An Efficient Simulation of Quantum Secret Sharing

1 Introduction

A dealer shares a secret with $n$ players in secret sharing $(S S)$ , and when the secret needs to be reconstructed, the threshold number of players can do so collaboratively. The quantum secret sharing hillery1999quantum ; bao2009threshold ; yang2013secret ; Gang4 ; lu2018verifiable ; lau2013quantum ; Hao ; mashhadi2016fairly ; dehkordi2019proactive ; mashhadi2017provably ; mashhadi2016share ; mashhadi2016analysis ; mashhadi2020toward ; mashhadi2020csa ; mashhadi2017new ; karimifard2016semiquantum ; charoghchi2021three ; mashhadi2020improvement ; shi2010quantum ; run2010efficient ; shi2011multi ; gyongyosi2019quantum ; sutradhar2020efficient is a fundamental primitive protocol for sharing a secret in quantum cryptography, which may be considered as an extension of secret sharing. The $Q S S$ protocol can be used to create complex multiparty quantum computing protocols that are secure. In the $(n, n)$ threshold $Q S S$ , a dealer shares a secret with $n$ players by dividing it into $n$ bits, known as shares, which are distributed among $n$ players, each of whom has only his share. The secret can be reconstructed by the $n$ players working together. Similarly, in the $(t, n)$ threshold $Q S S$ , a dealer shares a secret with $n$ players by dividing it into $n$ bits and distributing them to the $n$ players. The $t$ players will work together to solve the mystery. Because it protects the quantum threshold and secure quantum multiparty computation, the $Q S S$ is commonly used in quantum threshold cryptography and secure quantum multiparty computation.
Here, we propose a secure $d$ -level $Q S S$ protocol for sharing a secret, where $t$ players can reconstruct the secret without a trusted player. In our protocol, each player knows only his share, even the reconstructor knows only his share. In this protocol, we use some basic operations i.e., protocol-I of Shi et al. shi2016secure , $C N O T$ gate nielsen2002quantum , secure communication Gang1 ; Gang3 ; shi2017quantum ; shi2016efficient ; sun2020toward ; shi2018efficient ; peng2018novel ; zhang2018economic ; luo2018novel ; xu2017nearest ; sutradhar2020hybrid ; sutradhar2020generalized ; sutradhar2021efficient , entangle state Gang2 ; shi2016comment ; shi2016quantum ; dan2016efficient ; shi2016data ; shi2015quantum ; shi2015comments ; shi2013multi ; shi2012multiparty ; shi2012novel ; shi2011efficient ; run2011novel ; shi2011multi ; shi2011asymmetric

, Quantum Fourier Transform

(Q F T)

Nielsen2002 and Inverse Quantum Fourier Transform

(Q F T^{- 1})

Nielsen2002 , to transform the particles. We use a quantum approach in classical secret sharing to combine the benefits of both classical and quantum secret sharing, preventing attacks such as Intercept-Resend (IR), Intercept, Entangle-Measure (EM), Forgery, Collision, and Collusion.

2 Related Work

There are numerous $Q S S$ protocols for secret sharing in quantum cryptography Mashhadi2019 ; mashhadi2012novel ; hillery1999quantum ; bao2009threshold ; mashhadi2012analysis ; yang2013secret ; Gang4 ; lu2018verifiable ; lau2013quantum ; Hao ; dehkordi2008new ; dehkordi2008efficient ; mashhadi2015two ; dehkordi2008verifiable ; mashhadi2017secure ; mashhadi2015computationally ; mashhadi2013novel . In 1999, Hillery et al. discussed the first $Q S S$ protocol hillery1999quantum based on the Greenberger-Home-Zeilinger $(G H Z)$ state. In 2009, Li et al. introduced a $Q S S$ protocol bao2009threshold of secure direct communication. This protocol is $(t, n)$ threshold scheme but $2$ level. In 2013, Yang et al. introduced a $Q S S$ protocol yang2013secret based on the $Q F T$ . This protocol is $d$ -level $(t, n)$ threshold scheme but it is not secure because each player broadcasts the results of the measurement at the last step. Because the measurement results contain information about the secret, if an attacker intercepts the measurement results, he may expose the secret or execute an intercept-resend attack. In 2015, Qin et al. discussed a $Q S S$ protocol qin2015t based on the phase shift operation, which is $2$ -level $(t, n)$ threshold scheme. The protocols bao2009threshold and qin2015t are not secure because the unitary operation transforms the private information of player $P_{e - 1}$ and then the transformed information is transmitted to player $P_{e}$ . So, the players $P_{e - 1}$ and $P_{e + 1}$ collaboratively can retrieve the private information of player $P_{e}$ . In 2017, Song et al. discussed a $(t, n)$ threshold $d$ -level $Q S S$ protocol song2017t based on some basic operations, i.e., $d$ -level $C N O T$ gate, $Q F T$ , generalized Pauli operator, and $Q F T^{- 1}$ . In that protocol, Alice (dealer) selects $B o b_{1}$ as a trusted reconstructor from the set of participants $B = {B o b_{1}, B o b_{2}, \dots, B o b_{n}}$ and then selects a hash function $S H A 1$ eastlake2001us to compute the hash value of the secret (which is to be shared) and sends this hash value to the trusted reconstructor $B o b_{1}$ . Here, $B o b_{1}$ can perform collision attack to reveal the secret. So, the security of this protocol is dependent on the trusted reconstructor $B o b_{1}$ . The main problem of Song et al.’s protocol is that the reconstructor $B o b_{1}$ cannot recover the original secret because $Q F T^{- 1}$ cannot be summed up over all the states CommentKao2018 . In other words, the reconstructor $B o b_{1}$ needs the secret information of other players to reconstruct the original secret. In 2018, Qin et al. Qin2018Multidimensional discussed a $Q S S$ protocol which can efficiently share a secret by using the $Q F T$ and Pauli operator, but it is a $(n, n)$ threshold scheme.

In our protocol, any $t$ players can reconstruct the secret without a trusted player and each player knows only his share, nothing else. Furthermore, the reconstructor is unable to perform the collision attack because the secret’s hash value is shared among the players.

