value of each element of (91) and (92) is calculated by performing multiple homodyne measurements on identical and independent copies of ${\rho }^{{{RS}}_{{\rm{e}}}}$ and taking the average of the measurement results. Using Chebyshev's inequality [13], the referee calculates an upper-bound for the estimation error of each expectation value as a function of number of rounds and β. Subsequently, this estimation error is then used to calculate the maximum expectation values' estimation error ${\epsilon }_{\max }$ of covariance-matrix entries via the standard formula for error propagation. Afterwards she calculates the bound on the estimation error of entropies following algorithm 2. The estimation error of ${I}_{{\rm{e}}}\left({R};{{S}}_{{\rm{e}}}\right)$ is bounded by summation of the entropies estimation errors. The rounds continue until the estimation error of ${I}_{{\rm{e}}}\left({R};{{S}}_{{\rm{e}}}\right)$ is below a prespecified acceptable error.

Algorithm 1. Continuous-variable quantum entropy (${H}_{\mathrm{vN}}$).

Input:

$n\in {\mathbb{N}}$                                                                          ▹ Number of modes

${\boldsymbol{V}}\in {{\mathbb{R}}}^{2n}\times {{\mathbb{R}}}^{2n}$                                                                           ▹ Covariance matrix

${\boldsymbol{\Omega }}\in {{\mathbb{Z}}}^{2n}\times {{\mathbb{Z}}}^{2n}$ (4)

Output:

${H}_{\mathrm{vN}}\in {{\mathbb{R}}}^{+}$                                                                          ▹ von Neumann entropy

function vonNeumannH ${\boldsymbol{V}}$

${\boldsymbol{\nu }}\leftarrow {\mathrm{Eigenvalues}}_{+}\left({\rm{i}}{\rm{\Omega }}{\boldsymbol{V}}\right)$.                                                                          ▹ Calculates positive eigenvalues.

${{\boldsymbol{\nu }}}^{\pm }\leftarrow \tfrac{{\boldsymbol{\nu }}\pm {\mathbb{1}}}{2}$.

return ${H}_{\mathrm{vN}}\leftarrow {{\boldsymbol{\nu }}}^{+}\cdot \mathrm{log}{{\boldsymbol{\nu }}}^{+}+{{\boldsymbol{\nu }}}^{-}\cdot \mathrm{log}{{\boldsymbol{\nu }}}^{-}.$

end function

Algorithm 2. Upper bound of ${H}_{\mathrm{vN}}$ estimation error.

Input:

$n\in {\mathbb{N}}$                                      ▹ Number of modes

${\boldsymbol{V}}\in {{\mathbb{R}}}^{2n}\times {{\mathbb{R}}}^{2n}$                                     ▹ Covariance matrix

${\epsilon }_{\max }$                                      ▹ Maximum estimation error of covariance matrix elements

Output:

${H}_{\mathrm{vN},\mathrm{error}}^{\mathrm{upper}}\in {{\mathbb{R}}}^{+}$                                     ▹ Upper bound of QMI estimation error

function ${H}_{\mathrm{vN},\mathrm{error}}^{\mathrm{upper}}$ ${\boldsymbol{V}},{\epsilon }_{\max }$

${\sigma }_{\max }\leftarrow$ maximal singular value of ${\boldsymbol{V}}$.

${\sigma }_{\min }\leftarrow$ minimal singular value of ${\boldsymbol{V}}$.

return ${H}_{\mathrm{vN},\mathrm{error}}^{\mathrm{upper}}\leftarrow \kappa \left(1+\mathrm{log}\left(2n{\sigma }_{\max }\right)\right)2n{\epsilon }_{\max }.$                        ▹ $\kappa =\tfrac{{\sigma }_{\max }}{{\sigma }_{\min }}$ is always finite.

end function

Algorithm 3. Estimation of QMI.

Input:

$T\in {\mathbb{N}}$                  ▹ Number of trials

${\rho }^{\otimes T}\in { \mathcal B }\left({L}^{2}({{\mathbb{R}}}^{2T}\right)$                  ▹ T copies of the joint state ρ for the reference and players' reconstructed state

$\epsilon \in {{\mathbb{R}}}^{+}$                  ▹ Error tolerance for estimated QMI

${\rm{T}}{\rm{OL}}\in 0,1/2)$                  ▹ Failure probability tolerance

$\sigma \in {{\mathbb{R}}}^{+}$                  ▹ A uniform upper bound on the standard deviations of measurement results

${\rm{H}}{\rm{OM}}{\rm{M}}{\rm{EAS}}[\rho ,x,{\rm{M}}{\rm{ODE}},\theta ]$                  ▹ Homodyne measurement on mode MODE $\in \{0,1\}$ with respect to local-oscillator phase θ; replaces ρ by some $\left|x\right\rangle \left\langle x\right|$ with probability $\left\langle x\right|\rho \left|x\right\rangle$

Output:

