Hybrid threshold adaptable quantum secret sharing scheme with reverse Huffman-Fibonacci-tree coding

With prevalent attacks in communication, sharing a secret between communicating parties is an ongoing challenge. Moreover, it is important to integrate quantum solutions with classical secret sharing schemes with low computational cost for the real world use. This paper proposes a novel hybrid threshold adaptable quantum secret sharing scheme, using an m-bonacci orbital angular momentum (OAM) pump, Lagrange interpolation polynomials, and reverse Huffman-Fibonacci-tree coding. To be exact, we employ entangled states prepared by m-bonacci sequences to detect eavesdropping. Meanwhile, we encode m-bonacci sequences in Lagrange interpolation polynomials to generate the shares of a secret with reverse Huffman-Fibonacci-tree coding. The advantages of the proposed scheme is that it can detect eavesdropping without joint quantum operations, and permits secret sharing for an arbitrary but no less than threshold-value number of classical participants with much lower bandwidth. Also, in comparison with existing quantum secret sharing schemes, it still works when there are dynamic changes, such as the unavailability of some quantum channel, the arrival of new participants and the departure of participants. Finally, we provide security analysis of the new hybrid quantum secret sharing scheme and discuss its useful features for modern applications.

Secret sharing is an important and powerful tool for protecting confidentiality and integrity of sensitive information, such as missile launch codes, bank account information, medical information and encryption keys. Secret sharing can be categorized into two broad classes: classical and quantum. Secret sharing was invented in its classical form simultaneously by Shamir 1 and Blakley 2 . The Shamir secret sharing splits a secret into multiple shares in such a way that a large enough collection of shares can be used to reconstruct the secret. The minimum number of shares that enables the reconstruction is called the threshold or in general the access structure. However, if the number of shares is smaller than the threshold, then they provide no information about the secret. In other words, when a fewer than the threshold number of shares are compromised, the secret cannot be revealed. Later many other secret sharing schemes [3][4][5][6][7] have been proposed to improve the traditional ones. The obvious weakness of classical secret sharing is that an adversary can duplicate shares without being detected. As a result, eavesdropping attacks could happen in the reconstruction phase when the participants send their shares to a combiner who computes the secret.
To address the eavesdropping problem, Hillery et al. 8 extended classical secret sharing (CSS) to a (m, n)-threshold quantum secret sharing (QSS), which is the generation of quantum key distribution (QKD) [9][10][11] . In their scheme, GHZ states are used to transmit the shares securely in the presence of eavesdroppers, like the method used in ref. 12. The security of their scheme is guaranteed by the quantum no-cloning theorem 13 . Following Hillery et al.'s work, many quantum secret sharing schemes [14][15][16][17][18][19][20][21][22][23][24][25][26][27] have been proposed with rigorous security proofs as well as properties that make them suitable for many applications. Though quantum secret sharing can detect eavesdropping, Źukowski et al. 23 argue that QSS is different from CSS. The main difference is that in QSS, the choice of parameters m and n is restricted while in CSS, the parameters can be arbitrarily selected as long as n ≥ m. In particular, in a (m, n)-threshold QSS, the parameters m, n must satisfy the condition, 2m − 1 > n, which is imposed by the quantum no-cloning theorem 13 . However, in practice, security policies and the adversary structure demand the parameters m and n to be flexible and scalable. Therefore, it is very challenging to develop a new (m, n)-threshold QSS scheme, whose parameters m and n are not restricted.
In this paper, we propose a hybrid quantum secret sharing scheme to address this challenge. The new scheme is free from any restrictions on the parameters m and n and therefore it is suitable for many real-world applications. We employ entangled states prepared by m-bonacci sequences to detect eavesdropping, which can be done by any subset of participants that contains at least       is the smallest integer greater than or equal to x) members. That is to say, not all participants are required to reach a consensus in order to reveal eavesdropping. We use m-bonacci sequences encoded in Lagrange interpolation polynomials to generate the secret, with no restrictions imposed on the parameters m, n. Given that m-bonacci numbers can be represented by Fibonacci numbers, we use the structure of the Huffman-Fibonacci tree with the greedy algorithm to encode m-bonacci sequences, i.e., the higher the frequency at which a Fibonacci number appears in m-bonacci sequences, the longer the block of binary codes. Therefore, our scheme can greatly improve the coding capacity, thus reducing the use of entangled photons, which are expensive and difficult to prepare. In real-world applications, some changes may occur when a new participant joins or alternatively, an existing participant leaves or there is a sudden disruption of some quantum channels. The new scheme has the capability to deal with such changes since the m-bonacci-number coding can be easily modified to reflect changes in secret sharing.

