Proposal for Quantum Rational Secret Sharing Arpita Maitra1, Sourya Joyee De2, Goutam Paul2 and Asim K. Pal1 1Management Information Systems Group, Indian Institute of Management Calcutta, India. Email: {arpitam, asim}@iimcal.ac.in 2 Cryptology & Security Research Unit, R. C. Bose Centre for Cryptology & Security, Indian Statistical Institute, Kolkata, Email: [email protected], [email protected] A rational secret sharing scheme is a game in which each party responsible for reconstructing a 5 secret tries to maximize hisutility by obtaining thesecret alone. Quantumsecret sharing schemes, 1 either derived from quantum teleportation or from quantum error correcting code, do not succeed 0 when weassume rational participants. This is because all existing quantumsecret sharing schemes 2 consider that the secret is reconstructed by a party chosen by the dealer. In this paper, for the first time, we propose a quantum secret sharing scheme which is resistant to rational parties. The g proposed schemeis fair (everyonegets thesecret), correct and achieves strict Nash equilibrium. u A 5 I. INTRODUCTION AND MOTIVATION concept of polynomial interpolation for generation and distributionofsharesofthesecretbyadealerandsubse- ] Secret sharing is an important primitive in cryptog- quentreconstructionofthesecretbytheplayers. Players h p raphy. It can be considered as a special case of secure that are ‘good’ or ‘honest’ cooperate to reconstruct the - multiparty computation [1–3] which has applications in secret, while players that are ‘bad’ or malicious do not nt electronic voting, cloud computing, online auction etc. cooperate [9]. So, for successful reconstructionof the se- a Recently,significantefforthas beengiventowardsbridg- cret, at most (n t) players can be ‘bad’. − u ing the gap between two apparently unrelated domains, In classical threshold secret sharing, Halpern and q namely, cryptography and game theory [2–4]. Cryptog- Teague [9] introduced the concept of rational players. [ raphy deals with the ‘worst case’ scenario making the Eachrationalpartywishestolearnthesecretwhileallow- 4 protocols secure against malicious behavior of a party. ing asfew othersaspossible to learnthe secret. Halpern v However,in gametheoreticperspective,aprotocolis de- and Teague [9] showed that in the presence of rational 2 signed against the rational deviation of a party. players, Shamir’s scheme fails. Specifically, no rational 1 In rational domain there is no concept of trust. Ra- player has the incentive to send his share during secret 2 4 tional players are classified as neither ‘good’ nor ‘bad’. reconstruction. From the viewpoint of each player Pi, 0 Theyparticipateinthegamewithamotivationtomaxi- either (t 1) other players send their shares or they do − . mizetheirutility. Incryptography,onemayconsiderthis not. If they send, then Pi, even without sending his own 1 asaspecialtypeofattackvector. However,thisdoesnot share, can reconstruct the secret for himself without al- 0 5 imposeanyspecialconditiononadversary,itratheradds lowing these (t −1) players to reconstruct. If they do 1 more flexibility to the adversary. not send, then none of the players can reconstruct the : In [5] it was commented that quantum secret sharing secret. So from each player Pi’s point of view, not send- v canbe treatedas a game betweenthe legitimate parties. ing his share weakly dominates sending his share. Thus i X Veryrecently,BrunnerandLinden[6]showedadeeplink the Nash equilibrium achieved in Shamir’s secret shar- r between quantum physics and game theory. By bring- ingcorrespondstothe casewhennobodysendsanything a ing quantummechanics into the game,they showedthat to each other. To mitigate this problem, the authors players who can use quantum resources, such as entan- of [9] introduced the concept of rational secret sharing gledquantumparticles,canoutperformclassicalplayers. (RSS). Its application in secure multiparty computation This is because of the fact that, in classical domain, the is known as rational multi-party computation or RMPC security depends on some computational hardness and and has been an active area of research[10–17] in recent thus is conditional. On the other hand, in quantum do- times. main, the security comes from the laws of physics and The idea of quantum secret sharing (QSS) of a single thus is unconditional. In this paper, for the first time, qubit was first due to Hillery et al. [18] using three and we introduce the rationality concept of game theory in four qubit GHZ states. Later, this process was investi- quantum secret sharing. gated by Karlsson et al. [19] using three particle entan- A (t,n) or t-out-of-n threshold secret sharing glement, Cleve et al. [20] using a process similar to error scheme [7, 8] comprises the distribution of shares of a correction and Zheng [21] using W state. The QSS of secret s among n players P ,...,P , such that at least t an arbitrary two-qubit state was proposed by Deng et 1 n of these players must communicate their shares to each al. [22] using two GHZ states. QSS using cluster states othertoreconstructthe secret. Anexampleofsuchase- was demonstrated by Nie [23], Panigrahi [24, 25] and cret sharing scheme is Shamir’s scheme [7] that uses the Han [26]. Recently, two qubit QSS was discussed using 2 arbitrary pure or mixed resource states [27] and asym- pants. Another approach is to use verifiable secret shar- metric multipartite state [28]. Note that in t-out-of-n ing[30]. Notethatboththeseapproachesarebasedupon QSS, the dealer chooses to reveal the secret to a specific unproven assumptions such as the intractability of inte- subset of t parties and not to any arbitrary subset of t ger factorization or the existence of secure encryption parties. schemes. Interestingly,Tompa and Woll proposed a scheme [29] thatmitigatesthehiddenproblemofcheatinginShamir’s A. QSS with Rational Adversaries secret sharing without any unproven assumption. They showed that the