An Efficient Quantum Secret Sharing Scheme Based on Restricted Threshold Access Structure

Quantum secret sharing is an important branch of quantum cryptography, and secure multi-party quantum key distribution protocols can be constructed using quantum secret sharing. In this paper, we construct a quantum secret sharing scheme built on a constrained (t, n ) threshold access structure, where n is the number of participants and t is the threshold number of participants and the distributor. Participants from two different sets perform the corresponding phase shift operations on two particles in the GHZ state passed to them, and then t−1 participants with the distributor can recover the key, where the participant recovering the key measures the particles received by himself and finally obtains the key through the collaboration of the distributors. Security analysis shows that this protocol can be resistant to direct measurement attacks, interception retransmission attacks, and entanglement measurement attacks. This protocol is more secure, flexible, and efficient compared with similar existing protocols, which can save more quantum resources.


Introduction
Secret sharing is an important branch of information security research, and it provides new ideas for solving key management problems [1,2]. The secret sharing system divides the shared secrets into sub-secrets, which are sent separately to several participants for safekeeping, and it specifies which participants can restore the secrets together and which participants cannot cooperate to obtain the approved secret information. Quantum secret sharing is an important research direction in quantum cryptography, which combines quantum theory and classical secret sharing and belongs to a kind of quantum key distribution in quantum key management [3][4][5][6].
Quantum secret sharing means that the distributor divides a classical or quantum message into several copies, and only the participants in the authorized set can recover the secret, while the participants in the non-authorized set cannot recover the secret. The security of the quantum secret sharing scheme is significantly improved in terms of the security of sharing compared to computationally complex classical secrets due to the guarantee of the relevant fundamental principles in quantum exploitation.
The first quantum secret sharing (QSS) scheme was proposed by Hillery [7] in 1999 using the Greenberger-Horne-Zeilinger (GHZ) state. In the same year, Cleve et al. [6] proposed the threshold QSS scheme using the quantum error correction code theory, where the threshold quantum secret sharing scheme means that the distributor divides the secret information into n copies and sends them to n participants separately, and at least t participants cooperate to recover the secret; however, the set of less than t participants cannot recover the secret. Since then, increasingly quantum secret sharing schemes have been proposed [8][9][10][11][12][13][14], and some of these schemes are based on quantum physical properties to share classical information, while some schemes are based on quantum mechanics principles to share arbitrary quantum state information.
Many researchers have designed series of different types of schemes based on different quantum principles, such as based on single photons [15][16][17], product states [18][19][20], and entangled states [21][22][23][24][25], respectively. Among the above secret sharing schemes, threshold schemes occupy an important position [6,13,[26][27][28][29][30][31]; however, in practical applications, the authorized subset may not consist of any t participants, and there are some occasions in which the permissions of certain participants are restricted, such as confidential data restoration, hierarchical structures, and financial infidelity. Therefore, the (t, n) threshold structure is not suitable for these occasions.
In 2013, Gheorghiu et al. [21] constructed the first quantum secret sharing scheme by local operations and classical communication (LOCC); in 2015, Rahaman et al. [22] gave a QSS model based on LOCC. The above two schemes are built on restricted (t, n) threshold type access structures. This type of access structure does not belong to the general (t, n) threshold structure and can satisfy the use of secret sharing in some special cases. Since this scheme is simple and efficient [22], a number of scholars have constructed many QSS schemes based on this class of restricted access structures on the basis of this property of local distinguishability of quantum states [23][24][25][26].
However, all the above schemes utilize the entangled states of n particles, and when the number of participants n is large, n-qudit entangled states are currently difficult to make. Therefore, how to utilize the entangled states of a small number of particles for such restricted threshold structures to accomplish the distribution of multi-party quantum keys is a problem that needs to be solved in the construction of QSS schemes. In this paper, we use phase shift operation based on three-particle entangled states to achieve multi-party quantum key distribution on this kind of restricted access structures, which is an efficient and secure protocol, and at the same time, saves more quantum resources compared with similar protocols. This paper is organized as follows: In Section 1, we give the phase shift operator and its properties. Then, the detailed procedure of the scheme is given in Section 2. Next, the correctness and security of this scheme is proven in Sections 3 and 4, respectively. The efficiency and other metrics of this protocol are compared with several protocols of the same type in Section 5. Finally, a short conclusion is provided in Section 6.

