Quantum Secret Sharing Scheme with Credible Authentication based on Quantum Walk

Abstract

Based on the teleportation by quantum walk, a quantum secret sharing scheme with credible authentication is proposed. Using the Hash function and quantum local operation, combined with the two-step quantum walks circuit on the line, the identity authentication and the teleportation of the secret information in distribution phase are realized. Participants collaborate honestly to recover secret information based on particle measurement results, preventing untrusted agents and external attacks from obtaining useful information. Due to the application of quantum walk, the sender does not need to prepare the necessary entangled state in advance, simply encodes the information to be sent in the coin state, and applies the conditional shift operator between the coin space and the position space to produce the entangled state necessary for quantum teleportation. Security analysis shows that the protocol can effectively resist intercept/resend attacks, entanglement attacks, participant attacks, and impersonation attacks. In addition, the quantum walk circuit used has been implemented in many different physical systems and experiments, so this quantum secret sharing scheme may be achievable in the future.

1. Introduction

Quantum Secret Sharing (QSS) is a combination of classical secret sharing and quantum theory, which allows secret information (classical information or quantum encoded information) to be distributed, transmitted, and restored through quantum operations. Imagining Alice wants to hand over a secret plan to Bob and Charlie in the distance, but she is not completely trusting Bob and Charlie. Secret sharing protocols play an important role in the above scenarios, and the security of QSS is based on the fundamentals of quantum mechanics, which makes QSS safer than traditional secret sharing. The earliest QSS scheme was proposed by Hillery et al in 1999[1], they used the Greenberger-Horne-Zeilinger (GHZ) entangled state to complete secret sharing. With the development of quantum information, numerous quantum protocols and algorithms have been presented with entanglement and without entanglement[2-9], and the QSS protocols are no exception[10-13]. 

In reality, there is a situation where an illegal imposter pretends to impersonate Alice to issue a fake command, directing Bob and Charlie to complete an illegal task. However, in the various schemes mentioned above, it is presupposed that “Alice is legal, at least one of Bob and Charlie is credible”, only the segmentation of the message is discussed regardless of the identity authentication. Recently, Qin et al[14] proposed a QSS scheme using phase shift operation, they pointed out that identity authentication should be applied to avoid man-in-the-middle attacks in QSS scheme. This shows that identity authentication is needed in QSS schemes to prevent internal and external attacks. In fact, as early as 2008, Yang et al[15] had proposed a multi-party quantum identity authentication protocols to share secret information, the protocol do not use entangled states, but it can not ensure the safety of particle transmission, Zhang and Ji[16] pointed out that the protocol was vulnerable to participant attacks, resulting in the disclosure of secret information. Researchers began to use entangled states to ensure the security of QSS scheme with credible authentication, Yang et al [17] proposed a (t,n) QSS scheme with identity authentication based on GHZ states in 2012, Abulkasim H.[18] proposed a authenticated QSS scheme based on Bell states in 2016. 

Quantum walk is the quantum correspondence of classic walk, first proposed by Aharonov etal in 1993[19]. Quantum walks show meaningful applications in many ways[20,21], and applications in communication protocols are beginning to emerge [22-24]. In the past two years, Wang et al[22] and Shang et al[23] proposed the successful application of different models of quantum walk in teleportation. It pointed out that the necessary entangled states do not need to be prepared in advance, but they can spontaneously produce during walking. Since quantum walk has been proven to be possible in many different physical systems[25-27], and many quantum signature schemes based on quantum walk have been proposed[28,29]. 

Therefore, this paper proposes the first QSS scheme based on quantum walk by applying the teleportation based on quantum walk to QSS for secret information transmission. The proposed scheme has the following advantages: 

1.The credible authenticated protocol complete identity authentication between parties based on hash functions and quantum operations, avoiding participant attacks. 

2.The entangled state does not need to be prepared in advance, the entangled state necessary for teleportation is generated by the single particles in the quantum walk process. 

3.The one-dimensional two-step quantum walks circuit used in the paper is achievable, so the proposed QSS scheme may be achievable. 

The rest of this manuscript is outlined as follows. Section 2 introduces the preliminaries. Section 3 introduces the proposed scheme. Section 4 analyzes the security of the proposed scheme. Section 5 gives the efficiency of the proposed scheme and the comprehensive comparisons between the proposed scheme and other existing schemes. Finally, section 6 concludes the work. 

2. Preliminaries

2.1 Coding mechanism and multi-photon deception signal detecting device 

The preparations required for identity authentication of our QSS scheme is similar to that of Ref[30], that is the participant and the secret distributor shares the participant’s identity sequence and a one-way Hash function with an output length of N, which is kept secret to any third party. Take participant Bob as an example, Bob’s N-bit authentication key shared with Alice can be calculated as h_Bob(S_ID-_Bob), where h_Bob() is the Hash function negotiated jointly by Bob and Alice, S_ID-Bob is Bob’s identity sequence, we do not have to limit the length of each participant’s S_ID to be equal. 

Our QSS scheme uses the Pauli operations and Hadamard operation to encode classical information onto quantum states. 

