Abstract
We propose a unitary procedure to reconstruct quantum secret for a quantum secret sharing scheme constructed from stabilizer quantum error-correcting codes. Erasure correcting procedures for stabilizer codes need to add missing shares for reconstruction of quantum secret, while unitary reconstruction procedures for certain class of quantum secret sharing are known to work without adding missing shares. The proposed procedure also works without adding missing shares.
Similar content being viewed by others
Avoid common mistakes on your manuscript.
1 Introduction
Secret sharing (SS) [16] is a cryptographic scheme to encode a secret to multiple shares being distributed to participants, so that only qualified sets of participants can reconstruct the original secret from their shares. Traditionally both secret and shares were classical information (bits). Several authors [4, 6, 8, 17] extended the traditional SS to quantum one so that a quantum secret can be encoded to quantum shares.
There was a difference between early pioneering works [4, 6, 8, 17] of quantum SS. The first quantum SS [8] was based on the controlled teleportation [9, 20], whose reconstruction of quantum secret involved classical communication among participants. On the other hand, the others works [4, 6, 17] related reconstruction to quantum error correction [3, 18], and their reconstruction procedures were generally unitary operations on quantum shares. This paper studies reconstruction in the second category.
When we require unqualified sets of participants to have zero information of the secret, the size of each share must be larger than or equal to that of secret. By tolerating partial information leakage to unqualified sets, the size of shares can be smaller than that of secret. Such SS is called ramp SS [2, 19]. The quantum ramp SS was proposed by Ogawa et al. [14]. If an unqualified set has absolutely no information about quantum secret (see [14] for a formal definition), it is called a forbidden set.
When we have a quantum error-correcting code (QECC) of length n and use it for quantum secret sharing, it can correct erasures in a set \(\overline{J} \subset \{1\), ..., \(n\}\), and it was shown [4, 6] that \(J = \{1\), ..., \(n\} \setminus \overline{J}\) is a qualified set and \(\overline{J}\) is a forbidden set. The above statement also holds for quantum ramp SS [14]. In such a situation, a straightforward method for the set J of participants to reconstruct quantum secret is as follows: Firstly, initialize quantum systems in \(\overline{J}\) to any quantum states and apply the erasure decoding procedure of QECC. This method is wasteful because decoding procedures usually involve measurement and they also need to attach \(|\overline{J}|\) extra quantum systems. For example, if \(|J| = 70\) and \(|\overline{J}|=30\), adding 30 quantum systems and performing measurement on 100 systems are wasteful.
To overcome this waste, unitary reconstruction methods were proposed for previous proposals of quantum SS [4, 12, 14, 21]. On the other hand, while quantum SS constructed from the stabilizer QECC had been already studied [10, 11, 15], no unitary reconstruction procedure has been proposed for stabilizer-based quantum SS. Stabilizer-based quantum SS is important because it can realize access structures that cannot be realized by quantum SS based on CSS codes [3, 18]. For example, only the [[5, 1, 3]] binary stabilizer QECC can realize quantum SS distributing 1 qubit of secret to 5 participants receiving 1-qubit shares and allowing only 3 or more participants to reconstruct secret. In addition, when sharing classical secret, it was recently shown that stabilizer QECC can realize an access structure that cannot be realized by classical information processing [13].
In this paper, we propose a unitary reconstruction method that can be executed by a qualified set J of participants without adding extra quantum systems. In Sect. 2, we introduce notations of stabilizer QECC and prove some properties of stabilizer QECC used later in the proposed reconstruction procedure. Section 3 describes the proposed procedure. Section 4 gives an explicit computational example of the proposed procedure applied to the well-known [[5, 1, 3]] binary stabilizer QECC. In “Appendix,” we discuss the security of quantum SS based on stabilizer QECCs.
2 Preliminaries
2.1 Notations for stabilizer codes
Let q be a prime power, and we consider the q-dimensional complex linear space \({\mathbf {C}}_q\). A quantum system whose state is expressed by \({\mathbf {C}}_q\) is called a qudit in this paper. Each share is assumed to be a qudit, and quantum secret consists of one or more qudits. If quantum secret has two or more qudits, the quantum SS becomes a ramp scheme. We fix a q-ary stabilizer QECC encoding k qudits to n qudits. The materials in this subsection are not new at all and can be found in, for example, [1, 7]. Its stabilizer can be expressed as an \((n-k)\)-dimensional \({\mathbf {F}}_q\)-linear subspace C of \({\mathbf {F}}_q^{2n}\), where \({\mathbf {F}}_q\) is the finite field with q elements.
