ebook img

Secret Sharing with a Single d-level Quantum System PDF

0.13 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Secret Sharing with a Single d-level Quantum System

Secret Sharing with a Single d-level Quantum System Armin Tavakoli1, Isabelle Herbauts1, Marek Z˙ukowski2 and Mohamed Bourennane1 1Department of Physics, Stockholm University, SE-10691 Stockholm, Sweden 2Institute of Theoretical Physics and Astrophysics, Uniwersytet Gdan´ski, PL-80-952 Gdan´sk, Poland (Dated: June16, 2015) We give an example of a wide class of problems for which quantum information protocols based on multi-system entanglement can bemapped intomuchsimpler ones involvingonesystem. Secret sharingisacryptographicprimitivewhichplaysacentralroleinvarioussecuremultipartycomputa- tiontasksandmanagementofkeysincryptography. Insecretsharingprotocols,aclassical message is divided into shares given to recipient parties in such a way that some numberof parties need to 5 collaborate in ordertoreconstruct themessage. Quantumprotocols for thetask commonly rely on 1 multi-partite GHZ entanglement. We present a multiparty secret sharing protocol which requires 0 only sequential communication of a single quantum d-level system (for any prime d). It has huge 2 advantages in scalabilility and can be realized with the state of the art technology. n u PACSnumbers: 03.67.Hk,03.67.-a,03.67.Dd J 5 1 I. INTRODUCTION entanglement is given in [9]. Also, general (N,k) quan- tumsecretsharingthresholdschemeshavebeenanalyzed ] in Ref. [10]. h Splitting a message into N shares so that the origi- p nal message can be reconstructed if and only if at least There are several experimental demonstrations of se- - k N of the shares are known is called a (N,k) secret cretsharingschemeswithquantumresources. Threeand nt sh≤aring threshold scheme (the threshold is k). Secret four partite secret sharing using entanglement were re- a sharingconstitutesanimportantcryptographicprimitive ported in Refs. [12, 13]. However, entanglement-based u in protocols for secure multiparty computation includ- protocolsarenotscalable. Thedifficultyofobtainingthe q ing password-authenticatedkey agreement,hardwarese- requiredquantumcorrelationsgrowswith the number of [ curity modules, private querying of databases, and es- parties involved. 2 tablishment of access codes with restricted access. The Fortunately,amorescalablesecretsharing(ofclassical v firstsecretsharingschemeswerepresentedindependently data) can be achieved using only sequential communica- 2 by Shamir and Blakley by means of classical algorithms tion of a single qubit, see Ref. [14]. The work reports a 8 5 to split the message and classical communication to dis- successfulproof-of-principleexperimentaldemonstration 5 tribute the shares [1, 2]. of six party secret sharing of such a kind. Nevertheless, 0 InShamir’s(N,k)secretsharingthresholdscheme,the the security of proposed secret sharing schemes is not 1. distributor chooses a set of k positive integers, known as robust as the security of Quantum Key Distribution 0 only to him/her, a ,...,a 1,...,P , where P is (QKD). This is discussed in Ref. [15, 16] for both the 0 k 1 5 some large prime. The first−inte∈ge{r a is t}he secret. The entanglement-basedscheme of [6, 7] and the single qubit 0 1 k’th order polynomial p(x)=a +a x+...+a xk 1, scheme of [14]. 