1 Introduction

Secret sharing (SS) [16] is a cryptographic scheme that encodes a secret into multiple shares distributed to participants, so that only qualified sets of participants can reconstruct the original secret from their shares. Traditionally both the secret and the shares were classical information (bits). Several authors [4, 6, 8, 17] extended traditional SS to a quantum one so that a quantum secret can be encoded into quantum shares.

There was a difference between the early pioneering works [4, 6, 8, 17] on quantum SS. The first quantum SS [8] was based on controlled teleportation [9, 20], whose reconstruction of the quantum secret involved classical communication among participants. On the other hand, the other works [4, 6, 17] related reconstruction to quantum error correction [3, 18], and their reconstruction procedures were generally unitary operations on quantum shares. This paper studies reconstruction in the second category.

When we require unqualified sets of participants to have zero information of the secret, the size of each share must be larger than or equal to that of secret. By tolerating partial information leakage to unqualified sets, the size of shares can be smaller than that of secret. Such SS is called ramp SS [2, 19]. The quantum ramp SS was proposed by Ogawa et al. [14]. If an unqualified set has absolutely no information about quantum secret (see [14] for a formal definition), it is called a forbidden set.

When we have a quantum error-correcting code (QECC) of length n and use it for quantum secret sharing, it can correct erasures in a set \(\overline{J} \subset \{1, \ldots, n\}\), and it was shown [4, 6] that \(J = \{1, \ldots, n\} \setminus \overline{J}\) is a qualified set and \(\overline{J}\) is a forbidden set. The above statement also holds for quantum ramp SS [14]. In such a situation, a straightforward method for the set J of participants to reconstruct the quantum secret is as follows: first, initialize the quantum systems in \(\overline{J}\) to arbitrary quantum states, and then apply the erasure decoding procedure of the QECC. This method is wasteful because decoding procedures usually involve measurement and they also need to attach \(|\overline{J}|\) extra quantum systems. For example, if \(|J| = 70\) and \(|\overline{J}|=30\), adding 30 quantum systems and performing measurement on 100 systems are wasteful.

To overcome this waste, unitary reconstruction methods were proposed for previous proposals of quantum SS [4, 12, 14, 21]. On the other hand, while quantum SS constructed from the stabilizer QECC had been already studied [10, 11, 15], no unitary reconstruction procedure has been proposed for stabilizer-based quantum SS. Stabilizer-based quantum SS is important because it can realize access structures that cannot be realized by quantum SS based on CSS codes [3, 18]. For example, only the [[5, 1, 3]] binary stabilizer QECC can realize quantum SS distributing 1 qubit of secret to 5 participants receiving 1-qubit shares and allowing only 3 or more participants to reconstruct secret. In addition, when sharing classical secret, it was recently shown that stabilizer QECC can realize an access structure that cannot be realized by classical information processing [13].

In this paper, we propose a unitary reconstruction method that can be executed by a qualified set J of participants without adding extra quantum systems. In Sect. 2, we introduce notations of stabilizer QECC and prove some properties of stabilizer QECC used later in the proposed reconstruction procedure. Section 3 describes the proposed procedure. Section 4 gives an explicit computational example of the proposed procedure applied to the well-known [[5, 1, 3]] binary stabilizer QECC. In the Appendix, we discuss the security of quantum SS based on stabilizer QECCs.

2 Preliminaries

2.1 Notations for stabilizer codes

Let q be a prime power, and we consider the q-dimensional complex linear space \({\mathbf {C}}_q\). A quantum system whose state is expressed by \({\mathbf {C}}_q\) is called a qudit in this paper. Each share is assumed to be a qudit, and quantum secret consists of one or more qudits. If quantum secret has two or more qudits, the quantum SS becomes a ramp scheme. We fix a q-ary stabilizer QECC encoding k qudits to n qudits. The materials in this subsection are not new at all and can be found in, for example, [1, 7]. Its stabilizer can be expressed as an \((n-k)\)-dimensional \({\mathbf {F}}_q\)-linear subspace C of \({\mathbf {F}}_q^{2n}\), where \({\mathbf {F}}_q\) is the finite field with q elements.

For two vectors \(\mathbf {x} = (a_1, b_1, \ldots, a_n, b_n)\) and \(\mathbf {y} = (a'_1, b'_1, \ldots, a'_n, b'_n) \in {\mathbf {F}}_q^{2n}\), we define their symplectic inner product as

$$\begin{aligned} \langle \mathbf {x}, \mathbf {y} \rangle = \sum _{i=1}^n a_i b'_i - a'_ib_i. \end{aligned}$$
(1)

Let \(C^\perp = \{ \mathbf {x} \in {\mathbf {F}}_q^{2n} \mid \forall \mathbf {y} \in C, \langle \mathbf {x}, \mathbf {y}\rangle =0\}\). Then we have \(C^\perp \supset C\) and \(\dim C^\perp = n+k\).

2.2 Qualified sets and related properties

To use any reconstruction procedure, the set J of participants must be qualified to reconstruct the secret. In this subsection, we clarify a necessary and sufficient condition for qualified sets and related properties that are later used for the proposed reconstruction procedure.

For a set \(J \subset \{1, \ldots, n\}\) of participants to be qualified, the erasures in \(\overline{J}\) must be decodable, where an erasure means a quantum error with known location. In other words, when the errors are only in \(\overline{J}\), the stabilizer QECC defined by the stabilizer \(C \subset {\mathbf {F}}_q^{2n}\) must be able to correct the error.

Let \(\mathbf {g}_1, \ldots, \mathbf {g}_{n-k}\) be a basis of C. A quantum error can also be identified with a vector \(\mathbf {e} =(a_1, b_1, \ldots, a_n, b_n) \in {\mathbf {F}}_q^{2n}\) (see, e.g., [1, 7]). Measurement in the standard decoding procedure gives the symplectic inner products \(\langle \mathbf {e}, \mathbf {g}_i\rangle \) for \(i=1, \ldots, n-k\). Let \({\mathbf {F}}_q^{\overline{J}} = \{ (a_1, b_1, \ldots, a_n, b_n) \in {\mathbf {F}}_q^{2n} \mid j \in J \Rightarrow (a_j, b_j) = (0, 0) \}\) and \({\mathbf {F}}_q^{J} = \{ (a_1, b_1, \ldots, a_n, b_n) \in {\mathbf {F}}_q^{2n} \mid j \in \overline{J} \Rightarrow (a_j, b_j) = (0, 0) \}\). Observe that \(\dim {\mathbf {F}}_q^J = 2|J|\) and \(\dim {\mathbf {F}}_q^{\overline{J}} = 2|\overline{J}|\).

Under the assumption \(j \in J \Rightarrow (a_j, b_j) = (0,0)\) for \(\mathbf {e}\), we can correct all errors \(\mathbf {e} \in {\mathbf {F}}_q^{\overline{J}}\) if and only if the implication

$$\begin{aligned} \forall i, \langle \mathbf {e}, \mathbf {g}_i\rangle = 0 \Rightarrow \mathbf {e} \in C \end{aligned}$$
(2)

holds. The condition (2) implies (with the assumption that errors belong to \(\overline{J}\))

$$\begin{aligned} C^\perp \cap {\mathbf {F}}_q^{\overline{J}} \subseteq C \cap {\mathbf {F}}_q^{\overline{J}}. \end{aligned}$$

On the other hand, the assumption \(C^\perp \supset C\) implies

$$\begin{aligned} C^\perp \cap {\mathbf {F}}_q^{\overline{J}} \supseteq C \cap {\mathbf {F}}_q^{\overline{J}}. \end{aligned}$$

Therefore, the condition (2) is equivalent to

$$\begin{aligned} C^\perp \cap {\mathbf {F}}_q^{\overline{J}} = C \cap {\mathbf {F}}_q^{\overline{J}}. \end{aligned}$$
(3)

We will study the linear spaces consisting of qudits in J or \(\overline{J}\) of quantum codewords. Let \(Q(C)\subset {\mathbf {C}}_q^{\otimes n}\), \(Q(C\cap {\mathbf {F}}_q^{\overline{J}}) \subset {\mathbf {C}}_q^{\otimes |\overline{J}|}\), \(Q(C\cap {\mathbf {F}}_q^J)\subset {\mathbf {C}}_q^{\otimes |J|}\) be stabilizer QECCs defined by C, \(C\cap {\mathbf {F}}_q^{\overline{J}}\), and \(C\cap {\mathbf {F}}_q^J\), respectively. When we consider qudits in J (resp. \(\overline{J}\)) of codewords in Q(C), their quantum states are density matrices whose row spaces are contained in \(Q(C\cap {\mathbf {F}}_q^J)\) (resp. \(Q(C\cap {\mathbf {F}}_q^{\overline{J}})\)).

In order to evaluate their dimensions, firstly we have to evaluate \(\dim C\cap {\mathbf {F}}_q^J\) and \(\dim C\cap {\mathbf {F}}_q^{\overline{J}}\), where \(\dim C\cap {\mathbf {F}}_q^J\) denotes the dimension of the linear space \(C\cap {\mathbf {F}}_q^J\). We have

$$\begin{aligned} |J|-k - |\overline{J}|\le & {} \dim C\cap {\mathbf {F}}_q^J \end{aligned}$$
(4)
$$\begin{aligned}\le & {} |J|-k. \end{aligned}$$
(5)

The linear space \(C\cap {\mathbf {F}}_q^J\) consists of vectors in C whose \((2j-1)\)th component and 2jth component are zero if \(j \in \overline{J}\), which implies \(\dim C - \dim C\cap {\mathbf {F}}_q^J \le 2 |\overline{J}|\). Equation (4) holds because

$$\begin{aligned}&\underbrace{\dim C}_{=n-k} - 2|\overline{J}| \le \dim C\cap {\mathbf {F}}_q^J\\&\quad \Leftrightarrow \underbrace{n-|\overline{J}|}_{=|J|} -k - |\overline{J}| \le \dim C\cap {\mathbf {F}}_q^J\\&\quad \Leftrightarrow |J|-k - |\overline{J}| \le \dim C\cap {\mathbf {F}}_q^J. \end{aligned}$$

For \(\mathbf {x} = (a_1, b_1, \ldots, a_n, b_n) \in {\mathbf {F}}_q^{2n}\), let \(P_{\overline{J}} (\mathbf {x}) = (a_j, b_j)_{j \in \overline{J}}\), that is, the projection to the index set \(\overline{J}\). Then we have \(C\cap {\mathbf {F}}_q^J = C \cap \ker (P_{\overline{J}})\) and \(\dim C\cap {\mathbf {F}}_q^J + \dim P_{\overline{J}}(C) = \dim C\), which implies

$$\begin{aligned} \dim P_{\overline{J}}(C) = (n-k) - \dim C\cap {\mathbf {F}}_q^J. \end{aligned}$$
(6)

Suppose that Eq. (5) does not hold. Then we have \(\dim P_{\overline{J}}(C) < |\overline{J}|\) by Eq. (6) and the equality \(n=|J|+|\overline{J}|\). Since \(C^\perp \cap {\mathbf {F}}_q^{\overline{J}} = P_{\overline{J}}(C)^\perp \) (\(\perp \) in \(P_{\overline{J}}(C)^\perp \) is considered in \({\mathbf {F}}_q^{2|\overline{J}|}\)), we have \(\dim C^\perp \cap {\mathbf {F}}_q^{\overline{J}} = 2|\overline{J}| - \dim P_{\overline{J}}(C) > |\overline{J}|\). The last inequality implies \(\dim C^\perp \cap {\mathbf {F}}_q^{\overline{J}}> |\overline{J}| > \dim P_{\overline{J}}(C) \ge \dim C \cap {\mathbf {F}}_q^{\overline{J}}\) because \(P_{\overline{J}}(C) \supseteq C \cap {\mathbf {F}}_q^{\overline{J}}\). The inequality \(\dim C^\perp \cap {\mathbf {F}}_q^{\overline{J}}> \dim C \cap {\mathbf {F}}_q^{\overline{J}}\) contradicts Eq. (3). So we see that Eq. (5) is true when J is a qualified set.

In light of Eqs. (4) and (5), let \(\dim C\cap {\mathbf {F}}_q^J = |J| - k - \ell \). Then \(Q(C\cap {\mathbf {F}}_q^J)\) encodes \(k+\ell \) qudits to |J| qudits.

We consider \(\dim C\cap {\mathbf {F}}_q^{\overline{J}}\). By Eq. (3) we have

$$\begin{aligned}&\dim C\cap {\mathbf {F}}_q^{\overline{J}} \\&\quad = \dim C^\perp \cap {\mathbf {F}}_q^{\overline{J}}\\&\quad = \dim C^\perp - \dim \underbrace{P_J(C^\perp )}_{=(C\cap {\mathbf {F}}_q^{J})^\perp \, \mathrm { in }\, {\mathbf {F}}_q^{2|J|}}\\&\quad = \underbrace{\dim C^\perp }_{=n+k} - \left( 2|J| - \dim C\cap {\mathbf {F}}_q^{J}\right) \\&\quad = n+k - 2|J| + \underbrace{\dim C\cap {\mathbf {F}}_q^{J}}_{=|J|-(k+\ell )}\\&\quad = |\overline{J}| - \ell , \end{aligned}$$

which means that \(Q(C\cap {\mathbf {F}}_q^{\overline{J}})\) encodes \(\ell \) qudits to \(|\overline{J}|\) qudits. Readers might wonder if \(\ell =|\overline{J}|\) is always true. The equality \(\ell = |\overline{J}|\) usually holds, as we will see in Sect. 4 with an example. But \(\ell = |\overline{J}|\) is sometimes false in general cases; for example, consider an impractical stabilizer QECC whose codewords are always set to \(|00\cdots 0\rangle \) in \(\overline{J}\), which gives \(\ell =0\).

3 Proposed unitary reconstruction

For ease of presentation, without loss of generality we may assume \(\overline{J} = \{1, \ldots, |\overline{J}|\}\) and \(J = \{ |\overline{J}| + 1, \ldots, n\}\), by reordering indices. Let

$$\begin{aligned} \left\{ |\mathbf {i^{(k)}}\rangle \mid \mathbf {i^{(k)}} \in {\mathbf {F}}_q^k \right\} \end{aligned}$$
(7)

be an orthonormal basis (ONB) of \({\mathbf {C}}_q^{\otimes k}\), and let \(|\psi (\mathbf {i^{(k)}})\rangle \in Q(C)\) be the quantum codeword corresponding to \(|\mathbf {i^{(k)}}\rangle \). Let

$$\begin{aligned} \left\{ |\varphi _{\overline{J}}(\mathbf {i^{(\ell )}})\rangle \mid \mathbf {i^{(\ell )}} \in {\mathbf {F}}_q^\ell \right\} \end{aligned}$$
(8)

be an ONB of \(Q(C\cap {\mathbf {F}}_q^{\overline{J}})\). Then

$$\begin{aligned} (|\varphi _{\overline{J}}(\mathbf {i^{(\ell )}})\rangle \langle \varphi _{\overline{J}}(\mathbf {i^{(\ell )}}) |\otimes I_J) |\psi (\mathbf {i^{(k)}})\rangle \end{aligned}$$
(9)

have the same nonzero length for all \(\mathbf {i^{(k)}}\) and \(\mathbf {i^{(\ell )}}\), where \(I_J\) is the identity matrix on qudits in J. This is because otherwise the Holevo information between the classical information \(\mathbf {i^{(k)}}\) and the qudits in \(\overline{J}\) would be strictly positive, which by Ogawa et al. [14] contradicts our assumption that J is a qualified set.

Define a state vector \(|\varphi _J(\mathbf {i^{(k)}}, \mathbf {i^{(\ell )}})\rangle \in Q(C\cap {\mathbf {F}}_q^J)\) by

$$\begin{aligned} |\varphi _{\overline{J}}(\mathbf {i^{(\ell )}})\rangle |\varphi _J(\mathbf {i^{(k)}}, \mathbf {i^{(\ell )}})\rangle = \frac{(|\varphi _{\overline{J}}(\mathbf {i^{(\ell )}})\rangle \langle \varphi _{\overline{J}}(\mathbf {i^{(\ell )}}) |\otimes I_J) |\psi (\mathbf {i^{(k)}})\rangle }{\Vert (|\varphi _{\overline{J}}(\mathbf {i^{(\ell )}})\rangle \langle \varphi _{\overline{J}}(\mathbf {i^{(\ell )}}) |\otimes I_J) |\psi (\mathbf {i^{(k)}})\rangle \Vert }. \end{aligned}$$
(10)

Then the vectors \(|\varphi _J(\mathbf {i^{(k)}}, \mathbf {i^{(\ell )}})\rangle \) have length one and are mutually orthogonal for different \((\mathbf {i^{(k)}}, \mathbf {i^{(\ell )}})\). Therefore,

$$\begin{aligned} \left\{ |\varphi _J(\mathbf {i^{(k)}}, \mathbf {i^{(\ell )}})\rangle \mid \mathbf {i^{(k)}} \in {\mathbf {F}}_q^k, \mathbf {i^{(\ell )}} \in {\mathbf {F}}_q^\ell \right\} \end{aligned}$$
(11)

is an ONB of \(Q(C\cap {\mathbf {F}}_q^J)\).

By using the above notations, we can express

$$\begin{aligned} |\psi (\mathbf {i^{(k)}})\rangle = \frac{1}{\sqrt{q^\ell }} \sum _{\mathbf {i^{(\ell )}} \in {\mathbf {F}}_q^\ell } |\varphi _{\overline{J}}(\mathbf {i^{(\ell )}})\rangle |\varphi _J(\mathbf {i^{(k)}}, \mathbf {i^{(\ell )}})\rangle . \end{aligned}$$
(12)

We can define a unitary operation \(U_{\mathrm {rec}}\) from \(Q(C\cap {\mathbf {F}}_q^J)\) to \(Q(C\cap {\mathbf {F}}_q^{\overline{J}})\otimes {\mathbf {C}}_q^{\otimes k}\), sending \(|\varphi _J(\mathbf {i^{(k)}}, \mathbf {i^{(\ell )}})\rangle \) to \(|\varphi _{\overline{J}}(\mathbf {i^{(\ell )}})\rangle |\mathbf {i^{(k)}}\rangle \), because both \(\{ |\varphi _J(\mathbf {i^{(k)}}, \mathbf {i^{(\ell )}})\rangle \mid \mathbf {i^{(k)}} \in {\mathbf {F}}_q^k, \mathbf {i^{(\ell )}} \in {\mathbf {F}}_q^\ell \}\) and \(\{ |\varphi _{\overline{J}}(\mathbf {i^{(\ell )}})\rangle |\mathbf {i^{(k)}}\rangle \mid \mathbf {i^{(k)}} \in {\mathbf {F}}_q^k, \mathbf {i^{(\ell )}} \in {\mathbf {F}}_q^\ell \}\) are ONBs with the same number of quantum state vectors in them.

Suppose that quantum secret is

$$\begin{aligned} \sum _{\mathbf {i^{(k)}} \in {\mathbf {F}}_q^k} \alpha (\mathbf {i^{(k)}}) |\mathbf {i^{(k)}}\rangle , \end{aligned}$$

where \(\alpha (\mathbf {i^{(k)}})\) are complex coefficients. Then the whole quantum state of all shares is, by Eq. (12),

$$\begin{aligned} \sum _{\mathbf {i^{(k)}} \in {\mathbf {F}}_q^k}\alpha (\mathbf {i^{(k)}}) \frac{1}{\sqrt{q^\ell }} \sum _{\mathbf {i^{(\ell )}} \in {\mathbf {F}}_q^\ell } |\varphi _{\overline{J}}(\mathbf {i^{(\ell )}})\rangle |\varphi _J(\mathbf {i^{(k)}}, \mathbf {i^{(\ell )}})\rangle . \end{aligned}$$

Applying \(U_{\mathrm {rec}}\) on the qualified set J yields

$$\begin{aligned} \left( \frac{1}{\sqrt{q^\ell }} \sum _{\mathbf {i^{(\ell )}} \in {\mathbf {F}}_q^\ell } |\varphi _{\overline{J}}(\mathbf {i^{(\ell )}})\rangle |\varphi _{\overline{J}}(\mathbf {i^{(\ell )}})\rangle \right) \otimes \sum _{\mathbf {i^{(k)}} \in {\mathbf {F}}_q^k}\alpha (\mathbf {i^{(k)}})|\mathbf {i^{(k)}}\rangle . \end{aligned}$$
(13)

Equation (13) means that the quantum secret is reconstructed in the rightmost k qudits and that it is unentangled from the rest of qudits.

4 Explicit computational example of the [[5, 1, 3]] binary stabilizer QECC

Since our presentation of the proposed procedure is slightly abstract, in this section we will see an explicit computational example with the [[5, 1, 3]] binary stabilizer QECC. According to Gottesman [5], the [[5, 1, 3]] binary stabilizer QECC encodes \(|0\rangle \) to

$$\begin{aligned}&|\psi (0)\rangle \\&\quad = |00000\rangle + |10010\rangle + |01001\rangle + |10100\rangle \\&\qquad + |01010\rangle - |11011\rangle - |00110\rangle - |11000\rangle \\&\qquad - |11101\rangle - |00011\rangle - |11110\rangle - |01111\rangle \\&\qquad - |10001\rangle - |01100\rangle - |10111\rangle + |00101\rangle , \end{aligned}$$

and \(|1\rangle \) to

$$\begin{aligned}&|\psi (1)\rangle \\&\quad = |11111\rangle + |01101\rangle + |10110\rangle + |01011\rangle \\&\qquad + |10101\rangle - |00100\rangle - |11001\rangle - |00111\rangle \\&\qquad - |00010\rangle - |11100\rangle - |00001\rangle - |10000\rangle \\&\qquad - |01110\rangle - |10011\rangle - |01000\rangle + |11010\rangle . \end{aligned}$$

According to Gottesman [5, Table 3.2], the corresponding stabilizer \(C \subset {\mathbf {F}}_2^{10}\) is generated by

$$\begin{aligned} \mathbf {g}_1= & {} (1,0,0,1,0,1,1,0,0,0),\\ \mathbf {g}_2= & {} (0,0,1,0,0,1,0,1,1,0),\\ \mathbf {g}_3= & {} (1,0,0,0,1,0,0,1,0,1),\\ \mathbf {g}_4= & {} (0,1,1,0,0,0,1,0,0,1). \end{aligned}$$

Since it can correct any two erasures, we can set \(J=\{3, 4, 5\}\) and \(\overline{J} = \{1, 2\}\). Since \(C \cap {\mathbf {F}}_2^{\overline{J}} = C^\perp \cap {\mathbf {F}}_2^{\overline{J}}\) are zero linear spaces, we can see that Eq. (3) holds and \(\ell =2\). We can choose \(|\varphi _{\overline{J}}(\mathbf {i^{(\ell )}})\rangle \) of Eq. (8) as \(|\varphi _{\overline{J}}(00)\rangle =|00\rangle \), \(|\varphi _{\overline{J}}(01)\rangle =|01\rangle \), \(|\varphi _{\overline{J}}(10)\rangle =|10\rangle \), and \(|\varphi _{\overline{J}}(11)\rangle =|11\rangle \). Then \(|\varphi _J(\mathbf {i^{(k)}}, \mathbf {i^{(\ell )}})\rangle \) of Eq. (10) become the following states:

$$\begin{aligned} |\varphi _J(0,00)\rangle= & {} \frac{1}{2}(|000\rangle -|110\rangle -|011\rangle +|101\rangle ),\\ |\varphi _J(0,01)\rangle= & {} \frac{1}{2}(|001\rangle +|010\rangle -|111\rangle -|100\rangle ),\\ |\varphi _J(0,10)\rangle= & {} \frac{1}{2}(|010\rangle +|100\rangle -|001\rangle -|111\rangle ),\\ |\varphi _J(0,11)\rangle= & {} \frac{1}{2}(-|011\rangle -|000\rangle -|101\rangle -|110\rangle ),\\ |\varphi _J(1,00)\rangle= & {} \frac{1}{2}(-|100\rangle -|111\rangle -|010\rangle -|001\rangle ),\\ |\varphi _J(1,01)\rangle= & {} \frac{1}{2}(|101\rangle +|011\rangle -|110\rangle -|000\rangle ),\\ |\varphi _J(1,10)\rangle= & {} \frac{1}{2}(|110\rangle +|101\rangle -|000\rangle -|011\rangle ),\\ |\varphi _J(1,11)\rangle= & {} \frac{1}{2}(|111\rangle -|001\rangle -|100\rangle +|010\rangle ). \end{aligned}$$

The unitary reconstruction \(U_{\mathrm {rec}}\) works as follows:

$$\begin{aligned} U_{\mathrm {rec}}|\varphi _J(i_1,i_2i_3)\rangle = |i_2 i_3\rangle |i_1\rangle . \end{aligned}$$

If the quantum secret is \(\alpha (0)|0\rangle + \alpha (1)|1\rangle \), then the quantum state of all shares is \(\alpha (0)|\psi (0)\rangle + \alpha (1)|\psi (1)\rangle \). Application of \(U_{\mathrm {rec}}\) to the 3rd, the 4th and the 5th qubits of \(\alpha (0)|\psi (0)\rangle + \alpha (1)|\psi (1)\rangle \) gives

$$\begin{aligned} \frac{1}{2}(|0000\rangle +|0101\rangle +|1010\rangle +|1111\rangle )(\alpha (0)|0\rangle + \alpha (1)|1\rangle ), \end{aligned}$$

which means that the 3rd, the 4th and the 5th participants successfully reconstructed the quantum secret into the 5th qubit. Also observe that after the reconstruction the 5th qubit is completely unentangled from the rest of qubits. Since the proposed procedure only interacts with the 3rd to the 5th qubits, even if there are errors in the 1st and the 2nd qubits, after reconstruction we obtain \(\alpha (0)|0\rangle + \alpha (1)|1\rangle \) at the 5th qubit.
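The computation of this section carried out numerically, as an added example that is not code from the paper: it builds the eight states of Eq. (10) from the listed codewords, applies \(U_{\mathrm {rec}}\) to qubits 3 to 5 only, and checks that qubit 5 ends up in the secret state, also after a bit flip on share 1. All function names and the sample error are assumptions of this example.

```python
# Added example: U_rec for the [[5,1,3]] code with J = {3,4,5}, Jbar = {1,2}.

def kets(spec):
    """Parse '+00000 -11011 ...' into {bitstring: sign}."""
    return {t[1:]: (1 if t[0] == "+" else -1) for t in spec.split()}

# Codewords |psi(0)>, |psi(1)> as listed on the page (unnormalised, 16 terms each).
PSI = [kets("+00000 +10010 +01001 +10100 +01010 -11011 -00110 -11000 "
            "-11101 -00011 -11110 -01111 -10001 -01100 -10111 +00101"),
       kets("+11111 +01101 +10110 +01011 +10101 -00100 -11001 -00111 "
            "-00010 -11100 -00001 -10000 -01110 -10011 -01000 +11010")]
HEADS = ("00", "01", "10", "11")      # chosen basis |phi_Jbar(i2 i3)> = |i2 i3>

def phi_J(i1, head):
    """Eq. (10): project qubits 1,2 of |psi(i1)> onto |head>, then normalise."""
    part = {b[2:]: s for b, s in PSI[i1].items() if b[:2] == head}
    norm = sum(s * s for s in part.values()) ** 0.5
    return {b: s / norm for b, s in part.items()}

BASIS = {(i1, h): phi_J(i1, h) for i1 in (0, 1) for h in HEADS}

def is_orthonormal(basis):
    """Check that the eight |phi_J(i1, i2 i3)> form an ONB of the 3-qubit space."""
    vs = list(basis.values())
    return all(abs(sum(u.get(b, 0) * c for b, c in v.items()) - (u is v)) < 1e-12
               for u in vs for v in vs)

def encode(a0, a1):
    """Normalised state of all five shares for the secret a0|0> + a1|1>."""
    state = {}
    for psi, a in zip(PSI, (a0, a1)):
        for b, s in psi.items():
            state[b] = state.get(b, 0) + a * s / 4     # 16 terms of +-1: norm 4
    return state

def apply_u_rec(state):
    """Apply U_rec = sum |i2 i3>|i1><phi_J(i1, i2 i3)| to qubits 3,4,5 only."""
    out = {}
    for (i1, h), phi in BASIS.items():                 # phi has real amplitudes
        for head in HEADS:                             # qubits 1,2 are untouched
            amp = sum(c * state.get(head + b, 0) for b, c in phi.items())
            if abs(amp) > 1e-12:
                out[head + h + str(i1)] = amp
    return out

def flip_qubit1(state):
    """Constructed error: bit flip on share 1, which lies outside J."""
    return {"10"[int(b[0])] + b[1:]: a for b, a in state.items()}

def secret_on_qubit5(out):
    """Return (a0, a1) if qubit 5 is unentangled from qubits 1-4, else None."""
    pairs = [(out.get(h + "0", 0), out.get(h + "1", 0))
             for h in sorted({b[:4] for b in out})]
    r0, r1 = pairs[0]
    if any(abs(p0 * r1 - p1 * r0) > 1e-12 for p0, p1 in pairs):
        return None                                    # amplitudes not proportional
    n = (abs(r0) ** 2 + abs(r1) ** 2) ** 0.5
    return (r0 / n, r1 / n)
```

Before reconstruction `secret_on_qubit5(encode(a0, a1))` returns `None`, since qubit 5 is still entangled with the other shares.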

5 Appendix: security analysis

For the completeness of this paper, in this appendix we discuss the security of quantum SS based on stabilizer QECCs. For the security analysis of quantum secret sharing based on quantum error correction, such as [4, 6], we need to clarify (a) which share sets are qualified (being able to reconstruct secret perfectly) and (b) which share sets are forbidden (having no information about secret). The characterization of qualified sets in the proposed scheme is given by Eq. (3). Observe also that from a given basis \(\mathbf {g}_1, \ldots, \mathbf {g}_{n-k}\) of C, we can easily verify by standard linear algebra whether or not Eq. (3) holds for an arbitrarily given share set J. The characterization of forbidden sets also immediately follows from the fact that a share set is forbidden if and only if the rest of shares is qualified, as shown in [4, 6, 14].
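The linear-algebra check of Eq. (3) described above, as an added example that is not part of the original paper: both dimensions are obtained from ranks of projected generator matrices, using \(C^\perp \cap {\mathbf {F}}_q^{\overline{J}} = P_{\overline{J}}(C)^\perp \) and Eq. (6) with the roles of J and \(\overline{J}\) exchanged, and the qualified sets of the [[5, 1, 3]] code are enumerated. The function names are assumptions, and the rank routine covers prime q only, whereas the paper allows prime powers.

```python
from itertools import combinations

def rank_mod_p(rows, p):
    """Rank of a matrix over the prime field F_p (Gaussian elimination)."""
    rows = [[x % p for x in r] for r in rows]
    rank = 0
    for col in range(len(rows[0]) if rows else 0):
        pivot = next((r for r in range(rank, len(rows)) if rows[r][col]), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        inv = pow(rows[rank][col], -1, p)              # inverse of the pivot in F_p
        rows[rank] = [(x * inv) % p for x in rows[rank]]
        for r in range(len(rows)):
            if r != rank and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(a - f * b) % p for a, b in zip(rows[r], rows[rank])]
        rank += 1
    return rank

def project(rows, idx):
    """P_idx: keep the pairs (a_j, b_j) for participants j in idx (1-based)."""
    return [[r[2 * (j - 1) + t] for j in sorted(idx) for t in (0, 1)] for r in rows]

def is_qualified(gens, n, J, p=2):
    """Eq. (3): dim(C^perp ∩ F^Jbar) == dim(C ∩ F^Jbar), gens a basis of C."""
    J = set(J)
    Jbar = set(range(1, n + 1)) - J
    # C^perp ∩ F^Jbar = P_Jbar(C)^perp inside F_q^{2|Jbar|}
    dim_cperp = 2 * len(Jbar) - rank_mod_p(project(gens, Jbar), p)
    # C ∩ F^Jbar = C ∩ ker(P_J), so dim = dim C - dim P_J(C)
    dim_c = rank_mod_p(gens, p) - rank_mod_p(project(gens, J), p)
    return dim_cperp == dim_c

def qualified_sets(gens, n, p=2):
    """All share sets J satisfying Eq. (3); their complements are forbidden."""
    return [set(J) for r in range(n + 1)
            for J in combinations(range(1, n + 1), r)
            if is_qualified(gens, n, J, p)]

# Generators g_1..g_4 of the [[5,1,3]] stabilizer, copied from Sect. 4.
G513 = [(1, 0, 0, 1, 0, 1, 1, 0, 0, 0),
        (0, 0, 1, 0, 0, 1, 0, 1, 1, 0),
        (1, 0, 0, 0, 1, 0, 0, 1, 0, 1),
        (0, 1, 1, 0, 0, 0, 1, 0, 0, 1)]
```

For `G513` the qualified sets are exactly the share sets with three or more participants, so every set of at most two shares is forbidden.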