Introduction

In 1979, Shamir1 and Blakley2 independently introduced the concept of a (k, n) threshold secret sharing scheme, which allows a secret s to be split into n shares such that s can easily be reconstructed from any k shares, while fewer than k shares reveal no information on the secret s. Owing to this special property, secret sharing has been used to construct robust key management, secure multiparty computation and other cryptographic schemes that keep functioning securely and reliably even when misfortunes destroy most of the shares and security breaches expose all but one of the remaining shares3,4,5.

In the last decades, the principles of quantum mechanics have supplied many interesting cryptographic applications such as quantum key distribution, quantum secure direct communication (QSDC), quantum digital signature, and quantum secret sharing (QSS)6,7,8. In contrast to classical secret sharing, the security of QSS rests on the fundamental principles of quantum mechanics rather than on mathematically hard problems, which makes it secure against any opponent even if he/she has unlimited computing resources. On account of this security advantage, since the first proposal with Greenberger–Horne–Zeilinger states was given by Hillery et al.9, QSS has attracted much attention and many novel proposals have been reported in both theoretical and experimental aspects10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25. According to the quantum resources used, these proposals can be divided into two kinds: one is based on single photons10,11,12,13, and the other uses entangled states14,15,16,17,18,19,20,21,22,23,24,25. In order to improve efficiency and feasibility, two typical transmission strategies were introduced, i.e., circular transmission13,16 and teleportation transmission14,15. Additionally, measurement-device-independent QSS was also presented18,19,23,25,26, which excludes all quantum attacks on the detection part.

As is well known, cryptographic design and cryptanalysis are two complementary directions that oppose yet stimulate each other. Both are indispensable to the development of cryptography, and this is also the case for quantum cryptography. Nevertheless, analyzing the security of QSS is very complicated because multiple participants are involved and some of them may be dishonest27,28,29,30.

To achieve a good balance between security and performance, an efficient multiparty QSS protocol based on a novel structure and single qubits (named the KTYC-protocol hereafter) was reported recently31. It avoids some deficiencies of traditional loop QSS schemes because each agent interacts with the dealer independently through its own secure communication tunnel based on QSDC. In this paper, we analyze the security of the KTYC-protocol and give a new collusion attack, whereby an unauthorized set of agents can obtain some information on the dealer’s secret, which conflicts with the security requirement that nobody outside an authorized set can learn information on the dealer’s secret. Furthermore, the proportion of the secret that the unauthorized set can extract approaches 1 as the number of agents in the unauthorized set increases. Finally, we propose a possible way to improve the security of the KTYC-protocol.

Results

The KTYC-protocol

In this section, let us give a brief description of KTYC-protocol. Assume that the dealer Alice has a secret s whose length is S, and she wants the secret s to be shared among N agents: \(P_{1}\), \(P_{2}\), ..., \(P_{N}\). This protocol can be described as follows31.

Step 1. Every agent \(P_{i}\) \((i=1,2,\ldots ,N)\) prepares t qubits \(\otimes _{j=1}^{t}|\varphi \rangle _{j}^{i}\), and each qubit \(|\varphi \rangle _{j}^{i}\) is randomly chosen from the set \(\{|0\rangle ,|1\rangle ,|+\rangle ,|-\rangle \}\) for \(i=1,2,\ldots ,N\) and \(j=1,2,\ldots ,t\), where \(t=\lceil \frac{S}{N}\rceil\), \(|+\rangle =\frac{1}{\sqrt{2}}(|0\rangle +|1\rangle )\), \(|-\rangle =\frac{1}{\sqrt{2}}(|0\rangle -|1\rangle )\), and \(\otimes\) denotes the direct product of qubits. Then they send their respective quantum sequences to Alice after inserting several decoy qubits32,33.

Step 2. When receiving the quantum sequences, Alice checks the channel by the decoy qubits. Specifically, Alice randomly chooses sufficient qubits and requires all the agents to publish the basis and states of these qubits. Then she uses the same basis to measure and compare the results. If the error rate is higher than the threshold, she requests that the sequence be resent until it passes the channel checking.

Step 3. Alice joins these sequences together and reorders the qubits. Then she encodes the secret s into the sequence by applying the I and Y operations for her message bits “0” and “1”, respectively, and divides it into N sequences, where \(I=|0\rangle \langle 0|+|1\rangle \langle 1|=\begin{pmatrix} 1 & 0\\ 0 & 1 \end{pmatrix}\) and \(Y=|1\rangle \langle 0|-|0\rangle \langle 1|=\begin{pmatrix} 0 & -1\\ 1 & 0 \end{pmatrix}\). Subsequently, she sends these sequences back to all agents after inserting decoy qubits32,33.

Step 4. After all agents have received the sequences, Alice publishes the positions and states of the decoy qubits. All agents check the channel with these decoy qubits inserted by Alice. If the error rate is lower than the threshold, Alice publishes the order of the qubits; otherwise, the communication is terminated and restarted via a different channel.

Step 5. All agents cooperate to recover the secret s by exchanging their information on original quantum states.

The cryptanalysis of KTYC-protocol

As we know, the security of QSS requires that only an authorized set of agents can recover the secret s distributed by the dealer, while any unauthorized set of agents can learn no information on it9,27,28,29,30. However, here we show that an unauthorized set can gain access to some information on the secret s in the KTYC-protocol. Furthermore, the amount of information on the secret s that an unauthorized set can obtain grows in proportion to the square of the number of agents in the unauthorized set. The detailed analysis is given as follows.

From the above section, we can see that the KTYC-protocol is in fact an (N, N) threshold QSS protocol. Therefore, there is only one authorized set of agents, i.e., \(\{P_{1}, P_{2}, \ldots , P_{N}\}\), who can recover the secret s if all N agents cooperate with each other in Step 5. As mentioned in31, in contrast to the traditional loop QSS schemes based on QSDC, the KTYC-protocol is based on a new structure in which each agent communicates with the dealer through an independent quantum secure direct communication path. This design gives all N agents the same privileges in the protocol, but it also gives dishonest agents a good chance to gain access to information on the secret s, as Theorem 1 shows.

Theorem 1

An unauthorized set can gain access to about \(\frac{d^{2}t}{N}\) bits of the dealer’s secret s if they collude with each other in the KTYC-protocol, where d \((d<N)\) is the number of agents in the unauthorized set.

Proof

In Step 3, when the dealer Alice receives all N agents’ quantum sequences \(\otimes _{j=1}^{t}|\varphi \rangle _{j}^{1}\), \(\otimes _{j=1}^{t}|\varphi \rangle _{j}^{2}\), ..., \(\otimes _{j=1}^{t}|\varphi \rangle _{j}^{N}\), she joins them together and encodes the secret s into the quantum sequence. Then she divides it into N sequences and sends these sequences back to the N agents. Clearly, each agent receives a quantum sequence of t encoded qubits from Alice in Step 3, of which about \(\frac{t}{N}\) qubits were prepared by himself/herself in Step 1, by the principle of probability distribution. For these qubits, once Alice publishes the order of the qubits in Step 4, the agent can choose the right basis to measure them and then deduce Alice’s encoding operations, because he/she knows their initial states. Note that the channel check with decoy qubits cannot detect this attack, because the agent measures only after the channel has been confirmed secure. Therefore, any single agent can gain access to about \(\frac{t}{N}\) bits of the secret s, which means that Theorem 1 holds for \(d=1\).

Figure 1

The relation between the number (d) of agents in an unauthorized set and the number of bits (\(\frac{d^{2}t}{N}\)) that they can gain on the secret s. The bits that the agents in the unauthorized set can obtain increase in proportion to the square of their number (\(d^{2}\)). Here, we set \(N=10, t=7\) and \(S=tN=70\).

For \(d=2\), i.e., when there are two agents in the unauthorized set, each of them receives a quantum sequence of t encoded qubits from Alice in Step 3, so together they hold 2t encoded qubits. According to the principle of probability distribution, about \(\frac{2t}{N}\) of these encoded qubits were prepared by each of them in Step 1. For these qubits, once Alice publishes the order of the qubits in Step 4, they can deduce Alice’s encoding information by measuring them with the right basis. Therefore, they can gain access to about

$$\begin{aligned} \frac{2t}{N}+\frac{2t}{N} =\frac{4t}{N} =\frac{2^{2}t}{N} \end{aligned}$$
(1)

bits of the secret s.

For \(d=3\), i.e., when there are three agents in the unauthorized set, each of them receives a quantum sequence of t encoded qubits from Alice in Step 3, so together they hold 3t encoded qubits. According to the principle of probability distribution, about \(\frac{3t}{N}\) of these encoded qubits were prepared by each of them in Step 1. For these qubits, they can deduce Alice’s encoding information by measuring them with the right basis after Alice publishes the order of the qubits in Step 4. Therefore, they can gain access to about

$$\begin{aligned} \frac{3t}{N}+\frac{3t}{N}+\frac{3t}{N} =\frac{9t}{N} =\frac{3^{2}t}{N} \end{aligned}$$
(2)

bits of the secret s.

For \(d=4\) to \(N-1\), the same argument shows that the unauthorized set can gain access to about \(\frac{d^{2}t}{N}\) bits of the secret s.
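The count for general d follows from a short expectation argument; the derivation below is added here and is not part of the original proof. Let \(\mathcal{D}\) be the unauthorized set with \(|\mathcal{D}|=d\), and let \(X_{d}\) be the number of encoded qubits that the agents in \(\mathcal{D}\) both receive in Step 3 and prepared themselves in Step 1. Alice’s reordering sends each of the Nt qubits to a uniformly random position, and dt of the positions are returned to members of \(\mathcal{D}\), so

$$\begin{aligned} \mathbb{E}[X_{d}] &= \sum _{i\in \mathcal{D}}\sum _{j=1}^{t}\Pr \bigl [|\varphi \rangle _{j}^{i}\text { is returned to a member of }\mathcal{D}\bigr ] = dt\cdot \frac{dt}{Nt}=\frac{d^{2}t}{N}, \\ \frac{\mathbb{E}[X_{d}]}{S} &= \frac{d^{2}t/N}{Nt}=\frac{d^{2}}{N^{2}}. \end{aligned}$$

Each such qubit yields one bit of s once the order is published, which gives the \(\frac{d^{2}t}{N}\) bits of Theorem 1 and the proportion \(\frac{d^{2}}{N^{2}}\) plotted in Fig. 2; the cases \(d=1,2,3\) above are the corresponding special cases.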

In conclusion, when there are d (\(d<N\)) agents in the unauthorized set, they can gain access to about \(\frac{d^{2}t}{N}\) bits of the secret s. The proof of Theorem 1 is completed.

From Theorem 1, we find that the number of bits of the secret s that an unauthorized set can obtain grows in proportion to the square of the number of agents in the unauthorized set, as shown in Fig. 1. Furthermore, the proportion \(\frac{d^{2}}{N^{2}}\) of the secret s that the unauthorized set can extract approaches 1 as the number of agents in the unauthorized set increases, as shown in Fig. 2.

So far, we have given a cryptanalysis of the KTYC-protocol, which shows that this protocol is not secure in the sense that it does not satisfy the security requirement for QSS.

Figure 2

The relation between the number (d) of agents in an unauthorized set and the proportion (\(\frac{d^{2}}{N^{2}}\)) of the secret s that they can extract. The proportion \(\frac{d^{2}}{N^{2}}\) approaches 1 as the number (d) of agents in the unauthorized set increases. Here we set \(N=10, t=7\) and \(S=tN=70\).

Suggestion for improvement

From the cryptanalysis, it can be seen that the proposed collusion attack succeeds because the KTYC-protocol is based on a novel structure in which an agent has no influence over the dealer’s secret bits carried by encoded qubits that he/she did not prepare. Moreover, the attack is performed after the security check of the channel. Therefore, the agents in the unauthorized set can choose the right basis to measure the encoded qubits they prepared themselves and thereby gain access to bits of the secret s. To close this security leak, every agent must hold a share of each bit of the dealer’s secret s, which can be realized in two ways. One is that every agent performs an encryption on each encoded qubit, but this changes the structure of the KTYC-protocol. The other is that the dealer preprocesses the secret s to be shared in advance. Specifically, the dealer prepares N random numbers \(s_{1},s_{2},\ldots ,s_{N}\) in Step 3, where

$$\begin{aligned} s_{1}+s_{2}+\cdots +s_{N}=s. \end{aligned}$$
(3)

Then the dealer encodes \(s_{1},s_{2},\ldots ,s_{N}\) into the qubit sequences \(\otimes _{j=1}^{t}|\varphi \rangle _{j}^{1}\), \(\otimes _{j=1}^{t}|\varphi \rangle _{j}^{2}\), ..., \(\otimes _{j=1}^{t}|\varphi \rangle _{j}^{N}\), respectively. After that, the dealer performs the same actions as those in Step 3, except that the encoding operations are no longer performed.

Now we show that this approach prevents the collusion attack. Clearly, the shared secret s is the sum of the N shares \(s_{1},s_{2},\ldots ,s_{N}\) in the improved version, so without any one share the secret cannot be reconstructed. Moreover, the shares \(s_{1},s_{2}\), ..., \(s_{N}\) are encoded into the qubit sequences \(\otimes _{j=1}^{t}|\varphi \rangle _{j}^{1}\), \(\otimes _{j=1}^{t}|\varphi \rangle _{j}^{2}\), ..., \(\otimes _{j=1}^{t}|\varphi \rangle _{j}^{N}\), respectively, and only the agent \(P_{i}\) knows the initial states of the qubits \(\otimes _{j=1}^{t}|\varphi \rangle _{j}^{i}\), which are necessary to read the encoded information \(s_{i}\). Therefore, the share \(s_{i}\) cannot be obtained without the cooperation of the agent \(P_{i}\). All in all, the secret s can be reconstructed if and only if all the agents in the authorized set \(\{P_{1}, P_{2}, \ldots , P_{N}\}\) cooperate with each other, and any unauthorized set learns no information on it.
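Both the collusion count of Theorem 1 and the effect of the preprocessing above can be checked in a classical simulation, because the protocol only ever uses the four states \(|0\rangle ,|1\rangle ,|+\rangle ,|-\rangle\) and the I/Y operations. The following Python script is an added example and is not code from the original paper or from the KTYC authors. It models a qubit as a (basis, value) pair, leaves out the decoy-qubit checks (the colluders measure only after those pass, exactly as the proof notes), and, for the improved version, assumes that the “+” in Eq. (3) is bitwise XOR and that each share \(s_{i}\) is t bits long, since \(s_{i}\) is encoded onto agent \(P_{i}\)’s own t-qubit sequence; the function and variable names are the example’s own.

```python
import random

# Classical stand-in for a qubit from {|0>,|1>,|+>,|->}: (basis, value) with
# basis 'Z' for {|0>,|1>} and 'X' for {|+>,|->}.  Alice's Y = |1><0| - |0><1|
# maps |0>->|1>, |1>->-|0>, |+>->-|->, |->->|+>: up to a global phase it flips
# the value in either basis, while I leaves it.  Whoever knows a qubit's
# preparation basis and value therefore reads the encoded bit by measuring in
# that basis and comparing.  Decoys are omitted: the attack runs after the check.

def prepare_sequences(n, t, rng):
    """Step 1: agent i prepares t qubits, each with a random basis and value."""
    return [[(rng.choice("ZX"), rng.randrange(2)) for _ in range(t)]
            for _ in range(n)]

def encode(qubit, bit):
    """Alice's I (bit 0) or Y (bit 1) operation on one qubit."""
    basis, value = qubit
    return (basis, value ^ bit)

def measure(qubit, basis, rng):
    """Projective measurement; a mismatched basis gives a uniform outcome."""
    qbasis, value = qubit
    return value if basis == qbasis else rng.randrange(2)

def shuffle_and_split(sequences, bit_for, rng):
    """Steps 3-4 minus decoys: join all N*t qubits, reorder, encode onto each the
    bit bit_for(position, (owner, index)), split into N sequences of t (agent k
    gets positions k*t..(k+1)*t-1).  `order` is what Alice publishes in Step 4."""
    n, t = len(sequences), len(sequences[0])
    order = [(i, j) for i in range(n) for j in range(t)]
    rng.shuffle(order)
    pooled = [encode(sequences[i][j], bit_for(pos, (i, j)))
              for pos, (i, j) in enumerate(order)]
    returned = [[(pos, pooled[pos]) for pos in range(k * t, (k + 1) * t)]
                for k in range(n)]
    return returned, order

def bits_readable_by(sequences, returned, order, members, rng):
    """Encoded bits a cooperating set can read: those on a qubit they both received
    and prepared.  All N agents = honest Step 5; a proper subset = the attack."""
    members = set(members)
    learned = {}
    for agent in members:
        for pos, qubit in returned[agent]:
            owner, j = order[pos]
            if owner in members:
                basis, value = sequences[owner][j]
                learned[pos] = measure(qubit, basis, rng) ^ value
    return learned

def mean_leak(n, t, d, trials, seed=1):
    """Mean number of secret bits P_1..P_d read by colluding in the original
    protocol (secret bit pos sits on position pos); Theorem 1 predicts d*d*t/n."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        seqs = prepare_sequences(n, t, rng)
        secret = [rng.randrange(2) for _ in range(n * t)]
        returned, order = shuffle_and_split(seqs, lambda pos, _: secret[pos], rng)
        learned = bits_readable_by(seqs, returned, order, range(d), rng)
        assert all(secret[pos] == b for pos, b in learned.items())  # bits are exact
        total += len(learned)
    return total / trials

# Improved version.  Assumption: "+" in Eq. (3) is bitwise XOR and each share
# s_i is t bits long, so the shared secret here is t bits.
def dealer_round_improved(sequences, secret_bits, rng):
    """Split s into N shares with s_1 xor ... xor s_N = s; bit j of s_i goes onto
    qubit j of agent i's own sequence, then reorder and split as before."""
    n, t = len(sequences), len(sequences[0])
    assert len(secret_bits) == t
    shares = [[rng.randrange(2) for _ in range(t)] for _ in range(n - 1)]
    last = list(secret_bits)
    for sh in shares:
        last = [a ^ b for a, b in zip(last, sh)]
    shares.append(last)
    return shuffle_and_split(sequences, lambda _, ij: shares[ij[0]][ij[1]], rng)

def reconstruct_improved(learned, order, n, t):
    """Secret bit j is the XOR of all N share bits s_i[j]; it stays None unless
    every one was read, so a set missing any agent determines no bit at all."""
    share_bits = {order[pos]: b for pos, b in learned.items()}  # (i, j) -> s_i[j]
    return [sum(share_bits[(i, j)] for i in range(n)) % 2
            if all((i, j) in share_bits for i in range(n)) else None
            for j in range(t)]

def improved_leak(n, t, d, seed=1):
    """(bits determined by d colluders, bits determined by all N, full set exact?)"""
    rng = random.Random(seed)
    seqs = prepare_sequences(n, t, rng)
    secret = [rng.randrange(2) for _ in range(t)]
    returned, order = dealer_round_improved(seqs, secret, rng)
    few = reconstruct_improved(bits_readable_by(seqs, returned, order, range(d), rng), order, n, t)
    everyone = reconstruct_improved(bits_readable_by(seqs, returned, order, range(n), rng), order, n, t)
    return (sum(b is not None for b in few), sum(b is not None for b in everyone), everyone == secret)

if __name__ == "__main__":  # the setting of Fig. 1 and Fig. 2: N = 10, t = 7
    print([round(mean_leak(10, 7, d, 2000), 2) for d in range(1, 10)], improved_leak(10, 7, 3))
```

With N=10 and t=7 the averages track \(\frac{d^{2}t}{N}\) from Fig. 1 (about 0.7 bits for a single agent, 6.3 for three, 56.7 for nine), and every bit the colluders read is correct, since they measure their own qubits in the right basis. In the improved round the same colluders determine no secret bit, because each secret bit needs the share bit of every agent, while the full set of N agents still reconstructs s exactly.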

Conclusion

To sum up, we give a cryptanalysis of the KTYC-protocol and present a new participant attack. Using this attack, an unauthorized set of agents can gain access to some information on the dealer’s secret. Furthermore, it is shown that the amount of information on the dealer’s secret that the unauthorized set can obtain grows in proportion to the square of the number of agents, and that the proportion of the dealer’s secret the unauthorized set can extract approaches 1 as the number of agents in the unauthorized set increases. Finally, we analyze the reason for the security leak and propose an effective way to improve the security of the KTYC-protocol. We hope this work sheds some light on the further design and analysis of QSS.