A Kind of (t, n) Threshold Quantum Secret Sharing with Identity Authentication

Abstract

Quantum secret sharing (QSS) is an important branch of quantum cryptography. Identity authentication is a significant means to achieve information protection, which can effectively confirm the identity information of both communication parties. Due to the importance of information security, more and more communications require identity authentication. We propose a d-level $(t,n)$ threshold QSS scheme in which both sides of the communication use mutually unbiased bases for mutual identity authentication. In the secret recovery phase, the sharing of secrets that only the participant holds will not be disclosed or transmitted. Therefore, external eavesdroppers will not get any information about secrets at this phase. This protocol is more secure, effective, and practical. Security analysis shows that this scheme can effectively resist intercept–resend attacks, entangle–measure attacks, collusion attacks, and forgery attacks.

1. Introduction

Secret sharing is an important research field in cryptography. It has important applications in many aspects, such as network communication, signature checking, and identity verification. In 1979, Shamir [1] proposed the first secret-sharing protocol based on Lagrange interpolation formula. With the rapid development of quantum technology, quantum secret sharing (QSS) has also made great progress. In 1999, Hillery et al. [2] proposed the first QSS protocol using the Greenberger–Horne–Zeilinger (GHZ) state. Since then, more and more relatively complete QSS protocols [3,4,5,6,7,8,9,10,11,12,13,14,15,16,17] have been proposed by scholars. Like the $(n,n)$ threshold QSS protocol [3,4,5], the secret is divided into n parts. Only n participants can cooperate to recover the secret. However, due to practical needs and consideration of flexibility, some $(t,n)$ threshold QSS protocols [6,7,8,9,10,11,12,13,14,15,16,17] have received great attention. The secret is also divided into n parts, but t participants can recover the secret and fewer than t participants cannot recover the secret. In addition, to detect the existence of external attackers and check the integrity of internal participants, some verifiable QSS protocols [11,12,13,14,15,16,17] have been proposed. They mainly include message authentication (verify the correctness of the message) and identity authentication (verify the correctness of identity). Identity authentication is a systematic process to verify the identity of legitimate users, components and devices. Therefore, it is the security guarantee of various encryption tasks. In the identity authentication scheme, the sender registers the secret information as his identity information in the receiver’s database before communication. Afterwards, the sender proves the secret identification information to the receiver, that is, his identity information. The receiver can prove that the sender is a legitimate user before establishing the communication channel by using an authentication scheme, so he avoids the occurrence of an illegal sender. In quantum cryptography, quantum secret sharing [15,16,17], quantum key distribution [18,19,20,21], quantum secure direct communication [22,23], etc., all require identity authentication. In real life, the importance of identity authentication is also reflected everywhere.

In 2013, Yang et al. [3] constructed an QSS using entangled state and quantum Fourier transform (QFT). In 2015, Tavakoli [4] proposed a d-level QSS based on GHZ state and mutually unbiased bases. The above two schemes are $(n,n)$ threshold. In 2017, Song et al. [7] proposed a d-level $(t,n)$ threshold QSS based on Shamir’s secret-sharing scheme and the Lagrange interpolation formula. However, restricted by private secret shares, the scheme is infeasible. In 2020, Sutradhar et al. [8] proposed an QSS without credible participants. Nevertheless, in the actual process, the reconstructor needs to compare secrets and the hash value of secrets, so the reconstructor must be trustworthy. In 2020, Mashhadi [9] pointed out the problems in the protocol of Song et al. [7] and gave an improvement scheme. In this improved protocol, each participant applies the inverse quantum Fourier transform (IQFT) on its own particle. Then, each participant measures and publishes the measurement results. At this time, everyone can recover the original secret, but there is no identity authentication process in the transmission of quantum states, and we cannot guarantee that the corresponding operation is performed by the corresponding participant. In 2021, Hu et al. [17] proposed a dynamic QSS using GHZ state in a high-dimensional quantum system. In this protocol, each participant performs corresponding unitary operations according to its own measurement results.

In this paper, we overcome the above problems. The innovation of this article is to improve [8] by combining relevant knowledge. We mainly add identity authentication content to make the protocol more secure and complete. Our protocol is a d-level $(t,n)$ threshold scheme that both parties can be mutually verified. Each participant can act as a reconstructor to recover the secret. When a participant wants to recover the secret, he can cooperate with participants in an authorized subset to obtain the secret. The direct communication parties will conduct mutual identity authentication through mutually unbiased bases. After passing the authentication, other participants use direct product operation on their own particles and auxiliary particle passed by the reconstructor. Then, the reconstructor measures the final secret after performing the IQFT. Finally, he verifies whether the correct secret is obtained by comparing the secret and the hash value of the secret published by the dealer.

The rest of the article is organized as follows. In Section 2, we give the preliminary knowledge needed for this article. In Section 3, we propose a $(t,n)$ threshold quantum secret sharing scheme with identity authentication. In Section 4, we give the correctness proof of the agreement. In Section 5, we analyze the security of the protocol. In Section 6, we compare and analyze this protocol with some previous protocols. In Section 7, we give a specific example to better understand the protocol. In Section 8, we summarize the full text and draw conclusions.

2. Preliminaries

In this section, we introduce some basic knowledge needed in this article, including quantum measurement, mutually unbiased bases, QFT, IQFT, and $CNOT$ operation.

2.1. Quantum Measurement

Quantum measurement can be described based on a set of measurement operators $\left\{M_i\right\}$. These measurement operators satisfy the completeness equation:

$$\sum _i{M}_i^{†}{M}_i=1.$$

(1)

When the quantum state $\left|\phi \right.⟩$ is measured, the probability that the result is i is:

$$p(m)=\left.⟨\phi \right|M_i^{†}{M}_i\left|\phi \right.⟩.$$

(2)

After measurement, the quantum state collapses as follows:

$${\left|\phi \right.⟩}^{\prime }=\frac{M_i\left|\phi \right.⟩}{\sqrt{\left.⟨\phi \right|M_i^{†}{M}_i\left|\phi \right.⟩}}.$$

(3)

Therefore, quantum measurement will change the original state of the quantum state.