Preliminary Knowledge
This section further studies the properties of unitary operators on the basis of literature [28], providing a theoretical basis for constructing the multi-party quantum key distribution protocol in this paper. Let Z p be a finite field and p be an odd prime number. The GHZ states used in this paper are |GHZ 000 and |GHZ 100 , where An angle a shift operation is performed on the relative phase on the j-TH particle of GHZ, denoting by U j (a), where where a ∈ Z p , j = 1, 2, 3.

Lemma 1.
For the |GHZ state, we have where I is a constant operator.
Proof. Prove that the equation holds only for the case |GHZ = |GHZ 000 . Other cases can be proven similarly.
Similarly, it can be proven that |000 + e i·a |111 .
Lemma 1 shows the result that a shift of angle a to particle 1 of the GHZ state is equivalent to a shift of angle a to its particle 2 or 3.

Lemma 2.
For the |GHZ state, we have (2) Proof. We only prove that the equation holds for the case of |GHZ = |GHZ 000 ; the other cases can be proven similarly. Since |000 + e i·(a+b) |111 Therefore, when |GHZ = |GHZ 000 , (U 1 (a) ⊗ I ⊗ I)(U 1 (b) ⊗ I ⊗ I)|GHZ = U 1 (a + b) ⊗ I ⊗ I|GHZ holds. It can be proven in the same way that, when |GHZ = |GHZ 100 , there Lemma 2 shows that the result of performing two consecutive shifts of angles a and b on a particle of the quantum state GHZ is equivalent to performing a shift of angle a + b on this particle. Using Lemma 2, by induction, we have the following result: Theorem 1. For the |GHZ state, we have, Theorem 1 shows that the result of performing l successive shifts of angle a i on a particle of the quantum state |GHZ is equivalent to performing a shift of angle a 1 + a 2 + · · · + a l on this particle, where i = 1, 2, · · · , l.

The Proposed Protocol
In this section, we propose a multi-party quantum secret sharing protocol based on generalized GHZ states. This QSS protocol is divided into three phases: the initial phase, share distribution phase, and secret reconstruction phase.

Share Distribution Phase
In this phase, Alice shares sub-shares among the participants in the set P (1) ∪ P (2) .
x 0 are all not equal to each other.

3) Distribution of quantum state sequences
Alice lets the first particles in the sequence {|ϕ 1 , |ϕ 2 , · · · , |ϕ m } form the sequence G 1 , the second particles form the sequence G 2 , and the third particles form the sequence G 3 . Alice keeps all the particles in the sequence G 1 and does the phase shift operation U(2π − S + S 0 ) on all the particles in the sequence G 1 , where (4) Alice forms the sequence H 1 with the first particles in the sequence {|φ 1 , |φ 2 , · · · , |φ m }, the sequence H 2 with the second particle, and the sequence H 3 with the third particles. Alice takes random particles from the sequences G 2 and H 2 and sends them to (1) . Alice takes some particles from the sequences G 3 and H 3 randomly and then sends them to the participant P (2) 1 from the set P (2) , Alice records the serial numbers of the particles when they are sent from G i and H i (i = 2, 3), and Alice herself keeps all the particles from G 1 and H 1 .
The structure of the quantum network between Alice and all participants in this scheme is illustrated in Figure 1.
where r ∈ {1, 2, · · · , t 2 }. 1 and tells them about the position of each particle in the sequences G 2 , H 2 and G 3 , H 3 , respectively. The participants P 2 ) for each particle in G 2 and G 3 , respectively. Then, they send the particle sequences G 2 , H 2 and G 3 , H 3 to participant P (1) (i+2)modt 1 and participant P (2) 3 , respectively, and tell them about the position of each particle in the sequences G 2 , H 2 and G 3 , H 3 .

(8) Transferring particles to P
(1) (i+t 1 −1)modt 1 and P (2) t 2 Follow the above steps and so on, until P (1) (i+t 1 −1)modt 1 and P (2) t 2 receive the particle sequences G 2 , H 2 and G 3 , t 2 do phase shift each of the particles in G 2 and G 3 by U 2 (S (1) (i+t 1 −1)modt 1 ) and U 3 (S (2) t 2 ), respectively. Then, P (1) (i+t 1 −1)modt 1 sends the particle sequence G 2 , H 2 back to P (1) i . At the same time, P (2) t 2 also sends the particle sequence G 3 , H 3 back to P (1) i and tells P (1) i the position of each particle from the particle sequence G 2 , H 2 and G 3 , H 3 . Finally, participant i ) for each of the particles from the sequence G 2 .

