Commun. Theor. Phys. (Beijing, China) 51 (2009) pp. 221 226 c Chinese Physical Society and IOP Publishing Ltd Vol. 51, No. 2, February 15, 2009 Multiparty Quantum Secret Sharing Using Quantum Fourier Transform HUANG Da-Zu, 1,2, CHEN Zhi-Gang, 1, and GUO Ying 1, 1 School of Information Science Engineering, Central South University, Changsha 410083, China 2 Department of Information Management, Hunan College of Finance and Economics, Changsha 410205, China (Received March 20, 2008; Revised September 22, 2008) Abstract A (n, n)-threshold scheme of multiparty quantum secret sharing of classical or quantum message is proposed based on the discrete quantum Fourier transform. In our proposed scheme, the secret message, which is encoded by using the forward quantum Fourier transform and decoded by using the reverse, is split and shared in such a way that it can be reconstructed among them only if all the participants work in concert. Furthermore, we also discuss how this protocol must be carefully designed for correcting errors and checking eavesdropping or a dishonest participant. Security analysis shows that our scheme is secure. Also, this scheme has an advantage that it is completely compatible with quantum computation and easier to realize in the distributed quantum secure computation. PACS numbers: 03.67.Dd Key words: quantum secret sharing, quantum Fourier transform, quantum error correction code 1 Introduction Splitting a secret by distributing pieces of message among a group of participants in such a way that only authorized subsets of the participants can reconstruct it is called secret sharing. The basic idea of secret sharing in the simplest case is that a secret is shared between two persons, say Alice and Bob, in such a way that it can only be reconstructed if both collaborate. Solutions for secret sharing, and its generalization and variations, are studied extensively in classical cryptography. [1] In recent years, this concept was generalized to the quantum scenario. The most interesting aspect of exploring quantum physical mechanics is that quantum secret sharing (QSS) protocol allows for the unconditionally secure distribution of the message to the participants. [2] Different from quantum key distribution (QKD), [3,4] quantum secure direct communication (QSDC), [5 9] and other quantum cryptographic protocols, the QSS scheme is a method of encrypting quantum or classical message into a multi-partite entanglement state, which will be distributed among several quantum systems. Thus, the main aim of the QSS is to share an unknown multi-partite quantum state. Since the first Quantum secret sharing scheme was proposed by using three-particle and four-particle Greenberger, Horne, Zeilinger (GHZ) states, [10] it has attracted a great deal of attention in both the theoretical and experimental aspects, and various QSS schemes [2,11 20] were proposed. Quantum Fourier transform (QFT) is a key ingredient in quantum computation. Indeed, almost all known quantum computational algorithms employ the QFT, either explicitly or indirectly. It allows us to solve easily some interesting problems, including the factoring problem, [21] the discrete logarithm, the data search problem, the hidden subgroup problem, and so on. Of course, this transformation has an enormous number of applications in many branches of science. In our paper, we develop the application of QFT in quantum information and communication domain and propose a new (n, n) QSS scheme. The dealer first prepares n-qubit sequences according to the classical value if the shared message is classical. Then each sequence is entangled into a multi-particle state by the dealer using the QFT at the encoding stage, and every particle of the entangled state is distributed to n different sequences for n participants. Finally, the secret message may be restored with the reverse QFT under the cooperation of all participants at the discovery stage. This (n, n) QSS scheme is likely to play important roles in distributed quantum secure computation. This paper is organized as follows. First, in Sec. 2, the multiparty quantum secret sharing protocol is described in detail. Then, in Sec. 3, we discuss the security. Finally, the conclusion is given. 2 Multiparty Quantum Secret Sharing Protocol For simplicity, we first consider a (3, 3) QSS scheme. Suppose the dealer expects to distribute secret message The project supported in part by National Natural Science Foundation of China under Grant Nos. 60573127, 60773012, and 60873082, Natural Science Foundation of Hunan Province under Grant Nos. 07JJ3128 and 2008RS4016, and Scientific Research Fund of Hunan Provincial Education Department under Grant No. 08B011, and Postdoctoral Science Foundation of China under Grant Nos. 20070420184 and 200801341 E-mail: hdz0802@tom.com E-mail: czg@csu.edu.cn E-mail: yingguo@csu.edu.cn