I = |0〉0| + |1〉〈 1|      (1)

σ_x = |0〉〈 1|+|1〉〈 0|      (2)  

σ₂ = |0〉〈 0|-|1〉〈 1|        (3)

H = \(\frac{1}{\sqrt{2}}(|0\rangle\langle 0|-| 1\rangle\langle 1|+| 0\rangle\langle 1|+| 1\rangle\langle 0|)\)       (4)

In addition, in order to detect multi-photon deception signal attack, prevent operations on photons by secret distributor from baeing stolen, we use photon beam splitter(PBS) to detect multi-particle deception signal attack, the implementation is shown in Fig. 1. 

Fig. 1. Multi-photon deception signal detecting by using PBS 

The secret distributor Alice splits each of the signal used for detection by using PBS and measures it with the single photon detector. If the initial signal before splitting contains only one photon, only one detector will detect photon; if it is a multi-photon signal, it is likely that more than one detector will detect photon. This is the principle of multi-particle deception signal attack detection by using PBS. 

2.2 One-dimensional quantum walk model on the line 

The definition of a coin-based quantum walk model on the line was proposed by Ambainis et al[31] in 2001. 

It takes place in a compound Hilbert space consists of two main quantum spaces, position space and coin space, expressed as 

H=H_p⊗H_c      (5)

where H_p represents the position span {n,n∈ Z}, and H_c represents the coin direction of the walk {|0 , |1}, each step of the quantum walk can be described as 

W^(l) =E^(l)⋅(I⊗C)       (6)

where  E^(l) = S⊗|0〉〈0 +S^? ⊗|1 〉〈 1| , S is called the shift operator and denoted as S= ∑_n |n+ 1〉〈n | , and C is the coin operator acting on coin space. The walker moves from |n〉 to | n +1〉 if the tossed coin is |0〉 and steps backwards to |n −1〉 if the tossed coin is |1〉.

In the past two years, Wang et al[22] and Shang et al[23] have successfully applied quantum walk to the communication protocol of particle teleportation. In detail, the conditional shift operator can introduce entanglement between position space and coin space, this entanglement resource can be used as quantum channel for teleportation. In order to teleport secret information, we use one-dimensional quantum walk model on the line.

Suppose Alice wants to transmit an unkown qubit state |ϕ〉 = α |0〉+β |1〉 to Bob, where |α|²+|β|² =1, in order to complete the teleportation, Alice prepares particles A_p, A₁ and B, A_p contains the state of the position space, A₁ contains the state of the unknown qubit which can also be denoted as Coin1, particle B can be denoted as Coin2. The initial states of particle A_p and B are both | 0〉 . After two steps of the walk we can finish the teleportation task. The first step of the walk can be described as

W⁽¹⁾ = E⁽¹⁾ ·(A_p \(\otimes\) C₁ \(\otimes\)B )       (7)

where E⁽¹⁾ = S\(\otimes\)|0 〉₁〈0 | \(\otimes\) B + S^? \(\otimes\)  |1〉₁〈1|\(\otimes\) B, C₁ is the coin operation acting on Coin1-A₁, in our scheme we choose I operation as C₁. 

And the second step of the walk can be described as

W⁽²⁾ = E⁽²⁾ ·(A_p\(\otimes\) A₁\(\otimes\) H)       (8)

  E⁽²⁾ = S\(\otimes\) A₁ \(\otimes\) |0 〉₂ 〈0 | +S ^? \(\otimes\)A₁ \(\otimes\)|1 〉₂ 〈1|,  H means the Hadamard operation acting on Coin2-B.

After the two-step quantum walks, Alice sends the particle B to Bob. Alice measures particle A₁ with basis X(X=|+〉, |−〉}), the measurement results |+〉 and |−〉are marked as 1 and -1 respectively, record the collection of measurement results as λ1. After that, Alice measures A_p with basis |Q〉 ={ |-2' 〉, |-1〉 , |0 〉, |1〉 , |2' 〉} − − , where |2'〉 = \(1 / \sqrt{2}\)(|-2〉+ |2〉) and |-2'〉 = \(1 / \sqrt{2}\)(|-2〉-|2〉), |-2'〉 and |0〉 and |2'〉 are marked as -1 and 0 and 1 respectively, record the collection of measurement results as λ2.

Alice informs Bob of λ1 and λ2, Bob performs the corresponding Pauli operations on particle B to get the unknown qubit state of A₁ according to Table 1.

Table 1. The relationship between measurement result and Pauli operation

3. Quantum secret sharing scheme with credible authentication based on quantum walk

In our QSS scheme, Alice is the secret distributor, Bob and Charlie are the participants. The protocol involves four phases: the particle preparation phase, the identity authentication phase, the secret information encoding phase, the secret information distribution phase and the secret information recovery phase. Fig. 2 depicts the steps of the proposed scheme, which can be described in detail as follows.

Fig. 2. General process of the proposed scheme

3.1 Particle preparation phase

1. Bob and Charlie prepare N-bit single photons randomly at one of { |0〉 , |1〉 , |+〉 , |−〉 }, the two qubit sequences formed are denoted as SB and SC respectively.

