Security of a kind of quantum secret sharing with entangled states

We present a new collusion attack on a kind of quantum secret sharing scheme with entangled states. Using this attack, an unauthorized set of agents can gain access to the shared secret without the others' cooperation. Furthermore, we establish a general model for this kind of quantum secret sharing scheme and then give some necessary conditions for designing a secure quantum secret sharing scheme under this model.

The concept of secret sharing schemes was first introduced by Shamir [1] and Blakley [2], respectively, in which a secret S is divided into n pieces in such a way that S can be easily reconstructed from any k pieces, but even complete knowledge of k − 1 pieces reveals absolutely no information about S. This technique of secret sharing enables the construction of robust key management schemes, or any other cryptographic schemes, that can function securely and reliably even when misfortunes destroy half the pieces and security breaches expose all but one of the remaining pieces [1].
In contrast to classical secret sharing, the security of quantum secret sharing (QSS) is based on the fundamental principles of quantum physics, which allow agents (the holders of the shared secret) to share a secret securely even in the presence of an opponent Eve with unlimited computing ability [3]. Owing to this advantage of unconditional security, QSS has attracted much attention, and many schemes have been presented from both theoretical and experimental perspectives [4-12].
Although an opponent Eve must compromise at least k agents to learn the shared secret, and corrupt more than n − k shares to destroy the information in a (k, n) threshold secret sharing scheme, she has the entire lifetime of the secret to mount these attacks. Gradual or instantaneous break-ins into a subset of agents over a long period of time may be feasible for her. Accordingly, the protection provided by traditional secret sharing may not be sufficient. A natural defense is to periodically refresh the secret, but this is not always possible, for example for a cryptographic master key or proprietary trade-secret information. As a result, what is actually required to protect the secret is to periodically renew the shares without changing the secret, in such a way that any information Eve has learned about individual shares becomes obsolete once the shares are renewed. This is so-called proactive secret sharing, which was first introduced by Herzberg et al. [13]. So far, many proposals for proactive secret sharing have been given in classical cryptography [14, 15].
Based on two-step quantum secure direct communication (QSDC) [16], a proactive QSS scheme (named the QD-scheme hereafter) was proposed recently [17], in which a dealer Alice prepares Einstein-Podolsky-Rosen (EPR) pairs and then sends all the second particles to every agent in sequence, and the agents encode their shares on these particles with four local unitary operations. However, Gao and Wang showed that the QD-scheme is not secure, in the sense that dishonest participants may collaborate to eavesdrop on the dealer's secret without introducing any error [18].
In this paper, we take the QD-scheme as an example and present a new collusion attack on this kind of QSDC-based QSS scheme, whereby an unauthorized set (the first agent and the last one) can gain access to the dealer's secret without the others' cooperation if they collude with each other. Then we establish a general model for this kind of QSS scheme. Finally, we give some necessary conditions for designing a secure QSS scheme under this model.

Distribution
(1) […] each of which is randomly in one of the four Bell states. Alice also prepares decoy particles (BB84 particles) and inserts them into the [y] sequence. After that, she sends the [y] sequence to Bob_1, and keeps a record of the insertion positions and initial states of the decoy particles.
(2) After confirming that Bob_1 has received the [y] sequence, Alice publicly announces the positions of the decoy particles and asks Bob_1 to measure these particles in the basis $Z=\{|0\rangle,|1\rangle\}$ or $X=\{|+\rangle,|-\rangle\}$ according to their preparation bases, and to publish his measurement results. Alice then computes the error rate by comparing the measurement results with the initial states. If the error rate exceeds the preset threshold, she asks Bob_1 to abort the process and start a new one. Otherwise, they continue the protocol.
(3) Bob_1 randomly chooses a binary number …, where Ψ′ is the evolution of Ψ after the agents' operations. After that, Bob_1 updates his key as …
(V) After the above steps, the first updating period is over. When the second updating period starts, Bob_2 performs the same actions as Bob_1 did. The remaining updates are performed periodically in the same way.

Recovery.
To recover the secret S, a trusted DC (a combiner designated by the agents) is needed.

By the property of the EPR pairs and the four encoding operations, we can know …, which means …. Clearly, after the first updating period of keys, the shared secret is …. The other updating periods of keys are similar to the first, and thus the shared secret S is not changed by the updating of keys. Therefore, the recovered secret by equation …

The collusion scheme. As we know, the security of QSS requires that only an authorized set of agents can recover the secret S distributed by the dealer, while any unauthorized set of agents can learn nothing about it. Consequently, the main goal for the security of QSS is to prevent dishonest agents from deceiving. Nevertheless, dishonest agents have many advantages compared with outside opponents. On the one hand, they legitimately know partial information. On the other hand, they can lie during the eavesdropping check to avoid introducing errors. Therefore, analysing the security of QSS schemes is more complicated than for two-party cryptographic schemes [19-21].
From the QD-scheme, it can be seen that the distribution phase, the updating phase and the recovery phase are very similar: all of them are based on QSDC. Here we take the distribution phase as an example to show its insecurity. In the distribution phase, the [y] sequence prepared by Alice is transferred among the n agents Bob_1, Bob_2, …, Bob_n in turn, and when it is sent to an agent Bob_j (j = 1, 2, …, n), Bob_j encodes his share …. Although each agent Bob_j (j = 1, 2, …, n) checks the security of the quantum channel between him and the previous agent Bob_{j−1}, and Alice checks the security of the quantum channel between her and the agent Bob_n, there is still a chance for dishonest agents to deceive. Specifically, the first agent Bob_1 and the last agent Bob_n, an unauthorized set of agents, can gain access to the shared secret S without the cooperation of any other agent if they collude with each other, using the following collusion attack.
(i) In the distribution phase, Bob_1 prepares m EPR pairs after checking the security of the quantum channel between him and Bob_{n−1}, where Ψ′″ is the evolution of Ψ″ after the agents' operations.
(iv) As in Step (4), …
(v) As in Step (4), after inserting BB84 decoy particles into [y_n] (the real [y_1] sequence after Bob_n's operation), Bob_n sends it to Alice.
(vi) After the completion of distribution, Bob_1 and Bob_n can recover the shared secret S at any time by computing …

Now let us prove the effectiveness of the joint attack. Firstly, it is evident from the above attack that this deception introduces no error and therefore cannot be detected in the eavesdropping check. Secondly, the EPR pairs generated by Bob_1 … after the unitary operations of Bob_2, Bob_3, …, Bob_{n−1}. Therefore, we can get …, which means that the secret S also satisfies …. Obviously, the secret computed by Bob_1 and Bob_n equals S. Additionally, as shown in the QD-scheme [17], the shared secret S is not changed by the updating of keys.
As a result, Bob_1 and Bob_n can gain access to the shared secret S at any time without the others' cooperation if they collude with each other, which conflicts with the security requirement of QSS that only an authorized set of agents can recover the secret S, while an unauthorized set of agents can learn nothing about it.
Note that Bob_1 and Bob_n can also directly gain access to the shared secret S in the recovery phase if they collude with each other, by a similar joint attack.
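As an added illustration (not code from the paper), the following state-vector simulation shows the EPR-pair property that both the recovery phase and the collusion argument above rely on, and that also underlies step 4) of the general model below: Pauli encodings applied in turn to the travelling qubit of a Bell pair compose to the Bell state labelled by the XOR of the 2-bit shares, so whoever prepares a pair and Bell-measures it at the end learns the XOR of every encoding applied in between. The share labels, the function names and the assumption that the four encoding operations are I, X, Z, iY are mine; how Bob_1's pairs reach Bob_n in the attack is not modelled.

```python
import math

# Assumed encoding operations of two-step QSDC, indexed by a 2-bit share.
# Global phases are irrelevant: a Bell measurement identifies the state up to phase.
PAULI = {
    (0, 0): [[1, 0], [0, 1]],    # I
    (0, 1): [[0, 1], [1, 0]],    # X
    (1, 0): [[1, 0], [0, -1]],   # Z
    (1, 1): [[0, 1], [-1, 0]],   # iY = ZX
}
R = 1 / math.sqrt(2)
# Bell states as amplitudes over |00>,|01>,|10>,|11>, keyed by their 2-bit label.
BELL = {
    (0, 0): [R, 0, 0, R],    # Phi+
    (0, 1): [0, R, R, 0],    # Psi+
    (1, 0): [R, 0, 0, -R],   # Phi-
    (1, 1): [0, R, -R, 0],   # Psi-
}

def apply_on_travel_qubit(state, op):
    """Apply a 2x2 operation to the second (travelling) qubit of a 2-qubit state."""
    out = [0.0] * 4
    for a in (0, 1):                       # first (home) qubit is untouched
        for b_new in (0, 1):
            out[2 * a + b_new] = sum(op[b_new][b] * state[2 * a + b] for b in (0, 1))
    return out

def bell_measure(state):
    """Return the label of the Bell state that the 2-qubit state lies in."""
    for label, vec in BELL.items():
        amp = sum(v * s for v, s in zip(vec, state))   # <Bell|state>, all real
        if abs(amp) ** 2 > 0.999:
            return label
    raise ValueError("state is not a Bell state")

def xor_labels(labels):
    """Bitwise XOR of a list of 2-bit labels (the 'modular sum' of shares)."""
    return tuple(sum(bits) % 2 for bits in zip(*labels))

def run_chain(shares):
    """Holder of a Phi+ pair lets each share be encoded on the travelling qubit in
    turn, then Bell-measures: the outcome is the XOR of all shares applied."""
    state = list(BELL[(0, 0)])
    for k in shares:
        state = apply_on_travel_qubit(state, PAULI[k])
    return bell_measure(state)

def endpoints_recover_secret(shares):
    """Bob_1 prepares the pair, Bob_2..Bob_{n-1} encode on its travelling qubit and
    Bob_n measures it: the two endpoints learn the XOR of the middle shares and,
    adding their own, obtain S without any cooperation from the others."""
    k1, kn, middle = shares[0], shares[-1], shares[1:-1]
    return xor_labels([k1, run_chain(middle), kn])
```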

The proposed model. In this section, we give a general model for this kind of QSDC-based QSS scheme. Let k be the security parameter. The general procedure for this kind of QSS can be rephrased as follows.
1) Alice prepares m quantum states $\varphi=\bigotimes_{i=1}^{m}\varphi_i$ (two-particle or multi-particle entangled states). Then she takes one particle from each entangled state $\varphi_i$ to form a travel sequence (named the T-sequence hereafter). After that, she prepares 2k decoy particles and inserts them into the T-sequence before sending it to Bob_1.
2) On receiving the T-sequence, Bob_1 first ascertains whether each particle in the T-sequence is indeed a single particle, by methods similar to those in refs 22-24. If so, Alice tells Bob_1 the initial states and positions of k decoy particles, and Bob_1 checks whether the T-sequence is secure by his measurement outcomes on them. If it is secure, then for each particle in the T-sequence Bob_1 chooses two unitary operations U, U′ and performs the operation U′U on it, where U is chosen from a set $\tilde U$ according to his sub-secret K_1 and is used to encode his sub-secret, and U′ is randomly chosen from a set $\tilde U'$ and is used to encrypt his sub-secret. After that, he also prepares k decoy particles and inserts them into the T-sequence before sending it to Bob_2. In all other cases, he aborts the protocol and asks Alice to restart.
3) Bob_2 performs the same actions as Bob_1 does in Step 2) after receiving the T-sequence. This process is repeated until Bob_n sends the T-sequence to Alice.
4) On receiving the T-sequence, Alice also first ascertains whether each particle is indeed a single particle. If so, she announces the remaining k decoy particles' positions to the agents and requires them to send her the unitary operations U′U they performed on these particles. Then she judges whether the T-sequence has been attacked by her measurement outcomes on the k decoy particles. If it is secure, she requires all agents to send her their encryption operations U′, and then she performs a projective measurement on each entangled state $\varphi_i$, i = 1, 2, …, m. From the measurement outcomes and the initial states, she can obtain the secret …. In all other cases, she aborts the protocol. By running this procedure, Alice makes the n agents share a secret S that can be reconstructed if and only if they all cooperate.
The proposed conditions. Now let us study the necessary conditions for designing a secure QSS scheme under this model. For QSS, security mainly concerns two aspects: the agents' encoding operations (sub-secrets) and the shared secret S.
Firstly, let us analyse the conditions under which nobody can obtain an agent's sub-secret except the agent himself. To get an agent Bob_i's sub-secret K_i, there are generally three ways for an opponent Eve. The first is intercepting the T-sequence and then learning some information by directly measuring each particle in it. The second is sending fake particles to Bob_i as the T-sequence and then intercepting them when Bob_i sends them to Bob_{i+1}; after that, Eve tries to learn some information by measuring these fake particles later. The last is sending multi-particle signals to Bob_i, i.e., a Trojan horse attack: Eve inserts one or more spy particles, an invisible particle, or a delayed particle into each particle of the T-sequence when it is sent to Bob_i, captures the spy particles when they are sent to the next agent Bob_{i+1}, and gets some information by measuring them later. This kind of attack was introduced in 2005 by Deng et al. [22] and has been used to break many cryptographic schemes [23, 24], so we must seriously consider how to deal with it here. Consider first whether the first way is feasible. It can be seen from the proposed model that nobody knows the initial state of $\varphi_i$ except Alice. In addition, Eve only has one particle of each entangled state $\varphi_i$. Accordingly, by the principles of quantum measurement she can learn no information about Bob_i's encoding operation U, which means that nobody can learn an agent's sub-secret this way. If Eve wants to steal Bob_i's sub-secret K_i by the second way, she must first escape the security check on the T-sequence between Bob_{i−1} and Bob_i. This is impossible for an outside opponent Eve except with exponentially small probability, but it is not a problem for an inside opponent Bob_{i−1}.
Scientific Reports | 7: 2485 | DOI:10.1038/s41598-017-02543-0
Nevertheless, if Bob_{i−1} wants to steal Bob_i's sub-secret K_i by directly measuring these fake particles, he must be able to discriminate the encoding operation U from the set $\tilde U$ after the encrypting operation U′, which is equivalent to discriminating in which one of the sets $\tilde U' U$ ($U \in \tilde U$) the unitary operation U′U lies. However, the unitary operation U′U is performed on a fake particle (a single particle or one qubit of an entangled state) only once, so if the two sets $\tilde U'$ and $\tilde U$ are selected properly, Bob_{i−1} cannot tell in which of the sets $\tilde U' U$ ($U \in \tilde U$) the operation U′U lies by measuring the fake particle alone. To get rid of this restriction, Bob_{i−1} can measure these fake particles after Bob_i publishes his encryption operation U′ in Step 4), but then his deception must escape the security check between Bob_i and Bob_{i+1} in Step 3) and Alice's security check in Step 4). Obviously, if Bob_{i+1} is also dishonest, that is, he colludes with Bob_{i−1}, then Bob_{i−1}'s deception can easily escape the security check between Bob_i and Bob_{i+1}. To escape Alice's security check in Step 4), the teleportation attack was proposed in 2008 [20, 25, 26]; how to prevent this attack is analysed in the following paragraphs. To steal Bob_i's sub-secret by the last way, Eve's deception must escape Bob_i's multi-particle signal check. This is very difficult, because this kind of attack can be prevented by technical measures. Li et al. [23] gave a way to filter out invisible photons. Specifically, Bob_i can first add a filter in his laboratory, through which all photon pulses must pass. Only wavelengths close to the operating wavelength are let in, so Eve's invisible photons are filtered out. Furthermore, for spy photons that cannot be filtered out, Deng et al. [22] gave a feasible way to detect them.
Specifically, Bob_i chooses some sample signals and splits each of them with a photon number splitter, and then measures the two outputs in the Z-basis or X-basis at random. If both measurements produce an outcome, Bob_i can conclude that the quantum signal is a multi-photon signal. Therefore, if Bob_i is able to discriminate whether each quantum signal contains only a single particle, this way is no longer feasible.
Secondly, let us analyse the conditions under which nobody can recover the shared secret S unless all the agents cooperate. Since the shared secret is the modular sum of the agents' sub-secrets, i.e., …, the conditions protecting the sub-secrets must first be satisfied to maintain its security. To gain access to the shared secret S, one possible way is to steal all the agents' sub-secrets K_1, K_2, …, K_n, the difficulty of which has been analysed in the paragraphs above. Another possible way is the teleportation attack. The basic principle of this attack can be described as follows. In Step 2), a dishonest agent (e.g., Bob_1) sends m + k fake particles (each of them one qubit of a Bell state) instead of the T-sequence to the next agent. At the same time, he stores the real T-sequence and the remaining m + k qubits of the Bell states in his quantum memory. In Step 4), when Alice announces the remaining k decoy particles' positions, Bob_1 performs a teleportation measurement on each corresponding original decoy particle together with the remaining qubit of the corresponding Bell state. In this way, the state of the original decoy particle is teleported to the fake one (i.e., the qubit of the corresponding Bell state that was finally sent to Alice) by the principle of teleportation, up to a missing unitary correction, and therefore the dishonest agent can successfully hide his replacement by sending the corresponding unitary operation to Alice. The condition for preventing this attack under the single-particle model has been discussed in depth in ref. 27. By similar analysis, we find that this condition is also suitable for the present model.
Specifically, the condition is that the set U is not contained in $\widetilde{U,U'}$, where U denotes the set of unitary operations corresponding to the teleportation measurement outcomes (the corrections), and $\widetilde{U,U'}$ represents the set of unitary operations consisting of all the elements of $\tilde U$ and $\tilde U'$ together with all their possible products.
Up to now, we have clarified the conditions for preventing all the known attacks under the proposed model, i.e., (i) the dealer Alice and every agent are able to discriminate whether each quantum signal contains only a single particle; (ii) the unitary operation U′U cannot be discriminated within the set $\tilde U' U$ when it is performed only once on a single particle or on one qubit of any entangled state; (iii) the set U is not contained in $\widetilde{U,U'}$.

Discussion
Using the given conditions, we can judge whether a QSS scheme under the proposed model is secure: if a QSS scheme under the proposed model does not satisfy all of the conditions (i)-(iii), the scheme cannot be secure (e.g., the QD-scheme is vulnerable to many attacks because it satisfies none of the conditions (i), (ii) and (iii)); otherwise, the scheme is immune to all the known attacks, in the sense that these attacks will be detected by Alice during eavesdropping detection with probability p. The probability p can be computed by the following equation …, where p_e denotes the least probability that an opponent introduces an error when a decoy particle is checked. Assuming a QSS scheme under the proposed model satisfies all of the conditions (i)-(iii), the least probability p_e depends only on the set $\widetilde{U,U'}$, since the multi-particle signal attack and the invisible particle attack have been excluded by condition (i); thus p_e is no less than 1/r, since by condition (iii) at least one of the unitary operations corresponding to the teleportation measurement cannot be properly announced, where r is the number of elements of the set U.
From Eq. (12), it can be seen that p is exponentially close to 1 as the security parameter k increases, which means that the opponent's attack will be detected by Alice with probability exponentially close to 1.
It is evident that if the opponent's attack is detected by Alice, he or she obtains no information about the shared secret S. Nevertheless, when Alice finds that there has been deception among the agents during the eavesdropping check, she cannot tell which one is the attacker. This means a dishonest agent may be willing to take the risk of cheating: if the cheating is not detected he benefits, and even if it is detected he will not be blamed by Alice. Furthermore, when k is very small, the dishonest agent may have a chance to escape Alice's detection.
Using the given conditions, we can also judge that a QSS scheme is not secure if it is similar to the present model; e.g., the QSS scheme in ref. 28 is not secure since it does not satisfy condition (iii). Nevertheless, we cannot give a full classification of the security of previous schemes by the conditions (i)-(iii), because most of them differ substantially from the present model.