0 1 k 1 − v: is used for coding the data. For l=1,...,N the d−istribu- In this letter, we present a (N,N) secret sharing i tor computes p(l) and communicates the value only the threshold scheme using a single d-level quantum system, X l’thparty. Ifatleastk oftherecipientscollaborate,they for odd prime dimension d. We investigate eavesdrop- r can easily recover the secret a , whereas knowing fewer ping attacks and security issues. Finally, we discuss the a 0 than k shares yields no informationon a . However,like scalability and efficiency of our protocol in comparison 0 manyschemesinclassicalcryptography,Shamir’sscheme to other schemes involving qudit systems. Our principal is vulnerable to intercept-resend attacks on the commu- aim is to show that you can map GHZ state protocols nications of the distributor. extended to d-level systems into protocols involving se- Thesecurityforcryptographictaskscanbeenforcedby quential transfer of a single qudit (as this is a significant introducingquantumresources[3,4]. Quantummethods simplification of such schemes). We restrict d to odd for (classical) secret sharing by three parties in a form primes because our protocol uses a cyclic property of a of cryptographic protocol based on three particle GHZ set of Mutually Unbiased (orthonormal) Bases (MUBs). entanglement [5] were given in [6]. In an independent Many MUBs are still unknown [17]. Complete sets are later development, secret sharing protocols for three or only known for dimensions which are powers of prime four parties were proposed in Ref. [7]. Secret sharing numbers [18]. For this restricted set of dimensions, the for arbitrary many parties exploiting multipartite qubit algebraicproperty on which our scheme relies was found entanglement can be found in Ref. [8], wherein security only for odd prime dimensions. issues were shown to be linked to Bell inequalities. A The relation of our single qudit scheme with respect general secret sharing scheme using multipartite d-level to GHZ state qudit secret sharing can be thought to be 2 similartothatoftheBB84QKD-protocol[3]andtheE91 In such a case, only results satisfying N+1l = 0 n=1 n QKD-protocol[19]basedonentanglement. However,due mod d occur, and all sets satisfying this relation are P to the in principle arbitrary number of parties involved, equally probable. However, if condition (3) does not significant advantages of the single qudit scheme emerge hold, then the probability distribution of the results is with the growing number parties. uniform. This is easy to see once one realizes that (2) and (1) implies that d−1ωk(l+jk) 2 =d for j =0 and | k=0 | 6 any l. II. SECRET SHARING USING GHZ STATE Oncethe measuremePntsareperformed,the partiesan- CORRELATIONS nounce their choices of j . The distributor checks con- n dition (3). Only if it is satisfied, the round is treated Let us first describe a secret sharing protocol using as valid and is used for secret sharing. The local results multipartite d-level entanglement, for which d is an odd satisfy N+1l =0 mod d, whereas a sum with one or n=1 n prime. This particular protocol is outlined in [9]. more l missing has an arbitrary value (mod d). Thus n The protocol is designed for N +1 party secret shar- even NP1 collaborating parties cannot learn the values ing and requires an N + 1 partite d-level GHZ state: obtained−by the other two. But N parties can establish |GHZdN+1i = √1d dj=−01|ji⊗N+1. The party 1 (R1) act- thevalueoftheremainingparty. Asthechoicesofjn are ing as the distributor prepares the GHZ state, keeps one random, the protocol succeeds in 1/d of the cases. P particle,anddistributestheremainingN particlestothe N recipient parties. In the given run, each of the N +1 parties independently chooses one of d possible bases in III. SECRET SHARING WITH A SINGLE which the local particle is measured. QUDIT Forsecuritypurposes,allpartieschoosetheirmeasure- ment bases from a set of d MUBs. The unit vectors be- Our protocol relies on a cyclic property of the set of longing to the full set of d+1 MUBs will be denoted as MUBs: there exist unitary transformations Ul′j′, such e(j) wherej =0,...,dlabelsthebasisandl=0,...,d 1 that for any l′,j′ 0,...,d 1 , any vector Ml,j can |enlumierates the vectors of the given basis. One has−for be mapped into M∈l+l{′,j+j′. T−hat}is, elements of M are j =j : mapped into elements of M. ′ 6 Notethat,foranyvectorM canbe transformedinto l,j e(j) e(j′) 2 = 1. (1) Ml+1,j by applying the transformation h l | l′ i d (cid:12) (cid:12) d 1 