For two vectors \(\mathbf {x} = (a_1\), \(b_1\), ..., \(a_n\), \(b_n)\) and \(\mathbf {y} = (a'_1\), \(b'_1\), ..., \(a'_n\), \(b'_n) \in {\mathbf {F}}_q^{2n}\), we define its symplectic inner product as
Let \(C^\perp = \{ \mathbf {x} \in {\mathbf {F}}_q^{2n} \mid \forall \mathbf {y} \in C\), \(\langle \mathbf {x}\), \(\mathbf {y}\rangle =0\}\). Then we have \(C^\perp \supset C\) and \(\dim C^\perp = n+k\).
2.2 Qualified sets and related properties
To use any reconstruction procedure, the set J of participants must be qualified to reconstruct the secret. In this subsection, we clarify a necessary and sufficient condition for qualified sets and related properties that are later used for the proposed reconstruction procedure.
For a set \(J \subset \{1\), ..., \(n\}\) of participants to be qualified, the erasures in \(\overline{J}\) must be decodable, where an erasure means a quantum error with known location. In other words, when the errors are only in \(\overline{J}\), the stabilizer QECC defined by the stabilizer \(C \subset {\mathbf {F}}_q^{2n}\) must be able to correct the error.
Let \(\mathbf {g}_1\), ..., \(\mathbf {g}_{n-k}\) be a basis of C. A quantum error can also be identified with a vector \(\mathbf {e} =(a_1\), \(b_1\), ..., \(a_n\), \(b_n) \in {\mathbf {F}}_q^{2n}\) (see, e.g., [1, 7]). Measurement in the standard decoding procedure gives the symplectic inner products \(\langle \mathbf {e}\), \(\mathbf {g}_i\rangle \) for \(i=1\), ..., \(n-k\). Let \({\mathbf {F}}_q^{\overline{J}} = \{ (a_1\), \(b_1\), ..., \(a_n\), \(b_n) \in {\mathbf {F}}_q^{2n} \mid \) \( j \in J \Rightarrow (a_j\), \(b_j) = (0\), \(0) \}\) and \({\mathbf {F}}_q^{J} = \{ (a_1\), \(b_1\), ..., \(a_n\), \(b_n) \in {\mathbf {F}}_q^{2n} \mid \) \( j \in \overline{J} \Rightarrow (a_j\), \(b_j) = (0\), \(0) \}\). Observe that \(\dim {\mathbf {F}}_q^J = 2|J|\) and \(\dim {\mathbf {F}}_q^{\overline{J}} = 2|\overline{J}|\).
Under the assumption \(j \in J \Rightarrow (a_j\), \(b_j) = (0,0)\) for \(\mathbf {e}\), we can correct all errors \(\mathbf {e} \in {\mathbf {F}}_q^{\overline{J}}\) if and only if the implication
holds. The condition (2) implies (with the assumption that errors belong to \(\overline{J}\))
On the other hand, the assumption \(C^\perp \supset C\) implies
Therefore, the condition (2) is equivalent to
We will study the linear spaces consisting of qudits in J or \(\overline{J}\) of quantum codewords. Let \(Q(C)\subset {\mathbf {C}}_q^{\otimes n}\), \(Q(C\cap {\mathbf {F}}_q^{\overline{J}}) \subset {\mathbf {C}}_q^{\otimes |\overline{J}|}\), \(Q(C\cap {\mathbf {F}}_q^J)\subset {\mathbf {C}}_q^{\otimes |J|}\) be stabilizer QECCs defined by C, \(C\cap {\mathbf {F}}_q^{\overline{J}}\), and \(C\cap {\mathbf {F}}_q^J\), respectively. When we consider qudits in J (resp. \(\overline{J}\)) of codewords in Q(C), their quantum states are density matrices whose row spaces are contained in \(Q(C\cap {\mathbf {F}}_q^J)\) (resp. \(Q(C\cap {\mathbf {F}}_q^{\overline{J}})\)).
