Abstract
Semi-quantum secret sharing is an important research issue in quantum cryptography. In this paper, we propose a (t, n) threshold semi-quantum secret sharing protocol, which combines the practicality of semi-quantum secret sharing protocols and the flexibility of (t, n) threshold quantum secret sharing protocols. Participants prepare and transmit single particles in a circular way, and then any t out of n participants can recover the secret according to Shamir’s secret sharing scheme. As quantum resources, single particles are easy to prepare. Furthermore, classical participants only need to possess the capability to prepare and insert particles. The security analysis shows our protocol has security against most attacks. Except decoy particles, all particles are useful to carry the secret message, so the efficiency of the proposed protocol can achieve 100%.
1 Introduction
Secret sharing is an important branch of modern cryptography. The concept of secret sharing is that the secret holder divides his secret into several pieces and each participant can obtain a piece from the holder. The threshold number of participants can recover the secret in collaboration with others.
The first classical secret sharing (CSS) protocol [] was proposed by Shamir in 1979. However, if an eavesdropper, Eve, controls the communication channel, she can easily obtain the secret holder’s, Alice’s, secret []. Unfortunately, the physical properties of quantum mechanics mean that eavesdropping can be detected easily because eavesdropping may disturb quantum information, which induces errors. Therefore, quantum secret sharing (QSS) emerged based on security additional requirements. In 1999, Hillery et al. proposed the first QSS protocol []. Authors employed the three-particle and four-particle entangled Greenberger-Horne-Zeilinger (GHZ) state to share a secret message in their protocol. In 2003, Guo et al. proposed a more efficient QSS protocol [] that only used product states. In 2008, Wang et al. put forward a QSS protocol [] with higher efficiency and security based on single photons. After that, a huge number of QSS protocols [–] were proposed.
The above QSS protocols require all participants to possess full quantum capabilities, but not all participants are equipped with complete quantum devices. Fortunately, the concept of semi-quantum secret sharing (SQSS) was proposed. In a semi-quantum environment, some participants have limited quantum capabilities. They can cooperate with the participants with full quantum capabilities to complete tasks of secret distribution and reconstruction in SQSS protocols. In 2010, Li et al. proposed the first semi-quantum secret sharing protocol []. In the protocol, they used entangled GHZ-type states to share a secret message. In 2015, Xie et al. presented an efficient SQSS protocol [] that can share a specific secret. In 2018, an SQSS protocol with limited resources was designed by Li et al. [], which was more efficient compared with previous protocols. In 2021, Yin et al. proposed an SQSS protocol [] based on GHZ-type states. The protocol adopted identity authentication to verify the identification of participants in communication. In recent years, more SQSS protocols [, –] were proposed.
However, all the above SQSS protocols are (n, n) threshold protocols. That is to say, the secret sharing tasks cannot be completed when there is someone unable to participate. So, we propose a (t, n) threshold SQSS protocol based on Shamir’s secret sharing scheme, in which any t out of n participants with limited quantum capabilities can recover the secret. All participants only use single particles, which are easier to prepare than other quantum resources. In our protocol, the initial particles prepared by Alice are sent to the first participant. Every participant inserts his particles and sends the new sequence to the next one until Alice receives the final sequence from the last participant. The sequence composed of particles is transmitted in a circular way. Due to the circular transmission mode, participants play the different roles. Furthermore, classical participants in our protocol are released from many quantum operations and they are only required to possess the capability to prepare and insert particles. Moreover, the qubit efficiency of our protocol can achieve 100% because all particles are used to carry the secret message except for decoy particles. As mentioned above, a flexible and efficient SQSS protocol is proposed in this paper. In addition, the security of our protocol can be proved under intercept-resend attack, measure-resend attack, entangle-measure attack, and collusion attack.
The rest of this paper is organized as follows. In Section 2, we present some preliminaries about the setting of SQSS and Shamir’s secret sharing. Then, in Section 3, we describe a (t, n) threshold SQSS protocol. An example of the proposed (t, n) threshold SQSS protocol is given in Section 4. In Section 5, we analyze the security of our protocol and give a comparison with some SQSS protocols. Finally, a conclusion is provided in Section 6.