2.2. Mutually Unbiased Bases

Let d be an odd prime number and $Z_d$ be a finite field. Suppose $V_1=\{|u_i⟩{\}}_{i=1}^d$, $V_2=\{|v_j⟩{\}}_{j=1}^d$ are two sets of standard orthogonal bases on d-dimensional Hilbert space. If they satisfy:

$$|⟨u_i|v_j⟩|=\frac{1}{\sqrt{d}}.$$

(4)

Then these two groups of bases are called mutually unbiased bases. If any two sets of bases in $V=\{V_1,V_2,\cdots ,V_m\}$ are mutually unbiased, V is called mutual unbiased bases set. Additionally, there are at most $d+1$ elements in set V. Specifically, the calculation base $\{|z⟩\}$, $z\in Z_d$, is one of them. The remaining d groups can be expressed as:

$$|e_l^j⟩=\frac{1}{\sqrt{d}}\sum _{z=0}^{d-1}{\omega }^{z(l+jz)}|z⟩,$$

(5)

where $l,j\in \{0,1,\cdots ,d-1\}$, $\omega =e^{\frac{2\pi i}{d}}$, j represents the sequence of bases, and l represents vector sequence in a set of bases. They satisfy the following relation:

$$|⟨e_l^j|e_{l^{\prime }}^{j^{\prime }}⟩|=\frac{1}{\sqrt{d}},j\ne j^{\prime }.$$

(6)

Additionally, among mutually unbiased bases, the following unitary operation makes them transform each other:

$$X_d=\sum _{u=0}^{d-1}{\omega }^u|u⟩,Y_d=\sum _{u=0}^{d-1}{\omega }^{u^2}|u⟩,$$

(7)

let

$$U_{x,y}=X_d^x{Y}_d^y.$$

(8)

We have

$$U_{x,y}|e_l^j⟩=|e_{l+x}^{j+y}⟩.$$

(9)

2.3. QFT, IQFT

The QFT in the d-dimensional system can be expressed as follows:

$$F|x⟩=\frac{1}{\sqrt{d}}\sum _{y=0}^{d-1}{\omega }^{x·y}|y⟩.$$

(10)

where $\omega =e^{\frac{2\pi i}{d}}$, $x,y\in Z_d$. Similarly, the IQFT can be expressed as:

$$F^{-1}|x⟩=\frac{1}{\sqrt{d}}\sum _{y=0}^{d-1}{\omega }^{-x·y}|y⟩.$$

(11)

It is easy to know that both discrete QFT and discrete IQFT are unitary transformations. In addition, by

$$\begin{array}{c}\hfill \sum _{q=0}^{d-1}{\omega }^{sq}=\left\{\begin{array}{cc}0,\hfill & s\ne 0modd,\hfill \\ \\ d,\hfill & s=0modd,\hfill \end{array}\right.\end{array}$$

(12)

We can obtain

$$F^{-1}(F|x⟩)=|x⟩.$$

(13)

2.4. $CNOT$ Operation

$CNOT$ is a two-qubit gate. In the d-dimensional system, it can be expressed as follows:

$$CNOT(|x_1⟩,|x_2⟩)=(|x_1⟩,|x_1\oplus x_2⟩),$$

(14)

where $|x_1⟩$ is control bit, $|x_2⟩$ is the target bit, $x_1,x_2\in Z_d$.

3. Proposed Protocol

In this section, we propose a quantum secret-sharing scheme with d-level and $(t,n)$ threshold. Participants can verify each other mutually. Dealer Alice distributes secret shares among the set of participants B = {Bob${}_1$,Bob${}_2$,⋯,Bob${}_n$}. At least t participants can recover the secret. As the participants mutually verify, the protocol is more secure and practical. The entire scheme consists of three stages, namely the secret-sharing stage, identity authentication stage, and secret-recovery stage. The continuous identity authentication is included in the entire secret-recovery phase. Here, we use Figure 1 to briefly represent the entire process. The specific scheme of the protocol is shown below.

Figure 1. The process of this scheme.

3.1. Secret-Sharing Phase

In this phase, The dealer Alice performs the following operations:

(I) Alice selects a binary symmetric polynomial $F(x,y)$ of degree $(t-1)$ in the $Z_d$. The $(t-1)$ degree polynomial can be defined as:

$$F(x,y)=S+a_{10}x+a_{01}y+a_{20}{x}^2+a_{02}{y}^2+a_{11}xy+\cdots +a_{t-1,t-1}{x}^{t-1}{y}^{t-1},$$

(15)

where $Z_d$ is a finite field, S is secret, d is an odd prime number, coefficients $a_{ij}\in Z_d$, $a_{ij}=a_{ji}$, $i,j\in \{0,1,\cdots ,t-1\}$.

(II) Alice calculates polynomials F($x_i$,y) $(i=1,2,\cdots ,n)$, respectively, by (15) and sends them to the corresponding participants Bob${}_i$ through a secure classical channel, where $x_i\in Z_d$ is the public identity information of the corresponding participant Bob${}_i$ with $x_i\ne x_j$ for $i\ne j$.

(III) According to the characteristics of binary symmetric polynomials, we define the following two groups of constants:

$$k_{i,j}=F(x_i,x_j)=F(x_j,x_i)=k_{j,i},$$

(16)

$$s{k}_{i,j}=F(x_i,x_j)=F(x_j,x_i)=v{k}_{j,i}.$$

(17)

Remark 1.

Here, these four values are the same. However, in the following text, different symbols have different meanings. $k_{i,j}$ and $k_{j,i}$ represent the symmetry keys during encryption and decryption. $s{k}_{i,j}$ and $v{k}_{j,i}$ represent one’s own identity information, used to indicate one’s identity, which can be understood as one’s own signature information.

(IV) Alice chooses a one-way hash function $h()$. Then, Alice discloses the hash algorithm and hash value $H=h(S)$ of the secret S.

3.2. Secret-Recovery Phase

Suppose Bob${}_1$(reconstructor) wants to get the secret S. Then at least another $t-1$ participants need to be selected to form a qualified subset with him to jointly recover the secret S. Let us suppose B${}_1$ = {Bob${}_1$, Bob${}_2$, ⋯, Bob${}_t$} is a qualified subset from all the qualified subsets. Each participant in the set has the ability to independently produce a single photon. The corresponding participant will perform the following processes to recover the secret:

(I) Each participant Bob${}_i$, $i=(1,2,\cdots ,t)$, calculates the shadow $(S_i)$ of the share according to own polynomial and prepares computational basis state $|S_i⟩$ with d-level.

$$S_i=F(x_i,0)\prod _{j\ne i}^t\frac{x_j}{x_j-x_i}modd.$$

(18)

Remark 2.

Here, $\frac{1}{x_j-x_i}$ is the modular multiplicative inverse of the integer $(x_j-x_i)$. According to the recent literature, this calculation has a fast calculation method. We will not expand here as readers can refer to [24].