222 HUANG Da-Zu, CHEN Zhi-Gang, and GUO Ying Vol. 51 to three parties (i.e., Alice, Bob and Charlie). They agree on the encoding, decoding and reconciliation procedures before communication. The details of the protocol are as follows. Step 1 Without loss of generality, we consider a two-state quantum system, namely, a qubit is a twodimensional Hilbert space, 0 and 1 are its orthogonal computational basis. For two qubit system, the orthogonal product state in a Hilbert space is as follows. ϕ = C 0 00 + C 1 01 + C 2 10 + C 3 11, (1) where C 0 2 + C 1 2 + C 2 2 + C 3 2 = 1. It is a 4-dimensional Hilbert space. Therefore, an n-qubit system is a superposition state of 2 n different states and constructs a 2 n -dimensional Hilbert space. Provided that the secret message is classical, and a qubit has a chosen computational basis 0 and 1 corresponding to the classical bit values 0 and 1. A collection of 3m qubits, which represents 3m classical bits, are divided into m groups in order, and each group is saved in a register of 3 qubits called P A, P B, and P C, where the subscripts A, B, and C denote Alice, Bob, and Charlie, respectively. Thus, for example,number 469 represented by a register in the state 1 1 1 0 1 0 1 0 1, which is 111010101 in binary form, is divided into 3 groups, i.e., 1 PA1 0 PB1 1 PC1, 0 PA2 1 PB2 0 PC2, 1 PA3 1 PB3 1 PC3, where the subscripts P Ai, P Bi, P Ci denote the i-th qubit of Alice, Bob, and Charlie, respectively. Fig. 1 Quantum circuit structure for the discrete Fourier transform on each register of size 3. At the end is a SWAP gate. Step 2 The dealer performs the discrete QFT on each register of size 3. Following the prescription from Ref. [22], we can describe the action of the QFT on 3-qubit system in a useful product representation, U F 3 j A j B j C ϕ = 1 2 3/2 ( 0 + ei2π0 j C 1 ) ( 0 + e i2π0 j Bj C 1 )( 0 + e i2π0 j Aj B j C 1 ), (2) where 0 j C = j C /2, 0 j B j C = j B /2 + j C /4, and 0 j A j B j C = j A /2 + j B /4 + j C /8 denote the binary fractions. Based on this representation, an efficient quantum circuit is given in Fig. 1. This circuit utilizes Hadamard gates H j, B jk gates, and a SWAP gate. A one-bit unitary gate H j or Hadamard gate operates on the j-th qubit, H j = 1 2 ( 1 1 1 1 ). (3) A two-bit phase gate operates on the j-th and k-th qubits. B jk, which is a conditional phase-shift matrix between qubits j and k, is defined as namely, B jk = diag [1, 1, 1, e iπ/2k j ]. (4) 00 00, 01 01, 10 10, 11 e iπ/2k j 11. (5) To implement the QFT on 3 qubits, this series of gates H 1 B 1.2 B 1.3 H 2 B 2.3 H 3 must be performed, j is indexed from 1 to 3. Fig. 2 The arranged particle sequences. The dealer generates a tri-particle entanglement state expressed as Eq. (2) after the QFT on the register of size 3, and distributes the three particles (P A, P B, and P C ) into three different sequences, i.e., S A, S B, and S C, respectively. The dealer performs the same operation on all other registers of 3 qubits in order. After these operations the encoded 3m particles are stored respectively in three different sequences S A, S B, and S C. The arranged sequences are shown in Fig. 2. We note that three particles in each row are entangled, but all particles in each sequence are independent. Thus,
No. 2 Multiparty Quantum Secret Sharing Using Quantum Fourier Transform 223 the secret message is split into three parts and carried by three different sequences. Furthermore, in order to guarantee further security the dealer rearranges the order of each sequence. Step 3 The noise and loss of the quantum channel are inevitable in an actual quantum system, and quantum state may be changed in the transmission even if there are not any eavesdroppers. Thus, quantum error correction code (QECC) techniques [23,24] are adopted to encode sequences S A, S B, and S C into new sequences S A, S B, and S C, respectively. Step 4 For checking eavesdropping or a dishonest participant, after the dealer prepares randomly a sufficiently large number of decoy photons which are in one of the four states { 0, 1, +x, x }, he randomly inserts them into the sequences S A, S B, and S C to form new sequences S A, S B, and S C. Their positions and states are known to the dealer, but they are secret to