2. Bob performs the following operations on each photon in the SB according to its own authentication key h_Bob(S_ID-Bob): if the ith value of h_Bob(S_ID-Bob) is 0, he does an I operation on the ith photon of the qubit sequence S_B; if the ith value of h_Bob(S_ID-Bob) is 1, he does a H operation on the ith photon of the qubit sequence S_B. Similarly, Charlie also performs the above operations on each photon of S_C according to his own authentication key h_Charlie(S_ID-Charlie). Record the S_B and S_C after operation as S_B’ and S_C'.

3. After completing the above operation, Bob and Charlie send S_B’ and S_C’ to Alice.

3.2 Identity authentication phase

1. When Alice receives S_B’ and S_C’, she performs the same operations as the step 2 of the particle preparation phase on the photons in S_B’ and S_C’ according to the authentication keys h_Bob(S_ID-Bob) and h_Charlie(S_ID-Charlie) she owns. After operation, S_B’ and S_C’ revert to S_B and S_C.

2. Alice selects enough photons from S_B and S_C as sample particles to detect multi-particle spoofing signal attacks. Assuming the number of samples particles in both qubit sequences is N-t, Alice let the samples particles pass through the device shown in Fig 1(the split ratio of PBS is 50:50). The measurement bases of the photon detector is randomly selected from the Z base and the X base. In detecting the result, if the rate of multiple photons is lower than the Pre-determined threshold, Alice announces that the communication is invalid, Alice starts to authenticate Bob and Charlie. Otherwise, Alice informing Bob and Charlie to restart the scheme.

3. Alice announces the location of the sample particles and all measurement results, Bob and Charlie announced which locations do not match the initial states when they were prepared. If the error rate is lower than the predetermined threshold, Bob and Charlie are authenticated by Alice and the quantum channels are considered safe, they proceed to the next phase. Otherwise, Alice decides whether to conduct a new round of secret sharing.

3.3 Secret information encoding phase

1. Alice holds the remaining t particles of the unknown qubit information sequence SB. It can be described as

\(\left|S_{\mathrm{B}}\right\rangle=\left\{\left|S_{\mathrm{B} 1}\right\rangle,\left|S_{\mathrm{B} 1}\right\rangle, \ldots,\left|S_{\mathrm{B} i}\right\rangle, \ldots,\left|S_{\mathrm{B} t}\right\rangle\right\}\)       (9)

where  \(\left|S_{\mathrm{B} i}\right\rangle\) (i = 1, 2, · · ·, n) represents a single qubit, recorded as

\(\left|S_{\mathrm{B} i}\right\rangle=\alpha_{i}|0\rangle+\beta_{i}|1\rangle\)       (10)

where α_i and β_i are complex numbers and satisfy \(\left|\alpha_{i}\right|^{2}+\left|\beta_{i}\right|^{2}=1\).

Alice prepares another two particle sequences A_p and B_p of length t, the initial states of A_p and B_p are both \(|0\rangle\) . Considering a two-coin-based quantum walk model on the line, Alice uses particles A_p, S_B and B_p to build a quantum walk circuit. In the circuit, Alice takes the particles A_p as the displacement space,the particles S_B as the Coin1 space, the particles B_p as the Coin2 space. Take particles A_pi, S_Bi(Coin1) and B_pi(Coin 2) as an example, the general initial state \(|\Phi\rangle^{(0)}\) of the walk system is

\(\begin{array}{l} |\Phi\rangle^{(0)}=A_{\mathrm{p} i} \otimes S_{\mathrm{B} i} \otimes B_{\mathrm{p} i} \\ \quad=|0\rangle_{\mathrm{p}} \otimes(\alpha|0\rangle+\beta|1\rangle)_{1} \otimes|0\rangle_{2} \end{array}\)       (11)

Note that all the particle states in our system are written in the order of A_p, S_B and B_p particles.

After the first step of the quantum walk evolutionary operator W₁, the initial quantum state of the system based on the conditional phase shift rule evolves to

\(|\Phi\rangle^{(1)}=(\alpha|100\rangle+\beta|-110\rangle)_{\mathrm{pl} 2}\)       (12)

After the second step of the quantum walk evolutionary operator W₂, the final state \(|\Phi\rangle^{(2)}\) of the system is also based on the phase shift rule

\(|\Phi\rangle^{(2)}=(\alpha|200\rangle+\alpha|001\rangle+\beta|010\rangle+\beta|-211\rangle)_{\mathrm{p} 12}\)       (13)

After completing the above operation, particles A_p, S_B and B_p are entangled.

2. Alice encodes the secrets(length: t-bit) she wants to share as Pauli operations: 0↔I, 1↔σ _x , applying on each particle S_Bi, record the particles encoded by the secret information as M_B. Introduce the two-step quantum walks of A_p, S_B and B_p particles and this Pauli operation on S_B particles in detail.