(II) Bob${}_1$ applies QFT on the computational basis state $|S_1⟩$ and gets the result $|{\varphi }_1⟩$.

$$|{\varphi }_1⟩=\mathrm{QFT}(|S_1⟩)=\frac{1}{\sqrt{d}}\sum _{k=0}^{d-1}{\omega }^{S_{1}k}|k⟩.$$

(19)

(III) Bob${}_1$ again prepares computational basis state $|0⟩$ with d-level and performs $CNOT$ operation according to $|{\varphi }_1⟩$ and $|0⟩$. $|{\varphi }_1⟩$ is the control bit and $|0⟩$ is the target bit. When the operation is completed, Bob${}_1$ obtains the entangled state $|{\varphi }_2⟩$.

$$|{\varphi }_2⟩=CNOT(|{\varphi }_1⟩,|0⟩)=CNOT(\frac{1}{\sqrt{d}}\sum _{k=0}^{d-1}{\omega }^{S_{1}k}|k⟩,|0⟩)=\frac{1}{\sqrt{d}}\sum _{k=0}^{d-1}{\omega }^{S_{1}k}{|k⟩}_H{|k⟩}_T.$$

(20)

The subscript H and T here are used to distinguish two particles.

(IV) Bob${}_1$ and Bob${}_2$ mutually conduct identity authentication:

Step 1. Bob${}_1$ prepares a d-level initial quantum state $|e_0^0⟩$, two random numbers $c_1$, $p_1$, and opens $p_1$. Bob${}_1$ performs the unitary transformation $U_{p_1,c_1}$ on the initial quantum state and obtains a new quantum state $|{\Psi }_1⟩=U_{p_1,c_1}|e_0^0⟩=|e_{p_1}^{c_1}⟩$. Then according to own polynomial $F(x_1,y)$, Bob${}_1$ can obtain $s{k}_{1,2}=F(x_1,x_2)$. Subsequently, Bob${}_1$ performs the unitary transformation $U_{s{k}_{1,2},0}$ on $|{\Psi }_1⟩$ and obtains $|{\Psi }_{1,2}⟩=|e_{p_1+s{k}_{1,2}}^{c_1}⟩$. Bob${}_1$ again determines a random moment $t_{1,2}$. Lastly, Bob${}_1$ sends messages $E_{k_{1,2}}(c_1,t_{1,2})$, which has been encrypted, and $|{\Psi }_{1,2}⟩$ to Bob${}_2$ through secure classical channel and quantum channel, respectively.

Step 2. After Bob${}_2$ receives the quantum state and encrypted information, he first calculates $v{k}_{2,1}=F(x_2,x_1)$ according to the own polynomial $F(x_2,y)$. Afterwards Bob${}_2$ performs the unitary transformation $U_{-v{k}_{2,1},0}$ on $|{\Psi }_{1,2}⟩$ and obtains $|{\Psi }_1{⟩}^{\prime }=|e_{p_1+s{k}_{1,2}-v{k}_{2,1}}^{c_1}⟩$. Then, Bob${}_2$ obtains a number pair $(c_1,t_{1,2})=D_{k_{2,1}}(E_{k_{1,2}}(c_1,t_{1,2}))$ by decrypting the received classic information. Finally, Bob${}_2$ uses the basis $\{|e_l^{c_1}⟩\}(l\in Z_d)$ to measure $|{\Psi }_1{⟩}^{\prime }$ to obtain the measurement result ${(p_1)}^{\prime }$ and compares ${(p_1)}^{\prime }$ with the published random number $p_1$. If ${(p_1)}^{\prime }=p_1$; then, Bob${}_2$ considers that all the information comes from Bob${}_1$. The identity information of Bob${}_1$ is authenticated. Otherwise, Bob${}_2$ considers that the message does not come from Bob${}_1$ or is destroyed in the middle of the process and terminates this agreement.

Step 3. After Bob${}_2$ confirms that the message originated from Bob${}_1$, he also prepares a d-level initial quantum state $|e_0^0⟩$, two random numbers $c_2$, $p_2$, and opens $p_2$. Then, Bob${}_2$ performs the unitary transformation $U_{p_2,c_2}$ on $|e_0^0⟩$ and obtains a new quantum state $|{\Psi }_{2,1}⟩=U_{p_2,c_2}|e_0^0⟩=|e_{p_2}^{c_2}⟩$. Bob${}_2$ decides another moment $t_{2,1}$ and sends encrypted message $E_{k_{2,1}}(c_2,t_{2,1})$ to Bob${}_1$. Lastly, Bob${}_2$ is ready to send $|{\Psi }_{2,1}⟩$ to Bob${}_1$ at moment $t_{2,1}$.

Step 4. Bob${}_1$ decrypts the encrypted classical information to obtain a random number pair $(c_2,t_{2,1})=D_{k_{1,2}}(E_{k_{2,1}}(c_2,t_{2,1}))$. After receiving the message particle from Bob${}_2$ at moment $t_{2,1}$, Bob${}_1$ selects the basis $\{|e_l^{c_2}⟩\}(l\in Z_d)$ to measure $|{\Psi }_{2,1}⟩$ to obtain the measurement result ${(p_2)}^{\prime }$ and compares ${(p_2)}^{\prime }$ with the published random number $p_2$. If ${(p_2)}^{\prime }=p_2$, Bob${}_1$ believes that all the information comes from Bob${}_2$ and Bob${}_2$ has received an own message. So, Bob${}_1$ will send the auxiliary state ${|k⟩}_T$ in his own hand to Bob${}_2$ through the secure quantum channel at moment $t_{1,2}$. The entire identity authentication process is shown in Figure 2 below:

Figure 2. Identity authentication process between participants in this scheme.

Remark 3.

Here, secure quantum channel refers to a quantum channel that is not subject to external interference. That is, an authenticated quantum channel. Participants can engage in quantum direct communication.