${\rm{E}}{\rm{ST}}\mathrm{QMI}\in {{\mathbb{R}}}^{+}$                 ▹ Estimated QMI

procedure EstimateQMI,Tol,$T,{\rho }^{\otimes T},\sigma ,{\rm{H}}{\rm{OM}}{\rm{M}}{\rm{EAS}}[\rho ,x,{\rm{M}}{\rm{ODE}},\theta ]$

for i from 1 to 2 do

for j from 1 to 2 do

${\rm{C}}{\rm{OV}}{\rm{R}}{\rm{ECON}}\left[{ij}\right]\leftarrow 0$                  ▹ Initialize covariance matrix for the players' reconstructed state including position-position, position-momentum, momentum-position and momentum-momentum

${\rm{C}}{\rm{OV}}{\rm{R}}{\rm{EF}}\left[{ij}\right]\leftarrow 0$                  ▹ Initialize covariance matrix for the reference state including position-position, position-momentum, momentum-position and momentum-momentum

end for

end for

for i from 1 to 4 do

${\rm{H}}{\rm{OM}}{\rm{R}}{\rm{ESULT}}\left[i\right]\leftarrow 0$                  ▹ Initialize vector comprising sums of in-phase and out-of-phase homodyne measurements of modes 0 and 1

for j from 1 to 4 do

${\rm{C}}{\rm{OV}}{\rm{R}}{\rm{EC}}{\rm{R}}{\rm{EF}}\left[{ij}\right]\leftarrow 0$                 ▹ Initialize joint reconstructed-reference covariance matrix including position-position, position-momentum, momentum-position and momentum-momentum

SecondMom $\left[{ij}\right]\leftarrow 0$                  ▹ Second-moment matrix defined in equation (91)

end for

end for

$\varepsilon \leftarrow \unicode{x02308}\sigma \sqrt{\tfrac{1}{l\left(1-{\left(1-{\rm{TOL}}\right)}^{1/14}\right)}}\unicode{x02309}$                 ▹ Maximum estimation error of measurement results expectation values with a least probability ${\rm{T}}{\rm{OL}}$

$l\leftarrow 0$                 ▹ Number of times that the referee performs the sufficiency test

${\rm{RHO}}\leftarrow \rho$                  ▹ Initialize ${\rm{RHO}}$ to the first of input ${\rho }^{\otimes T}$

${\epsilon }_{\mathrm{QMI}}\leftarrow 2\epsilon$                  ▹ Initialize to any value greater than

for r from 1 to T

while ${\epsilon }_{\mathrm{QMI}}\gt \epsilon$ do

$l\leftarrow l+1$                 ▹ Increment the sufficiency-test counter

if $14l\gt T$ then                 ▹ Referee measures 14 copies before ascertaining sufficiency

return Fail

Exit                 ▹ Abort procedure if fewer than 14 copies remain

end if

if $r-1$ mod 14 = 0                  ▹ Measure one of T copies of ρ

Call ${\rm{H}}{\rm{OM}}{\rm{M}}{\rm{EAS}}$ $({\rm{R}}{\rm{HO}},x,0,0)$                 ▹ In-phase homodyne measurement of the reconstructed state

${\rm{H}}{\rm{OM}}{\rm{R}}{\rm{ESULT}}[1]\leftarrow {\rm{H}}{\rm{OM}}{\rm{R}}{\rm{ESULT}}[1]+x$                  ▹ Sum detection outcomes

else if $r-2$ mod 14 = 0                 ▹ Measure one of T copies of ρ

Call HOMMEAS $({\rm{R}}{\rm{HO}},x,0,\tfrac{\pi }{2})$                  ▹ Out-of-phase homodyne measurement of the reconstructed state

${\rm{H}}{\rm{OM}}{\rm{R}}{\rm{ESULT}}[2]\leftarrow {\rm{H}}{\rm{OM}}{\rm{R}}{\rm{ESULT}}[2]+x$                 ▹ Sum detection outcomes

else if $r-3$ mod 14 = 0                 ▹ Measure one of T copies of ρ

Call ${\rm{H}}{\rm{OM}}{\rm{M}}{\rm{EAS}}({\rm{R}}{\rm{HO}},x,1,0)$                  ▹ In-phase homodyne measurement of the reference state

${\rm{H}}{\rm{OM}}{\rm{R}}{\rm{ESULT}}[3]\leftarrow {\rm{H}}{\rm{OM}}{\rm{R}}{\rm{ESULT}}[3]+x$                 ▹ Sum detection outcomes

else if $r-4$ mod 14 = 0                 ▹ Measure one of T copies of ρ

Call HOMMEAS $({\rm{R}}{\rm{HO}},x,1,\tfrac{\pi }{2})$                  ▹ Out-of-phase homodyne measurement of the reference state

${\rm{H}}{\rm{OM}}{\rm{R}}{\rm{ESULT}}[4]\leftarrow {\rm{H}}{\rm{OM}}{\rm{R}}{\rm{ESULT}}[4]+x$                 ▹ Sum detection outcomes

else if $r-5$ mod 14 = 0 then                 ▹ Measure one of T copies of ρ

Call HOMMEAS $({\rm{R}}{\rm{HO}},x,0,0)$                  ▹ In-phase homodyne measurement of the reconstructed state

${\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[11]\leftarrow {\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[11]+2{x}^{2}$

else if $r-6$ mod 14 = 0 then                 ▹ Measure one of T copies of ρ

Call HOMMEAS $({\rm{R}}{\rm{HO}},x,0,0)$                  ▹ In-phase homodyne measurement of the reconstructed state