\(\begin{aligned} |\Phi\rangle^{(1)} &=E^{(1)} \cdot\left(A_{\mathrm{p}} \otimes C_{1} \otimes S_{\mathrm{B}}\right) \\ &=\left(|1\rangle_{\mathrm{p}}\langle 0|\otimes| 0\rangle_{1}\langle 0|+|-1\rangle_{\mathrm{p}}\langle 0|\otimes| 1\rangle_{1}\langle 1|\right) \otimes|0\rangle_{2} \cdot\left(|0\rangle_{\mathrm{p}} \otimes(\alpha|0\rangle+\beta|1\rangle)_{1}\right) \\ &=(\alpha|100\rangle+\beta|-110\rangle)_{\mathrm{p} 12} \end{aligned}\)       (14)

It can be found that after W⁽¹⁾, the position space particle A_p and the coin space particle S_B have been entangled, their composite state changes from \((\alpha|0\rangle+\beta|1\rangle)_{1} \otimes|0\rangle_{\mathrm{p}}\) to \((\alpha|10\rangle+\beta|-11\rangle)_{\mathrm{pl}}\).

\(\begin{aligned} |\Phi\rangle^{(2)}=& E^{(2)} \cdot\left(I_{\mathrm{p} 1} \otimes H \otimes B_{\mathrm{p}}\right) \\ =& E^{(2)} \cdot\left[(\alpha|10\rangle+\beta|-11\rangle)_{\mathrm{p} 1} \otimes(|0\rangle+|1\rangle / \sqrt{2})_{2}\right] \\ =&\left(S \otimes|0\rangle_{2}\left\langle 0\left|+S^{\dagger} \otimes\right| 1\right\rangle_{2}\langle 1|\right) \\ & \cdot(\alpha|100\rangle+\beta|-110\rangle+\alpha|101\rangle+\beta|-111\rangle)_{\mathrm{p} 12} / \sqrt{ } \\ =&\left(|2\rangle_{\mathrm{p}}\langle 1|\otimes| 0\rangle_{2}\langle 0|+| 0\rangle_{\mathrm{p}}\langle 1|\otimes| 1\rangle_{2}\langle 1|\right) \\ & \cdot(\alpha|100\rangle+\beta|-110\rangle+\alpha|101\rangle+\beta|-111\rangle)_{\mathrm{p} 12} / \mathrm{V} \\ =&(\alpha|200\rangle+\alpha|001\rangle+\beta|010\rangle+\beta|-211\rangle)_{\mathrm{p} 12} / \sqrt{2} \end{aligned}\)        (15)

After W⁽²⁾, the coin space particles S_B and B_p are also entangled. If Alice does Pauli operation I on S_Bi, the general state do not change, if Alice does Pauli operation σ _x on S_Bi, the general state evolves to \((\alpha|210\rangle+\alpha|011\rangle+\beta|000\rangle+\beta|-201\rangle)_{\mathrm{p} 12} / \sqrt{2}\).

3. For another unknown qubit information sequence S_C, the same as steps 1-4 in this phase, Alice prepares additional particles A_p as the displacement space and the particles C_p as the Coin2, takes the particles S_C as the Coin1, uses particles A_p, S_C and C_p to build another quantum walk circuit. After two-step quantum walks, Alice applies the same Pauli operations sequence to encode particles S_C, gets the secret encoded particles M_C.

3.4 Secret information distribution phase

1. After completing the above operation, Alice sends particle sequence B_p to Charlie, particle sequence C_p to Bob.

2. Bob and Charlie apprize Alice after receiving C_p and B_p. Charlie uses particle B_p to complete the teleportation with Alice’s particle M_B. Alice measures M_B with basis X, the measurement results λ1 is recorded as: |+〉 ↔1, | − 〉↔-1. Then, Alice measures Ap with basis Q, the measurement results λ2 is recorded as: |−2'〉 ↔-1, |0 ↔0, |2' 〉↔1. Alice announces λ1 and λ2 to Charlie.

3. According to λ1 and λ2, Charlie does the revise Pauli operation on particle string Bp depending on Table1 to recover the target state. After this, Charlie completes the teleportation of unknown qubit state from Alice, the states of B_p convert to the states of M_B. Explain in detail the particle state recovery process as follows. If Alice does Pauli operation I on S_Bi and measures particle S_Bi, particle A_pi and B_pi will collapse to the corresponding state.

\(\begin{array}{l} (a|200\rangle+a|001\rangle+b|01 0\rangle+b|-21 1\rangle)_{\mathrm{p} 12} \\ =\left(|+\rangle_{1}(a|20\rangle+a|01\rangle+b|00\rangle+b|-21\rangle)_{\mathrm{p} 2}+\right. \\ \left.|-\rangle_{1}(a|20\rangle+a|01\rangle-b|00\rangle-b|-21\rangle)_{\mathrm{p} 2}\right) / \sqrt{2} \end{array}\)       (16)

When S_Bi’s measurement result is |+〉 , it can be seen that the entangled state of A_pi and B_pi is \((a|20\rangle+a|01\rangle+b|00\rangle+b|-21\rangle)_{p 2}\), then Alice measures A_pi, causing B_pi collapses into the state of S_Bi, the final general state after collapse is

\(\left|2^{\prime}\right\rangle_{\mathrm{p}}(a|0\rangle+b|1\rangle)_{2} / 2+\left|-2^{\prime}\right\rangle_{\mathrm{p}}(a|0\rangle-b|1\rangle)_{2} / 2+|0\rangle_{\mathrm{p}}(a|1\rangle+b|0\rangle)_{2} / \sqrt{2}\)       (17)