2 Preliminaries
Here, to make our protocol easier to understand, we will briefly introduce some preliminaries about the setting of SQSS and Shamir’s secret sharing.
2.1 The setting of SQSS
In SQSS protocols, there are participants restricted to using only the quantum states in the fixed computational basis , and they only have classical computing power. All participants of an SQSS protocol are required to perform the following operations only: (a) reflect the qubits undisturbed; (b) measure the qubits with the classical basis; (c) generate a (fresh) qubit with the classical basis and send it; and (d) reorder the qubits, so they can never prepare or measure qubits arbitrarily. The qubits with the classical basis are regarded as “classical bits”, and the participants restricted to performing the above operations are known as “classical participants”.
2.2 Shamir’s secret sharing
Shamir [] proposed a (t, n) threshold scheme based on polynomial interpolation in 1979. According to the property of polynomial interpolation, this technique enables the construction of secret sharing schemes that can function even when fewer than n participants want to reconstruct the secret. Therefore, Shamir’s scheme has been widely used in the field of quantum cryptography, such as quantum secret sharing [–] and quantum key distribution [].
Given that there is a secret holder Alice and n participants , Shamir’s secret sharing consists of two phases:
In the secret sharing phase, the secret holder Alice selects a polynomial of t–1 degree:
Here, S is Alice’s secret, t is the lower limit of the number of participants who can reconstruct Alice’s secret S, and is the coefficient Alice picks. Alice selects n integers as and computes as shadows. Then she distributes them among n participants. only knows and , where .
In secret reconstruction phase, t participants use the Lagrange interpolation formula and their shares to reconstruct the secret. The Lagrange interpolation formula is as follows:
Participants can calculate the polynomial under the condition that to obtain , which is just the secret S.
3 A (t, n) threshold SQSS protocol
In this section, we propose a (t, n) threshold SQSS protocol. Assume that the secret holder Alice wants to share her secret among n participants . Any t out of these n participants can recover Alice’s secret, and participants fewer than t cannot get information about the secret. The steps of the proposed (t, n) threshold SQSS protocol are described as follows:
Step 1Alice picks a random polynomial:where S is Alice’s secret and is a random coefficient.
Step 2Alice randomly chooses an integer xi and computes for with , meaning that the length of the binary sequence is less than N bits.
Step 3Alice randomly prepares N particles in one of the states , which compose a sequence . All particles in are used as decoy particles. Alice sends to .
Step 4After receiving from Alice, randomly chooses an N-bit binary sequence as his private key . prepares N new particles in according to his private key . The binary bit “0” denotes , and the binary bit “1” denotes . According to the rule mentioned above, inserts the corresponding particles into randomly to form a new sequence . is composed of 2N particles. Subsequently, sends to .
Step 5 repeats Step 4. Finally, sends the sequence to Alice.
Step 6Alice and perform the eavesdropping checking. Alice publicly announces that she has received , which is composed of Alice’s decoy particles in and classical participants’ particles in . Each participant announces the places where he inserts his particles. Then Alice knows the positions of her decoy particles in . She uses the proper measurement basis to measure her particles. By comparing measurement results of decoy particles with the initial states, Alice can evaluate the error rate. If the error rate exceeds the predefined threshold value, Alice will restart the protocol.
Step 7After the eavesdropping checks, Alice measures the remaining particles with Z basis. According to the measurement results, Alice can obtain the private key of . Then, Alice computes . Here, is the binary bit string of . In this way, Alice can get a corresponding new binary sequence , which is composed of . Finally, Alice announces her new sequence .
Step 8Because all participants announce where they insert their particles in Step 6, knows the positions of his particles in and obtains his corresponding binary bit string from . According to Step 7, . So, computes . After that, calculates an integer by the binary bit string and successfully obtains his secret shadow. At least t participants use their secret shadows to recover Alice’s secret S through the Lagrange interpolation:
4 An example
To give a clear explanation of our protocol, we will take a (3, 4) threshold protocol as an example in the following. Suppose the secret holder Alice wants to share her secret 00001 with the participants. Obviously, .