In order to evaluate their dimensions, firstly we have to evaluate \(\dim C\cap {\mathbf {F}}_q^J\) and \(\dim C\cap {\mathbf {F}}_q^{\overline{J}}\), where \(\dim C\cap {\mathbf {F}}_q^J\) denotes the dimension of the linear space \(C\cap {\mathbf {F}}_q^J\). We have
The linear space \(C\cap {\mathbf {F}}_q^J\) consists of vectors in C whose \((2j-1)\)th component and 2jth component are zero if \(j \in \overline{J}\), which implies \(\dim C - \dim C\cap {\mathbf {F}}_q^J \le 2 |\overline{J}|\). Equation (4) holds because
For \(\mathbf {x} = (a_1\), \(b_1\), ..., \(a_n\), \(b_n) \in {\mathbf {F}}_q^{2n}\), let \(P_{\overline{J}} (\mathbf {x}) = (a_j, b_j)_{j \in \overline{J}}\), that is, the projection to the index set \(\overline{J}\). Then we have \(C\cap {\mathbf {F}}_q^J = C \cap \ker (P_{\overline{J}})\) and \(\dim C\cap {\mathbf {F}}_q^J + \dim P_{\overline{J}}(C) = \dim C\), which implies
Suppose that Eq. (5) does not hold, then we have \(\dim P_{\overline{J}}(C) < |\overline{J}|\) by Eq. (6) and the equality \(n=|J|+|\overline{J}|\). Since \(C^\perp \cap {\mathbf {F}}_q^{\overline{J}} = P_{\overline{J}}(C)^\perp \) (\(\perp \) in \(P_{\overline{J}}(C)^\perp \) is considered in \({\mathbf {F}}_q^{2|\overline{J}|}\)), we have \(\dim C^\perp \cap {\mathbf {F}}_q^{\overline{J}} = 2|\overline{J}| - \dim P_{\overline{J}}(C) > |\overline{J}|\). The last inequality implies \(\dim C^\perp \cap {\mathbf {F}}_q^{\overline{J}}> |\overline{J}| > \dim P_{\overline{J}}(C) \ge \dim C \cap {\mathbf {F}}_q^{\overline{J}}\) because \(P_{\overline{J}}(C) \supseteq C \cap {\mathbf {F}}_q^{\overline{J}}\). The inequality \(\dim C^\perp \cap {\mathbf {F}}_q^{\overline{J}}> \dim C \cap {\mathbf {F}}_q^{\overline{J}}\) contradicts with Eq. (3). So we see that Eq. (5) is true when J is a qualified set.
In light of Eqs. (4) and (5), let \(\dim C\cap {\mathbf {F}}_q^J = |J| - k - \ell \). Then \(Q(C\cap {\mathbf {F}}_q^J)\) encodes \(k+\ell \) qudits to |J| qudits.
We consider \(\dim C\cap {\mathbf {F}}_q^{\overline{J}}\). By Eq. (3) we have
which means that \(Q(C\cap {\mathbf {F}}_q^{\overline{J}})\) encodes \(\ell \) qudits to \(|\overline{J}|\) qudits. Readers might wonder if \(\ell =|\overline{J}|\) is always true. The equality \(\ell = |\overline{J}|\) usually holds as we will see in Sect. 4 with an example. But \(\ell = |\overline{J}|\) is sometimes false in general cases, for example, consider an unpractical stabilizer QECC whose codewords are always set to \(|00\cdots 0\rangle \) in \(\overline{J}\), which gives \(\ell =0\).
3 Proposed unitary reconstruction
For ease of presentation, without loss of generality we may assume \(\overline{J} = \{1\), ..., \(|\overline{J}|\}\) and \(J = \{ |\overline{J}| + 1\), ..., \(n\}\), by reordering indices. Let
be an orthonormal basis (ONB) of \({\mathbf {C}}_q^{\otimes k}\), let \(|\psi (\mathbf {i^{(k)}})\rangle \in Q(C)\) the quantum codeword corresponding to \(|\mathbf {i^{(k)}}\rangle \). Let
be an ONB of \(Q(C\cap {\mathbf {F}}_q^{\overline{J}})\). Then
have the same nonzero length for all \(\mathbf {i^{(k)}}\) and \(\mathbf {i^{(\ell )}}\), where \(I_J\) is the identity matrix on qudits in J. Because otherwise the Holevo information between classical information \(\mathbf {i^{(k)}}\) and the qudits in \(\overline{J}\) would have strictly positive value which contradicts by Ogawa et al. [14] to our assumption that J is a qualified set
Define a state vector \(|\varphi _J(\mathbf {i^{(k)}}, \mathbf {i^{(\ell )}})\rangle \in Q(C\cap {\mathbf {F}}_q^J)\) by
Then \(|\varphi _J(\mathbf {i^{(k)}}, \mathbf {i^{(\ell )}})\rangle \) is of length one and orthogonal to each other for different \((\mathbf {i^{(k)}}\), \(\mathbf {i^{(\ell )}})\). Therefore,
is an ONB of \(Q(C\cap {\mathbf {F}}_q^J)\).