other persons. Step 5 The dealer sends the sequences S A and S B to Alice and Bob, respectively. After verifying the receipt of all photons, the dealer tells Alice and Bob the positions and corresponding states of decoy photons. They measure the decoy photons in corresponding X basis or Z basis and analyze the measurement results with the dealer, respectively. If the error rate is lower than expected, the dealer exposes the secret order of the Alice sequence S A and Bob sequence S B, and then Alice and Bob decode the sequences S A and S B using the corresponding QECC techniques and rearrange the order to obtain the original state sequences S A and S B. Otherwise, they terminate their communication and start again from the beginning. Step 6 The dealer sends the sequence S C to Charlie. The basic operation procedure is similar to Step 5. Finally, Alice, Bob and Charlie obtain the sequences S A, S B, and S C, respectively, and hold shares of the secret message. Step 7 Someday, cooperation of Alice, Bob and Charlie may restore the secret message by making use of the reverse QFT on 3 qubits from the corresponding sequences S A, S B, and S C in order. The action of the reverse QFT can be described in the following representation, ( U F 1 1 ( 3 0 + e i2π0 j C 1 )( 0 + e i2π0 j Bj C 1 )( 0 + e i2π0 j Aj B j C 1 )) j 2 3/2 A j B j C. (6) A quantum circuit is given in Fig. 3. They work in concert and recover the original states of 3m qubits. Thus, they achieve the shared secret message by measuring them in the Z basis. Fig. 3 Quantum circuit structure for the reverse quantum Fourier transform on each register of size 3. At the end is a SWAP gate. Fig. 4 Quantum circuit structure for the reverse quantum Fourier transform on each register of size 3. At the end is a SWAP gate. So far we have presented a tri-party QSS scheme. This scheme can be generalized easily to a (n, n) QSS scheme. Similar to the proposed three-party QSS scheme, the dealer performs the discrete QFT on each register of size n. We let N = 2 n, and the basis 0,..., N 1 be the computational basis for n qubits. Each j is expressed in its binary representation j = j 1 j 2 j n, namely j = 2 n 1 j 1 + 2 n 2 j 2 + + 2 0 j n. We use the notation 0 j k j k+1 j n to represent the binary fraction j k /2 + j k+1 /4 + + j n /2 n k+1. We can describe the action of the QFT in a useful
224 HUANG Da-Zu, CHEN Zhi-Gang, and GUO Ying Vol. 51 product representation, U F n j 1 j n 1 2 n/2 ( 0 + e i2π0 j n 1 )( 0 + e i2π0 j n 1j n 1 ) ( 0 + e i2π0 j 1 j n 1j n 1 ), (7) where 0 j n = j n /2, 0 j n 1 j n = j n 1 /2 + j n /4,, 0 j 1 j n = j 1 /2+j 2 /4+ +j n /2 n. Based on this representation, an actual quantum circuit is given in Fig. 4. This circuit also utilizes Hadamard gates H j, B jk gates, and SWAP gates. n one-qubit operations and n(n 1)/2 two-qubit operations are necessary to implement the QFT of n qubits, in total n(n + 1)/2 elementary operations. The QFT can be implemented efficiently, and recently some practical implementations [25,26] were proposed. Other operations are completely similar to those in the above three-party QSS scheme. 3 Security Analysis In our proposed scheme, the secret message to be shared is deterministic information, and more advanced security is required for protecting it against Eve s eavesdropping and dishonest participants. The security of this scheme is considered identical to the previous systems using three particle GHZ states or other entanglement source, on the basis of the assumption that classical channels may be eavesdropped, but cannot be modified. In the following we will analyze the security of the proposed scheme. 3.1 Security Against Intercept-and-Resend Attack The decoy photons are produced by choosing randomly one of the two bases Z and X, and are inserted into the traveling sequence randomly. Suppose Eve can take the intercept-and-resend attack. To acquire the secret message, in Step 5 when the dealer sends the sequences S A and S B to Alice and Bob, Eve would capture the sequences S A and S B and replace them with her own particles prepared in advance. Eve does not know the states of the traveling sequences sent by the dealer and cannot resend a perfect copy of the original signals she intercepts according to the properties of quantum physics such as Heisenberg uncertainty principle and quantum no-cloning principle. We let the number of decoy photons in each traveling sequence S be b, in which the number of the decoy photons with the basis X is b/2, the length of the photon sequence S is a, and hence the total