Cryptanalysis and improvement of efficient multiparty quantum secret sharing based on a novel structure and single qubits

In the paper (EPJ Quant. Technol. 10:29, 2023), Kuo et al. proposed a multiparty quantum secret sharing protocol based on a novel structure and single qubits. Owing to the absence of an entanglement state, the proposed protocol is more practical than other quantum secret sharing protocols which use entanglement properties. Therefore, we study the security of the proposed protocol and find there exists a security loophole in the n-party (\(n\geq 4\)) secret sharing case in it, that is, two dishonest agents can collude to obtain (part of) Alice’s secret without the help of the other agents. In order to overcome the security loophole, we give an improved protocol and make a security analysis for it. By calculating, the qubit efficiency of the three-party case in it is equal to \(\frac{1}{8}\), which is higher than that in Hillery et al.’s protocol (Phys. Rev. A 59:1829, 1999).

Cryptography always plays a significant role in human society. Since ancient times, people have relied on cryptography, the art of writing and solving coded messages, to keep their secrets secure. Thus far, many branches of cryptography have been developed. Secret sharing (SS), which was independently proposed by Shamir [3] and Blakley [4] in 1979, is one of the branches. In SS, the secret of a dealer is splitted into several pieces, and each agent holds a piece, and no subset of agents is sufficient to recover the secret, but the entire set is. Twenty years later, by generalizing SS into quantum scenario, Hillery et al. [2] proposed the first quantum secret sharing (QSS) protocol using three-particle and four-particle GHZ states of qubits, namely the HBB99 protocol. In fact, the major difference between SS and QSS is what the respective securities rely on. The former’s security relies on the high complexity of the underlying mathematical problems, for instance the factorization of large numbers, and so on. And the latter’s relies on the fundamental theories in quantum mechanics, for instance the Heisenberg uncertainty principle, the quantum no-cloning theorem, and so on. Another difference between them is the number of actions carried out. SS can only carry out the action of sharing secrets, but not that of checking eavesdropping, while QSS can carry out the two actions simultaneously. Obviously, compared to SS, QSS demonstrates higher security, or say, QSS can ensure the unconditional security of the protocol, but SS can’t. According to the definition of SS, we know there are at least two agents in QSS, moreover, there must exist a collaboration between the two agents in recovering the secret of a dealer. In order to prevent the collaboration from dishonestly happening, the attack performed by one agent, that is, the internal attack, needs to be considered during analyzing the security of the protocol.

After the HBB99 protocol was proposed, QSS has received widespread attention and plenty of other protocols [1, 5–65] have been proposed in succession. For instance, in 2003, Bagherinezhad and Karimipour [5] utilized reusable GHZ states as secure carriers to propose a QSS protocol. In 2006, Deng et al. [9] proposed a circular QSS protocol, in which the quantum information carrier, single photons or entangled particles, can circularly run. In 2009, Gu et al. [14] proposed a high-capacity three-party QSS protocol with quantum superdense coding, in which almost all Einstein-Podolsky-Rosen pairs can be used for carrying useful information. In 2012, Tsai et al. [22] proposed a multiparty QSS protocol based on two special entangled states, in which an agent can obtain a shadow of the secret key by simply performing a measurement of single photon without requiring to generate any photon or do any local unitary operation. In 2017, Song et al. [28] proposed a \((t, n)\) threshold d-level QSS protocol, in which the d-level secret can be reconstructed only if at least t shares are collected. In 2022, Ju et al. [32] proposed a measurement-device-independent QSS protocol, in which the polarization-spatial-mode hyper-encoding technology is used in order to increase single photon’s channel capacity, and so on. By the way, two kinds of special QSS have received much attention recently. One is dynamic quantum secret sharing (DQSS) [33–47], in which agents can be added or deleted as well as the secret or sub-secrets (the messages held by agents) can be updated. The other is semi-quantum secret sharing (SQSS) [48–65], in which only the dealer is quantum and all agents are classical.

In 2023, Kuo et al. [1] proposed a multiparty QSS protocol based on a novel structure and single qubits. For simplicity, we will call this protocol the KTYC protocol later. It is interesting that the KTYC protocol can ensure the independence of each agent and grant them equal privileges. However, it is somewhat a pity that there exists a security loophole in the n-party (\(n\geq 4\)) secret sharing case in the KTYC protocol, that is, two dishonest agents can collude to obtain (part of) Alice’s secret messages without the help of the other agents.