4.1 Alice’s preparation
Alice picks a polynomial . She respectively announces to . Alice also computes , which are the values Alice wants to distribute to classical participants.
Alice randomly prepares 5 decoy particles in one of the states , which compose .
4.2 Secret sharing
Alice sends to . After that, creates a 5-bit private key for himself. Therefore, prepares 5 particles in and inserts these particles into to form a new sequence . Then sends to .
creates his private key 01010. He prepares corresponding particles and inserts them into . Therefore, the new sequence is ’s private key is 11100 and ’s private key is 11111. They do the operations similar to and . The final sequence received by Alice is . Here,
For eavesdropping detection, participants announce where they insert their particles. Alice can obtain the positions of her particles. She measures these particles with proper measurement basis and checks the error rate. For example, if Alice prepares in , she should measure the corresponding particle in with X basis after receiving the final sequence from . If there is no eavesdropper, the measurement result will be . Once the result is different from , there exists an eavesdropper. Then, Alice can evaluate the error rate. If the error rate exceeds the predefined threshold value, they will restart the protocol.
After eavesdropping detection, Alice measures the remaining particles with Z basis. Subsequently, she obtains of . According to the relationship established in Step 7, Alice computes , where is the binary bit string of . She obtains a new binary sequence , which is composed of . Then Alice announces .
All participants declare where they insert their particles in Step 6, so knows the positions of his particles. can obtain his from and calculate , because . For , , , ,
Finally, transforms the binary bit into the integer .
4.3 Secret recovery
Suppose three participants, , try to recover Alice’s secret. According to the Lagrange interpolation,
In this way, they complete a (3,4) threshold SQSS protocol and recover the secret shared by Alice.
5 Security analysis and comparison
In this section, we will analyze the security of our protocol and further compare our protocol with some SQSS protocols. An inside participant has a more powerful ability to eavesdrop on an SQSS protocol than an outside attacker. If a protocol can resist the attack from an inside participant, it is also secure for an outside attacker. Thus, in the following security analysis, we focus on the attack from an inside participant. The dishonest participant will try to steal Alice’s secret by using the following attack strategies.
5.1 Measure-resend attack
Suppose that is the malicious participant. To obtain Alice’s shared integers needs to intercept the sequence when sends it to Alice. Then measures all particles in with Z basis. After that, can get any participant’s private key after every participant announces where he inserts his particles. However, without knowing the positions of the particles prepared by Alice, would be detected by the security checks in Step 4. Concretely speaking, if Alice prepares or , the state will not be changed. But if Alice prepares or , ’s attack will make the particle collapse into or . For each decoy particle prepared in X basis, ’s measure-resend attack on it will be detected by the security check with a probability of 50%. To sum up, the probability that Alice can detect ’s eavesdropping is , where k represents the num of or in . If k is large enough, the detection probability will approach to 100%. Therefore, will not be declared. According to , is unable to calculate any ’s or without . Finally, cannot get Alice’s secret S.
5.2 Intercept-resend attack
To obtain Alice’s shared integers, the malicious participant needs to intercept the sequence when sends it to Alice. Afterward, keeps the (n+1)N particles in his hand and prepares (n+1)N fake particles with Z basis. Subsequently, he sends the fake sequence to Alice. However, does not know the positions of Alice’s particles. He replaces Alice’s particles with his fake particles. When Alice measures fake particles in X basis in Step 6, she will obtain an incorrect result with a probability of 50%. Assume that there are k decoy particles prepared with X basis in , the probability that eavesdropping will be detected is , which approaches 100%. So cannot pass the security check. That is, Alice will not declare , which makes it impossible for to obtain Alice’s secret.
5.3 Entangle-measure attack
Suppose that is the dishonest participant. He cannot discover the difference between the particles prepared by Alice and those prepared by other participants. Therefore, he has to entangle his auxiliary particles with all of them. uses a unitary operation to entangle an ancillary particle on each of the transmitted particles and then measures the ancillary particles to obtain Alice’s shared secret information.
Here, . If wants to avoid introducing an error, he must make his operation meet the following relations:
We can infer
Here, 0 denotes a column zero vector.