3 Preliminaries

The $Q F T$ , $Q F T - 1$ , Control-NOT $(C N O T)$ gate, and Shamir’s Secret Sharing, which will be used in the proposed $Q S S$ protocol, are all introduced here.

3.1 Quantum Fourier Transform

The $Q F T$ Nielsen2002 , a unitary transform, is based on the quantum phenomenon and expansion of the standard discrete Fourier transform. For $s \in {0, 1, \dots d - 1}$ , the $Q F T$ of $d$ -level quantum system is defined as follows:

Q F T : | s ⟩ \to \frac{1}{\sqrt{d}} d - 1 \sum q = 0 e^{2 π i \frac{s}{d} q} | q ⟩ .

(1)

The $Q F T^{- 1}$ is defined by

Q F T^{- 1} : | q ⟩ \to \frac{1}{\sqrt{d}} d - 1 \sum s = 0 e^{- 2 π i \frac{q}{d} s} | s ⟩ .

(2)

Further,

d - 1 \sum q = 0 e^{2 π i \frac{s}{d} q} = {\begin{matrix} 0 if s \neq 0 m o d d d if s = 0 m o d d \end{matrix}

(3)

So,

\begin{matrix} Q F T^{- 1} (\frac{1}{\sqrt{d}} d - 1 \sum q = 0 e^{2 π i \frac{s}{d} q} | q ⟩) & = \frac{1}{\sqrt{d}} d - 1 \sum q = 0 e^{2 π i \frac{s}{d} q} Q F T^{- 1} | q ⟩ = \frac{1}{d} d - 1 \sum q = 0 | s ⟩ + \frac{1}{d} d - 1 \sum k = 0 \land k \neq s 0. | k ⟩ = | s ⟩ \end{matrix}

(4)

That is,

Q F T^{- 1} (Q F T | s ⟩) = | s ⟩ .

(5)

3.2 Control-NOT $(C n o t)$ gate

The $C N O T$ gate nielsen2002quantum

is a two-qubit gate, one is control qubit and other is target qubit. If the control bit of

C N O T

gate is set to

| 0 ⟩

, then the

N O T

gate would not be applied to the target bit. If the control bit of the

C N O T

gate is set to

| 1 ⟩

, then the

N O T

gate would be applied to the target bit.

3.3 Shamir’s Secret Sharing

In the Shamir’s secret sharing shamir1979share , there are a dealer $D$ and $n$ players $P = {P_{1}, P_{2}, \dots P_{n}}$ . The Shamir’s secret sharing consists of two phases:

3.3.1 Secret Sharing Phase

In this phase, the dealer selects a polynomial $f (x) = S + a_{1} x + a_{2} x^{2} + \dots + a_{t - 1} x^{t - 1}$ of degree $(t - 1)$ , where $S$ is a secret and $a_{1}, a_{2}, \dots, a_{t - 1}$ are coefficients of the polynomial $f (x)$ . The dealer computes $n$ shares and distributes them among $n$ players, each player $P_{i}$ only knows $f (x_{i})$ , where $i = 1, 2, \dots, n$ .

3.3.2 Secret Reconstruction Phase

Using $t$

shares of the secret and the Lagrange interpolation formula,

t

players will jointly reconstruct the secret in this phase.

f (x) = t \sum r = 1 f (x_{r}) \prod 1 \leq j \leq t, j \neq r \frac{x - x_{j}}{x_{r} - x_{j}}

(6)

To calculate the polynomial at $x = 0$ , Eq.(6) can be simplified as

\begin{matrix} f (0) & = t \sum r = 1 f (x_{r}) \prod 1 \leq j \leq t, j \neq r \frac{x_{j}}{x_{j} - x_{r}} \end{matrix}

(7)

4 Proposed Method

We present a $d$ -level $Q S S$ protocol for sharing a secret that allows $t$ players to reconstruct the secret without the help of a trusted player. In comparison to the existing $Q S S$ protocols, such as the $(n, n)$ threshold $2$ -level and $(t, n)$ threshold $d$ -level, which both require a trusted player, this protocol is more secure, versatile, and practical.Furthermore, no information about the secret is revealed to any of the players. There are two stages to the $Q S S$ protocol: secret sharing and secret reconstruction.

4.1 Secret Sharing Phase

In this phase, the dealer $D$ shares the secret among players $P = {P_{1}, P_{2}, \dots P_{n}}$ . Initially, the dealer $D$ selects a prime $d$ such that $2 \leq d \leq 2 n$ and sets a finite field $Z_{d}$ . Then, the dealer $D$ selects a polynomial $f (x) = S + a_{1} x + a_{2} x^{2} + \dots + a_{t - 1} x^{t - 1}$ of degree of $(t - 1)$ , where $S$ is secret, $a_{1}, a_{2}, \dots, a_{t - 1}$ are coefficients of polynomial $f (x) \in Z_{d}$ and the symbol $^{'} +^{'}$ is defined as addition modulo $d$ . The dealer computes the classical shares $f (x i)$ and uses the BB84 protocol to encode these classical shares $f (x i)$ in a qubit string bennett1984update . The qubit string of $f (x_{i})$ is distributed among $n$ players, player $P_{i}$ only knows the share $f (x_{i})$ . In addition, the dealer $D$ selects the $S H A 1$ hash function to compute the hash value $H (S)$ eastlake2001us and shares it among $n$ players using the polynomial $g (x) = H (S) + b_{1} x + b_{2} x^{2} + \dots + b_{t - 1} x^{t - 1}$ . Player $P_{i}$ only knows the share $g (x_{i})$ , where $i = 1, 2, \dots, n$ .

