Quantum secret sharing via local operations and classical communication

We investigate the distinguishability of orthogonal multipartite entangled states in d-qudit system by restricted local operations and classical communication. According to these properties, we propose a standard (2, n)-threshold quantum secret sharing scheme (called LOCC-QSS scheme), which solves the open question in [Rahaman et al., Phys. Rev. A, 91, 022330 (2015)]. On the other hand, we find that all the existing (k, n)-threshold LOCC-QSS schemes are imperfect (or “ramp”), i.e., unauthorized groups can obtain some information about the shared secret. Furthermore, we present a (3, 4)-threshold LOCC-QSS scheme which is close to perfect.

Quantum secret sharing (QSS) is an important branch of quantum cryptography, which was simultaneously proposed by Hillery et al. 1 and Cleve et al. 2 . It allows a secret to be shared among many participants in such a way that only the authorized groups can reconstruct it. In a (k, n)-threshold QSS scheme, the dealer distributes a shared secret among n participants, and any group of k or more participants can collaboratively recover the shared secret, however, no group of fewer than k participants can.
During the past two decades, many interesting QSS schemes [1][2][3][4][5][6][7][8][9][10][11] were proposed (for an incomplete list). Recently, Rahaman et al. concentrated on the implementation of classical secret sharing by quantum means, and first introduced the theory of local distinguishability of quantum states to the design of QSS scheme 12 . A novel, simple and efficient model of QSS scheme was presented, where the participants only used local quantum operations and classical communication (LOCC), in other words, any joint quantum operations were not required. This QSS model is called LOCC-QSS model. According to the model, a series of (k, n)-threshold LOCC-QSS schemes were proposed in ref. [12]. The designs of them are based on the local distinguishability of orthogonal multipartite quantum states. That is, some pairs of locally distinguishable orthogonal multipartite entangled states which represent the encoded secret can be collaboratively distinguished by a sufficient number of participants using LOCC, but cannot be distinguished by any fewer than the threshold k participants.
The topic of LOCC-QSS is very interesting, meanwhile, it brings us some valuable study points. First, (2, n)-threshold LOCC-QSS scheme in ref. [12] is a nonstandard QSS scheme since it needs a strictly restricted condition, i.e., the two cooperating participants must come from two disjoint groups. A natural question how to design a standard (2, n)-threshold LOCC-QSS scheme is an open question. Second, all the existing (k, n)-threshold LOCC-QSS schemes are ramp (or "imperfect") QSS schemes, i.e., there exist some information leakages in these schemes. How to quantify the information leakages and design a (k, n)-threshold LOCC-QSS scheme of less information leakages or even a perfect (k, n)-threshold LOCC-QSS scheme is also an interesting topic.
In this paper, we revolve around above study points to research and try to solve them. On the one hand, we study the properties of orthogonal multipartite entangled states in d-qudit system. What's more, a standard (2, n)-threshold LOCC-QSS scheme is presented, i.e., there is no any restricted condition

Results
Local distinguishability of quantum states in high dimension system. The paradigm of local distinguishability can be described as follows. Suppose some parties shared a multipartite quantum state which is secretly chosen from a known set of orthogonal quantum states. Their aim is to identify the unknown quantum state perfectly using local operations and classical communication. Numerous interesting results have been reported [13][14][15][16][17][18][19][20][21][22][23][24][25] . Now we discuss the distinguishability about a pair of orthogonal multipartite entangled states by restricted local operations and classical communication (rLOCC). Here, rLOCC means only a subset of parties is allowed to communicate with each other 12 .
1} be a standard orthonormal basis of a d-dimensional Hilbert space. Consider the following two orthogonal state ψ 1 , ψ 2 , which can act as generalized Bell states in d-qudit system.  Proof. On the one hand, according to the forms of the two states, it is easy to obtain a distinguishable protocol. All the cooperating participants (no less than two) measure their own particle in the computational basis locally. If they have precisely the same results, then the shared state is ψ 1 . Otherwise, if they have completely different results, the state is ψ 2 .
On the other hand, for the two states, it is straightforward to calculate that any single particle reduced density matrices are I/d, where I is the identity operator in d-dimensional system. It means that only one participant cannot obtain any information from his own particle. That is, the two states cannot be distinguished by only one participant. where ω = e 2π�/d . A stabilizer state ψ is a state of an n-qudit system that is the simultaneous eigenvector, with eigenvalues 1, of a subgroup of d n commuting elements of the Pauli group which does not contain multiples of the identity other than the identity itself. We call this subgroup as the stabilizer G of ψ 26 . When d is prime, G can always be generated by n suitably chosen group elements g j , where the order of each g j is d.
is called a set of generators. When d is not prime, one might need more than n generators in some cases.
In d-qudit system, d is a prime. Let us define two sets of quantum operations According to the definition of stabilizer, we can easily obtain the following lemma. Lemma 1. . Note that whether d is a prime or not, the two states ψ 1 , ψ 2 are both the eigenstates of all the elements of  1 . However, Theorem 2 holds only when d is a prime. It means that both of the two states can be uniquely determined by the set  1 according to eigenvalues. If d is not a prime, they may not be uniquely determined by the set  1 according to eigenvalues. Theorem 3. Two orthogonal entangled states in Eq. (4) can always be exactly distinguished by no less than three cooperating participants using LOCC. However, they cannot be deterministically distinguished by any two or fewer participants by LOCC.
where P is the set of all possible distinct permutations.
Proof. All the cooperating participants (no less than three) measure their own particle in the computational basis locally. If they have precisely the same results or completely different results, then the shared state is ϕ 1 . Otherwise, if there exist two participants who have the same results, but their results are different from the other participants' results, then the shared state is ϕ 2 .
On the other hand, for the two states, it is straightforward to calculate that any one participant have the same reduced density matrix I/d, where I is the identity operator in d-dimensional system. It means that only one participant cannot obtain any information from his own particle. All the bipartite reduced density matrices of ϕ 1 are same because of the symmetry of ϕ 1 , so are that of ϕ 2 . Employing the probability formula of the minimum-error state discrimination , where q 1 , q 2 are a priori probabilities and ρ 1 , ρ 2 are two states, we can calculate that the probability with which any two participants can distinguish the states is 0.5536. It means that two participants cannot perfectly distinguish the two states even if they use joint quantum operations. So the two states cannot be exactly distinguished by any two participants by LOCC. That completes the proof.