Detecting Eavesdropping
Alice uses the measurement base B x = {|x , | − x } to measure the particles in the sequence H 1 . Then, P For |GHZ 000 and |GHZ 100 , when Alice and P (1) i measure with the above bases, the following four combinations of measurement bases with associated properties occur.
(1) If both sides measure |GHZ 000 with B x , B x , B x -bases, then (2) If both sides measure |GHZ 000 with B x , B y , B y -bases, then (4) If both sides measure |GHZ 100 with B x , B y , B y -bases, then From the above results, it is clear that, when Alice measures the particles from the sequence H 1 with basis B x , P (1) i measures the corresponding particles, which he holds using the basis B x or B y , then the measurements are correlated; see Table 1.
When these measurements are completed, Alice asks P (1) i to tell her the results of their measurements; however, Alice will not open her measurement base. Then, Alice statistically determines the error rate from Table 1. If the error rate is above a certain threshold, this communication is abandoned. Otherwise, this protocol continues.

Measuring Information Particles
When Alice and P (1) i confirms that the channel is secure, Alice measures her particle sequence G 1 , and P (1) i measures her particle sequence G 2 and G 3 .
(1) First, P (1) i secretly selects the random sequence K consisting of 0 and 1 and uses the following rules to measure the particles from sequence G 2 and G 3 from their own hand, and the rules for the measuring base are as follows: When the j-th bit of K is equal to 0, it selects the B x base.
When the j-th bit of K (1,i) 1 is equal to 1, it selects the B y base.
(2) P (1) i uses the same base to measure the particles from sequences G 2 and G 3 and records these results. These measurements are converted into binary numbers-that is, | + x and | + y correspond to 1, while | − x and | − y correspond to 0, which in turn constitute two subkeys of P

Reconstruction and Detection of Keys
i retains S as the shared key. Otherwise, he judges that some of the participants had offered a false share in the secret recovery process and can therefore abandon this round.
Next, we present the process in which participant P (1) i (i ∈ {1, 2, · · · , t 1 }) from the set P (1) gives their shares to all participants. For the ease of presentation, we arranged the order in which the participants from the set P (2) pass the particles with the natural order of their numbers. Figure 2a shows the transferring process of the information particle in the q-th GHZ state where the GHZ state consists of a green ball G 3 , q ∈ {1, 2, · · · , m}. First, Alice does the U(2π − S + S 0 ) phase operation to particle G  The process participant P (2) i (i ∈ {1, 2, · · · , t 2 }) from the set P (2) shares the sub-shares for all participants, which is similar to the above process.

Proof. First, if Alice and P
(1) i confirm that the channel is secure, the quantum state |ϕ j will become U 1 (2π − S + S 0 ) ⊗ I ⊗ I|ϕ j when Alice has performed the phase shift operation j ∈ {1, 2, · · · , m}. In the recovery phase, according to Theorems 1 and 2, after t − 1 participants have performed a phase shift operation, the quantum state U 1 (2π − S + S 0 ) ⊗ I ⊗ I|ϕ j will become Here, it is easy to see from Lagrange's formula that r . Thus, P (1) i will recover the sequence of quantum states {|ϕ 1 , |ϕ 2 , · · · , |ϕ m }.
Next, we will prove that, when Alice and P (1) i confirmed that the channel is security, P (1) i will obtain the following equation according to this protocol, i.e., Here, S = (s 1 , s 2 , · · · , s m ), s i ∈ {0, 1}, i = 1, 2, · · · , m. Let where M is a 5 × m matrix. Let us first analyze the value of the j-th column of this matrix M.

Case (1)
When the j-th portion of S is 0, i.e., the j-th entangled state of S is encoded as |GHZ 100 . In this case, there are two ways that K ) will take the following two cases.
In case (i), the j-th element of K ) will take the following two cases.
In case (i), the j-th element of K Case (2) When the j-th portion of S is 1, i.e., the j-th entangled state that S is encoded as |GHZ 000 , in this case, there are two ways that K ) takes the following two cases.
In case (i), the j-th element of K From the above analysis, it is clear that the j-th column of M is in the following four cases.
Equations (13)- (16) give all the values of the j-th row element of the matrix M, which shows that the first column of M is exactly the sum of the remaining four rows; thus, we have proven that S = K (1,i) . Therefore, P (1) i (i ∈ {1, 2, · · · , t 1 }) will finally obtain the key S distributed by Alice.

