A Kind of (t, n) Threshold Quantum Secret Sharing with Identity Authentication

Quantum secret sharing (QSS) is an important branch of quantum cryptography. Identity authentication is a significant means to achieve information protection, which can effectively confirm the identity information of both communication parties. Due to the importance of information security, more and more communications require identity authentication. We propose a d-level (t, n) threshold QSS scheme in which both sides of the communication use mutually unbiased bases for mutual identity authentication. In the secret recovery phase, the share that each participant holds is neither disclosed nor transmitted. Therefore, external eavesdroppers will not get any information about the secret in this phase. This protocol is more secure, effective, and practical. Security analysis shows that this scheme can effectively resist intercept–resend attacks, entangle–measure attacks, collusion attacks, and forgery attacks.


Introduction
Secret sharing is an important research field in cryptography. It has important applications in many aspects, such as network communication, signature checking, and identity verification. In 1979, Shamir [1] proposed the first secret-sharing protocol based on Lagrange interpolation formula. With the rapid development of quantum technology, quantum secret sharing (QSS) has also made great progress. In 1999, Hillery et al. [2] proposed the first QSS protocol using the Greenberger-Horne-Zeilinger (GHZ) state. Since then, more and more relatively complete QSS protocols [3][4][5][6][7][8][9][10][11][12][13][14][15][16][17] have been proposed by scholars. Like the (n, n) threshold QSS protocol [3][4][5], the secret is divided into n parts. Only n participants can cooperate to recover the secret. However, due to practical needs and consideration of flexibility, some (t, n) threshold QSS protocols [6][7][8][9][10][11][12][13][14][15][16][17] have received great attention. The secret is also divided into n parts, but t participants can recover the secret and fewer than t participants cannot recover the secret. In addition, to detect the existence of external attackers and check the integrity of internal participants, some verifiable QSS protocols [11][12][13][14][15][16][17] have been proposed. They mainly include message authentication (verify the correctness of the message) and identity authentication (verify the correctness of identity). Identity authentication is a systematic process to verify the identity of legitimate users, components and devices. Therefore, it is the security guarantee of various encryption tasks. In the identity authentication scheme, the sender registers the secret information as his identity information in the receiver's database before communication. Afterwards, the sender proves the secret identification information to the receiver, that is, his identity information. 
The receiver can prove that the sender is a legitimate user before establishing the communication channel by using an authentication scheme, so he avoids the occurrence of an illegal sender. In quantum cryptography, quantum secret sharing [15][16][17], quantum key distribution [18][19][20][21], quantum secure direct communication [22,23], etc., all require identity authentication. In real life, the importance of identity authentication is also reflected everywhere.
After measurement, the quantum state collapses as follows: Therefore, quantum measurement will change the original state of the quantum state.

Mutually Unbiased Bases
Let $d$ be an odd prime number and $Z_d$ be a finite field. Suppose are two sets of orthonormal bases on d-dimensional Hilbert space. If they satisfy: Then these two groups of bases are called mutually unbiased bases. If any two sets of bases in $V = \{V_1, V_2, \cdots, V_m\}$ are mutually unbiased, $V$ is called a set of mutually unbiased bases. Additionally, there are at most $d + 1$ elements in set $V$. Specifically, the computational basis $\{|z\rangle\}$, $z \in Z_d$, is one of them. The remaining $d$ groups can be expressed as: where $l, j \in \{0, 1, \cdots, d-1\}$, $\omega = e^{2\pi i/d}$, $j$ represents the sequence of bases, and $l$ represents the vector sequence in a set of bases. They satisfy the following relation: Additionally, among mutually unbiased bases, the following unitary operation transforms them into each other: let We have $U_{x,y}|e_l^j\rangle = |e_{l+x}^{j+y}\rangle$.

QFT, IQFT
The QFT in the d-dimensional system can be expressed as follows: where $\omega = e^{2\pi i/d}$, $x, y \in Z_d$. Similarly, the IQFT can be expressed as: It is easy to see that both the discrete QFT and the discrete IQFT are unitary transformations. In addition, by We can obtain

CNOT Operation
CNOT is a two-qubit gate. In the d-dimensional system, it can be expressed as follows: where $|x_1\rangle$ is the control bit, $|x_2\rangle$ is the target bit, and $x_1, x_2 \in Z_d$.

Proposed Protocol
In this section, we propose a quantum secret-sharing scheme with d-level and (t, n) threshold. Participants can verify each other mutually. Dealer Alice distributes secret shares among the set of participants B = {Bob 1 ,Bob 2 ,· · · ,Bob n }. At least t participants can recover the secret. As the participants mutually verify, the protocol is more secure and practical. The entire scheme consists of three stages, namely the secret-sharing stage, identity authentication stage, and secret-recovery stage. The continuous identity authentication is included in the entire secret-recovery phase. Here, we use Figure 1 to briefly represent the entire process. The specific scheme of the protocol is shown below.

Secret-Sharing Phase
In this phase, the dealer Alice performs the following operations:
(I) Alice selects a binary symmetric polynomial $F(x, y)$ of degree $(t-1)$ in $Z_d$. The $(t-1)$ degree polynomial can be defined as: $F(x, y) = S + a_{10}x + a_{01}y + a_{20}x^2 + a_{02}y^2 + a_{11}xy + \cdots + a_{t-1,t-1}x^{t-1}y^{t-1}$, where $Z_d$ is a finite field, $S$ is the secret, $d$ is an odd prime number, and the coefficients satisfy $a_{ij} \in Z_d$, $a_{ij} = a_{ji}$, $i, j \in \{0, 1, \cdots, t-1\}$.
(II) Alice calculates the polynomials $F(x_i, y)$ $(i = 1, 2, \cdots, n)$, respectively, by (15) and sends them to the corresponding participants Bob i through a secure classical channel, where $x_i \in Z_d$ is the public identity information of the corresponding participant Bob i with $x_i \neq x_j$ for $i \neq j$.
(III) According to the characteristics of binary symmetric polynomials, we define the following two groups of constants:
Remark 1. Here, these four values are the same. However, in the following text, different symbols have different meanings. $k_{i,j}$ and $k_{j,i}$ represent the symmetric keys used during encryption and decryption. $sk_{i,j}$ and $vk_{j,i}$ represent one's own identity information, used to indicate one's identity, which can be understood as one's own signature information.
(IV) Alice chooses a one-way hash function h(). Then, Alice discloses the hash algorithm and hash value H = h(S) of the secret S.

Secret-Recovery Phase
Suppose Bob 1 (reconstructor) wants to get the secret S. Then at least another $t-1$ participants need to be selected to form a qualified subset with him to jointly recover the secret S. Let us suppose $B_1 = \{\mathrm{Bob}_1, \mathrm{Bob}_2, \cdots, \mathrm{Bob}_t\}$ is a qualified subset from all the qualified subsets. Each participant in the set has the ability to independently produce a single photon. The corresponding participants will perform the following processes to recover the secret:
(I) Each participant Bob i, $i = 1, 2, \cdots, t$, calculates the shadow $(S_i)$ of the share according to his own polynomial and prepares the d-level computational basis state $|S_i\rangle$.
is the modular multiplicative inverse of the integer $(x_j - x_i)$. According to the recent literature, there is a fast method for this calculation. We will not expand on it here; readers can refer to [24].
(II) Bob 1 applies QFT on the computational basis state $|S_1\rangle$ and gets the result $|\varphi_1\rangle$.
(III) Bob 1 again prepares a d-level computational basis state $|0\rangle$ and performs the CNOT operation on $|\varphi_1\rangle$ and $|0\rangle$, where $|\varphi_1\rangle$ is the control bit and $|0\rangle$ is the target bit. When the operation is completed, Bob 1 obtains the entangled state $|\varphi_2\rangle$.
The subscripts H and T here are used to distinguish the two particles.
Step 2. After Bob 2 receives the quantum state and encrypted information, he first calculates $vk_{2,1} = F(x_2, x_1)$ according to his own polynomial $F(x_2, y)$. Afterwards Bob 2 performs the unitary transformation $U_{-vk_{2,1},0}$ on $|\Psi_{1,2}\rangle$ and obtains |Ψ 1 = |e c 1 Then, Bob 2 obtains a number pair $(c_1, t_{1,2}) = D_{k_{2,1}}(E_{k_{1,2}}(c_1, t_{1,2}))$ by decrypting the received classical information. Finally, Bob 2 uses the basis $\{|e_l^{c_1}\rangle\}$ $(l \in Z_d)$ to measure $|\Psi_1\rangle$ to obtain the measurement result $(p_1)$ and compares $(p_1)$ with the published random number $p_1$. If $(p_1) = p_1$, then Bob 2 considers that all the information comes from Bob 1. The identity information of Bob 1 is authenticated. Otherwise, Bob 2 considers that the message does not come from Bob 1 or was destroyed in the middle of the process and terminates this agreement.
Step 4. Bob 1 decrypts the encrypted classical information to obtain a random number pair $(c_2, t_{2,1}) = D_{k_{1,2}}(E_{k_{2,1}}(c_2, t_{2,1}))$. After receiving the message particle from Bob 2 at moment $t_{2,1}$, Bob 1 selects the basis $\{|e_l^{c_2}\rangle\}$ $(l \in Z_d)$ to measure $|\Psi_{2,1}\rangle$ to obtain the measurement result $(p_2)$ and compares $(p_2)$ with the published random number $p_2$. If $(p_2) = p_2$, Bob 1 believes that all the information comes from Bob 2 and that Bob 2 has received his message. So, Bob 1 will send the auxiliary state $|k\rangle_T$ in his own hand to Bob 2 through the secure quantum channel at moment $t_{1,2}$. The entire identity authentication process is shown in Figure 2 below:
Remark 3. Here, secure quantum channel refers to a quantum channel that is not subject to external interference, that is, an authenticated quantum channel. Participants can engage in quantum direct communication.
(V) After Bob 2 receives $|k\rangle_T$ at moment $t_{1,2}$, he treats $|k\rangle_T$ as the control bit and $|S_2\rangle$ as the target bit. Then, Bob 2 performs the controlled black box operation $C_k$ on these two quantum states, where $C_k$ can be expressed as: $U$ is a linear transformation and it satisfies $U|S_2\rangle = \omega^{S_2}|S_2\rangle$. That is to say, $|S_2\rangle$ is an eigenvector of $U$ with an eigenvalue of $\omega^{S_2}$. After performing the controlled black box operation, Bob 2 next conducts the direct product operation of $|S_2\rangle$ and $|k\rangle_T$. Then, the whole quantum state system becomes $|\varphi_3\rangle$.
(VI) Each participant, Bob i and Bob i+1, repeats the above mutual authentication and operation process of Bob 1 and Bob 2. When Bob 2 and Bob 3 complete mutual authentication, Bob 2 will send the auxiliary state $|k\rangle_T$ in his own hand to Bob 3 through the secure quantum channel at moment $t_{2,3}$. Bob 3 also performs a similar controlled black box operation first. Then, he performs the direct product operation on his quantum state $|S_3\rangle$ and the whole quantum system, and so on, until the last participant Bob t completes the direct product operation. At this time, the whole quantum system becomes $|\varphi_4\rangle$.
(VII) When Bob t completes the direct product operation, Bob t completes the identity authentication process with Bob 1 in the same way. After completing the authentication operation, Bob t retransmits the auxiliary state $|k\rangle_T$ back to Bob 1 through a secure quantum channel. After Bob 1 receives the auxiliary state $|k\rangle_T$ again, he performs the CNOT operation on the two particles in his hand, where $|k\rangle_H$ is the control bit and $|k\rangle_T$ is the target bit. At this time, the whole quantum system becomes $|\varphi_5\rangle$.
(VIII) Bob 1 uses the computational basis to measure the quantum state $|k\rangle_T$ which has been handled by the CNOT operation. If the measurement result is $|0\rangle$, Bob 1 believes that his auxiliary particles have not been destroyed or replaced. Bob 1 will continue to perform the following steps. Otherwise Bob 1 has reason to believe that the auxiliary state was damaged or replaced during the transmission process, thus ending the entire agreement.

Correctness Analysis
In this section, we show the correctness of the protocol in the secret recovery phase through two theorems.
Theorem 1. The sum of t shares of participants is the secret to be recovered.
Proof. According to the Lagrange interpolation formula, we have
Theorem 2. When Bob 1 applies the IQFT on the first quantum state $|k\rangle_H$ in his hand and measures the output result, he can obtain the secret S.
Proof.
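An added example, not code from the paper: a classical Python simulation of the secret-sharing phase and of Theorems 1 and 2, using t = 4, n = 6, d = 17, S = 2 from the page's example, which also shows the hash check rejecting a forged shadow. The coefficients, the identities x_i = 1..6, SHA-256 for h(), and the Lagrange form of the shadow are assumptions made here, so the shadow values differ from those quoted in the Example section.

```python
import cmath
import hashlib
import random

D, T, N, S = 17, 4, 6, 2        # d, t, n, S taken from the page's (4,6) example
IDS = list(range(1, N + 1))     # public identities x_i: constructed, distinct, nonzero

def h(value):
    """Stand-in for the dealer's one-way hash h(); SHA-256 is an assumption."""
    return hashlib.sha256(str(value).encode()).hexdigest()

def symmetric_coeffs(secret, t, d, rng):
    """Coefficient matrix with a[i][j] == a[j][i] and a[0][0] = S."""
    a = [[0] * t for _ in range(t)]
    for i in range(t):
        for j in range(i, t):
            a[i][j] = a[j][i] = rng.randrange(d)
    a[0][0] = secret % d
    return a

def share_poly(a, x_i, d):
    """Coefficients in y of F(x_i, y), the polynomial Alice sends to Bob_i."""
    t = len(a)
    return [sum(a[i][j] * pow(x_i, i, d) for i in range(t)) % d for j in range(t)]

def evaluate(share, y, d):
    """Bob_i evaluates his own F(x_i, y) at y; F(x_i, x_j) is the pairwise key."""
    return sum(c * pow(y, j, d) for j, c in enumerate(share)) % d

def shadow(share, x_i, subset, d):
    """S_i = F(x_i, 0) * prod_{j != i} x_j * (x_j - x_i)^(-1) mod d (assumed form)."""
    s = evaluate(share, 0, d)
    for x_j in subset:
        if x_j != x_i:
            s = s * x_j * pow((x_j - x_i) % d, -1, d) % d
    return s

def recover(shadows, d):
    """Classical simulation of the H register: QFT on |S_1>, one phase kickback
    w^(k*S_i) per further participant, then IQFT and measurement."""
    w = cmath.exp(2j * cmath.pi / d)
    amp = [w ** ((k * shadows[0]) % d) / d ** 0.5 for k in range(d)]   # QFT|S_1>
    for s_i in shadows[1:]:                                            # C_k of Bob_i
        amp = [a * w ** ((k * s_i) % d) for k, a in enumerate(amp)]
    out = [sum(a * w ** ((-k * y) % d) for k, a in enumerate(amp)) / d ** 0.5
           for y in range(d)]                                          # IQFT
    probs = [abs(z) ** 2 for z in out]
    best = max(range(d), key=probs.__getitem__)
    return best, probs[best]

def run(subset, tamper=False, seed=7):
    rng = random.Random(seed)   # seeded for a repeatable demo; a dealer would use secrets
    a = symmetric_coeffs(S, T, D, rng)
    shares = {x: share_poly(a, x, D) for x in IDS}
    published = h(S)                                   # H = h(S), disclosed by Alice
    shadows = [shadow(shares[x], x, subset, D) for x in subset]
    if tamper:                                         # one participant forges |S_i>
        shadows[1] = (shadows[1] + 1) % D
    value, prob = recover(shadows, D)
    return shares, shadows, value, prob, h(value) == published

if __name__ == "__main__":
    shares, shadows, value, prob, ok = run(IDS[:T])
    print("k_12 == k_21:", evaluate(shares[1], 2, D) == evaluate(shares[2], 1, D))
    print("shadows:", shadows, "sum mod d:", sum(shadows) % D)
    print("measured:", value, "probability:", round(prob, 6), "hash ok:", ok)
    print("forged shadow:", run(IDS[:T], tamper=True)[2:])
```

Any other qualified subset of four identities can be passed to `run` and recovers the same S, while a single altered shadow shifts the measured value and fails the comparison with the published hash.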

Intercept-Resend Attack
Suppose that there is an eavesdropper, Eve, who wants to steal secret information by performing an intercept-resend attack. When Bob i communicates with Bob i+1, there will be three quantum states interacting through the quantum channel. They are p i+1 , and auxiliary state $|k\rangle_T$. When Eve intercepts $|\Psi_{i,i+1}\rangle$ and $|\Psi_{i+1,i}\rangle$, she needs to obtain information by measuring, but Eve does not know the measurement bases $c_i$ and $c_{i+1}$. If Eve arbitrarily chooses a set of bases to measure, the probability of success is $1/d$; when $d \to \infty$, $1/d \to 0$. Therefore, the possibility of success is negligible. Even if Eve succeeds, $|\Psi_{i,i+1}\rangle$ and $|\Psi_{i+1,i}\rangle$ are just the quantum states needed for Bob i and Bob i+1 to verify their identities. These two quantum states carry no information about the secret. As for the auxiliary state $|k\rangle_T$, it is only the control bit in the secret recovery process and also carries no information about the secret. Therefore, the intercept-resend attack is not successful.

Entangle-Measure Attack
In this attack, the eavesdropper Eve prepares an auxiliary state |e . By using unitary transformation to entangle the auxiliary state |e onto the transmission particle, Eve measures the auxiliary state and compares it with the original result to obtain relevant information about the secret. In our scheme, only particle |k T is transferred between participants in the secret recovery phase. Therefore, suppose that when Bob 1 transfers particle |k T to Bob 2 , Eve performs the d-level CNOT operation to entangle the auxiliary state |e to the particle |k T . At this time, |φ 2 becomes |φ 2 .
When Bob 2 completes its own operation and transfers particle |k T to Bob 3 , Eve performs d-level CNOT operation again. Where particle |k T is the control bit and auxiliary state |k + e is target bit. At this time, |φ 3 becomes |φ 3 . |φ 3 = (CNOT(|k T , |k ⊕ e ))|φ 3 Next, Eve obtains the result e by measuring the auxiliary state particle. She concludes that the particles transmitted between participants are the same. The particle |k T has no information about sharing the secret. She cannot obtain any information about the secret. Therefore, the entangle-measure attack is not feasible.

Collusion Attack
In the collusion attack, some colluding participants want to obtain information about others' shares of the secret through cooperation. Then, they can obtain the original secret. In our protocol, the share of the secret is calculated by each participant Bob i through his own share polynomial $F(x_i, y)$. Each participant only knows his own share. In addition, the shares will not be disclosed or transferred to other participants. As a consequence, it is impossible for participants to obtain the others' shares. So the collusion attack is not feasible.

Forgery Attack
Suppose the participant Bob i wants to perform a forgery attack. Then, in the identity authentication phase, to prove his identity to Bob i−1 and Bob i+1 , Bob i must use the correct authentication information. He cannot use forged information, or the agreement will end early. In the secret-recovery phase, on the one hand, if Bob i forges an auxiliary state |k T and transmits it to Bob i+1 , then the measurement result of Bob 1 in (VIII) will not be |0 . Bob 1 believes that the auxiliary state has been damaged and terminates the agreement in advance. On the other hand, if Bob i uses his sharing of S i to forge a false computational basis state |S i , Bob 1 will get the wrong secret S eventually. By comparing h(S ) = h(S), Bob 1 believes that at least one participant is dishonest and ends the agreement. Therefore, our protocol can resist forgery attacks.

Scheme Comparison
In this section, we analyze the quantum resources needed by our protocol and compare it with some previous protocols.
The protocol of Yang et al. [3] operates in d-dimensional space; it is a (n, n) threshold scheme. The scheme needs (n − 1) message particles and performs n number of QFT operations and n number of measure operations. It uses fewer quantum resources, but the scheme is not flexible enough. This scheme can resist any computational attack, but it cannot resist collusion attacks.
The protocol of Song et al. [7] operates in d-dimensional space; it is a (t, n) threshold scheme. The secret reconstructor prepares t message particles and distributes (t − 1) of them to the other participants. The reconstructor starts with a QFT. Once the other participants complete the operation, the reconstructor performs an IQFT and measures particles to obtain the secret. Finally, the reconstructor verifies it through the hash function. This protocol can resist various common attacks. However, after some calculation and analysis, due to the mutual entanglement between particles, simple IQFT cannot recover the secret.
The protocol of Sutradhar et al. [8] is d level with (t, n) threshold. Using the Lagrange interpolation formula, the reconstructor first applies QFT to a particle. After each participant adds its share to the whole recovery process, the reconstructor uses the IQFT to recover the secret and measures to obtain the secret. The whole secret recovery process is repeated twice using two polynomials to restore the secret and the hash value of the secret, respectively. Through this method, the reconstructor can verify the correctness of the message. However, the protocol requires a trusted reconstructor, so it cannot resist collusion attacks, although it can resist other common attacks.
The protocol of Mashhadi et al. [9] is an improvement to the protocol of Song et al. [7]. The protocol points out the inadequacy of its entanglement and proposes an improved scheme. Since the IQFT performed by the reconstructor cannot obtain the secret, t participants are required to perform IQFT in the entanglement system and summarize the measurement results to obtain the initial secret. Therefore, the protocol cannot resist intercept-resend attacks and collusion attacks.
Our protocol is also d level with (t, n) threshold. The dealer uses the binary symmetric polynomial to distribute the share polynomial. Each participant can use its own share polynomial to calculate the secret share and complete the identity authentication process. The protocol uses 2t message particles to complete the mutual authentication process of both parties. Finally, the reconstructor restores the secret by performing IQFT and obtains the secret through measurement. Although our protocol uses more quantum resources, every step is necessary. The identity authentication process will make the protocol more secure and reliable. Our protocol can also resist some attacks well. The comparison of these protocols is shown in Table 1 below.

Example
In this section, in order to better understand our protocol, we give a quantum secret sharing scheme with (4,6) threshold. In this protocol, t = 4, n = 6, d = 17, S = 2.

Secret-Sharing Phase
Alice performs the following operations:
(I) Alice selects a binary symmetric polynomial $F(x, y)$ of degree 3 in $Z_{17}$.
(30)
(III) According to the characteristics of binary symmetric polynomial, constants have the following relationship: According to the selected binary symmetric polynomial and the identity information of each participant, we can obtain:
(IV) Alice chooses a one-way hash function h(). Then, Alice discloses the hash algorithm and hash value H = h(2) of the secret S = 2.

Secret-Recovery Phase
Suppose Bob 1 (reconstructor) wants to get the secret S. Bob 1 chooses Bob 2 , Bob 3 , and Bob 4 to help him recover the secret. Each participant has the ability to independently produce a single photon.
(I) Each participant Bob i, $i = 1, 2, 3, 4$, calculates the shadow $(S_i)$ of the share according to his own polynomial $F(x_i, y)$.
(III) Bob 1 again prepares a 17-level computational basis state $|0\rangle$ and performs the CNOT operation on $|\varphi_1\rangle$ and $|0\rangle$, where $|\varphi_1\rangle$ is the control bit and $|0\rangle$ is the target bit. When the operation is completed, Bob 1 obtains the entangled state $|\varphi_2\rangle$.
Step 4. Bob 1 decrypts the encrypted classical information to obtain a random number pair $(5, 7) = D_{k_{1,2}}(E_{k_{2,1}}(5, 7))$. After receiving the message particle from Bob 2 at moment $t_{2,1} = 7$, Bob 1 selects the basis $\{|e_l^5\rangle\}$ $(l \in Z_{17})$ to measure $|\Psi_{2,1}\rangle$ to obtain the measurement result $(p_2)$ and compares $(p_2)$ with the published random number $p_2 = 12$. If $(p_2) = p_2 = 12$, Bob 1 believes that all the information comes from Bob 2 and that Bob 2 has received his message. So, Bob 1 will send the auxiliary state $|k\rangle_T$ in his own hand to Bob 2 through the secure quantum channel at moment $t_{1,2} = 9$.
(V) After Bob 2 receives $|k\rangle_T$ at moment $t_{1,2} = 9$, he treats $|k\rangle_T$ as the control bit and $|S_2\rangle = |14\rangle$ as the target bit. He performs the controlled black box operation $C_k$ on these two quantum states. After performing the controlled black box operation, Bob 2 next conducts the direct product operation on $|S_2\rangle = |14\rangle$ and $|k\rangle_T$. Then the whole quantum state system becomes $|\varphi_3\rangle$.
(VI) Each participant Bob i and Bob i+1 repeats the above mutual authentication and operation process of Bob 1 and Bob 2. When Bob 2 and Bob 3 complete mutual authentication, Bob 2 will send the auxiliary state $|k\rangle_T$ in his own hand to Bob 3 through the secure quantum channel at moment $t_{2,3} = 15$. Bob 3 also performs a similar controlled black box operation first. Then, he performs the direct product operation on his quantum state $|S_3\rangle = |3\rangle$ and the whole quantum system, and so on, until the last participant Bob 4 completes the direct product operation. At this time, the whole quantum system becomes $|\varphi_4\rangle$.
(VII) When Bob 4 completes the direct product operation, Bob 4 completes the identity authentication process with Bob 1 in the same way. After completing the authentication operation, Bob 4 retransmits the auxiliary state $|k\rangle_T$ back to Bob 1 through a secure quantum channel. After Bob 1 receives the auxiliary state $|k\rangle_T$ again, he performs a CNOT operation on the two particles in his hand, where $|k\rangle_H$ is the control bit and $|k\rangle_T$ is the target bit. At this time, the whole quantum system becomes $|\varphi_5\rangle$.
(VIII) Bob 1 uses the computational basis to measure the quantum state $|k\rangle_T$ which has been handled by the CNOT operation. If the measurement result is $|0\rangle$, Bob 1 believes that his auxiliary particles have not been destroyed or replaced. Bob 1 will continue to perform the following steps. Otherwise Bob 1 has reason to believe that the auxiliary state was damaged or replaced during the transmission process, thus ending the entire agreement.
(38)
(X) Bob 1 calculates H = h(2) according to hash function h() released by Alice and compares with public H = h(S). If H = H, S , the secret obtained by Bob 1 is the real secret. If not, Bob 1 has reason to believe that there is at least one dishonest participant, thus terminating the agreement.

Conclusions
In this article, using QFT, IQFT, mutually unbiased bases, and other relevant knowledge, we propose a quantum secret-sharing scheme in which both sides of the communication can mutually verify each other's identity. Each participant holds his own share, which will neither be disclosed nor transferred. Only at the secret-recovery stage will each participant directly integrate his information into the whole quantum system, which prevents it from being stolen. Any participant has reason to recover the secret and only the reconstructor obtains the secret and is responsible for it. Since only t participants can recover the secret, the protocol is more flexible and practical. According to our analysis, the protocol can resist intercept-resend attacks, entanglement-measurement attacks, collusion attacks, and forgery attacks, so it is safe enough.