4.2 Secret Reconstruction Phase

Suppose $Q = {P_{1}, P_{2} \dots P_{t}}$ is a qualified subset from all the qualified subsets, where the number of players in each qualified subset is $t$ . The dealer $D$ selects a player from the qualified subset $Q = {P_{1}, P_{2} \dots P_{t}}$ as a reconstructor. Here, the dealer $D$ selects player $P_{1}$ from the qualified subset $Q = {P_{1}, P_{2} \dots P_{t}}$ as a reconstructor. The reconstructor $P_{1}$ only knows his share, nothing else. This reconstructor $P_{1}$ reconstructs the secret and hash value. The process of reconstruction is given as follows:
Step 1: Player $P_{r}$ , $r = 1, 2, \dots, t$ , calculates the shadow $(s_{r})$ of the share as follows.

s_{r} = f (x_{r}) \prod 1 \leq j \leq t, j \neq r \frac{x_{j}}{x_{j} - x_{r}} mod d

(8)

Step 2: Player $P_{1}$ (reconstructor) makes basis state $| s_{1} ⟩_{H}$ , where size of the basis state is $c$ -qubit, $s_{1}$ is his private shadow of the share and $c = ⌈ {log}_{2}^{d} ⌉$ . Then, player $P_{1}$ applies $Q F T$ on the state $| s_{1} ⟩_{H}$ and the resultant state $| φ_{1} ⟩$ is calculated as follows:

\begin{matrix} | φ_{1} ⟩ & = (Q F T | s_{1} ⟩_{H}) = \frac{1}{\sqrt{d}} d - 1 \sum k = 0 e^{2 π i \frac{s_{1}}{d} k} | k ⟩_{H} \end{matrix}

(9)

Step 3: Player $P_{1}$ again makes ancillary state $| 0 ⟩_{T}$ , where size of the ancillary state is $c$ -qubit and $c = ⌈ {log}_{2}^{d} ⌉$ , and then executes $C N O T^{\otimes c}$ operations on the combined state $| φ_{1} ⟩ | 0 ⟩_{T}$ , where the first $c$ -qubits is control qubit and second $c$ -qubits is target qubit. After performing $C N O T^{\otimes c}$ operations, the state $| φ_{1} ⟩$ evolves as an entangled state $| φ_{2} ⟩$ , where subscript $H$ or $T$ represents home state (non-transmitted state) or transmitted state.

(10)

Step 4: Player $P_{1}$ communicates with player $P_{2}$ using the authenticated quantum channel to send the ancillary state $| k ⟩_{T}$ (i.e., second $c$ -qubits).

Step 5: Player $P_{2}$ applies an oracle operator $C_{k}$ on $| k ⟩_{T} | s_{2} ⟩$ , where $C_{k}$ is given by

C_{k} : | k ⟩_{T} | s_{2} ⟩ \to | k ⟩_{T} U^{k} | s_{2} ⟩

(11)

with

U | s_{2} ⟩ = e^{2 π i \frac{s_{2}}{d}} | s_{2} ⟩

(12)

where, $| s_{2} ⟩$

is an eigenvector of

U

with eigenvalue

e^{2 π i \frac{s_{2}}{d}}

. The combined quantum system of

P_{1}

and

P_{2}

is shown as follows.

\begin{matrix} | φ_{3} ⟩ & = C_{k} \frac{1}{\sqrt{d}} d - 1 \sum k = 0 e^{2 π i \frac{s_{1}}{d} k} | k ⟩_{H} | k ⟩_{T} | s_{2} ⟩ = \frac{1}{\sqrt{d}} d - 1 \sum k = 0 e^{2 π i \frac{s_{1} + s_{2}}{d} k} | k ⟩_{H} | k ⟩_{T} | s_{2} ⟩ \end{matrix}

(13)

Step 6: Player $P_{2}$ communicates with player $P_{3}$ through an authenticated quantum channel to send the ancillary state $| k ⟩_{T}$ and keeps $| s_{2} ⟩$ as secret. Player $P_{3}$ performs $t - 1$ times similar process as done by $P_{2}$ . If $t$ players honestly perform the protocol, then the combined quantum state is obtained as shown below.

| φ_{4} ⟩ = \frac{1}{\sqrt{d}} d - 1 \sum k = 0 e^{2 π i (\frac{\sum_{r = 1}^{t} s_{r}}{d}) k} | k ⟩_{H} | k ⟩_{T} | s_{2} ⟩ \dots | s_{t} ⟩ .

(14)

Step 7: The ancillary state $| k ⟩_{T}$ is sent by $P_{t}$ back to $P_{1}$ through an authenticated quantum channel. Player $P_{1}$ again performs $C N O T^{\otimes c}$ operation on his $2 c$ qubits, where the first $c$ -qubits is control qubit and second $c$ -qubits is target qubit. The output state is shown as below.

(15)

Step 8: The second $c$ -qubits (i.e., ancillary state $| 0 ⟩_{T}$ ) is measured by player $P_{1}$ in computational basis. If the output of the measurement is $| 0 ⟩$ , then player $P_{1}$ continues the process; otherwise, he believes that the protocol executes with at least one corrupted player and ends the protocol.

Step 9: Player $P_{1}$ applies $Q F T^{- 1}$ on the first $c$ -qubits and measures the output to get the secret $f (0)^{'} = \sum_{r = 1}^{t} s_{r} m o d d$ .

Step 10: Finally, $t$ players perform all the above nine steps again to get the hash value of the secret and player $P_{1}$ gets the hash value of the secret $g (0)^{'} = \sum_{r = 1}^{t} h_{r} m o d d$ , where $h_{r}$ is the shadow of hash value shares. Player $P_{1}$ uses the hash function $S H A 1$ to compute the hash value $H (f (0)^{'})$ and compares it with the hash value $g (0)^{'}$ . If $(H (f (0)^{'}) = g (0)^{'})$ , then player $P_{1}$ realizes that all $t$ players have performed the reconstruction phase honestly; otherwise, player $P_{1}$ believes that there is at least one corrupted player.

5 Correctness Proof of $(t, n)$ threshold $d$ -level $Q s s$

Here, we prove the correctness of the proposed $(t, n)$ threshold $d$ -level $Q S S$ . We mainly focus on the correctness proof of Step $9$ of secret reconstruction phase.

Lemma 1

If $Q F T^{- 1}$ (as given in Equation 2) is applied to the first $c$ -qubits, then the measurement of the output is secret $(f (0)^{'})$ .