Security Analysis of the Protocol
The security of the protocol relies on the decoy particle sequences randomly inserted during the transmission of quantum information. In this protocol, Alice sends randomly selected particles from sequences G 2 and H 2 to participant P (1) i from the set P (1) and randomly selected particles from sequences G 3 and H 3 to participant P (2) 1 from the set P (2) . Then, when these information particles are transmitted according to Figure 2a, the decoy particles are also interspersed with the information particle sequence until P (1) i receives the particles from sequence G 2 and G 3 , and the particles in sequence H 2 and H 3 . P (1) i will detect this round of communication by detecting particles from the decoy state sequences H 2 and H 3 .
If the measurement is above a certain threshold, it indicates that there is the presence of an external eavesdropper, Eve. This means that any attack from an external eavesdropper will be detected with a certain probability during the eavesdropping inspection phase. That is to say, this protocol can prevent eavesdropping from external attackers, thus, achieving the security of the scheme. In essence, this prevents eavesdropping by external attackers. The types of attacks that the protocol can resist are further discussed below based on certain properties.

Direct Measurement by the Attacker
If the eavesdropper Eve attacks the two particles in the GHZ state by measuring the two transmitting particles, which are distributed to participants from the set P (1) and P (2) , respectively. However, Eve cannot measure both particles at the same time, she can only measure one of them.
Assuming that the i-th initial GHZ state is |ϕ i = 1 √ 2 (|000 + |111 ) , then, after Alice performs the phase shift operation U 1 (2π − S + S 0 ) on the first particle in the quantum state |ϕ i , the participants perform the phase shift operation on |ϕ i in turn. After Alice has operated on the quantum state |ϕ i , suppose that l 1 (l 1 ∈ {1, 2, · · · , t 1 }) participants from the set P (1) have performed l 1 operations and l 2 (l 2 ∈ {1, 2, · · · , t 2 }) participants from the set P (2) have performed l 2 operations. Using Theorems 1 and 2, it follows that the quantum state |ϕ i then becomes where From Equation (6), the probability of each particle in the GHZ state existing in state |0 or |1 is Furthermore, since l i (i = 1, 2) was arbitrary, it was impossible for Eve to obtain any useful information by measuring the GHZ particles that had been passed on.

Interception-Relaunch Attack
Eve may have intercepted the particles in the participants' hands and sent her own counterfeit particles to the participants. In this case, Eve cannot obtain any information about the key. This is because it is known from this protocol construction process that the entire key is obtained through the post-processing phase after the transferring the particle sequences G (2) and G (3) from the GHZ sequence {|ϕ 1 , |ϕ 2 , . . . , |ϕ m }, during which the original quantum sequence {|ϕ 1 , |ϕ 2 , . . . , |ϕ m } requires the phase shifting operations of each participant, and these unitary matrices are known only by each participant.
Even if Eve tries to intercept the last round of particles, we suppose that the P (1) i (i ∈ {1, 2, · · · , t 1 }) can reconstruct the key. Specifically, if Eve had managed to intercept particles from P

Entanglement Measurement Attack
Eve tries to launch an entanglement attack when the participants from the sets P (1) and P (2) each transport particles. Let us set that, when the participant P i+1(modt 1 ) , Eve launches an entanglement attack, and the auxiliary qubit is |E init , while the entanglement bit and the auxiliary qubit form a hybrid quantum state, j , E denote the holders of four particles from the entangled state Ψ and Eve, respectively, where i ∈ {1, 2, · · · , t 1 }, j ∈ {1, 2, · · · , t 2 }.
The attacker applies a quantum operation to Ψ Since |E init is a qubit |0 E or |1 E , let us say that |E init = |0 E , and let the U(ε) act on the particles held by P (1) i and Eve. Then, we have According to the Schmidt decomposition of the quantum state, let and then where |E 1 ⊥ |E 2 , Ẽ 1 ⊥ Ẽ 2 , and E 1 |Ẽ 2 + E 2 |Ẽ 1 = 0. From Equation (12) and the key generation process of this protocol, it is clear that Eve cannot obtain any information about the key from U(ε) Ψ