(V) After Bob${}_2$ receives ${|k⟩}_T$ at moment $t_{1,2}$, he treats ${|k⟩}_T$ as the control bit and $|S_2⟩$ as the target bit. Then, Bob${}_2$ performs controlled black box operation $C_k$ on these two quantum states, where $C_k$ can be expressed as:

$$C_k{:|k⟩}_T|S_2{⟩\to |k⟩}_T{U}^k|S_2⟩.$$

(21)

U is a linear transformation and it satisfies $U|S_2⟩={\omega }^{S_2}|S_2⟩$. That is to say, $|S_2⟩$ is an eigenvector of U with an eigenvalue of ${\omega }^{S_2}$. After performing the controlled black box operation, Bob${}_2$ next conducts the direct product operation of $|S_2⟩$ and ${|k⟩}_T$. Then, the whole quantum state system becomes $|{\varphi }_3⟩$.

$$\begin{array}{cc}\hfill |{\varphi }_3⟩& =(I\otimes I\otimes C_k)(\frac{1}{\sqrt{d}}\sum _{k=0}^{d-1}{\omega }^{S_{1}k}|k{⟩}_H{|k⟩}_T|S_2⟩)\hfill \\ \hfill & =\frac{1}{\sqrt{d}}\sum _{k=0}^{d-1}{\omega }^{S_{1}k}{|k⟩}_H{|k⟩}_T{U}^k|S_2⟩\hfill \\ \hfill & =\frac{1}{\sqrt{d}}\sum _{k=0}^{d-1}{\omega }^{S_{1}k}{|k⟩}_H{|k⟩}_T{\omega }^{S_{2}k}|S_2⟩\hfill \\ \hfill & =\frac{1}{\sqrt{d}}\sum _{k=0}^{d-1}{\omega }^{(S_1+S_2)k}{|k⟩}_H{|k⟩}_T|S_2⟩.\hfill \end{array}$$

(22)

(VI) Each participant, Bob${}_i$ and Bob${}_{i+1}$, repeat the above mutual authentication and operation process of Bob${}_1$ and Bob${}_2$. When Bob${}_2$ and Bob${}_3$ complete mutual authentication, Bob${}_2$ will send the auxiliary state ${|k⟩}_T$ in his own hand to Bob${}_3$ through the secure quantum channel at moment $t_{2,3}$. Bob${}_3$ also performs a similar controlled black box operation first. Then, he performs the direct product operation on his quantum state $|S_3⟩$ and the whole quantum system, and so on, until the last participant Bob${}_t$ completes the direct product operation. At this time, the whole quantum system becomes $|{\varphi }_4⟩$.

$$|{\varphi }_4⟩=\frac{1}{\sqrt{d}}\sum _{k=0}^{d-1}{\omega }^{({\displaystyle \sum _{i=1}^t}{S}_i)k}{|k⟩}_H{|k⟩}_T|S_2⟩|S_3⟩\cdots |S_t⟩.$$

(23)

(VII) When Bob${}_t$ completes the direct product operation, Bob${}_t$ completes the identity authentication process with Bob${}_1$ in the same way. After completing the authentication operation, Bob${}_t$ retransmits the auxiliary state ${|k⟩}_T$ back to Bob${}_1$ through a secure quantum channel. After Bob${}_1$ receives the auxiliary state ${|k⟩}_T$ again, he performs $CNOT$ operation on the two particles in his hand, where ${|k⟩}_H$ is control bit and ${|k⟩}_T$ is target bit. At this time, the whole quantum system becomes $|{\varphi }_5⟩$.

$$\begin{array}{cc}\hfill |{\varphi }_5⟩& =(CNOT(\frac{1}{\sqrt{d}}\sum _{k=0}^{d-1}{\omega }^{({\displaystyle \sum _{i=1}^t}{S}_i)k}|k{⟩}_H|k{⟩}_T))|S_2⟩|S_3⟩\cdots |S_t⟩\hfill \\ \hfill & =\frac{1}{\sqrt{d}}\sum _{k=0}^{d-1}{\omega }^{({\displaystyle \sum _{i=1}^t}{S}_i)k}{|k⟩}_H{|0⟩}_T|S_2⟩|S_3⟩\cdots |S_t⟩.\hfill \end{array}$$

(24)

(VIII) Bob${}_1$ uses computational basis to measure the quantum state ${|k⟩}_T$ which has been handled by the $CNOT$ operation. If the measurement result is $|0⟩$, Bob${}_1$ believes that his auxiliary particles have not been destroyed or replaced. Bob${}_1$ will continue to perform the following steps. Otherwise Bob${}_1$ has reason to believe that the auxiliary state is damaged or replaced during the transmission process, thus ending the entire agreement.

(IX) Bob${}_1$ applies IQFT on his first quantum state ${|k⟩}_H$ and measures the output to obtain the final secret $S^{\prime }={\displaystyle \sum _{i=1}^t}{S}_{i}modd$.

(X) Bob${}_1$ calculates $H^{\prime }=h(S^{\prime })$ according to hash function $h()$ released by Alice and compares it with public $H=h(S)$. If $H^{\prime }=H$, $S^{\prime }$, the secret obtained by Bob${}_1$ is the real secret. If not, Bob${}_1$ has reason to believe that there is at least one dishonest participant, thus terminating the agreement.

4. Correctness Analysis

In this section, we show the correctness of the protocol in the secret recovery phase through two theorems.

Theorem 1.

The sum of t shares of participants is the secret to be recovered.

Proof. 

According to the Lagrange interpolation formula, we have

$$\begin{array}{cc}\hfill {\displaystyle \sum _{i=1}^t}{S}_{i}modd& =F(x_1,0)\prod _{j=2}^t\frac{x_j}{x_j-x_1}+\cdots +F(x_t,0)\prod _{j=1}^{t-1}\frac{x_j}{x_j-x_t}modd\hfill \\ \hfill & =F(0,0)\hfill \\ \hfill & =S.\hfill \end{array}$$

(25)

□

Theorem 2.

When Bob${}_1$ applies the IQFT on the first quantum state ${|k⟩}_H$ in his hand and measures the output result, he could gobtain the secret S.

Proof. 

$$\begin{array}{cc}\hfill & \mathrm{IQFT}\otimes I(\frac{1}{\sqrt{d}}\sum _{k=0}^{d-1}{\omega }^{({\displaystyle \sum _{i=1}^t}{S}_i)k}|k{⟩}_H{|0⟩}_T)\hfill \\ \hfill =& (\frac{1}{\sqrt{d}}\sum _{k=0}^{d-1}{\omega }^{({\displaystyle \sum _{i=1}^t}{S}_i)k}\mathrm{IQFT}|k{⟩}_H{)|0⟩}_T\hfill \\ \hfill =& (\frac{1}{\sqrt{d}}\sum _{k=0}^{d-1}{\omega }^{({\displaystyle \sum _{i=1}^t}{S}_i)k}(\frac{1}{\sqrt{d}}\sum _{l=0}^{d-1}{\omega }^{-lk})|l{⟩}_H{)|0⟩}_T\hfill \\ \hfill =& (\frac{1}{d}\sum _{k=0}^{d-1}\sum _{l=0}^{d-1}{\omega }^{({\displaystyle \sum _{i=1}^t}{S}_i-l)k}){|0⟩}_T\hfill \\ \hfill =& (\frac{1}{d}\sum _{k=0}^{d-1}|{\displaystyle \sum _{i=1}^t}{S}_{i}modd{⟩}_H+\frac{1}{d}\sum _{l=0,l\ne {\displaystyle \sum _{i=1}^t}{S}_i}^{d-1}(\sum _{k=0}^{d-1}{\omega }^{({\displaystyle \sum _{i=1}^t}{S}_i-l)k}){|l⟩}_H{)|0⟩}_T\hfill \\ \hfill =& (|{\displaystyle \sum _{i=1}^t}{S}_{i}modd{⟩}_H+\frac{1}{d}\sum _{l=0,l\ne {\displaystyle \sum _{i=1}^t}{S}_i}^{d-1}{0|l⟩}_H{)|0⟩}_T\hfill \\ \hfill =& |{\displaystyle \sum _{i=1}^t}{S}_i{modd⟩}_H{|0⟩}_T\hfill \\ \hfill =& {|F(0,0)⟩}_H{|0⟩}_T\hfill \\ \hfill =& {|S⟩}_H{|0⟩}_T.\hfill \end{array}$$