By using the above notations, we can express
We can define a unitary operation \(U_{\mathrm {rec}}\) from \(Q(C\cap {\mathbf {F}}_q^J)\) to \(Q(C\cap {\mathbf {F}}_q^{\overline{J}})\otimes {\mathbf {C}}_q^{\otimes k}\), sending \(|\varphi _J(\mathbf {i^{(k)}}, \mathbf {i^{(\ell )}})\rangle \) to \(|\varphi _{\overline{J}}(\mathbf {i^{(\ell )}})\rangle |\mathbf {i^{(k)}}\rangle \), because both \(\{ |\varphi _J(\mathbf {i^{(k)}}, \mathbf {i^{(\ell )}})\rangle \mid \mathbf {i^{(k)}} \in {\mathbf {F}}_q^k\), \(\mathbf {i^{(\ell )}} \in {\mathbf {F}}_q^\ell \}\) and \(\{ |\varphi _{\overline{J}}(\mathbf {i^{(\ell )}})\rangle |\mathbf {i^{(k)}}\rangle \mid \mathbf {i^{(k)}} \in {\mathbf {F}}_q^k\), \(\mathbf {i^{(\ell )}} \in {\mathbf {F}}_q^\ell \}\) are ONBs with the same number of quantum state vectors in them.
Suppose that quantum secret is
where \(\alpha (\mathbf {i^{(k)}})\) are complex coefficients. Then the whole quantum state of all shares is, by Eq. (12),
Applying \(U_{\mathrm {rec}}\) on the qualified set J yields
Equation (13) means that the quantum secret is reconstructed in the rightmost k qudits and that it is unentangled from the rest of qudits.
4 Explicit computational example of the [[5, 1, 3]] binary stabilizer QECC
Since our presentation of the proposed procedure is slightly abstract, in this section we will see an explicit computational example with the [[5, 1, 3]] binary stabilizer QECC. According to Gottesman [5], the [[5, 1, 3]] binary stabilizer QECC encodes \(|0\rangle \) to
and \(|1\rangle \) to
According to Gottesman [5, Table 3.2], the corresponding stabilizer \(C \subset {\mathbf {F}}_2^{10}\) is generated by
Since it can correct any two erasures, we can set \(J=\{3\), 4, \(5\}\) and \(\overline{J} = \{1\), \(2\}\). Since \(C \cap {\mathbf {F}}_2^{\overline{J}} = C^\perp \cap {\mathbf {F}}_2^{\overline{J}}\) are zero linear spaces, we can see that Eq. (3) holds and \(\ell =2\). We can choose \(|\varphi _{\overline{J}}(\mathbf {i^{(\ell )}})\rangle \) of Eq. (8) as \(|\varphi _{\overline{J}}(00)\rangle =|00\rangle \), \(|\varphi _{\overline{J}}(01)\rangle =|01\rangle \), \(|\varphi _{\overline{J}}(10)\rangle =|10\rangle \), and \(|\varphi _{\overline{J}}(11)\rangle =|11\rangle \). Then \(|\varphi _J(\mathbf {i^{(k)}}, \mathbf {i^{(\ell )}})\rangle \) of Eq. (10) become the following states:
The unitary reconstruction \(U_{\mathrm {rec}}\) works as follows:
If the quantum secret is \(\alpha (0)|0\rangle + \alpha (1)|1\rangle \), then the quantum state of all shares is \(\alpha (0)|\psi (0)\rangle + \alpha (1)|\psi (1)\rangle \). Application of \(U_{\mathrm {rec}}\) to the 3rd, the 4th and the 5th qubits of \(\alpha (0)|\psi (0)\rangle + \alpha (1)|\psi (1)\rangle \) gives
which means that the 3rd, the 4th and the 5th participants successfully reconstructed the quantum secret into the 5th qubit. Also observe that after the reconstruction the 5th qubit is completely unentangled from the rest of qubits. Since the proposed procedure only interacts with the 3rd to the 5th qubits, even if there are errors in the 1st and the 2nd qubits, after reconstruction we obtain \(\alpha (0)|0\rangle + \alpha (1)|1\rangle \) at the 5th qubit.
5 Appendix: security analysis
For the completeness of this paper, in this appendix we discuss the security of quantum SS based on stabilizer QECCs. For the security analysis of quantum secret sharing based on quantum error correction, such as [4, 6], we need to clarify (a) which share sets are qualified (being able to reconstruct secret perfectly) and (b) which share sets are forbidden (having no information about secret). The characterization of qualified sets in the proposed scheme is given by Eq. (3). Observe also that from a given basis \(\mathbf {g}_1\), ..., \(\mathbf {g}_{n-k}\) of C, we can easily verify by standard linear algebra whether or not Eq. (3) holds for an arbitrarily given share set J. The characterization of forbidden sets also immediately follows from the fact that a share set is forbidden if and only if the rest of shares is qualified, as shown in [4, 6, 14].