When S_Bi’s measurement result is |−〉 , it can be seen that the entangled state of A_pi and B_pi is \((a|20\rangle+a|01\rangle+b|00\rangle+b|-21\rangle)_{p 2}\) , then Alice measures A_pi, causing B_pi collapses into the state of S_Bi, the final general state after collapse is

\(\left|2^{\prime}\right\rangle_{\mathrm{p}}(a|0\rangle-b|1\rangle)_{2} / 2+\left|-2^{\prime}\right\rangle_{\mathrm{p}}(a|0\rangle+b|1\rangle)_{2} / 2+|0\rangle_{\mathrm{p}}(a|1\rangle-b|0\rangle)_{2} / \sqrt{2}\)       (18)

Based on λ1, λ2 and Table 1, Bob performs corresponding Pauli operations on Particle B_pi, gets the transformed result \(\alpha_{i}|0\rangle+\beta_{i}|1\rangle\). 

Another situation can be similarly verified: if Alice does Pauli operation σ _x on S_Bi and measures particle S_Bi, A_pi in order, the final general state after collapse is

\(\left|2^{\prime}\right\rangle_{p}(a|1\rangle+b|0\rangle)_{2} / 2+\left|-2^{\prime}\right\rangle_{p}(a|1\rangle-b|0\rangle)_{2} / 2+|0\rangle_{p}(a|0\rangle+b|1\rangle)_{2} / \sqrt{2}\)       (19)

or

\(\left|2^{\prime}\right\rangle_{p}(a|1\rangle-b|0\rangle)_{2} / 2+\left|-2^{\prime}\right\rangle_{p}(a|1\rangle+b|0\rangle)_{2} / 2+|0\rangle_{p}(a|0\rangle-b|1\rangle)_{2} / \sqrt{2}\)       (20)

Charlie performs corresponding Pauli operations on Particle B_pi, gets the transformed result \(\alpha_{i}|1\rangle+\beta_{i}|0\rangle\).

4. Similar to the steps of the teleportation of Alice with Charlie, Alice can teleport the states of M_C to Bob. Denoting this time’s basis X and basis Q’s measurement results as γ1 and γ2 respectively, the states of C_p in Bob’s hands convert to the states of M_C according to γ1 and γ2 announced by Alice.

3.5 Secret information recovery phase

1. Bob and Charlie collaborate. The two show the initial states of the single particles prepared in the particle preparation phase, select the corresponding basis to measure each particle, and Alice was reversely authenticated by the measurement results according to Table 2.

Table 2. The correspondence between the initial state of single photons and the particles encoded by secret information

If the error rate is lower than the pre-agreed threshold, Alice is considered legal and can start rebuilding the secret. Otherwise, Alice is considered illegal.

2. Record the measurement result of M_B(M_C) as R_B(R_C), combined with the particles SB and SC which Bob and Charlie prepared in the particle preparation phase, Bob and Charlie can get the same Alice's Pauli operation sequence. Bob and Charlie map Pauli operations to t-bit secrets: I↔0, σ _x ↔1, Alice's secret reconstruction is complete.

4. Security analysis

4.1 Discussion on dishonest participant Bob*

Assuming that the dishonest participant Bob* attempts to take intercept-resend attack or entanglement attack to obtain information carried by Charlie’s particles.

• Intercept–resend attack by Bob*

For the intercept-resend attack, suppose Bob* intercepts the particles Sc’ that Charlie sent to Alice and resends the same particles to Alice. Bob* attempts to determine the particle states of Sc, so that when the states of Cp in Bob* ’s hands convert to the states of MC, he could recover the secret alone.

First, it is impossible for Bob* to obtain authentication key information about Charlie, so he could not restore Sc’ to Sc without the authentication key h_Charlie(S_ID-Charlie) and he could not bypass the authentication.

Second, Bob* was unable to get the entire particle states of the Sc’ either, since the state of each particle in sequence Sc’ is randomly at one of \(\begin{equation} \{|0\rangle,|1\rangle,|+\rangle,|-\rangle\} \end{equation}\). Suppose the probability of Bob* correctly measuring the state of each particle is 50%, the probability PB of correctly measuring the entire particle states of Sc’ can be quantitatively assessed according to statistics.

\(\begin{equation} P_{B}=\left(\begin{array}{c} N \\ k \end{array}\right)\left(\frac{1}{2}\right)^{k}\left(\frac{1}{2}\right)^{N-k} \end{equation}\)       (21)

where k represents the total number of particle states correctly measured. N represents the length of the Sc’. The probability P_B satisfies the binomial distribution and the binomial coefficient.

\(\begin{equation} \left(\begin{array}{l} N \\ k \end{array}\right)=\frac{N !}{k !(N-k) !} \end{equation}\)       (22)

P_B in dependence on k for the respective N = 256, N = 512 and N = 1024 in Fig. 3 shows that there exists a maximal value of P_B for different N, and it diminishes with the increase of N. Therefore, Bob* was unable to get the entire particle states of the Sc’ and combines the initial particle states of Sc presented by Charlie in the secret recovery phase to infer the authentication key h_Charlie(S_ID-Charlie).