Proof

Applying $Q F T^{- 1}$ to the first $c$ -qubits provides the process of secret recovery as given below:
The original secret $f (0)^{'}$ can be calculated using the Lagrange interpolation and Equation 7 as follows.

\begin{matrix} f (0)^{'} & = f (x_{1}) \prod 1 \leq j \leq t, j \neq 1 \frac{x_{j}}{x_{j} - x_{1}} + \dots + f (x_{t}) \prod 1 \leq j \leq t, j \neq t \frac{x_{j}}{x_{j} - x_{t}} mod d = (s_{1} + \dots + s_{t}) mod d = (t \sum r = 1 s_{r} mod d) \end{matrix}

(16)

Player $P_{1}$ applies $Q F T^{- 1}$ to the first $c$ -qubits.

\begin{matrix} Q F T^{- 1} (\frac{1}{\sqrt{d}} d - 1 \sum k = 0 e^{2 π i (\frac{\sum_{r = 1}^{t} s_{r}}{d}) k} | k ⟩_{H}) & = \frac{1}{\sqrt{d}} d - 1 \sum k = 0 e^{2 π i (\frac{\sum_{r = 1}^{t} s_{r}}{d}) k} Q F T^{- 1} | k ⟩_{H} = ∣ ∣ ∣ t \sum r = 1 s_{r} m o d d ⟩_{H} + \frac{1}{d} d - 1 \sum l = 0 0. | l ⟩_{H} = ∣ ∣ ∣ t \sum r = 1 s_{r} m o d d ⟩_{H} = | f (0)^{'} ⟩_{H} \end{matrix}

(17)

Therefore, if this protocol honestly is executed by $t$ players, the reconstructor $P_{1}$ will get the original secret.

6 Simulation Results

In this protocol, the initiator $P_{1}$ applies $Q F T$ on the $q$ -qubit state and executes $C N O T$ gate. Then, the ancillary qubit is sent to player $P_{2}$ , who applies the oracle operator on the ancillary qubit. Thereafter, player $P_{2}$ sends the ancillary qubit to $P_{3}$ and player $P_{3}$ performs similar process. This process is performed $(t - 1)$ times. After that, the ancillary qubit is sent back to player $P_{1}$ by $P_{t}$ . The player $P_{1}$ performs $C N O T$ and $Q F T^{- 1}$ to get the multiplication. In the secure multiparty quantum multiplication, the Hadamard gate is taken to be the $Q F T$ . After this, the initiator $P_{1}$ performs $Q F T$ on the $c$ -qubit state and executes $C N O T$ gate. Then, $| k ⟩_{T}$ is sent to player $P_{2}$ who applies the oracle operator on $| k ⟩_{T}$ . Thereafter, player $P_{2}$ sends $| k ⟩_{T}$ to $P_{3}$ , who performs similar process. This process is performed $(t - 1)$ times. After that, the ancillary state $| k ⟩_{T}$ is sent back to player $P_{1}$ by $P_{t}$ . Player $P_{1}$ performs $C N O T$ and $Q F T^{- 1}$ to get the multiplication. We have executed this quantum protocol for $(t, n)$ threshold secure multiparty multiplication using the following number of players and qubits:

In simulations $1 - 3$ , we have considered three players with one qubit, three players with two qubits, and three players with three qubits, respectively, and got efficient result after taking $8192$ number of average shots.
In simulations $4 - 6$ , we have considered four players with one qubit, four players with two qubits, and four players with three qubits, respectively, and got efficient result after taking $8192$ number of average shots.
In simulations $7 - 9$ , we have considered fifteen players with one qubit, fifteen players with two qubits, and fifteen players with three qubits, respectively, and got efficient result after taking $8192$ number of average shots.

We got efficient results of multiplication after taking $8192$ number of average shots.

7 Results and Discussion

In this section, we discuss the security and performance analysis of the proposed $(t, n)$ threshold $Q S S$ protocol based on some properties.

7.1 Security Analysis

Here, we analyze the outside (i.e., outside eavesdropper wants to steal the private information of all players) and participant (i.e., attack from one or more dishonest players) attacks. We discuss four types of outside attacks (i.e., Intercept-Resend $(I R)$ , Intercept, Entangle-Measure $(E M)$ and Forgery) and two types of participant attacks (i.e., Collision and Collusion) cai2019cryptanalysis ; ting2009participant ; Wang2008 ; wang2011security ; wang2013cryptanalysis ; wang2017security .

7.1.1 Outside Attack

In this type of attack, an outside eavesdropper wants to steal the private information of all players. We discuss the Intercept-Resend $(I R)$ , Intercept, Entangle-Measure $(E M)$ and Forgery attacks as follows.

Intercept-Resend $(I r)$ Attack:

In intercept-resend attack, a player measures the quantum state, which is sent by another player and replaces this state with his own state and then sends the replacement state to other players. In our proposed protocol, player $P_{1}$ sends the ancillary state $| k ⟩_{T}$ to dishonest player $P_{2}$ through an authenticated quantum channel and player $P_{2}$ wants to eavesdrop $P_{1}$ ’s shadow of the share $s_{1}$ . If the ancillary state measured by dishonest player $P_{2}$ in computational basis $| 0 ⟩, | 1 ⟩, \dots, | d - 1 ⟩$ . The dishonest player $P_{2}$ can succeed to get $| l ⟩_{T}$

with the probability of

1 / d

, but the output of the measurement

k

is totally independent of

P_{1}^{'} s

s_{1}

. Further, player

P_{2}

sends the state

| k ⟩_{T}

to player

P_{3}

. Unfortunately,

k

does not possess any partial information about

P_{1}

’s shadow of the share

s_{1}

. The dishonest player

P_{2}

cannot get any information from the intercepted state, and similarly the dishonest player

P_{3}

cannot get any information from the transmitted state

| k ⟩_{T}

. So, the intercept-resend attack is infeasible.

Intercept Attack:

In this attack, the dishonest player $P_{2}$ wants to eavesdrop $P_{1}$ ’s shadow of the share $s_{1}$ . The dishonest player $P_{2}$ can measure the output of the unitary operator (transformed state) because, based on $Q F T$ , player $P_{2}$ knows that player $P_{1}$ ’s shadow of the share state $| s_{1} ⟩$ has evolved as the ancillary state $| k ⟩_{T}$ . So, $Q F T^{- 1}$ can be performed on the ancillary state $| k ⟩_{T}$ by dishonest player $P_{2}$ to reveal $s_{1}$ . If the ancillary state measured by dishonest player $P_{2}$ in computational basis $| 0 ⟩, | 1 ⟩, \dots, | d - 1 ⟩$ , then $P_{2}$ can succeed to get $| l ⟩_{T}$ with the probability of $1 / d$ , but $P_{2}$ cannot get $P_{1}$ ’s shadow of the share, because the global information cannot be extracted from the limited number of qubits. The entangled systems cannot be disentangled by the limited number of qubits. So, the attacker cannot get any information about $P_{1}$ ’s shadow of the share.