probability of undetected cheating can In QSS, all the parties are ‘good’ or ‘honest’ as they be made less than ǫ, for any ǫ >0, by suitably choosing haveagreedtoreconstructthesecrettotheparty(orpar- a large prime (that depends on ǫ) as the modulus of the ties)chosenbythedealer. However,ifweimposerational underlying field. behavioroftheparticipantsinQSS,itisquitenaturalfor Thus, the security issues of classical RSS can be sub- thelastplayer,whogeneratesthesecret,toquitwiththe divided into the following notions: 1) security of the un- secret alone. Hence, the other players always prefer not derlying secret secret sharing, 2) security of a signature togivetheirshares(eitherclassicalbitsorquantumbits) scheme,3)securityagainstrationalplayers. Thesecurity and hence the traditionalQSS scheme fails if the players issuesof1and2havebeendiscussedinanumberofliter- behave rationally. Like classical case, one may consider atures[7,29,31]. Thisiswhytheworksonrationalsecret this as a special type of attack vector in quantum se- sharing [9–17] have concentrated only on the security of cret sharing. In the context of quantum secret sharing, the rational part, that is formalized in terms of fairness, it is an important attack vector to consider. However, correctness and Nash equilibrium [11]. In this paper, we this does not impose any special condition on adversary, follow the same approachin the quantum domain. it rather empowers the adversary with more flexibility. In quantum domain, we impose rationality issues on In this paper, for the first time, we propose a quantum the top of the quantum secret sharing model which ex- secretsharingschemethatresiststhiskindofattackvec- ploits quantum error correcting code. Thus, the secu- torandforcestheparticipantstosendtheshares,though rity of the secret sharing part comes from the security they are rational in nature. We call this scheme a quan- of the quantum error correcting code, specifically CSS tum rational secret sharing (QRSS) scheme. code [20, 32, 33]. Note that as we exploit the quantum In classical domain, the adversary that controls a error correcting code to encode the secret, no unautho- player may be computationally bounded, but in quan- rized party can extract any information by subverting tum domain the adversary is always assumed to have one or more authorized parties [20, 33]. unboundedcomputationalpower. Becauseofthis,weas- Further, the existing RSS literatures [10–12, 14–16] sume a computationally unbounded adversary through- dealwithvariousflavoursofNashequilibrium. Asweas- out the entire paper and modify the security notions in sumecomputationallyunboundedadversaryinthequan- this direction. tum domain, we consider strict Nash equilibrium here. InclassicalRSS,the dealersignseachsharesothatno player can give out wrong shares to others. However, in B. Security Issues the quantum setting the scenario is different. Typically, quantum signature schemes consider signing either clas- InclassicalRSSprotocols,twotypeofsettingsarecon- sicalmessages[34]orquantummessagestringwithinde- sidered. One is called fail-stop setting and the other is pendent qubits [35]. In these works, there is no concept knownas Byzantine setting. Infail-stopsetting,a player of entanglement among the distributed shares, whereas mayabortearlyinanattempt to obtainthe secretalone in our proposed scheme, the shares are entangled. It is but does not send false shares of the secret. Whereas in notyetknownhowtosignsuchqubitswhichcontainthe Byzantine setting, a player can behave arbitrarily, i.e., information of the secret, as any type of measurement he can abort early or can fabricate a false share. on that qubits will destroy the entanglement and hence Forsharegeneration,rationalmultipartycomputation the information related to the secret. For this reason, exploits the idea of Shamir’s secret sharing, the security we assume that a rationalplayer in the quantum setting of which comes from the interpolation theorem [7, 29]. is fail-stop by nature, i.e., he may abort early towards Thus, it does not depend on some unproven hypothesis the motivationto getthe secretalone,but doesnotsend oncomputationalhardness. However,in[29]Tompaand false shares of the secret. Woll showed that in Shamir’s scheme, any (t 1) par- In quantum domain, it is very natural for a player to − ticipants can fabricate false shares in the motivation to measure his share as soon as he gets it. However,in this deceive the t-th participant to believe in a legal but in- work,weencodethesecretbyCSScodewhichtakescare correct secret. In other words, Shamir’s basic scheme is of arbitrary error. Thus measuring his qubit in an arbi- not secure against Byzantine players. trary basis gives no advantage to the player. Even with Onestraightforwardsolutiontothisproblemistosend unconditionalpowerofcomputation,thequantumadver- signed shares by the distributor (dealer) to the partici- saryextractsnoinformationaboutthesecret. Moreover, 3 if he measures the share, he will lose the information However,fornon-simultaneouschannels,theindicationis stored in the qubit. Thus no player has any incentive to delayedtill the subsequent round to avoidrushing strat- measurehis qubit(s)andeachplayercommunicateseach egy. In this case, the indicator cannot be reconstructed share as it is received from the dealer. or interpreted by all the players. The player who com- municates lastduring the reconstructionofthe indicator is the first and only one to know that the last round II. PRELIMINARIES was the revelation round. Once he comes to know this, he has no incentive to send his share of the indicator to the other players for reconstruction. Instead, he simply Inthissection,webrieflydescribeclassicalrationalse- quits. The factthatthis playerquitssignalsto the other cret sharing and discuss the concepts of rationality, fair- players that the secret has been reconstructed. ness, correctness and equilibrium used in this work. We A (t,n) rational secret reconstruction protocol is a also extend these concepts in the quantum domain. The dealer in a classical rational secret sharing (RSS) pair (Γ,−→σ)t,n, where Γ is the game (i.e., specification protocol is honest and can be online or offline. An on- of allowable actions) and −→σ=(σ1,...,σn) denotes the strategies followed by the players. We use the nota- line dealer remains available throughout the secret re- construction protocol, whereas an offline dealer becomes tions−→σ−i =(σ1,...,σi−1,σi+1,...,σn)and(σi′,−→σ−i)= (σ ,...,σ ,σ′,σ ,...,σ ). Theoutcomeofthegame unavailable after distributing the shares of the secret. 