Apart from the com(cid:12)(cid:12)putationa(cid:12)(cid:12)l basis, for which we give Xd = − ωn n n (4) theindexj =d,anddenoteitsstatesby k ,theremain- | ih | | i nX=0 ing d MUBs are given by Simply, using (4) and (2), one gets d 1 |el(j)i= √1d − ωk(l+jk)|ki (2) Xd|e(lj)i= √1d dn−=10ωn|nihn| dk−=10ωk(l+jk)|ki k=0 X = 1 dP−1ωk((l+1)+jk) Pk = e(j) . (5) whereω =e2πi/d. Itcanbeeasilyshownthat(2)satisfies √d k=1 | i | l+1i (1) for all prime dimensions [20]. We will denote by M Also, any M cPan be transformed into M by l,j l,j+1 the set of all vectors belonging to the MUB defined by (2), and its elements by M , with the meaning of the d 1 indices as above. l,j Yd = − ωn2 n n. (6) | ih | Ineachrunoftheexperimentpartyn(denotedbyR ) n=0 n X chooses randomly a measurement basis j . The local n This can be shown in a similar way. Thus, by applying moneeasoufrveemcteonrtsiMn the.bTahsiiss ipsrgoojevcetrsnehdis/bhyetrhpeaprrtoicblaeboilnittyo the operator Ul′j′ = Xdl′Ydj′, any Ml,j is mapped into distribution l,jn Ml+l′,j+j′. The protocol runs as follows. P(l1,...,lN+1 j1,...,jN+1) (i) The distributor R1, who by the nature of the task | is always assumed to be an honest party, prepares the 2 = dN1+2 dk−=10ω−PNn=+11(kln+k2jn) . state |e(00)i = √1d dj=−01|ji ∈ M, which will be denoted (cid:12)(cid:12)P (cid:12)(cid:12) by |ψ0di. P (cid:12) (cid:12) (ii) R picks two random numbers x ,y 0,...,d 1 1 1 Perfect GHZ correlations are possible if 1 , and performs on ψd the transformati∈on{Xx1Yy−1. } | 0i d d This gives ψd M. The state is sent to party R . N+1 | 1i∈ 2 jn =0 mod d. (3) (iii) For n = 2,...,N +1, the party Rn generates two independentrandomnumbersx ,y 0,...,d 1 ,and nX=1 n n ∈{ − } 3 appliesXxnYyn tothe qudit ψd receivedfromR . IV. SECURITY DISCUSSION R ’sactiodngidvesastate ψd |whn−ic1hiissenttosubsequne−n1t n | ni party Rn+1, except incase of RN+1 who sends the qudit Protocolsforsecretsharinghavetoguaranteesecurity. back to the distributor, R1. Consider an example of an attack by an external eaves- (iv) R1 randomly chooses J 0,...,d 1 and mea- dropper. Iftheeavesdropper,Eve,attemptsanintercept- ∈ { − } sures the qudit in the basis {|el(J)i}l. The outcome is resendattackandinterceptsthequdit,inthestate|e(lj)i, labeled a 0,...,d 1 . onthewayformR toR ,shecanchooseoneofdrele- ∈{ − } k k+1 (v) In random order only parties R2,...,RN+1 an- vantbasestomeasure. With probability1/dshe chooses nounce their choice of yn. The distributor announces abasisj′ =j andtheattacksucceeds,butwithprobabil- only whether the round is valid or not. It is valid pro- ity d 1 shehasj =j inwhichcasethestateshesendsto −d 6 ′ vided: R willbe altered. The eavesdropping,to someextent k+1 depending on d, causes inconsistencies between the pri- N+1 vate data and condition (8), and is therefore detectable y =J mod d. (7) n in step (vi) of the protocol. n=1 X For more general eavesdropping attacks, in the qudit Otherwisetheroundisrejected. Iftheroundisvalid,the transfer from R and R , we can regard the parties k k+1 private data of the parties, x , satisfy globally R ,...,R as a ’block’ effectively representing a single { n} 1 k party, and parties R ,...,R and R , acting as the k+1 N+1 1 N+1 measuringparty,wecantreatsimilarly. Thus,theattack x =a mod d. (8) n isreducibletothescenarioencounteredintheBB84two- nX=1 party QKD (see e.g. [21]) in which the sender and the The data exhibit perfect correlations and thus can be receiver, both effectively our R1, do not announce their used for secret sharing, as was the case for GHZ based bases, but only validity of a run. Generally, this makes protocols,providedR resetshis/herx tox(scrt) =x securityeffectivelyperfect, evenifEvetries this strategy 1 1 1 1− at more than one qudit transfer link. a. Again, the probability of a valid round is 1/d. An alternative trick which can be used by Eve is to (vi)Inordertocheckthesecurity,forarandomlycho- send via the unitary gate of partner