Entangle-Measure $(E m)$ Attack:

The dishonest player $P_{2}$ performs a more complicated entangle-measure attack. Player $P_{2}$ prepares an ancillary state $| 0 ⟩_{P_{2}}$ that gets entangled with the transmitted state $| k ⟩_{T}$ using the local unitary operations. Then, player $P_{2}$ measures the entangle state to get the partial information about player $P_{1}$ ’s shadow of the share. After successful completion of honesty test, it can easily be deduced that $η_{k} = 1$ . After performing ${¯ U}_{T P_{2}}$ , $P_{2}$ sends $| k ⟩_{T}$ back to $P_{1}$ and measures the ancillary system after execution of $C N O T^{\otimes c}$ operation by player $P_{1}$ . If player $P_{2}$ measures the ancillary state $| ϕ (k) ⟩_{P_{2}}$ , $P_{2}$ cannot get any information about $P_{1}$ ’s shadow of the share $s_{1}$ because of entanglement of $| k ⟩_{H}$ and $| ϕ (k) ⟩_{P_{2}}$ . So, this attack is also infeasible.

Forgery Attack:

In forgery attack, the participants can execute the protocol with the fake shares. The proposed $Q S S$ protocol can prevent the forgery attack, which is one of the important issues, where the participants can provide the fake shares. If any dishonest player performs the Pauli operator with the fake shadow, the original secret cannot be reconstructed correctly. In the proposed protocol, player $P_{1}$ uses the hash function $S H A 1$ to compute the hash value $H (f (0)^{'})$ and compares it with the hash value $g (0)^{'}$ . If $(H (f (0)^{'}) = g (0)^{'})$ , then $P_{1}$ shares the secret with other $t - 1$ players; otherwise, $P_{1}$ realizes that at least one player performs the reconstruction phase dishonestly and terminates the reconstruction phase. So, the forgery attack is not possible in our quantum ( $t, n$ ) threshold $Q S S$ protocol.

7.1.2 Participant Attack

This type of attack is performed by one or more dishonest players to reveal the secret information.

Collision (attack from one) Attack:

In collision attack, the attacker performs an attack on the hash function, where the hash function produces the same hash value for two different inputs. Many existing $Q S S$ protocols cannot prevent the collision attack. In song2017t , Alice (dealer) selects $B o b_{1}$ as a trusted reconstructor from the set of participants $B = {B o b_{1}, B o b_{2}, \dots, B o b_{n}}$ and then selects a hash function $S H A 1$ to compute the hash value of the secret (which is to be shared). Then, Alice sends this hash value to the trusted reconstructor $B o b_{1}$ . At this point, $B o b_{1}$ can perform collision attack to reveal the secret. So, the security of their protocol is dependent on the trusted reconstructor $B o b_{1}$ . In our protocol, the dealer $D$ computes the hash value $H (S)$ using the $S H A 1$ hash function and shares it among $n$ players. Therefore, the reconstructor $P_{1}$ does not have any information about the hash value and he cannot perform the collision attack.

Collusion (attack from more than one dishonest players) Attack:

In collusion attack, some players can collude together to get the shadow of the share of other player. In order to get the private information of $P_{e}$ , players $P_{e - 1}$ and $P_{e + 1}$ perform the protocol dishonestly. In our proposed protocol, players $P_{e - 1}$ and $P_{e + 1}$ cannot perform the collusion attack because the unitary operation is performed by each participant with his private information. Moreover, this private information is not transmitted through a quantum channel.

7.2 Performance Analysis

We analyze and compare the performance of the proposed $Q S S$ protocol with the existing $Q S S$ protocols, i.e., Li et al.’s $Q S S$ bao2009threshold , Yang et al.’s $Q S S$ yang2013secret , Qin et al.’s $Q S S$ qin2015t , Song et al.’s $Q S S$ song2017t , and Qin et al.’s $Q S S$ Qin2018Multidimensional in terms of three parameters: universality, cost, and attack. Li et al.’s $Q S S$ protocol bao2009threshold is ( $t, n$ ) threshold scheme, but it is not for $d$ -level particle. Yang et al.’s $Q S S$ protocol yang2013secret is for $d$ -level particle, but this protocol is ( $n, n$ ) threshold scheme. Qin et al.’s $Q S S$ protocol qin2015t is ( $t, n$ ) threshold scheme, but it is not for $d$ -level particle. Song et al.’s $Q S S$ protocol song2017t is for $d$ -level particle, and also it is ( $t, n$ ) threshold scheme. Song et al.’s $Q S S$ protocol song2017t can prevent the $I R$ , $E M$ , forgery attacks, but it cannot prevent the collision attack. Qin et al.’s $Q S S$ protocol Qin2018Multidimensional is for $d$ -level particle and $c n$ qubits, but this protocol is ( $n, n$ ) threshold scheme. Here, we have compared the proposed $Q S S$ protocol with six existing protocols in terms of the communication cost and computation cost.The communication cost can be computed based on the transmitted particles, i.e., message particles and decoy particles. The computation cost can be computed based on five parameters: $Q F T$ , $U$ operation, $Q F T^{- 1}$ , measure operation, and hash operation. The Li et al.’s $Q S S$ protocol bao2009threshold needs to perform $t (2 t - 1)$ number of $U$ operations, $t$ number of measure operations, needs to transmit $t (t + 1)$ number of messages, and $z (t + 1)$ number of decoy particles, where $z$ is the number of decoy particles. The Yang et al.’s protocol yang2013secret needs to perform $n$ number of $Q F T$ , $n$ number of $U$ operations, $n$ number of measure operations, and needs to transmit $(n - 1)$ number of message particles. The Qin et al.’s protocol qin2015t needs to perform $t (t + 1)$ number of $U$ operations, needs to transmit $t (t + 1)$ number of messages, and $z (t + 1)$ number of decoy particles. The Song et al.’s protocol song2017t needs to perform $1$ number of $Q F T$ , $t$ number of $U$ operations, $1$ number of $Q F T^{- 1}$ , $1$ number of measure operations, $2$ number of hash operations and needs to transmit $(t - 1)$ number of message particles. The Qin et al.’s protocol Qin2018Multidimensional needs to perform $1$ number of $Q F T$ , $t (t + 1) + n$ number of $U$ operations, $1$ number of $Q F T^{- 1}$ , $n$ number of measure operations, and needs to transmit $n$ number of message particles as well as $z (t + 1)$ number of decoy particles. Our proposed protocol needs to perform $1$ number of $Q F T$ , $(t - 1)$ number of $U$ operations, $1$ number of $Q F T^{- 1}$ , $2$ number of hash operations, and needs to transmit $t$ number of decoy particles. So, the complexity of our proposed protocol is less as compared to the existing $Q S S$ protocols.

