Eavesdropping on Multiparty Quantum Secret Sharing Scheme Based on the Phase Shift Operations

Abstract

In a recent paper (Du and Bao in Opt. Commun. 308:159, 2013), a scheme of multiparty quantum secret sharing based on the phase shift operations was presented. We study the security of this scheme and find that it is not secure for dishonest participants, who can illegally elicit all of the dealer’s secret message without any error.

1 Introduction

Quantum secret sharing (QSS) allows that a secret message is splitted into several pieces by a dealer (Alice), and each participant (Bob _i , 1≤i≤n) owns a piece, and no subset of participants can be sufficient to extract the dealer’s secret message, but the whole set can. In 2007, Zhang et al. proposed a multiparty QSS scheme (ZGW scheme) [1] based on Einstein-Podolsky-Rosen (EPR) pairs and the five local unitary operations, which is more efficient and more feasible than the previous schemes. However, Lin et al. [2] showed that the last participant may solely obtain half of Alice’s secret messages without introducing any error, moreover, they gave an improvement of ZGW scheme. Later on, Wang et al. [3] claimed that the three-party case in Lin et al. improved scheme [2] is secure, and pointed out that the n-party (n≥4) case is not secure. In the n-party case, Wang et al. showed that the first participant and the last participant may collaborate to eavesdrop Alice’s secret messages without any error. In 2011, Gao [4] further studied the security of the improved n-party QSS scheme [2], and proposed an interesting attack on it. The attack given by Gao can obtain the entire secret, but it will introduce 25 % error rate [5]. Based on analyzing the reasons that make these schemes insecure, some possible improvements on the ZGW scheme have been proposed, i.e., ZGW-style schemes. In all the ZGW-style schemes, there are mainly Lin et al. improved scheme (Lin scheme) [2] and Gao modified scheme (Gao scheme) [4], by increasing the sample photons detections between the dealer and participants to improve the authentication of quantum channels. By contrast, Gao scheme is more secure than Lin scheme because of increasing the detection between Alice and Bob _n (the last participant).

Recently, Du and Bao [6] presented a novel collective eavesdropping attack strategy on Gao scheme. That is, Gao scheme can be successfully attacked by the first participant and the last two participants. They can obtain the entire secret messages without introducing any error, by attacking different photons from different participants separately. The strategy is also valid [6] to other ZGW-style schemes. Furthermore, they proposed a further improved multiparty QSS scheme (DB scheme) based on the 3-element phase shift operations set {U(0),U(2π/3),U(4π/3)}. It is claimed that DB scheme can resist not only the existing attacks on ZGW-style schemes, but also the Du and Bao collective eavesdropping attack strategy.

Cryptanalysis always plays an important role in the development of cryptography as pointed out by Gao et al. [7]. Up to now, quite a few effective attack strategies have been proposed in the study of quantum cryptography, such as the correlation-extractability attack [8], the intercept-resend attack [9], the entanglement swapping attack [10], and the participant attack [11] et al. Moreover, Qin et al. [11] pointed out that the attack power of dishonest participants is much stronger than outside eavesdroppers. In this paper, we study the security of DB scheme [6] and find that it is not secure against inside dishonest participants’ attacks.

2 The DB Scheme

Let us give a brief description of DB scheme [6] as follows (Fig. 1).

1. (1)

   Bob₁ prepares a photon pair |φ〉 _ts randomly in one of four Bell states, i.e. \(|\phi^{\pm}\rangle =\frac{1}{\sqrt{2}}(|00\rangle\pm|11\rangle)\), \(|\psi^{\pm}\rangle=\frac {1}{\sqrt{2}}(|01\rangle\pm|10\rangle)\). Then he stores the photon s in his lab and sends the other photon t to Bob₂.

2. (2)

   After receiving the photon t, Bob₂ ascertains whether the received photon is a single photon. If it is not a single photon, he aborts the communication; otherwise, he performs the local operation U(α ₂) on the photon t, which is chosen randomly from the 3-element phase shift operations set {U(0),U(2π/3),U(4π/3)}. Here U(α)=cosα|0〉〈0|−sinα|0〉〈1|+sinα|1〉〈0|+cosα|1〉〈1|, \(\alpha\in\{0,\frac{2\pi}{3},\frac{4\pi }{3}\}\). Then Bob₂ sends the photon t to Bob₃.

   Bob _i (i=3,4,…,n) does the similar procedure as Bob₂ till Bob _n finishes his operation. At last, Bob _n sends the photon t to Alice.

3. (3)

   After receiving the photon t, Alice firstly confirms whether it is a single photon like Bob₂. Then she randomly switches between the control mode and the message mode. In the control mode, Alice randomly selects one action from the two choices: One is that she lets Bob₁ randomly use the measuring basis Z={|0〉,|1〉} or X={|+〉,|−〉} to measure the photon s, and then tell her his measurement outcome and the initial Bell state. Then Alice requires other participants to announce their unitary operations. The other is that she first lets Bob₂, Bob₃,…,Bob _n announce their operations. She then asks Bob₁ to perform a measurement on the photon s and tell her his measurement outcome and the initial Bell state. Next, Alice uses correct measuring basis to measure the photon t. By comparing her measurement outcome with the deduced outcome, Alice can judge whether the quantum channel is secure. If the quantum channel is attacked, the communication is aborted. Otherwise, the transmission goes on to Step (1). In the message mode, Alice encodes the secret by performing the Pauli operation on the photon t, according to the following definitions: I(σ _x ,σ _z ,iσ _y ) corresponds to two classical bits 00(10, 01, 11). After her encoding, Alice sends all the t-photons of message mode as a sequence (t-sequence) to Bob₁ in one communication.

4. (4)

   After receiving the t-sequence, all the participants can recover the secret by collaborating together: Bob₁ (or the other participant) collects all the participants’ messages of operations, to deduce the compound operations and the correct measuring bases on these photons, and then he measures the pairs of photons in the corresponding positions of t-sequence and s-sequence to deduce the secret of Alice.

5. (5)

   At last, Alice announces a small part of the secret to participants to judge whether the t-sequence has been attacked. If it has, the eavesdropper cannot gain any useful information but destroy the communication.

Fig. 1

The structure of DB scheme. ∘−• denotes the Bell state |φ〉 _ts prepared by Bob₁, of which the left one is photon s, and the right one is photon t

3 Security Leak of the DB Scheme

In DB scheme [6], Bob₂,Bob₃,…,Bob _n change their operations from the unitary operations set {I,σ _x ,σ _z ,iσ _y ,H} into the 3-element phase shift operations set {U(0),U(2π/3),U(4π/3)} to resist the collective attack from the dishonest participants. By declaring false unitary operations on photon t by dishonest participants, Du and Bao [6] claimed that the collective attack strategy cannot escape from the eavesdropping detection.

However, there is a concealed condition in the Du and Bao attack strategy. That is, Bob₁ can only perform passive attacks in the eavesdropping process. For instance, Bob₁ only transfers his received false photons to Bob _n−1 in the message mode. In fact, it is entirely possible for Bob₁ to perform active attacks, such as telling Alice a false initial state or sending a false photon to Alice in DB scheme. If Bob₁ only tells Alice the false initial state, the last two participants (Bob _n−1 and Bob _n ) can perform the intercept-and-resend attack to all photons, and tell lies based on entanglement swapping in the control mode. Finally, they can associate with Bob₁ to illegally elicit all of Alice’s secret message without introducing any error, although the operations set is changed. The attack strategy is labeled by the collective eavesdropping attack strategy (Fig. 2). If Bob₁ tells Alice the false initial state and sends her false photons, he can solely perform the intercept-and-resend attack to all photons. Then, Bob₁ can tell lies based on entanglement swapping in the control mode. Finally, he can illegally elicit all of Alice’s secret message without introducing any error. For the sake of distinction, the attack strategy is called the individual eavesdropping attack strategy (Fig. 3). In fact, the two attack strategies are all based on the entanglement swapping, which are similar to each other. To be precise, the second strategy can replace the first one completely.

Fig. 2

The schematic diagram of the collective eavesdropping attack strategy

Fig. 3

The schematic diagram of the individual eavesdropping attack strategy

So the DB QSS scheme [6] is still not secure. In what follows, we will analyze in detail why it isn’t secure.

3.1 The Collective Eavesdropping Attack Strategy

According to Step (1), Bob _i performs the local operation U(α _i ) on the photon t and sends it to Bob _i+1, where 2≤i≤n−2. After receiving the photon t, Bob _n−1 performs the local operation \(U(\alpha_{n-1}^{1})\) on the photon t. For the purpose of our discussion, let U(θ′)=U(α _n−2)⋯U(α ₃)U(α ₂), \(U(\theta)=U(\alpha _{n-1}^{1})U(\theta')\), and Bob _n−1 prepares one EPR photon pair |φ〉 _t′s′ randomly from four Bell states in advance. Then Bob _n−1 stores t and replaces it by the photon t′ from |φ〉 _t′s′. He sends t′ to Bob _n . After receiving the photon t′, Bob _n performs no operation on it. At last, Bob _n sends the photon t′ to Alice.

When Alice is in the control mode, Bob _n−1 performs the Bell measurement on the photon t and photon s′. Suppose that |ψ〉 _ts =(U(θ)⊗I)|φ〉 _ts is the new entanglement state after the Bob _n−1’s operation. Obviously,

$$\begin{aligned} |\psi\rangle_{ts}\in\bigl\{ \big|\phi^{\pm}\big\rangle ^{0},\big| \phi^{\pm}\big\rangle ^{2\pi/3},\big|\phi^{\pm}\big\rangle ^{4\pi/3}; \big|\psi^{\pm}\big\rangle ^{0},\big|\psi^{\pm}\big\rangle ^{2\pi/3},\big| \psi^{\pm}\big\rangle ^{4\pi/3}\bigr\} . \end{aligned}$$

(1)

Here,

$$\begin{aligned} \big|\phi^{\pm}\big\rangle ^{0}=\bigl(I\otimes U(0)\bigr)\big| \phi^{\pm}\big\rangle , \big|\phi^{\pm}\big\rangle ^{2\pi/3}=\bigl(I\otimes U(2\pi/3)\bigr)\big|\phi^{\pm}\big\rangle , \end{aligned}$$

$$\begin{aligned} \big|\phi^{\pm}\big\rangle ^{4\pi/3}=\bigl(I\otimes U(4\pi/3)\bigr)\big| \phi^{\pm}\big\rangle ; \big|\psi^{\pm}\big\rangle ^{0}=\bigl(I\otimes U(0)\bigr)\big|\psi^{\pm}\big\rangle , \end{aligned}$$

$$\begin{aligned} \big|\psi^{\pm}\big\rangle ^{2\pi/3}=\bigl(I\otimes U(2\pi/3)\bigr)\big|\psi^{\pm}\big\rangle , \end{aligned}$$

$$\begin{aligned} \big|\psi^{\pm}\big\rangle ^{4\pi/3}=\bigl(I\otimes U(4\pi/3)\bigr)\big| \psi^{\pm}\big\rangle \end{aligned}$$

and

$$\begin{aligned} U(2\pi/3)U(4\pi/3)=U(4\pi/3)U(2\pi/3)=U(0), \\ \bigl(U(2\pi/3)\bigr)^{3}=\bigl(U(4\pi/3)\bigr)^{3}=U(0); \end{aligned}$$

$$\begin{aligned} \bigl\{ \big|\phi^{\pm}\big\rangle ^{0},\big|\psi^{\pm} \big\rangle ^{0}\bigr\} , \bigl\{ \big|\phi^{\pm}\big\rangle ^{2\pi/3},\big| \psi^{\pm}\big\rangle ^{2\pi/3}\bigr\} , \bigl\{ \big|\phi^{\pm} \big\rangle ^{4\pi/3},\big|\psi^{\pm}\big\rangle ^{4\pi/3}\bigr\} \end{aligned}$$

are orthonormal basis respectively.

Based on the principle of entanglement swapping,

$$\begin{aligned} |\psi\rangle_{ts}\otimes|\varphi\rangle_{t's'}\mapsto(I \otimes U)|\varphi\rangle_{ts'}\otimes(I\otimes U)|\psi \rangle_{t's} \end{aligned}$$

(2)

where U∈{I,σ _x ,iσ _y ,σ _z }, the photon t′ and photon s will establish the new entanglement state |ψ′〉 _ts .

Suppose that Bob _n−1’s Bell state measurement outcome on photons t and s′ is (I⊗U)|φ〉 _ts′. Bob _n−1 makes a comparison for (I⊗U)|φ〉 _ts′ and |φ〉 _t′s′, and gets the unitary operation U. This kind of Bell state comparison method and its comparison steps can be consulted in the paper [12]. According to Eq. (2), photons t′ and s must be in |ψ′〉 _ts =(I⊗U)|ψ〉 _t′s =(U(θ)⊗U)|φ〉 _ts , which is the real shared state between Alice and Bob₁. Bob _n−1 tells Bob₁ the unitary operation U. Bob₁ uses {|0〉,|1〉} or {|+〉,|−〉} to measure the photon s and tells Alice his single-qubit measurement outcome. According to Step (3), Bob₁ still needs to tell Alice his initial Bell state. In order that Bob _n−1’s replacing trick is not detected by Alice, Bob₁ may not directly say that the initial Bell state is |φ〉 _ts , but should tell the lie that it is (I⊗U)|φ〉 _ts (U is just the gotten operator that Bob _n−1 makes the Bell state comparison). At that time, Bob _n−1 declares he performed \(U(\alpha_{n-1}^{2})\) and Bob _n declares U(α _n ) operation, which satisfy

$$\begin{aligned} U(\alpha_{n})U\bigl(\alpha_{n-1}^{2}\bigr)=U\bigl( \alpha_{n-1}^{1}\bigr), \alpha_{n-1}^{2}, \alpha_{n}\in\{0,2\pi/3,4\pi/3\}. \end{aligned}$$

(3)

So, Bob _n−1’s replacing action will not be detected by Alice.

Next, we prove that there is no probabilistic error of the collective eavesdropping attack. Continuing to analyze, the key reason will be obtained. We know that Alice deduces |φ〉 _ts′ from the information published by Bob₁,Bob₂,…,Bob _n . Only if it is satisfied the following two conditions, Bob _n−1’s replacing trick cannot be detected by Alice. The one condition is that the deduced state by Alice satisfies Eq. (1), and the other condition is that Alice’s deducing state and (U(θ)⊗U)|φ〉 _ts are the same state. From the above content, Alice can obtain the initial state published by Bob₁ is (I⊗U)|φ〉 _ts , and the operations published by Bob _n−1 is \(U(\alpha_{n-1}^{2})\) and Bob _n is U(α _n ) respectively. If the compound operation of other participants is U(θ′), Alice can only deduce as follows:

$$\begin{aligned} |\varphi\rangle_{ts} \mapsto&\bigl(U(\alpha_{n})U\bigl( \alpha_{n-1}^{2}\bigr)U\bigl(\theta'\bigr)\otimes I\bigr) (I\otimes U)|\varphi\rangle_{ts} \\ &{}= \bigl(U\bigl(\alpha_{n-1}^{1}\bigr)U\bigl( \theta'\bigr)\otimes U\bigr)|\varphi\rangle_{ts}= \bigl(U( \theta)\otimes U\bigr)|\varphi\rangle_{ts}. \end{aligned}$$

(4)

Using the relationships after Eq. (1), it is easy to verify that the final entanglement state (U(θ)⊗U)|φ〉 _ts satisfies Eq. (1). Moreover, the (U(θ)⊗U)|φ〉 _ts and |ψ′〉 _ts are the same state. Hence, Bob _n−1’s replacing trick does not introduce any error. Meanwhile, because Bob _n−1 has replaced all the photons by his false photons, he can associate with Bob _n and Bob₁ to get Alice’s entire secret messages. In conclusion, the main reason for the success of Bob _n−1’s replacing action is that Bob₁ knows the initial Bell state of the scheme, and can announce a false initial state according to Bob _n−1’s measurement result.

When Alice is in the message mode, she encodes her secret message by performing a unitary operation U _A ∈{I,σ _x ,iσ _y ,σ _z } on photon t′. Then, she sends photon t′ back to Bob₁. Bob₁ can associate with both Bob _n−1 and Bob _n to make Bell state measurement on photons t′ and s′, finally to deduce Alice’s secret.

Example

Suppose |φ〉 _ts =|ϕ ⁺〉, |φ〉 _t′s′=|ψ ⁺〉, |φ′〉 _ts =|φ〉 _ts′=(I⊗iσ _y )|ϕ ⁺〉=−|ψ ⁻〉, U(θ′)=I, \(U(\alpha_{n-1}^{1})=U(2\pi/3)\), and \(U(\alpha_{n})U(\alpha_{n-1}^{2})=U(2\pi/3)\), then the real entanglement state between Alice and Bob₁ should be

$$\begin{aligned} \big|\psi'\big\rangle _{ts} =&\bigl(U\bigl(\alpha_{n-1}^{1} \bigr)U\bigl(\theta'\bigr)\otimes i\sigma_{y}\bigr)| \varphi\rangle_{ts} \\ =&\frac{U(2\pi/3)\otimes i\sigma_{y}}{\sqrt{2}}\bigl(|00\rangle+|11\rangle \bigr)=-\frac{1}{\sqrt{2}}\biggl( \frac{1}{2}\big|\psi^{-}\big\rangle +\frac{\sqrt{3}}{2}\big|\phi^{+} \big\rangle \biggr). \end{aligned}$$

According to the information published by participants, Alice can only deduce the following state.

$$\begin{aligned} \bigl(U(\alpha_{n})U\bigl(\alpha_{n-1}^{2} \bigr)U\bigl(\theta'\bigr)\otimes I\bigr)\big|\varphi' \big\rangle _{ts} =&\bigl(U(2\pi/3)U\bigl(\theta'\bigr)\otimes i \sigma_{y}\bigr)|\varphi\rangle_{ts}\\ =&-\frac{1}{\sqrt{2}} \biggl(\frac{1}{2}\big|\psi^{-}\big\rangle +\frac{\sqrt{3}}{2}\big| \phi^{+}\big\rangle \biggr). \end{aligned}$$

It is easy to verify that |ψ′〉 _ts conforms to the constraint of Eq. (1). Moreover, the real entanglement state |ψ′〉 _ts between Alice and Bob₁ and the deduced state from Alice are all equivalent to \(\frac{1}{2}|\psi^{-}\rangle +\frac{\sqrt{3}}{2}|\phi^{+}\rangle\). In a word, Bob _n−1’s replacing action will not be detected by Alice.

When the message mode is switched into, since Alice doesn’t know that a replacing trick has been done by dishonest participants, she encodes her secret messages by performing a unitary operation on the received photon t′. Suppose that Alice encodes the secret message by performing the operation U _A =σ _z on photon t′, then the final entanglement state should be

$$ (\sigma_{z}\otimes I)|\varphi\rangle_{t's'}=\big| \psi^{-}\big\rangle _{t's'}. $$

(5)

After Bob₁ receives photon t′, he performs a Bell state measurement on photons t′ and s′. Bob _n−1 tells Bob₁ the initial state of photons t′ and s′, he very easily gets the operation U _A =σ _z which represents Alice’s secret message “01”.

3.2 The Individual Eavesdropping Attack Strategy

The DB scheme [6] reduces two detections of sample photons compared with the Gao scheme [4], in order to decrease the numbers of message communications and quantum states preparations. In this case, we will show that Bob₁ may solely obtain the entire of Alice’s secret messages without the other participants’ help.

In advance, Bob₁ prepares two EPR photon pairs. Suppose that one pair is in |ϕ ⁻〉 _ts and the other |ψ ⁺〉 _t′s′. According to Step (1), Bob _i sends photon t to Bob _i+1. After receiving photon t, Bob _i+1 performs one local operation U(α _i )∈{U(0),U(2π/3),U(4π/3)} on it. Here, 1≤i≤n−1. Finally, Bob _n sends photon t to Alice. When photon t is traveling between Bob _n and Alice, Bob₁ intercepts it, and stores it well. At the same time, Bob₁ sends photon t′ (that is from |ψ ⁺〉 _t′s′), instead of photon t, to Alice. Alice randomly switches the control mode and the message mode. In the control mode, when Alice requires Bob₁ to make single-photon measurement on photon s, Bob₁ immediately makes Bell state measurement on photons s and s′. Obviously, this is the entangle swapping process of Bell states. Suppose that the operation performed by Bob₂,Bob₃,… , and Bob _n is U(2π/3)=U(α _n )⋯U(α ₂), then the whole system state can be written as follows:

$$\begin{aligned} &|\phi^{-}\rangle_{ts}\otimes|\psi^{+} \rangle_{t's'} \\ &\quad\rightarrow\bigl(U(2\pi/3)\otimes I\bigr)| \phi^{-}\rangle_{ts}\otimes|\psi^{+} \rangle_{t's'} \\ &\quad\quad= \frac{1}{2}\biggl[|\phi^{+}\rangle_{ss'}\biggl( \frac{1}{2}|\psi^{-}\rangle+ \frac{\sqrt{3}}{2}|\phi^{+} \rangle\biggr)_{tt'} +|\phi^{-}\rangle_{ss'}\biggl( \frac{1}{2}|\psi^{+}\rangle-\frac{\sqrt{3}}{2}|\phi^{-} \rangle\biggr)_{tt'} \\ &\quad\qquad{}+|\psi^{+}\rangle_{ss'}\biggl(\frac{1}{2}| \phi^{-}\rangle+\frac{\sqrt{3}}{2}|\psi^{+}\rangle \biggr)_{tt'} +|\psi^{-}\rangle_{ss'} \biggl( \frac{1}{2}|\phi^{+}\rangle-\frac{\sqrt{3}}{2}|\psi^{-} \rangle\biggr)_{tt'}\biggr]. \end{aligned}$$

(6)

Suppose that Bob₁’s Bell state measurement outcome on photons s and s′ is |ψ ⁻〉 _ss′. According to Eq. (6), photons t and t′ must be in \((\frac{1}{2}|\phi^{+}\rangle-\frac {\sqrt{3}}{2}|\psi^{-}\rangle)_{tt'}\). Next, Bob₁ makes a comparison for |ψ ⁻〉 _ss′ and |ψ ⁺〉 _t′s′, and gets the unitary operation U=σ _z . After making Bell state measurement, Bob₁ uses {|0〉,|1〉} or {|+〉,|−〉} to measure photon t and tells Alice his single-qubit measurement outcome. According to Step (3), Bob₁ still needs to tell Alice his initial Bell state. In order that his replacing trick is not detected by Alice, Bob₁ may not directly say that the initial Bell state is |ψ ⁺〉 _t′s′, but should tell the lie that it is (I⊗σ _z )|ψ ⁺〉 _t′s′=|ψ ⁻〉 _t′s′. So his replacing action will not be detected by Alice.

As for the other Bell states that Bob₁’s measurement outcomes on photons s and s′ are, the law exists as of old. So Bob₁ may evade Alice’s security-check successfully in the case that Bob₂,Bob₃,… , and Bob _n ’s compound operation is U(2π/3). Similarly, if the compound operation is U(0) or U(4π/3), Bob₁’s replacing trick is also feasible. In a word, no matter what Bob₂,Bob₃,… , and Bob _n ’s operation is, Bob₁’s replacing trick is not detected by Alice in the control mode [4].

When the message mode is switched into, since Alice doesn’t know that Bob₁ has done the replacing trick and regards photon t′ as photon t as of old, she encodes her secret messages by performing a unitary operation U _A ∈{I,σ _x ,iσ _y ,σ _z } on photon t′. Then she sends photon t′ back to Bob₁. Bob₁ very easily gets Alice’s secret messages by making Bell state measurement on photons s′ and t′ without other participants’ help.

4 Conclusions

In summary, we have shown that the multiparty quantum secret sharing scheme [6] based on the 3-element phase shift operations is not secure against the collective eavesdropping attack strategy and the individual eavesdropping attack strategy. We hope that these problems are noticed in the following research.