(t, n) Threshold d-Level Quantum Secret Sharing

Most of Quantum Secret Sharing(QSS) are (n, n) threshold 2-level schemes, in which the 2-level secret cannot be reconstructed until all n shares are collected. In this paper, we propose a (t, n) threshold d-level QSS scheme, in which the d-level secret can be reconstructed only if at least t shares are collected. Compared with (n, n) threshold 2-level QSS, the proposed QSS provides better universality, flexibility, and practicability. Moreover, in this scheme, any one of the participants does not know the other participants’ shares, even the trusted reconstructor Bob 1 is no exception. The transformation of the particles includes some simple operations such as d-level CNOT, Quantum Fourier Transform(QFT), Inverse Quantum Fourier Transform(IQFT), and generalized Pauli operator. The transformed particles need not to be transmitted from one participant to another in the quantum channel. Security analysis shows that the proposed scheme can resist intercept-resend attack, entangle-measure attack, collusion attack, and forgery attack. Performance comparison shows that it has lower computation and communication costs than other similar schemes when 2 < t < n − 1.

(QFT), d-dimensional Pauli operations, etc. In addition, the universality and practicability of d-level QSS are better than that of 2-level QSS, because the dimension of Hilbert space may be d, which is higher than 2.
Inspired by the flexibility of (t, n) threshold and the universality of d-level, in this paper, we propose a (t, n) threshold d-level QSS scheme. The scheme has generic properties of (t, n) threshold SS, e.g., the dealer Alice distributes n shares to n participants, and each participant only holds a share; any t out of the n participants can reconstruct the original secret. In addition, compared with the existing QSS schemes, the proposed QSS has better properties as follows. Owing to items 1 and 2, it provides lower computation cost; owing to item 3, it provides lower communication cost; owing to item 4, it is safer in resisting some common attacks.
• There only exist simple operations such as quantum Fourier transform (QFT) and generalized Pauli operator.
The complex operations, e.g., the graph state or error-correcting encoding, do not appear in our scheme; • Only the participant Bob 1 need apply quantum Fourier transform (QFT) to his own particle, other participants do not need; • It is unnecessary to transmit the quantum particles from one participant to the next in order; • Any one of the participants does not know the other participants' shares, even the trusted reconstructor Bob 1 is no exception.

Preliminaries
In this section, the related preliminaries are introduced including quantum Fourier transform (QFT) and inverse quantum Fourier transform (IQFT), generalized Pauli operator, and Shamir's (t, n) threshold SS. These preliminaries will be used in presenting (t, n) threshold QSS scheme. ∑ ω where ω = π e i d 2 / is a primitive d-th root of unity.

Quantum Fourier Transform and Inverse Quantum Fourier
1}, the inverse quantum Fourier transform (IQFT) is defined by Between the QFT and the IQFT, there exists the relationship given by 1}. In particular, on Hilbert space of d-level quantum system, the X gate and Z gate are represented by ref. 24 , Shamir's (t, n) threshold SS 25 consists of the following two algorithm: Share generation algorithm: The dealer randomly chooses a polynomial with degree t − 1:

Results
The Proposed QSS Scheme. Suppose that Alice is a dealer, and = is a set of n participants. Alice chooses any one of the participants Bob 1 as a trusted reconstructor. The role of Bob 1 is to collect any t shares from n participants and reconstruct the final secret. The proposed QSS scheme consists of three phases: initialization phase, share distribution phase, and secret reconstruction phase.
1, 2, , ), and then she publishes all x i . Each classical share f(x i ) can be encoded in a random qubit string according to the encoding method of BB84 protocol 26 or other secure quantum key distribution (QKD) protocols. After having finished the encoding procedure, Alice distributes sequentially the qubit string of f(x i ) to the corresponding participant Bob i for = … i n ( 1, 2, , ) via a secure quantum channel. That is to say, each participant Bob i holds a share f(x i ). After having finished the distribution procedure of the qubit strings of all shares, the secret a 0 is shared among a group of participants. In addition, Alice selects a Hash function H() such as SHA1 to compute hash value H(a 0 ), and sends it to the participant Bob 1 .
Secret Reconstruction Phase. we assume that all qualified subsets of the participants are decided according to the specific application scenario, and the number of participants of each qualified subset is t. On a certain day, the secret a 0 need to be reconstructed, any one of all qualified subsets is selected due to the absence of some participants. For simplicity of description, we assume that the selected qualified subset is denoted by . Figure 1 shows the reconstruction process of the original secret. In the process, each participant Bob r = … r t ( 2, 3, , ) performs the steps 5 and 6, and Bob 1 performs the steps 1-8. The details of the reconstruction process are described as follows.
Step 2. Let … − d 0 , 1 , , 1 be a standard orthonormal basis of a d-level quantum system and set a QFT based on this orthonormal basis. When Bob 1 applies the QFT to the first particle |0〉 1 , the composite state ϕ 1 of t particles is denoted by   where ω = π e i d 2 / is a primitive d-th root of unity.
Step 5. After all participants have received their particles, each participant Bob r = … r t ( 1, 2, , ) takes out his share f(x r ) and calculates respectively the following value For convenience, the s r is named shadow of the share f(x r ).
Step 6. Each participant Bob r = … r t ( 1, 2, , ) performs a generalized Pauli operator U s 0, r on his particle |k〉 r , where U s 0, r is defined by 1, 2, , ) is performed on each particle, the state ϕ 2 evolves as Step 7. Bob 1 applies QFT −1 to his own particle |k〉 1 and further measures it in the computational basis to obtain the secret Step 8. Bob 1 first computes the hash value H(f(0)′) using a hash function H(), and then verifies ′ = H f Ha ( (0) ) ( ) 0 . If the equation holds, he shares the secret with other participants; otherwise he thinks that there is at least one dishonest participant and ends the reconstruction phase.
Correctness Proof. The proposed (t, n) threshold QSS is proven in this section. The proof of correctness will focus primarily on Equation (12) of Step 6 and the secret recovery of Step 7.

Lemma 1. If the Pauli operator
1, 2, , ) of the orthogonal entangled state ϕ 2 of Equation (9) by the participant Bob r = … r t ( 1, 2, , ), the state ϕ 2 evolves as ϕ 3 of Equation (12). Lemma 2. If QFT −1 is applied to the particle |k〉 1 of the state ϕ 3 of Equation (12), the measurement output of the transformed particle is the original secret

Proof. When the Pauli operator