8 Conclusion

In this paper, we discussed a secret-sharing protocol in which $t$ players can reconstruct the secret without the help of a trusted player. In comparison to existing $Q S S$ protocols, our protocol is more secure, versatile, and practical. The reconstructor $P 1$ only knows his share and nothing else; even the secret’s hash value is unknown to him. Since the reconstructor $P_{1}$ only knows his share, it cannot perform the collision attack.

Ethical Statement

This article does not contain any studies with human or animal subjects performed by the any of the authors. The manuscript has been prepared following the instructions provided in the Authors Guidelines of the journal.

Conflict of Interest

The authors declare that they have no conflict of interest.

References

(1) Bao-Kui, L., Yu-Guang, Y., Qiao-Yan, W.: Threshold quantum secret sharing of secure direct communication. Chinese Physics Letters 26(1), 010302 (2009)
(2) Bennett, C.H., Brassard, G.: An update on quantum cryptography. In: Workshop on the Theory and Application of Cryptographic Techniques, pp. 475–480. Springer (1984)
(3) Cai, X.Q., Wang, T.Y., Wei, C.Y., Gao, F.: Cryptanalysis of multiparty quantum digital signatures. Quantum Information Processing 18(8), 252 (2019)
(4) Charoghchi, S., Mashhadi, S.: Three (t, n)-secret image sharing schemes based on homogeneous linear recursion. Information Sciences 552, 220–243 (2021)
(5) Chen, X.B., Sun, Y.R., Xu, G., Yang, Y.X.: Quantum homomorphic encryption scheme with flexible number of evaluator based on (k, n)-threshold quantum state sharing☆. Information Sciences (2019)
(6) Chen, X.B., Wang, Y.L., Xu, G., Yang, Y.X.: Quantum network communication with a novel discrete-time quantum walk. IEEE Access 7, 13634–13642 (2019)
(7) Dan, L., SHI, R.h., ZHANG, S., ZHONG, H.: Efficient anonymous roaming authentication scheme using certificateless aggregate signature in wireless network. Journal on Communications 37(7), 182 (2016)
(8) Dehkordi, M.H., Mashhadi, S.: An efficient threshold verifiable multi-secret sharing. Computer Standards & Interfaces 30(3), 187–190 (2008)
(9) Dehkordi, M.H., Mashhadi, S.: New efficient and practical verifiable multi-secret sharing schemes. Information Sciences 178(9), 2262–2274 (2008)
(10) Dehkordi, M.H., Mashhadi, S.: Verifiable secret sharing schemes based on non-homogeneous linear recursions and elliptic curves. Computer Communications 31(9), 1777–1784 (2008)
(11) Dehkordi, M.H., Mashhadi, S., Oraei, H.: A proactive multi stage secret sharing scheme for any given access structure. Wireless Personal Communications 104(1), 491–503 (2019)
(12) Eastlake, D., Jones, P.: Us secure hash algorithm 1 (sha1) (2001)
(13) Gyongyosi, L., Imre, S.: Quantum circuit design for objective function maximization in gate-model quantum computers. Quantum Information Processing 18(7), 1–33 (2019)
(14) Hao, C., Wenping, M.: (t, n) threshold quantum state sharing scheme based on linear equations and unitary operation. IEEE Photonics Journal 9(1), 1–7 (2017)
(15) Hillery, M., Bužek, V., Berthiaume, A.: Quantum secret sharing. Physical Review A 59(3), 1829 (1999)
(16) Kao, S.H., Hwang, T.: Comment on (t, n) threshold d-level quantum secret sharing. arXiv preprint arXiv:1803.00216 (2018)
(17) Karimifard, Z., Mashhadi, S., EBRAHIMI, B.D.: Semiquantum secret sharing using three particles without entanglement (2016)
(18) Lau, H.K., Weedbrook, C.: Quantum secret sharing with continuous-variable cluster states. Physical Review A 88(4), 042313 (2013)
(19) Lo, H.K., Spiller, T., Popescu, S.: Introduction to quantum computation and information. World Scientific (1998)
(20) Lu, C., Miao, F., Hou, J., Meng, K.: Verifiable threshold quantum secret sharing with sequential communication. Quantum Information Processing 17(11), 310 (2018)
(21) Luo, Z.y., Shi, R.h., Xu, M., Zhang, S.: A novel quantum solution to privacy-preserving nearest neighbor query in location-based services. International Journal of Theoretical Physics 57(4), 1049–1059 (2018)
(22) Mashhadi, S.: Analysis of frame attack on hsu et al.’s non-repudiable threshold multi-proxy multi-signature scheme with shared verification. Scientia Iranica 19(3), 674–679 (2012)
(23) Mashhadi, S.: A novel secure self proxy signature scheme. IJ Network Security 14(1), 22–26 (2012)
(24) Mashhadi, S.: A novel non-repudiable threshold proxy signature scheme with known signers. IJ Network Security 15(4), 274–279 (2013)
(25) Mashhadi, S.: Computationally secure multiple secret sharing: Models, schemes, and formal security analysis. ISeCure 7(2) (2015)
(26) Mashhadi, S.: Analysis of warrant attacks on some threshold proxy signature schemes. Journal of Information Processing Systems 12(2), 249–262 (2016)
(27) Mashhadi, S.: How to fairly share multiple secrets stage by stage. Wireless Personal Communications 90(1), 93–107 (2016)
(28) Mashhadi, S.: Share secrets stage by stage with homogeneous linear feedback shift register in the standard model. Security and Communication Networks 9(17), 4495–4504 (2016)
(29) Mashhadi, S.: New multi-stage secret sharing in the standard model. Information Processing Letters 127, 43–48 (2017)
(30) Mashhadi, S.: Secure publicly verifiable and proactive secret sharing schemes with general access structure. Information sciences 378, 99–108 (2017)
(31) Mashhadi, S.: General secret sharing based on quantum fourier transform. Quantum Information Processing 18(4), 114 (2019)
(32) Mashhadi, S.: A csa-secure multi-secret sharing scheme in the standard model. Journal of Applied Security Research 15(1), 84–95 (2020)
(33) Mashhadi, S.: Improvement of a (t, n) threshold d- level quantum secret sharing scheme. Journal of Applied Security Research pp. 1–12 (2020)
(34) Mashhadi, S.: Toward a formal proof for multi-secret sharing in the random oracle model. Information Security Journal: A Global Perspective 29(5), 244–249 (2020)
(35) Mashhadi, S., Dehkordi, M.H.: Two verifiable multi secret sharing schemes based on nonhomogeneous linear recursion and lfsr public-key cryptosystem. Information Sciences 294, 31–40 (2015)
(36) Mashhadi, S., Dehkordi, M.H., Kiamari, N.: Provably secure verifiable multi-stage secret sharing scheme based on monotone span program. IET Information Security 11(6), 326–331 (2017)
(37) Nielsen, M.A., Chuang, I.: Quantum computation and quantum information (2002)