Results
In this section, we first describe a new hybrid quantum secret sharing based on m-bonacci sequences, as shown in Fig. 1. The scheme consists of two components: quantum and classical. The classical component allows to establish an infinite random sequence in a way of quantum encoding, which is shared by classical participants. The classical shares of the random sequence allow any m + 1 participants to recover the sequence. The one-time-pad encryption is done by a collection of m + 1 classical participants. The decryption can be done by any other collection of m + 1 classical participants. There are three phases in the proposed scheme: • share generation and distribution -the dealer phase • eavesdropping detection phase • secret reconstruction phase Then its security is analyzed and compared with other related QKD protocols. represents m-bonacci sequences, B 1 , B 2 , ···, B m denote m quantum shares, and C 1 , C 2 , ···, C n denote n classical shares, P e denotes the error rate and t the preset threshold value for P e .
Scientific RepoRts | 6:31350 | DOI: 10.1038/srep31350 New hybrid threshold quantum secret sharing scheme. First, we introduce the generalized Fibonacci sequence 28 , that is so-called m-bonacci sequence which is used in our later scheme. The m-bonacci sequence of order m ≥ 2 denoted by F n m (  ∈ + n ) is defined by the following recurrence 28,29 : with the first m − 2 initial terms set to 0 and the (m − 1)th initial term set to 1. In particular, the 2-bonacci sequence is the usual Fibonacci sequence 30 ; 3-bonacci sequence is usually called the Tribonacci sequence 28 . In Table 1, we list the first ten m-bonacci numbers when m = 2, 3, 4, 5, 6. Then, we present the entities used in our secret sharing, which are as follows: • a dealer, • m (which is the same as m in m-bonacci numbers) participants who hold quantum shares (quantum participants), •  participants who hold classical shares (classical participants) and • Adversaries.
Dealer is a party who is trusted by all quantum and classical participants. It is responsible for the initialization of the secret sharing. It generates shares and distributes them to all the participants. It is assumed that after finishing its tasks, the dealer "forgets" all the parameters of the scheme together with the secret.
Quantum participants hold their quantum shares. Each quantum participant owns one quantum share. Their task is to detect eavesdropping. This guarantees unconditional security of the scheme.
Classical participants hold their classical shares. There are  classical participants. They are responsible for secret reconstruction. Each classical participant receives their share from the dealer via a classical secure channel. Unlike in CSS, in our hybrid QSS, any q (q ≥ m + 1) classical participants can recover the key (secret) using their classical shares (after eavesdropping detection).
Adversaries includes the outsider and at most m insiders. The former has no valid share, while the latter is actually a legal participant with a valid share.
Finally, the proposed hybrid ′ +  t m m (( , ), ( 1, )) threshold QSS is defined as follows: Definition 1 (Hybrid ′ +  t m m 1 (( , ), ( , )) threshold QSS). There are m (where > > ′  m t ) quantum participants and  classical participants. The secret can be recovered by m + 1 classical participants and t′ quantum participants. t′ quantum shares from t′ quantum participants can be used for eavesdropping detection while m + 1 classical shares owned by m + 1 classical participants can be used to recover the secret.
The steps of our scheme are described in details as follows: Dealer phase. (1) Dealer first prepares entangled states using the m-bonacci number source as shown in An OAM-entangled outgoing state depends on m, which is as follows: where the index m runs through the allowed m-bonacci numbers in the pump beam: ∑ F n m . Each of the m quantum participants receives one entangled photon from the entangled states. In the lab of each quantum participant, there are two types of detection sorters (i.e., the E i sorter and the F i sorter, i ∈ {1, 2, ···, m}), directing the entangled photon to one of them at random. The E i sorter is made up of an OAM sorter 33 followed by a set of single-photon detectors. The OAM sorter transmits OAM eigenstates of various pump values into various outgoing directions, allowing them to be registered and determined in different detectors. The F i sorter is used to distinguish different superpositions of the form. The states obtained in the E i -and F i -type measurements are nonorthogonal to each other. Therefore, the security of our proposed scheme is based on the fact that nonorthogonal states are indistinguishable 34 , and this principle is similar to the one used in the BB84 9 and Ekert 10 protocols. However, the equation (2) has an unusual feature, that is, the states detected in the E i -type measurement form a mutually orthogonal set among themselves, while those in the F i -type measurements are not all orthogonal to each other but form a  chain, where each state is nonorthogonal to the two adjacent states in the chain. Moreover, for orbital angular momentum, it is not necessary for quantum states that are orthogonal in Hilbert space to associate to orthogonal vectors in the physical space. Likewise, it is not necessary for quantum states that are nonorthogonal in Hilbert space to associate to nonorthogonal vectors in the physical space. That is the second fact for our scheme's security.