R one more qudit sen (by the distributor) subset of the rounds, all parties k or even a multi qudit pulse, say separated in time, so R ,...,R announce their values of their private data 2 N+1 that it can be somehow intercepted by her beyond the x (in the same sequence as was the announcement of n gate, without intercepting the protocol qudit. After y y ’s). The distributor checks (8). If R registers a sub- k n 1 is announced she can learn the actual unitary transfor- stantial fraction check runs for which (8) does not hold, mation and thus x . However, this is easily detectable, R declares the whole secret sharing attempt as corrupt n 1 if R makes the number of particles measurementat the (more details on security checks later). k exit of his/her gate (in some randomly chosen runs). (vii) If the secret sharing attempt is not corrupt, par- Yet another possibility is for Eve to intercept the qu- ties R ,...,R , after exchanging all their data x for 2 N+1 n dit sent by R , and send a qudit of her own to R in its a valid run, not used in the security check, can learn the 1 2 otherwise secret value x(scrt), for the given run, earlier stead. Eve collects her qudit once it is sent by RN+1, 1 andwaitsfortheannouncementofy ’s. Theintercepted known only to the distributor R . n 1 qudit of R can be somehow manipulated by her, how- The protocol works because after all the transforma- 1 ever it must reach the measurement station of R at the tions the final state reads 1 right time. After y ’s are announced she can measure n her qudit and recover the value x +...+x mod d. N+1 2 N+1 ψd = XxnYyn ψd However, the attack will be detected in step (vi) of the | finali n=1 d d !| 0i protocol since R1 performs the measurement before the Y y ’sareannounced. ThereisnowayforEvetoperforma d 1 n = 1 0 + − ωPNn=+11(kxn+k2yn) k . (9) yn’sdependentmanipulationonaquditwhichis already √d | i k=1 | i! measured by R1. X R ’s measurement of (9) yields an outcome with unit 1 probability,provided ψd isaneigenstateofthemea- A. Discussing security against conspiracies | finali sured observable. This happens if and only if (7) is sat- isfied. Otherwise, |ψfdinali is some element Ml′,j′ with Insecretsharingonefacesthepossibilityofconspiring j =J and thus by (1) the probability of any outcome is cheating subsets of parties. In the worst case, only the ′ 6 1/d. distributor R and one more party are honest, leaving 1 For a valid run the correlations are effectively equiva- N 1conspiringparties. Conspiraciessignificantlycom- − lent to the ones for the GHZ based protocol: the choice plicates the security analysis of secret sharing schemes of y corresponds to R ’s choice of measurement basis, and much is therefore unknown about security of var- n n while x is analogous to the local outcome. ious schemes. Here, we will discuss the robustness of n 4 our scheme against some particular conspiracies. How- to achieve secret sharing. However, using d-level QKD ever, rigorous security proof for general conspiracies is eachrecipienthas a probabilityof 1/dto choose the cor- unknown. rect basis. If the QKD scheme between the distributor In,e.g.,Refs[16,22]eavesdroppingattacksusingquan- and R is repeated m times, the probability that R n n tum memories and entangling of systems with an ancilla chooses the correct basis at least once is 1 1 1 m. − − d were shown to lead to security problems in the protocol ForsuccessfulsecretsharingthroughQKD,the distribu- (cid:0) (cid:1) of Ref. [14]. However,the attacks of [22] require that ei- tor has to repeat the scheme independently with each ther the firstor the finalpartyare cheating,whichnever party until all of them report a correct choice of ba- happens in our protocolas R is effectively both first an sis at least once. The probability, p , that for all 1 success lastparty. Additionally,theeavesdroppingattacksof[22] n = 2,...,N +1, R has at least one correct choice is n srienqcueirRe