A brief description of the n-party (\(n\geq 4\)) case in the KTYC protocol [1] is given as follows:

(1) Each agent prepares a sequence composed of \(\frac{S}{N}\) qubits. Here, S and N (\(N=n-1\)) represent the length of the secret and the number of agents, respectively, and each qubit is randomly in one of the four states: \(|0\rangle ,|1\rangle ,|+\rangle = \frac{|0\rangle +|1\rangle}{\sqrt{2}}\) and \(|-\rangle =\frac{|0\rangle -|1\rangle}{\sqrt{2}}\). For convenience, \(\{|0\rangle ,|1\rangle \}\) and \(\{|+\rangle ,|-\rangle \}\) are refereed to as the Z and X basis, respectively. Noted that, the prepared sequences must contain decoy qubits for channel checking.

(2) Alice selects out some qubits from the sequence of each agent as decoy qubits to check the security of channels.

(3) After the check, Alice joins these sequences together, that is, she holds one long sequence now. Next, Alice rearranges the order of qubits in the long sequence. Then, she encodes her secret into the sequence by using \(I=|0\rangle \langle 0|+|1\rangle \langle 1|\) and \(Y=|0\rangle \langle 1|-|1\rangle \langle 0|\) gates according to her message “0” and “1”, respectively, and divides the long sequence back into N short sequences. Alice inserts decoy qubits into the short sequences and sends them back to all agents.

(4) After receiving the short sequence, each agent checks the security of the channel by the inserted decoy qubits. After confirming all channels are safe, Alice publishes the order of the qubits.

(5) All agents have to cooperate to recover the secret by exchanging the information on original quantum states.

In order that the security loophole can be clearly shown later, the simplest four-party case in the KTYC protocol is described as follows:

(1′) Bob, Charlie and Dave are agents and prepare the short sequences \(S_{B}\) (composed of \(B_{1}\) and \(B_{d}\)), \(S_{C}\) (composed of \(C_{1}\) and \(C_{d}\)) and \(S_{D}\) (composed of \(D_{1}\) and \(D_{d}\)), respectively. Here, \(B_{1}\), \(C_{1}\) and \(D_{1}\) stand for three qubits to carry information and \(B_{d}\), \(C_{d}\) and \(D_{d}\) stand for decoy qubits. Then they send their sequences to Alice.

(2′) Suppose that Alice chooses \(B_{d}\), \(C_{d}\) and \(D_{d}\) to check the security of channels. After the check, she drops those qubits.

(3′) Alice combines the three short sequences to be a long sequence \(S_{L}\), which is denoted with [\(B_{1}\), \(C_{1}\), \(D_{1}\)]. Assume that \(S_{L}\) becomes [\(D_{1}\), \(B_{1}\), \(C_{1}\)] after Alice rearranges the order. According to the secret messages, Alice performs I, Y, and Y gates on qubits \(B_{1}\), \(C_{1}\) and \(D_{1}\), respectively. Then she divides [\(D_{1}\), \(B_{1}\), \(C_{1}\)] back into three short sequences and inserts decoy qubits into them. Last, Alice sends sequences \(S'_{B}\) (composed of \(D_{1}\) and \(B'_{d}\)), \(S'_{C}\) (composed of \(B_{1}\) and \(C'_{d}\)) and \(S'_{D}\) (composed of \(C_{1}\) and \(D'_{d}\)) to Bob, Charlie and Dave, respectively.

(4′) Bob, Charlie and Dave check the channels with Alice through the decoy qubits \(B'_{d}\), \(C'_{d}\) and \(D'_{d}\). After the check, the decoy qubits are discarded. At this moment, Bob, Charlie and Dave hold only \(D_{1}\), \(B_{1}\) and \(C_{1}\), respectively. Then Alice publishes the order of the encoding qubits.

(5′) Each agent must cooperate to extract the secret by exchanging their bases and secret from Alice.

In this section, we will propose a attack on the simplest four-party case. It is seen that, in step (4′), Bob holds qubit \(D_{1}\) which part of Alice’s secret has been encoded on. But, he can’t extract the part alone since he can’t select the correct basis to measure qubit \(D_{1}\). Also it is seen that qubit \(D_{1}\) is prepared by Dave in step (1′). Thus, he knows the basis which qubit \(D_{1}\) can be correctly measured in. Notice that, Bob doesn’t know that the qubit in his hand is qubit \(D_{1}\) until Alice publishes the order of the encoding qubits. As soon as the order is published, Bob only collaborates with Dave and they can easily extract the secret message encoded on qubit \(D_{1}\). In other words, Bob and Dave can collude to extract the secret message without the help of Charlie. Similarly, Charlie (Dave) and Bob (Charlie) can collude to extract the secret message encoded on qubit \(B_{1}\) (\(C_{1}\)) without the help of Dave (Bob). By the way, if the amount of secret message shared by Alice is 1 bit, one single qubit will be only needed. Let’s assume that the needed qubit is qubit \(B_{1}\), which will mean that, without the help of Dave, Bob and Charlie can collaborate to extract the one-bit secret message, that is, all secret messages of Alice. In the case, it isn’t known how Dave participates in sharing the one-bit secret message, either.