References
Ashikhmin, A., Knill, E.: Nonbinary quantum stabilizer codes. IEEE Trans. Inform. Theory 47(7), 3065–3072 (2001)
Blakley, G.R., Meadows, C.: Security of ramp schemes. In: Advances in Cryptology–CRYPTO’84. Lecture Notes in Computer Science, vol. 196, pp. 242–269. Springer (1985). doi:10.1007/3-540-39568-7_20
Calderbank, A.R., Shor, P.W.: Good quantum error-correcting codes exist. Phys. Rev. A 54(2), 1098–1105 (1996)
Cleve, R., Gottesman, D., Lo, H.K.: How to share a quantum secret. Phys. Rev. Lett. 83(3), 648–651 (1999). doi:10.1103/PhysRevLett.83.648
Gottesman, D.: Stabilizer codes and quantum error correction. Ph.D. thesis, California Institute of Technology (1997)
Gottesman, D.: Theory of quantum secret sharing. Phys. Rev. A 61(4), 042311 (2000). doi:10.1103/PhysRevA.61.042311
Grassl, M.: Variations on encoding circuits for stabilizer quantum codes. In: Chee, Y.M., et al. (eds.) IWCC 2011, Lecture Notes in Computer Science, vol. 6639, pp. 142–158. Springer (2011)
Hillery, M., Bužek, V., Berthiaume, A.: Quantum secret sharing. Phys. Rev. A 59, 1829–1834 (1999). doi:10.1103/PhysRevA.59.1829
Karlsson, A., Bourennane, M.: Quantum teleportation using three-particle entanglement. Phys. Rev. A 58, 4394–4400 (1998). doi:10.1103/PhysRevA.58.4394
Marin, A., Markham, D.: Equivalence between sharing quantum and classical secrets and error correction. Phys. Rev. A 88(4), 042332 (2013). doi:10.1103/PhysRevA.88.042332
Markham, D., Sanders, B.C.: Graph states for quantum secret sharing. Phys. Rev. A 78(4), 042309 (2008). doi:10.1103/PhysRevA.78.042309
Matsumoto, R.: Coding theoretic construction of quantum ramp secret sharing, (2014). arXiv:1405.0149
Matsumoto, R.: Quantum stabilizer codes can realize access structures impossible by classical secret sharing. IEICE Trans. Fundamentals E100-A(12) (2017). To be published, arXiv:1701.02911
Ogawa, T., Sasaki, A., Iwamoto, M., Yamamoto, H.: Quantum secret sharing schemes and reversibility of quantum operations. Phys. Rev. A 72(3), 032318 (2005). doi:10.1103/PhysRevA.72.032318
Sarvepalli, P.K.: Nonthreshold quantum secret-sharing schemes in the graph-state formalism. Phys. Rev. A 86(4), 042303 (2012). doi:10.1103/PhysRevA.86.042303
Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979). doi:10.1145/359168.359176
Smith, A.D.: Quantum secret sharing for general access structures (2000). arXiv:quant-ph/0001087
Steane, A.M.: Multiple particle interference and quantum error correction. Proc. R. Soc. London Ser. A 452(1954), 2551–2577 (1996)
Yamamoto, H.: Secret sharing system using \((k, l, n)\) threshold scheme. Electron. Commun. Jpn. Part I Commun. 69(9), 46–54 (1986). doi:10.1002/ecja.4410690906
Yang, C.P., Chu, S.I., Han, S.: Efficient many-party controlled teleportation of multiqubit quantum information via entanglement. Phys. Rev. A 70, 022329 (2004). doi:10.1103/PhysRevA.70.022329
Zhang, P., Matsumoto, R.: Quantum strongly secure ramp secret sharing. Quantum Inf. Process. 14(2), 715–729 (2015). doi:10.1007/s11128-014-0863-2
Acknowledgements
The author would like to thank reviewers’ comments that improved this paper significantly. This research is partly supported by the JSPS Grant No. 26289116.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.
About this article
Cite this article
Matsumoto, R. Unitary reconstruction of secret for stabilizer-based quantum secret sharing. Quantum Inf Process 16, 202 (2017). https://doi.org/10.1007/s11128-017-1656-1
Received:
Accepted:
Published:
DOI: https://doi.org/10.1007/s11128-017-1656-1