Enhanced (t, n) threshold d-level quantum secret sharing

The quantum secret sharing is an essential and fundamental technique for sharing a secret with the all participants in quantum cryptography. It can be used to design many complex protocols such as secure multiparty summation, multiplication, sorting, voting, etc. Recently, Song et al. have discussed a quantum protocol for secret sharing, which has (t, n) threshold approach and modulo d, where t and n denote the threshold number of participants and total number of participants, respectively. Kao et al. point out that the secret in the Song et al.’s protocol cannot be reconstructed without other participants’ information. In this paper, we discuss a protocol that overcomes this problem.


Review of Song et al.'s protocol
Here, we review the Song et al.'s protocol. In this protocol, the dealer shares a secret S among n participants B = {Bob 1 , Bob 2 , . . . , Bob n } . From n participants, any one is selected by the dealer as a trusted reconstructor. We may consider here Bob 1 as a trusted reconstructor.
Distribution of shares. The dealer selects an arbitrary polynomial p(x) of degree ( t − 1 ) such that p(x) ∈ Z d , where Z d is a finite field. The ( t − 1)-degree polynomial may be defined as A non-zero value x i ∈ Z d is also selected by the dealer to compute n shares p(x i ) . The dealer encodes p(x i ) ′ s using BB84 and sends the qubit string of p(x i ) through a secure quantum channel to every participant Bob i , i = 1, 2, . . . , n . The dealer chooses a hash algorithm H() to determine the hash value H(S) of the secret S and sends this hash value H(S) to the participant Bob 1 .
Reconstruction of secret. The secret is reconstructed by a certain number of participants using the following steps.
Step 5 The Pauli operator (U 0,s v ) is applied by each participant Bob v on their respective private particles |u� v , v = 1, 2, . . . , t , as follows.
After performing the Pauli operator on each participant particle, the state |ϕ 2 � extends as follows: Step 6 Finally, the participant Bob 1 applies the IQFT on his private particle |u� 1 and, based on computational basis, measures it to acquire the secret p(0) ′ = t v=1 s v mod d.

Comments on Song et al.'s protocol
Here The secret S ′ = t v=1 s v cannot be retrieved even when IQFT is performed over the particle |l� 1 and measured computationally by Bob 1 .
For better understanding of the problem, consider an example, where d = 3, t = 2, n = 4 and S = 2 . From step 5 of the reconstruction phase of the Song et al. 's protocol, we have On applying the inverse quantum Fourier transform IQFT over the particle |u� , we get

Proposed quantum secret sharing protocol
Here, we propose a new quantum secret sharing protocol that has (t, n) threshold and d-level. The distribution of the shares and the reconstruction of secret are its two main phases, as discussed below.

Distribution of share. The dealer selects an arbitrary
field, as follows: The dealer selects a non-zero value x i ∈ Z d to compute n shares p(x i ) , encodes p(x i )s using BB84 and sends the qubit string of p(x i ) via a secure quantum channel to every participant Bob i , i = 1, 2, .., n . Then, the dealer chooses a hash algorithm to determine the secret hash value H(S) . After computing H(S) , the dealer shares it using a polynomial h(x) = H(S) + γ 1 x + γ 2 x 2 + · · · + γ t−1 x t−1 among n participants. Participant Bob i only learns the share h(x i ) , i = 1, 2, . . . , n.
Reconstruction of the secret. Let B = {Bob 1 , Bob 2 , . . . , Bob t } be a qualified subset of t participants. The dealer chooses a reconstructor participant from the qualified subset. In this phase, the dealer chooses Bob 1 as a reconstructor participant that recovers the secret and the secret hash value using the following steps: Step 1 Reconstructor Bob 1 prepares t qudit particle |l� 1 , |l� 2 , . . . , |l� t , which contains m qubits, m = ⌈log d 2 ⌉ . The participant Bob 1 applies the QFT 45 on the particle |l� 1 . The output state |ϕ 1 � is computed as follows.
(11) www.nature.com/scientificreports/ Step 6 Each participant Bob v applies the IQFT on his private particle |u� v and measures the result of IQFT. After measuring, each participant Bob v broadcasts the result of measurement.
Step 7 Each participant Bob v computes the secret p(0) ′ = t v=1 s v mod d by adding the measurement results.
Step 8 Finally, all seven steps discussed above are again performed by the threshold number of participants t to reconstruct the secret hash value. The secret hash value h(0) ′ = t r=1 g r mod d is reconstructed by the participant Bob 1 , where g r represents the hash value share's shadow. The participant Bob 1 uses the hash algorithm SHA − 1 to determine the hash value H(p(0) ′ ) and matches it with the secret' hash value h(0) ′ . If (H(p(0) ′ ) = h(0) ′ ) , then the participant Bob 1 perceives that the threshold number of participants have executed the protocol honestly; otherwise, Bob 1 believes that the one or more corrupt participants have executed the protocol.