• Entanglement attack by Bob*

For the entanglement attack, suppose Bob* intercepts the particles Sc’ that Charlie sent to Alice during transmission and uses unitary operation E to entangle the new particles e with Sc’ to form a bigger Hilbert space, where \(\begin{equation} S c_{i}^{\prime}=\{|0\rangle,|1\rangle,|+\rangle,|-\rangle\} \end{equation}.\)

\(\begin{equation} E \otimes|0 e\rangle=a\left|0 e_{00}\right\rangle+b\left|1 e_{01}\right\rangle \end{equation}\)       (23)

\(\begin{equation} E \otimes|1 e\rangle=b^{\prime}\left|0 e_{10}\right\rangle+a^{\prime}\left|1 e_{11}\right\rangle \end{equation}\)       (24)

\(\begin{equation} \begin{aligned} E \otimes|+e\rangle=& \frac{1}{\sqrt{2}}\left(a\left|0 e_{00}\right\rangle+b\left|1 e_{01}\right\rangle+b^{\prime}\left|0 e_{10}\right\rangle+a^{\prime}\left|1 e_{11}\right\rangle\right) \\ =& \frac{1}{2}\left[|+\rangle\left(a\left|e_{00}\right\rangle+b\left|e_{01}\right\rangle+b^{\prime}\left|e_{10}\right\rangle+a^{\prime}\left|e_{11}\right\rangle\right)\right.\\ &\left.+|-\rangle\left(a\left|e_{00}\right\rangle-b\left|e_{01}\right\rangle+b^{\prime}\left|e_{10}\right\rangle-a^{\prime}\left|e_{11}\right\rangle\right)\right] \end{aligned} \end{equation}\)       (25)

\(\begin{equation} \begin{aligned} E \otimes|-e\rangle=& \frac{1}{\sqrt{2}}\left(a\left|0 e_{00}\right\rangle+b\left|1 e_{01}\right\rangle-b^{\prime}\left|0 e_{10}\right\rangle-a^{\prime}\left|1 e_{11}\right\rangle\right) \\ =& \frac{1}{2}\left[|+\rangle\left(a\left|e_{00}\right\rangle+b\left|e_{01}\right\rangle-b^{\prime}\left|e_{10}\right\rangle-a^{\prime}\left|e_{11}\right\rangle\right)\right.\\ &\left.+|-\rangle\left(a\left|e_{00}\right\rangle-b\left|e_{01}\right\rangle-b^{\prime}\left|e_{10}\right\rangle+a^{\prime}\left|e_{11}\right\rangle\right)\right] \end{aligned} \end{equation}\)       (26)

The unitary operation matrix E is expressed as

\(\begin{equation} E=\left(\begin{array}{ll} a & b^{\prime} \\ b & a^{\prime} \end{array}\right) \end{equation}\)       (27)

where e_i,j decided by operator E satisfy the normalization condition

\(\begin{equation} \sum_{i, j \in\{0,1\}}\left\langle e_{i j} \mid e_{i j}\right\rangle=1 \end{equation}\)       (28)

Since EE* =1, a, b, a’, b’ satisfy the following relationship

\(\begin{equation} |a|^{2}+|b|^{2}=1,\left|a^{\prime}\right|^{2}+\left|b^{\prime}\right|^{2}=1, a b^{*}=\left(a^{\prime}\right)^{*} b^{\prime} \end{equation}\)       (29)

We can get the result

\(\begin{equation} |a|^{2}=\left|a^{\prime}\right|^{2},|b|^{2}=\left|b^{\prime}\right|^{2} \end{equation}\)       (30)

If particle e is in an entangled state, Bob* ’s entanglement attack will inevitably introduce an error rate P_error

\(\begin{equation} P_{\text {error }}=|b|^{2}=1-|a|^{2}=\left|b^{\prime}\right|^{2}=1-\left|a^{\prime}\right|^{2} \end{equation}\)       (31)

If Bob* tries to achieve the eavesdropping without being detected, the transmitted qubits and Bob* ’s auxiliary particles are in a tensor-product state. However, in direct state there is no correlation between the auxiliary particle e and the whole system, Bob* could not get any useful information, thus proving that the entanglement attack is futile.

Therefore, it is concluded that the dishonest participant Bob* can not get any valid information by intercept-resend attack or entanglement attack without introducing errors.

4.2 Discussion on eavesdropper Eve

Suppose the eavesdropper Eve wants to acquire the Bob and Charlie’s authentication key by intercept-resend attack or entanglement attack and bypassing eavesdropping detection. Before, we have analyzed that the internal dishonest participant Bob* can not get any valid information by intercept-resend attack or entanglement attack to get the authentication key h_Charlie(S_ID-Charlie). Obviously, Bob* has a greater attack advantage than the external eavesdropper Eve, but Bob* ’s two attacks are futile. It can be considered that Eve’s intercept-resend attack or entanglement attack to S_B’/S_C’ is also futile. So, we only discuss Eve’s intercept-retransmit attack and entanglement attack on particles B_p/C_p.