In the following, we will discuss how to improve the KTYC protocol so that it can stand against the above proposed attack. Of curse, we try our best to retain the features of original protocol. The detailed improvement is as follows.

(1″) Each of Bob, Charlie and Dave prepares a sequence composed of single qubits, where each qubit is randomly in one of the four states: \(|0\rangle \), \(|1\rangle \), \(|+\rangle \) and \(|-\rangle \). Then they send their sequences to Alice.

(2″) After receiving the sequences, Alice randomly selects out some qubits from every sequence, which act as decoy qubits, and publishes the positions of the selected qubits, and then requires Bob, Charlie and Dave to publish the states of the selected qubits. So she can use the appropriate basis to measure every selected qubit. By comparing the measurement outcomes and the published states, Alice can analyze the error rate of every sequence transmission. If the error rate goes beyond a certain threshold, the process is aborted. Otherwise, the process goes on.

(3″) Alice discards the selected qubits. At this moment, for convenience, Bob’s, Charlie’s and Dave’s sequences are denoted with [\(B_{1},B_{2},\ldots,B_{m}\)], [\(C_{1},C_{2},\ldots,C_{m}\)] and [\(D_{1},D_{2},\ldots, D_{m}\)], respectively. Next, Alice encodes her secret by performing I or Y gate on each of \(B_{i}\), \(C_{i}\) and \(D_{i}\). All participants agree that I and Y are encoded into “0” and “1”, respectively. If the secret is “0” (“1”), the gates she can perform are three I gates or one I and two Y gates (three Y gates or one Y and two I gates). Then Alice inserts decoy qubits, which each is randomly in one of the four states: \(|0\rangle \), \(|1\rangle \), \(|+\rangle \) and \(|-\rangle \), into the three sequences and sends them back to Bob, Charlie and Dave.

(4″) After confirming that the sequences have been received, Alice publishes the positions and states of the decoy qubits. So Bob, Charlie and Dave can use the appropriate basis to measure every decoy qubit. By comparing the measurement outcomes and the published states, they can analyze the error rate of the sequence transmission. If the error rate goes beyond a certain threshold, the process is aborted. Otherwise, the process goes on.

(5″) Discarding decoy qubits, Bob, Charlie and Dave use the appropriate basis to measure the qubits in the same positions in their respective sequence, and can infer the gates performed by Alice. If they want to extract Alice’s secret, they must collaborate honestly.

In this section, we will analyze the security and efficiency of the improved protocol.

5.1 Security analysis

In general, in the QSS protocol, internal attackers, that is, dishonest agents, are more powerful than external attackers because they know more information about the secret. Thus, we will focus on the security of the improved protocol for dishonest agents below. In essence, the security of the improved protocol is based on the public discussion on some single qubits (decoy qubits). Next, we will analyze the intercept-resend attack and entanglement-measure attack against the improved protocol.

(i) The improved protocol stands against the intercept-resend attack

Assume that both Bob and Charlie in the improved protocol are dishonest agents. In order to obtain Alice’s secret messages without the help of Dave, they can try to launch the intercept-resend attack as follows: in step (1″), when Dave’s sequence is traveling from Dave to Alice, they intercept it and immediately measure each qubit in it in the Z basis or X basis. According to the measurement outcomes, they prepare a false sequence which is as long as Dave’s sequence and send it to Alice. Since they don’t know which state each qubit is in, the probability of guessing right is \(\frac{3}{4}\) (the same as in the BB84 protocol [66]). Assume that, the number of the qubits that Alice selects to check eavesdropping is l. As a result, the probability that the false sequence isn’t discovered is \((\frac{3}{4})^{l}\). While l is large enough, \((\frac{3}{4})^{l}\) is very small. Therefore, the improved protocol can stand against the intercept-resend attack launched by Bob and Charlie.