1 i−1 i i+1 n Note that an online dealer is not very practical as he is denoted by −→o((Γ,−→σ)t,n)=(o1,...,on). The outcomes ofasecretreconstructiongameΓwithrespecttoaparty repeatedly interacts with the players and such a dealer P areasfollows: 1)P obtainsthesecretwhileothersdo can directly provide the secret to the players. In 2008, i i not; 2) everybody obtains the secret; 3) nobody obtains KolandNaor[14]discussedrationalsecretsharinginthe the secret 4) others obtain the secret while P does not non-simultaneous channel model and in the presence of i and 5) others believe in a fake secret while P does not. an offline dealer,in an informationtheoretic setting. Al- i The output that no secret is obtained is denoted by mostallthesubsequentworks[11,12,16,17]onrational ⊥ and fake secret is denoted by any symbol / s, . secret sharing assumed the dealer to be offline. ∈{ ⊥} Rational secret sharing proceeds in two phases: 1) share generation and distribution and 2) secret recon- A. Utilities and Preferences struction. Share generation and distribution: If the dealer is on- line, then at the beginning of each round, he distributes The utility function ui ofeachparty Pi is defined over toeachplayerP theshareoftheactualsecretwithprob- the set of possible outcomes of the game. The outcomes i ability γ orthatofa fakesecretwith probability(1 γ). andcorrespondingutilitiesfort=n=2aredescribedin − The value of γ is kept secret from the parties and is de- Table I. For classical secret sharing, ui is assumed to be pendent on the utility values of the parties [9, 13]. An polynomialinthesecurityparameterk whichistypically offline dealerdistributes to eachparty Pi alist ofshares, thesizeofthesecret. Thus,UiTN =ui(1k,(oi =s,oj =⊥ one of which is that of the actual secret s and the re- )), UiTT = ui(1k,(oi = s,oj = s)) (where i 6= j) and so maining of fake secrets [12, 14, 16]. The position r of on. this actual share in the lists is not revealed to the play- ers and is chosen according to a geometric distribution TABLE I: Outcomes and Utilities for (2,2) rational secret (γ),wheretheparameterγ inturndependsontheutil- G reconstruction ity values of players. The dealer generates shares using Shamir’s secret sharing scheme. Secret Reconstruction: In the jth round of commu- P1’s outcome P2’s outcome P1’s Utility P2’s Utility nication, each player P (either simultaneously or non- (o1) (o2) U1(o1,o2) U2(o1,o2) i simultaneously) broadcastsor sends individually to each o1=s o2=s U1TT U2TT of the other players (in presence of synchronous, point- o1=⊥ o2=⊥ U1NN U2NN to-point channels) the share sij corresponding to that o1=s o2=⊥ U1TN U2NT round. The shares are signed by the dealer. Hence, no o1=⊥ o2=s U1NT U2TN player can give out false shares undetected and the only possible actionof a playerin a roundis to either 1)send o1=⊥ o2 6∈{s,⊥} U1NF U2FN the message or 2) remain silent. The round in which o1 6∈{s,⊥} o2=⊥ U1FN U2NF the shares of the actual secret are revealed and hence the secret is reconstructed is called revelation or defini- tive round. When the dealer is offline, players are made Forquantumdomain,thesecretisastate ψ =α 0 + | i | i awarethattheyhavecrossedtherevelationroundbythe β 1 ,orinotherwords,apairofcomplexnumbers(α,β). | i reconstruction or exchange of an indicator (a bit in [14], Thus, the size of the secret is effectively infinite. Hence, a signal in [12]). For simultaneous channel model, par- theassumptionontheutilitiesaspolynomialfunctionsof ties can identify a revelation round as soon as it occurs. thesecurityparameterhasnomeaning. Rather,wetreat 4 the utilities as real numbers that depend on the output Definition 2. (Correctness) A rational secret recon- values. struction mechanism (Γ,−→σ) is said to be correct if for Players have their preferences based on the different every arbitrary alternative strategy σ′ followed by party i possible outcomes. In this work, a rational player i is P , (i 1,...,n ) the following holds: i ∈{ } assumed to have the following preference: :UTN >UTT >UNN >UNT. Pr[o−i(Γ,(σi′,−→σ−i))6∈{s,⊥}]=0 R1 i i i i In classical rational secret sharing, the condition of Some players may have the additional preference correctness becomes significant in the non-simultaneous UiNF ≥UiTT, cchomanmnuelnimcaotdinelg. laTshteinraatnioynarolupnadrtmyawyitqhuiptreefaerrleynicne tRhe1 whereas the rest have protocol. Since other parties decide whether the revela- tion round has been reached depending on whether the UNF <UTT. i i last party has quit, they are easily misled into believing Formorethantwoplayers,thesecondsuperscriptY in in a wrong value of the secret. the notationUXY correspondtoanyofthe otherplayers i (except i itself). D. Equilibrium B. Fairness A rational secret reconstruction protocol should be suchthatnoplayerhasanyincentivetodeviatefromthis A rational player, being selfish, desires an unfair out- protocol. Consequently,Nashequilibriumanditsseveral come, i.e., obtaining the secret alone. Therefore, the ba- variantshavebeenusedastheequilibriumconceptinthe sic aim of rational secret sharing schemes has been to literatureofrationalsecretsharing. Asuggestedstrategy achieve fairness. A formal definition of fairness in the −→σ of a mechanism (Γ,−→σ) is said to be in Nash equilib- contextofa(2,2)RSSprotocolwaspresentedbyAsharov