• Intercept-resend attack by Eve

Suppose Eve intercepts the particles B_p, which is entangled with particles A_p and M_B in quantum walk system, and gets Alice’s measurement results λ1, λ2 to recover the target states. Since he knows nothing about the states of particle S_B, it is unable for him to obtain correct measurement results and resend correct particles to Charlie, he will bring the error rate of 50% for each particle in step1 of the secret information recovery phase.

The detected probability P_D can be quantitatively assessed according to statistics.

\(\begin{equation} P_{D}=1-\left(\frac{t !}{k !(t-k) !}\right)\left(\frac{1}{2}\right)^{k}\left(\frac{1}{2}\right)^{t-k} \end{equation}\)       (32)

where k represents the total number of correct measurement results, t represents the length of the B_p.

P_D in dependence on k for the respective t = 256, t = 512 and t = 1024 in Fig. 4 shows that there exists a minimum value of P_E for different N, and it increases as N increases.

• Entanglement attack by Eve

For the entanglement attack, suppose Eve uses unitary operation E to entangle the new particles e with paticle B_p in \(\begin{equation} |\Phi\rangle^{(2)} \end{equation}\), the unitary operation matrix E and the e_i,j decided by operator E are conform to Formula(23-30), and we will not repeat them here. where \(\begin{equation} |\Phi\rangle^{(2)}=(\alpha|200\rangle+\alpha|001\rangle+\beta|010\rangle+\beta|-211\rangle)_{\mathrm{p} 12} \end{equation}\).

The state of the composite system becomes

\(\begin{equation} \begin{aligned} |\Phi\rangle_{\text {Eve }} &=\alpha|20\rangle_{\mathrm{pl}}\left(a\left|0 e_{00}\right\rangle+b\left|1 e_{01}\right\rangle\right)_{2 E}+\alpha|00\rangle_{\mathrm{pl}}\left(b^{\prime}\left|0 e_{10}\right\rangle+a^{\prime}\left|1 e_{11}\right\rangle\right)_{2 E} \\ &+\beta|01\rangle_{\mathrm{pl}}\left(a\left|0 e_{00}\right\rangle+b\left|1 e_{01}\right\rangle\right)_{2 E}+\beta|-21\rangle_{\mathrm{pl}}\left(b^{\prime}\left|0 e_{10}\right\rangle+a^{\prime}\left|1 e_{11}\right\rangle\right)_{2 E} \\ &=\alpha|0\rangle_{1}\left[\left(a\left|20 e_{00}\right\rangle+b\left|21 e_{01}\right\rangle\right)_{\mathrm{p} 2 E}+\left(b^{\prime}\left|00 e_{10}\right\rangle+a^{\prime}\left|01 e_{11}\right\rangle\right)_{\mathrm{p} 2 E}\right] \\ &+\beta|1\rangle_{1}\left[\left(a\left|00 e_{00}\right\rangle+b\left|01 e_{01}\right\rangle\right)_{\mathrm{p} 2 E}+\left(b^{\prime}\left|-20 e_{10}\right\rangle+a^{\prime}\left|-21 e_{11}\right\rangle\right)_{\mathrm{p} 2 E}\right] \end{aligned} \end{equation}\)       (33)

When Alice measures particle S_B, the composite state of particles A_p, B_p, e converts to \(\begin{equation} \left(a\left|20 e_{00}\right\rangle+b\left|21 e_{01}\right\rangle\right)_{\mathrm{p} 2 E}+\left(b^{\prime}\left|00 e_{10}\right\rangle+a^{\prime}\left|01 e_{11}\right\rangle\right)_{\mathrm{p} 2 E} \end{equation}\) if the measurement result is | 0〉₁ , and converts to \(\begin{equation} \left(a\left|00 e_{00}\right\rangle+b\left|01 e_{01}\right\rangle\right)_{\mathrm{p} 2 E}+\left(b^{\prime}\left|-20 e_{10}\right\rangle+a^{\prime}\left|-21 e_{11}\right\rangle\right)_{\mathrm{p} 2 E} \end{equation}\) if the result is 1 |1〉 . We continue the analysis with the measurement result of 1 | 0〉 , Alice measures particle A_p based on this, the state of the composite particles becomes

\(\begin{equation} \begin{array}{l} \left(a\left|20 e_{00}\right\rangle+b\left|21 e_{01}\right\rangle\right)_{\mathrm{p} 2 E}+\left(b^{\prime}\left|00 e_{10}\right\rangle+a^{\prime}\left|01 e_{11}\right\rangle\right)_{\mathrm{p} 2 E} \\ =|2\rangle_{\mathrm{p}}\left(a\left|0 e_{00}\right\rangle+b\left|1 e_{01}\right\rangle\right)_{2 E}+|0\rangle_{\mathrm{p}}\left(b^{\prime}\left|0 e_{10}\right\rangle+a^{\prime}\left|1 e_{11}\right\rangle\right)_{2 E} \\ =\frac{1}{\sqrt{2}}\left[\left|2^{\prime}\right\rangle_{\mathrm{p}}\left(a\left|0 e_{00}\right\rangle+b\left|1 e_{01}\right\rangle\right)_{2 E}+\left|-2^{\prime}\right\rangle_{\mathrm{p}}\left(a\left|0 e_{00}\right\rangle+b\left|1 e_{01}\right\rangle\right)_{2 E}\right] \\ \quad+|0\rangle_{\mathrm{p}}\left(b^{\prime}\left|0 e_{10}\right\rangle+a^{\prime}\left|1 e_{11}\right\rangle\right)_{2 E} \end{array} \end{equation}\)       (34)