$y\leftarrow x$

Call HOMMEAS $({\rm{R}}{\rm{HO}},x,1,0)$                  ▹ In-phase homodyne measurement of the reference state

${\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[13]\leftarrow {\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[13]+2{xy}$

${\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[31]\leftarrow {\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[13]$

else if $r-7$ mod 14 = 0 then                 ▹ Measure one of T copies of ρ

Call HOMMEAS $({\rm{R}}{\rm{HO}},x,0,0)$                  ▹ In-phase homodyne measurement of the reconstructed state

$y\leftarrow x$

Call HOMMEAS $\left({\rm{R}}{\rm{HO}},x,1,\tfrac{\pi }{2}\right)$                  ▹ Out-of-phase homodyne measurement of the reference state

${\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[14]\leftarrow {\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[14]+2{xy}$

${\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[41]\leftarrow {\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[14]$

else if $r-8$ mod 14 = 0 then                 ▹ Measure one of T copies of ρ

Call HOMMEAS $\left({\rm{R}}{\rm{HO}},x,0,\tfrac{\pi }{2}\right)$                  ▹ Out-of-phase homodyne measurement of the reconstructed state

${\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[22]\leftarrow {\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[22]+2{x}^{2}$

else if $r-9$ mod 14 = 0 then                 ▹ Measure one of T copies of ρ

Call HOMMEAS $\left({\rm{R}}{\rm{HO}},x,0,\tfrac{\pi }{2}\right)$                 ▹ Out-of-phase homodyne measurement of the reconstructed state

$y\leftarrow x$

Call HOMMEAS $({\rm{R}}{\rm{HO}},x,1,0)$                 ▹ In-phase homodyne measurement of the reference state

${\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[23]\leftarrow {\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[23]+2{xy}$

${\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[32]\leftarrow {\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[23]$

else if $r-10$ mod 14 = 0 then                 ▹ Measure one of T copies of ρ

Call HOMMEAS $\left({\rm{R}}{\rm{HO}},x,0,\tfrac{\pi }{2}\right)$                  ▹ Out- of-phase homodyne measurement of the reconstructed state

$y\leftarrow x$

Call HOMMEAS $\left({\rm{R}}{\rm{HO}},x,1,\tfrac{\pi }{2}\right)$                  ▹ Out-of-phase homodyne measurement of the reference state

${\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[24]\leftarrow {\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[24]+2{xy}$

${\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[42]\leftarrow {\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[24]$

else if $r-11$ mod 14 = 0 then                 ▹ Measure one of T copies of ρ

Call HOMMEAS $({\rm{R}}{\rm{HO}},x,1,0)$                  ▹ In-phase homodyne measurement of the reference state

${\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[33]\leftarrow {\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[33]+2{x}^{2}$

else if $r-12$ mod 14 = 0 then                 ▹ Measure one of T copies of ρ

Call HOMMEAS $\left({\rm{R}}{\rm{HO}},x,1,\tfrac{\pi }{2}\right)$                  ▹ Out-of-phase homodyne measurement of the reference state

${\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[44]\leftarrow {\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[44]+2{x}^{2}$

else if $r-13$ mod 14 = 0 then                 ▹ Measure one of T copies of ρ

Call HOMMEAS $\left({\rm{R}}{\rm{HO}},x,0,\tfrac{\pi }{4}\right)$                 ▹ Homodyne measurement of the reconstructed state with respect to local-oscillator phase $\tfrac{\pi }{4}$

${\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[12]$ = $2{x}^{2}-{\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}{[11]}^{2}-{\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}{[22]}^{2}$

${\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[21]\leftarrow {\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[12]$

else $r-14$ mod 14 = 0                  ▹ Measure one of T copies of ρ

Call HOMMEAS $\left({\rm{R}}{\rm{HO}},x,1,\tfrac{\pi }{4}\right)$                  ▹ Homodyne measurement of the reference state with respect to local-oscillator phase $\tfrac{\pi }{4}$

${\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[34]$ = $2{x}^{2}-{\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}{[33]}^{2}-{\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}{[44]}^{2}$

${\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[43]\leftarrow {\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[34]$

end if

for i from 1 to 4 do

for j from i to 4 do

${\rm{C}}{\rm{OV}}{\rm{R}}{\rm{EC}}{\rm{R}}{\rm{EF}}\left[{ij}\right]\leftarrow \tfrac{1}{l}\left({\rm{S}}{\rm{ECOND}}{\rm{M}}{\rm{OM}}[{ij}]-{\rm{H}}{\rm{OM}}{\rm{R}}{\rm{ESULT}}[i]{\rm{H}}{\rm{OM}}{\rm{R}}{\rm{ESULT}}[j]\right)$

${\rm{C}}{\rm{OV}}{\rm{R}}{\rm{EC}}{\rm{R}}{\rm{EF}}\left[{ij}\right]\leftarrow {\rm{COVRECREF}}\left[{ji}\right]$

end for

end for

for i from 1 to 2

for j from 1 to 2

${\rm{C}}{\rm{OV}}{\rm{R}}{\rm{ECON}}\left[{ij}\right]\leftarrow {\rm{COVRECON}}\left[{ij}\right]$