(26)

□

5. Security Analysis

In this section, we analyze the security of our scheme against quantum attacks [25,26,27,28,29].

5.1. Intercept–Resend Attack

Suppose that there is an eavesdropper, Eve, who wants to steal secret information by performing an intercept–resend attack. When Bob${}_i$ communicates with Bob${}_{i+1}$, there will be three quantum states interacting through the quantum channel. They are $|{\Psi }_{i,i+1}⟩=|e_{p_i+s{k}_{i,i+1}}^{c_i}⟩$, $|{\Psi }_{i+1,i}⟩=|e_{p_{i+1}}^{c_{i+1}}⟩$, and auxiliary state ${|k⟩}_T$. When Eve intercepts $|{\Psi }_{i,i+1}⟩$ and $|{\Psi }_{i+1,i}⟩$, she needs to obtain information by measuring, but Eve does not know the measurement basis $c_i$ and $c_{i+1}$. If Eve arbitrarily chooses a set of bases to measure, the probability of success is $\frac{1}{d}$ when $d\to \infty$, $\frac{1}{d}\to 0$. Therefore, the possibility of success is negligible. Even if Eve succeeds, $|{\Psi }_{i,i+1}⟩$ and $|{\Psi }_{i+1,i}⟩$ are also just the quantum states needed for Bob${}_i$ and Bob${}_{i+1}$ to verify their identities. These two quantum states have no information about secrets. As for auxiliary state ${|k⟩}_T$, it is only the control bit in the secret recovery process and also has no information about secrets. Therefore, the intercept–resend attack is not successful.

5.2. Entangle–Measure Attack

In this attack, the eavesdropper Eve prepares an auxiliary state $|e⟩$. By using unitary transformation to entangle the auxiliary state $|e⟩$ onto the transmission particle, Eve measures the auxiliary state and compares it with the original result to obtain relevant information about the secret. In our scheme, only particle ${|k⟩}_T$ is transferred between participants in the secret recovery phase. Therefore, suppose that when Bob${}_1$ transfers particle ${|k⟩}_T$ to Bob${}_2$, Eve performs the d-level $CNOT$ operation to entangle the auxiliary state $|e⟩$ to the particle ${|k⟩}_T$. At this time, $|{\varphi }_2⟩$ becomes $|{\varphi }_2{⟩}^{\prime }$.

$$|{\varphi }_2{⟩}^{\prime }=(CNOT{(|k⟩}_T,|e⟩))|{\varphi }_2⟩=\frac{1}{\sqrt{d}}\sum _{k=0}^{d-1}{\omega }^{S_{1}k}{|k⟩}_H{|k⟩}_T|k\oplus e⟩.$$

(27)

When Bob${}_2$ completes its own operation and transfers particle ${|k⟩}_T$ to Bob${}_3$, Eve performs d-level $CNOT$ operation again. Where particle ${|k⟩}_T$ is the control bit and auxiliary state $|k+e⟩$ is target bit. At this time, $|{\varphi }_3⟩$ becomes $|{\varphi }_3{⟩}^{\prime }$.

$$\begin{array}{cc}\hfill |{\varphi }_3{⟩}^{\prime }& =(CNOT{(|k⟩}_T,|k\oplus e⟩))|{\varphi }_3⟩\hfill \\ \hfill & =\frac{1}{\sqrt{d}}\sum _{k=0}^{d-1}{\omega }^{(S_1+S_2)k}{|k⟩}_H{|k⟩}_T|S_2⟩|k\oplus k\oplus e⟩\hfill \\ \hfill & =\frac{1}{\sqrt{d}}\sum _{k=0}^{d-1}{\omega }^{(S_1+S_2)k}{|k⟩}_H{|k⟩}_T|S_2⟩|e⟩.\hfill \end{array}$$

(28)

Next, Eve obtains the result e by measuring the auxiliary state particle. She concludes that the particles transmitted between participants are the same. The particle ${|k⟩}_T$ has no information about sharing the secret. She cannot obtain any information about the secret. Therefore, the entangle–measure attack is not feasible.

5.3. Collusion Attack

In the collusion attack, some collusive participants want to obtain information about others’ sharing of secrets through cooperation. Then, they can obtain the original secret. In our protocol, the sharing of secrets is calculated by each participant Bob${}_i$ through the own share polynomial $F(x_i,y)$. Each participant only knows his own share. In addition, the sharing of secrets will not be disclosed or transferred to other participants. As a consequence, it is impossible for participants to obtain the others’ sharing of secrets. So collusive attack is not feasible.

5.4. Forgery Attack

Suppose the participant Bob${}_i$ wants to perform a forgery attack. Then, in the identity authentication phase, to prove his identity to Bob${}_{i-1}$ and Bob${}_{i+1}$, Bob${}_i$ must use the correct authentication information. He cannot use forged information, or the agreement will end early. In the secret-recovery phase, on the one hand, if Bob${}_i$ forges an auxiliary state ${{|k⟩}_T}^{\prime }$ and transmits it to Bob${}_{i+1}$, then the measurement result of Bob${}_1$ in (VIII) will not be $|0⟩$. Bob${}_1$ believes that the auxiliary state has been damaged and terminates the agreement in advance. On the other hand, if Bob${}_i$ uses his sharing of $S_i$ to forge a false computational basis state ${|S_i⟩}^{\prime }$, Bob${}_1$ will get the wrong secret $S^{\prime }$ eventually. By comparing $h(S^{\prime })\ne h(S)$, Bob${}_1$ believes that at least one participant is dishonest and ends the agreement. Therefore, our protocol can resist forgery attacks.