Security analysis
In this section, we discuss the collision, coherent, and collective attacks, which can be resisted by the proposed protocol.
Collision attack. An attacker uses the hash algorithm attack to generate the same secret hash value for two inputs in this attack. In the Song et al. 's 9 and Mashhadi's 43 protocols, the Bob 1 can execute the collision attack to get the secret because the dealer sends the secret's hash value to Bob 1 and hence it is not secure against the collision attack. Our protocol is secure against the collision attack because the dealer determines the secret hash value and shares this value among n participants. So, the reconstructor participant Bob 1 has no knowledge about the hash value and hence he is unable to execute the collision attack.
Coherent attack. In this attack, an attacker creates an independent ancillary particle |w� and intercepts every participant's particle |l� v by jointly interacting with every qudit of participant Bob v , v = 1, 2, . . . , t . On every participant's particle |l� v , the attacker conducts the measurement process in computational basis. The attacker just gets l with 1 d probability from this calculation of particle |l� v . However, l does not hold any valuable data about the share's shadow. Only the interacting particle |l� v is known to the attacker in this case. As a result, the attacker cannot get the share's shadow from the coherent attack.
Collective attack. In a collective attack, an attacker communicates with each qudit by creating an individual ancillary particle and performing a measure all of the ancillary qudits at the same time to obtain the share's shadow. Every qudit of participant Bob v , v = 1, 2, . . . , t is interacted with by an individual ancillary particle |w� created by the attacker. After communicating, the attacker obtains the particle |l� v and conducts a joint calculation procedure in the computational basis to reveal the share's shadow. Since the particle |l� v does not hold any valuable data about the share's shadow, the attacker cannot obtain any information about it from this joint calculation.

Performance analysis
Here, we analyze the performance of the proposed protocol and compare with that of the Song et al.'s 9 , and Mashhadi's 43 protocols in terms of the security and cost. The Song em et al. 's protocol 9 requires one QFT operation, t unitary operations, two hash operations, one IQFT operation, one measure operations, and transmit (t − 1) message particles. This protocol is not efficient because the IQFT cannot recover the original secret. The Mashhadi's protocol 43 needs one QFT operation, t unitary operations, two hash operations, t number of IQFT operations, (t − 1) SUM operations, t measure operations, and transmit (t − 1) message particles with (t − 1) decoy particles. However, our protocol requires one QFT operation, t unitary operations, two hash operations, (t − 1) IQFT operation, (t − 1) measure operations, and transmit (t − 1) number of message particles. Moreover, the Mashhadi's protocol uses the SUM operation, more number of IQFT operation, and transmission of (t − 1) decoy particles; whereas, our protocol uses CNOT gate, less number of IQFT operation, and no transmission of the decoy particles. Hence, it has high cost as compared to our protocol. In addition, the proposed protocol is more cost effective, efficient, and secure as compared to the Song et al. 's 9 , and Mashhadi's 43 protocols. Table 1 shows the comparison of these protocols.

Conclusion
In this paper, we have discussed a new (t, n) threshold protocol for quantum secret sharing in which the reconstructor can reconstruct the original secret efficiently. This protocol can execute the threshold number of participants without any trusted reconstructor participant. Further, the secret hash value and the secret are unknown to the reconstructor participant and he cannot execute the collision attack, but can correctly execute the proposed protocol. The proposed protocol can also resist the coherent and collective attacks.