${\rm{C}}{\rm{OV}}{\rm{R}}{\rm{EF}}\left[{ij}\right]\leftarrow {\rm{COVRECON}}\left[i+2j+2\right]$

end for

end for

$$\begin{eqnarray}&&{\varepsilon }_{\max }\leftarrow \displaystyle \frac{\varepsilon }{l}{\max }_{{ij}}\sqrt{1+{\left({\rm{H}}{\rm{OM}}{\rm{R}}{\rm{ESULT}}\left[i\right]\right)}^{2}+{\left({\rm{H}}{\rm{OM}}{\rm{R}}{\rm{ESULT}}\left[j\right]\right)}^{2}}\end{eqnarray} \tag{ 95 }$$ $$\begin{eqnarray}&&{\varepsilon }_{\max }\leftarrow \max \left\{{\varepsilon }_{\max },\displaystyle \frac{\varepsilon }{l}\sqrt{4+{\left({\rm{H}}{\rm{OM}}{\rm{R}}{\rm{ESULT}}\left[1\right]\right)}^{2}+{\left({\rm{H}}{\rm{OM}}{\rm{R}}{\rm{ESULT}}\left[2\right]\right)}^{2}},\right.\end{eqnarray} \tag{ 96 }$$ $$\begin{eqnarray}&&\left.\displaystyle \frac{\varepsilon }{l}\sqrt{4+{\left({\rm{H}}{\rm{OM}}{\rm{R}}{\rm{ESULT}}\left[3\right]\right)}^{2}+{\left({\rm{H}}{\rm{OM}}{\rm{R}}{\rm{ESULT}}\left[4\right]\right)}^{2}}\right\}\end{eqnarray} \tag{ 97 }$$

▹ Via standard error propagation method

${\epsilon }_{\mathrm{QMI}}\leftarrow {\sum }_{{\rm{Q}}=\mathrm{Rp},{\rm{p}},{\rm{R}}}\ {{\rm{H}}}_{\mathrm{vN},\mathrm{error}}^{\mathrm{upper}}\left({{\bf{V}}}^{{\rm{e}},{\rm{Q}}},\right.\left.{\varepsilon }_{\max }\right)$                 ▹ See algorithm 2

end while

end for

return ${\rm{E}}{\rm{ST}}\mathrm{QMI}\leftarrow {\sum }_{{\rm{Q}}={\rm{R}},{\rm{p}}}\ \mathrm{vonNeumannH}({{\bf{V}}}^{{\rm{e}},{\rm{Q}}})-\mathrm{vonNeumannH}({{\bf{V}}}^{{\rm{e}},\mathrm{Rp}})$                 ▹ see algorithm 1

end procedure

Algorithm 4. Certification of RQSS protocols.

Input:

$T\in {\mathbb{N}}$                  ▹ Number of trials for each instance

${I}_{{\rm{T}}}^{{ \mathcal F }}\in {{\mathbb{R}}}^{+}$                  ▹ Threshold quantum mutual information for the forbidden structure

${I}_{{\rm{T}}}^{{ \mathcal A }}\in {{\mathbb{R}}}^{+}$                  ▹ Threshold quantum mutual information for all authorized structures

$\epsilon \in {{\mathbb{R}}}^{+}$                  ▹ Estimation error bound of estimated QMI

${\rm{T}}{\rm{OL}}\in 0,1/2)$                  ▹ Maximum failure probability

$P\in {\mathbb{N}}$                  ▹ Cardinality of the set of players

${\rm{F}}\left[J\right]\in \{0,1,2\}$                 ▹ Returns $J\mathrm{th}$ power set of players structure claimed by the dealer (78)

${\displaystyle \bigotimes }_{J=1}^{{2}^{P}-1}{\rho }_{J}^{\otimes T}\in { \mathcal B }\left({L}^{2}({{\mathbb{R}}}^{{2}^{P}T}\right)$                 ▹ ${\rho }_{J}$ is the joint state for the reference and players' reconstructed state for $J\mathrm{th}$ subset of players

$\sigma \in {{\mathbb{R}}}^{+}$                  ▹ A uniform upper bound on the standard deviations of measurement results

${\rm{H}}{\rm{OM}}{\rm{M}}{\rm{EAS}}[\rho ,x,{\rm{M}}{\rm{ODE}},\theta ]$                  ▹ Homodyne measurement on mode MODE $\in \{0,1\}$ with respect to local-oscillator phase θ; replaces ρ by some $\left|x\right\rangle \left\langle x\right|$ with probability $\left\langle x\right|\rho \left|x\right\rangle$

Output:

$b\in \{0,1\}$                 ▹ Certify (b = 1) or not certify (b = 0)

Procedure Certification${I}_{{\rm{T}}}^{{ \mathcal F }},{I}_{{\rm{T}}}^{{ \mathcal A }},\epsilon ,P,{\displaystyle \bigotimes }_{J=1}^{{2}^{P}-1}{\rho }_{J}^{\otimes T},{\rm{F}}[J],\sigma ,{\rm{TOL}},{\rm{H}}{\rm{OM}}{\rm{M}}{\rm{EAS}}[\rho ,x,{\rm{M}}{\rm{ODE}},\theta ]$

$c\leftarrow {\rm{F}}\left[1\right]$                 ▹ initialize the structure of power-set elements based on referees' test to ${\rm{F}}\left[1\right]$