LOCC-QSS.
Suppose the sender Alice wants to share a key between n separated participants Bob 1 , Bob 2 , …, Bob n . Only no less than k participants can collaboratively recover the shared secret. That is, a (k, n)-threshold QSS should be designed. Here, we still adopt the basic model of LOCC-QSS in ref. [12] since the basic model is very simple and efficient. For readability, we still use the same notations.
The standard (2, n)-threshold LOCC-QSS scheme. Step 1. Alice first prepares a large number (say L > n) of states chosen randomly from a specified pair of orthogonal n-qudit (n = d) entangled states in Eq.(1) according to her requirement. Let us denote the prepared states by ( , ) S a b t to keep details of each prepared state in each run (run t is associated with the prepared state ( , ) S a b t at time t). Here, a represents the state randomly chosen from a pair of orthogonal states, that Alice prepares at time t represents the positions of all n qudits of a prepared state ( , ) S a b t at time t, i.e., the position of ith qudit of a prepared state a at time t is denoted by Step 2. Alice prepares at random, a different sequence, = Π ( , , …, ) r L 1 2 i i for each Bob i , and sends the i t th qudit (i = 1, 2, …, n; t = 1, 2, …, L) to Bob i according to the r i sequence order, where Π i is an arbitrary permutation of the sequence (1, 2, …, L). No one has the information about Π i except for Alice. After receiving their associated sequence of qudits, all of the receivers now share L n-qudit entangled Step 3. Alice now randomly selects some run, say (⊂ , , …, ) Here Alice choose randomly elements of the set  1 in Eq.(3) to determine Bob i ′ s measurement basis. Now we interpret it. First, for the set  1 , both ψ 1 and ψ 2 are the eigenstates of the elements of  1 . They have the following relation By analyzing the measurement results, Alice can easily detect whether there is an eavesdropper or not. If there is one, she aborts the protocol and starts again from step 1.
Step according to her secret a (= 0 or 1). The mapping between classical bit value and orthogonal entangled states is fixed and is communicated securely from Alice and Bobs in advance. If Alice's secret is more than one bit, then she reveals the qudit positions of a sequence of unmeasured states | , ( ) 〉 S a r b [ ] t . According to Theorem 2, the states ψ 1 , ψ 2 can be uniquely determined by the set S 1 according to eigenvalues if d is prime. It makes the protocol be more secure. On the other hand, although ψ 1 and ψ 2 cannot be uniquely determined if d is not prime, the protocol is still secure due to the design method of this scheme. It will be shown in the section of security analysis.
Employing Theorem 1, the two states can be exactly distinguished by no less than two cooperating participants using LOCC. But they cannot be distinguished by only one participant. Thus, this is a standard (2, n)-threshold LOCC-QSS scheme. (2, n)-threshold LOCC-QSS scheme can be regarded as secure because the shared secret cannot be eavesdropped without being detected. Usually, there are three eavesdropping strategies for Eve (she may be dishonest Bob). Now we consider the security of our scheme under the three attacks. The first eavesdropping strategy is called "intercept-measure-resend", that is, Eve intercepts the legal particles when Alice sends them to Bob i , chooses local or global measurement basis to measure them, then resends them to Bob i . (i) If Eve wants to obtain Alice's secret, she can choose and measure n qudits by global measurement to distinguish the unknown state. However, Eve does not know which n qudits come from the same entangled state because Alice has scrambled the order of qudits using permutation Π i , and no one has the information about Π i except for Alice. Therefore, this attack will be detected in the eavesdropping detection if Eve chooses this method of attack. (ii) If Eve wants to obtain Bob i ′ s secret or wants to obtain Alice's secret according to more than t (threshold value) Bob i ′ s secrets, she can measure one or more qudits by local measurement. However, the original correlations of quantum states will be destroyed. For example, Eve chooses computation basis to locally measure the unknown state ψ ? . Then ψ ? collapses to a product state, which does not satisfy the conditions of eavesdropping detection. This attack will be detected in the eavesdropping detection.
The second one is "intercept-replace-resend", i.e., Eve intercepts the legal particles and replaces them by her counterfeit ones. If Eve escapes from the detection of Alice, she will obtain Alice's secret. Now we show that our scheme is security under the attack. replace the states which are sent by Alice. Otherwise, the eavesdropping will be found by Alice.