(38) Peng, Z.w., Shi, R.h., Wang, P.h., Zhang, S.: A novel quantum solution to secure two-party distance computation. Quantum Information Processing 17(6), 1–12 (2018)
(39) Qin, H., Tso, R., Dai, Y.: Multi-dimensional quantum state sharing based on quantum fourier transform. Quantum Information Processing 17(3), 48 (2018)
(40) Qin, H., Zhu, X., Dai, Y.: (t, n) threshold quantum secret sharing using the phase shift operation. Quantum Information Processing 14(8), 2997–3004 (2015)
(41) Run-Hua, S., Liu-Sheng, H., Wei, Y., Hong, Z.: An efficient scheme for multiparty multi-particle state sharing. Communications in Theoretical Physics 54(1), 93 (2010)
(42) Run-Hua, S., Liu-Sheng, H., Wei, Y., Hong, Z.: A novel multiparty quantum secret sharing scheme of secure direct communication based on bell states and bell measurements. Chinese Physics Letters 28(5), 050303 (2011)
(43) Shamir, A.: How to share a secret. Communications of the ACM 22(11), 612–613 (1979)
(44) Shi, R., Huang, L., Yang, W., Zhong, H.: Quantum secret sharing between multiparty and multiparty with bell states and bell measurements. SCIENCE CHINA Physics, Mechanics and Astronomy 53(12), 2238–2244 (2010)
(45) Shi, R., Zhang, Y., Zhong, H., Cui, J., Zhang, S.: Data integrity checking protocol based on secure multiparty computation. In: Wireless Communications, Networking and Applications, pp. 873–882. Springer (2016)
(46) Shi, R.H.: Efficient quantum protocol for private set intersection cardinality. IEEE Access 6, 73102–73109 (2018)
(47) Shi, R.h., Huang, L.s., Yang, W., Zhong, H.: Efficient symmetric five-party quantum state sharing of an arbitrary m-qubit state. International Journal of Theoretical Physics 50(11), 3329–3336 (2011)
(48) Shi, R.h., Huang, L.s., Yang, W., Zhong, H.: Multi-party quantum state sharing of an arbitrary two-qubit state with bell states. Quantum Information Processing 10(2), 231–239 (2011)
(49) Shi, R.H., Huang, L.S., Yang, W., Zhong, H.: Novel and effective secret sharing scheme. Journal of China Institute of Communications 33(1), 10–16 (2012)
(50) Shi, R.h., Mu, Y., Zhong, H., Cui, J., Zhang, S.: An efficient quantum scheme for private set intersection. Quantum Information Processing 15(1), 363–371 (2016)
(51) Shi, R.h., Mu, Y., Zhong, H., Cui, J., Zhang, S.: Secure multiparty quantum computation for summation and multiplication. Scientific reports 6(1), 1–9 (2016)
(52) Shi, R.h., Mu, Y., Zhong, H., Zhang, S.: Quantum oblivious set-member decision protocol. Physical Review A 92(2), 022309 (2015)
(53) Shi, R.h., Mu, Y., Zhong, H., Zhang, S.: Comment on “secure quantum private information retrieval using phase-encoded queries”. Physical Review A 94(6), 066301 (2016)
(54) Shi, R.h., Mu, Y., Zhong, H., Zhang, S., Cui, J.: Quantum private set intersection cardinality and its application to anonymous authentication. Information Sciences 370, 147–158 (2016)
(55) Shi, R.H., Zhang, S.: Quantum solution to a class of two-party private summation problems. Quantum Information Processing 16(9), 1–9 (2017)
(56) Shi, R.H., Zhong, H.: Asymmetric multiparty-controlled teleportation of arbitrary n-qudit states using different quantum channels. In: International Conference on Theoretical and Mathematical Foundations of Computer Science, pp. 337–344. Springer (2011)
(57) Shi, R.h., Zhong, H.: Multiparty quantum secret sharing with the pure entangled two-photon states. Quantum Information Processing 11(1), 161–169 (2012)
(58) Shi, R.H., Zhong, H.: Multi-party quantum key agreement with bell states and bell measurements. Quantum information processing 12(2), 921–932 (2013)
(59) Shi, R.h., Zhong, H., Zhang, S.: Comments on two schemes of identity-based user authentication and key agreement for mobile client–server networks. The Journal of Supercomputing 71(11), 4015–4018 (2015)
(60) Song, X.L., Liu, Y.B., Deng, H.Y., Xiao, Y.G.: (t, n) threshold d-level quantum secret sharing. Scientific reports 7(1), 6366 (2017)
(61) Sun, Z., Song, L., Huang, Q., Yin, L., Long, G., Lu, J., Hanzo, L.: Toward practical quantum secure direct communication: A quantum-memory-free protocol and code design. IEEE Transactions on Communications 68(9), 5778–5792 (2020)
(62) Sutradhar, K., Om, H.: Efficient quantum secret sharing without a trusted player. Quantum Information Processing 19(2), 1–15 (2020)
(63) Sutradhar, K., Om, H.: A generalized quantum protocol for secure multiparty summation. IEEE Transactions on Circuits and Systems II: Express Briefs 67(12), 2978–2982 (2020)
(64) Sutradhar, K., Om, H.: Hybrid quantum protocols for secure multiparty summation and multiplication. Scientific Reports 10(1), 1–9 (2020)
(65) Sutradhar, K., Om, H.: An efficient simulation for quantum secure multiparty computation. Scientific Reports 11(1), 1–9 (2021)
(66) Ting-Ting, S., Jie, Z., Fei, G., Qiao-Yan, W., Fu-Chen, Z.: Participant attack on quantum secret sharing based on entanglement swapping. Chinese Physics B 18(4), 1333 (2009)
(67) Wang, T.Y., Li, Y.P.: Cryptanalysis of dynamic quantum secret sharing. Quantum information processing 12(5), 1991–1997 (2013)
(68) Wang, T.Y., Liu, Y.Z., Wei, C.Y., Cai, X.Q., Ma, J.F.: Security of a kind of quantum secret sharing with entangled states. Scientific reports 7(1), 2485 (2017)
(69) Wang, T.Y., Wen, Q.Y.: Security of a kind of quantum secret sharing with single photons. Quantum Information & Computation 11(5), 434–443 (2011)
(70) Wang, T.y., Wen, Q.y., Gao, F., Lin, S., Zhu, F.c.: Cryptanalysis and improvement of multiparty quantum secret sharing schemes. Physics Letters A 373(1), 65–68 (2008)
(71) Xu, G., Chen, X.B., Dou, Z., Li, J., Liu, X., Li, Z.: Novel criteria for deterministic remote state preparation via the entangled six-qubit state. Entropy 18(7), 267 (2016)
(72) Xu, G., Xiao, K., Li, Z., Niu, X.X., Ryan, M.: Controlled secure direct communication protocol via the three-qubit partially entangled set of states. Comput. Mater. Continua 58(3), 809–827 (2019)
(73) Xu, M., Shi, R.h., Luo, Z.y., Peng, Z.w.: Nearest private query based on quantum oblivious key distribution. Quantum Information Processing 16(12), 1–12 (2017)
(74) Yang, W., Huang, L., Shi, R., He, L.: Secret sharing based on quantum fourier transform. Quantum information processing 12(7), 2465–2474 (2013)
(75) Zhang, R., Shi, R.h., Qin, J.q., Peng, Z.w.: An economic and feasible quantum sealed-bid auction protocol. Quantum Information Processing 17(2), 1–14 (2018)