6. Scheme Comparison

In this section, we analyze the quantum resources needed by our protocol and compare it with some previous protocols.

The protocol of Yang et al. [3] operates in d-dimensional space; it is a $(n,n)$ threshold scheme. The scheme needs $(n-1)$ message particles and performs n number of QFT operations and n number of measure operations. It uses fewer quantum resources, but the scheme is not flexible enough. This scheme can resist any computational attack, but it cannot resist collusion attacks.

The protocol of Song et al. [7] operates in d-dimensional space, it is a $(t,n)$ threshold scheme. The secret reconstructor prepares t message particles and distributes $(t-1)$ number of them to the other participants. The reconstructor starts with an QFT. Until the other participants complete the operation, the reconstructor performs an IQFT and measures particles to obtain the secret. Finally, the reconstructor verifies it through the hash function. This protocol can resist various common attacks. However, after some calculation and analysis, due to the mutual entanglement between particles, simple IQFT cannot recover the secret.

The protocol of Sutradhar et al. [8] is d level with $(t,n)$ threshold. Using the Lagrange interpolation formula, the reconstructor first applies QFT to a particle. After each participant adds its share to the whole recovery process, the reconstructor uses the IQFT to recover the secret and measures to obtain the secret. The whole secret recovery process is repeated twice using two polynomials to restore the secret and the hash value of the secret, respectively. Through this method, the reconstructor can verify the correctness of the message. However, the protocol must require a trusted reconstructor, so the protocol can not resist collusion attack and can resist other common attacks.

The protocol of Mashhadi et al. [9] is an improvement to the protocol of Song et al. [7]. The protocol points out the inadequacy of its entanglement and proposes an improved scheme. Since the IQFT performed by the reconstructor cannot obtain the secret, t participants are required to perform IQFT in the entanglement system and summarize the measurement results to obtain the initial secret. Therefore, the protocol cannot resist intercept–resend attacks and collusion attacks.

Our protocol is also d level with $(t,n)$ threshold. The dealer uses the binary symmetric polynomial to distribute the share polynomial. Each participant can use its own share polynomial to calculate the secret share and complete the identity authentication process. The protocol uses $2t$ number of message particles to complete the mutual authentication process of both parties. Finally, the reconstructor restores the secret by performing IQFT and obtains the secret through measurement. Although our protocol uses more quantum resources, every step is necessary. The identity authentication process will make the protocol more secure and reliable. Our protocol can also resist some attacks well. The comparison of these protocols is shown in Table 1 below.

Table 1. Comparison of parameters among our protocol and previous protocols.

Protocols	Yang [3]	Song [7]	Sutradhar [8]	Mashhadi [9]	Our
$(t,n)threshold$	N	Y	Y	Y	Y
QFT	n	1	2	1	1
IQFT	-	1	2	t	1
measurement operation	n	1	2	t	$2t+1$
dimensional space	d	d	d	d	d
message particle	$n-1$	t	$t+1$	t	$3t+1$
hash function	2	2	2	2	2
intercept–resend	-	Y	Y	N	Y
entangle–measure	-	Y	Y	Y	Y
collusive attack	N	Y	N	N	Y
forgery attack	-	Y	Y	Y	Y
identity authentication	N	N	N	N	Y

7. Example

In this section, in order to better understand our protocol, we give a quantum secret sharing scheme with (4,6) threshold. In this protocol, t = 4, n = 6, d = 17, S = 2.

7.1. Secret-Sharing Phase

Alice performs the following operations:

(I) Alice selects a binary symmetric polynomial $F(x,y)$ of degree 3 in the $Z_{17}$.

$$\begin{array}{cc}\hfill F(x,y)=& 2+7x+7y+3x^2+3y^2+9xy+4x^3+4y^3+5x^{2}y+5x{y}^2\hfill \\ \hfill & +10x^{3}y+10x{y}^3+8x^2{y}^2+3x^3{y}^2+3x^2{y}^3+15x^3{y}^3,\hfill \end{array}$$

(29)

where secret S = 2.

(II) Alice calculates polynomials F($x_i$,y) $(i=1,2,\cdots ,6)$, respectively, by Equation (29) and sends them to the corresponding participants Bob${}_i$ through a secure channel, where $x_i=i$. Here, the polynomial obtained by each Bob${}_i$ is:

$$\begin{array}{cc}\hfill \mathrm{Bob}{}_1:F(1,y)& =16+14y+2y^2+15y^3;\hfill \\ \hfill \mathrm{Bob}{}_2:F(2,y)& =9+6y+y^2+3y^3;\hfill \\ \hfill \mathrm{Bob}{}_3:F(3,y)& =5+9y+y^2+7y^3;\hfill \\ \hfill \mathrm{Bob}{}_4:F(4,y)& =11+15y+3y^2+15y^3;\hfill \\ \hfill \mathrm{Bob}{}_5:F(5,y)& =16y+8y^2+15y^3;\hfill \\ \hfill \mathrm{Bob}{}_6:F(6,y)& =14+4y+12y^3.\hfill \end{array}$$

(30)

(III) According to the characteristics of binary symmetric polynomial, constants have the following relationship: $s{k}_{i,j}=v{k}_{j,i}=k_{i,j}=k_{j,i}=F(x_i,x_j)=F(x_j,x_i)$. According to the selected binary symmetric polynomial and the identity information of each participant, we can obtain:

$$\begin{array}{cc}\hfill s{k}_{1,2}=v{k}_{2,1}=k_{1,2}=k_{2,1}=F(x_1,x_2)=F(x_2,x_1)& =2;\hfill \\ \hfill s{k}_{2,3}=v{k}_{3,2}=k_{2,3}=k_{3,2}=F(x_2,x_3)=F(x_3,x_2)& =15;\hfill \\ \hfill s{k}_{3,4}=v{k}_{4,3}=k_{3,4}=k_{4,3}=F(x_3,x_4)=F(x_4,x_3)& =12;\hfill \\ \hfill s{k}_{4,1}=v{k}_{1,4}=k_{4,1}=k_{1,4}=F(x_4,x_1)=F(x_1,x_4)& =10.\hfill \end{array}$$

(31)

(IV) Alice chooses a one-way hash function $h()$. Then, Alice discloses the hash algorithm and hash value $H=h(2)$ of the secret S = 2.