Proof. Based on Equation (10) and Lagrange interpolation formula of Equation (7), f(0) can be calculated by According to the Equation (3), Bob 1 applies QFT −1 to the first particle of the state ϕ 3 of Equation (12) and obtains

Security Analysis.
In this section, the security of the proposed (t, n) threshold QSS scheme is analyzed. The security analysis focuses primarily on intercept-resend attack, entangle-measure attack, collusion attack, and forgery attack.
Intercept-Resend Attack. Without loss of generality, Eve is assumed as an eavesdropper, who has unlimited computing power whose technology is only limited by the laws of quantum mechanics. Suppose Eve controls the quantum channel and intercepts any one quantum particle on the way from Bob 1 to Bob r ∈ … r t ( {2, 3, , }) in Step 4, then she measures the intercepted particle by using the computational basis | 〉 | 〉 … | − 〉 d { 0 , 1 , , 1 }. With the probability of 1/d she can succeed with the attack and get ∈ … − k k d ( {0, 1, , 1}). Further she prepares a new particle that is the same as the intercepted one, and then resends the new particle to Bob r ∈ … r t ( {2, 3, , }). Unfortunately, the measurement outcome k does not contain any information about private share f(x r ) or its shadow s r . Therefore, Eve cannot get any valuable information in the intercept-resend attack.
Entangle-Measure Attack. In entangle-measure attack, the eavesdropper Eve may use a unitary operation to entangle an ancillary particle on the intercepted one, and then measures the ancillary particle to obtain valuable information. Suppose Eve intercepts all t − 1 particles transmitted from Bob 1 to Bob r ∈ … r t ( {2, 3, , }), and then prepares an ancillary particle |e〉 a ∈ … − e d ( {0,1, , 1})). Further, she entangles the ancillary particle |e〉 a on any one of the intercepted particles such as |k〉 u by using d-level CNOT operation, where |k〉 u is the control qudit and |e〉 a is the target qudit. The state ϕ 2 of Equation (9) evolves as ϕ 2 ′ Next step, Eve chooses another particle |k〉 v as control particle to perform d-level CNOT operation on the target particle |e〉 a . Now the state ϕ ′ 2 evolves as ϕ ″ It can be seen that the ancillary particle |e〉 a is disentangled out from the entangled state ϕ ′ 2 , and the original state ϕ 2 is not changed. If Eve measures the ancillary particle |e〉 a , she obtains e, which is the same as prepared at the beginning. From this, Eve can come to the conclusion that the particles |k〉 u and |k〉 v are the same.
Suppose Eve takes each intercepted particle |k〉 r = … r t ( 2, 3, , ) as control particle respectively, and |e〉 a as target particle to perform d-level CNOT operation. As a result, she finds all particles are the same. Similar to the entangle-measure attack, the measurement outcome of the particle |k〉 r = … r t ( 2, 3, , ) does not contain any information about private share f(x r ) or its shadow s r . Therefore, Eve cannot also get any valuable information in the entangle-measure attack, only knowing that all transmitted particles are the same.
SCienTifiC REPORTS | 7: 6366 | DOI:10.1038/s41598-017-06486-4 Collusion Attack. As is known to all, QSS scheme uses the qualified subsets to prevent collusion attack of the participants. After analyzing the existing QSS schemes, we find some schemes cannot resist collusion attack, in which some participants can collude to get the private information of other participants. That is to say, in these QSS schemes, by getting rid of several qualified participants, the unqualified subsets of participants can reconstruct the original secret. Classifying collusion attacks of the existing QSS schemes, the study focuses on the following cases.