Then, the deduced results are as follows:
From Eq. 12, we can create Eq. 13:
In this way, the final results can be deduced as the following, Eq. 14:
So, cannot distinguish without introducing an error. Once errors are found in the eavesdropping checks, Alice will abort the protocol, and will obtain no information about Alice’s secret.
5.4 Collusion attack
Two or more dishonest participants may try to steal other participants’ secret shadows by stealing their private keys. First, we assume that and are the ones who start the collusion attack to obtain ’s private key. After receiving the sequence , prepares fake particles and then sends the fake sequence to . Then inserts his particles into the fake sequence and sends it to . and try to perform measurement on the new sequence to steal ’s private key. Neither nor knows the positions of ’s particles because the order is disrupted after inserts his particles. That means it is impossible for to distinguish ’s particles from the fake particles after measuring all the particles with Z basis. So cannot obtain private key without being detected in Step 6. If dishonest participants cannot pass through Alice’s check, Alice will not declare . As a result, dishonest participants cannot get any information about secret shadow.
Subsequently, we will discuss the situation where and cooperate to steal private key. Because of the collusion among , dishonest participants can master the positions of Alice’s decoy particles in . prepares a fake sequence and sends it to . However, upon receiving the new sequence from , are unable to know where inserts his particles. That is, can no longer distinguish ’s particles from the fake particles. In this case, it is almost impossible for dishonest participants to steal ’s private key and pass the security check. If the collusion attack is detected, Alice will not declare , and dishonest participants cannot get any information about secret shadow.
In this section, we prove that the proposed protocol is secure enough to resist measure-resend attack, intercept-resend attack, entangle-measure attack, and collusion attack.
5.5 Comparison
Here, we will give a comparison with some SQSS protocols. The comparison results are displayed in Table 1. The qubit efficiency is defined as , where n denotes the number of the useful qubits, and m denotes the number of the qubits transmitted.
TABLE 1
| Protocol | Quantum resource | Qubit efficiency | Threshold |
|---|---|---|---|
| Xie et al. [] | GHZ-like state | (n, n) | |
| Tsai et al. [] | W-state | (3, 3) | |
| Li et al. [] | GHZ state | (3, 3) | |
| Ye et al. [] | Single particle | 1 | (n, n) |
| Our protocol | Single particle | 1 | (t, n) |
Comparison of the SQSS protocols.
In terms of the threshold structure, our protocol is (t, n) threshold protocol. That is, the proposed protocol is more flexible than the (n, n) threshold protocols in Refs. [, , , ]. For quantum resources, all participants in our protocol use single particles, which are easier to prepare than entangled states used in the protocols in Refs. [, , ]. Furthermore, in our protocol, except for the decoy particles, all particles prepared are used to carry the secret shadows in principle. Thus, the qubit efficiency of our protocol can achieve 100%. Therefore, our protocol has better qubit efficiency than the protocols in Refs. [, , ]. In summary, our protocol is efficient, and it is more flexible than these protocols.
6 Conclusion
In this paper, we have proposed a (t, n) threshold SQSS protocol. Different from previous SQSS protocols, any t out of n classical participants can recover the secret in our protocol. Next, as quantum resources, single particles used in our protocol are easy to prepare. Moreover, except decoy particles, all particles are useful to transmit secret shadows, so the qubit efficiency of our protocol can achieve 100%. In addition, for classical participants, only the capability to prepare and insert single particles is required in our protocol. On the whole, the protocol proposed in this paper is flexible and efficient.
Statements
Data availability statement
The original contributions presented in the study are included in the article/Supplementary Material, further inquiries can be directed to the corresponding author.
Author contributions
All authors listed have made a substantial and intellectual contribution to this work and approved it for publication.
Funding
National Science Foundation of China (Grant No. 62272051) Foundation of Guizhou Provincial Key Laboratory of Public Big Data (Grant No. 2019BDKFJJ014). Project supported by the National Key R&D Program of China (Grant No. 2020YFB1805405), the 111 Project (Grant No. B21049), the National Science Foundation of China (Grant No. 62272051), the Foundation of Guizhou Provincial Key Laboratory of Public Big Data (Grant No. 2019BDKFJJ014), and the Fundamental Research Funds for the Central Universities, China (Grant Nos. 2020RC38, 2019XD-A02).