(2) The beam splitter in the quantum participant's laboratory, sends the entangled photon to either the sorter E i or the sorter F i at random, where i ∈ {1, 2, ···, m}. Quantum participants B 1 , B 2 , ···, B m record the sorter to which the photon goes and the detected OAM value.
(3) Dealer allocates , , 1 2 in the following way. Note that if there is something wrong with quantum channel transmission or the composition of classical participants changes (i.e., a new participant wants to join or an existing participant wishes to leave), then the dealer chooses adaptable m-bonacci numbers to produce new secret shares in terms of the mentioned flow of participants. This is a novel feature of our threshold adaptable secret sharing scheme.
Next the dealer uses the following algorithm to encode the secret: (2) R a n d o m l y a n d u n i f o r m l y g e n e r at e a nu m b e r  ∈ a p 0 a n d c r e at e a p o l y n o m i a l : Finally, the dealer communicates  shares (i′ , A i′ ) to appropriate classical participants, where ≤ ′ ≤  i 1 .
Eavesdropping detection phase. During the process of secret share distribution, when there is a mismatch in the entangled state photons, and if the error rate P e is larger than the preset threshold t between Dealer and participants, they abort this communication and return to the Dealer's phase. Otherwise, the communication continues to obtain a secure key for encrypting the shared secret, until the dealer sends an error notification or stops sending secret shares. The details are given below.
(1) Any m + 1 classical participants use their shares ∪ ′ ′ (  illustrate how eavesdropping is detected. Suppose that an adversary Eve is eavesdropping on the quantum channel between B 1 , B 2 . Clearly, she does not know which type of a detection measurement (the sorter E i or the sorter F i ) took place in B i 's laboratory (1 ≤ i ≤ m). So, Eve has to guess. If the entangled photon goes to the E i sorter in Eve's laboratory when going to the F i sorter in B i 's laboratory, or the entangled photon goes to the F i sorter in Eve's laboratory when going to the E i sorter in B i 's laboratory, then the B i measurement is going to be erroneous with the probability of 1 2 . Eve's activity is going to be detected by B 1 , B 2 , ···, B m when they compare their scheme transcripts. More precisely, we have the following two cases to consider: (1) Eve makes an E i -type measurement on a photon, which is actually in the eigenstate F i m . Then she will detect one of the two , respectively. Eve may send a copy of it to B i . If B i receives one of these eigenstates and makes an E i -type measurement, she will obtain one of the superpositions In both cases, if Eve eavesdrops with a fraction η (fraction of times Eve interferes) of the trials, the fraction of times Eve guesses wrong basis is 1 2 , and the fraction of times wrong basis leads to error is 1 2 . So, when quantum participant B 1 compares her results with B 2 's, they will find that their outcomes are inconsistent a fraction f of the time, which is Note that in our scheme, each entangled photon binds the classical share together. Moreover, not all quantum participants are needed to detect eavesdropping when m > 2. This is because we can apply the recovered m-bonacci numbers with classical shares, to verify its consistency with the m-bonacci numbers carried by entangled states. Furthermore, with the detected values from the entangled photons, we can assess the security of the quantum channel (whether it is free from the adversarial activity or not). In this scheme, we use quantum coding to generate the key for encrypting messages. Moreover, various m-bonacci sequences can be used to encode the final key. That is, m is changeable for the key, which can address the problems of restricted quantum sources in certain settings and the membership change of participants, such as the joining of a new participant or departure of existing participants. Therefore, our scheme is more practical compared the other quantum secret sharing schemes.

Security Analysis
First, using the technique of Simon et al. 31,32,35 , we show that our scheme is secure against insider and outsider attacks (Theorems 1 and 2). Later, we analyze the security of the proposed scheme and show that it is immune against a number of attacks including cloning, impersonation, replay and man-in-the-middle attacks.

Theorem 1 (Insiders attacks).
