1 Introduction
Secret sharing is a scheme to share a secret among multiple participants so that only qualified sets of participants can reconstruct the secret, while forbidden sets have no information about the secret shamir79 ; stinson06 . A piece of information received by a participant is called a share. A set of participants that is neither qualified nor forbidden is said to be intermediate. If there is no intermediate set, a secret sharing scheme is said to be perfect, otherwise said to be ramp blakley85 ; yamamoto86 . There is an upper bound on the size of secret for fixed size of shares, when secret sharing is perfect. On the other hand, the size of secret can be arbitrarily large for fixed size of shares in ramp schemes. In this paper we consider ramp schemes, in other words, we allow intermediate sets of participants or shares.
Both secret and shares are traditionally classical information. There exists a close connection between secret sharing and classical errorcorrecting codes bains08 ; chen07 ; cruz10 ; duursma10 ; kurihara12 ; martinezpenas16 ; mceliece81 .
After the importance of quantum information became wellrecognized, secret sharing schemes with quantum shares were proposed cleve99 ; gottesman00 ; hillery99 ; karlsson99 ; smith00 . A connection between quantum secret sharing and quantum errorcorrecting codes has been wellknown for many years cleve99 ; gottesman00 ; marin13 ; markham08 ; sarvepalli12 ; smith00 . Wellknown classes of quantum errorcorrecting codes are the CSS codes calderbank96 ; steane96 , the stabilizer codes calderbank97 ; calderbank98 ; gottesman96 and their nonbinary generalizations ashikhmin00 ; ketkar06 ; matsumotouematsu00 .
The access structure of a secret sharing scheme is the set of qualified sets, that of intermediate sets and that of forbidden sets. When both secret and shares are classical information, encoding of secrets to shares are almost always randomized, that is, for a fixed secret, shares are randomly chosen from a set determined by the secret shamir79 ; stinson06 . By message randomization we mean this kind of randomized encoding of secrets to shares. It was shown that some randomness in encoders is indispensable with classical shares blundo96 ; blundo98 ; blundo97 .
In contrast with classical shares, Gottesman (gottesman00, , Theorem 3)
proved that message randomization does not offer any advantage when both secret and shares are quantum information, and that use of unitary encoding of quantum secret to quantum shares is sufficient. Probably because of Gottesman’s observation, secret sharing schemes based on quantum errorcorrecting codes have not used message randomization, as far as this author knows.
In our previous research matsumoto19wcc ; matsumoto19qinp , we expressed secret sharing for classical secrets based on quantum stabilizer codes by linear codes, and expressed qualified and forbidden sets in terms of the linear codes associated with quantum stabilizers. By using that, we gave a GilbertVarshamovtype existence condition of secret sharing schemes with given parameters, and proved that there exist infinitely many access structures that can be realized by quantum stabilizer codes but cannot be realized by any classical information processing.
However, there are some drawbacks in our proposal matsumoto19wcc ; matsumoto19qinp . For example, any participants out of participants can be made forbidden, for example, by Shamir’s scheme. But such an access structure cannot be realized by matsumoto19wcc ; matsumoto19qinp . The first goal of this paper is to make the stabilizerbased secret sharing more flexible in designing access structures by introducing message randomization in the encoding. In our previous proposal matsumoto19wcc ; matsumoto19qinp , shares are deterministic functions of secrets. The proposed scheme in this paper includes matsumoto19wcc ; matsumoto19qinp as a special case.
Ordinary ramp schemes have the following security risk: Suppose that classical secret is , …, , and an intermediate set has symbol of information about . Then that intermediate set sometimes knows explicitly for some . This insecurity was mentioned in mceliece81 ; yamamoto86 . Iwamoto and Yamamoto iwamoto06 explicitly constructed such an example with classical secret and classical shares, and Zhang and Matsumoto matsumoto14strong did with quantum shares. In order to address this security risk, Yamamoto yamamoto86 introduced the notion of strong security into ramp schemes: A secret sharing scheme with classical secret , …, is said to be strongly secure if any symbols in is always statistically independent of shares in an intermediate set that has symbol of information about , for , …, . The second goal of this paper is to give an explicit construction of strongly secure ramp secret sharing for classical secrets based on quantum stabilizer codes, by extending the previous construction matsumoto19wcc ; matsumoto19qinp .
Strong security concerns with secrecy of parts of a message. The secrecy of parts of a message has also been studied for network coding harada08 ; kurihara15 ; matsumoto17net ; silva09 and wiretap channel coding hayashi16smc ; yamamoto13 .