${\rm{PASS}}\leftarrow 0$                  ▹ initialize the number of power-set elements that pass the test

for J from 1 to ${2}^{P}-1$ do

${\rm{E}}{\rm{ST}}\mathrm{QMI}\leftarrow {\rm{ESTIMATEQMI}}\left(\epsilon ,{\rm{TOL}},T,{\rho }_{J}^{\otimes T},\sigma ,{\rm{H}}{\rm{OM}}{\rm{M}}{\rm{EAS}}[\rho ,x,{\rm{M}}{\rm{ODE}},\theta ]\right)$                 ▹ see algorithm 3.

if

$$\begin{eqnarray}&&{\rm{ESTQMI}}\gt {I}_{{\rm{T}}}^{{ \mathcal A }}+\epsilon ,\end{eqnarray} \tag{ 98 }$$

then

$c\leftarrow 2$

else if $$\begin{eqnarray}&&{I}_{{\rm{T}}}^{{ \mathcal F }}-\epsilon \lt {\rm{ESTQMI}}\lt {I}_{{\rm{T}}}^{{ \mathcal A }}+\epsilon ,\end{eqnarray} \tag{ 99 }$$     then

$c\leftarrow 1$

else

$c\leftarrow 0$

end if

if $c={\rm{f}}[J]$ then ${\rm{PASS}}\leftarrow {\rm{PASS}}+1$

else

Exit                 ▹ Halt

end if

end for

if ${\rm{PASS}}={2}^{P}$then

$b\leftarrow 1$.

else

$b\leftarrow 0$.

end if

return b

end procedure

Proposition 1. Algorithm 3 ensures

$$\begin{eqnarray}&&\mathrm{pr}\left[\left|{I}_{{\rm{e}}}\left(X;R\right)-I\left(X;R\right)\right|\leqslant {\epsilon }_{\mathrm{QMI}}\right]\geqslant 1-\beta ,\end{eqnarray} \tag{ 100 }$$

and

$$\begin{eqnarray}&&{\epsilon }_{\mathrm{QMI}}\in O\left(\displaystyle \frac{1}{\sqrt{N}}\right)\end{eqnarray} \tag{ 101 }$$

for N the number of rounds.

Proof. Using Chebyshev's inequality [13],

$$\begin{eqnarray}&&\mathrm{pr}\left[\left|{\bar{{\boldsymbol{G}}}}_{{ij}}-{\mathbb{E}}\left({{\boldsymbol{G}}}_{{ij}}\right)\right|\geqslant \epsilon \right]\leqslant \displaystyle \frac{{\sigma }^{2}}{{\epsilon }^{2}l},\end{eqnarray} \tag{ 102 }$$

$$\begin{eqnarray}&&\mathrm{pr}\left[\left|{\bar{{\boldsymbol{C}}}}_{i}-{\mathbb{E}}\left({{\boldsymbol{C}}}_{i}\right)\right|\geqslant \epsilon \right]\leqslant \displaystyle \frac{{\sigma }^{2}}{{\epsilon }^{2}l}.\end{eqnarray} \tag{ 103 }$$

Equations (102) and (103) equivalently are

$$\begin{eqnarray}&&\mathrm{pr}\left[\left|{\bar{{\boldsymbol{G}}}}_{{ij}}-{\mathbb{E}}\left({{\boldsymbol{G}}}_{{ij}}\right)\right|\leqslant \epsilon \right]\geqslant 1-\displaystyle \frac{{\sigma }^{2}}{{\epsilon }^{2}l},\end{eqnarray} \tag{ 104 }$$

$$\begin{eqnarray}&&\mathrm{pr}\left[\left|{\bar{{\boldsymbol{C}}}}_{i}-{\mathbb{E}}\left({{\boldsymbol{C}}}_{i}\right)\right|\leqslant \epsilon \right]\geqslant 1-\displaystyle \frac{{\sigma }^{2}}{{\epsilon }^{2}l}.\end{eqnarray} \tag{ 105 }$$

Assigning

$$\begin{eqnarray}&&\epsilon \leftarrow \unicode{x02308}\displaystyle \frac{\sigma }{\sqrt{l\left(1-{\left(1-\beta \right)}^{\tfrac{1}{14}}\right)}}\unicode{x02309}\end{eqnarray} \tag{ 106 }$$

and assuming an independent identically distributed (iid) protocol delivers

$$\begin{eqnarray}&&\mathrm{pr}\left[\forall i,j:\left|{\bar{{\boldsymbol{C}}}}_{i}-{\mathbb{E}}\left({{\boldsymbol{C}}}_{i}\right)\right|\wedge \left|{\bar{{\boldsymbol{G}}}}_{{ij}}-{\mathbb{E}}\left({{\boldsymbol{G}}}_{{ij}}\right)\right|\leqslant \epsilon \right]\geqslant 1-\beta .\end{eqnarray} \tag{ 107 }$$

Let ${\epsilon }_{\max }$ be the maximum estimation error of estimated covariance matrix, which is calculated in terms of  (106) via standard error propagation methods. In the following we give an upper bound on the estimation error of quantum mutual information in terms of ${\epsilon }_{\max }$. In order to do so, we introduce some helpful notation and theorems used in our proofs.