Case 1: Collusion attack of Bob e−1 and Bob e+1
In Case 1 never happens in the proposed (t, n) threshold QSS scheme, because each participant performs unitary operation with private information in his own lab, and the transformed private information is not transmitted via the quantum channel. Case 2 never also happens in the proposed (t, n) threshold QSS scheme, because the dealer (Alice) and reconstructor (Bob 1 ) do not take part in the circular transmission route, and their private information are not passed from one participant to the next but saved in their own hands. Therefore, as long as the dealer (Alice) and the reconstructor (Bob 1 ) are both trusted entities, the proposed QSS scheme can resist collusion attack.
Forgery Attack. For secret sharing scheme, as always, it is an issue of public concern to prevent the participants from providing fake shares or shadows. In SS, Feldman 28 first studied this problem and proposed a verifiable secret sharing, in which each participant's share can be verified publicly. In QSS, Yang et al. 13,14 proposed two verifiable schemes to check whether some dishonest participants provide fake shares. Song et al. 15 pointed out the forged quantum particles can pass the verification of other participants in ref. 13 and further proposed an new verifiable QSS scheme to improve the original one. From here we can see that verifiable QSS must provide validation function to resist forgery attack of the participants.
In the proposed QSS scheme, in order to resist forgery attack, the reconstructor Bob 1 uses hash function H() to certify the authenticity of the secret. During the secret reconstruction phase, if a dishonest participant Universality and Practicability. In ref. 7, Yang et al. prepares an n-particle entangled state to design their protocol, and each participant holds a d-level particle. In ref. 17, the dealer prepares a multi-particle sequence, in which each particle is 2-level. In the protocol I and III of ref. 22, the initiator who is taken as one of the participants prepares a d-level 2-particle entangled state, and each of other n − 1 participants prepares respectively a d-level single particle. In ref. 27, the dealer prepares an ordered sequence of multiple EPR pairs. In the proposed QSS, the participant Bob 1 prepares a t-particle entangled state by using d-level CNOT operation, and each participant holds a d-level particle.
We assume that the number of the prepared single particles or EPR pairs is the same as that of the participants who reconstruct the secret in the six similar schemes. In ref. 7 and the proposed scheme, each participant holds a particle, and each particle has m qubits, where = ⌈ ⌉ m d log 2 . As Table 1 shows, ref. 7 need prepare mn qubits, and the proposed QSS need prepare mt qubits. In the protocol I of ref. 22, the total number of the prepared particles is n + 1, so that is m(n + 1) qubits. In the protocol III of ref. 22, the number of the prepared qubits is mn(n + 1). In ref. 17, Alice need prepare t particles, so that is mt qubits. In ref. 27, Alice need prepare t EPR pairs, so that is 2mt qubits.
From the Table 1 we can see that refs 17 and 27 and the proposed QSS are (t, n) schemes, and the three other QSSs are (n, n) schemes. Ref. 7, the protocol I and III of ref. 22, and the proposed QSS are d-level schemes, and the two other QSSs are 2-level schemes. The proposed QSS scheme has not only the merits of (t, n) scheme but also the merits of d-level scheme. It should has better flexibility, universality and practicability than the five other QSS schemes. Moreover, the proposed QSS prepares the same number of the particles as ref. 17, and both schemes can save more resources on the prepared particles than the four other similar schemes.
Computation Cost. Ref. 7 does not show how to prepare an n-particle entangled state, and ref. 27 also does not describe how to prepare an ordered sequence of t EPR pairs. Therefore, in order to make a simplified comparison, we do not consider computation cost of preparing the particles in the protocol I and III of ref. 22 and the proposed QSS scheme. Refs 17 and 27 and the proposed QSS describe the generation process of the shares, however, refs 7 and 22 make no reference to it. Also we do not consider computation cost of the generation process of the shares. In refs 17 and 27, each particle is 2-level. Differently, in refs 7 and 22 and the proposed QSS, each particle is d-level. To be convenient for comparison, the particle dimension d is to be set to 2, thus = = ⌈ ⌉ m d log 1 2 . The computation costs of the six similar schemes are shown in Table 2. In ref. 7, each participant first performs QFT on his particle |k〉 r = … r n ( 1, 3, , ), and then applies U k s ,0 r to the particle QFT|k〉 r , further measures the transformed particle in his lab. The total computation cost is + + nQFT nU nM s ,0 r . In ref. 17, the dealer Alice performs U(θ a ) on every particle of the sequence ψ 0 , and then sends the transformed sequence to the participant Bob i . For = … r t 1, 2, , , the participant Bob r applies U(θ r ) to the particle sequence ψ − r 1 received from − Bob r 1 , and then sends the transformed sequence to subsequent participant + Bob r 1 . The total computation cost is θ + t t U ( 1) ( ). In the protocol I of ref. 22, the initiator performs QFT on the first particle, and sends the second particle (ancillary particle) to next participant. For = … r n 2, 3, , , each participant Bob r performs unitary operation U j on his particle. Finally, Bob 1 performs QFT −1 on his particle, and then measures it to obtain the secret. The total computation cost of the protocol I is + − + + Alice → Bob 1 →  → Bob t , and that of the X′ sequence is determined as: Alice → Bob t . The total number of the transmitted particles is also + + t l t ( )( 1). In the protocol I of ref. 22, the ancillary particle is transmitted from one participant to another, and its transmission route is determined as: Initiator → Bob 2 →  → Bob n → Initiator. The total number of the transmitted particles is n. In the protocol III of ref. 22, for = … r n 1, 2, , , each participant splits his share into n pieces, and every n pieces need one ancillary particle to compute y r . The total number of the transmitted particles is nn.
In the proposed QSS and ref. 7, the decoy particles are not inserted into the message particles, and the transformed message particles are not transmitted in the quantum channel from one participant to another. The communication cost only is dominated by the distribution of the initial particles from the dealer (or the reconstructor) to every participant. The number of the transmitted particles of the proposed QSS is t − 1, and that of ref.

Discussion
Some existing QSS schemes cannot resist collusion attack of the participants, and the unqualified subsets set of participants can obtain some information about the secret. To resist collusion attack, ref. 22 upgraded the protocol I to the protocol III. With the enhancement of the security, the computation cost of the protocol III flies to (n + 1) times. In this paper, we present a (t, n) threshold d-level QSS scheme. Security analysis shows that our scheme can also resist collusion attack. Furthermore, if 2 < t < n − 1, our scheme has lower computation and communication cost than other similar schemes including the protocol I of ref. 22. Our scheme is feasible and practical with the present technologies, because it employs quantum CNOT, QFT, and Pauli operator U s 0, r as main transformation operations, which have been used widely in quantum field.