knnoewvelredagnenoofunaclseos ay1nyanddatJa., which is impossible psuccess = 1− 1− d1 m N. Solving for the number of 1 ln(1 p1/N ) More generally, the cheaters could use some attack rounds,m,(cid:0)wefin(cid:0)dm=(cid:1) (cid:1) − success . Asanexample, ln(1 1/d) based on entangling the qudit with an ancilla, or pos- (cid:24) − (cid:25) we can choose N = 10, and pick d large, say d = 23, so sibly storing the protocol qudit in a quantum memory that p leads to a good estimate of the number of success andcreatinganewentangledstate,ofwhichasubsystem roundsrequiredtodistributeexactly onenumbertoeach is communicated further along the protocol loop. Still, recipient. We require that the probability of success is they ought not to be able to profit. The reason is the somewhat high, say p = 0.8. Then the approxi- success absence of data announcement from R renders the qu- 1 mate number of rounds required is about m = 86. For dit availablefor the cheaters effectively in a mixed state, distributingasecretofrealisticsizeinmanysharesandto forwhichthereisnoobservablewhichwouldgiveanout- guarateeitssecurity,onewilltypicallyneedtodistribute come with unit probability. Furthermore, if the cheaters larger data sets. In this estimation we have not consid- combine their attack with eavesdropping,on the actions ered the parties having inefficient detectors. Including ofthehonestparties,theywillbedetectedinstep(vi)of this possibility decreases the protocol efficiency by an the protocolonbasisofthe argumentsfromthe previous average factor of ηN. Therefore, such QKD-schemes re- section. quiresmuchmoreroundsanddetectorsthanourscheme. However, the security of QKD [21] is more robust and wellstudied thanthat ofsecretsharing,which allowsfor V. COMPARING SECRET SHARING SCHEMES higher security to the price of lower efficiency. The security can be further increased for such QKD There existsa number ofquantumprotocolsforsecret schemes by performing the QKD in a device indepen- sharing. The protocols for three and four-partite secret dent manner, i.e. with parties performing measurements sharingproposedin[7]anditsgeneralizationtohigh-level on entangled state obtaining data that violates a Bell multipartiteconfigurations[9]requiresthepreparationof inequality. However, this also leads to an additional re- a high-fidelity GHZ state with N +1 subsystems. With ductionofefficiencyduetothelowkeyrateshighexperi- growing N this becomes an increasingly difficult task. mental requirements associatedwith device independent The experimental requirements make these schemes un- schemes. scalable. Furthermore, another problem arises if we also In our protocol, for any N, only a single qudit is re- consider inefficient detection. Let η [0,1]be the detec- quired. This enhances experimental feasibility: there is ∈ torefficiency. Giventhatthecondition(3)issatisfiedfor no issue ofscalability of the initial state preparation. As a particular round, it is required that all parties succeed the protocolinvolvesjustone detectorstationscalability with their measurements otherwise the round has to be isfurtherenhanced. Inaddition,fromthepointofviewof rejected. The probability that all N +1 detection sta- interferometry,ourschemeisinthedomainofsinglepar- tions give a successful detection is ηN+1. Furthermore, ticle interference. It is well known that one can achieve note that in GHZ state protocols d(N +1) detectors are very high interference visibilities in such cases whereas required. As each detection station introduces possible multiparticle interference effects for photons can accuire registration errors, the overall error would accumulate. highvisibilitiesonlyinthe caseoftwoqubits. Multipho- However, such GHZ state protocols can enable security ton qudit experiments will experience alignment prob- againstdevice manipulation which is animportant secu- lems, errors due to imperfections in the optical compo- rityfeaturewhentheexperimenterdoesnotfully control nentsandonlypartialdistinguishabilityofphotonscom- its own measuring device. ming from different sources [23]. For security purposes, Consider now secret sharing with QKD involving qu- it is very important to keep the quantum error rates to dits, in which the distributor uses N pairwise indepen- a minimum. However, our scheme requires control over dent QKD channels, each shared with one of the recip- thedevicesandthesecurityagainstcollectiveattacksre- ients. The protocol of such type which is directly com- mains unknown. Finally, we do note that our scheme parable to our scheme involves encoding in d different requires the same number of local unitary operations as MUBs. For every round the distributor sends data x is used in the correspondingGHZ state protocol[9], and n to party n such that suitable correlations are obtained is therefore subject to the same accumulation of noise 5 due to imperfections in the local unitary actions. over, using our methods a wide class of quantum proto- colsusing(multiparty)entanglementcanbemappedinto simple ones involving one qudit. VI. CONCLUSIONS Wehavepresentedasecretsharingprotocolusingonly Acknowledgments a communication of a single qudit. While the security proofs are incomplete against possible sophisticated at- We thank Ingemar Bengtsson for sharing his knowl- tackswhichwedidnotincludeinouranalysis,thescheme edge about MUBs. The project was supported by is secure against standard attacks. The scheme provides the Swedish Research Council, ADOPT, and QOLAPS big advantages in scalability over earlier schemes and projectofERC.MZacknowledgesthe supportofTEAM thus make proof-of-concept experiments feasible. More- project of FNP. [1] A. Shamir in Communications of the ACM 22, 11 p. 83, 648 (1999). 612-13. [11] W. Tittel, H. Zbinden and N. Gisin Phys. Rev. A 63, [2] G. R. Blakley in Proceedings of the National Computer 042301 (2001). Conference 48 pp 313-317. [12] Y.-A.Chen et al., Phys.Rev.Lett. 95, 200502 (2005). [3] C. Bennett and G. Brassard in Proceedings of IEEE In- [13] S. Gaertner, C. Kurtsiefer, M. Bourennane and H. We- ternational Conference onComputers, Systems, andSig- infurter Phys. Rev.Lett. 98, 020503 (2007). nal Processing (Bangalore, India 1984) p.175. [14] C. Schmidt et al.,Phys. Rev.Lett. 95, 230505 (2005). [4] N. Gisin, G. Ribordy, W. Tittel and H. Zbinden, Rev. [15] S-J.Qin,F.Gao, Q-Y.WenandF-C.ZhuPhys.Rev.A Mod. Phys. 74, 145 (2002). 76, 062324 (2007). [5] D. M. Greenberger, M. A. Horne, and A. Zeilinger, in [16] G.-P.HePhys.Rev.Lett.98,028901(2007);forthereply Bell’s Theorem, Quantum Theory, and Conceptions of see S. Christian, P. Trojek, M Bourennane, et al. Phys. the Universe, edited by M. Kafatos (Kluwer Academic, Rev. Lett.98, 028902 (2007). Dordrecht, 1989); D. M. Greenberger, M. A. Horne, A. [17] T.Durt,B-G.Englert,I.BengtssonandZ˙yczkowskiInt. Shimony, and A. Zeilinger, 1990, Am. J. Phys. 58, 1131 J. QuantumInformation, 8, 535-640 (2010). (1990). [18] W. K. Wootters and B. D. Fields Ann. Phys. 191, 363- [6] M. Zukowski, A. Zeilinger, M.A. Horne, H. Weinfurter, 381 (1989). Acta Phys. Pol. 93, 187 (1998) (Proceedings of Inter- [19] A. K. Ekert,Phys. Rev.Lett. 67, 661 (1991). national Conference on Quantum Optics IV, Jaszowiec, [20] I. D. IvanovicJ. Phys. A 14, 3241 (1981). Poland, June 17-24, 1997) [21] N. J. Cerf, M. Bourennane, A. Karlsson and N. Gisin [7] M. Hillery, V. Buˆzek and A. Berthiaume Phys. Rev. A Phys. Rev.Lett. 88, 127902 (2002). 59, 1829 (1999). [22] G.-P. He and Z.D. Wang Quant. Inf. Comput. 10, 28 [8] A. Sen De, U. Sen and M. Zukowski Phys. Rev. A 68, (2010). 032309 (2003). [23] J-W. Pan, Z-B. Chen, C-Y. Lu, H. Weinfurter, A. [9] I-C. Yu, F-L. Lin and C-Y. Huang Phys. Rev. A 78, Zeilinger, and M. ukowski, Rev. Mod. Phys. 84, 777 012344 (2008). (2012). [10] R. Cleve, D. Gottesman and H-K. Lo, Phys. Rev. Lett.

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.