This paper is organized as follows: Section 2 introduces necessary notations and proposes randomized encoding for quantum stabilizerbased secret sharing. Section 3 clarifies the access structure of the proposed scheme. Section 4 analyses the amount of information leaked to an intermediate set, which will be used for the strong security later. Section 5 generalize the GilbertVarshamov existential condition for secret sharing schemes from one given in matsumoto19wcc ; matsumoto19qinp . Section 6 introduces a strong security criterion and an explicit construction with strong security based on ReedSolomon codes. Then we compare the proposed construction with the McElieceSarwate strongly secure ramp secret sharing scheme mceliece81 .
2 Randomized encoding and its access structures
2.1 Preliminaries
Let , …, be a set of shares (or equivalently participants), , …, , and the partial trace over . For a density matrix , denotes its column space. When , …, are orthogonal to each other, that is, for , we can distinguish , …, by a suitable projective measurement with probability
. Since density matrices are quantum generalization of probability distributions
chuangnielsen , the result of randomized encoding of a secret can be expressed as a density matrix.Definition 1
matsumoto19wcc ; matsumoto19qinp Let be the density matrix of shares in encoded from a classical secret . We say to be qualified if and are orthogonal to each other for different classical secrets , . We say to be forbidden if is the same density matrix regardless of classical secret . By an access structure we mean the set of qualified sets and the set of forbidden sets.
Let be a prime number, the finite field with elements, and the dimensional complex linear space. The quantum state space of qudits is denoted by with its orthonormal basis .
For two vectors
, , denote by , the standard Euclidean inner product. For two vectors and , we define the standard symplectic inner productFor an linear space , denotes its orthogonal space in with respect to . Throughout this paper we always assume and . We will use to denote the number of symbols in classical secrets and to denote amount of randomness in encoding. We also assume that we have and .
For , define the
complex unitary matrix
as defined in ketkar06 . An quantum stabilizer codes encoding qudits intoqudits can be defined as a simultaneous eigenspace of all
(). Unlike ketkar06we do not require the eigenvalue of
to be one.2.2 Proposed randomized encoding
It is wellknown in mathematics (aschbacher00, , Chapter 7) that there always exists such that . Note that is not unique and usually there are many possible choices of . We have and have an isomorphism as linear spaces without inner products. Since , defines an quantum stabilizer code . Without loss of generality we may assume . Let be a quantum state vector. Since , for a coset and , , and differ by a constant multiple in and physically express the same quantum state in . By an abuse of notation, for a coset we will write to mean ().
For a given classical secret , we consider the following secret sharing scheme with participants:

is a coset of and can also seen as a subset of . Choose at uniformly random. Prepare the quantum codeword that corresponds to the classical secret .

Distribute each qudit in the quantum codeword to a participant.
Since there are choices of above, the density matrix of shares is
Remark 1
The encoding procedure in matsumoto19wcc ; matsumoto19qinp corresponds to the special case and in the above proposed scheme.
Example 1
Let , , . A basis of the doublyextended ReedSolomon code over consists of
By using them, we define , as the linear space spanned by , , and as the linear space spanned by , , , . Let
Then is spanned by , . Let
and we can use , as a basis of .
For a given secret , the proposed encoder chooses a vector at uniformly random from the set
Since , for fixed the number of possible choices is . But since
is an eigenvector of all unitary matrices corresponding to a vector in
, for fixed the number of possible quantum states is . The encoded shares consist of qudit in . Each quantum share in is distributed to each participant.3 Necessary and sufficient conditions on qualified and forbidden sets
Let , …, . Define , …, , …, for . Let to be the projection map onto , that is, , …, , …, .
Theorem 3.1
For the secret sharing scheme described in Section 2, is qualified if and only if
(1) 
is forbidden if and only if
(2) 
Remark 2
The encoding procedure depends on the choice of but by Theorem 3.1 we see that the access structure is independent of that choice.
Proof (Theorem 3.1)
Assume Eq. (1). Then there exists a basis , …, of such that . Any two vectors in a coset have the same value of the symplectic inner product against a fixed , which will be denoted by . Suppose that we have two different cosets , , and that for all . It means that is zero in , a contradiction. We have seen that any two different cosets have different symplectic inner product values against some . For each , the participants can collectively perform quantum projective measurement corresponding to the eigenspaces of and can determine the symplectic inner product^{1}^{1}1If we assume a nonprime finite field as our base field, then the quantum measurement outcome just determines (ketkar06, , Lemma 5) in place of , where is the trace map from to its prime subfield . Assuming a nonprime field significantly complicates the proofs of Theorem 3.1 and Lemma 1. So we assume a prime finite field until Remark 4. as (ketkar06, , Lemma 5) when the classical secret is . Since has nonzero components only at , the above measurement can be done only by , which means can reconstruct .