It can be indicated that if particle e is in an entangled state, Eve’s will introduce an error rate P_error

\(\begin{equation} P_{\text {error }}=|b|^{2}=1-|a|^{2}=\left|b^{\prime}\right|^{2}=1-\left|a^{\prime}\right|^{2} \end{equation}\)       (35)

If Eve doesn't want to introduce an error rate, the qubits in quantum walk system and the qubits e must be in a tensor-product state. However, in direct state there is no correlation between them, Eve could not get any useful information, thus the entanglement attack is futile.

Therefore, the eavesdropper Eve can not get any valid information by intercept-retransmit attack and entanglement attack on particles B_p/C_p without introducing errors.

4.3 Discussion on the security of Alice certification

Suppose an illegal imposter tries to impersonate Alice.

The scheme firstly lets Bob and Charlie prepare random photons, perform Pauli operations on photons according to their authentication key, then send to Alice. Alice authenticates the received particles and builds quantum walk circuits. Previously, we have analyzed that any third party cannot obtain the authentication keys through intercept-resend attack or entanglement attack. Therefore, the imposter cannot obtain Bob and Charlie's legal authentication keys.

In addition, when Bob and Charlie collaborate to authenticate Alice, because each single photon of M_B/M_C is randomly in the one of \(\begin{equation} \{|0\rangle,|1\rangle,|+\rangle,|-\rangle\} \end{equation}\), Bob and Charlie select the measurement basis according to the initial particle state their prepared to measure M_Bi/M_Ci, the measurement results has two possibilities: the measurement result is the same as the initial particle state, if Alice performs an I operation on S_Bi/ S_Ci, and be opposite if Alice performs a σ_x operation on S_Bi/ S_Ci. Therefore, based on the known information and in comparison with Table 2, it can be found whether Alice actually owns the authentication keys of Bob and Charlie, and can determine whether Alice is legal.

5. Efficiency analysis and comparisons

According to Cabello[32], information-theoretical efficiency can be defined as η=q_e/(q_t+b_t), where q_u is the final effective number of qubits, q_t represents the total number of qubits transmitted through the quantum channel, and bt is the classical bits for decoding of the qubits. (The quantum resources and the classical resources which are used for identity authentication and security checks are not counted.) The information-theoretical efficiency of the proposed protocol is 2n/(4t+2t)=33.33% which is the same as the efficiency performance computed in most protocols like Ref[41,42]. However, the proposed protocol is more secure with respect to the feature of identity authentication.

Evaluate the protocol from the quantum resources used, whether it has identity authentication and whether it can against participant attack, the comparison results of between the proposed protocol and some other QSS protocols are listed in Table 3.

Table 3. Comparisons between the proposed QSS protocol and previous QSS protocols

The comparison results shows this scheme is distinguished with the function of identity authentication and secure against participant attack. In addition, the initial phase of the particle preparation only requires single photons, the necessary entangled states do not need to be prepared in advance, they can be spontaneously entangled after the first step of quantum walk. (Comparing with difficult entangled state preparation, this is a big improvement.)

6. Conclusion

This paper proposes a quantum secret sharing scheme with credible authentication based on quantum walk. Different from the existing QSS protocols, the proposed scheme is to prepare single photons by Bob and Charlie respectively, and then send it to Alice. Alice authenticates Bob and Charlie, and then encodes the secret onto the quantum states by constructing a quantum walk circuit and performing Pauli operation. Secrets are distributed to Bob and Charlie through quantum teleportation. Eventually, they complete identity authentication for Alice, and collaborate to measure and recover the secret. The scheme realizes the authentication of both parties in the process of secret sharing, and it can effectively prevent an attacker from impersonating Alice to issue fake commands.

In addition, the protocol transmits information securely through quantum teleportation, but does not need to prepare entangled states in initial, it spontaneously generates entangled states between Alice and Bob in the circuit of one-dimensional two-step quantum walks on the line. This quantum circuit causes Alice to collapse the transmission information in the quantum state of Bob(Charlie) after measuring her own quantum state, then Bob(Charlie) performs the corresponding Pauli operation to recover the information, thereby completing the teleportation. Due to the function of identity authentication and the use of quantum walk, the protocol greatly enhances the security of the QSS protocol. At present, Xue et al[43] have successfully confirmed that quantum walk can be applied to quantum communication and can perform quantum walks of more than 20 steps in a one-dimensional space. Due to the limitation of equipment, this paper cannot provide such physical verification for the time being, but the quantum resources that the protocol relies on are satisfyable under the current technology, so it is feasible to implement the QSS protocol proposed in this paper based on the current technology.