For any two Gaussian states with corresponding covariance matrices ${{\boldsymbol{V}}}_{{\rm{A}}}$ and ${{\boldsymbol{V}}}_{{\rm{B}}}$, the entropy difference is bounded by [42]

$$\begin{eqnarray}&&\left|{H}_{\mathrm{vN}}\left({{\boldsymbol{V}}}_{{\rm{A}}}\right)-{H}_{\mathrm{vN}}\left({{\boldsymbol{V}}}_{{\rm{B}}}\right)\right|\leqslant \kappa \left({{\boldsymbol{V}}}_{{\rm{A}}}\right)K\parallel {{\boldsymbol{V}}}_{{\rm{A}}}-{{\boldsymbol{V}}}_{{\rm{B}}}{\parallel }_{1},\end{eqnarray} \tag{ 108 }$$

for

$$\begin{eqnarray}&&K:= 1+\mathrm{log}\left[\max \left(\parallel {{\boldsymbol{V}}}_{{\rm{A}}}{\parallel }_{\infty },\displaystyle \frac{1}{2}\left(\parallel {{\boldsymbol{V}}}_{{\rm{A}}}^{-1}{\parallel }_{\infty }^{-1}-1\right)\right)\right].\end{eqnarray} \tag{ 109 }$$

Also

$$\begin{eqnarray}&&{\parallel {{\boldsymbol{A}}}^{-1}\parallel }_{\infty }^{-1}\leqslant {\parallel {\boldsymbol{A}}\parallel }_{\infty },\end{eqnarray} \tag{ 110 }$$

holds for any covariance matrix ${\boldsymbol{A}}$ [43]. Hence,

$$\begin{eqnarray}&&\displaystyle \frac{1}{2}\left({\parallel {{\boldsymbol{A}}}^{-1}\parallel }_{\infty }^{-1}-1\right)\leqslant {\parallel {\boldsymbol{A}}\parallel }_{\infty }.\end{eqnarray} \tag{ 111 }$$

By substituting equation (111) into (109), we obtain the perturbation bound

$$\begin{eqnarray}&&\left|{H}_{\mathrm{vN}}\left({{\boldsymbol{V}}}_{{\rm{A}}}\right)-{H}_{\mathrm{vN}}\left({{\boldsymbol{V}}}_{{\rm{B}}}\right)\right|\leqslant \kappa \left({{\boldsymbol{V}}}_{{\rm{A}}}\right)\parallel {{\boldsymbol{V}}}_{{\rm{A}}}-{{\boldsymbol{V}}}_{{\rm{B}}}{\parallel }_{1}\left(1+\mathrm{log}\left(\parallel {{\boldsymbol{V}}}_{{\rm{A}}}{\parallel }_{\infty }\right)\right).\end{eqnarray} \tag{ 112 }$$

For any ${\rm{Q}}\in \{{\rm{R}},{\rm{P}},\mathrm{RP}\}$, let ${{\boldsymbol{V}}}^{{\rm{e}},{\rm{Q}}}$ and ${{\boldsymbol{V}}}^{{\rm{Q}}}$ be the estimated and real covariance matrices, respectively. Then

$$\begin{eqnarray}&&{\parallel {{\boldsymbol{V}}}^{{\rm{e}},{\rm{Q}}}\parallel }_{\infty }\leqslant {\parallel {\boldsymbol{U}}\parallel }_{\infty }{\parallel {\boldsymbol{\Sigma }}\parallel }_{\infty }{\parallel {\boldsymbol{V}}\parallel }_{\infty }\leqslant {\sigma }_{\max ,{\rm{e}},{\rm{Q}}}\dim {{\boldsymbol{V}}}^{{\rm{e}},{\rm{Q}}}.\end{eqnarray} \tag{ 113 }$$

Also

$$\begin{eqnarray}&&{\parallel {{\boldsymbol{V}}}^{{\rm{Q}}}-{{\boldsymbol{V}}}^{{\rm{e}},{\rm{Q}}}\parallel }_{1}\leqslant {\varepsilon }_{\max }\dim {{\boldsymbol{V}}}^{{\rm{e}},{\rm{Q}}}.\end{eqnarray} \tag{ 114 }$$

Furthermore, let us define

$$\begin{eqnarray}&&{\rm{\Delta }}{H}_{\mathrm{vN}}\left({\rm{Q}}\right):= {H}_{\mathrm{vN}}\left({{\boldsymbol{V}}}^{{\rm{Q}}}\right)-{H}_{\mathrm{vN}}\left({{\boldsymbol{V}}}^{{\rm{e}},{\rm{Q}}}\right),\end{eqnarray} \tag{ 115 }$$

and

$$\begin{eqnarray}&&{\rm{\Delta }}I\left(X\right)=I\left(X;R\right)-{I}_{{\rm{e}}}\left(X;R\right).\end{eqnarray} \tag{ 116 }$$

Thus,

$$\begin{eqnarray}&&{\rm{\Delta }}I\left({X}\right)={\rm{\Delta }}{H}_{\mathrm{vN}}\left({X}\right)+{\rm{\Delta }}{H}_{\mathrm{vN}}\left({R}\right)-{\rm{\Delta }}{H}_{\mathrm{vN}}\left({RX}\right).\end{eqnarray} \tag{ 117 }$$

Due to the triangle inequality,

$$\begin{eqnarray}&&\left|{\rm{\Delta }}I\left({X}\right)\right|\leqslant \left|{\rm{\Delta }}{H}_{\mathrm{vN}}\left({X}\right)\right|+\left|{\rm{\Delta }}{H}_{\mathrm{vN}}\left({R}\right)\right|+\left|{\rm{\Delta }}{H}_{\mathrm{vN}}\left({RX}\right)\right|.\end{eqnarray} \tag{ 118 }$$

Each of the terms in the right-hand side of equation (118) is suitably achieved by using equation (112). Substituting equations (114) and (115) into the resultant equation delivers equation (100).

