Dynamic quantum secret sharing protocol based on two-particle transform of Bell states
Du Yu-Tao1, 2, Bao Wan-Su1, 2, †
Henan Key Laboratory of Quantum Information and Cryptography, Zhengzhou Information Science and Technology Institute, Zhengzhou 450001, China
Synergetic Innovation Center of Quantum Information and Quantum Physics, University of Science and Technology of China, Hefei 230026, China

 

† Corresponding author. E-mail: bws2010thzz@163.com

Project supported by the National Basic Research Program of China (Grant No. 2013CB338002).

Abstract

To solve the problems of updating sub-secrets or secrets as well as adding or deleting agents in the quantum secret sharing protocol, we propose a two-particle transform of Bell states, and consequently present a novel dynamic quantum secret sharing protocol. The new protocol can not only resist some typical attacks, but also be more efficient than the existing protocols. Furthermore, we take advantage of the protocol to establish the dynamic secret sharing of a quantum state protocol for two-particle maximum entangled states.

1. Introduction

Quantum secret sharing (QSS)[1] is one of the most attractive research branches in quantum cryptography,[1–5] which allows a secret of the dealer to be shared among many agents, and only the authorized groups of agents can reconstruct the secret information. In 1999, Hillery et al.[1] proposed the first QSS protocol based on the GHZ states. Since then, QSS has received widespread attention and a range of QSS protocols[6–24] have been presented in succession, which can be classified by purpose into two categories:[1] one is to share classical information and the other is to share quantum information (secret sharing of quantum state).

Although a variety of QSS protocols have been presented in recent decades, how we add or delete agents as well as update secret or sub-secrets (the messages held by agents) in the QSS protocol is still a novel field. Here we call it the problem of dynamic parameter update, and refer to this kind of protocol as a dynamic quantum secret sharing (DQSS) protocol. In 2011, Yang et al.[21] presented a DQSS protocol for the member expansion based on the ideas of the classical Shamir scheme.[25] However, in this protocol, the cost of quantum resource and the number of the transmission for member expansion are considerable. In 2012, Jia et al.[22] presented two DQSS protocols based on starlike cluster states, which allow the agent group to change during the procedure of sharing classical and quantum secrets. But these protocols also consume too many quantum resources, and they cannot update secret or sub-secrets dynamically like Yang’s protocol can. In 2013, another DQSS protocol was presented by Hsu et al.[23] based on the entanglement swapping of EPR pairs, which can allow an agent to be added or deleted. However, it has been proved that the protocol cannot resist a collective attack.[26] In 2016, a multi-group DQSS protocol was presented by Liu et al.[24] based on single photons, which is more flexible and practical, but it is better suited to sharing secrets between a boss and some groups.

In this paper, we firstly propose the two-particle transform of Bell states to solve the problems of dynamic parameter update in QSS, which can perform different local unitary operations separately on two particles of Bell states. According to this transform, we present a DQSS protocol realizing the functions of adding or deleting agents and updating sub-secrets or secrets. The new protocol can resist attacks such as a dense-coding attack, compound entanglement swapping attack, and a cheating attack from a dishonest agent. Based on the high coding-efficiency of a two-particle transform of Bell states and the exchangeability of the phase shift operation set, the number of coding operations is only half of the secret bits, and the computation complexity of the secret reconstruction is O(n − 1). Furthermore, we take advantage of the new protocol to establish the dynamic secret sharing of the quantum state (DSSQS) protocol for the two-particle maximum entangled states.

2. Two-particle transform of Bell states

We propose a method by the name of two-particle transform of Bell states, which can perform the different local unitary operations chosen by the dealer and agents separately from the Pauli operations and the 3-element phase shift operations[27] on two particles of Bell states. Firstly, we prove the following conclusions.

According to theorem 1, when designing the QSS protocol, we can regard U1 as the compound operation on photon t performed by agents, and U2 as the encoding operation of the secret on photon h performed by the dealer, and as the reverse compound operation on photon t performed by agents.

It is obvious that there are three properties on this transform:

(i) Independence of operations

Based on Theorem 1, the operation on one particle of Bell states has no influence on the operation on the other particle. Thus we can make use of this property to design the DQSS protocol.

(ii) Nonlocal correlation of measuring results

Based on the nonlocal space properties of quantum entangled states, the local operation performed on one particle of Bell states can be deduced just by measuring collectively on the Bell states. Thus when we design the QSS protocol, the property can ensure the security of the protocol: if the unauthorized groups cannot obtain enough messages of agents’ operations (as the sub-secrets), they cannot deduce the encoding operation (as the secret) by measuring.

(iii) High coding-efficiency

Based on the quantum high-coding scheme,[28] a Pauli operation on 1 qubit can encode a 2-bit classical message; that is to say, the Pauli operation I (σx, σz, iσy) corresponds to the two classical bits “00” (“10”, “01”, “11”). In the QSS protocol, if the number of classical secrets is n bits, the number of coding operations is ⌈n/2⌉, as many as half of the secret bits.

3. DQSS protocol based on two-particle transform of Bell states

The new DQSS protocol consists of two parts as follows.

3.1. Process of secret sharing

Suppose that Alice is the dealer with her secret, the set of agents is B = {Bob, Charlie, . . ., Zach}, and the number of B is n. The purpose of the protocol is that Alice shares a secret M among these agents in B, and all the agents can only reconstruct the secret information by cooperating with each other.

i) Alice prepares k pairs of Bell states (i.e., |φ1⟩th, . . ., |φk⟩th) randomly from {|ϕ+⟩, |ϕ−⟩, |ψ+⟩, |ψ−⟩}, here , . Then she stores all the photons h of these Bell states (as H-sequence) in her laboratory, and sends all the photons t (as T-sequence) to Bob.

ii) After receiving the T-sequence, Bob firstly ascertains whether it is the single-photon sequence by using the photon number splitter (PNS: 50/50) or photon beam splitter (PBS: 50/50), etc. If not, he aborts the communication; otherwise, he performs the local unitary operations U(αi) (i = 1, 2, . . ., k) respectively on the photon ti of the T-sequence, which is chosen randomly from the phase shift operation set S = {U(0), U(2π/3), U(4π/3)}.[27] Here

Then Bob stores all of the operation messages as his sub-secret, and sends the T(1)-sequence (transformed from T-sequence) to Charlie.

iii) Charlie and the other agents perform procedures similar to Bob till the last agent Zach finishes his operations. At that time, Zach stores all the photons of the T(n)-sequence in his laboratory, and tells Alice by the classical channel that all the operations of agents have been finished.

iv) After receiving the message from Zach, Alice encodes the secret M by performing the Pauli operations on the photons of the H-sequence according to the following definitions: I (σx, σz, iσy) corresponds to the two classical bits “00” (“10”, “01”, “11”). Here

Then Alice sends the H(1)-sequence (encoded from H-sequence) to Zach.

v) After receiving the H(1)-sequence, Zach together with other agents firstly performs the eavesdropping detection with Alice. First Alice chooses randomly k1 positions of T(n)-sequence to tell all the agents. Then the agents choose randomly a delegate (like Green) to collect the others’ messages of operations on the chosen photons and to perform the reverse compound operations deduced by these messages. Then Green measures these photons associated with the corresponding photons of the H(1)-sequence in the Bell-basis, and sends the measuring results to Alice. According to the results and the initial states of corresponding Bell states, Alice deduces the corresponding operations and judges whether the photons are attacked by comparing them with the corresponding messages of the secret. If so, the communication is aborted. Otherwise, Alice announces all of the initial Bell states.

If there is no eavesdropping, all the agents can recover the secret by collaborating together. Similarly, they choose randomly a delegate (like Green) to collect all the agents’ messages of operations. Then Green performs the reverse compound operations deduced by these messages on photons of the T(n)-sequence and measures these photons associated with the corresponding photons of the H(1)-sequence in the Bell-basis. Finally, he can deduce the secret M, according to both the initial Bell states from Alice and the corresponding measuring results. The structure of the new protocol is depicted in Fig. 1.

Fig. 1. Structure of the dynamic QSS protocol.

Symbol “” denotes Bell states |φi⟩th (i = 1, 2, . . ., k) prepared by Alice; symbol “” represents the new entangled states, the left particle of which the phase shift operations have been performed on by all of the agents, and the right particle of which the Pauli operations have been performed on by Alice.

3.2. Process of dynamic parameters update

Without loss of generality, we suppose that |ϕ+⟩th are the Bell states prepared by Alice, is the compound operation on photon t by all the agents and N is the encoding operation on photon h by Alice. At that time, the new entangled state is |φ⟩th = (U ⊗ N)|ϕ+⟩th. Before Alice sends photon h to agents, two actions are taken as follows.

3.2.1. Update the sub-secret or secret message

(I) Some agent (like Green) wants to update his sub-secret Uj (j = 1, 2, . . ., n). He can ask Zach to send photon t to himself, and then perform operation on it. At that time, the new entangled states have transformed like this

(II) Alice wants to update the secret. She can perform operation N′ · N on photon h. At that time, the new entangled states have transformed like this

3.2.2. Add or delete an agent

I) Some agent (like Green) wants to leave the protocol. He can ask Zach to send photon t to himself, and then perform operation on it. At that time, the new entangled states have transformed like this

II) The new agent (like James) wants to take part in the protocol. Similarly, he can ask Zach to send photon t to himself to perform his own operation Un + 1. At that time, the new entangled states have transformed like this

If Alice has sent photon h to agents, the secret cannot be updated obviously. Before measuring the entangled states, however, it is allowed to update the sub-secrets of agents, and add or delete an agent.

4. Security analysis

According to Ref. [29], the QSS protocol is secure if and only if both the sub-secret and secret are secure. Apart from a series of practical attacks that use the photon number splitter, etc., we analyze the security of the sub-secret and the secret separately from a theoretical point of view.

4.1. Security of the sub-secret message

The theoretic foundation of attack to sub-secret is as follows: the attacker measures the different quantum states which are gained by performing the different unitary operations (like I, σx, σz, iσy) on the same quantum states, and then can deduce these operations by distinguishing among the quantum states. The typical example is the dense-coding attack.[30]

In the dense-coding attack strategy,[30] the attacker (like Eve) intercepts the T(j)-sequence (j = 1, . . ., n) sent from one agent (like Green) to the other agent (like Hulk), and replaces it with a fake T′-sequence, which is composed of the first particles of the ordered Bell states (like |ψ⟩th) prepared by herself. Eve sends the T′-sequence to Hulk and intercepts it again when Hulk has operated on these photons and sends them to the next agent. Then Eve performs collective measurements on each pair of Bell states to deduce the operations of Hulk, and performs the same local operations on every photon of the T(j)-sequence to send them to the next agent. At that time, Eve can obtain the sub-secret of Hulk while she has not been detected by anyone.

This protocol can resist this attack. Now we prove that the operations of the phase shift operations set S = {U(0), U(2π/3), U(4π/3)} cannot be distinguished exactly by measuring the different quantum states, which are gained by someone’s performing operations of set S randomly on the same Bell states (from {|ϕ+⟩, |ϕ−⟩, |ψ+⟩, |ψ−⟩}).

4.2. Security of secret message

There are mainly two kinds of attack strategies on the secret message: one is the compound entanglement swapping attack,[31–33] and the other is the cheating attack.[34]

4.2.1. Security against compound entanglement swapping attack

This kind of attack strategy combines an intercept-and-resend attack and entanglement swapping scheme (such as the collective attack[26]). In these attack strategies,[31–33] the dishonest agent (such as Eve) or their group can intercept and replace the travel photon (such as photon t) with photon t′ of Bell state |ψ⟩th, and then send it to the dealer. After the dealer sends back photon t′ with the secret, Eve can associate with other agents to obtain the secret by measuring both photon t′ and h′ of |ψ⟩th together. If the eavesdropping detection is coming, Eve can measure both photon t and h′ together and deduce the suitable unitary operations according to the discipline of entanglement swapping, to escape from the detection.

The compound entanglement swapping attack requires two basic conditions: firstly, the agents of the QSS scheme need to send photon t to the dealer after their operations, thus Eve has the opportunity to replace it with fake photon t′; secondly, the fake operations declared by Eve must be contained in the unitary operations set of the QSS protocol so that the lies can escape from the eavesdropping detections. Correspondingly, there are two effective means against this kind of attack: firstly, modify the structure of the QSS protocol without sending any photons to the dealer, so that it is useless for Eve to replace the travel photon t; secondly, restrict Eve’s announcements, so that she cannot declare the proper unitary operations to hide her behaviors in the process of detections.

The protocol can resist the kind of attack by using the new structure and the phase shift operation set. Firstly, in our QSS protocol the dealer does not ask agents to send photon t back, but encodes the secret on photon h and then sends it to agents. Secondly, the phase shift operation set S = {U(0),U(2π/3),U(4π/3)} can restrict the fake announcements.[24] Suppose that S′ is the fake operation set, and all elements of S and their compositions may establish the multiplicative group (S). It is easy to know S = (S), then

It has been demonstrated that S′ ⊄ (S) in Ref. [29]. Thus, the fake operations cannot be deduced by all elements of S and their behaviors cannot escape from the detections.

4.2.2. Security against cheating attack

A cheating attack from a dishonest agent[34] is as follows. In the secret reconstruction phase, the dishonest agent may provide a false share so that the secret cannot be recovered correctly by the authorized groups but he can correct the error alone. At present, most schemes cannot resist this attack. Only by using the verifiable QSS scheme,[34] can authorized groups resist an attack by verifying the truth of shares.

Our protocol can also resist this cheating attack by utilizing the phase shift operation set S = {U(0), U(2π/3), U(4π/3)}. Suppose that |ϕ+⟩ is the Bell state prepared by Alice, and Eve is a dishonest agent who performed the unitary operation U(α) ∈ S on photon t in Step 2 or 3. However, she provides the false operation message U(β) ≠ U(α) in Step 5. If the compound operation of other agents is U(θ), and the encoding operation of Alice on photon h is N, then [(U⁻¹(β + θ) · U(α + θ)) ⊗ N]|ϕ+⟩th ≠ (I ⊗ N)|ϕ+⟩th, and N ∈ {I, σx, σz, iσy}.

Now, the entanglement states cannot be located in the basis {|ϕ+⟩, |ϕ−⟩, |ψ+⟩, |ψ−⟩}, but in the basis , , , or , , , . Obviously the two bases are non-orthogonal with the Bell basis. If Eve provides the false share for recovery, the authorized group of agents will choose the wrong measurement basis. According to the uncertainty principle, the measurement result about the entanglement states will inevitably be distributed in error states randomly, so that Eve cannot correct and obtain the secret from the error because of the irreversibility of measurement. Therefore, the protocol can resist an in-attacker’s cheating attack.
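The sharing and reconstruction steps of Section 3.1 and the false-share case of Section 4.2.2, as an added state-vector simulation for one Bell pair (an example written for this page, not code from the paper). It assumes U(α) = diag(1, e^{iα}), because the paper's own definition of U(α) is not reproduced here; all function names are illustrative.

```python
import cmath
import math

# ASSUMPTION: U(a) = diag(1, e^{ia}); the paper's own definition is not on this page.
def U(alpha):
    return [[1, 0], [0, cmath.exp(1j * alpha)]]

I2 = [[1, 0], [0, 1]]
PHASES = (0.0, 2 * math.pi / 3, 4 * math.pi / 3)   # the phase shift set S

R = 1 / math.sqrt(2)
# Bell basis on photons (t, h); amplitudes ordered |00>, |01>, |10>, |11>.
BELL = {"phi+": [R, 0, 0, R], "phi-": [R, 0, 0, -R],
        "psi+": [0, R, R, 0], "psi-": [0, R, -R, 0]}
# Encoding from the paper: I -> 00, sigma_x -> 10, sigma_z -> 01, i*sigma_y -> 11.
PAULI = {"00": I2, "10": [[0, 1], [1, 0]],
         "01": [[1, 0], [0, -1]], "11": [[0, 1], [-1, 0]]}

def apply(state, A, B):
    """Apply A to photon t and B to photon h of a two-qubit state."""
    return [sum(A[a][c] * B[b][d] * state[2 * c + d]
                for c in range(2) for d in range(2))
            for a in range(2) for b in range(2)]

def bell_probs(state):
    """Outcome probabilities of a Bell-basis measurement (Bell amplitudes are real)."""
    return {name: abs(sum(x * y for x, y in zip(vec, state))) ** 2
            for name, vec in BELL.items()}

def decode(initial, outcome):
    """Pauli bits that map the announced initial Bell state to the measured one."""
    for bits, N in PAULI.items():
        if bell_probs(apply(BELL[initial], I2, N))[outcome] > 0.999:
            return bits

def share(initial, bits, applied):
    """Steps ii-iv: each agent phase-shifts photon t, then Alice encodes on photon h."""
    state = BELL[initial]
    for alpha in applied:
        state = apply(state, U(alpha), I2)
    return apply(state, I2, PAULI[bits])

def reconstruct(state, initial, declared):
    """Delegate undoes the sum of the declared phases on t, then measures in the Bell basis.
    Returns {decoded bits: probability} for every outcome that can occur."""
    undone = apply(state, U(-sum(declared)), I2)
    return {decode(initial, name): p
            for name, p in bell_probs(undone).items() if p > 1e-9}

if __name__ == "__main__":
    # Constructed sample run: three honest agents, secret bits "10".
    phases = [PHASES[1], PHASES[2], PHASES[1]]
    print("honest:", reconstruct(share("psi-", "10", phases), "psi-", phases))
    # Dishonest first agent applied 2*pi/3 but declares 0.
    state = share("phi+", "00", [PHASES[1], PHASES[2]])
    print("false share:", reconstruct(state, "phi+", [PHASES[0], PHASES[2]]))
```

Under the assumed U(α), a false declaration leaves the pair outside the Bell basis, so at each checked position the outcome matches Alice's record with probability 1/4 only.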

5. Efficiency analysis

The new DQSS protocol is more efficient than previous ones.

Firstly, the two-particle transform of Bell states is based on a quantum dense-coding scheme. Thus we can transmit the 2-bit classical message by performing an operation on 1 qubit in this protocol.

Secondly, the elements of the set S = {U(0),U(2π/3), U(4π/3)} satisfy the commutative principle of multiplication. Suppose ∀α, β ∈ {0,2π/3,4π/3}, then

So the agents need not consider the order of agents’ local unitary operations in step 2 or 3 but just do the addition to deduce the compound operation of all agents. Suppose that Bobi (i = 1, . . ., n) performs unitary operations U(i) = U(θi) on the photon t, where θi ∈ {0,2π/3,4π/3}. The compound operation of all agents is

Thus it reduces the computation complexity of secret reconstruction to O(n − 1). It not only provides convenience to the secret reconstruction phase, but also improves the efficiency of the scheme.

Thirdly, the unitary operation set S has the least number of elements on the premise of satisfying the conditions of security, which improves further the efficiency for recovering the secret. According to the conclusions in Refs. [35] and [36], if the elements of set S constitute a multiplicative group (S), the number of elements of (S) must be no less than 3, or else elements of (S) can be distinguished during performing them on a suitable single-particle state or one particle of an entangled state, which cannot satisfy the conditions of security. Obviously, the number of elements of (S) reaches the lower bound: (S) = S = {U(0),U(2π/3),U(4π/3)}.

The detailed comparisons between the new protocol and some existing ones are presented in Table 1.

Table 1. Comparisons between new protocol and some existing ones.

Suppose that the length of the secret message is 2k bit, and the total number of sample photons used for detections will be k′ bit.

6. New DSSQS protocols

According to Ref. [20], we can also present a kind of DSSQS protocol based on the new protocol above, the DQSS protocol for two-particle maximum entangled states, which is as secure as the former, and similarly has the functions of dynamic parameter update: adding or deleting an agent and updating sub-secrets. Here we just describe it briefly as follows:

Suppose that the unknown two-particle maximum entangled state is |φ⟩12 = α|+x⟩1|+y⟩2 + β|−x⟩1|−y⟩2 (α² + β² = 1). Similarly, Alice prepares two pairs of Bell states (like |φ1⟩th and |φ2⟩th), one of which is used for the quantum entanglement swapping from Alice to Bob, the other is used to send the classical message of the Bell-state measuring result on both |φ⟩ and one particle of |φ2⟩th to other agents by use of the DQSS protocol we just proposed. In the secret reconstruction phase, Bob and other agents must collaborate together to reconstruct the unknown single quantum state. Moreover, this protocol can be extended directly to one for unknown GHZ states. The structure of the DSSQS protocol for two-particle maximum entangled states is depicted in Fig. 2.

Fig. 2. Structure of the DSSQS protocol for two-particle maximum entangled states.

Symbol “” denotes unknown two-particle entangled state |φ⟩12; symbol “” represents Bell states |φ1⟩th or |φ2⟩th prepared by Alice; symbol “” refers to new entangled states, the left particle of which the phase shift operations have been performed on by agents except Bob, and the right particle of which Pauli operations have been performed on by Alice.

7. Summary

To summarize, firstly, we have proposed the two-particle transform of Bell states, and then presented a novel DQSS protocol for classical messages and DSSQS protocols based on the former one. Compared with the existing QSS protocol, this kind of QSS protocol is not only more secure and efficient, but also has the functions of a dynamic parameter update. Besides, our protocols are merely the (n,n) threshold protocols, which can be described by the fact that at least n agents must combine their sub-secrets together to recover the secret, and we will propose the (t,n) threshold protocol (with t < n) in the coming paper. Furthermore, the two-particle transform of Bell states may also have potential impacts on quantum key distribution,[37,38] quantum secure direct communication, quantum signature, quantum secure multiparty computation, and so on, which is worth further exploration.

References
[1] Hillery M Buzek V Berthiaume A 1999 Phys. Rev. 59 1829
[2] Bennett C H Brassard G 1984 Proceedings of IEEE International Conference on Computers, Systems and Signal Processing New York IEEE 175
[3] Zeng G H Ma W P Wang X M 2001 Acta Electron. Sin. 29 1098
[4] Long G L Wang C Li Y S Deng F G 2011 Sci. Sin. Phys. Mech. Astron. 41 332
[5] Ma H X Bao W S Li H W Zhou C 2016 Chin. Phys. 25 080309
[6] Karlsson A Koashi M Imoto N 1999 Phys. Rev. 59 162
[7] Cleve R Gottesman D Lo H K 1999 Phys. Rev. Lett. 83 648
[8] Gottesman D 2000 Phys. Rev. 61 042311
[9] Tittel W Zbinden H Gisin N 2001 Phys. Rev. 63 042301
[10] Karimipour V Bahraminasab A Bagherinezhad S 2002 Phys. Rev. 65 042320
[11] Chau H F 2002 Phys. Rev. 66 060302
[12] Guo G P Guo G C 2003 Phys. Lett. 310 247
[13] Xiao L Long G L Deng F G Pan J W 2004 Phys. Rev. 69 052307
[14] Zhang Z J Li Y Man Z X 2005 Phys. Rev. 71 044301
[15] Zhang Z J Man Z X 2005 Phys. Rev. 72 022303
[16] Zhang Z J 2005 Phys. Lett. 342 60
[17] Deng F G Li X H Zhou H Y Zhang Z J 2005 Phys. Rev. A 72 044303
[18] Hsu L Y 2003 Phys. Rev. 68 022306
[19] Han L F Liu Y M Liu J Zhang Z J 2008 Opt. Commun. 281 2690
[20] He L Zhen Zh Chen L K Li Zh D Liu Ch Li L Liu N L Ma X F Chen Y Ao Pan J W 2016 Phys. Rev. Lett. 117 030501
[21] Yang Y G Wang Y Chai H Teng Y Zhang H 2011 Opt. Commun. 284 3479
[22] Jia H Y Wen Q Y Gao F Qin S J Guo F Z 2012 Phys. Lett. 376 1035
[23] Hsu J L Chong S K Hwang T Tsai C W 2013 Quantum Inf. Proc. 12 331
[24] Liu H W Ma H Q Wei K J Yang X Q Qu W X Dou T Q Chen Y T Li R X Zhu W 2016 Phys. Lett. 380 2349
[25] Shamir A 1979 Commun. ACM 22 612
[26] Wang T Y Li Y P 2013 Quantum Inf. Proc. 12 1991
[27] Du Y T Bao W S 2013 Opt. Commun. 308 159
[28] Bennett C H Wiesner S J 1992 Phys. Rev. Lett. 69 2881
[29] Wang T Y Wen Q Y 2011 Quantum Inf. Comput. 11 0434
[30] Gao F Qin S J Guo F Z Wen Q Y 2011 IEEE J. Quantum Electron. 47 630
[31] Lin S Wen Q Y Gao F Zhu F C 2008 Opt. Commun. 281 4553
[32] Wang T Y Wen Q Y Gao F Lin S Zhu F C 2008 Phys. Lett. 373 65
[33] Gao G 2011 Opt. Commun. 284 902
[34] Yang Y G Teng Y W Chai H P Wen Q Y 2011 Int. J. Theor. Phys. 50 792
[35] Acín A 2001 Phys. Rev. Lett. 87 177901
[36] Duan R Y Feng Y Ying M S 2007 Phys. Rev. Lett. 98 100503
[37] Zhou C Zhang Y Y Bao W S Li H W Wang Y Jiang M S 2017 Chin. Phys. 26 020303
[38] Bao H Z Bao W S Wang Y Chen R K Ma H X Zhou C Li H W 2017 Chin. Phys. 26 050302