Given the hybrid ′ +  t m m (( , ), ( 1, )) threshold QSS, and the set of classical shares available for any k < m + 1 insiders (classical participants) is , then scheme is asymptotically perfect with respect to the set of probability distributions P(⋅ ) on the secret space S. That is, for any  > 0, there exists an integer p 0 such that for any , where i 1 is the public information of A k i 1 , A K d can conspire to compute   of Q m i , then scheme is asymptotically perfect with respect to the set of probability distributions P(⋅ ) on the secret space S. That is, for any > 0  , there exists an integer p 0 such that for any p > p 0 with On the other hand, the quantum participants' shares are independent of the classical participants' shares. Moreover, the quantum participants' shares are used for eavesdropping detection rather than key generation. Consequently, outsiders cannot use their quantum shares directly as they do in Cleve et al.'s QSS 14 to obtain the secret. Therefore, outsiders cannot have a better way to get the secret except to assume s′ = s.
Second, as we know, the classical shares are allocated in Shamir's SS 1 , which are uniformly distributed over  p . That is to say, when p → + ∞ , Δ (s; Q k ) → 0. Hence, our proposed hybrid ′ +  t m m (( , ), ( 1, )) threshold QSS is asymptotically perfect with respect to the secret space S. Here, F log n m is the abbreviation of to other quantum participant B i . However, due to the particular encoding used in our scheme, the m-bonacci-value-entangled photon varies and the impersonation attack is easy to be detected. For example, if she detects that the value of entangled photon is 2 from − F n 1 5 , she sends one 3-bonacci-value-entangled photon as the fake state. Obviously, the impersonation attack does not succeed.
Resistance against replay attacks. Our scheme is immune against replay attacks. A replay attack is such an attack that a valid data transmission is maliciously or fraudulently repeated or delayed. Because we use adaptable m-bonacci sequences for preparing m-bonacci-sequence entangled states, the quantum and classical shares change accordingly. Moreover, due to the use of varying m-bonacci numbers to prepare entangled states, Eve cannot know which m-bonacci sequence is really used every time. For example, suppose that for the fourth subkey, 3-bonacci sequences are used, however, 6-bonacci sequences are used for the fifth subkey. As a result, it is impossible to launch an impersonation attack by inserting the used m-bonacci sequences for the subkey. Therefore, our scheme is immune to replay attacks.

Resistance against man-in-the-middle attacks.
A man-in-the-middle attack is an attack, in which Eve intercepts the transmitted entangled photons and replays other entangled photons. We now show that our scheme provides resistance against the man-in-the-middle attacks. First, quantum channels are authenticated; second, for the party who detects a particular m-bonacci number, there is still a m-fold uncertainty about the m-bonacci number other parties detect. Suppose that the eavesdropper Eve, is in possession of an entangled state analyzer for the m-bonacci-value entangled states. If so, she will be able to distinguish − , which is the same as two-state cryptography. In a manner similar to the two-state cryptography, it is also possible to launch a more complex eavesdropping attack using an ancilla, or measuring in an intermediate basis compared to the {0, 1} bases. However, the eavesdropper is still detectable, and the fundamental security remains. Hence, our scheme provides resistance against the man-in-the-middle attacks.

Discussion
Simon et al. 31 used positive and negative OAM pumps to improve information capacity which can only be doubled, and their scheme needs a joint quantum operation. Moreover, with 2-bonacci values used alone, to multiple the information capacity, larger 2-bonacci values should be used, and the available bandwidth becomes more of a challenge. Also, they argued that though lower error rates can be achieved by the use of higher-2-bonacci values (Fibonacci numbers), the transmission distances are shorter. While the longer distances can be achieved by the use of lower-2-bonacci values, the error rates are higher. When only 2-bonacci values are used, it is hard to satisfy the requirements of lower error rates and longer transmission distances. Based on these mentioned problems, we incorporate m-bonacci sequences into both quantum and classical coding, with reverse Huffman-Fibonacci-tree coding, to achieve higher-capacity and lower-bandwidth hybrid threshold adaptable QSS scheme.
