Continuous Variable Quantum Secret Sharing with Fairness

Dishonest participants have many advantages in gaining others' shares by cheating in quantum secret sharing (QSS) protocols. Traditional methods such as identity authentication and message authentication cannot resolve this problem, because the share has already been released to the dishonest participant before the deception is discovered. In this paper, a continuous variable QSS (CVQSS) scheme with fairness is proposed, which ensures that all participants either acquire the secret or fail to acquire it simultaneously. The quantum channel based on two-mode squeezed states provides secure communication through which shares can be sent successfully, as long as the squeezing and modulation parameters are set according to the quantum channel transmission efficiency and the Shannon information of the shares. In addition, the Chinese Remainder Theorem (CRT) can provide tunable threshold structures according to the demands of a complex quantum network, and the strategy for fairness can be incorporated into other sharing schemes, resulting in perfect compatibility for practical implementations.


Introduction
Secret sharing (SS) plays a significant role in cryptography. Since Hillery et al. [1] first introduced SS into the quantum domain in 1999 by applying three-particle and four-particle GHZ states, more and more QSS schemes have been proposed [2][3][4]. Based on quantum mechanics, the unconditional security of the secret distribution can be ensured.
Conventionally, a (t, n)-threshold secret sharing scheme is built to prevent (t − 1) or fewer dishonest participants from conspiring to obtain the secret. At the same time, a participant has more advantages in stealing the secret than an outside eavesdropper. Hence, compared with other protocols, such as quantum key distribution [5][6][7], quantum signature [8], quantum anonymous voting [9] and so on, QSS protocols need to analyze attacks from both inside and outside. But in the previous literature, how the secret is revealed securely against inner attack is rarely discussed [10][11][12][13]. Many SS protocols have been improved to verify participants and check the validity of shares in the recovery phase [14][15][16], but the participant who is the last to release a share may still try to obtain the secret alone by sending a fake share or keeping silent. To solve this problem without the constraint of simultaneous release, Lin et al. [17] proposed, in the classical scenario, a fair reconstruction in which Dealer distributes, in addition to the secret shadow, a check vector, which is used to verify the validity of other participants' shadows in the reconstruction process, and a certificate vector, which is used to prove the validity of a participant's own shadow to each participant. Then, in the quantum domain, Liu et al. [18] designed a QSS protocol based on partially and maximally entangled states, in which a secure and fair reconstruction mechanism is organized for the first time so that each participant learns or fails to learn the secret simultaneously. Later, Maitra et al. [19] proposed a rational secret sharing scheme for the first time, in which a rational participant tries to maximize his or her utility by obtaining the secret alone, but this cannot occur, because the protocol is usually fair (everyone gets the secret).
The above-mentioned schemes are primarily based on discrete variable quantum entanglement states, which suffer from bottlenecks such as extreme fragility, low channel capacity and the difficulty of preparation in experiment. So, in this paper, continuous variable quantum information theory is used to distribute shares [20,21]. The two-mode squeezed vacuum state is well suited to preparation, operation and detection [22,23]. What's more, the modulation performed on the two-mode squeezed vacuum state can be not only binary but also multi-level, which can improve the channel capacity. Furthermore, the quantum channel based on two-mode squeezed states provides secure communication, and it is proved that it can send shares successfully, as long as the squeezing and modulation parameters are set properly according to the quantum channel transmission efficiency and the Shannon information of the shares. In order to ensure that every participant learns or fails to learn the secret simultaneously without a simultaneous channel, a fair construction is designed, in which a check sequence is used to hide the real secret sequence, a determine pointer is used to find the hidden secret and a verify sequence is used to verify the recovered message. Furthermore, this fair protocol can be incorporated into other sharing schemes.
The organization of this paper is as follows. In Section 2, we design the (2, 2)-threshold CVQSS scheme with fairness. Section 3 explicates the security analysis of the scheme. At last, in Section 4, the conclusion is given.

CVQSS Scheme with Fairness
In this section, the CRT is introduced and a verifying function is defined, both of which play an important role in the CVQSS scheme proposed below.

Chinese Remainder Theorem
Let $n \geq 2$, $m_1, \dots, m_n \geq 2$ and $s_1, \dots, s_n \in \mathbb{Z}$. The system of congruence equations has solutions in $\mathbb{Z}$ when $\gcd(m_i, m_j) = 1$ for all $i, j \in [1, n]$. It has been proved that this solution can be calculated as where $M = \prod_{i=1}^{n} m_i$, $M_i = M/m_i$ and $T_i \times M_i \bmod m_i = 1$. According to the CRT equations described above, secret $S$ can be divided into $n$ shares named $s_i$ for $n$ participants and can also be recovered when all shares are collected, which means the (n, n)-threshold secret sharing scheme can be achieved. Of course, the (t, n)-threshold scheme can be designed similarly, where $n \geq 2$, $t \leq n$, as long as the moduli $m_i$ are prime numbers and secret $S \in [h, H]$, where $h = \prod_{i=n-(t-1)+1}^{n} m_i$, $H = \prod_{i=1}^{n} m_i$ [11]. Thus, whichever threshold scheme is demanded in practice, it can be designed by the CRT. What's more, compared with other traditional methods, such as the polynomial interpolation method of Shamir, whose key recovery interpolation formula requires $O(t \log^2 t)$ operations, the CRT-based scheme requires only $O(t)$ operations [24].

Verifying Function for CVQSS
In order to verify a message, a Hash function is usually applied to obtain the signature or digest of the whole message, which usually contains a large amount of information. In this paper, however, the message $X$ is verified number by number. Each number is much smaller than the whole message, and the same number recurs many times in the message. If the Hash function were applied to the numbers directly, the hash values used for verification would repeat, which causes a serious problem: a number can be derived from its hash value after several rounds of verification, whereas the important property of a Hash function is irreversibility. In order to avoid the problem of repetition, the message $X$ is preprocessed to $X'$ with $X'_i \neq X'_j$ for $i \neq j$ as follows Here $L$ is the length of the message, $i \in [1, L]$, $X_i \in \mathbb{N}$ and $M = \max(X_i)$. It is easy to prove that which proves $X'_i \neq X'_j$ is true. Then, a Hash function $H()$, such as SHA1, is used to obtain verification information $V$ for verifying. In summary, a modified Hash function for verifying a sequence $X$ can be written as

(2, 2)-CVQSS Scheme with Fairness
In what follows, suppose Dealer has a classical secret S to be shared among participants. Dealer exploits CRT to decompose S and participants can reconstruct S. For simplicity, we consider the design of (2,2)-CVQSS scheme with fairness.
I2 For security, $S$ is hidden in sequence $R$ to form a new sequence named $X$, which is shown in Figure 1 and described in the following steps. (1) Add $P^*$ to the end of $S$. (2) Insert $S$ and $P^*$ into $R$ at one random place. The sequence $P^*$ has to be unique in message $X$, which means $P^*$ meets the constraint i.e., define
I3 Dealer calculates the shadows $X^A = X \bmod m_a$ and $X^B = X \bmod m_b$, generates the verification information $V$ of $X$ according to Equation (4)
Figure 1. The generation of message $X$ from secret $S$, checking sequence $R$ and determine pointer $P^*$.

Distribution
Dealer distributes $X^A$ and $X^B$ to the participants Alice and Bob respectively, via the continuous variable quantum deterministic key distribution protocol based on two-mode squeezed states [21]. In other words, each communication is from one Sender (Dealer) to one Receiver (Alice or Bob). The communication is briefly described as follows.
D1 Every Receiver prepares $L + L_1 + L_2$ two-mode squeezed vacuum states $a_1 = x_1 + ip_1$ and $a_2 = x_2 + ip_2$ as in Figure 2. Here where a in1 =x 1,2 ] = 2i. As the squeezing parameter $|r|$ increases, the correlation between $a_1$ and $a_2$ becomes increasingly perfect, i.e.,
D2 Receiver keeps $a_1$ at home and sends Sender $a_2$ together with some coherent states $c = |x_c + ip_c\rangle$ for checking eavesdropping. After receiving the whole state $a_3$, Sender sends back an acknowledgement. Following Receiver's instructions, Sender accurately selects and measures the coherent states, so as to check for eavesdropping. If the error rate exceeds a certain threshold, Receiver goes back to D1. In this paper, the strategy for checking eavesdropping is always the same as above, so it will be referred to as eavesdropper detection for short.
D3 According to the message $X^{A/B}$, Sender modulates $a_3$ by $D(\alpha_j)$ to obtain $a_4$. Here $\alpha = y + iy$, $y \sim N(X^{A/B}, \sigma^2)$ follows the Gaussian distribution and $\sigma^2$ is the variance of the message.
D4 Sender sends $a_4$ back to Receiver together with some coherent states. After receiving $a_5$, Receiver performs eavesdropper detection with Sender's help. If the channel is insecure, they give up this communication and go back to D1.
D5 Receiver applies a gain to obtain $a_6$ before the joint Bell measurement on $a_1$ and $a_6$, which yields the message $X^{A/B}$. As Figure 2 shows, the joint Bell measurement consists of one balanced beamsplitter (BS) and two detectors using homodyne measurement.

Recovery
When Alice and Bob want to rebuild secret $S$, they exchange their own shares. A dishonest one may refuse to send her or his correct share after receiving the other one's. In order to avoid this situation, this protocol applies some strategies to achieve fairness; in other words, all participants can or cannot acquire the secret simultaneously.
In this part, firstly, Alice and Bob generate random number sequences $A, B \in \{0, 1, \dots, M\}^{(L+L_1+L_2)}$ to encrypt their shares as ( , respectively. Then Alice and Bob exchange their encrypted messages following steps (D1) to (D5) and obtain the measurement results $M^A_e$ and $M^B_e$. At last, they decrypt $M^A_e$ and $M^B_e$ to reconstruct $X$ and verify it number by number, which is described below in detail.
V1 Define $j$ as the round of secret reconstruction, with initial value $j = 0$.
V2 $j = j + 1$.
V3 Alice and Bob exchange or broadcast the $j$-th keys $A_j$ and $B_j$ over the classical channel, decrypt $M^A_{e,j}$ and $M^B_{e,j}$ to obtain $X^B_j = (M^A_{e,j} - B_j) \bmod (M + 1)$ and $X^A_j = (M^B_{e,j} - A_j) \bmod (M + 1)$, recover $X_j$ according to Table 1 and calculate its verification information $V_j = H(X_j + j(L + M))$.

V4 If the calculated $V_j$ differs from the $j$-th entry of the verification information $V$, return "Error" and end; otherwise, continue.
V5 If $j < (L + L_2)$, go to (V2). Otherwise $T_j = X_{j-L_2+1}, X_{j-L_2}, \dots, X_j$. If $T_j = P^*$, $S = X_{j-L-L_2+1}, X_{j-L-L_2}, \dots, X_{j-L_2}$, end and return $S$; otherwise, go to (V2).
In the stage of recovery, Alice sends her share to Bob and Bob sends his share to Alice. Therefore, the security of this protocol is primarily based on the security of this communication, which is analyzed in detail below.
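The recovery rounds V1 to V5, together with the position-dependent verifying function defined earlier, can be exercised classically as below. This is an added example, not code from the paper: the moduli 2 and 3 are inferred from the share ranges {0, 1} and {0, 1, 2}, the pad is applied as addition mod (M + 1) to match the decryption formula in V3, L in the hash offset is taken as the full length of X, the quantum steps D1 to D5 are not simulated, and the sample sequences and the `cheat_round` hook are constructed for illustration.

```python
import hashlib
import secrets

M_A, M_B = 2, 3    # assumed moduli, implied by share ranges {0,1} and {0,1,2}
M = M_A * M_B - 1  # largest symbol, M = max(X_i) = 5
# Table 1 as a lookup: (X_A, X_B) -> X, the CRT solution for moduli 2 and 3
CRT_TABLE = {(x % M_A, x % M_B): x for x in range(M + 1)}


def tag(x, j, n):
    """V_j = H(X_j + j(L + M)), taking L as the length n of X (assumption)."""
    # The step n + M exceeds M, so equal symbols in different rounds hash differently.
    return hashlib.sha1(str(x + j * (n + M)).encode()).hexdigest()  # SHA1 as named in the text


def dealer(S, R, P_star, pos):
    """Hide S followed by P* inside R at index pos, then derive shares and V."""
    X = R[:pos] + S + P_star + R[pos:]
    n = len(X)
    XA = [x % M_A for x in X]
    XB = [x % M_B for x in X]
    V = [tag(x, j, n) for j, x in enumerate(X, start=1)]
    return XA, XB, V


def recover(XA, XB, V, L, P_star, cheat_round=None):
    """Alice's view of rounds V1-V5 (Bob's view is symmetric).

    Returns (status, secret_or_None, round_reached). cheat_round makes Bob
    release a wrong key in that round (hypothetical test hook).
    """
    n, L2 = len(XA), len(P_star)
    B = [secrets.randbelow(M + 1) for _ in range(n)]      # Bob's random pad
    enc_B = [(xb + b) % (M + 1) for xb, b in zip(XB, B)]  # sent before any key is released
    X = []
    for j in range(1, n + 1):
        key = B[j - 1]
        if j == cheat_round:
            key = (key + 1) % (M + 1)                     # wrong key for this round
        xb = (enc_B[j - 1] - key) % (M + 1)               # V3: decrypt Bob's share
        x = CRT_TABLE.get((XA[j - 1], xb))                # None if xb is not a valid share
        if x is None or tag(x, j, n) != V[j - 1]:
            return ("error", None, j)                     # V4: verification failed
        X.append(x)
        if j >= L + L2 and X[j - L2:j] == P_star:         # V5: pointer found
            return ("ok", X[j - L - L2:j - L2], j)
    return ("no-pointer", None, n)


# Constructed sample data: P* occurs exactly once in X.
S, P_STAR = [4, 1, 5, 2], [5, 5, 0]
R = [0, 1, 2, 3, 4, 0, 1, 2, 3, 4]
XA, XB, V = dealer(S, R, P_STAR, pos=6)

if __name__ == "__main__":
    print(recover(XA, XB, V, len(S), P_STAR))                 # honest run
    print(recover(XA, XB, V, len(S), P_STAR, cheat_round=3))  # cheat before S appears
```

With these sample values the last secret symbol sits at position k = 10, so an honest run ends at round k + L2 = 13, and a wrong key in any earlier round stops the exchange at that round.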

No Attack
At first, Receiver prepares the initial two-mode squeezed states $(a_1, a_2)$, then sends mode $a_2$ to Sender through the quantum channel with additive white Gaussian noise (AWGN), so $a_3$ can be described as Here, $\eta_1$ is the channel transmission efficiency and $x_{N1}, p_{N1} \sim N(0, \Sigma_1^2)$ represents the channel noise from Receiver to Sender. Next, $a_3$ is modulated by a displacement operation according to message $X^{A/B}$ and turns into $a_4$, expressed as Then, $a_4$ is sent back to Receiver and becomes $a_5$, where $x_{N2}, p_{N2} \sim N(0, \Sigma_2^2)$ and $\eta_2$ stands for the parameter of the quantum channel from Sender to Receiver. In order to compensate $a_5$ for the loss in the quantum channel, $a_5$ has to be amplified with gain $g$ before the Bell measurement, so, At last, Receiver performs a measurement on $a_1$ and $a_6$ to capture message $X^{A/B}$ and the results $a_7$, $a_8$ are If $r > 0$, using Equations (5), (7)-(11) and setting g = 1 η 1 η 2 , we obtain Obviously, $x_8$ obeys a Gaussian distribution, so the variance of the signal distribution is and the variance of the noise is The signal-to-noise ratio (SNR) between Sender and Receiver is According to Shannon information theory [25], the mutual information is expressed as As for the two-mode squeezed state, the amplitude and phase are symmetric and both can be used to transfer the message, so the total mutual information is $2I(S, R)$ and the channel capacity is also $2I(S, R)$ when there is no attack. But, for brevity, the messages carried on amplitude and phase are the same in this paper, so the security is discussed based on the amplitude only, and the channel capacity is accordingly taken as $C = I(S, R)$. For the message to be transferred successfully, the channel capacity cannot be less than the information of $X^{A/B}_i$, expressed as $C \geq H(X^{A/B}_i)$. According to the (2,2)-threshold CVQSS proposed above, suppose $X_i$ is equally distributed in $\{0, 1, \dots, 5\}$, so $P(X_i = 0) = P(X_i = 1) = \dots = P(X_i = 5) = \frac{1}{6}$, $i = (1, 2, \dots, L + L_1 + L_2)$. From the definition of CRT or Table 1, the share of Alice is $X^A_i \in \{0, 1\}$ and its probability function is Similarly, the share of Bob is $X^B_i \in \{0, 1, 2\}$ and its probability function is Therefore, the information entropies of $X_i$, $X^A_i$ and $X^B_i$ are $H(X_i) = \log_2 6$ bit, $H(X^A_i) = 1$ bit and $H(X^B_i) = \log_2 3$ bit. Hence, the channel can succeed in sending $X^A$ and $X^B$ when $C = I(S, R) \geq \log_2 3$ bit ≈ 1.6 bit. Suppose the two quantum channels are the same, with $\eta_1 = \eta_2 = \eta$ and $\Sigma_1 = \Sigma_2 = \Sigma$. The information rate $I(S, R)$ is depicted in Figure 3, which shows that increasing the squeezing parameter $r$ and the variance of the message $\sigma^2$ can improve $I(S, R)$; in particular, the growth of $\sigma^2$ can enhance the tolerance of low channel transmission efficiency. Under the condition $I(S, R) = \log_2 3$ bit, the relation between $r$ and $\sigma^2$ is drawn in Figure 4. It shows that $\sigma^2$ decreases to a fixed value when $r$ increases from 1 to 3, under the conditions $\eta = \{1, 0.9, 0.6\}$. To overcome more loss in the quantum channel, more energy has to be supplied by increasing $\sigma^2$ in the modulation.

Internal Attack
Generally, there are two kinds of attack considered in a QSS scheme. One is eavesdropping by Eve from outside, the other is the dishonest participant attack from inside. However, the dishonest participant has more advantages in stealing the secret than Eve from outside. Therefore, the scheme is secure against Eve's attack, so long as the protocol can resist inner attack. Consequently, the following security analysis primarily focuses on inner attack in a noisy channel.
Out of curiosity, Alice and Bob may guess the original key $S$, which is hidden in $X$. Although each participant has one share $X^{A/B}$, they have no idea about the position of $S$ in $X$, which means they should guess the right $P^*$ at first, then recover $S$ by guessing. According to Equation (2) or Table 1, the authorized set $X^A \cup X^B$ can recover the message $X$ and, from the above calculations, $H(X_i) = H(X^A_i) + H(X^B_i)$, which means the unauthorized sets $X^A_i$ and $X^B_i$ are independent of each other. Apparently, $H(X_i) > H(X^B_i) > H(X^A_i) > 0$, so a curious member cannot deduce $X_i$ from the unauthorized set $X^A_i$ or $X^B_i$ alone. Furthermore, from Table 1 and Equations (17) and (18), the conditional probabilities $P(X_i | X^A_i)$ and $P(X_i | X^B_i)$ are given in Tables 2 and 3. Thus, according to Alice's share $X^A_i$, the success probabilities of guessing $P^*$ and $S$ are $(\frac{1}{3})^{L_2}$ and $(\frac{1}{3})^{L}$, which approach zero when $L, L_2 > 3$. Similarly, Bob can successfully guess $P^*$ and $S$ with probabilities $(\frac{1}{2})^{L_2}$ and $(\frac{1}{2})^{L}$. So it is hard for Alice and Bob to accurately locate $S$ in $X$ and then recover it. Therefore, a dishonest participant has to perform attacks to acquire more information for secret recovery.
Table 2. The conditional probability $P(X_i | X^A_i)$.
Table 3. The conditional probability $P(X_i | X^B_i)$.
In this protocol, the use of coherent states can resist the intercept-and-resend attack, so the dishonest participant, named Eve, adopts the BS attack strategy [21,26], which is shown in Figure 2. To avoid being detected, Eve adjusts the parameters of the beam splitters to imitate the noisy quantum channels, i.e., the transmission coefficient of each BS equals the transmission efficiency of the noisy quantum channel. In this way, the communicants may regard this attack as quantum channel loss and noise. So, the mutual information between sender and receiver can be calculated as in Equation (16). As for Eve, passing through the first BS, Eve can get where $\eta_1$ is the transmission coefficient of the BS, $a_{N1} = (x_{N1}, p_{N1})$ is a vacuum state and $x_{N1}, p_{N1} \sim N(0, \Sigma_1^2)$. Similarly, using the second BS, Eve can obtain where $\eta_2$ is the transmission coefficient of the BS, $a_{N2} = (x_{N2}, p_{N2})$ is a vacuum state and $x_{N2}, p_{N2} \sim N(0, \Sigma_2^2)$. Then, Eve performs a gain amplification on them to obtain where $g_{E1} = \frac{1}{\sqrt{1-\eta_1}}$ and $g_{E2} =$ . At last, Eve measures $a_{E1}$ and $a_{E2}$ and gets According to the equations before, $x_E$ can be expressed as So, the signal variance of $x_E$ is and the noise variance of $x_E$ is So, the SNR of $x_E$ is and the mutual information between sender and Eve is Therefore, the channel capacity $C$ or the information rate $\Delta I$ is Suppose the two quantum channels are the same, with $\eta_1 = \eta_2 = \eta$ and $\Sigma_1 = \Sigma_2 = \Sigma$. According to the analysis above, the mutual information between sender and Eve is drawn in Figure 5. It is obvious that, by setting a lower noise variance of $a_{N1}$ and $a_{N2}$, $\Sigma_2^2$, Eve can obtain more information. Moreover, the growth of $\sigma^2$ can also increase $I(S, E)$, but $r$ has little effect on it. Then, when $\Sigma^2 = 1$, the relationship between information rate $\Delta I$ and transmission efficiency $\eta$ is exhibited in Figure 6. Under different conditions, such as $\sigma^2 = 1, r = 1$; $\sigma^2 = 1, r = 5$; $\sigma^2 = 28, r = 1$; and $\sigma^2 = 28, r = 5$, it is clear that the positions of $\Delta I = 0$ are all very close to (0.43, 0). When $\eta < 0.43$, $\Delta I < 0$ and Eve can acquire more information than the legal communicators, so the communication is insecure. When $\eta > 0.43$, $\Delta I > 0$ and $\Delta I$ increases with the growth of $\sigma^2$ or $r$; in particular, $\sigma^2$ can bring a large improvement in $\Delta I$. In order to transfer the secret shares successfully ($\Delta I \geq \log_2 3 \approx 1.6$), the requirement is considerably more stringent; for example, when $\sigma^2 = 28, r = 5$, $\eta$ needs to be greater than 0.79. Furthermore, Figure 7 depicts the relation between the squeezing parameter $r$ and the variance of the message $\sigma^2$ that satisfies $\Delta I = \log_2 3$, under the conditions $\eta = \{1, 0.9, 0.8\}$. Obviously, when $r > 3$, the required $\sigma^2$ approaches a stable value, which depends strongly on $\eta$ of the BSs. Compared with Figure 3, the requirement on $\sigma^2$ and $r$ is much harsher, because the lost information is collected and used by Eve rather than merely lost. Although the loss of the channel is inevitable and Eve always exists, some strategies can be adopted to prevent Eve from using the lost or stolen information to infer the real secret. For example, the secret can be encrypted with a one-time pad generated by CVQKD [9], which is discussed in Ref. [26]. In this way, $I(S, E)$ would be the same, but Eve cannot extract any useful information about the secret, which means no secret information leaks. So, the protocol would be feasible and secure under low quantum channel transmission efficiency, provided that the requirement on $\sigma^2$ and $r$ can be achieved.

Fairness Property
In this protocol, the fairness property means that either Alice and Bob can both reconstruct the secret $S$ or neither can recover it. According to the steps in recovery, the following situations would occur.
(1) Suppose the position of the last secret symbol $S_L$ in message $X$ is $k$. Alice and Bob are both honest and follow the recovery steps to exchange their shares, or the fake shares are released at the $j$-th round with $j > k + L_2$. After the $(k + L_2)$-th round, the determine pointer $P^*$ appears, which means the secret $S$ is recovered and can be picked out in front of $P^*$ with length $L$.
(2) If the fake shares are released at the $j$-th round, $1 \leq j < k$, the dishonest participant would be detected by message verification and the secret $S$ has not been reconstructed before termination.
(3) If the fake shares are released at the $j$-th round, $k < j < k + L_2$, the dishonest participant is caught. At this moment, the secret $S$ has been reconstructed and $P^*$ has not appeared completely. So both of them have the possibility of guessing the right position and picking out $S$.
(4) If the fake shares are released at the $k$-th round, which happens with probability $1/L_1$, the dishonest participant would reconstruct $S$ while the other participant fails, but he or she cannot be sure that this is the secret, because the right position is unknown. After this round, the dishonest participant would be found.
(5) If the fake shares are released at the $(k + L_2)$-th round, the dishonest participant would reconstruct $S$ and $P^*$, and the honest participant would also guess the position of $S$ and pick it out correctly with great probability.
In all of the above situations, both participants can recover or cannot recover the secret simultaneously, except that in situation (4) the dishonest participant may have a slight advantage in acquiring the whole secret; but when the length $L_1$ of the checking sequence $R$ is great enough, the probability of situation (4) is close to zero.

Conclusions
We have suggested a CVQSS scheme with fairness to resist dishonest participants who keep silent or return erroneous shares after receiving others' shares; such behavior would be detected in the verifying process. The participants release their shares interactively without simultaneity, but they can or cannot reconstruct the secret simultaneously. These conclusions follow from the discussion of the fairness property, in which all five cases are enumerated and analyzed in detail. Of course, without loss of generality, participants cannot deduce the secret from their own shares independently.
The two-mode squeezed states are indispensable in our scheme and are exploited to transmit deterministic shares. As proved, this communication can send shares successfully, as long as the squeezing and modulation parameters are set properly according to the quantum channel transmission efficiency and the Shannon information of the shares. Although there must be eavesdropping in the channels, the legal communicators can detect the eavesdropper, owing to the communication being based on two-mode squeezed states. In order to ensure that a directly transmitted message is sent successfully, the channel transmission efficiency should be greater than 0.79. But if the encrypted message is sent over the quantum channel, the information leakage of shares can be neglected, so the demand on channel transmission efficiency can be regarded as the condition under no attack, which is as low as 0.08. However, an increase in the number of participants in the quantum network would greatly increase the number of communications in this protocol. With the rapid development of n-particle CV entanglement, the CV GHZ state can be used to distribute shares, which will make our scheme more efficient and more practical.