Rational quantum secret sharing

Traditional quantum secret sharing does not succeed in the presence of rational participants. A rational participant is motivated to maximize his utility and will try to get the secret alone. Therefore, in the reconstruction, no rational participant will send his share to others. To tackle this problem, we propose a rational quantum secret sharing scheme in this paper. We adopt game theory to analyze the behavior of rational participants and design a protocol that prevents them from deviating from it. As proved, the rational participants gain their maximal utilities when they perform the protocol faithfully, and the Nash equilibrium of the protocol is achieved. Compared to the traditional quantum secret sharing schemes, our scheme is fairer and more robust in practice.

"Secret sharing" (SS) was first proposed by Shamir [1], suggesting a secure way to distribute information (a secret) to a set of participants. SS splits the secret into several parts and distributes them to different participants, so that only qualified participants can recover the original secret. In Shamir's scheme, a participant is classified as "good" or "bad". A good participant always performs the protocol faithfully, while a bad one tries his best to break it. However, this kind of classification may not reflect practical situations. Indeed, a participant can be neither good nor bad, but rational, always trying to maximize his utility. Hence, each rational participant aims to get the secret and, at the same time, to prevent others from getting it.
The involvement of rational participants leads to a major problem in SS. In SS, a participant can recover the secret alone even without sending his share to others, if the others have sent out theirs. On the other hand, if participants do not send their shares, none can recover the secret. Therefore, from the viewpoint of a rational participant, not sending his share weakly dominates sending his share. This implies that the Nash equilibrium corresponds to the case where nobody sends his share to others, resulting in a failure of Shamir's scheme in the presence of rational participants.
To mitigate this problem, Halpern et al. [2] introduced the concept of "rational secret sharing" (RSS), and it has become an active area of research in recent years [3][4][5]. In classical RSS, a signed share is used to prevent cheating by participants, while another approach is to use verifiable secret sharing [6].
On the other hand, Hillery et al. [7] have proposed "quantum secret sharing" (QSS), which can be considered an extension of Shamir's SS into the quantum domain. In QSS, the secret is split, distributed and reconstructed by quantum operations. QSS provides stronger security based on quantum theory, such as the uncertainty principle and the no-cloning theorem. Similar to SS schemes, the existing QSS schemes [8][9][10][11][12][13][14][15][16][17][18][19][20][21] do not consider the rational behavior of participants. However, it is natural for the last participant, if he is rational, to generate the secret and quit with it alone. Thus, rational participants in QSS would always prefer not to provide their shares, making the conventional QSS schemes fail.
It should be emphasized that the approaches suggested in RSS, such as signed shares or verifiable SS, are based on unproven assumptions such as the intractability of integer factorization. In the quantum domain, participants and adversaries are always assumed to have unbounded computational power. As a result, these methods are inadequate for the design of rational quantum secret sharing (RQSS). In addition, there are other technical hurdles to be overcome in the design of RQSS: for example, the existing quantum signature schemes [22,23] fail to deal with the entanglement among distributed shares, and a participant cannot generate copies of his share due to the no-cloning theorem.
Designing a workable RQSS is challenging but valuable, and it is the main objective of this paper. In our proposal, the shared secret is assumed to be a d-dimensional quantum state. Some basic quantum operations, such as the quantum Fourier transform and quantum-controlled-not, are employed. Unlike our previous work [24] and other QSS schemes, here the focus is on the issue of "rationality". Game theory is introduced to analyze the rational behavior of participants, based on the concepts of rationality, fairness and Nash equilibrium. As with most of the QSS schemes [7-12], the threshold structure of our scheme is an (n, n) structure, meaning that all the n participants compose the only qualified set and any subset with fewer than n participants is a forbidden set. Our

Fairness. The fairness of RQSS is specified by the following conditions. Letting a* i be the suggested strategy of the protocol and a i be any other possible strategy for participant P i ,

Nash equilibrium. An RQSS protocol should achieve the Nash equilibrium such that no participant has any incentive to deviate from the protocol. A suggested strategy is said to be in Nash equilibrium when there is no incentive for any participant to deviate from it, given that everyone else is following this strategy. Formally, it can be described as follows.
For an arbitrary participant P i , if .

The corresponding quantum inverse Fourier transform is then given by

Consider two d-dimensional quantum states |j 1 〉 and |j 2 〉, the d-dimensional quantum-controlled-not operation is expressed by:

where |j 1 〉 and |j 2 〉 are referred to as the control particle and target particle, respectively; and "+" is defined as the adder modulo d hereinafter.

Design of RQSS
In RQSS, similar to other SS or RSS, there is a dealer who would like to distribute a secret to a set of participants. However, there are some distinct features in RQSS.
Random structure. The dealer needs multiple rounds to distribute the shared secret to the participants. In each round, the dealer distributes the real secret (the shared secret) with a probability of γ; otherwise, a test secret is sent. Participants can only know whether the reconstructed secret is a real one or not after the dealer reveals the truth.
Post verification. Dishonest participants should be punished and hence the behavior of participants must be verified. However, the methods employed in classical RSS are inadequate for RQSS due to the unbounded computational power in the quantum domain. Therefore, quantum operations are to be applied.

Generation of multiple same quantum states.
In QSS, when the share is an unknown state, a participant cannot generate copies of his share due to the no-cloning theorem. If only one share is kept by a participant, only one secret can be reconstructed. Consequently, the participant who holds the reconstructed secret will have the privilege, breaking the fairness of RQSS. In order to resolve this problem, the dealer has to generate multiple same states and distribute to the participants, allowing all the qualified participants to get the reconstructed secret.
Parameters setting based on Nash equilibrium. The parameters of RQSS should be properly set to guarantee that each honest participant can gain his maximal utility under the suggested strategy. The Nash equilibrium is to be achieved to ensure that the protocol can be performed robustly in the presence of rational participants.
The details of the RQSS protocol are given as follows. For the sake of clarity, the dealer and the n rational participants are referred to as Alice and {Bob 1 , Bob 2 , …, Bob n }, respectively. The shared secret is assumed to be a d-dimensional quantum state, defined as ϕ α
To share ϕ among the n rational participants, Alice performs the following procedures for each round.
(1) A specific coin having a probability of γ to be "1" (head) is tossed. If it is "1", Alice generates n same real quantum states; otherwise, she generates n same test quantum states. For convenience, every one of these n quantum states is denoted as ϕ.
(2) For each ϕ, the quantum inverse Fourier transform is applied to obtain ϕ′. For each ϕ′, Alice generates (n − 1) single particles, p i = |d − 1〉 where i = 1, 2, …, (n − 1), and then performs the d-dimensional quantum-controlled-not operation on ϕ′ and each p i in turn, where ϕ′ and p i are the control particle and the target particle, respectively. An n-particle entangled state Φ then results. Finally, Alice performs the quantum Fourier transform on each particle of Φ to obtain Φ′.
(3) For every Φ′, Alice sends one particle of Φ′ to each participant sequentially. The transmission of particles is protected by decoy particles, which are randomly selected from two bases, namely the Z-basis and the X-basis, as given in the following forms:
(4) For reconstruction, all the particles of one Φ′ will be sent to one of the participants, and eventually everyone will get one Φ′. The participant will perform the quantum inverse Fourier transform on every particle of his own Φ′ and get back Φ. By performing d-dimensional quantum-controlled-not operations, the quantum state ϕ′ and the (n − 1) single particles {p 1 , p 2 , …, p n−1 } can be separated from Φ. Then the original state ϕ can be obtained by applying the quantum Fourier transform to ϕ′. For an arbitrary participant Bob i , the particles {p 1 , p 2 , …, p n−1 } come from the other (n − 1) participants. If the other participants perform the protocol faithfully, then the obtained particles {p 1 , p 2 , …, p n−1 } should all be in the state |d − 1〉. Therefore, by measuring these particles, Bob i can deduce whether the corresponding participant has sent the correct particle or not. However, it should also be remarked that there is still a probability of 1/d that Bob i will get the correct measurement result even if the received particle is incorrect.
(5) If a participant Bob i finds that he did not receive any particle from Bob j or that the particle is not a correct one, Bob i will publicize the cheating behavior of Bob j . Other participants will then terminate the protocol. When the protocol is terminated by any of the participants, the dealer will not continue to the next round. As a result, participants will not be able to get the secret if the current round is not the real one.
(6) If no cheating behavior is found, the dealer will reveal whether the secret in this round is the real secret or a test one. If it is the real secret, the protocol will be over. Otherwise, the dealer will start the next round.

Example
To better illustrate the RQSS protocol, we consider a simple case with a dealer sharing a 3-dimensional quantum state among three participants. In each round, Alice first decides whether to distribute the real secret or a test secret, ϕ, according to the result of the coin toss. Three same quantum states are then generated, each specified by ϕ = α 0 |0〉 + α 1 |1〉 + α 2 |2〉. By performing the quantum inverse Fourier transform as given in (2)
The quantum Fourier transform is then performed for each particle of Φ and finally Alice obtains
Based on the above operations, Alice will get three same entangled states and, for simplicity, each one of them is denoted as Φ′. The three particles of each Φ′ will be sent to Bob 1 , Bob 2 and Bob 3 , respectively. Consequently, each participant will have three particles, each belonging to one of the three entangled states.
In the reconstruction, the three particles of one Φ′ will be sent to one participant, and every participant will get one Φ′. When Φ′ is available, Bob i will recover the original state ϕ by following Step (4) of the procedures as described in the last section. First, he gets back Φ by applying the quantum inverse Fourier transform on every particle of his Φ′. Then, two quantum-controlled-not operations are performed to separate the state ϕ′ and two single particles {p 1 , p 2 } from Φ. Finally, the original state ϕ = α 0 |0〉 + α 1 |1〉 + α 2 |2〉 is obtained by applying the quantum Fourier transform onto ϕ′. Bob i can verify the honesty of other two participants by measuring {p 1 , p 2 }. If they sent Bob i the correct particles, {p 1 , p 2 } should both be in the state |2〉.
If all the participants are honest, Alice will reveal whether the secret is a real one or not. If it is the real secret, the protocol will be over and all the participants obtain the secret. Otherwise, Alice will start again for the next round.
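The three-participant, 3-dimensional case can be checked numerically with a small state-vector simulation; this is an added example, not code from the paper. It assumes the standard d-level quantum Fourier transform F|j〉 = d^(−1/2) Σ_k e^(2πi·jk/d)|k〉, undoes each quantum-controlled-not by subtracting modulo d, and uses a constructed secret ALPHA; it also evaluates a participant who measures a particle before forwarding it, for which the check particles pass with probability 1/d.

```python
import cmath

def qft(d, inverse=False):
    """M[k][j] = <k|F|j> for the assumed standard QFT; inverse=True gives the conjugate."""
    sign = -1 if inverse else 1
    return [[cmath.exp(sign * 2j * cmath.pi * j * k / d) / d ** 0.5
             for j in range(d)] for k in range(d)]

def apply_single(state, q, M, d):
    """Apply the d x d matrix M to particle q of a sparse state {basis tuple: amplitude}."""
    out = {}
    for basis, amp in state.items():
        for k in range(d):
            nb = basis[:q] + (k,) + basis[q + 1:]
            out[nb] = out.get(nb, 0) + M[k][basis[q]] * amp
    return out

def apply_cnot(state, control, target, d, inverse=False):
    """|j1>|j2> -> |j1>|j1 + j2 mod d>; inverse=True subtracts (assumed undo step)."""
    out = {}
    for basis, amp in state.items():
        shift = -basis[control] if inverse else basis[control]
        nb = basis[:target] + ((basis[target] + shift) % d,) + basis[target + 1:]
        out[nb] = out.get(nb, 0) + amp
    return out

def dealer_encode(alpha, n):
    """Step (2): inverse QFT on phi, CNOT onto n-1 particles |d-1>, QFT on every particle."""
    d = len(alpha)
    state = {(j,) + (d - 1,) * (n - 1): a for j, a in enumerate(alpha)}
    state = apply_single(state, 0, qft(d, inverse=True), d)
    for t in range(1, n):
        state = apply_cnot(state, 0, t, d)
    for q in range(n):
        state = apply_single(state, q, qft(d), d)
    return state

def reconstruct(state, n, d):
    """Step (4): inverse QFT on every particle, undo the CNOTs, QFT on the first particle."""
    for q in range(n):
        state = apply_single(state, q, qft(d, inverse=True), d)
    for t in range(1, n):
        state = apply_cnot(state, 0, t, d, inverse=True)
    return apply_single(state, 0, qft(d), d)

def check_pass_probability(state, d):
    """Probability that every check particle p_i is measured as |d-1>."""
    return sum(abs(a) ** 2 for b, a in state.items() if all(x == d - 1 for x in b[1:]))

def recovered_secret(state, n, d):
    """Amplitudes of the first particle on the branch where all checks read |d-1>."""
    return [state.get((j,) + (d - 1,) * (n - 1), 0) for j in range(d)]

def share_marginal(state, q, d):
    """Outcome distribution when particle q of the distributed state is measured alone."""
    return [sum(abs(a) ** 2 for b, a in state.items() if b[q] == m) for m in range(d)]

def pass_probability_after_measurement(shares, q, n, d):
    """Particle q is measured before forwarding: total chance the checks still pass."""
    branches = ({b: a for b, a in shares.items() if b[q] == m} for m in range(d))
    return sum(check_pass_probability(reconstruct(br, n, d), d) for br in branches)

ALPHA = [0.5, 0.5j, 0.5 ** 0.5]  # constructed sample secret for d = 3, norm 1
```

With honest participants the check particles always read |2〉 and the recovered amplitudes equal ALPHA, while every single share measured alone gives each outcome with probability 1/3.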

Security analysis
In this section, the security of the proposed RQSS protocol is analyzed.

Confidentiality. Given that the initial state Alice generated is

Then, with the (n − 1) quantum-controlled-not operations, Φ is obtained as follows (8)

Finally, after the n quantum Fourier transforms, one obtains

Therefore, only the terms with coefficient α j satisfying j = ∑_{i=1}^{n} k_i in (10) are retained, while the other terms vanish. Therefore, the quantum state Φ′ can be simplified as , implying that the quantum state of the shares is independent of that of the quantum secret. Therefore, participants cannot get any information about the quantum secret from their own shares, and our scheme meets the confidentiality requirement [25].
Security for outside eavesdropping. In our scheme, the transmission of particles is protected by decoy particles. The decoy particles are randomly selected from the Z-basis or the X-basis, and the secret particle is randomly inserted into the decoy particles.
Since an attacker does not know the positions and bases of the decoy particles, if he intends to steal information by measuring the secret particle, he will probably measure the decoy particles with a random basis and introduce errors into the decoy particles. The probability of selecting a wrong basis for a decoy particle is 1/2 and the participant has a probability of (d − 1)/d to obtain a wrong value for the decoy particle. Therefore, the error rate of one decoy particle for eavesdropping is − . When l is sufficiently large, the probability will be close to 1. Besides direct eavesdropping, another well-known outsider attack is "entangle-and-measure". The attacker entangles an ancillary particle with the secret particle, and then measures the ancillary particle to steal information. It is remarked that, according to the results in [26], this attack can also be detected due to the errors in the decoy particles.
Security for dishonest participant. In our scheme, the secret state ϕ is hidden in the entangled state Φ′ as given in (11). As described in Section 5.1, Φ′ is a symmetrical superposition state and each of its particles can be in any state from {|0〉, |1〉, …, |d − 1〉} with the same probability. Even if (n − 1) participants work together, it is still impossible for them to get the initial secret state.
Without loss of generality, we assume {Bob 2 , Bob 3 , …, Bob n } measure their particles and obtain results {r 2 , r 3 , …, r n }. Bob 1 's particle will become the following state
From (12), we can see that {Bob 2 , Bob 3 , …, Bob n } still cannot get the secret state ϕ without Bob 1 . This confirms that the secret state can be recovered only if all participants are available, and hence a collusion attack by dishonest participants will not succeed.

Nash equilibrium
In our scheme, there are four possible strategies when a rational participant performs the protocol.
• a 1 : send the correct particles to other participants;
• a 2 : remain silent, i.e., not send any particles to other participants;
• a 3 : send the forged particles to other participants;
• a 4 : measure the particles and then send them to other participants, i.e., the shared state will be destroyed.
The participant may have the following four utilities.
• U 1 : he gets the secret but the other participants do not;
• U 2 : he gets the secret and so do the other participants;
• U 3 : he does not get the secret and neither do the other participants;
• U 4 : he does not get the secret but the other participants get the secret.
For a rational participant, it is obvious that
Scientific REPORTS | (2018) 8:11115 | DOI:10.1038/s41598-018-29051-z
Now, we analyze the utility of an arbitrary participant, Bob i , performing different strategies in a round j.
(2) Perform strategy a 2 : if the secret in this round is the real secret (the probability is γ), his utility is U 1 ; otherwise, his utility is U 3 . So the utility under a 2 is γU 1 + (1 − γ)U 3 .
(3) Perform strategy a 3 : if the secret in this round is the real secret (the probability is γ), his utility is U 1 ; otherwise, his utility is αU 3 + (1 − α)U 2 , where α is the probability that his cheating behavior is detected by the others. As explained in Section 3, we have α = 1/d in our scheme. Therefore, the utility under a 3 is
(4) Perform strategy a 4 : it is similar to case (3) and the utility also equals γ γ
The utility of Bob i under the different strategies is summarized below:
Since U 2 > U 3 , it can be easily deduced that u i (a 2 ) is always less than u i (a 3 ) or u i (a 4 ). Now, letting , the rational participant Bob i will always choose a 1 as his strategy since u i (a 1 ) > u i (a 3 ) = u i (a 4 ) > u i (a 2 ). Therefore, if the parameter γ is set to satisfy the inequality condition γ < , every rational participant will choose a 1 as his optimal strategy, which is the Nash equilibrium, and perform the protocol faithfully.

Comparison
In our scheme, it is assumed that the shared secret is a d-dimensional quantum state and quantum operations, such as the quantum Fourier transform and quantum-controlled-not, are employed. Although similar assumptions and operations are used in our previous work [24], the design and focus of this paper are totally different. The main feature of our scheme is to manage the "rationality". The scheme in [24] is only a traditional QSS scheme without considering the "rationality".
In particular, we introduce game theory into QSS to analyze the rational behavior of participants, based on respective definitions of rationality, fairness and Nash equilibrium. The proposed RQSS possesses some distinct features as discussed in Section 3, including the random structure, post verification based on quantum operations, and parameter setting based on Nash equilibrium. Furthermore, we analyze different strategies and utilities of the rational participant, and derive conditions that ensure rational participants follow the protocol faithfully, by achieving the Nash equilibrium. All these novel contents do not appear in [24].
Indeed, the protocol of RQSS is also different from that suggested in [24]. In our scheme, the dealer applies the quantum inverse Fourier transform to the shared state, and then performs the quantum-controlled-not operations and quantum Fourier transform to hide the shared state in an entangled state. For reconstruction, participants need to perform reverse operations, including the quantum inverse Fourier transform, the quantum-controlled-not and the quantum Fourier transform, to obtain the shared state and the verification states. In contrast, participants under the scheme in [24] only perform single-particle measurements and unitary operations to recover the shared state. Such a reconstruction process is not preferable, as participants cannot obtain the verification states to verify the faithfulness of other participants.

Conclusion
In this paper, we have proposed an RQSS scheme to manage rational participants who try to maximize their utilities. By using quantum operations, the dealer encodes the secret state into an entangled state and distributes it to the participants, while participants can use reverse operations to recover the secret state. The behavior of the rational participant is analyzed with the use of game theory, and suitable mechanisms are proposed to motivate rational participants to perform the protocol faithfully. As proved, our scheme is fair and secure, and the suggested strategy achieves the Nash equilibrium. Compared to the existing QSS schemes, our scheme is more practical in the presence of rational participants.
The entangled state is indispensable in our scheme. Compared with the single-qubit state, the multi-particle entangled state is harder to prepare with current technologies. However, as discussed in [27][28][29][30][31][32], some practical ways of generating the entangled state are possible. With the rapid development of quantum technology, generating entangled states would become easier in the future, making our scheme more practical.