riumwhenthereisnoincentiveforaplayerP todeviate i and Lindell [11]. We modify this definition for the (t,n) from the suggested strategy, given that everyone else is quantum setting as follows: following this strategy. The conceptofstrictNashequilibriumbecomes useful Definition 1. (Fairness, adapted from [11]) A rational when the payoffs from playing a ‘good’ strategy and a secret reconstruction mechanism (Γ,−→σ)t,n is said to be ‘bad’strategyare soclose that anyminor changesin the completely fair if for every arbitrary alternative strategy beliefs of players about the strategy others are going to σ′ followed by party P , (i 1,...,n ) the following i i ∈ { } adopt may lead each of them to play the ‘bad’ strategy holds: [14]. It is defined as follows: Pr[oi(Γ,(σi′,−→σ−i))=s]<Pr[o−i(Γ,(σi′,−→σ−i))=s]. Definition 3. (Strict Nash equilibrium) The suggested In the above definition, the subscript i denotes all strategy−→σ inthemechanism(Γ,−→σ)isastrictNashequi- the players other than i. − librium if for every Pi and for any strategy σi′, we have Fairness can be achieved by a suitable randomized re- ui(σi′,−→σ−i)<ui(−→σ). construction of the protocol. The exact round in which There may exist several strategies which are the same the actual secret is to be revealed is not known to the parties. In Theorem 3, we show that the condition for as the suggested strategy −→σi for party Pi except for mi- nor differences such as performing some irrelevant com- fairness is putation orsending different messagesafter the protocol γUTN +(1 γ)UNN <UTT. is over. For the sake of proving that a proposed proto- i − i i colis instrict Nashequilibrium,we assume that allsuch UTT UNN strategies are essentially the same and do not constitute Or, γ < i − i any deviation. UTN UNN i − i for each i. This is the same condition that is required in the classical scenario. III. QUANTUM RATIONAL SECRET SHARING Inthissectionwefirstpresenta(3,7)quantumrational C. Correctness secret sharing (QRSS) protocol and we generalize it to the (t,n) setting in the next section. A formal definition of correctness in the context of a We do notexploit the ideas relatedto teleportationin (2,2) RSS protocol was presented by Asharov and Lin- quantum secret sharing. The idea of teleportation does dell[11]. Wemodifythisdefinitionforthe(t,n)quantum not naturally take care of the situation when parties are setting as follows: rational. Rather, we use quantum error correcting code. 5 Thereexistsomeworks[21,33,36,37]forbuildingquan- Thus if last three parties collaborate,then one can re- tum secret sharing schemes using (classical or quantum) construct the secret by measuring the last two qubits in error correcting codes. However, none of these schemes 00,01,10,11 basis. If a party gets 00 or 11 , he has { } | i | i addresses the rationality issue. to apply X gate to obtain the secret. If a party gets An arbitrary pure single-qubit quantum state is given 01 or 10 , he has to apply I gate to construct the se- by ψ = α 0 + β 1 with α2 + β 2 = 1, where |creti. Cl|oseiobservation reveals that there are only seven α,β| iC. Qu|aintum|eriror corr|ec|tion |sch|eme known as combinations of three parties for which secret can be re- ∈ CSS code [38], can be constructed from classical error constructed. Denoting the position of the participants correcting code. Let C and C be two classical linear by integer values, we can write those combinations as 1 codes such that 0 C C F7 with the generator = (5,6,7),(1,2,5), (2,4,6),(1,3,6),(1,4,7),(2,3,7), { } ⊂ 1 ⊂ ⊂ 2 A { matrices (3,4,7) . The set is called the access structure of the } A secret sharing scheme. 1 0 0 0 0 1 1 0 1 0 0 1 0 1 G= , A. (3,7) Quantum Rational Secret Sharing 0 0 1 0 1 1 0 Protocol 0 0 0 1 1 1 1 In classical rational secret sharing, an indicator is dis- 0 0 0 1 1 1 1 tributed along the shares of each secret to each party. G1 = 0 1 1 0 0 1 1 . Thepartiesreconstructthe indicatorandcomestoknow 1 0 1 0 1 0 1 about the revelation round. However, in quantum do- main,includinganindicatoriscostly. Wesolvethisprob- FromtheaboveexpressionitisclearthatC isthedual 1 lem by assuming that the dealer is semi-offline. In other code [39]ofC. AquantumCSS code canbe constructed words,thedealerinteractswiththeparticipantstwice,1) from these two linear codes with code words 0 and | iL at the time of the share distribution, and 2) at the time 1 . A pure single quantum state can be encoded with | iL when the game is over. In Section V, we discuss how to this code by attaching an ancilla state 0 and applying | i makethe dealeroffline. Like the classicalRSS protocols, the CNOT gate. After inserting the ancilla state we get our dealer is assumed to be honest. α 00 +β 10 which is converted to α 00 +β 11 after | i | i | i | i In classical simultaneous broadcasting channel, each the application of the CNOT gate. 00 can be encoded | i party is supposed to broadcast his share in each round. by the above CSS code as 1 and 11 can be encoded | iL | i So,in eachround,eachparty obtains (t 1)shares from as 0 . Thus the entire state is encoded as − | iL others and thus reconstructs the secret. In the point-to- 1 point channel model, instead of broadcasting his share, [[α 1111111 + 1010010 + 1100100 + 1001001 √8 | i | i | i | i each party in each round individually communicates his share to every other party. This means that each party + 0000111 + 0101010 + 0011100 + 0110001 ] | i | i | i | i preparestcopiesofhisorhershareanddistributes(t 1) +β[0000000 + 0101101 + 0011011 + 0110110 − | i | i | i | i sharesamong(t 1)parties retainingone sharefor him- + 1111000 + 1010101 + 1100011 + 1001110 ]]. self. In quantum− domain, due to the no cloning the- | i | i | i | i orem [40], a player cannot generate copies of his share. In light of the above discussion, let us now explain However,thedealercanprepareasmanycopiesofthese- our exact proposaland its importance. Here, we assume cret as required as he knows the secret. We exploit this the secret as