length of the sequence S is a + b. Thus, the probability with which Eve s presence is not detected is P e = (b/4)4 Pa+b b 1 ( 1 ) 4 = (a + b)(a + b 1) (a b + 1) 4 b, (8) and hence the probability of detecting Eve is 1 ( 1 ) 4 1 P e = 1 (a + b)(a + b 1) (a b + 1) 4 b. (9) Thus, for example, let b = 20, a = 100, the probability with which Eve s presence is detected is 1 1 (120)(119) (81) (54 ) 1. (10) Consequently, Eve s eavesdropping will inevitably disturb the states of the decoy photons and be detected from the higher error rate. As soon as they find that Eve is online they terminate the communicating process. Of course, when the dealer announces the position of decoy photons in a public channel Eve can obtain the sequences S A and S B. Then, she can acquire the sequences S A and S B under the assumption that Eve knows the used QECC techniques. However, it is impossible for Eve to know their order because the dealer disordered each sequence randomly in step 2. As a result, even if Eve captures the sequences S C in next communication she cannot perform correctly the reverse QFT and reconstruct the original quantum states. 3.2 Security Against Dishonest Participants Cheating Assuming that Eve, who may be a collaborator of dishonest Bob, follows a complicated strategy by entangling her ancilla system with the states of the receivers in the general form, Ξ abce = i,j,k i a j b k c η ijk, i, j, k = 0, 1, (11) where η ijk is un-normalized states of Eve. Eve wants to make this entanglement so that some useful information about the secret message can be collected in her ancilla system at the end of each sending. Eve is clever enough to entangle her state such that she does not perturb the values of the final qubits measured by every receiver when the scheme is run. She may obtain the ideal form of entanglement denoted by Ξ abce = α 1 000 η 000 + α 2 001 η 001 + α 3 010 η 010 + α 4 011 η 011 + α 5 101 η 101 + α 6 100 η 100 + α 7 110 η 110 + α 8 111 η 111, (12) where the subscripts a, b, and c on the states of the receivers have been omitted. If Eve keeps any other states in Eq. (12), say one of the states in the set { 000 η 000, 001 η 001, 010 η 010, 011 η 011, 101 η 101, 100 η 100, 110 η 110, 111 η 111 }, she will be detected by the participants and the dealer. One may argue that Eve may not want to completely avoid any error introduced into the distributed state sequence and she can entangle her system to the state φ
No. 2 Multiparty Quantum Secret Sharing Using Quantum Fourier Transform 225 in order to reduce the error rate as low as possible, lower than the expected level to escape the detection. Next, we will show that even if we allow Eve a small error rate, she cannot find any form of entanglement of her system to the state φ to achieve the secret message. Suppose that Eve entangles her system to the state φ in the general form 7 ( Ξ abce = α i η α i + β i η β i ), (13) i=0 where for simplicity we have used binary notation for i. After performing CNOT gate C bc, Eve obtains C bc Ξ abce = ( α i η α i + β i η β i ) i=0,1,4,5 + i=2,3,6,7 ( α i η α i+( 1) i +β i η β i+( 1) i ).(14) In order to reduce the probability of unwanted qubits introduced into the distributed states below a tolerable threshold, she should choose the proper states { η i : 0 i 7} such that α 2( η α 2 η α 2 + η α 5 η α 5 ) + β 2( η β 3 ηβ 3 + ηβ 4 ηβ 4 ) 1 ε. (15) Thus, the probability of Eve obtaining the correct qubits can be calculated as P c = α 2( η α 2 ηα 2 + ηα 5 ηα 5 ) + β 2( η β 3 ηβ 3 + ηβ 4 ηβ 4 ). (16) In this condition, the mutual information of Eve and the secret message can be calculated as P(E, φ m ) = 1 H(P c ), (17) where H(x) is the Shannon binary entropy, i.e., H(x) = x log x (1 x) log(1 x). To obtain the maximum information on the secret message, the tolerable threshold ε should be equal to 1/2. Thus, the probability of detecting Eve is P d = 1/2, which may be large enough for Eve to be detected by the participants in the detecting procedure 4 Security Against the Collective Attacking of n 1 Participants The discrete QFT, which is used for encoding and decoding the qubits sequence among legal communicators on the basis of the feature that the input states of the reverse QFT must be identical to the output states of the sender s QFT, plays a key role to prevent from the collective attacking of n 1 participants. The original qubits sequence cannot be reconstructed even if only one qubit is error. The input states of the reverse QFT may not be identical to the output states of the sender s QFT if one party is