Conflict of interest
The authors declare that the research was conducted in the absence of any commercial or financial relationships that could be construed as a potential conflict of interest.
Publisher’s note
All claims expressed in this article are solely those of the authors and do not necessarily represent those of their affiliated organizations, or those of the publisher, the editors and the reviewers. Any product that may be evaluated in this article, or claim that may be made by its manufacturer, is not guaranteed or endorsed by the publisher.
References
1.
ShamirA. How to share a secret. Commun ACM (1979) 22(11):612–3. 10.1145/359168.359176
2.
YinAWangZFuF. A novel semi-quantum secret sharing scheme based on Bell states. Mod Phys Lett B (2017) 31(13):1750150. 10.1142/S0217984917501500
3.
HilleryMBužekMBerthiaumeA. Quantum secret sharing. Phys Rev A (1999) 59(3):1829–34. 10.1103/PhysRevA.59.1829
4.
GuoGPGuoGC. Quantum secret sharing without entanglement. Phys Lett A (2003) 310(4):247–51. 10.1016/S0375-9601(03)00074-4
5.
WangTWenQChenXGuoFZhuF. An efficient and secure multiparty quantum secret sharing scheme based on single photons. Opt Commun (2008) 281(24):6130–4. 10.1016/j.optcom.2008.09.026
6.
KarimipourVBahraminasabABagherinezhadS. Entanglement swapping of generalized cat states and secret sharing. Phys Rev A (2002) 65(4):042320. 10.1103/PhysRevA.65.042320
7.
ChauHF. Practical scheme to share a secret key through a quantum channel with a 27.6% bit error rate. Phys Rev A (2002) 66(6):060302. 10.1103/PhysRevA.66.060302
8.
LiYZhangKPengK. Multiparty secret sharing of quantum information based on entanglement swapping. Phys Lett A (2004) 324(5-6):420–4. 10.1016/j.physleta.2004.03.034
9.
WangHFJiXZhangS. Improving the security of multiparty quantum secret splitting and quantum state sharing. Phys Lett A (2006) 358(1):11–4. 10.1016/j.physleta.2006.04.110
10.
LinSWenQYGaoFZhuFC. Improving the security of multiparty quantum secret sharing based on the improved Boström–Felbinger protocol. Opt Commun (2008) 281(17):4553–4. 10.1016/j.optcom.2008.05.026
11.
GaoG. Improvement of efficient multiparty quantum secret sharing based on bell states and continuous variable operations. Int J Theor Phys (2014) 53(7):2231–5. 10.1007/s10773-014-2023-y
12.
WangJZhangSZhangQTangCJ. Semiquantum key distribution using entangled states. Chin Phys Lett (2011) 28(10):100301. 10.1088/0256-307X/28/10/100301
13.
GaoG. Secure multiparty quantum secret sharing with the collective eavesdropping-check character. Quan Inf Process (2013) 12(1):55–68. 10.1007/s11128-011-0351-x
14.
RahamanRParkerMG. Quantum scheme for secret sharing based on local distinguishability. Phys Rev A (2015) 91(2):022330. 10.1103/PhysRevA.91.022330
15.
GaoGWangYWangD. Multiparty semiquantum secret sharing based on rearranging orders of qubits. Mod Phys Lett B (2016) 30(10):1650130. 10.1142/S021798491650130X
16.
LiQChanWHLongDY. Semiquantum secret sharing using entangled states. Phys Rev A (2010) 82(2):022303. 10.1103/PhysRevA.82.022303
17.
XieCLiLQiuD. A novel semi-quantum secret sharing scheme of specific bits. Int J Theor Phys (2015) 54(10):3819–24. 10.1007/s10773-015-2622-2
18.
LiZLiQLiuCPengYChanWH. Limited resource semiquantum secret sharing. Quan Inf Process (2018) 17(10):285–11. 10.1007/s11128-018-2058-8
19.