a single qubit α 0 +β 1 . We encode the | i | i idea to form our protocol. The communication in the secret with the above CSS code. Thus the secret is now quantum setting is similar to the communication in the splitintosevenqubits. Thedealerdistributestheseseven point-to-pointchannelmodel. UnlikeclassicalRSS,each qubits among seven parties. We now write the secret as round is further sub divided into sub-rounds. In the ith 1 [1111 [α 111 +β 000 ]+ 1010 [α 010 +β 101 ] sub-roundofaroundjtheparticipantPiisgiventhecur- √8 | i | i | i | i | i | i rentshares(qubits)bythe remainingplayers. Forexam- + 1100 [α 100 +β 011 ]+ 1001 [α 001 +β 110 ] ple, in (3,7)quantum rationalsecretsharing,inthe first | i | i | i | i | i | i + 0000 [α 111 +β 000 ]+ 0101 [α 010 +β 101 ] sub-roundP2 andP3 givetheircurrentshares(qubits)to | i | i | i | i | i | i P . Inthesecondsub-roundP andP givetheircurrent + 0011 [α 100 +β 011 ]+ 0110 [α 001 ]+β 110 ]]. 1 1 3 | i | i | i | i | i | i sharestoP2. Inthethirdsub-roundP1 andP2 givetheir Applying CNOT gate on last three qubits, we obtain current shares to P . 3 1 We assume that the players are of fail-stop nature. [1111 [α 1 +β 0 ] 00 + 1010 [α 0 +β 1 ] 10 √8 | i | i | i | i | i | i | i | i This means that they do not send wrong shares. In each round, a player has just two strategies, either to + 1100 [α 1 +β 0 ] 11 + 1001 [α 0 +β 1 ] 01 | i | i | i | i | i | i | i | i send his share or to remain silent. Remaining silent + 0000 [α 1 +β 0 ] 00 + 0101 [α 0 +β 1 ] 10 is equivalent to quit the game. Throughout the paper | i | i | i | i | i | i | i | i + 0011 [α 1 +β 0 ] 11 + 0110 [α 0 ]+β 1 ] 01 ]. whereas we use the word “quit”, we want to mean | i | i | i | i | i | i | i | i 6 that the player remains silent from the very sub-round At the end of round j, does the following: • of a round. The dealer is assumed to be honest. We describe our protocol π3,7 below. Without loss – Applies CNOT gate considering his current QRSS share (qubit) as control. of generality, we assume that the dealer wishes to reveal the secret to the parties receiving qubits 5, 6 and – Measures target bits in 00,01,10,11 basis. { } 7andwelabelthemasplayersP ,P andP respectively. 1 2 3 – Dependingonthemeasuredvalueoperatesei- ther X gate or I gate. [1. Protocol π3,7 ] QRSS 1.1 The Dealer’s Protocol π3,7 : Stores the secret sj obtained in the jth round. ShareGen • Input. The quantum secret to be shared using (3,7) If j = 1 list , sends sig = 1 to the dealer. If the threshold secret sharing. • 3| i| i dealer sends abort, then aborts; else if the dealer 1.1.1 Share Generation: The dealer does the sends the value of r stores only s and quits. If r following: j < 1 list , continues. 3| i| Choosestheraccordingtoageometricdistribution Output. The quantum secret s . • r (γ) with parameter γ. G Generates three copies of each secret (fake as well • IV. GENERALIZATION TO (t,n) QUANTUM asactual)foreachroundandencodesthoseinCSS RATIONAL SECRET SHARING code discussed above. Preparesalistlist ofsharesforeachpartyP such Beforegoingtothe(t,n)quantumrationalsecretshar- i i • that: ing, first we show an existential result. Theorem 1. Let C = [n,k,d] and C = [n,k 1,d′] be – Qubits(5,6,7)ofeachsecretaregiventoplay- 1 − two linear codes such that C C. Given C CT = 0, ers P1, P2, and P3 respectively so that each 1 ⊂ · 1 there is always a secret sharing scheme provided k is a partygetsthreequbits,i.e. P possessesthree 1 power of 2. of 5, P has three of 6 and P possesses three 2 3 of 7 for each round. Proof. Fromthe definition itis clearthat wealwayscon- – Eachlist contains 3(r+w) shares, where w is struct a CSS code from given C and C with codewords 1 also chosen according to (γ). 0 and 1 . Letthe secretbe α 0 +β 1 . Letus take G | iL | iL | i | i the tensor product of the secret and (m 1) number of Output. The dealer distributes listi to party Pi. theancillastates,wheremisanyintegerv−alue. Thefinal state becomes α 0 0 ...0 +β 1 0 ...0 . 1.1.2 Unmasking of Revelation Round πU3,n7mask: Applying CNO| T1 2gatemwie ob|ta1in2 α 0m10i2...0m + ICnopmutp.utSaitginoanl saingidfrComomeamchunpilcaayteironP.i, (iTh∈e1d,2ea,3le)r. βfo|r1m112b.y..a1m2im. b|0i1n0a2ry...v0emctiorc,an(1b0e0.w..r0i|t0t)e.n inSimmialaitrrliyx does the following: 1 1 ...1 can be represented by a 2m binary vector, 1 2 m | i (000...01). In secret sharing scheme 0 0 ...0 and • Itfoseiagc1h=Psi.ig2 =sig3 =1, announces the value of r l|o1g112k....A1smmi airseamneinsstaeggeers,tkatsehso.uTldhubse|kp1o=w2e2rmofom2r.imTh=e 2 encoded secret in CSS code becomes α 1 +β 0 . If for at least one value of i, sigi = 1, aborts after | iL | iL • 6 announcing abort to each party P . i Thenextresultgivesaboundonthenumberofparties that can reconstruct the secret. Output. Thedealeroutputseitherrorabort depending on the values of sigi. Theorem 2. Let C = [n,k,d] and C = [n,k 1,d′] be 1 − two linear codes such that C C. Given C CT = 0, 1.2 The Player’s Protocol 1 ⊂ · 1 there are minimum d number of parties who can recon- Input. The list of shares list . i struct the secret. 1.2.1 Secret Reconstruction π3,7 : Recon Computation and Communication. Each player Pi Proof. According to the definition of the CSS does the following: code, 0 = 1 x+C and 1 = | iL kC1kPx∈C1| 1i | iL 1 x+C . Thus, the codewords which In the ith sub-round of a round j, Pi is given the kC1kPx∈/C1| 1i • current shares (qubits) by other two parties. consist the codeword |0iL belong to C1. On the other hand,thecodewordsconsistingthecodeword 1 belong | iL Checks to see if the number of shares received is to C/C . So we always get two orthogonal codewords 1 • less than two. If yes, aborts and sends sig = 0 to which come from two different cosets. One codeword i dealer. Else, continues. is associated with α and other codeword is associated 7 with β. Let they be u and v. Since dist(u v) d, Input. The list of shares list . i if we apply CNOT gate on these d bits consid−ering≥the 2.2.1 Secret Reconstruction πt,n : Recon first bit as control, we get (d 1) target bits which Each player P does the following: i − are equal in both the codewords. So measuring those (d 1) qubits in 0,1 (d−1) basis we can reconstruct In the ith sub-round of a round j, Pi is given the • − { } current shares (qubits) by other (t 1) players. the secret depending on the measurement result. Thus, − for secret reconstruction minimum d parties have to Checks to see if the number of shares received is collaborate. • less than (t 1). If yes, aborts and sends sig = 0 i − Note that since C C, we must have d′ d. For to dealer. Else, continues. 