The information capacity. Given the above conclusion, proper m-bonacci values can be chosen to achieve the lower error rates and longer distances. Hence, we propose to use Huffman coding tree to encode m-bonacci numbers with the greedy algorithm, which can greatly improve the coding capacity, thus reducing the use of entangled photons. To be exact, for fixed m-bonacci number sets, we use binary representations of m-bonacci numbers based on Fibonacci numbers of order m ≥ 2 (see Equation (11)). Hence, this paper extends Simon et al.'s quantum key distribution protocol presenting a novel feature, where Fibonacci numbers 1, 2, 3, 5, 8, 13, 31, 34 are used. According to the method of reverse Huffman-Fibonacci-tree coding in Eqs (11) and (12) of the following section, each m-bonacci number can then represent a binary string as follows:   Table 1, according to Equations (11) and (12), their binary Fibonacci representations would be as follows: It can be seen from Equation (10), compared with the high-capacity coding in terms with Simon et al.'s protocol, in which they double the information capacity per photon, we multiply the information capacity. In the above example, the average bits per photon is 10.375. If the size of the key is 360,000, we need to prepare about 36,000 rather than 90,000 entangled states, making our scheme more practical. This is because it is difficult and costly to prepare entangled states. Besides the information capacity, Table 2 compares the features of our proposed scheme with those of the secret sharing schemes in refs 1, 14, 24 and 26. The comparison suggests that our secret sharing scheme is more suitable for real-world applications. Distinct from the well-known Shamir's classical secret sharing scheme 1 against secret leakage, our proposed scheme can both detect eavesdropping and protect the secret from leaking. Meanwhile, compared with QSS schemes 14,24,26 , our scheme can achieve the adaptability and flexibility based on the following two facts: 1) the various m-bonacci values are used to adapt to participant mobility; 2) the m-bonacci values are encoded in Lagrange polynominal, and as a result, any t′ quantum participants and any m + 1 classical participants can recover the secret. Due to the no-cloning theorem and its impact on parameters, for QSS schemes 14,24,26,31 , the parameters  and t′ must satisfy the requirement of < ′ −  t 2 1, and once t′ quantum participants are fixed, other quantum participants are unable to participate in the recovery of the secret. However, in our scheme, the parameters  and t′ can be arbitrary, and our scheme is robust when a new participant joins or an existing participant leaves.
Unlike eavesdropping detection in QSS schemes 14,24,26 , due to entangled states prepared by m-bonacci sequences, the detection is possible by any subset that contains at least       m 2 participants. That is to say, none of the number of threshold value quantum participants are required to reach a consensus in order to reveal eavesdropping. Because the method of the Huffman-Fibonacci coding is employed in our scheme, the classical bits denoted by every m-bonacci number are significantly improved, from four bits at most to more than ten bits using a similar experimental setup. Consequently, our scheme can greatly improve the coding capacity, thus reducing the use of entangled photons which are expensive and difficult to prepare. Moreover, to generate the secret, the m-bonacci sequences encoded in Lagrange interpolation polynomials and the Huffman-Fibonacci coding are applied. So, compared with the CSS in ref. 1 where the size of secret shares is the same as that of the secret itself, our scheme allows the former to be of much smaller than the secret itself. To be exact, the smaller m-bonacci sequences such as m = 2, 3, 4, 5, 6 can be used in our proposed scheme, the pump values in Fig. 1 is smaller and the size of classical shares is much smaller since the size of the prime is much smaller than that used in ref. 1  bits.
In conclusion, we combine the Huffman-Fibonacci quantum coding with Lagrange polynomials to achieve threshold adaptable QSS. The key point of our scheme is that it does not suffer from the restriction derived from the quantum no-cloning theorem, because it permits secret sharing for arbitrary values of parameters  and m + 1 provided that ≥ +  m 1. We use the Huffman coding tree to encode the obtained m-bonacci numbers, aiming at improving the coding capacity greatly, and thus incurring a low communication overhead. When compared to the existing QSS schemes, there is an improvement in sharing the secret without joint quantum operations. Meanwhile, our scheme still works when there are dynamic changes in comparison with existing quantum secret sharing, such as the unavailability of some quantum channel, the arrival of new participants and the departure of participants.

Methods
Huffman-Fibonacci coding. Fraenkel  When one uses the following procedure to produce it, the Equation (11) will be unique. Given the integer F n m , find the largest Fibonacci number F r 2 smaller or equal to F n m ; then continue recursively with F F n m r 2 . Therefore, for coding, we explore the properties of Fibonacci representations for variable-length encoding, especially the trade-off between their robustness and their scalability efficiency. To be exact, we use the Huffman coding in ref. 36    So, the available reconstructed − F n m m is used in terms of Eqs (9) and (12), and a sub-key can be obtained. The key can be obtained by concatenating all the sub-keys generated in the same way.   , ···, their corresponding coding is 011101111110, 101110, ··· in terms of Eq. (12). The key can be established with 011101111110 101110 concatenated for secret sharing. In other words, any m + 1 classical participants can share the secret encrypted by the key using the one-time-pad encryption.