Abstract
Quantum secret sharing is a basic quantum cryptographic primitive with many applications in information security and privacy preservation. An efficient multiparty quantum secret sharing protocol based on a novel structure and single qubits (Kuo et al., EPJ Quantum Technol. 10(1):29, 2023) was reported recently. In this paper, we give a cryptanalysis of this protocol and show that it does not satisfy the security requirement for secret sharing: an unauthorized set of agents can gain access to some information on the dealer’s secret by a special collusion attack. Furthermore, we put forward a way to deal with this security problem.
Introduction
In 1979, Shamir1 and Blakley2 independently introduced the concept of a (k, n) threshold secret sharing scheme, which allows a secret s to be split into n shares such that s can be easily reconstructed from any k shares, whereas fewer than k shares reveal no information about s. Owing to this property, secret sharing has been used to construct robust key management, secure multiparty computation and other cryptographic schemes that keep functioning securely and reliably even when misfortunes destroy most of the shares and security breaches expose all but one of the remaining shares3,4,5.
In the last decades, the principles of quantum mechanics have supplied many interesting cryptographic applications such as quantum key distribution, quantum secure direct communication (QSDC), quantum digital signatures and quantum secret sharing (QSS)6,7,8. In contrast to classical secret sharing, the security of QSS rests on the fundamental principles of quantum mechanics rather than on mathematically hard problems, which makes it secure against any opponent, even one with unbounded computing resources. On account of this security advantage, since the first proposal based on Greenberger–Horne–Zeilinger states was given by Hillery et al.9, QSS has attracted much attention and many novel proposals have been reported in both theoretical and experimental work10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25. According to the quantum resources used, these proposals can be divided into two kinds: those based on single photons10,11,12,13 and those using entangled states14,15,16,17,18,19,20,21,22,23,24,25. To improve efficiency and feasibility, two typical transmission strategies were introduced, namely circular transmission13,16 and teleportation transmission14,15. Additionally, measurement-device-independent QSS has been presented18,19,23,25,26, which excludes all quantum attacks on the detection part.
As is well known, cryptographic design and cryptanalysis are two inherent directions of the field, opposed to but stimulating each other, and both are indispensable to the development of cryptography. This is also the case for quantum cryptography. Nevertheless, analyzing the security of QSS is complicated because multiple participants are involved and some of them may be dishonest27,28,29,30.
To achieve a good balance between security and performance, an efficient multiparty QSS protocol based on a novel structure and single qubits (named the KTYC-protocol hereafter) was reported recently31. It avoids some deficiencies of traditional loop QSS schemes because each agent interacts with the dealer independently over a separate secure communication tunnel based on QSDC. In this paper, we analyze the security of the KTYC-protocol and give a new collusion attack whereby an unauthorized set of agents obtains some information on the dealer’s secret, which conflicts with the security requirement that no unauthorized set may learn anything about the dealer’s secret. Furthermore, the proportion of the secret that the unauthorized set can extract approaches 1 as the number of agents in the unauthorized set grows. Finally, we propose a possible way to improve the security of the KTYC-protocol.
Results
The KTYC-protocol
In this section, we give a brief description of the KTYC-protocol. Assume that the dealer Alice has a secret s of length S, which she wants to share among N agents \(P_{1}\), \(P_{2}\), ..., \(P_{N}\). The protocol runs as follows31.
Step 1. Every agent \(P_{i}\) \((i=1,2,\ldots ,N)\) prepares t qubits \(\otimes _{j=1}^{t}|\varphi \rangle _{j}^{i}\), where \(t=\lceil \frac{S}{N}\rceil\) and each qubit \(|\varphi \rangle _{j}^{i}\) \((j=1,2,\ldots ,t)\) is chosen uniformly at random from the set \(\{|0\rangle ,|1\rangle ,|+\rangle ,|-\rangle \}\), with \(|+\rangle =\frac{1}{\sqrt{2}}(|0\rangle +|1\rangle )\), \(|-\rangle =\frac{1}{\sqrt{2}}(|0\rangle -|1\rangle )\), and \(\otimes\) denoting the tensor product of qubits. Each agent then inserts several decoy qubits32,33 and sends the resulting quantum sequence to Alice.
Step 2. On receiving the quantum sequences, Alice checks the channels with the decoy qubits. Specifically, for a sufficient number of decoy positions she asks the agents to publish the basis and state of each decoy qubit, measures those qubits in the published bases and compares the results. If the error rate is higher than the threshold, she requests that the sequence be resent until it passes the check.
Step 3. Alice joins these sequences together and reorders the qubits. Then she encodes the secret s into the sequence by applying I for message bit “0” and Y for message bit “1”, where
\(I=|0\rangle \langle 0|+|1\rangle \langle 1|=\begin{pmatrix} 1 & 0\\ 0 & 1 \end{pmatrix},\qquad Y=|1\rangle \langle 0|-|0\rangle \langle 1|=\begin{pmatrix} 0 & -1\\ 1 & 0 \end{pmatrix}.\)
Note that \(Y|0\rangle =|1\rangle\), \(Y|1\rangle =-|0\rangle\), \(Y|+\rangle =-|-\rangle\) and \(Y|-\rangle =|+\rangle\), so Y flips the state within either basis up to a global phase, which is what makes the encoding recoverable by whoever knows the initial state. Alice then divides the encoded sequence into N sequences, inserts decoy qubits32,33 and sends these sequences back to the agents.
Step 4. After all agents have received the sequences, Alice publishes the positions and states of the decoy qubits. All agents check the channel with these decoy qubits inserted by Alice. If the error rate is lower than the threshold, Alice publishes the order of the qubits; otherwise, the communication is terminated and restarted via a different channel.
Step 5. All agents cooperate to recover the secret s by exchanging their information on original quantum states.
The cryptanalysis of KTYC-protocol
As is well known, the security of QSS requires that only an authorized set of agents can recover the secret s distributed by the dealer, while any unauthorized set of agents learns no information about it9,27,28,29,30. Here we show that in the KTYC-protocol an unauthorized set can gain access to some information on the secret s. Furthermore, the amount of information on s that an unauthorized set obtains grows in proportion to the square of the number of agents in the unauthorized set. The detailed analysis follows.
From the description above, the KTYC-protocol is in fact an (N, N) threshold QSS protocol. Hence there is only one authorized set of agents, namely \(\{P_{1}, P_{2}, \ldots , P_{N}\}\), which can recover the secret s when all N agents cooperate in Step 5. As noted in31, in contrast to the traditional loop QSS schemes based on QSDC, the KTYC-protocol uses a new structure in which each agent communicates with the dealer over an independent quantum secure direct communication path. This design gives all N agents the same privileges, but it also gives dishonest agents a good chance to gain information on the secret s, as Theorem 1 shows.
Theorem 1
An unauthorized set can gain access to about \(\frac{d^{2}t}{N}\) bits of the dealer’s secret s if they collude with each other in the KTYC-protocol, where d \((d<N)\) is the number of agents in the unauthorized set.
Proof
In Step 3, when the dealer Alice has received all N agents’ quantum sequences \(\otimes _{j=1}^{t}|\varphi \rangle _{j}^{1}\), \(\otimes _{j=1}^{t}|\varphi \rangle _{j}^{2}\), ..., \(\otimes _{j=1}^{t}|\varphi \rangle _{j}^{N}\), she joins them together, reorders the qubits and encodes the secret s into the resulting sequence. Then she divides it into N sequences and sends them back to the N agents. Each agent therefore receives a sequence of t encoded qubits from Alice in Step 3. Because Alice reorders the Nt qubits at random, about \(\frac{t}{N}\) of the qubits in any agent’s sequence were prepared by that agent in Step 1. Once Alice publishes the order of the qubits in Step 4, the agent knows which of the received qubits these are, measures them in the basis he/she originally chose and deduces Alice’s encoding operation (I or Y) from the initial state he/she remembers. The channel check with decoy qubits does not detect this attack, because the agent performs the measurement only after the check has been completed. Therefore any single agent gains access to about \(\frac{t}{N}\) bits of the secret s, which means that Theorem 1 holds for \(d=1\).
For \(d=2\), i.e., two agents in the unauthorized set, each of them receives a sequence of t encoded qubits from Alice in Step 3, so together they hold 2t encoded qubits. By the same counting, about \(\frac{2t}{N}\) of the qubits in each of these two sequences were prepared by one of the two colluders in Step 1. When Alice publishes the order of the qubits in Step 4, the colluders measure these qubits in the right bases and deduce Alice’s encoding. Therefore they can gain access to about \(2\times \frac{2t}{N}=\frac{4t}{N}=\frac{2^{2}t}{N}\) bits of the secret s.
For \(d=3\), i.e., three agents in the unauthorized set, each of them receives a sequence of t encoded qubits from Alice in Step 3, so together they hold 3t encoded qubits. About \(\frac{3t}{N}\) of the qubits in each of these three sequences were prepared by one of the colluders in Step 1, and they deduce Alice’s encoding of these qubits by measuring them in the right bases after Alice publishes the order in Step 4. Therefore they can gain access to about \(3\times \frac{3t}{N}=\frac{9t}{N}=\frac{3^{2}t}{N}\) bits of the secret s.
For \(d=4\) to \(N-1\), the same argument shows that the unauthorized set can gain access to about \(\frac{d^{2}t}{N}\) bits of the secret s: the d colluders hold dt encoded qubits, of which a fraction \(\frac{d}{N}\) were prepared by members of the set.
In conclusion, when there are d (\(d<N\)) agents in the unauthorized set, they can gain access to about \(\frac{d^{2}t}{N}\) bits of the secret s. This completes the proof of Theorem 1.
From Theorem 1, the number of bits of the secret s that an unauthorized set can obtain grows in proportion to the square of the number of agents in the unauthorized set, as shown in Fig. 1. Furthermore, since \(Nt\approx S\), the proportion \(\frac{d^{2}t/N}{S}\approx \frac{d^{2}}{N^{2}}\) of the secret that the unauthorized set can extract approaches 1 as the number of agents in the unauthorized set grows, as shown in Fig. 2.
So far, we have given a cryptanalysis of the KTYC-protocol, which shows that this protocol is not secure in the sense that it does not satisfy the security requirement for QSS.
Suggestion for improvement
From the cryptanalysis, it can be seen that the collusion attack succeeds because of the novel structure of the KTYC-protocol: the other agents have no influence on a bit of the dealer’s secret unless the encoded qubit carrying it was prepared by one of them. Moreover, the attack is mounted after the channel check. Therefore the agents in the unauthorized set can measure the encoded qubits they prepared themselves in the right bases and obtain the corresponding bits of the secret s. To close this security flaw, every agent must hold a share of each bit of the dealer’s secret s, which can be realized in two ways. One is that every agent performs an encryption on each encoded qubit, but this changes the structure of the KTYC-protocol. The other is that the dealer preprocesses the secret s in advance. Specifically, in Step 3 the dealer prepares N random numbers \(s_{1},s_{2},\ldots ,s_{N}\) whose sum is s (for bit strings, the bitwise sum modulo 2), i.e.,
\(s=s_{1}\oplus s_{2}\oplus \cdots \oplus s_{N}.\)
Then the dealer encodes \(s_{1},s_{2},\ldots ,s_{N}\) into the qubit sequences \(\otimes _{j=1}^{t}|\varphi \rangle _{j}^{1}\), \(\otimes _{j=1}^{t}|\varphi \rangle _{j}^{2}\), ..., \(\otimes _{j=1}^{t}|\varphi \rangle _{j}^{N}\), respectively. After that, the dealer performs the same actions as in Step 3 (joining, reordering, dividing and sending back) except that the encoding operations are no longer performed.
Now we show that this modification prevents the collusion attack. In the improved version the shared secret s is the sum of the N shares \(s_{1},s_{2},\ldots ,s_{N}\), so the absence of any one share makes reconstruction impossible. The shares \(s_{1},s_{2}\), ..., \(s_{N}\) are encoded into the qubit sequences \(\otimes _{j=1}^{t}|\varphi \rangle _{j}^{1}\), \(\otimes _{j=1}^{t}|\varphi \rangle _{j}^{2}\), ..., \(\otimes _{j=1}^{t}|\varphi \rangle _{j}^{N}\), respectively, and only the agent \(P_{i}\) knows the initial states of the qubits \(\otimes _{j=1}^{t}|\varphi \rangle _{j}^{i}\), which are necessary to read the encoded share \(s_{i}\). Therefore the share \(s_{i}\) cannot be obtained without the cooperation of the agent \(P_{i}\). All in all, the secret s can be reconstructed if and only if all the agents in the authorized set \(\{P_{1}, P_{2}, \ldots , P_{N}\}\) cooperate, and any unauthorized set learns no information about it.
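The following simulation is an added example written for this page; it is not code from Kuo et al. nor from the authors of this cryptanalysis. It models Steps 1, 3 and 4 with two-amplitude state vectors, mounts the collusion attack of Theorem 1 (the section above) on the original protocol, and then runs the same colluders against the share-based fix of this section. Assumptions beyond the text: decoy-qubit checking is left out (the attack is mounted only after it passes, so it changes nothing here); the reordering in Step 3 is a uniformly random permutation; the “sum” of shares is taken as bitwise XOR; and since every share must be as long as s, each agent prepares t = S qubits in the improved version. All function names are this example’s own.

```python
"""Added example: toy state-vector model of KTYC Steps 1-4, the collusion attack
of Theorem 1 and the share-based fix.  Decoy qubits are omitted because the
attack is mounted only after the channel check has passed (an assumption of
this example, consistent with the text)."""
import random
from math import sqrt

# The four Step-1 states as (amp0, amp1); bases "Z" = {|0>,|1>}, "X" = {|+>,|->}.
KET = {("Z", 0): (1.0, 0.0), ("Z", 1): (0.0, 1.0),
       ("X", 0): (1 / sqrt(2), 1 / sqrt(2)), ("X", 1): (1 / sqrt(2), -1 / sqrt(2))}
I_OP = ((1, 0), (0, 1))
Y_OP = ((0, -1), (1, 0))  # Y = |1><0| - |0><1|: flips the bit in both bases (up to a phase)


def apply(op, psi):
    (a, b), (c, d) = op
    return (a * psi[0] + b * psi[1], c * psi[0] + d * psi[1])


def measure(psi, basis, rng):
    """Projective measurement in basis "Z" or "X"; outcome 0/1 by the Born rule."""
    k0 = KET[(basis, 0)]
    p0 = (k0[0] * psi[0] + k0[1] * psi[1]) ** 2  # all amplitudes are real here
    return 0 if rng.random() < p0 else 1


def ktyc_run(N, t, bit_of, rng):
    """Steps 1, 3 and 4.  bit_of(pos, orig) is the bit Alice encodes on the qubit
    that sits at reordered position pos and was qubit number orig = i*t + j of P_i.
    Returns (prepared, delivered, order); Alice publishes `order` in Step 4."""
    prepared = [(rng.choice("ZX"), rng.randint(0, 1)) for _ in range(N * t)]  # Step 1
    order = list(range(N * t))
    rng.shuffle(order)                                                         # Step 3: reorder
    delivered = [apply(Y_OP if bit_of(pos, orig) else I_OP, KET[prepared[orig]])
                 for pos, orig in enumerate(order)]                            # Step 3: encode
    return prepared, delivered, order  # positions i*t .. i*t+t-1 go back to P_i


def collude(D, t, prepared, delivered, order, rng):
    """Agents in D pool the sequences sent to them, measure every qubit that one
    of them prepared in the preparing basis and compare with the remembered bit."""
    learned = {}
    for i in D:
        for pos in range(i * t, (i + 1) * t):
            orig = order[pos]
            if orig // t in D:
                basis, bit = prepared[orig]
                learned[pos] = measure(delivered[pos], basis, rng) ^ bit
    return learned


def attack_original(secret, N, D, rng):
    """Original KTYC: s is written across the reordered sequence (pos -> s[pos])."""
    t = -(-len(secret) // N)
    m = secret + [0] * (N * t - len(secret))  # pad s to N*t bits
    prepared, delivered, order = ktyc_run(N, t, lambda pos, orig: m[pos], rng)
    learned = collude(D, t, prepared, delivered, order, rng)
    assert all(m[pos] == b for pos, b in learned.items())  # every learned bit is right
    return {pos: b for pos, b in learned.items() if pos < len(secret)}, order


def average_leak(N, S, D, runs, seed=0):
    """Mean number of secret bits the set D learns; Theorem 1 predicts d^2 t / N."""
    rng = random.Random(seed)
    return sum(len(attack_original([rng.randint(0, 1) for _ in range(S)], N, D, rng)[0])
               for _ in range(runs)) / runs


def attack_improved(secret, N, D, rng):
    """Fix: shares s_1 ^ ... ^ s_N = s (XOR assumed for the paper's "sum"), s_i encoded
    on P_i's own qubits.  Shares are S bits long, so every agent prepares t = S qubits."""
    S = len(secret)
    shares = [[rng.randint(0, 1) for _ in range(S)] for _ in range(N - 1)]
    last = list(secret)
    for sh in shares:
        last = [x ^ y for x, y in zip(last, sh)]
    shares.append(last)
    prepared, delivered, order = ktyc_run(N, S, lambda pos, orig: shares[orig // S][orig % S], rng)
    learned = collude(D, S, prepared, delivered, order, rng)
    share_bits = {(order[pos] // S, order[pos] % S): b for pos, b in learned.items()}
    assert all(shares[i][j] == b for (i, j), b in share_bits.items())
    # bit k of s is fixed only when bit k of *every* share is known
    determined = [k for k in range(S) if all((i, k) in share_bits for i in range(N))]
    return share_bits, determined


if __name__ == "__main__":
    print("N=5, S=20, d=2: mean leaked bits", average_leak(5, 20, {0, 1}, 200), "(theory 3.2)")
    print("N=5, S=20, d=4: mean leaked bits", average_leak(5, 20, {0, 1, 2, 3}, 200), "(theory 12.8)")
    bits, det = attack_improved([1, 0, 1, 1, 0, 0, 1, 0], 4, {0, 2}, random.Random(1))
    print("improved, d=2: share bits learned", len(bits), "secret bits determined", det)
```

In a single run the number of leaked bits is exactly the number of qubits in the colluders’ dt delivered positions that they prepared themselves, a hypergeometric quantity with mean \(dt\cdot \frac{dt}{Nt}=\frac{d^{2}t}{N}\); averaging over runs reproduces the theorem’s figure. Against the fix the same colluders still read bits of their own shares, but no bit of s is determined until every share is known, which only the full set of N agents achieves. The price of the fix is visible in the model: each share is S bits long, so every agent must prepare S qubits instead of \(\lceil S/N\rceil\).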
Conclusion
To sum up, we have given a cryptanalysis of the KTYC-protocol and presented a new participant attack. Using this attack, an unauthorized set of agents can gain access to some information on the dealer’s secret. Furthermore, we have shown that the amount of information on the dealer’s secret that the unauthorized set obtains grows in proportion to the square of the number of agents in the set, and that the proportion of the secret it can extract approaches 1 as the number of agents in the unauthorized set grows. Finally, we have analyzed the reason for the security flaw and proposed an effective way to improve the security of the KTYC-protocol. We hope this work sheds some light on the future design and analysis of QSS.
Data availability
All data generated or analyzed during this study are included in this article.
References
Shamir, A. How to share a secret. Commun. ACM 22(11), 612–613 (1979).
Blakley, G. R. Safeguarding cryptographic keys. In Proceedings of the 1979 AFIPS National Computer Conference 313–317 (AFIPS Press, 1979).
Cramer, R., Damgård, I. & Maurer, U. General secure multi-party computation from any linear secret-sharing scheme. In Advances in Cryptology – EUROCRYPT 2000, LNCS 1807, 316–334 (Springer, 2000).
Parakh, A. & Kak, S. Space efficient secret sharing for implicit data security. Inf. Sci. 181(2), 335–341 (2011).
Cai, X. Q. et al. Cryptanalysis of secure multiparty quantum summation. Quantum Inf. Process. 21(8), 285 (2022).
Long, G. L. et al. Theoretically efficient high-capacity quantum-key-distribution scheme. Phys. Rev. A 65(3), 032302 (2002).
Chen, G. et al. Quantum identity authentication based on the extension of quantum rotation. EPJ Quantum Technol. 10(1), 1–18 (2023).
Ye, C. Q. et al. Security and application of semi-quantum key distribution protocol for users with different quantum capabilities. EPJ Quantum Technol. 10(1), 1–23 (2023).
Hillery, M., Bužek, V. & Berthiaume, A. Quantum secret sharing. Phys. Rev. A 59(3), 1829–1834 (1999).
Zhang, Z. J., Li, Y. & Man, Z. X. Multiparty quantum secret sharing. Phys. Rev. A 71(4), 044301 (2005).
Schmid, C. et al. Experimental single qubit quantum secret sharing. Phys. Rev. Lett. 95(23), 230505 (2005).
Deng, F. G., Zhou, H. Y. & Long, G. L. Circular quantum secret sharing. J. Phys. A 39(45), 14089 (2006).
Wang, T. Y. et al. An efficient and secure multiparty quantum secret sharing scheme based on single photons. Opt. Commun. 281(24), 6130–6134 (2008).
Zhang, Z. J. & Man, Z. X. Multiparty quantum secret sharing of classical messages based on entanglement swapping. Phys. Rev. A 72(2), 022303 (2005).
Lin, J. & Hwang, T. An enhancement on Shi et al.’s multiparty quantum secret sharing protocol. Opt. Commun. 284(5), 1468–1471 (2011).
Lin, J. & Hwang, T. New circular quantum secret sharing for remote agents. Quantum Inf. Process. 12(1), 685–697 (2013).
Chen, Y. A. et al. Experimental quantum secret sharing and third-man quantum cryptography. Phys. Rev. Lett. 95(20), 200502 (2005).
Fu, Y. et al. Long-distance measurement-device-independent multiparty quantum communication. Phys. Rev. Lett. 114(9), 090501 (2015).
Wu, Y. et al. Continuous-variable measurement-device-independent multipartite quantum communication. Phys. Rev. A 93(2), 022325 (2016).
Zhou, Y. et al. Quantum secret sharing among four players using multipartite bound entanglement of an optical field. Phys. Rev. Lett. 121(15), 150502 (2018).
Dou, Z. et al. A secure rational quantum state sharing protocol. Sci. China Inf. Sci. 61(2), 1–12 (2018).
Zhou, Y. Y. et al. Quantum secret sharing among four players using multipartite bound entanglement of an optical field. Phys. Rev. Lett. 121(15), 150502 (2018).
Gao, Z. K., Li, T. & Li, Z. H. Deterministic measurement-device-independent quantum secret sharing. Sci. China-Phys. Mech. Astron. 63(12), 120311 (2020).
Liao, Q. et al. Quantum secret sharing using discretely modulated coherent states. Phys. Rev. A 103(3), 032410 (2021).
Ju, X. X. et al. Measurement-device-independent quantum secret sharing with hyper-encoding. Chin. Phys. B 31(10), 100302 (2022).
Cai, X. Q. et al. Measurement-device-independent quantum secret sharing. Adv. Quantum Technol.https://doi.org/10.1002/qute.202400060 (2024).
Qin, S. J. et al. Cryptanalysis of the Hillery–Bužek–Berthiaume quantum secret-sharing protocol. Phys. Rev. A 76(6), 062324 (2007).
Gao, F. et al. Dense-coding attack on three-party quantum key distribution protocols. IEEE J. Quantum Electron. 47(5), 630–635 (2011).
Yang, Y. G. et al. Participant attack on the measurement-device-independent protocol for deterministic quantum secret sharing. Sci. China-Phys. Mech. Astron. 64(26), 260321 (2021).
Wang, T. Y. et al. Security of a kind of quantum secret sharing with entangled states. Sci. Rep. 7, 2485 (2017).
Kuo, S. Y. et al. Efficient multiparty quantum secret sharing based on a novel structure and single qubits. EPJ Quantum Technol. 10(1), 29 (2023).
Hwang, W. Y. Quantum key distribution with high loss: Toward global secure communication. Phys. Rev. Lett. 91(5), 057901 (2003).
Li, C. Y. et al. Secure quantum key distribution network with Bell states and local unitary operations. Chin. Phys. Lett. 22(5), 1049 (2005).
Acknowledgements
This work was supported by the National Natural Science Foundation of China (Grant Nos. 62272208, 62172196, 61902166), and the Natural Science Foundation of Henan Province, China (Grant No. 212300410062).
Ethics declarations
Competing interests
The authors declare no competing interests.
About this article
Cite this article
Cai, XQ., Li, S., Liu, ZF. et al. Improving security of efficient multiparty quantum secret sharing based on a novel structure and single qubits. Sci Rep 14, 18385 (2024). https://doi.org/10.1038/s41598-024-69417-0