The third one is "entangle-measure", i.e., Eve entangles an ancilla with the n-qudit, at some later time she can measure the ancilla to gain information. Without loss of generality, assume that Eve uses a unitary operator such that the ancilla 0 entangles with the quantum state ψ i , i.e., ψ φ , where the subscripts B and E express the particles belonging to Bob i and Eve, respectively. In fact, This kind of attack is general, it contains the above two attacks. Now we will show that the legal particles (B) and the ancilla (E) must be not entangled if no error is introduced into the QSS procedures. It means that Eve will gain no information about the secret by observing the ancilla.
(i) If d is a prime, according to Theorem 2, ψ 1 and ψ 2 are uniquely determined by S 1 . In other words, the state φ ( = , ) i 1 2 i BE must be not entangled between B and E, otherwise, this attack will be detected by Alice with certain probability.
(ii) Next we consider that d is not a prime. Firstly, since Eve does not know which n qudits come from the same entangled state, the unitary operator can only act on one qudit from ψ i and the ancilla. Secondly, note that the operator Z ⊗n can be generated by the elements of S 1 , i.e., Therefore, only if the state φ i BE satisfies the property that the product of all Bob i ′ s measurement results measured by computation basis is equal to λ (= 1), may Eve escape from the detection of Alice.
j ≠ 0. Obviously, they must be eliminated, i.e., α α α α , j ≠ 0. Otherwise, this attack will be found by Alice. It means ( ) is a product state between legal qudits and the ancilla. The similar discussion can be applied for the analysis of quantum state φ BE 2 , and we can obtain the same result.
Intuitively, maybe it is surprised that the scheme is secure despite ψ i cannot be uniquely determined by the set S 1 for non-prime d. The reason is that Alice has scrambled the order of qudits such that the states satisfying conditions of eavesdropping detection are excluded. If the unitary operator can only act on one qudit from ψ i and the ancilla, Eve cannot obtain any information according to the above proof.
The quantification of information leakages. It is difficult to design a perfect (without any information leakage) (k, n)-threshold LOCC-QSS scheme. At present all of the existing (k, n)-threshold LOCC-QSS schemes are ramp schemes. We try to quantify the information leakages. Now we consider conspiracy attack for (k, n)-threshold LOCC-QSS scheme. If there exist l(< k) dishonest Bob i , they can recover the secret together. This attack method is called conspiracy attack. For the (k, n)-threshold LOCC-QSS scheme 12 , according to the following two intentions, they can choose different ways to eavesdrop.
(i) No matter whether eavesdroppers obtain the shared secret or not, it is not allowed that they obtain a wrong shared secret and disturb the authorized groups to recover the shared secret. For simplicity, the eavesdropping probability of success is called unambiguous probability.
(ii) In order to obtain information about the shared secret as much as possible, it is allowed that eavesdroppers minimize the errors that occur in a state discrimination task and can disturb the authorized groups to recover the shared secret. The eavesdropping probability of success is called guessing probability.
For the sake of simplicity, we only analyze the example 3 in ref. [12], i.e., (5, 6)-threshold LOCC-QSS scheme. It is easy to be generalized for (k, n)-threshold LOCC-QSS scheme. First we recall the key steps in the original scheme.

Discussion
In ref. [11], Gheorghiu et al. also proposed an efficient QSS scheme by LOCC, which is based on quantum error-correcting codes to distribute a quantum secret. In their QSS scheme, they reduced the required quantum communication at the cost of some classical communication. But our schemes are based on local discrimination of quantum states to distribute classical secrets. And any joint quantum operations and quantum communication are not required in secret recovery stage. Although the designs of these schemes have all used LOCC, their essences are completely different.
In this paper, based on the distinguishability of orthogonal multipartite entangled states by rLOCC in d-qudit system, we present a standard (2, n)-threshold LOCC-QSS scheme, which work out the open question in ref. [12]. In addition, we take (5, 6)-threshold LOCC-QSS scheme as a example to present that all the existing (k, n)-threshold LOCC-QSS schemes are ramp schemes. Then we propose a (3, 4)-threshold LOCC-QSS scheme, which is close to perfect. We hope that these results will encourage researchers to study generalized (k, n)-threshold LOCC-QSS scheme.