Now we show that ${\epsilon }_{\mathrm{QMI}}$ scales properly with respect to number of rounds. Using the Weyl [44] perturbation bound for singular value decomposition, we conclude

$$\begin{eqnarray}&&\kappa \left({{\boldsymbol{V}}}^{{\rm{e}},{\rm{Q}}}\right),{\sigma }_{\max ,{\rm{e}},{\rm{Q}}}\in O(1),\,{\varepsilon }_{\max }\in O\left(\displaystyle \frac{1}{\sqrt{N}}\right).\end{eqnarray} \tag{ 119 }$$

Therefore, the error bound scales inversely with square root of the number of rounds. Next we prove the algorithm 4 is both sound and complete.□

Proposition 2. 

• (i)  
  If $X\in { \mathcal A }$, algorithm 4 passes with probability at least $1-\beta$ and
• (ii)  
  if $X\notin { \mathcal A }$ then the algorithm fails with probability at least $1-\beta$.

Proof. We show cases (i) and (ii) in sequence.

Case (i): We first recall that

$$\begin{eqnarray}&&X\in { \mathcal A }\Longrightarrow I\left(X;R\right)\geqslant {I}_{{\rm{T}}}^{{ \mathcal A }}+\delta .\end{eqnarray} \tag{ 120 }$$

Also

$$\begin{eqnarray}&&\mathrm{pr}\left[\left|I\left(X;R\right)-{I}_{{\rm{e}}}\left(X;R\right)\right|\leqslant \epsilon \right]\geqslant 1-\beta .\end{eqnarray} \tag{ 121 }$$

Therefore,

$$\begin{eqnarray}&&\mathrm{pr}\left[{I}_{{\rm{T}}}^{{ \mathcal A }}+\delta -\epsilon \leqslant {I}_{{\rm{e}}}\left(X;R\right)\right]\geqslant 1-\beta .\end{eqnarray} \tag{ 122 }$$

As $\delta -\epsilon \geqslant \epsilon$, we conclude

$$\begin{eqnarray}&&\mathrm{pr}\left[{I}_{{\rm{T}}}^{{ \mathcal A }}+\epsilon \leqslant {I}_{{\rm{e}}}\left(X;R\right)\right]\geqslant 1-\beta .\end{eqnarray} \tag{ 123 }$$

Thus, algorithm 4 accepts with probability at least $1-\beta$ if $X\in { \mathcal A }$.

Case (ii): We note that

$$\begin{eqnarray}&&\mathrm{pr}\left[{I}_{{\rm{e}}}\left(X;R\right)-\epsilon \leqslant I\left(X;R\right)\right]\geqslant 1-\beta .\end{eqnarray} \tag{ 124 }$$

Therefore, substituting equation (83) into (124) delivers

$$\begin{eqnarray}&&\mathrm{pr}\left[{I}_{{\rm{e}}}\left(X;R\right)\lt {I}_{{\rm{T}}}^{{ \mathcal A }}+\epsilon \right]\geqslant 1-\beta .\end{eqnarray} \tag{ 125 }$$

Thus, algorithm 4 rejects with probability at least $1-\beta$ if $X\notin { \mathcal A }$.□

Proposition 3. 

• (i)  
  If $X\in { \mathcal F }$, then algorithm 4 accepts with probability at least $1-\beta$ and
• (ii)  
  if $X\notin { \mathcal F }$ then algorithm 4 rejects with probability at least $1-\beta$.

Proof. We show cases (i) and (ii) in sequence.

Case (i):

$$\begin{eqnarray}&&X\in { \mathcal F }\Longrightarrow I\left(X;R\right)\leqslant {I}_{{\rm{T}}}^{{ \mathcal F }}-\delta .\end{eqnarray} \tag{ 126 }$$

Also

$$\begin{eqnarray}&&\mathrm{pr}\left[\left|I\left(X;R\right)-{I}_{{\rm{e}}}\left(X;R\right)\right|\leqslant \epsilon \right]\geqslant 1-\beta .\end{eqnarray} \tag{ 127 }$$

Therefore,

$$\begin{eqnarray}&&\mathrm{pr}\left[{I}_{{\rm{e}}}\left(X;R\right)\leqslant I\left(X;R\right)+\epsilon \right]\geqslant 1-\beta .\end{eqnarray} \tag{ 128 }$$

Substituting equation (126) in (128) delivers

$$\begin{eqnarray}&&\mathrm{pr}\left[{I}_{{\rm{e}}}\left(X;R\right)\leqslant {I}_{{\rm{T}}}^{{ \mathcal F }}-\delta +\epsilon \right]\geqslant 1-\beta .\end{eqnarray} \tag{ 129 }$$

As $\delta -\epsilon \geqslant \epsilon$, we conclude

$$\begin{eqnarray}&&\mathrm{pr}\left[{I}_{{\rm{e}}}\left(X;R\right)\leqslant {I}_{{\rm{T}}}^{{ \mathcal F }}-\epsilon \right]\geqslant 1-\beta .\end{eqnarray} \tag{ 130 }$$

Thus, algorithm 4 accepts with probability at least $1-\beta$ if $X\in { \mathcal F }$.