Assume that Eq. (1) is false. Since the orthogonal space of in is isomorphic to , which can be seen as the almost same argument as the duality between shortened linear codes and punctured linear codes pless98 , we see that . This means that there exists two different classical secrets and such that . This means that the encoding procedures of and are the exactly the same on and produce the same density matrix on , which shows that is not qualified.
Assume Eq. (2). Then we have . This means that for all classical secrets , and their encoding procedures on are the same, which produces the same density matrix on regardless of . This shows that is forbidden.
Assume that Eq. (2) is false. Then there exist two different classical secrets , , and such that
By (ketkar06, , Lemma 5), this means that the quantum measurement corresponding to gives different outcomes with and . Since , measurement of can be performed only by participants in . These observations show that is not forbidden. ∎
Next we give sufficient conditions in terms of the coset distance duursma10 or the first relative generalized Hamming weight luo05 . To do so, we have to slightly modify them. For , …, , …, , define its symplectic weight , . For , we define their coset distance as .
Theorem 3.2
If then is forbidden. If then is qualified.
Example 2
4 Amount of information possessed by an intermediate set
Let , …, with and , …, . In this section we study the amount of information possessed by .
Because the result of mapping is an element in , any two vectors and give the same symplectic inner product values with any .
Lemma 1
For two classical secrets and , we have

if and only if and give the same symplectic inner product for all vectors in , and

and are orthogonal to each other if and only if and give different symplectic inner products for some vector in .
Proof
Assume that and give the same symplectic inner product for all vectors in . Then we have , and the encoding procedure on is the same for and , which shows .
Assume that and give different symplectic inner product values for some vector in . Then the quantum measurement corresponding to can be performed only by the participants in and by (ketkar06, , Lemma 5) the outcomes for and are different with probability . This means that and are orthogonal to each other. ∎
Proposition 1
If , then the number of density matrices in is .
For a fixed density matrix , the number of classical secrets such that is exactly .
Proof
If for with classical secrets (, ), then by Lemma 1 and are orthogonal. By the assumption, we have . There are elements in , which shows the first claim.
The composite linear map “” from to is surjective. Thus the dimension of its kernel is , which shows the second claim. ∎
Definition 2
In light of Proposition 1, the amount of information possessed by a set of participants is defined as
(3) 
Remark 3
When the probability distribution of classical secrets is uniform, the quantity in Definition 2 is equal to the Holevo information (chuangnielsen, , Section 12.1.1) between and by the same reason as (matsumoto19qinp, , Remark 14).
We say that a secret sharing scheme is reconstructible if implies has or more bits of information geil14 . We say that a secret sharing scheme is private if implies has less than bits of information geil14 . In order to express and in terms of combinatorial properties of , we review a slightly modified version of the relative generalized Hamming weight luo05 .
Definition 3
matsumoto19qinp For two linear spaces and , …, , define the th relative generalized symplectic weight
(4) 
Note that . The following theorem generalizes Theorem 3.2.
Theorem 4.1
Proof
Almost the same as (matsumoto19qinp, , Theorem 16). ∎
5 GilbertVarshamovtype existential condition
Let be some prime power. In this section, we give a sufficient condition for existence of , with given parameters.
Theorem 5.1
If positive integers , , , , satisfy
(5) 
then there exist such that , and .
Proof
The following argument is similar to the proof of GilbertVarshamov bound for stabilizer codes calderbank97 and also to matsumoto19qinp . Let be the set of invertible matrices on that does not change the values of the symplectic inner product. Let be the set of pairs of linear spaces such that , and . For , define and .
For nonzero , , we have and , by the almost same argument as (matsumoto19qinp, , Proof of Theorem 25).
For each , the number of such that is . The number of triples , , such that is
which implies
(6) 
Similarly we have
(7) 
If there exists such that and for all and then there exists a pair of with the desired properties. The number of such that is given by
(8) 
By combining Eqs. (6), (7) and (8) we see that Eq. (5) is a sufficient condition for ensuring the existence of required in Theorem 5.1. ∎
We will derive an asymptotic form of Theorem 5.1.
Theorem 5.2
Let , , and be nonnegative real numbers . Define . For sufficiently large , if
then there exist such that , and .
Proof
Proof can be done by almost the same argument as (matsumotouematsu01, , Section III.C). ∎
In (matsumoto19qinp, , Theorem 26) we proved a special case of Theorem 5.2. The new parameter provides larger flexibility.
6 Strong Security
Let , and let , be nonnegative even integers.. The field size
can be either odd or even. We will consider the case that the number of participants is smaller than
in Remark 5. Let , …, be distinct elements. Define an ReedSolomon (RS) code asThen because .
6.1 Insecure example
In order to justify our study of strong security, we will show an insecure ramp scheme constructed in the framework of matsumoto19wcc ; matsumoto19qinp . Assume that are even integers only in Section 6.1. Let
Comments
There are no comments yet.