1 ⊂ ≥ (t,n) QRSS, we set t=d. At the end of round j, does the following: • – Applies CNOT gate considering his current A. t-out-of-n Quantum Rational Secret Sharing share (qubit) as control. Protocol – Measures target bits in 0,1 (t−1) basis. { } Let us now present our generalized scheme. – Dependingonthemeasuredvalueoperatesei- ther X gate or I gate. [2. Protocol πt,n ] QRSS Stores the secret s obtained in the jth round. j 2.1 The Dealer’s Protocol πt,n : • Input. The quantum secret toShbareeGsehnared using (t,n) • If j = 1t|listi|, sends sigi = 1 to the dealer. If the threshold secret sharing. dealer sends abort, then aborts; else if the dealer 2.1.1 Share Generation: The dealer does the follow- sends the value of r stores only sr and quits. If ing: j < 1t|listi|, continues. The dealer designates t players among n, from the Output. The quantum secret sr. • access structure. In the next result, we show that the fairness condition forclassicaldomainremainsvalidinthequantumdomain Choosestheraccordingtoageometricdistribution as well. • (γ) with parameter γ. G Theorem 3. If γ >0 and UTT >γUTN+(1 γ)UNN, Generates t copies of each secret (fake as well as the protocol πt,n achieves ifairness.i − i • QRSS actual) for each round and encodes those in CSS code derived from C and C (see Theorem 2). Proof. A player who wants to obtain the secret alone 1 must be able to correctly guess which round is the rev- Preparesalistlisti ofsharesforeachpartyPi such elation round. Suppose the ith player guesses that the • that: jth round is the revelation round and quits in the ith sub-round of the jth round. On other words, the player – Each player P is given a qubit from a valid i remainssilentfromthe (i+1)thsub-roundofjthround. set of t qubits from the access structure like Ourprotocolis designedin sucha waythatif anyplayer (3,7) QRSS. quits in any intermediate round, then it is reported to – Each list contains t(r+w) shares, where w is the dealer by a signal bit (sig). If for at least one value also chosen according to (γ). of i, sig = 1, the dealer aborts after announcing abort G i 6 to each party P .Thus, if the guess of the ith player is Output. The dealer distributes list to party P . i i i correct i.e j =r,the probability of which is γ, his utility 2.1.2 Unmasking of Revelation Round πt,n : is UiTN, else his utility is UiNN. So the expected utility Unmask oftheplayerwhodecidestodeviatebasedonhisguessis Input. Signal sig from each player P , (i 1,...,t). i i ∈ given by γUTN +(1 γ)UNN. On the other hand, if he Computation and Communication. The dealer i − i simply followedthe protocol,his utility wouldhave been does the following: UTT. However, the dealer chooses the value γ in such a i If sig = 1 for all i 1,...,t, announces the value way so that i • ∈ of r to each P . i γUTN +(1 γ)UNN <UTT. i − i i If for at least one value of i, sig = 1, aborts after i • 6 announcing abort to each party P . Thus the player should have no incentive to deviate. He i always gives his share and hence the protocol achieves Output. Thedealeroutputseitherrorabort depending fairness. on the values of sig . i The next result establishes the correctness of our gen- 2.2 The Player’s Protocol eral scheme. 8 Theorem 4. Even if some players may have UNF Katz [13] showed a general (t,n) rational secret sharing i ≥ UTT, the protocol πt,n achieves correctness. that works for n = t = 2, thus refuting the claim of [9]. i QRSS Our (t,n) quantum rational secret sharing scheme also Proof. In our protocol, the dealer is semi-offline. The works for t = 2. In that case, we require [n,k,2] linear revelation round is unmasked by him after all the play- code to construct the CSS code. In principle, (2,n) QSS ers report that the reconstruction game is over. There- isthequantumanalogueof(2,2)classicalsecretsharing, fore, players do not depend on the action of the last sinceinthe quantumdomainthe dealerdesignates,from player to know which round is the revelation round (see the access structures, a specific subset of 2 players (out section IIC). Thus, the protocol is UiNF independent. of n) except whom no one else can obtain the secret. No player has any incentive to quit in an intermediate roundinthepurposetomaketheothersbelieveinafake secretasactualsecret. Hencetheprotocoliscorrect. V. OFFLINE DEALER FOR QRSS Note that in [11], it is mentioned that for non- simultaneous channel model, UNF independence is im- In this section, we propose a (t,n) quantum rational i possible. But there the underlying assumption is that secret sharing scheme with the dealer offline, i.e., after the dealer is offline. Since in our QRSS, the dealer is distributing the shares, the dealer does not come into semi-offline, we can easily get UNF independence even the picture. i in non-simultaneous channel. Considering the dealer as semi-offline, we have shown Now, we can state the following result on equilibrium. thatourprotocolπt,n becomesUNF independentand QRSS hence correct. In [11], it is shown that in case of offline Theorem 5. If γ >0 and UTT >γUTN+(1 γ)UNN, i i − i dealerandnon-simultaneouschannelmodel,theprotocol then protocol πt,n achieves strict Nash equilibrium. becomes UNF dependent. Hence, achieving correctness QRSS isnotguaranteed,whenthepreferencesoftheplayersare Proof. LetusassumethatapartyP followsthedeviating i defined by . Thus, in case of offline