YinAChenT. Authenticated semi-quantum secret sharing based on GHZ-type states. Int J Theor Phys (2021) 60(1):265–73. 10.1007/s10773-020-04688-7
20.
HuWWZhouRGLuoJ. Semi-quantum secret sharing in high-dimensional quantum system using product states. Chin J Phys (2022) 77:1701–12. 10.1016/j.cjph.2022.03.031
21.
TsaiCWYangCWLeeNY. Semi-quantum secret sharing protocol using W-state. Mod Phys Lett A (2019) 34(27):1950213. 10.1142/S0217732319502134
22.
CaoGChenCJiangM. A scalable and flexible multi-user semi-quantum secret sharing. In: Proceedings of the 2nd International Conference on Telecommunications and Communication Engineering; November 2018; Beijing China (2018). p. 28–32. 10.1145/3291842.3291857
23.
YinAHTongY. A novel semi-quantum secret sharing scheme using entangled states. Mod Phys Lett B (2018) 32(22):1850256. 10.1142/S0217984918502561
24.
YeCQYeTY. Circular semi-quantum secret sharing using single particles. Commun Theor Phys (2018) 70(6):661. 10.1088/0253-6102/70/6/661
25.
LiXYChangYZhangSB. Multi-party semi-quantum secret sharing protocol based on Bell states. In: Proceedings of the International Conference on Artificial Intelligence and Security; November 2020; Cham (2020). p. 280–8. 10.1007/978-3-030-57881-7_25
26.
TianYLiJChenXBYeCQLiHJ. An efficient semi-quantum secret sharing protocol of specific bits. Quan Inf Process (2021) 20(6):217–1. 10.1007/s11128-021-03157-2
27.
TianYLiJYuanKGLiHJChenXB. An efficient semi-quantum key distribution protocol based on EPR and single-particle hybridization. QUANTUM INFORMATION COMPUTATION (2021) 21(7-8):563–76. 10.26421/QIC21.7-8-3
28.
YangYGWenQY. Threshold quantum secure direct communication without entanglement. Sci China Ser G: Phys Mech Astron (2008) 51(2):176–83. 10.1007/s11433-008-0028-3
29.
QinHWDaiYW. An efficient (t, n) threshold quantum secret sharing without entanglement. Mod Phys Lett B (2016) 30(12):1650138. 10.1142/S0217984916501384
30.
LuCBMiaoFYMengKJYuY. Threshold quantum secret sharing based on single qubit. Quan Inf Process (2018) 17:64–13. 10.1007/s11128-017-1793-6
31.
LiLLiZ. A multi-party quantum key agreement protocol based on Shamir’s secret sharing. Int J Theor Phys (2019) 58:3081–90. 10.1007/s10773-019-04187-4
Summary
Keywords
semi-quantum secret sharing, (t, n) threshold, single particles, efficiency, circular transmission
Citation
Zhou Z, Wang Y, Dou Z, Li J, Chen X and Li L (2023) A (t, n) threshold protocol of semi-quantum secret sharing based on single particles. Front. Phys. 11:1225059. doi: 10.3389/fphy.2023.1225059
Received
18 May 2023
Accepted
03 July 2023
Published
21 July 2023
Volume
11 - 2023
Edited by
Nanrun Zhou, Shanghai University of Engineering Sciences, China
Reviewed by
Qin Li, Xiangtan University, China
Dan Li, Nanjing University of Aeronautics and Astronautics, China
Updates
Copyright
© 2023 Zhou, Wang, Dou, Li, Chen and Li.
This is an open-access article distributed under the terms of the Creative Commons Attribution License (CC BY). The use, distribution or reproduction in other forums is permitted, provided the original author(s) and the copyright owner(s) are credited and that the original publication in this journal is cited, in accordance with accepted academic practice. No use, distribution or reproduction is permitted which does not comply with these terms.
*Correspondence: Zhao Dou, dou@bupt.edu.cn
Disclaimer
All claims expressed in this article are solely those of the authors and do not necessarily represent those of their affiliated organizations, or those of the publisher, the editors and the reviewers. Any product that may be evaluated in this article or claim that may be made by its manufacturer is not guaranteed or endorsed by the publisher.