Comparisons
We analyzed and compared the proposed QSS protocol with several similar existing QSS protocols-namely, RP2015 [22], YGWQZW2015 [26], BLWLL2018 [16], and LYZ2021 [25], based on four parameters, including the universality of the scheme, communication costs, computational costs, and the efficiency of the scheme as shown in Table 2. First, the similarity of these schemes is that their access structure is a kind of special threshold structure.
Universality is shown in Table 2, which includes the theoretical basis of these schemes' dependency, the adaptive access structure, the trajectory of information particles, the number of participants who ultimately calculate the key, and the key validation. Communication costs are based on the transmitted particles, i.e., information particles and decoy particles. The cost is calculated according to the following three parameters: the unitary operation, the measurement operation, and the hash function. Finally, we give the efficiency of each scheme. Information Efficiency η [32] is defined as η = c q , in which c represents the number of classical bits shared and q represents the total number of qubits transmitted within a quantum channel. According to this efficiency formula, the information efficiency of a protocol sharing m classical information can be expressed as η = m n 1 m+n 2 v , where n 1 represents the number of particles contained in each quantum state when m bits of classical information are converted to m quantum state information. n 2 represents the number of particles contained in each quantum state in which the eavesdropping is detected. Furthermore, v represents the number of quantum states in which the eavesdropping is detected. Let v = L when the detected particles are entangled, and let v = l when the detected particles are single photons.
For the sake of parameter uniformity, the communication and computational costs required to recover the key once for t participants in each scenario are calculated in Table 1.
(1) RP2015 Protocol The RP2015 protocol distribution model is a tree structure, i.e., the distributor distributes t information particles from the GHZ state to t participants, all from the two-dimensional Hilbert space. m GHZ states are used to share m bits of classical information, while L GHZ states are applied to detect eavesdropping . Thus, the information efficiency of both schemes is m t(m+L) . The access structure of the participants in this distribution model is a restricted threshold structure, which is also a fully bipartite graph structure.
(2) YGWQZW2015 Protocol The distribution YGWQZW2015 model is a tree structure, i.e., the distributor distributes t information particles from the GHZ state to t participants, unlike in the BLWLL2018 protocol [16] where these particles are all from the K-dimensional Hilbert space. m GHZ states are used to share m bits of classical information, while L GHZ states are applied to detect eavesdropping. Therefore, the information efficiency of this scheme is m t(m+L) . The access structure of the participants in this allocation model belongs to the fully bipartite graph.
(3) BLWLL2018 Protocol This distribution model of the BLWLL2018 scheme is also a tree structure, i.e., the distributor distributes t information particles from the GHZ state to t participants, all of which come from the k-dimensional Hilbert space. m GHZ states are used to share m bits of classical information, while L GHZ states are applied to detect eavesdropping. Therefore, the information efficiency of this scheme is m t(m+L) . Unlike the YGWQZW2015 protocol, the access structure of the participants in this distribution model is a restricted threshold structure and also a fully bipartite graph structure.
(4) LYZ2021 Protocol The LYZ2021 distribution model of the LYZ2021 scheme is a one circle structure, where the distributor distributes a particle of information from a generalized Bell state to one of the participants, and the particle is then passed through t participants in turn, where the two particles in the Bell state are from the k-dimensional Hilbert space. m-generalised Bell states are used to share m-bit classical information, while l X-bases and Z-bases are applied to detect eavesdropping. Thus, the information efficiency of the scheme is m t(m+l) . (5) Our Protocol This distribution model of our scheme is a bicyclic structure, i.e., the distributor distributes two information particles from the GHZ state to t participants according to the requirements of a fully bipartite graph structure, where the three particles from the GHZ state are from a three-dimensional Hilbert space. m GHZ states are used to share m-bit classical information, while L GHZ states are applied to detect eavesdropping. Thus, the information efficiency of both schemes is m 3(m+L) . In the protocol proposed, the quantum states corresponding to the information particles and the detection particles are three-dimensional GHZ states, and are only detected between Alice and P (1) i (or P (2) j ), where (m + L) three-dimensional GHZ states are used as information quantum states and detection quantum states, m-dimensional bits of classical information are obtained, and the efficiency of the scheme is m 3(m+L) . It can be seen that the scheme in this paper significantly saves quantum resources and is significantly more efficient than the above schemes.

Conclusions
In this paper, we proposed an efficient quantum secret sharing scheme for restricted gated access structures. The three-dimensional GHZ state of this scheme was used for the key transfer and the detection of the decoy state particles, and the distributor did not need to send the particles that she holds to the key reconstruction during the detection of the decoy state particles and the reconstruction of the key. This protocol is more practical, secure, and quantum resource efficient compared with similar processes.