absent. Thus, the original qubits sequence cannot be recovered correctly through the reverse QFT because of lack of a group of available qubit sequence. Therefore, no subset is efficient to read the secret message. However, it is impossible for Bob to restore the original states with the reverse QFT in view of the noise and loss of the quantum channel. In order to make sure that this protocol is feasible the corresponding QECC techniques are adopted after the forward QFT and before the reverse QFT. Thus, before the reverse QFT is performed, Alice, Bob and Charlie first apply the QECC techniques to correct completely error qubits in the transmission. In this way they can recover the original qubits successfully. Of course, if quantum channel is disturbed seriously, in step 5 the error rate must be higher than expected, they would terminate their communication. 5 Conclusion Here we have proposed a multiparty quantum secret sharing scheme by using the quantum Fourier transform. A secret message is split and shared in such a way that the secret message can be recovered among n participants, all of whom must participate the reverse QFT in concert. In the meantime, taking into account of attacker s eavesdropping, the dishonest participants and the noise and loss of the channel, three measures are taken, i.e., before the QFT, each sequence is disordered to prevent the secret message from being leaked out; random decoy photons are used for the eavesdropping and cheating detections; and the QECC technique is employed for correcting errors on the transmitted state in a low noisy channel to ensure that the input of the reverse QFT is identical to the output of the forward. Security analysis shows that our scheme is secure against the eavesdropper s eavesdropping and dishonest participants. Moreover, our scheme is easier to realize in actual quantum distribution computation because of its complete compatibility with quantum computation. As has been demonstrated in our proposed scheme, the QFT, which is used extensively in quantum computation, plays an important role in maintaining security. Therefore, there may be many possible applications in the processing of other quantum information as well. References [1] B. Schneier, Applied Cryptography, John Wiley Sons, New York (1996). [2] M. Hillery, V. Buzek, and A. Berthiaume. Phys. Rev. A 59 (1999) 1829. [3] A. Karlsson, M. Koashi, and N. Imoto, Phys. Rev. A 59 (1999) 162. [4] R. Cleve, D. Gottesman, and H.K. Lo, Phys. Rev. Lett. 83 (1999) 648.
226 HUANG Da-Zu, CHEN Zhi-Gang, and GUO Ying Vol. 51 [5] F.G. Deng, G.L. Long, and X.S. Liu, Phys. Rev. A 68 (2003) 042317. [6] F.G. Deng and G.L. Long, Phys. Rev. A 69 (2004) 052319. [7] G.L. Long, F.G. Deng, C. Wang, et al., Front. Phys. China 2(3) (2007) 251. [8] D.Z. Huang, Z.G. Chen, Y. Guo, et al., J. Phys. Soc. Jpn. 76 (2007) 124001. [9] C.Y. Li, X.H. Li, F.G. Deng, and H.Y. Zhou, Chin. Phys. Soc. 17 (2008) 2352 (in Chinese). [10] A.C.A. Nascimento, J.M. Quade, and H. Imai, Phys. Rev. A 64 (2001) 042311. [11] S. Bagherinezhad and V. Karimipour, Phys. Rev. A 67 (2003) 044302. [12] L. Xiao, G.L. Long, F.G. Deng, and J.W. Pan, Phys. Rev. A 69 (2004) 052307. [13] Y.A. Chen, A.N. Zhang, Z. Zhao, et al., Phys. Rev. Lett. 95 (2005) 200502. [14] F.G. Deng, X.H. Li, C.Y. Li, et al., Phys. Rev. A 72 (2005) 044301. [15] F.Z. Guo, F. Gao, Q.Y. Wen, and F.C. Zhu. Acta Electron ICA Sin. ICA 34 (2006) 883 (in Chinese). [16] Y.G. Yang, Q.Y. Wen, and F.C. Zhu, Acta Phys. Sin. 55 (2006) 3255 (in Chinese). [17] C.-H.F. Fung, B. Qi, K. Tamaki, and H.-K. Lo, Phys. Rev. A 75 (2007) 032314. [18] J. Wang, Q. Zhang, and C.J. Tang, Commun. Theor. Phys. 47 (2007) 454. [19] Y. Guo, D.Z. Huang, G.H. Zeng, et al. Chin. Phys. Lett. 25 (2008) 16. [20] Y. Sun, J.Z. Du, S.J. Qin, Q.Y. Wen, and F.C. Zhu, Chin. Phys. Soc. 57 (2008) 4689. [21] P.W. Shor, Algorithms for Quantum Computation: Discrete Logarithms and Factoring, in Proc. of 35th Annual Symposium on Foundations of Computer Science, IEEE Computer Society Press, California (1994) p. 124. [22] M.A. Nielsen and I.L. Chuang, Quantum Computation and Quantum Information, Cambridge University Press, Cambridge, U.K. (2000). [23] D. Poulin, Phys. Rev. A 95 (2005) 230504. [24] D.Z. Huang, Z.G. Chen, and Y. Guo, International Conference on Advanced Intelligent Computing Technology and Application-ICIC 2007, Qingdao, China, 2007, LNCS4681, pp. 18 24. [25] M.O. Scully and M.S. Zubairy, Phys. Rev. A 65 (2002) 052324. [26] Y.S. Weinstein, M.A. Pravia, and E.M. Fortunato, Phys. Rev. Lett. 86 (2001) 1889.