Case (ii):

$$\begin{eqnarray}&&\mathrm{pr}\left[I\left(X;R\right)-\epsilon \leqslant {I}_{{\rm{e}}}\left(X;R\right)\right]\geqslant 1-\beta .\end{eqnarray} \tag{ 131 }$$

Substituting equation (86) into (128) delivers

$$\begin{eqnarray}&&\mathrm{pr}\left[{I}_{{\rm{T}}}^{{ \mathcal F }}-\epsilon \leqslant {I}_{{\rm{e}}}\left(X;R\right)\right]\geqslant 1-\beta .\end{eqnarray} \tag{ 132 }$$

Thus, algorithm 4 rejects with probability at least $1-\beta$ if $X\notin { \mathcal F }$.□

Proposition 4. 

• (i)  
  If $X\in { \mathcal I }$, then algorithm 4 accepts with probability at least $1-\beta$ and
• (ii)  
  $X\notin { \mathcal I }$ then algorithm 4 rejects with probability at least $1-\beta$.

Proof. We show cases (i) and (ii) in sequence.

Case (i):

$$\begin{eqnarray}&&X\in { \mathcal I }\Longrightarrow {I}_{{\rm{T}}}^{{ \mathcal F }}\lt I\left(X;R\right)\lt {I}_{{\rm{T}}}^{{ \mathcal A }}.\end{eqnarray} \tag{ 133 }$$

Also

$$\begin{eqnarray}&&\mathrm{pr}\left[\left|I\left(X;R\right)-{I}_{{\rm{e}}}\left(X;R\right)\right|\leqslant \epsilon \right]\geqslant 1-\beta .\end{eqnarray} \tag{ 134 }$$

Therefore,

$$\begin{eqnarray}&&\mathrm{pr}\left[I\left({X};{R}\right)-\epsilon \leqslant {I}_{{\rm{e}}}\left({X};{R}\right)\leqslant I\left({X};{R}\right)+\epsilon \right]\geqslant 1-\beta .\end{eqnarray} \tag{ 135 }$$

Substituting equation (133) into (135) delivers

$$\begin{eqnarray}&&\mathrm{pr}\left[{I}_{{\rm{T}}}^{{ \mathcal F }}-\epsilon \leqslant {I}_{{\rm{e}}}\left(X;R\right)\leqslant {I}_{{\rm{T}}}^{{ \mathcal A }}+\epsilon \right]\geqslant 1-\beta .\end{eqnarray} \tag{ 136 }$$

Thus, algorithm 4 accepts with probability at least $1-\beta$ if $X\in { \mathcal I }$.

Case (ii):

$$\begin{eqnarray}&&\mathrm{pr}\left[{I}_{{\rm{e}}}\left(X;R\right)-\epsilon \leqslant I\left(X;R\right)\right]\geqslant 1-\beta ,\end{eqnarray} \tag{ 137 }$$

and

$$\begin{eqnarray}&&\mathrm{pr}\left[I\left(X;R\right)\leqslant {I}_{{\rm{e}}}\left(X;R\right)+\epsilon \right]\geqslant 1-\beta .\end{eqnarray} \tag{ 138 }$$

Substituting equations (87) and (88) into equations (137) and (138), respectively, delivers

$$\begin{eqnarray}&&\mathrm{pr}\left[{I}_{{\rm{e}}}\left(X;R\right)\leqslant {I}_{{\rm{T}}}^{{ \mathcal F }}-\delta +\epsilon \right]\geqslant 1-\beta ,\end{eqnarray} \tag{ 139 }$$

and

$$\begin{eqnarray}&&\mathrm{pr}\left[{I}_{{\rm{T}}}^{{ \mathcal A }}\leqslant {I}_{{\rm{e}}}\left(X;R\right)-\delta +\epsilon \right]\geqslant 1-\beta .\end{eqnarray} \tag{ 140 }$$

As $\delta -\epsilon \geqslant \epsilon$, we conclude

$$\begin{eqnarray}&&\mathrm{pr}\left[{I}_{{\rm{e}}}\left(X;R\right)\leqslant {I}_{{\rm{T}}}^{{ \mathcal F }}-\epsilon \right]\geqslant 1-\beta ,\end{eqnarray} \tag{ 141 }$$

and

$$\begin{eqnarray}&&\mathrm{pr}\left[{I}_{{\rm{T}}}^{{ \mathcal A }}+\epsilon \leqslant {I}_{{\rm{e}}}\left(X;R\right)\right]\geqslant 1-\beta .\end{eqnarray} \tag{ 142 }$$

Thus, algorithm 4 rejects with probability at least $1-\beta$ if $X\notin { \mathcal I }$.□