An Efficient Simulation of Quantum Secret Sharing

Authors

Lightweight Mediated Semi-Quantum Secret Sharing Protocol

Multiparty Mediated Semi-Quantum Secret Sharing Protocol

A Network Reliability Approach to the Analysis of Combinatorial Repairable Threshold Schemes

Algebraic Geometric Secret Sharing Schemes over Large Fields Are Asymptotically Threshold

Asynchronous Verifiable Secret-Sharing Protocols on a Good Day

Quantum Weak Coin Flipping

A symmetric extensible protocol for quantum secret sharing

1 Introduction

2 Related Work

3 Preliminaries

3.1 Quantum Fourier Transform

3.2 Control-NOT $(C n o t)$ gate

3.3 Shamir’s Secret Sharing

3.3.1 Secret Sharing Phase

3.3.2 Secret Reconstruction Phase

4 Proposed Method

4.1 Secret Sharing Phase

4.2 Secret Reconstruction Phase

5 Correctness Proof of $(t, n)$ threshold $d$ -level $Q s s$

Lemma 1

Proof

6 Simulation Results

7 Results and Discussion

7.1 Security Analysis

7.1.1 Outside Attack

Intercept-Resend $(I r)$ Attack:

Intercept Attack:

Entangle-Measure $(E m)$ Attack:

Forgery Attack:

7.1.2 Participant Attack

Collision (attack from one) Attack:

Collusion (attack from more than one dishonest players) Attack:

7.2 Performance Analysis

8 Conclusion

Ethical Statement

Conflict of Interest

References

An Efficient Simulation of Quantum Secret Sharing

Authors

Related Research

Lightweight Mediated Semi-Quantum Secret Sharing Protocol

Multiparty Mediated Semi-Quantum Secret Sharing Protocol

A Network Reliability Approach to the Analysis of Combinatorial Repairable Threshold Schemes

Algebraic Geometric Secret Sharing Schemes over Large Fields Are Asymptotically Threshold

Asynchronous Verifiable Secret-Sharing Protocols on a Good Day

Quantum Weak Coin Flipping

A symmetric extensible protocol for quantum secret sharing

This week in AI

1 Introduction

2 Related Work

3 Preliminaries

3.1 Quantum Fourier Transform

3.2 Control-NOT (Cnot) gate

3.3 Shamir’s Secret Sharing

3.3.1 Secret Sharing Phase

3.3.2 Secret Reconstruction Phase

4 Proposed Method

4.1 Secret Sharing Phase

4.2 Secret Reconstruction Phase

5 Correctness Proof of (t,n) threshold d-level Qss

Lemma 1

Proof

6 Simulation Results

7 Results and Discussion

7.1 Security Analysis

7.1.1 Outside Attack

Intercept-Resend (Ir) Attack:

Intercept Attack:

Entangle-Measure (Em) Attack:

Forgery Attack:

7.1.2 Participant Attack

Collision (attack from one) Attack:

Collusion (attack from more than one dishonest players) Attack:

7.2 Performance Analysis

8 Conclusion

Ethical Statement

Conflict of Interest

References

3.2 Control-NOT $(C n o t)$ gate

5 Correctness Proof of $(t, n)$ threshold $d$ -level $Q s s$

Intercept-Resend $(I r)$ Attack:

Entangle-Measure $(E m)$ Attack: