Optics Communications 284 (2011) 1468–1471

Contents lists available at ScienceDirect

Optics Communications

j ourna l homepage: www.e lsev ie r.com/ locate /optcom

An enhancement on Shi et al.'s multiparty quantum secret sharing protocol

Jason Lin, Tzonelih Hwang ⁎National Cheng Kung University, Department of Computer Science and Information Engineering, No.1, University Road, Tainan City 701, Taiwan, ROC

⁎ Corresponding author.E-mail address: hwangtl@ismail.csie.ncku.edu.tw (T

0030-4018/$ – see front matter © 2010 Elsevier B.V. Adoi:10.1016/j.optcom.2010.10.095

a b s t r a c t

a r t i c l e i n f o

Article history:Received 29 July 2010Received in revised form 28 October 2010Accepted 29 October 2010

Keywords:Quantum secret sharingBell measurementsEntanglement swapping

Recently, Shi et al. proposed a multiparty quantum secret sharing (QSS) using Bell states and Bellmeasurements. In their protocol, for sharing two classical bits, all parties have to possess two photons afterentanglement swapping. This paper proposes an enhancement of Shi et al.'s protocol. Based on the idea thatall parties (except dealer) possess two photons to share two classical bits, the qubit efficiency has furtherimproved by removing the photons the dealer has to hold in Shi et al.'s protocol. Moreover, an insider attack isalso prevented in the proposed scheme.

. Hwang).

ll rights reserved.

© 2010 Elsevier B.V. All rights reserved.

1. Introduction

Quantum secret sharing (QSS) is an important branch of quantumcryptography. The main idea of QSS is to distribute a dealer's secretamong many agents in such a way that the secret could be recoveredonly when enough agents collaborate together. Since the first QSSscheme was proposed by Hillery et al. in 1999 [1], many other QSSschemes [2–11] have also been proposed.

Recently, Shi et al. [14] proposed a multiparty QSS scheme basedon the entanglement swapping of Einstein–Podolsky–Rosen (EPR)pairs. In their scheme, in order to share two classical bits among nagents, the dealer needs to prepare (n+1) EPR pairs as quantumresources. The agents are not required to prepare any entangled statesor perform any local unitary operation. They only need to perform Bellmeasurements to obtain the shadows of the secret. Moreover, noclassical information exchanges are required in the protocol except foreavesdropping checks. Since the EPR pairs are easily generated in theexperiment than Greenberger–Horne–Zeilinger (GHZ) states [12,14],Shi et al.'s scheme is more convenient than [13] in the practicalapplication.

Unfortunately,Wanget al. [15] pointedout that Shi et al.'smultipartyQSS is insecure against a collusion attack, inwhich twodishonest agentscan recover thedealer's secretwithout thehelp of the other agents. Theyalso provide a solution to remedy that weakness.

This studyproposes amore efficientmultipartyQSS by inheriting theadvantages of [14,15]. In contrast to [14,15] that need to use (n+1) EPRpairs to share two classical bits among n agents, by observing theproperty of entanglement swappingof EPRpairs, this study shows thatnEPR pairs are enough to carry out the work. Furthermore, the collusionattack in [14] is also avoided in the newly proposed scheme.

The rest of the paper will be constructed as follows: Section 2 givesa brief review of Shi et al.'s multiparty QSS protocol. Section 3 givesdetails of the improved multiparty QSS protocol and analyzes itssecurity. Section 4 discusses the qubit efficiency comparison betweenShi et al.'s and the proposed scheme. At last, a short conclusion will begiven in Section 5.

2. Review of Shi et al.'s multiparty QSS protocol

In this section, a brief review of Shi et al.'s scheme [14] is given. Athree-party scenario of QSS is considered as follows. Suppose Alice isthe dealer who wants to share 2N-bit secret key KA among two agents(say Bob and Charlie). KA can be recovered by Bob and Charliecollaborating together. On the other hand, Bob or Charlie cannot getthe secret key alone. The process of Shi et al.'s protocol can be depictedin the following steps (see also Fig. 1):

Step 1. Alice prepares 3N EPR pairs all in jϕþ⟩ = 1ffiffi2

p j00⟩+ j11⟩ð Þ.She divides the EPR pairs into N groups, and each group contains threeEPR pairs (i.e., |ϕ+⟩A1B1

, |ϕ+⟩B2C1, |ϕ+⟩C2A2

). Every three EPR pairs canshare two classical bits among three parties. Therefore, Alice furtherdivides these EPR particles into six sequences as follows:

P1 A1ð Þ; P2 A1ð Þ; :::; PN A1ð Þ½ �;P1 A2ð Þ; P2 A2ð Þ; :::; PN A2ð Þ½ �;P1 B1ð Þ; P2 B1ð Þ; :::; PN B1ð Þ½ �;P1 B2ð Þ; P2 B2ð Þ; :::; PN B2ð Þ½ �;P1 C1ð Þ; P2 C1ð Þ; :::; PN C1ð Þ½ �;P1 C2ð Þ; P2 C2ð Þ; :::; PN C2ð Þ½ �;

which are denoted as SA1, SA2

, SB1, SB2

, SC1, and SC2

, respectively.

Step 2. Alice prepares four checking sets (DB1, DB2

, DC1and DC2

) ofdecoy photons randomly chosen from |0⟩, |1⟩, |+ ⟩, and |−⟩, wherej+⟩ = 1ffiffi

2p j0⟩+ j1⟩ð Þ and j−⟩ = 1ffiffi

2p j0⟩− j1⟩ð Þ. Then, she inserts all

Fig. 1. The scenario of Shi et al.'s three-party QSS protocol.

1469J. Lin, T. Hwang / Optics Communications 284 (2011) 1468–1471

decoy photons DB1(DB2

, DC1, DC2

) into SB1(SB2

, SC1, SC2

) in randompositions, respectively. The new sequences are denoted as SB1

* , SB2* , SC1

* ,and SC2

* , respectively.

Step 3. Alice retains the sequences SA1and SA2

to herself and sendsthe two sequences SB1

* and SB2* to Bob, and the two sequences SC1

* and SC2*

to Charlie.

Step 4. After confirming that both Bob and Charlie have received thetwo sequences, Alice announces the positions and the measurementbases of decoy photons DB1 (DB2) to Bob and DC1

(DC2) to Charlie,

respectively. Bob and Charlie measure the corresponding checking setsand tell Alice theirmeasurement results. By comparing themeasurementresults, Alice can tell whether an eavesdropper exists or not. If there is noeavesdropper, then continue the next step, otherwise Alice has to abortthis scheme and start it over again.

Step 5. Alice, Bob and Charlie use Bell basis to measure their ithtwo-particle pairs (Pi(A1), Pi(A2)), (Pi(B1), Pi(B2)), and (Pi(C1), Pi(C2)),respectively, for i=1, 2,..., N. There are four kinds of measurement

result in Bell state, which are |ϕ+⟩, jϕ−⟩ = 1ffiffi2

p j00⟩− j11⟩ð Þ� �

,

jψþ⟩ = 1ffiffi2

p j01⟩+ j10⟩ð Þ� �

, and jψ−⟩ = 1ffiffi2

p j01⟩− j10⟩ð Þ� �

. Each Bell

state can imply two bits of classical information, which are |ϕ+⟩, |ϕ−⟩,|ψ+⟩, and |ψ−⟩ that represent “00”, “01”, “10”, and “11”, respectively.After Bell measurement, Alice, Bob and Charlie transformed theirmeasurement result sequences to the classical bit strings KA, KB and KC,whereKA is the secret key of Alice, andKB andKC are the shadowkeys ofKA possessed by Bob and Charlie, respectively. Under the cooperationof Bob and Charlie, Alice's KA can be recovered by the relationship ofKA=KB⊕KC.

Shi et al.'s scheme is based on the relationship of entanglementswapping for EPR pairs. In their protocol, the dealer Alice would haveto maintain a quantummemory to store part of the photons in hands.Moreover, the protocol potentially exists an insecure problem asshown in [15]. When generalizing Shi et al.'s scheme to a multipartyscenario, the relationship of entanglement swapping has revealed aninsider attack problem [15], in which two dishonest agents are able to

Table 1The transform table of entanglement swapping Bell states [8].

Two initial Bell states

jϕþ⟩; jϕþ⟩� �

A1A2B1B2jϕ−⟩; jϕ−⟩ð Þ; jψþ⟩; jψþ⟩

� �; jψ−⟩; jψ−⟩ð Þ� �

A1A2B1B2jϕþ⟩; jϕ−⟩� �

A1A2B1B2jϕ−⟩; jϕþ⟩

� �; jψþ⟩; jψ−⟩� �

; jψ−⟩; jψþ⟩� �� �

A1A2B1B2jϕþ⟩; jψþ⟩� �

A1A2B1B2jϕ−⟩; jψ−⟩ð Þ; jψþ⟩; jϕþ⟩

� �; jψ−⟩; jϕ−⟩ð Þ� �

A1A2B1B2jϕþ⟩; jψ−⟩� �

A1A2B1B2jϕ−⟩; jψþ⟩

� �; jψþ⟩; jϕ−⟩� �

; jψ−⟩; jϕþ⟩� �� �

A1A2B1B2

collude to recover the dealer's secret. The following section will showhow to enhance the efficiency of Shi et al.'s scheme and further avoidthe insider attack.

3. The proposed QSS protocol

In this section, first a special characteristic of entanglementswappingwill be pointed out. Then, based on this special characteristic,details of the enhancement to Shi et al.'s QSS protocol are described bysteps, in which less photons are needed to share the same amount ofqubits as in Shi et al.'s protocol. Furthermore, the security analysis of theproposed QSS scheme is also given at the end of this section.

3.1. A special characteristic of entanglement swapping

Entanglement swapping is a well-known technique in quantumcryptography. The basic concept of entanglement swapping is that two ormore unrelated entangled systems (i.e., EPR or GHZ state) can build up anentanglement relationship with each other by exchanging their photons.For instance, Alice andBob are twounrelatedparties. They prepare anEPRpair randomly fromfourBell states |ϕ+⟩, |ϕ−⟩, |ψ+⟩, and |ψ−⟩, respectively,i.e., the first particle and the second particle of Alice's EPR pair are (A1 andA2) and those of Bob's are (B1 and B2). Alice exchanges her first particle(A1) of EPR pair with Bob's first particle (B1) of EPR pair. The transformtable of two initial Bell states to the two measurement results afterswapping is shown in Table 1. Using two |ϕ+⟩ as an example, thederivation of measurement results after swapping can be depicted inEq. (1). Suppose the four Bell states |ϕ+⟩, |ϕ−⟩, |ψ+⟩, and |ψ−⟩ are definedas classical bits “00”, “01”, “10”, and “11”, respectively.

A special characteristic of EPR entanglement swapping can then beobserved: the exclusive-OR result of two initial Bell states will be thesame as the exclusive-OR result of two Bell states after swapping. Forexample, suppose two initial states (|ϕ+⟩ and |ϕ+⟩) are prepared forentanglement swapping. Since |ϕ+⟩ represents “00” in classical bits,the exclusive-OR result of the two initial Bell states is “00” (i.e.,00⊕00=00). According to Table 1, the Bell measurement result oftwo |ϕ+⟩ after swapping will be one of (|ϕ+⟩, |ϕ+⟩), (|ϕ−⟩, |ϕ−⟩),(|ψ+⟩, |ψ+⟩) or (|ψ−⟩, |ψ−⟩), in which the exclusive-OR results of theclassical bits are all “00”. This characteristic of entanglementswapping further leads to an enhancement of Shi et al.'s QSS protocol.

jϕþ⟩A1A2⊗ jϕþ⟩B1B2

=1ffiffiffi2

p j00⟩+ j11⟩ð ÞA1A2⊗ 1ffiffiffi

2p j00⟩+ j11⟩ð ÞB1B2

=12

j0000⟩+ j0011⟩+ j1100⟩+ j1111⟩ð ÞA1A2B1B2

=12

j0000⟩+ j1001⟩+ j0110⟩+ j1111⟩ð ÞB1A2A1B2

=14½ jϕþ

⟩+ jϕ−⟩

� �jϕþ

⟩+ jϕ−⟩

� �

+ jψþ⟩− jψ−

⟩� �

jψþ⟩ + jψ−

⟩� �

+ jψþ⟩ + jψ−

⟩� �

jψþ⟩− jψ−

⟩� �

+ jϕþ⟩− jϕ−

⟩� �

jϕþ⟩− jϕ−

⟩� �

�B1A2A1B2

=12

jϕþ⟩ jϕþ

⟩+ jϕ−⟩ jϕ−

⟩+ jψþ⟩ jψþ

⟩− jψ−⟩ jψ−

⟩� �

B1A2A1B2

ð1Þ

After entanglement swapping Bell states

jϕþ⟩; jϕþ⟩� �

; jϕ−⟩; jϕ−⟩ð Þ jψþ⟩; jψþ⟩� �

; jψ−⟩; jψ−⟩ð Þ� �B1A2A1B2jϕþ⟩; jϕ−⟩

� �; jϕ−⟩; jϕþ⟩� � jψþ⟩; jψ−⟩

� �; jψ−⟩; jψþ⟩� �� �

B1A2A1B2jϕþ⟩; jψþ⟩� �

; jϕ−⟩; jψ−⟩ð Þ jψþ⟩; jϕþ⟩� �

; jψ−⟩; jϕ−⟩ð Þ� �B1A2A1B2jϕþ⟩; jψ−⟩

� �; jϕ−⟩; jψþ⟩� � jψþ⟩; jϕ−⟩

� �; jψ−⟩; jϕþ⟩� �� �

B1A2A1B2

Fig. 2. The basic idea of the proposed three-party QSS protocol.

1470 J. Lin, T. Hwang / Optics Communications 284 (2011) 1468–1471

3.2. The improved QSS protocol

A three-party scenario of improved Shi et al.'s QSS protocol isdescribed in details as follows (see also Fig. 2):

Step 1. Aliceprepares 2NEPRpairs randomly in four Bell states |ϕ+⟩,|ϕ−⟩, |ψ+⟩ and |ψ−⟩. She then divides these EPR pairs intoN groups, andeach group contains twoEPRpairs (e.g. |ϕ+⟩B1C2

and |ϕ−⟩B2C1).Moreover,

these EPR pairs are further divided into four sequences of photons asfollows:

P1 B1ð Þ; P2 B1ð Þ; :::; PN B1ð Þ½ �;P1 B2ð Þ; P2 B2ð Þ; :::; PN B2ð Þ½ �;P1 C1ð Þ; P2 C1ð Þ; :::; PN C1ð Þ½ �;P1 C2ð Þ; P2 C2ð Þ; :::; PN C2ð Þ½ �;

which are denoted as SB1, SB2

, SC1, and SC2

, respectively.

Step 2. Similar to [14], Alice prepares four checking sets (DB1, DB2

,DC1

and DC2) randomly chosen from |0⟩, |1⟩, |+⟩, and |−⟩ as decoy

photons. She inserts DB1(DB2

, DC1, DC2

) into SB1(SB2

, SC1, SC2

) in randompositions, respectively. The four new sequences are denoted as SB1

* , SB2* ,

SC1* , and SC2

* .

Fig. 3. (a) The multiparty QSS scenario of Shi et al.'s pro

Step 3. Similar to [14], Alice delivers SB1* and SB2

* to Bob and SC1* and

SC2* to Charlie.

Step 4. The public discussion is also the same as in [14]. After Boband Charlie receive the sequences, Alice announces the position andthe measurement bases of decoy photons. Bob and Charlie pick up thedecoy photons and perform single photonmeasurement, respectively.Then, Bob and Charlie send themeasurement results back to Alice, andshe will inform them the verification result. If the quantum channel isconfirmed to be secured, then continue the next step, otherwise Aliceaborts this protocol and restarts from Step 1.

Step 5. After the confirmation of eavesdropping check, Bob andCharlie perform Bell measurement on ith two-particle pairs (Pi(B1),Pi(B2)) and (Pi(C1), Pi(C2)), respectively, for i=1, 2,...,N. Then, Bob andCharlie transform their N measurement results into 2N classical bits,where the four Bell states |ϕ+⟩, |ϕ−⟩, |ψ+⟩, and |ψ−⟩ represent fourtwo-bit classical information “00”, “01”, “10”, and “11”, respectively.The transformed classical bits of Bob and Charlie represent theshadow keys KB and KC, respectively. The result of KB⊕KC will beAlice's shared secret. Obviously, Alice can derive the key KA based onthe EPR pairs prepared in Step 1 by observing Table 1.

The only difference between Shi et al.'s scheme and the proposedscheme is that the dealer Alice in the proposed scheme is not requiredto retain any photons, and thus the quantum memory for Alicerequired in the original scheme can be omitted here. This is due to theobservation described in Section 3.1. This difference has also broughtout an advantage that Alice can further share a predetermined keyinstead of a random key to the agents. For instance, if Alice wants toshare two bits of the classical secret key “00” between agents Bob andCharlie, she can prepare two EPR pairs all in |ϕ+⟩, in which themeasurement result after swapping will be (|ϕ+⟩, |ϕ+⟩), (|ϕ−⟩, |ϕ−⟩),(|ψ+⟩, |ψ+⟩) or (|ψ−⟩, |ψ−⟩). Moreover, since Shi et al.'s QSS schemecan be generalized to multiparty, the proposed scheme can also beextended to share secret among multiparty as shown in Fig. 3.Considering the qubit efficiency of both schemes, more details can befound in Section 4.

3.3. Security analysis

Similar to Shi et al.'s QSS protocol, the security analysis of theimproved QSS protocol is also based on the security of public

tocol; and (b) the proposed enhancement protocol.

1471J. Lin, T. Hwang / Optics Communications 284 (2011) 1468–1471

discussion. The proposed scheme can prevent an eavesdropper or thepotentially dishonest insider (e.g. Bob or Charlie) from stealinginformation about the shadow keys. Since themeasurement bases andthe positions of the decoy photons are unknown before the publicdiscussion, those who try to use the intercept-and-resend attack toread out other users' shadow keys will be detected. Therefore, theproposed QSS scheme can securely prevent any eavesdropping bythe fundamental principle of quantummechanics. Moreover, since thedealer in the proposed scheme distributes all photons to the agentswithout preserving anything, none of the agents has the potentialphotons that lead to reveal the dealer's secret. Thus, the special kind ofinsider attack pointed out in [15] is not going to work in our proposedQSS scheme.

4. Qubit efficiency

This section gives a comparison to the qubit efficiency of Shi et al.'sand the proposed scheme. According to [14], two methods ηq = qu

qtand ηt = qu

qt + cthave been used to evaluate the qubit efficiency, where

qu denotes the useful qubits (i.e., the qubits used for creating themaster key and the shadow keys), qt denotes the total number oftransmitted qubits (except the number of decoy photons), and ctdenotes the bit length for classical information exchanged (except theinformation for eavesdropping check). Based on the earlier methods,both Shi et al.'s and the proposed scheme achieve a maximum value of100%.

Another qubit efficiency ηE of a quantum protocol, defined asηE = qs

qt, where qs denotes the bit length of the dealer's shared key

(also known as the master key), and qt is the total number ofgenerated photons, is also frequently used as in [16–20]. ηE, under thisdefinition, emphasizes on computing the information each photoncontributes in average to the final shared (distributed) key in theprotocol. Under the three-party scenario of Shi et al.'s QSS scheme,two classical bits can be shared via three EPR pairs after photondistribution. Suppose that every quantum channel to each agent costs50% photons (i.e., also known as decoy photons) for eavesdroppingcheck. The protocol therefore leads to only 20% qubit efficiency(i.e., 2

2 × 3 + 2 × 2 = 15). In the proposed scheme, since two agents

perform the Bell measurements to retrieve two-bit information of theshadow key, and each quantum channel takes 50% photons foreavesdropping check, the three parties can share two classical bits ofsecret via two EPR pairs, which further leads to 25% qubit efficiency(i.e., 2

2 × 2 × 12 = 1

4).Considering themultiparty QSS scenario, the proposed scheme can

save 2N photons for sharing 2N bits of classical secret as compared toShi et al.'s scheme. More specifically, suppose the secrets are sharedamong n agents, every quantum channel to each agent costs 50%photons for eavesdropping check. For sharing 2N bits via N EPRpairs, the qubit efficiency of the proposed scheme can be expressed as12n

(i.e., 2N2N × n ×

12 = 1

2n). In contrast to Shi et al.'s protocol, since Shi

et al.'s protocol requires the dealer to possess 2N extra photons forsharing 2N bits of classical secret, the qubit efficiency hence leads to

12n + 1

(i.e., 2N2N × n+2N × 1

2 = 12n + 1). Thus, the qubit efficiency of the

proposed scheme is always2n+12n

times higher than Shi et al.'s protocol

under (n+1)-party QSS scenario.

5. Conclusions

This paper has proposed a method to enhance the qubit efficiencyof Shi et al.'s multiparty QSS protocol. Under the three-party QSSscenario, the qubit efficiency grows from 20% to 25%, which is 1.25times higher than Shi et al.'s scheme. For sharing 2N bits classicalsecret among multiparty, our proposed scheme can save 2N photonsas compared to Shi et al.'s protocol, where N is the number of sharedEPR pairs. The enhanced protocol has the same advantages as in Shi etal.'s protocol, i.e., all agents do not need to perform any local unitaryoperation, and no classical information exchanged is necessary.Moreover, the special insider attack pointed out in [15] can also beavoided in our scheme, and the quantum memory for dealer requiredin their scheme can be removed here. Therefore, the proposed QSSprotocol is more secure, efficient, and provides higher quantum bitefficiency than the original Shi et al.'s scheme.

Acknowledgements

The authorswould like to thank the anonymous reviewers for theirvery valuable comments that enhance the clarity of this paper a lot.We also like to thank the National Science Council of the Republic ofChina (Taiwan) for financially supporting this research underContract No. NSC 98-2221-E-006-097-MY3.

References

[1] M. Hillery, V. Buzek, A. Berthiaume, Physical Review A 59 (1999) 1829.[2] Gottesman Daniel, Physical Review A 61 (2000)8 id. 042311.[3] Anderson C.A. Nascimento, Mueller-Quade Joern, Imai Hideki, Physical Review A

64 (4) (Oct. 2001)8 id.042311.[4] Guo-Ping Guo, Guang-Can Guo, Physics Letters A 310 (4) (Apr. 2003) 247.[5] Yongmin Li, Kuanshou Zhang, Kunchi Peng, Physics Letters A 324 (5–6) (2004)

420.[6] Fu-Guo Deng, Hong-Yu Zhou, Gui-Lu Long, Physics Letters A 337 (4–6) (Apr.

2005) 329.[7] Zhan-jun Zhang, Zhong-xiao Man, Physical Review A 72 (2) (2005)8 id. 022303.[8] Z.J. Zhang, J. Yang, Z.X. Man, Y. Li, The European Physical Journal D 33 (1) (Mar.

2005) 133.[9] Lin Song, Gao Fei, Guo Fen-Zhuo, Wen Qiao-Yan, Zhu Fu-Chen, Physical Review A

76 (3) (2007)8 id. 036301.[10] Lian-Fang Han, Yi-Min Liu, Jun Liu, Zhan-Jun Zhang, Optics Communications 281

(9) (May 2008) 2690.[11] Tian-yin Wang, Qiao-yan Wen, Xiu-bo Chen, Fen-zhuo Guo, Fu-chen Zhu, Optics

Communications 281 (24) (Dec. 2008) 6130.[12] Mei-Yu Wang, Feng-Li Yan, Chinese Physics Letters 24 (9) (2007) 2486.[13] Ying Sun, Qiao-yan Wen, Fei Gao, Xiu-bo Chen, Fu-chen Zhu, Optics Communica-

tions 282 (17) (Sep. 2009) 3647.[14] R.H. Shi, L.S. Huang, W. Yang, H. Zhong, Optics Communications 283 (11) (Jun.

2010) 2476.[15] S.H. Wang, S.K. Chong, T. Hwang, Optics Communications 283 (21) (Jul. 2010)

4405.[16] T. Hwang, K.C. Lee, IET Information Security 1 (1) (Mar. 2007) 43.[17] J.H. Chen, K.C. Lee, T. Hwang, International Journal of Modern Physics C 20 (10)

(October 2009) 1531.[18] H.C. Shih, K.C. Lee, T. Hwang, IEEE Journal of Selected Topics in Quantum

Electronics 15 (6) (November/December 2009) 1602.[19] S.-K. Chong, T. Hwang, Optics Communications 284 (1) (January 2011) 515.[20] C.R. Hsieh, C.W. Tsai, T. Hwang, “Quantum Secret Sharing Using GHZ-like State”,

Communications in Theoretical Physics 54 (6) (December 2010) 1019.