7.2. Secret-Recovery Phase

Suppose Bob${}_1$(reconstructor) wants to get the secret S. Bob${}_1$ chooses Bob${}_2$, Bob${}_3$, and Bob${}_4$ to help him recover the secret. Each participant has the ability to independently produce a single photon.

(I) Each participant Bob${}_i$, $i=(1,2,3,4)$, calculates the shadow $(S_i)$ of the share according to the own polynomial $F(x_i,y)$.

$$\mathrm{Bob}{}_1:S_1=F(1,0)·\frac{2}{2-1}·\frac{3}{3-1}·\frac{4}{4-1}mod17=13.$$

(32)

Similarly, $S_2$ = 14, $S_3$ = 3, $S_4$ = 6. Then, they separately prepare a 17-level computational basis state $|13⟩$, $|14⟩$, $|3⟩$, and $|6⟩$.

(II) Bob${}_1$ applies QFT on the computational basis state $|13⟩$ and obtains the result $|{\varphi }_1⟩$.

$$|{\varphi }_1⟩=\mathrm{QFT}(|13⟩)=\frac{1}{\sqrt{17}}\sum _{k=0}^{16}{\omega }^{13k}|k⟩.$$

(33)

(III) Bob${}_1$ again prepares computational basis state $|0⟩$ with 17-levels and performs $CNOT$ operation according to $|{\varphi }_1⟩$ and $|0⟩$. $|{\varphi }_1⟩$ is the control bit and $|0⟩$ is the target bit. When the operation is completed, Bob${}_1$ obtains the entangled state $|{\varphi }_2⟩$.

$$|{\varphi }_2⟩=CNOT(|{\varphi }_1⟩,|0⟩)=CNOT(\frac{1}{\sqrt{17}}\sum _{k=0}^{16}{\omega }^{13k}|k⟩,|0⟩)=\frac{1}{\sqrt{17}}\sum _{k=0}^{16}{\omega }^{13k}{|k⟩}_H{|k⟩}_T.$$

(34)

(IV) Bob${}_1$ and Bob${}_2$ mutually conduct identity authentication:

Step 1. Bob${}_1$ prepares a 17-level initial quantum state $|e_0^0⟩$, 2 random numbers $c_1$ = 6, $p_1$ = 8, and opens $p_1$. Bob${}_1$ performs the unitary transformation $U_{p_1,c_1}=U_{8,6}$ on the initial quantum state and obtains a new quantum state $|{\Psi }_1⟩=U_{8,6}|e_0^0⟩=|e_8^6⟩$. Then, according to the own polynomial $F(1,y)$, Bob${}_1$ can obtain $s{k}_{1,2}=F(1,2)=2$. Subsequently, Bob${}_1$ performs the unitary transformation $U_{2,0}$ on $|{\Psi }_1⟩$ and obtains $|{\Psi }_{1,2}⟩=U_{2,0}|e_8^6⟩=|e_{10}^6⟩$. Bob${}_1$ again determines a random moment $t_{1,2}=9$. Lastly, Bob${}_1$ sends message $E_{k_{1,2}}(6,9)$, which has been encrypted, and $|{\Psi }_{1,2}⟩$ to Bob${}_2$ through secure classical channel and quantum channel, respectively.

Step 2. After Bob${}_2$ receives the quantum state and encrypted information, he first calculates $v{k}_{2,1}=F(2,1)=2$ according to the own polynomial $F(2,y)$. Afterwards, Bob${}_2$ performs the unitary transformation $U_{-2,0}$ on $|{\Psi }_{1,2}⟩$ and obtains $|{\Psi }_1{⟩}^{\prime }=U_{-2,0}|e_{10}^6⟩=|e_{10-2}^6⟩=|e_8^6⟩$. Then, Bob${}_2$ obtains a number pair $(6,9)=D_{k_{2,1}}(E_{k_{1,2}}(6,))$ by decrypting the received classic information. Finally, Bob${}_2$ uses the basis $\{|e_l^6⟩\}(l\in Z_{17})$ to measure $|{\Psi }_1{⟩}^{\prime }$ to obtain the measurement result ${(p_1)}^{\prime }$ and compares ${(p_1)}^{\prime }$ with the published random number $p_1=8$. If ${(p_1)}^{\prime }=8$, then Bob${}_2$ considers that all the information comes from Bob${}_1$. The identity information of Bob${}_1$ is authenticated. Otherwise, Bob${}_2$ considers that the message does not come from Bob${}_1$ or is destroyed in the middle of the process and terminates this agreement.

Step 3. After Bob${}_2$ confirms that the message originated from Bob${}_1$, he also prepares a 17-level initial quantum state $|e_0^0⟩$, 2 random numbers $c_2=5$, $p_2=12$, and opens $p_2$. Then, Bob${}_2$ performs the unitary transformation $U_{p_2,c_2}=U_{12,5}$ on $|e_0^0⟩$ and obtains a new quantum state $|{\Psi }_{2,1}⟩=U_{12,5}|e_0^0⟩=|e_{12}^5⟩$. Bob${}_2$ decides another moment $t_{2,1}=7$ and sends encrypted message $E_{k_{2,1}}(5,7)$ to Bob${}_1$. Lastly, Bob${}_2$ is ready to send $|{\Psi }_{2,1}⟩$ to Bob${}_1$ at moment $t_{2,1}=7$.

Step 4. Bob${}_1$ decrypts the encrypted classical information to obtain a random number pair $(5,7)=D_{k_{1,2}}(E_{k_{2,1}}(5,7))$. After receiving the message particle from Bob${}_2$ at moment $t_{2,1}=7$, Bob${}_1$ selects the basis $\{|e_l^5⟩\}(l\in Z_{17})$ to measure $|{\Psi }_{2,1}⟩$ to obtain the measurement result ${(p_2)}^{\prime }$ and compares ${(p_2)}^{\prime }$ with the published random number $p_2=12$. If ${(p_2)}^{\prime }=p_2=12$, Bob${}_1$ believes that all the information comes from Bob${}_2$ and Bob${}_2$ has received an own message. So, Bob${}_1$ will send the auxiliary state ${|k⟩}_T$ in his own hand to Bob${}_2$ through the secure quantum channel at moment $t_{1,2}=9$.