dealer, to achieve strategy σ′, when all other parties follow the protocol. R1 i correctness (which we show later), we suitably redefine SupposeP abortsatroundj andtherevelationroundis i the preferences of the players as follows: r. Then either j is itself the revelation round, i.e., r =j oritisaroundbeforetherevelationround,i.e. r >j. In :UTN >UTT >UNN >UNT, our case, the secret reconstruction game is played until R2 i i i i each party exhausts his list of shares. After that the and dealer points out the revelation round. Hence, there is a possibility that Pi deviates after the revelation round, UNF <UTT i.e., r < j although such deviation is not helpful in any i i way to the deviating party. We assume that the correct forallplayersi. Notethatwehavetorestricttheutilities secret can be obtained by a player only when he quits so that no player can have UNF UTT. in the revelation round. From the property of geometric In our protocol πt,n i bel≥ow,iwe use a Boolean distribution, we have QRSSDO indicator variable b associated with each round. The γ =Pr[j =rj r]= Pr[j=r], and | ≤ Pr[j≤r] secretbit b is distributed among the designatedt parties 1 γ =Pr[j <rj r]= Pr[j<r]. through a (t,t) Shamir secret sharing to denote whether − | ≤ Pr[j≤r] Then, ui(σi′,−→σ−i) is given by t(bhe=pr0e)v.ioLuastreoru,nwdewdaisscuresvsehlaotwiontoromuonvde(fbro=m1c)laosrsincoatl UTNPr[j =r]+UNNPr[j <r]+UTT Pr[j >r] indicator to quantum indicator. i i i = +γUUiTTNT(P1r[jP≤r[rj]+(r1])−γ)UiNNPr[j ≤r] [3. Protocol πQt,nRSSDO] i − ≤ 3.1 The Dealer’s Protocol πt,n : = (γUTN +(1 γ)UNN UTT)Pr[j r]+UTT ShareGen i − i − i ≤ i Input. The quantum secret to be shared using (t,n) < UTT. threshold secret sharing. i 3.1.1 Share Generation: The dealer does the The last inequality follows from our assumption that following: γUTN + (1 γ)UNN < UTT, which makes the term i − i i added to UTT negative. In each sub-round, a player can Sets t=d and designates t players among n. i • send only a unique share (namely, the correct share) as we have ui(σi′,−→σ−i) < ui(−→σ). So, our protocol follows • Choosestheraccordingtoageometricdistribution strict Nash equilibrium. (γ) with parameter γ. G Intheclassicalrationalsecretsharingdomain,Halpern Generates t copies of each secret (fake as well as • and Teague [9] claimed that (2,2) rational secret shar- actual) for each round and encodes those in CSS ing scheme cannot be constructed. Later, Gordon and code derived from C and C (see Theorem 2). 1 9 Preparesalistlist ofsharesforeachpartyP such classical) or 1 (in quantum). He has no incentive to i i • | i that: send his shares in subsequent sub-rounds. He then just quits the game. The rest of the players then conclude – Each element e in the list list consists of k,i i that the revelation round has been occurred just before two parts: a qubit from a valid set of t qubits that round. Thus they also get the secret by operating from the access structure as in (3,7) QRSS CNOT gate and measuring the target bits for the last and a (t,t) Shamir share of a Boolean value complete round. indicatingwhetherthepreviousroundwasthe Unlikesemi-offlinedealer,inthis casethe playersneed revelation round. not to reconstruct the secret qubits for each round. In- – Each list contains k =t(r+w) shares, where stead, they reconstructthe secret only for the revelation w is also chosen according to (γ). round. Moreover, the players are not forced to exhaust G their lists of shares. The revelation round is the last 3.2 The Player’s Protocol round in this protocol as after the revelation round the Input. The list of shares listi. playershavenoincentivetocontinuethegame. Thepro- 3.2.1 Secret Reconstruction πRt,necon: tocolisfair,correctandachievesstrictNashequilibrium. Each player P does the following: i Theorem 6. If γ >0 and UTT >γUTN+(1 γ)UNN, i i − i In the ith sub-round of a round j, Pi is given the the protocol πt,n achieves fairness. • QRSSDO currentelement(onequbitandoneclassicalbit)in the lists by other (t 1) players. The proof is the same as Theorem 3. − Theorem 7. Provided UTT > UNF, the protocol If the number of elements receivedis less than (t i i • 1) or if a partial element has been received the−n πQt,nRSSDO achieves correctness. aborts. Else, continues. Proof. As UTT > UNF, no player has any incentive to i i At the sub-round i of round j, does the following: mislead others to believe in a wrong secret as an actual • secretwhenhehimselfdoesnotgettherealsecret. Thus – Stores the qubits obtained from the (t 1) the protocol is correct. − parties. We show strict Nash equilibrium in the next result. – Reconstruct the Boolean value b associated with that round. Theorem 8. If γ >0 and UTT >γUTN+(1 γ)UNN, – If b=1, then protocol πQt,nRSSDO achieives strictiNash eq−uilibriium. Set r =(j 1). Proof. LetusassumethatapartyP followsthedeviating i ∗ Applies CN−OT gate considering his (j strategy σi′, when all other parties follow the protocol. ∗ 1)th share (qubit) as control. − SupposePi abortsatroundj andtherevelationroundis Measures target bits in 0,1 (t−1) basis. r. Then either j is itself the revelation round, i.e., r =j ∗ { } or it is a round before the revelation round, i.e., r > j. Depending on the measured value oper- ∗ We assume that the correct secret can be obtained by a ates either X gate or I gate. player only when he quits in the revelation round. From Stores the quantum secret s obtained in r the property of geometric distribution, we have ∗ the (j−1)th round. γ =Pr[j =rj r]= Pr[j=r], and | ≤ Pr[j≤r] Else, continues. 