Message Randomization and Strong Security in Quantum Stabilizer-Based Secret Sharing for Classical Secrets

by Ryutaroh Matsumoto, et al.

We improve the flexibility in designing access structures of quantum stabilizer-based secret sharing schemes for classical secrets by introducing message randomization in their encoding procedures. We generalize the Gilbert-Varshamov bound for deterministic encoding to randomized encoding of classical secrets. We also provide an explicit example of a ramp secret sharing scheme in which one symbol of the classical secret is revealed to an intermediate set, and justify the necessity of incorporating the strong security criterion of conventional secret sharing. Finally, we propose an explicit construction of strongly secure ramp secret sharing by quantum stabilizers.




1 Introduction

Secret sharing is a scheme to share a secret among multiple participants so that only qualified sets of participants can reconstruct the secret, while forbidden sets have no information about the secret shamir79 ; stinson06 . A piece of information received by a participant is called a share. A set of participants that is neither qualified nor forbidden is said to be intermediate. If there is no intermediate set, a secret sharing scheme is said to be perfect; otherwise it is said to be ramp blakley85 ; yamamoto86 . When secret sharing is perfect, there is an upper bound on the size of the secret for a fixed size of shares. On the other hand, in ramp schemes the size of the secret can be arbitrarily large for a fixed size of shares. In this paper we consider ramp schemes; in other words, we allow intermediate sets of participants or shares.

Both secret and shares are traditionally classical information. There exists a close connection between secret sharing and classical error-correcting codes bains08 ; chen07 ; cruz10 ; duursma10 ; kurihara12 ; martinezpenas16 ; mceliece81 .

After the importance of quantum information became well-recognized, secret sharing schemes with quantum shares were proposed cleve99 ; gottesman00 ; hillery99 ; karlsson99 ; smith00 . A connection between quantum secret sharing and quantum error-correcting codes has been well-known for many years cleve99 ; gottesman00 ; marin13 ; markham08 ; sarvepalli12 ; smith00 . Well-known classes of quantum error-correcting codes are the CSS codes calderbank96 ; steane96 , the stabilizer codes calderbank97 ; calderbank98 ; gottesman96 and their nonbinary generalizations ashikhmin00 ; ketkar06 ; matsumotouematsu00 .

The access structure of a secret sharing scheme is the set of qualified sets, that of intermediate sets and that of forbidden sets. When both secret and shares are classical information, the encoding of secrets to shares is almost always randomized, that is, for a fixed secret, shares are randomly chosen from a set determined by the secret shamir79 ; stinson06 . By message randomization we mean this kind of randomized encoding of secrets to shares. It was shown that some randomness in encoders is indispensable with classical shares blundo96 ; blundo98 ; blundo97 .

In contrast with classical shares, Gottesman (gottesman00, Theorem 3) proved that message randomization does not offer any advantage when both secret and shares are quantum information, and that the use of unitary encoding of quantum secrets to quantum shares is sufficient. Probably because of Gottesman’s observation, secret sharing schemes based on quantum error-correcting codes have not used message randomization, as far as this author knows.

In our previous research matsumoto19wcc ; matsumoto19qinp , we expressed secret sharing for classical secrets based on quantum stabilizer codes by linear codes, and expressed qualified and forbidden sets in terms of the linear codes associated with quantum stabilizers. By using that, we gave a Gilbert-Varshamov-type existence condition of secret sharing schemes with given parameters, and proved that there exist infinitely many access structures that can be realized by quantum stabilizer codes but cannot be realized by any classical information processing.

However, there are some drawbacks in our proposal matsumoto19wcc ; matsumoto19qinp . For example, any participants out of participants can be made forbidden by Shamir’s scheme, but such an access structure cannot be realized by matsumoto19wcc ; matsumoto19qinp . The first goal of this paper is to make the stabilizer-based secret sharing more flexible in designing access structures by introducing message randomization in the encoding. In our previous proposal matsumoto19wcc ; matsumoto19qinp , shares are deterministic functions of secrets. The proposed scheme in this paper includes matsumoto19wcc ; matsumoto19qinp as a special case.

Ordinary ramp schemes have the following security risk: Suppose that the classical secret is , …, , and an intermediate set has symbol of information about . Then that intermediate set sometimes knows explicitly for some . This insecurity was mentioned in mceliece81 ; yamamoto86 . Iwamoto and Yamamoto iwamoto06 explicitly constructed such an example with classical secret and classical shares, and Zhang and Matsumoto matsumoto14strong did so with quantum shares. In order to address this security risk, Yamamoto yamamoto86 introduced the notion of strong security into ramp schemes: A secret sharing scheme with classical secret , …, is said to be strongly secure if any symbols in are always statistically independent of the shares in an intermediate set that has symbol of information about , for , …, . The second goal of this paper is to give an explicit construction of strongly secure ramp secret sharing for classical secrets based on quantum stabilizer codes, by extending the previous construction matsumoto19wcc ; matsumoto19qinp .

Strong security concerns the secrecy of parts of a message. The secrecy of parts of a message has also been studied for network coding harada08 ; kurihara15 ; matsumoto17net ; silva09 and wiretap channel coding hayashi16smc ; yamamoto13 .
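As an added illustration that is not from the paper (whose construction uses quantum stabilizers), the following Python script brute-forces the classical form of the strong security criterion on two constructed three-participant linear ramp schemes over F_7 with a two-symbol secret: one in which a pair of shares reveals a secret symbol explicitly, and one in which no pair does. The field size, generator rows and function names are all constructed for this example.

```python
from itertools import combinations, product
from math import log

P = 7          # constructed prime field F_7
L, R = 2, 1    # two secret symbols (s1, s2), one uniformly random symbol r

# Constructed generator rows: share_i = a_i*s1 + b_i*s2 + c_i*r (mod P).
LEAKY = [(1, 0, 1), (0, 0, 1), (0, 1, 1)]    # shares 0 and 1 pin down s1 exactly
STRONG = [(1, 0, 1), (0, 1, 1), (2, 2, 1)]   # no pair pins down s1 or s2

def encode(gen, s, r):
    """Linear encoding of (secret, randomness) into one share per row of gen."""
    x = tuple(s) + tuple(r)
    return tuple(sum(g * v for g, v in zip(row, x)) % P for row in gen)

def fibres(gen, part):
    """Map each share tuple observable by participants `part` to the set of
    secrets that can produce it (enumerating all secrets and randomness)."""
    table = {}
    for s in product(range(P), repeat=L):
        for r in product(range(P), repeat=R):
            w = encode(gen, s, r)
            table.setdefault(tuple(w[i] for i in part), set()).add(s)
    return table

def info_symbols(gen, part):
    """Information (in F_P symbols) `part` holds about a uniform secret.
    The encoding is linear, so every fibre has the same size."""
    fibre = next(iter(fibres(gen, part).values()))
    return L - round(log(len(fibre), P))

def explicitly_leaked(gen, part):
    """Secret coordinates whose value some observation on `part` determines."""
    leaked = set()
    for fibre in fibres(gen, part).values():
        leaked |= {j for j in range(L) if len({s[j] for s in fibre}) == 1}
    return leaked

def strongly_secure(gen):
    """Yamamoto's criterion: an intermediate set holding t symbols of
    information learns nothing about any L - t secret symbols jointly, i.e.
    every value of those coordinates remains possible in every fibre
    (and hence uniform, because the scheme is linear)."""
    n = len(gen)
    for size in range(1, n + 1):
        for part in combinations(range(n), size):
            table = fibres(gen, part)
            t = L - round(log(len(next(iter(table.values()))), P))
            if t in (0, L):          # forbidden or qualified: nothing to check
                continue
            for coords in combinations(range(L), L - t):
                for fibre in table.values():
                    seen = {tuple(s[j] for j in coords) for s in fibre}
                    if len(seen) != P ** (L - t):
                        return False
    return True

if __name__ == "__main__":
    print("LEAKY  pair {0,1} reveals secret coordinates:", explicitly_leaked(LEAKY, (0, 1)))
    print("LEAKY  strongly secure:", strongly_secure(LEAKY))
    print("STRONG strongly secure:", strongly_secure(STRONG))
```

Both schemes have the same access structure (singletons forbidden, pairs intermediate with one symbol of information, all three qualified); only the second one satisfies the criterion.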

This paper is organized as follows: Section 2 introduces necessary notations and proposes randomized encoding for quantum stabilizer-based secret sharing. Section 3 clarifies the access structure of the proposed scheme. Section 4 analyses the amount of information leaked to an intermediate set, which will be used for the strong security later. Section 5 generalizes the Gilbert-Varshamov existential condition for secret sharing schemes from the one given in matsumoto19wcc ; matsumoto19qinp . Section 6 introduces a strong security criterion and an explicit construction with strong security based on Reed-Solomon codes. Then we compare the proposed construction with the McEliece-Sarwate strongly secure ramp secret sharing scheme mceliece81 .

2 Randomized encoding and its access structures

2.1 Preliminaries

Let , …, be a set of shares (or equivalently participants), , …, , and the partial trace over . For a density matrix , denotes its column space. When , …, are orthogonal to each other, that is, for , we can distinguish , …, by a suitable projective measurement with probability . Since density matrices are a quantum generalization of probability distributions chuangnielsen , the result of randomized encoding of a secret can be expressed as a density matrix.

Definition 1

matsumoto19wcc ; matsumoto19qinp Let be the density matrix of shares in encoded from a classical secret . We say to be qualified if and are orthogonal to each other for different classical secrets , . We say to be forbidden if is the same density matrix regardless of classical secret . By an access structure we mean the set of qualified sets and the set of forbidden sets.

Let be a prime number, the finite field with elements, and the -dimensional complex linear space. The quantum state space of qudits is denoted by with its orthonormal basis .

For two vectors , , denote by , the standard Euclidean inner product. For two vectors and , we define the standard symplectic inner product

For an -linear space , denotes its orthogonal space in with respect to . Throughout this paper we always assume and . We will use to denote the number of symbols in classical secrets and to denote the amount of randomness in encoding. We also assume that we have and .

For , define the complex unitary matrix as defined in ketkar06 . An quantum stabilizer code encoding qudits into qudits can be defined as a simultaneous eigenspace of all (). Unlike ketkar06 , we do not require the eigenvalue of to be one.

2.2 Proposed randomized encoding

It is well-known in mathematics (aschbacher00, , Chapter 7) that there always exists such that . Note that is not unique and usually there are many possible choices of . We have and have an isomorphism as linear spaces without inner products. Since , defines an quantum stabilizer code . Without loss of generality we may assume . Let be a quantum state vector. Since , for a coset and , , and differ by a constant multiple in and physically express the same quantum state in . By an abuse of notation, for a coset we will write to mean ().

For a given classical secret , we consider the following secret sharing scheme with participants:

  1. is a coset of and can also be seen as a subset of . Choose uniformly at random. Prepare the quantum codeword that corresponds to the classical secret .

  2. Distribute each qudit in the quantum codeword to a participant.

Since there are choices of above, the density matrix of shares is

Remark 1

The encoding procedure in matsumoto19wcc ; matsumoto19qinp corresponds to the special case and in the above proposed scheme.

Example 1

Let , , . A basis of the doubly-extended Reed-Solomon code over consists of

By using them, we define , as the linear space spanned by , , and as the linear space spanned by , , , . Let

Then is spanned by , . Let

and we can use , as a basis of .

For a given secret , the proposed encoder chooses a vector uniformly at random from the set

Since , for fixed the number of possible choices is . But since is an eigenvector of all unitary matrices corresponding to a vector in , for fixed the number of possible quantum states is . The encoded shares consist of qudit in . Each quantum share in is distributed to each participant.

3 Necessary and sufficient conditions on qualified and forbidden sets

Let , …, . Define , …, , …, for . Let be the projection map onto , that is, , …, , …, .

Theorem 3.1

For the secret sharing scheme described in Section 2, is qualified if and only if


is forbidden if and only if

Remark 2

The encoding procedure depends on the choice of but by Theorem 3.1 we see that the access structure is independent of that choice.

Proof (Theorem 3.1)

Assume Eq. (1). Then there exists a basis , …, of such that . Any two vectors in a coset have the same value of the symplectic inner product against a fixed , which will be denoted by . Suppose that we have two different cosets , , and that for all . It means that is zero in , a contradiction. We have seen that any two different cosets have different symplectic inner product values against some . For each , the participants can collectively perform the quantum projective measurement corresponding to the eigenspaces of and can determine the symplectic inner product¹ as (ketkar06, Lemma 5) when the classical secret is . Since has nonzero components only at , the above measurement can be done only by , which means can reconstruct .

¹ If we assume a non-prime finite field as our base field, then the quantum measurement outcome just determines (ketkar06, Lemma 5) in place of , where is the trace map from to its prime subfield . Assuming a non-prime field significantly complicates the proofs of Theorem 3.1 and Lemma 1. So we assume a prime finite field until Remark 4.

Assume that Eq. (1) is false. Since the orthogonal space of in is isomorphic to , by almost the same argument as the duality between shortened linear codes and punctured linear codes pless98 , we see that . This means that there exist two different classical secrets and such that . This means that the encoding procedures of and are exactly the same on and produce the same density matrix on , which shows that is not qualified.

Assume Eq. (2). Then we have . This means that for all classical secrets , and their encoding procedures on are the same, which produces the same density matrix on regardless of . This shows that is forbidden.

Assume that Eq. (2) is false. Then there exist two different classical secrets , , and such that

By (ketkar06, , Lemma 5), this means that the quantum measurement corresponding to gives different outcomes with and . Since , measurement of can be performed only by participants in . These observations show that is not forbidden. ∎

Next we give sufficient conditions in terms of the coset distance duursma10 or the first relative generalized Hamming weight luo05 . To do so, we have to slightly modify them. For , …, , …, , define its symplectic weight , . For , we define their coset distance as .

Theorem 3.2

If then is forbidden. If then is qualified.

Example 2

Notations remain the same as in Example 1. We have and . By Theorem 3.2, we know that two or fewer participants are forbidden and all the participants are qualified.

Proof (Theorem 3.2)

If then there is no and Eq. (2) holds.

Assume that , or equivalently, . We have . We also have , which means . Since , we see that Eq. (1) holds with . ∎

4 Amount of information possessed by an intermediate set

Let , …, with and , …, . In this section we study the amount of information possessed by .

Because the result of mapping is an element in , any two vectors and give the same symplectic inner product values with any .

Lemma 1

For two classical secrets and , we have

  • if and only if and give the same symplectic inner product for all vectors in , and

  • and are orthogonal to each other if and only if and give different symplectic inner products for some vector in .


Assume that and give the same symplectic inner product for all vectors in . Then we have , and the encoding procedure on is the same for and , which shows .

Assume that and give different symplectic inner product values for some vector in . Then the quantum measurement corresponding to can be performed only by the participants in and by (ketkar06, , Lemma 5) the outcomes for and are different with probability . This means that and are orthogonal to each other. ∎

Proposition 1

If , then the number of density matrices in is .

For a fixed density matrix , the number of classical secrets such that is exactly .


If for with classical secrets (, ), then by Lemma 1 and are orthogonal. By the assumption, we have . There are elements in , which shows the first claim.

The composite -linear map from to is surjective. Thus the dimension of its kernel is , which shows the second claim. ∎

Definition 2

In light of Proposition 1, the amount of information possessed by a set of participants is defined as

Remark 3

When the probability distribution of classical secrets is uniform, the quantity in Definition 2 is equal to the Holevo information (chuangnielsen, , Section 12.1.1) between and by the same reason as (matsumoto19qinp, , Remark 14).

We say that a secret sharing scheme is -reconstructible if implies has or more bits of information geil14 . We say that a secret sharing scheme is -private if implies has less than bits of information geil14 . In order to express and in terms of combinatorial properties of , we review a slightly modified version of the relative generalized Hamming weight luo05 .

Definition 3

matsumoto19qinp For two linear spaces and , …, , define the -th relative generalized symplectic weight


Note that . The following theorem generalizes Theorem 3.2.

Theorem 4.1

Almost the same as (matsumoto19qinp, , Theorem 16). ∎

Remark 4

We have assumed the prime finite field . We can translate Theorems 3.1, 3.2, 4.1, Proposition 1 and Definition 2 to an arbitrary finite field in the same way as (matsumoto19qinp, , Section 5.1).

5 Gilbert-Varshamov-type existential condition

Let be some prime power. In this section, we give a sufficient condition for existence of , with given parameters.

Theorem 5.1

If positive integers , , , , satisfy


then there exist such that , and .


The following argument is similar to the proof of the Gilbert-Varshamov bound for stabilizer codes calderbank97 and also to matsumoto19qinp . Let be the set of invertible matrices on that do not change the values of the symplectic inner product. Let be the set of pairs of linear spaces such that , and . For , define and .

For nonzero , , we have and , by almost the same argument as (matsumoto19qinp, Proof of Theorem 25).

For each , the number of such that is . The number of triples , , such that is

which implies


Similarly we have


If there exists such that and for all and then there exists a pair of with the desired properties. The number of such that is given by


By combining Eqs. (6), (7) and (8) we see that Eq. (5) is a sufficient condition for ensuring the existence of required in Theorem 5.1. ∎

We will derive an asymptotic form of Theorem 5.1.

Theorem 5.2

Let , , and be nonnegative real numbers . Define . For sufficiently large , if

then there exist such that , and .


The proof can be done by almost the same argument as (matsumotouematsu01, Section III.C). ∎

In (matsumoto19qinp, , Theorem 26) we proved a special case of Theorem 5.2. The new parameter provides larger flexibility.

6 Strong Security

Let , and let , be nonnegative even integers. The field size can be either odd or even. We will consider the case that the number of participants is smaller than in Remark 5. Let , …, be distinct elements. Define an Reed-Solomon (RS) code as

Then because .

6.1 Insecure example

In order to justify our study of strong security, we will show an insecure ramp scheme constructed in the framework of matsumoto19wcc ; matsumoto19qinp . Assume that are even integers only in Section 6.1. Let