(V) After Bob${}_2$ receives ${|k⟩}_T$ at moment $t_{1,2}=9$, he treats ${|k⟩}_T$ as the control bit and $|S_2⟩=|14⟩$ as the target bit. He performs controlled black box operation $C_k$ on these two quantum states. After performing the controlled black box operation, Bob${}_2$ next conducts the direct product operation on $|S_2⟩=|14⟩$ and ${|k⟩}_T$. Then the whole quantum state system becomes $|{\varphi }_3⟩$.

$$\begin{array}{cc}\hfill |{\varphi }_3⟩& =(I\otimes I\otimes C_k)(\frac{1}{\sqrt{17}}\sum _{k=0}^{16}{\omega }^{13k}|k{⟩}_H{|k⟩}_T|14⟩)\hfill \\ \hfill & =\frac{1}{\sqrt{17}}\sum _{k=0}^{16}{\omega }^{13k}{|k⟩}_H{|k⟩}_T{U}^k|14⟩\hfill \\ \hfill & =\frac{1}{\sqrt{17}}\sum _{k=0}^{16}{\omega }^{13k}{|k⟩}_H{|k⟩}_T{\omega }^{14k}|14⟩\hfill \\ \hfill & =\frac{1}{\sqrt{17}}\sum _{k=0}^{16}{\omega }^{(13+14)k}{|k⟩}_H{|k⟩}_T|14⟩.\hfill \end{array}$$

(35)

(VI) Each participant Bob${}_i$ and Bob${}_{i+1}$ repeat the above mutual authentication and operation process of Bob${}_1$ and Bob${}_2$. When Bob${}_2$ and Bob${}_3$ complete mutual authentication, Bob${}_2$ will send the auxiliary state ${|k⟩}_T$ in his own hand to Bob${}_3$ through the secure quantum channel at moment $t_{2,3}=15$. Bob${}_3$ also performs a similar controlled black box operation first. Then, he performs the direct product operation on his quantum state $|S_3⟩=|3⟩$ and the whole quantum system, and so on, until the last participant Bob${}_4$ completes the direct product operation. At this time, the whole quantum system becomes $|{\varphi }_4⟩$.

$$\begin{array}{cc}\hfill |{\varphi }_4⟩& =\frac{1}{\sqrt{17}}\sum _{k=0}^{16}{\omega }^{(13+14+3+6)k}{|k⟩}_H{|k⟩}_T|14⟩|3⟩|6⟩\hfill \\ \hfill & =\frac{1}{\sqrt{17}}\sum _{k=0}^{16}{\omega }^{2k}{|k⟩}_H{|k⟩}_T|14⟩|3⟩|6⟩.\hfill \end{array}$$

(36)

(VII) When Bob${}_4$ completes the direct product operation, Bob${}_4$ completes the identity authentication process with Bob${}_1$ in the same way. After completing the authentication operation, Bob${}_4$ retransmits the auxiliary state ${|k⟩}_T$ back to Bob${}_1$ through a secure quantum channel. After Bob${}_1$ receives the auxiliary state ${|k⟩}_T$ again, he performs a $CNOT$ operation on the two particles in his hand, where ${|k⟩}_H$ is control bit and ${|k⟩}_T$ is target bit. At this time, the whole quantum system becomes $|{\varphi }_5⟩$.

$$\begin{array}{cc}\hfill |{\varphi }_5⟩& =(CNOT(\frac{1}{\sqrt{17}}\sum _{k=0}^{16}{\omega }^{2k}|k{⟩}_H|k{⟩}_T))|14⟩|3⟩|6⟩\hfill \\ \hfill & =\frac{1}{\sqrt{17}}\sum _{k=0}^{16}{\omega }^{2k}{|k⟩}_H{|0⟩}_T|14⟩|3⟩|6⟩.\hfill \end{array}$$

(37)

(VIII) Bob${}_1$ uses computational basis to measure the quantum state ${|k⟩}_T$ which has been handled by $CNOT$ operation. If the measurement result is $|0⟩$, Bob${}_1$ believes that his auxiliary particles have not been destroyed or replaced. Bob${}_1$ will continue to perform the following steps. Otherwise Bob${}_1$ has reason to believe that the auxiliary state is damaged or replaced during the transmission process, thus ending the entire agreement.

(IX) Bob${}_1$ applies IQFT on his first quantum state ${|k⟩}_H$ and measures the output to obtain the final secret $S^{\prime }=2$.

$$\begin{array}{cc}\hfill & \mathrm{IQFT}\otimes I(\frac{1}{\sqrt{17}}\sum _{k=0}^{16}{\omega }^{2k}|k{⟩}_H{|0⟩}_T)\hfill \\ \hfill =& (\frac{1}{\sqrt{17}}\sum _{k=0}^{16}{\omega }^{2k}\mathrm{IQFT}|k{⟩}_H{)|0⟩}_T\hfill \\ \hfill =& (\frac{1}{\sqrt{17}}\sum _{k=0}^{16}{\omega }^{2k}(\frac{1}{\sqrt{17}}\sum _{l=0}^{16}{\omega }^{-lk})|l{⟩}_H{)|0⟩}_T\hfill \\ \hfill =& (\frac{1}{17}\sum _{k=0}^{16}\sum _{l=0}^{16}{\omega }^{(2-l)k}|l{⟩}_H{)|0⟩}_T\hfill \\ \hfill =& (\frac{1}{17}\sum _{k=0}^{16}|2{⟩}_H+\frac{1}{17}\sum _{l=0,l\ne 2}^{16}(\sum _{k=0}^{16}{\omega }^{2-l)k}){|l⟩}_H{)|0⟩}_T\hfill \\ \hfill =& {(|2⟩}_H+\frac{1}{17}\sum _{l=0,l\ne 2}^{16}{0|l⟩}_H{)|0⟩}_T\hfill \\ \hfill =& {|2⟩}_H{|0⟩}_T.\hfill \end{array}$$

(38)

(X) Bob${}_1$ calculates $H^{\prime }=h(2)$ according to hash function $h()$ released by Alice and compares with public $H=h(S)$. If $H^{\prime }=H$, $S^{\prime }$, the secret obtained by ${\mathrm{Bob}}_1$ is the real secret. If not, ${\mathrm{Bob}}_1$ has reason to believe that there is at least one dishonest participant, thus terminating the agreement.

8. Conclusions

In this article, using QFT, IQFT, mutually unbiased bases, and other relevant knowledge, we propose a quantum secret-sharing scheme that both sides of the communication can mutually verify the identity. Each participant holds his own share which will neither be disclosed nor transferred. Only at the secret-recovery stage, each participant will directly integrate his information into the whole quantum system, which avoids being stolen. Any participant has reason to recover the secret and only the reconstructor obtains the secret and is responsible for it. Since only t participants can recover the secret, the protocol is more flexible and practical. After our analysis, the protocol can resist intercept–resend attacks, entanglement–measurement attacks, collusion attacks, and forgery attacks, so it is safe enough.