1 γ =Pr[j <rj r]= Pr[j<r]. − | ≤ Pr[j≤r] Output. The quantum secret sr. Then, ui(σi′,−→σ−i) is given by We can make the above protocol fully quantum by UiTNPr[j =r]+UiNNPr[j <r] replacing the indicator bits 0 and 1 by qubits 0 and 1 = γUTNPr[j r]+(1 γ)UNNPr[j r] | i | i i ≤ − i ≤ respectively. However, instead of Shamir’s (t,t) share, = (γUTN +(1 γ)UNN)Pr[j r] 0 and 1 are encoded by CSS code just like the secret i − i ≤ | i | i < UTT. state s. The dealer distributes the list (list ) to each i i player P , containing two qubits, first one for the secret i The last inequality follows from our assumption that and the second one for the round. In each sub-round i γUTN+(1 γ)UNN <UTT. Ineachsub-round,aplayer of a round j, player P reconstructs the qubit associated i − i i i cansend only a unique share (namely, the correctshare) twhiatht tthheat(jroun1d)t.hIfroiutnids |w1ia,stthheeprleavyeelratcioonmersoutnodk.nHowe aswehaveui(σi′,→−σ−i)<ui(−→σ). So,ourprotocolfollows strict Nash equilibrium. − reconstructs the secret for the (j 1)th round and − discards other qubits obtained in the previous rounds. Note that the proof in this case is a bit different from Note that unlike the protocol for semi-offline dealer, the proof in Theorem 5, because the case r <j does not the game will be over when the first player gets 1 (in occur here. 10 VI. CONCLUSION AND FUTURE WORK quire quantum memory. Also, quantum no cloning the- orem [40] resists the players to copy their shares. So Quantum secret sharing schemes either derived from we let the dealer can prepare the copies of the secret as QECC or teleportation do not succeed when we assume he knows the secret. Removing the requirement of the rational players. In this paper, for the first time we pro- quantum memory is an interesting open problem. poseanewquantumrationalsecretsharingschemesthat In the classical rational secret sharing schemes, there is fair, correctand achievesstrict Nash equilibrium. Un- are other notions of Nash equilibrium, such as computa- derthisscheme,weproposetwoprotocols,onewithsemi- tionalNashequilibrium under differentadversarialmod- offline dealer and the other with offline dealer. Semi- els[12,16,17,41]. DuetoCSScodestructure,nocloning offline dealer appears twice 1) at the time of the share andinfiniterangeofthesecret,thescenarioiscompletely distribution, 2) at the end of the game. In the second different in quantum setting and hence we consider only protocol,wemakethedealerofflinebygivingtheplayers strict Nash equilibrium. Extended analysis of our pro- auxiliary information related to the revelation round. tocol or its variants for alternative equilibrium models Theonlydisadvantageoftheprotocolsisthattheyre- could be another potential future work. [1] S. D. Gordon, C. Hazay, J. Katz, Y. Lindell. Proceed- [21] S. B. Zheng. Phys. Rev. A 74, 054303 (2006). ings of the 40th Annual ACM symposium on Theory of [22] F.G.Deng,C.Li,Y.Li,P.Zhou,H.Zhou.Physics Rev. computing (STOC), 413–422, ACM Press, (2008) A 72, 044301 (2005). [2] G. Asharov, R. Canetti, C. Hazay. Advances in Cryptol- [23] Y. Nie, M. Sang, Y. Li, J. Liu. Int. J. Theor. Phys. 50, ogy-EUROCRYPT2011,LNCS6632,426–445, (2011). 1367–1371 (2011). [3] A. Groce, J. Katz. Advances in Cryptology - EURO- [24] S.Muralidharan,S.Jain,P.K.Panigrahi.Opt.Commun. CRYPT 2012, LNCS 7237, 81–98, (2012). 284, 1082–1085 (2011). [4] A.Groce, J. Katz, A.Thiruvengadam, V.Zikas. ICALP [25] N. Paul, J. V. Menon, S. Karumanchi, S. Muralidha- 2012, LNCS 7392, 561–572, (2012). ran,P.K.Panigrahi.Quantum Inf.Process.10,619–632 [5] J. O. Grabbe. arXiv [quant-ph] 0506219v1 (2005). (2011). [6] N.Brunner,N.Linden.NatureCommunications4,2057, [26] L.F.Han,H.F.Xu.Int. J. Theor. Phys.51, 2540–2554 (2013). (2012). [7] A. Shamir. Communications of the ACM 22, 612–613, [27] M. Zhao, Z. Li, S. Fei, Z. Wang, X. Jost. J. Phys. A: (1979). Math. Theor. 44, 215302 (2011). [8] G.R.Blakley.ManagingRequirementsKnowledge,Inter- [28] Q.Y.Zhang,Y.B.Zhan.Int. J. Theor. Phys.51,3037– nationalWorkshop,313,IEEEComputerSociety,(1979). 3044 (2012). [9] J. Halpern, V. Teague. Proceedings of the 36th An- [29] M. Tompa, H. Woll. Journal of Cryptology 1, 133–138, nualACM symposium onTheory of computing,623–632, (1988). (2004). [30] B. Chor, S. Goldwasser, S. Micali, B. Awerbuch. FOCS [10] I.Abraham,D.Dolev,R.Gonen,J.Halpern.Proceedings 1985, IEEE Com. Society, Washington, DC, USA., 383– of the 25th Annual ACM Symposium on Principles of 395, (1985). distributed computing, New York, USA, 53–62, (2006). [31] S.Goldwasser,S.Micali,R.L.Rivest.FOCS1984,IEEE [11] G. Asharov, Y. Lindell. Journal of Cryptology. 24, 157– Com. Society, Washington, DC, USA.,441–448, (1984). 202, (2010). [32] P. W. Shor, J. Preskill. Phy. Rev. Lett. 85, 441–444, [12] G. Fuchsbauer, J. Katz, D. Naccache. Proceedings of (2000). the 7th Conference on Theory of Cryptography, 419–436, [33] P. K. Sarvepalli, A. Klappenecker. Phys. Rev. A 80(2), Springer-Verlag, (2010). 022321. [13] S. D. Gordon, J. Katz. Security and Cryptography for [34] D. Gottesman and I. Chuang. arXiv [quant-ph] Networks, Springer, 229–241, (2006). 0105032v2 (2001). [14] G. Kol, M. Naor. Proceedings of the 40th Annual ACM [35] X.Lu¨,D.-G.Feng.Computational andInformationSci- Symposium on Theory of Computing, 423–432, (2008). ence, LNCS 3314, 1054–1060 (2005). [15] A.Lysyanskaya,N.Triandopoulos.Advances inCryptol- [36] C. Crepeau, D. Gottesman, A. Smith. EUROCRYPT ogy - CRYPTO’ 06, Springer, Berlin, 180–197, (2006). 2005, LNCS 3494, 285–301 (2005). [16] A. Lysyanskaya, A. Segal. IACR Cryptology ePrint [37] K.Rietjens,B.Schoenmakers,P.Tuyls.IEEEISIT2005, Archive: Report 2010/540, (2010). Australia, 1598–1602 (2005). [17] S. J. Ong, D. V. Parkes, A. Rosen, S. Vadhan. Proceed- [38] M. A. Nielsen and I. L. Chuang. Quantum Computation ings of the 6th Conference on Theory of Cryptography, andQuantumInformation,CambridgeUniv.Press,2004. 36–53, Springer-Verlag, (2009). [39] F.J.MacWilliams(Author),N.J.A.Sloane.TheTheory [18] M. Hillery, V. Buˇzek, A. Berthiaume. Phys. Rev. A 59, of Error-Correcting Codes. North Holland (1977). 1829–1834 (1999). [40] W. K. Wootters, W. H. Zurek. Nature, 299, 802–803, [19] A.Karlsson,M.Koashi,N.Imoto.Phys.Rev.A59,162– (1982). 168 (1999). [41] J. Katz. Theory of Cryptography, 251–272, Springer [20] R. Cleve, D. Gottesman, H. K. Lo. Phys. Rev. Lett. 83, Berlin Heidelberg, (2008). 648–651 (1999).