(ii) The improved protocol stands against entangle-measure attack

As the improved protocol only uses decoy qubits to check eavesdropping, we only consider the effect on decoy qubits for entangle-measure attacks. Similarly, assume that Bob and Charlie are internal attackers. They can try to launch the entangle-measure attack as follows: in advance, they prepare some auxiliary qubits which each is in \(|\xi \rangle \). When Dave’s sequence is traveling from Dave to Alice, they entangle the qubits in it with the auxiliary qubits by performing a unitary operation \(U_{E}\). After \(U_{E}\) is performed, the following relations should be established:

here, \(\| a \| ^{2}+\| b \| ^{2}=1\) and \(\| c \| ^{2}+\| d \| ^{2}=1\), and \(|\xi _{00}\rangle \), \(|\xi _{01}\rangle \), \(|\xi _{10}\rangle \) and \(|\xi _{11}\rangle \) represent four states probed by Bob and Charlie. If they want to introduce no error in the eavesdropping check by Alice, \(U_{E}\) must satisfy the following conditions:

From equations (3)–(6), we can obtain as follows:

here, 0 denotes a null vector. Therefore, we can conclude that, only when the auxiliary qubit and decoy qubit are in the product state, Bob and Charlie will introduce no error in the eavesdropping check. This means which the improved protocol can stand against the entangle-measure attack.

5.2 Efficiency analysis

There exist two rounds of eavesdropping check in the improved protocol, and decoy qubits are used in each round. In the first round, some qubits are selected from the sequences of agents as decoy qubits. In the second round, decoy qubits are prepared by Alice, in fact, they can be also selected from the sequences of agents. Assume that, in each round, half of the transmitted states are used for the check. Next, let us calculate the qubit efficiency of the improved protocol according to \(\eta _{q}=\eta _{u}/\eta _{t}\), where \(\eta _{q}\) stands for the efficiency, \(\eta _{u}\) is the number of bits shared and \(\eta _{t}\) is the total number of qubits. By analyzing, \((n-1)\) qubits carry one-bit classical information in the improved protocol. Furthermore, half qubits in the sequences of agents are discarded in the first round, and half the remaining qubits are discarded again in the second round. Therefore, the qubit efficiency of the improved protocol \(\eta _{q}=\frac{1}{4(n-1)}\). If the improved protocol is three-party QSS protocol, its \(\eta _{q}\) will be equal to \(\frac{1}{8}\). By calculating, we can also obtain that \(\eta _{q}\) of the three-party HBB99 protocol is equal to \(\frac{1}{12}\). Obviously, in the three-party case, the qubit efficiency of the improved protocol is higher than that of the HBB99 protocol.

In conclusion, we have pointed out there exists a security loophole in the KTYC protocol, that is, two dishonest agents can collude to obtain (part of) Alice’s secret without the help of the other agents. In addition, it is worth emphasizing that our attack on the KTYC protocol doesn’t require the dishonest agents to perform any intercepting, entangling, measuring or resending operation, but requires that two special agents can only collude to steal special secret. Here, the “special” means that Bob and Dave can’t steal Alice’s secret messages encoded on qubits \(B_{1}\) and \(C_{1}\), and can only steal that on qubit \(D_{1}\). So to speak, the security loophole can be pointed out by us since there exists a design flaw in the KTYC protocol itself, that is, part agents can’t actively participate in sharing the secret in their protocol. In the end, we give a feasible improvement of the KTYC protocol, which can stand against the attack proposed by us. By the way, in the improved protocol, the agents needn’t perform any quantum gate operation, which is similar to the HBB99 protocol.

No datasets were generated or analysed during the current study.

QKD:

Quantum Key Distribution

QSDC:

Quantum Secure Direct Communication

QSS:

Quantum Secret Sharing

KTYC:

S-Y Kuo K-C Tseng C-C Yang and Y-H Chou

I thank my parents for their encouragements.

This work is supported by the Program for Academic Leader Reserve Candidates in Tongling University under Grant No. 2020tlxyxs43, the Talent Scientific Research Fundation of Tongling University under grant No. 2015tlxyrc01 and the 2014-year Program for Excellent Youth Talents in University of Anhui Province.

Authors and Affiliations

1. Department of Electrical Engineering, Tongling University, Tongling, 244061, China

   Gan Gao

2. AnHui Engineering Research Center of Intelligent Manufacturing of Copper-Based Materials, Tongling University, Tongling, 244061, China

   Gan Gao

3. Anhui Joint Key Laboratory of Critical Technologies for High-End Copper-Based New Materials, Tongling University, Tongling, 244061, China

   Gan Gao

Contributions

Gan Gao is the sole author of this manuscript.

Corresponding author

Correspondence to Gan Gao.

Ethics approval and consent to participate

Not applicable.

Consent for publication

Not applicable.

Competing interests

The authors declare no competing interests.

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions