Strongly Secure Quantum Ramp Secret Sharing Constructed from Algebraic Curves over Finite Fields
Quantum Information Processing manuscript No. (will be inserted by the editor)
Ryutaroh Matsumoto
October 20, 2014
Abstract
The first construction of strongly secure quantum ramp secret sharing by Zhang and Matsumoto had an undesirable feature: the dimension of the quantum shares must be larger than the number of shares. By using algebraic curves over finite fields, we propose a new construction in which the number of shares can become arbitrarily large for a fixed dimension of shares.
Keywords: algebraic curve · quantum secret sharing · non-perfect secret sharing · ramp secret sharing · strong security

Ryutaroh Matsumoto
Department of Communications and Computer Engineering, Tokyo Institute of Technology, Japan, and Department of Mathematical Sciences, Aalborg University, Denmark
ORCID: 0000-0002-5085-8879
E-mail: [email protected]

A secret sharing (SS) scheme encodes a secret into multiple shares that are distributed to participants, so that only qualified sets of shares can reconstruct the secret perfectly [13]. The secret and shares are traditionally classical information [13], but quantum secrets and quantum shares can also be used [3,4,11].

In perfect SS, if a set of shares is not qualified, that is, it cannot reconstruct the secret perfectly, then the set has absolutely no information about the secret. It is well known that the share sizes in perfect SS must be larger than or equal to that of the secret, both in the classical and in the quantum case. To overcome this inefficiency in storing shares, classical ramp SS was proposed [1,8,14], which reduces the share sizes at the cost of allowing partial information leakage to non-qualified sets of shares. In ramp SS, a share set is said to be forbidden if it has no information about the secret, while it is said to be intermediate if it is neither qualified nor forbidden [5,14].

The first quantum ramp SS was proposed by Ogawa et al. [9], which made the share size $L$ times smaller than its secret, where $L$ is the number of qudits in the secret. Their study [9] has two drawbacks. Firstly, it does not control how information is leaked to a non-qualified set of shares, and there exists an undesirable case in which an intermediate set of shares can understand a qudit in the secret, as demonstrated in [15].
To exclude such a possibility, we introduced the notion of strong security of quantum ramp SS, which ensures that no intermediate set can understand a qudit in the secret (see [15] for its formal definition), and proposed an explicit construction with strong security. The second drawback of [9], and also of our previous proposal [15], is that the dimension of the quantum shares must be larger than the number of participants. When the number of participants is large, handling the quantum shares becomes more difficult, because handling large-dimensional quantum systems is generally more difficult than handling smaller ones. Our previous proposal [15] solved the first drawback but not the second. The purpose of this paper is to solve the first and the second drawbacks of [9] simultaneously.

We will proceed as follows. Firstly, in Section 2 we modify the strong security definition given in [15], because the previous definition in [15] required that all the qualified sets are of the same size, and also that all the forbidden sets are of the same size. Secondly, in Section 3, we carry over the classical strongly secure ramp SS [2,7] based on algebraic curves to the quantum setting, and then prove that the proposed quantum SS has strong security. We also present sufficient conditions for its qualified, intermediate, and forbidden sets by using the technique in [6]. We conclude this paper in Section 4.

Let $q$ be a prime power, and let $G_i$ ($i = 1, \dots, L$) and $H_j$ ($j = 1, \dots, n$) be $q$-dimensional complex linear spaces, where $G_i$ contains the $i$-th qudit of the quantum secret, while $H_j$ contains the $j$-th quantum share. $L$ is the number of qudits in the secret and $n$ is the number of shares or participants. In this paper we consider the so-called pure state scheme [3,4], in which a pure state secret is converted to pure state shares. Encoding is an isometric complex linear map from $\bigotimes_{i=1}^{L} G_i$ to $\bigotimes_{j=1}^{n} H_j$. A subset $J \subset \{1, \dots, n\}$ is said to be qualified if the quantum secret is perfectly reconstructed from the aggregated shares in $\bigotimes_{j \in J} H_j$, forbidden if the aggregated shares in $\bigotimes_{j \in J} H_j$ are always the same quantum state regardless of the quantum secret, and intermediate otherwise, as defined in [9].

We introduce a new definition of strong security, which does not require the qualified and the forbidden sets to be of the same size. Let $I \subseteq \{1, \dots, L\}$, $J \subseteq \{1, \dots, n\}$, $\overline{I} = \{1, \dots, L\} \setminus I$, and $\overline{J} = \{1, \dots, n\} \setminus J$. Define $G_I = \bigotimes_{i \in I} G_i$ and $G_{\overline{I}} = \bigotimes_{i \in \overline{I}} G_i$. The idea behind the following strong security with respect to $I$ and $J$ is that the share set $J$ has no idea what the quantum state $\rho_I$ on the part $G_I$ of the quantum secret is. To formally express this idea, the quantum state $\sigma_J$ of the shares on $\bigotimes_{j \in J} H_j$ is required to be independent of $\rho_I$. On the other hand, $\sigma_J$ also depends on the quantum state on $G_{\overline{I}}$. When an illegitimate owner of the shares in $J$ is guessing $\rho_I$, she or he is assumed to have no prior knowledge of the part $G_{\overline{I}}$, which enables us to use the fully mixed state as the state on $G_{\overline{I}}$. By using the above ideas, we formally define our extended version of strong security.

Definition 1
We retain the notation of the above discussion. A quantum ramp secret sharing scheme is said to be strongly secure with respect to $I$ and $J$ if the quantum state $\sigma_J$ on the share set $J$ is always the same state regardless of the quantum state $\rho_I \otimes \rho_{\overline{I},\mathrm{mix}}$ of the whole quantum secret, where $\rho_{\overline{I},\mathrm{mix}}$ is the fully mixed state on $G_{\overline{I}}$.

In our previous paper [15], a $(k, L, n)$ quantum ramp SS (in the sense of [9]) was said to be strongly secure if all $I$ and $J$ with $|I| + |J| \le k$ satisfy Definition 1, where $k$ was the minimum size of share sets which can perfectly reconstruct the secret, and $L$, $n$ had the same meaning as in the present paper.

In the previous constructions [9,15] of quantum ramp SS, shares are generated by evaluating a polynomial at pairwise distinct elements of the finite field $\mathbb{F}_q$ with $q$ elements. Obviously $q$ must be larger than $n$ in those constructions. In the above constructions, the dimension of the quantum shares is also $q$, and larger values of $q$ usually make implementation difficult. The restriction $q > n$ also exists in classical SS based on evaluations of a polynomial [8,10]. One of the standard ways in classical SS to overcome the restriction $q > n$ is to use points on an algebraic curve, as done in [2]. We will propose an explicit strongly secure quantum ramp SS based on the idea in [2].

It is well known that an algebraic curve is mathematically equivalent to an algebraic function field of one variable [12]. So we will describe our proposal using the terminology of algebraic function fields, as done in [2]. We briefly review algebraic function fields; see [12] for a formal exposition. The rational function field $\mathbb{F}_q(x)$ over $\mathbb{F}_q$ is the set of $f(x)/g(x)$, where $f(x)$ and $g(x)$ are polynomials in $x$ with coefficients in $\mathbb{F}_q$. Addition, subtraction, multiplication and division in $\mathbb{F}_q(x)$ are defined in the standard way. An algebraic function field $F$ is an extension field of $\mathbb{F}_q(x)$ such that the dimension of $F$ as an $\mathbb{F}_q(x)$-linear space is finite. It is usually denoted as $F/\mathbb{F}_q$ to indicate that it is defined by equations over $\mathbb{F}_q$.

Example 1
Let $F$ be the field obtained by adding $y$ to $F(x)$, where $y$ is a root of the univariate polynomial y + y = x ($x$ is regarded as a coefficient). Then $F$ is an algebraic function field of one variable, denoted by $F(x, y)$. The process of creating $F(x, y)$ from $F(x)$ is the same in spirit as creating the field of complex numbers from that of real numbers by adding a root of z = −. The equation y + y = x can also be seen as an algebraic curve. There are eight points R, ..., R in F satisfying y + y = x. For example, $(x, y) = (0, 1)$ satisfies y + y = x and can be taken as R. Those eight points can be used for evaluations in the SS proposed in [2] and also in our proposal described later. Note that the number of usable points for evaluation increases from 4 to 8.

In the following we will use so-called $\mathbb{F}_q$-rational places. The points R, ..., R are examples of rational places in this function field. The solutions of the defining equation of $F$, e.g. y + y = x, are a subset of the $\mathbb{F}_q$-rational places, provided that the curve defined by the equation is smooth. See [12] for formal definitions.

We return to the general description of our proposal. Let $P_1, \dots, P_n, Q_1, \dots, Q_L$ be pairwise distinct $\mathbb{F}_q$-rational places of $F/\mathbb{F}_q$. A divisor of $F/\mathbb{F}_q$ is a formal sum of (not necessarily $\mathbb{F}_q$-rational) places of $F/\mathbb{F}_q$, e.g. 2R − R in Example 1. The support of a divisor $G$ is the set of places whose coefficient in $G$ is nonzero. For example, the support of 2R − R is the set {R, R}. Let $G$ be a divisor whose support contains none of $P_1, \dots, P_n, Q_1, \dots, Q_L$. For any divisor $G$, there is a finite-dimensional $\mathbb{F}_q$-linear space $\mathcal{L}(G)$; see [12] for a formal definition.

Example 2
Consider again the function field $F(x, y)$ introduced in Example 1. Let $Q$ be the common pole of $x$ and $y$, in other words, the unique point at infinity belonging to the projective algebraic curve defined by y + y = x. Then a basis of $\mathcal{L}(uQ)$ as a linear space over the base field is

{ x^a y^b | ≤ a, ≤ b ≤ , a + b ≤ u }. (1)

Thus, an element $h \in \mathcal{L}(uQ)$ is a polynomial in which every term is a multiple of a monomial in (1). We can obtain a value in the base field by substituting the components of $R_i$ for $x, y$ in $h$ (for example $R = (0, 1)$ from Example 1); this value is called the value of $h$ at $R_i$ and is denoted by $h(R_i)$.

In our proposal, as well as in [2], we also use another linear space $\mathcal{L}(G - Q_1 - \cdots - Q_L)$. When $G = uQ$ as above, we have $\mathcal{L}(G - Q_1 - \cdots - Q_L) = \{ h \in \mathcal{L}(G) \mid h(Q_i) = 0 \text{ for } i = 1, \dots, L \}$.

Now we are ready to describe our proposal. Since we assumed $\dim G_i = \dim H_j = q$ for all $i, j$, we can take their orthonormal bases to be $\{ |a\rangle \mid a \in \mathbb{F}_q \}$. Then the basis of $\bigotimes_{i=1}^{L} G_i$ can be written as $\{ |s\rangle \mid s \in \mathbb{F}_q^L \}$. To describe a quantum ramp SS, it is sufficient to specify the quantum state of the shares corresponding to a quantum secret $|s\rangle \in \bigotimes_{i=1}^{L} G_i$ for every $s \in \mathbb{F}_q^L$, as done in [9,15]. We assume that

$$L = \dim \mathcal{L}(G) - \dim \mathcal{L}(G - Q_1 - \cdots - Q_L), \quad (2)$$

$$0 = \dim \mathcal{L}(G - P_1 - \cdots - P_n). \quad (3)$$

The secret $|s\rangle$ is encoded to

$$\frac{1}{\sqrt{q^{\dim \mathcal{L}(G - Q_1 - \cdots - Q_L)}}} \sum_{\substack{h \in \mathcal{L}(G) \\ (h(Q_1), \dots, h(Q_L)) = s}} |h(P_1)\rangle \otimes |h(P_2)\rangle \otimes \cdots \otimes |h(P_n)\rangle. \quad (4)$$

The mapping from $h \in \mathcal{L}(G)$ to $(h(Q_1), \dots, h(Q_L))$ is $\mathbb{F}_q$-linear and its kernel is $\mathcal{L}(G - Q_1 - \cdots - Q_L)$ (see the end of Example 2). By (2) this mapping is surjective, and for any $s \in \mathbb{F}_q^L$ there exist $q^{\dim \mathcal{L}(G - Q_1 - \cdots - Q_L)}$ elements $h \in \mathcal{L}(G)$ satisfying $(h(Q_1), \dots, h(Q_L)) = s$, which justifies the normalization factor in (4). On the other hand, (3) ensures that the mapping from $h \in \mathcal{L}(G)$ to $(h(P_1), \dots, h(P_n))$ is $\mathbb{F}_q$-linear and injective. This guarantees that the terms appearing in the summation of (4) do not overlap for different $s, s' \in \mathbb{F}_q^L$, which means that the encoded shares (4) for different $s, s'$ are orthogonal to each other. From these discussions we see that (4) maps an orthonormal basis to a subset of an orthonormal basis, and that (4) defines a complex linear isometric embedding from $\bigotimes_{i=1}^{L} G_i$ to $\bigotimes_{j=1}^{n} H_j$.

Remark 1
One of the two classical ramp SS proposed by Chen et al. [2] is as follows: For a classical secret $(s_1, \dots, s_L) \in \mathbb{F}_q^L$, an element $h \in \mathcal{L}(G)$ with $h(Q_i) = s_i$ ($i = 1, \dots, L$) is chosen uniformly at random. Then the $j$-th share is computed as $h(P_j)$. Its similarity to our proposal (4) should be obvious.

For its strong security, we have the following theorem.

Theorem 1
The above quantum ramp SS is strongly secure with respect to $I \subset \{1, \dots, L\}$ and $J \subset \{1, \dots, n\}$ if

|J| ≤ |I| + min{ deg G − L − g(F) + , n − − deg G }, (5)

where $g(F)$ denotes the genus of the algebraic function field $F/\mathbb{F}_q$; see [12] for its definition.

Its proof is technically complicated and heavily uses the theory of algebraic function fields [12], so we defer it to Appendix A.

For a quantum ramp SS to be useful, a procedure for reconstructing the quantum secret and sufficient conditions for qualified and forbidden sets are indispensable. In fact, the above proposal is a special case of the quantum ramp SS constructed from algebraic curves studied in [6]. By straightforward application of [6], $J \subset \{1, \dots, n\}$ is qualified if

|J| ≥ max{ + deg G, n − (deg G − L − g(F) + }, (6)

and $J$ is forbidden if

|J| ≤ min{ deg G − L − g(F) + , n − − deg G }. (7)

Note that (5) contains (7) as its special case $|I| = 0$. The reconstruction procedure in [6] can also be used for the proposal in this paper.

The algebraic function field in Examples 1 and 2 has genus $g(F) = 1$. To make $n$ larger with fixed $q$, we must find an algebraic function field with many $\mathbb{F}_q$-rational places. It is well known [12] that the number of $\mathbb{F}_q$-rational places is at most 1 + q + g(F)⌊√q⌋. The function field of Examples 1 and 2 reaches this upper bound, because the place $Q$ in Example 2 is also rational, so that the function field of Examples 1 and 2 has nine rational places. Requiring more $\mathbb{F}_q$-rational places generally makes $g(F)$ larger, which makes the inequalities (5), (6) and (7) weaker. For fixed $q$ and $n$, it is desirable to use an algebraic function field with smaller $g(F)$. The search for such fields has been an active research area in pure mathematics for the past 30 years; see [12]. In particular, it is known that for fixed $q$ we can construct an algebraic function field with arbitrarily many $\mathbb{F}_q$-rational places.
In this paper we argued that the previously proposed strongly secure quantum ramp SS [15] becomes difficult to implement when the number $n$ of participants is large, because the dimension $q$ of each quantum share must be $> n$. To overcome this drawback, we proposed a new quantum ramp SS that allows arbitrarily large $n$ for fixed $q$ while retaining strong security. The proposed construction is similar to the classical ramp SS proposed by Chen et al. [2].

Acknowledgements
This research is partly supported by the National Institute of Information and Communications Technology, Japan, by the Japan Society for the Promotion of Science Grant Nos. 23246071 and 26289116, and by the Villum Foundation through their VELUX Visiting Professor Programme 2013–2014.
A Proof of Theorem 1
To prove Theorem 1, we will prove a proposition covering a more general class of quantum ramp SS. We consider a quantum ramp SS constructed from a pair of linear codes $C_2 \subsetneq C_1 \subseteq \mathbb{F}_q^n$ with $\dim C_1 - \dim C_2 = L$, which was considered in [6].

Encoding is done as follows. We will encode a quantum secret to $n$ qudits in $\bigotimes_{j=1}^{n} H_j$ by a complex linear isometric embedding. To specify such an embedding, it is enough to specify the image of each basis state $|s\rangle \in \bigotimes_{i=1}^{L} G_i$. Fix an $\mathbb{F}_q$-linear isomorphism $f : \mathbb{F}_q^{\dim C_1 - \dim C_2} \to C_1/C_2$. We encode $|s\rangle$ to

$$\frac{1}{\sqrt{|C_2|}} \sum_{x \in f(s)} |x\rangle \in \bigotimes_{j=1}^{n} H_j. \quad (8)$$

Recall that by the definition of $f$, $f(s)$ is a subset of $C_1$, $f(s) \cap f(s') = \emptyset$ if $s \neq s'$, and $f(s)$ contains $|C_2|$ vectors. From these properties we see that (8) defines a complex linear isometric embedding. The quantum system $H_j$ is distributed to the $j$-th participant. For $I \subset \{1, \dots, L\}$, the map $P_I$ denotes the projection of a vector to the index set $I$, that is, for $s = (s_1, \dots, s_L) \in \mathbb{F}_q^L$, $P_I(s) = (s_i)_{i \in I}$, which is a vector with $|I|$ components.

Proposition 1
Let $f : \mathbb{F}_q^L \to C_1/C_2$ be as above. Define

$$C_1' = \{ (x, P_I(s)) \mid s \in \mathbb{F}_q^L,\ x \in f(s) \}, \quad (9)$$

$$C_2' = \{ (x, P_I(s)) \mid s \in \mathbb{F}_q^L,\ P_I(s) = 0,\ x \in f(s) \}. \quad (10)$$

Then the quantum ramp SS constructed from $C_1 \supsetneq C_2$ is strongly secure with respect to $I$ and $J$ if and only if

$$\dim P_J(C_1') - \dim P_J(C_2') = 0, \quad (11)$$

$$\dim P_{J \cup \{n+1, \dots, n+|I|\}}(C_1') - \dim P_{J \cup \{n+1, \dots, n+|I|\}}(C_2') = |I|. \quad (12)$$

Proof
By reordering indices we may assume $I = \{1, \dots, |I|\}$. For $s_I \in \mathbb{F}_q^{|I|}$ define $f'(s_I) = \{ (x, s_I) \mid s_{\overline{I}} \in \mathbb{F}_q^{|\overline{I}|},\ x \in f(s_I s_{\overline{I}}) \}$. We have $\dim C_1' = \dim C_1$, $\dim C_2' = \dim C_2 + |\overline{I}|$, and $f'$ is an $\mathbb{F}_q$-linear isomorphism from $\mathbb{F}_q^{|I|}$ to $C_1'/C_2'$.

In the definition of strong security, the quantum secret has the form

$$\Big( \sum_{s_I \in \mathbb{F}_q^{|I|}} \alpha(s_I) |s_I\rangle \Big) \Big( \sum_{s_I \in \mathbb{F}_q^{|I|}} \overline{\alpha(s_I)} \langle s_I| \Big) \otimes \frac{1}{q^{|\overline{I}|}} \sum_{s_{\overline{I}} \in \mathbb{F}_q^{|\overline{I}|}} |s_{\overline{I}}\rangle \langle s_{\overline{I}}|,$$

whose purification is

$$\sum_{s_I \in \mathbb{F}_q^{|I|}} \alpha(s_I) |s_I\rangle \otimes \frac{1}{\sqrt{q^{|\overline{I}|}}} \sum_{s_{\overline{I}} \in \mathbb{F}_q^{|\overline{I}|}} |s_{\overline{I}}\rangle |s_{\overline{I}}\rangle_R, \quad (13)$$

where $|s_{\overline{I}}\rangle_R$ is a state vector in the reference system for purification. The encoding procedure defined in this appendix transforms (13) to

$$\frac{1}{\sqrt{q^{|\overline{I}|}}} \sum_{s_I \in \mathbb{F}_q^{|I|}} \alpha(s_I) \frac{1}{\sqrt{|C_2|}} \sum_{s_{\overline{I}} \in \mathbb{F}_q^{|\overline{I}|}} \sum_{x \in f(s_I s_{\overline{I}})} |x\rangle |s_{\overline{I}}\rangle_R = \frac{1}{\sqrt{|C_2'|}} \sum_{s_I \in \mathbb{F}_q^{|I|}} \alpha(s_I) \sum_{y \in f'(s_I)} |y\rangle.$$

The joint quantum state of the shares and the reference system for purification can be regarded as encoded shares from the quantum secret $\sum_{s_I \in \mathbb{F}_q^{|I|}} \alpha(s_I) |s_I\rangle$, by using $C_1'/C_2'$ and $f'$. Equations (11) and (12) are the necessary and sufficient condition [6] for $J$ to be a forbidden set, which proves the proposition. ⊓⊔

We now start the proof of Theorem 1. Hereafter we make a different assumption, $I = \{1, \dots, |I|\}$. $C_1'$ and $C_2'$ in Proposition 1 become

$$C_1' = \{ (f(P_1), \dots, f(P_n), f(Q_1), \dots, f(Q_{|I|})) \mid f \in \mathcal{L}(G) \},$$

$$C_2' = \{ (f(P_1), \dots, f(P_n), f(Q_1), \dots, f(Q_{|I|})) \mid f \in \mathcal{L}(G),\ \forall i \in I,\ f(Q_i) = 0 \} = \{ (f(P_1), \dots, f(P_n), f(Q_1), \dots, f(Q_{|I|})) \mid f \in \mathcal{L}(G - \textstyle\sum_{i \in I} Q_i) \}.$$

Equation (5) ensures that

|J| ≤ |I| + n − − deg G ⇔ deg G ≤ |J| + |I| − . (14)

By [12], (14) implies that the mapping $\mathcal{L}(G) \ni h \mapsto (h(P_{j_1}), \dots, h(P_{j_{|J|}}), h(Q_{i_1}), \dots, h(Q_{i_{|I|}})) \in P_J(C_1')$ is $\mathbb{F}_q$-linear and bijective, where $\{i_1, \dots, i_{|I|}\} = I$ and $\{j_1, \dots, j_{|J|}\} = J$. The above mapping also gives $P_J(C_2')$ as the image of $\mathcal{L}(G - \sum_{i \in I} Q_i)$. Equation (2) implies

$$|I| = \dim \mathcal{L}(G) - \dim \mathcal{L}(G - \textstyle\sum_{i \in I} Q_i),$$

which in turn implies (12) by the above bijection between $\mathcal{L}(G)$ and $P_J(C_1')$. On the other hand, (5) also ensures that

|J| ≤ |I| + deg G − L − g(F) + ⇔ |J| ≤ deg G − |I| − g(F) + ⇔ |J| ≤ deg(G − Σ_{i∈I} Q_i) − g(F) + . (15)

By [12], (15) implies that the mapping $\mathcal{L}(G - \sum_{i \in I} Q_i) \ni h \mapsto (h(P_{j'_1}), \dots, h(P_{j'_{|J|}})) \in \mathbb{F}_q^{|J|}$ is $\mathbb{F}_q$-linear and surjective, where $\{j'_1, \dots, j'_{|J|}\} = J$. On the other hand, the image of the above mapping is $P_J(C_2')$, which means that $P_J(C_2') = \mathbb{F}_q^{|J|} = P_J(C_1')$, which in turn means that (11) holds. Since we have confirmed (11) and (12), the proof of Theorem 1 is completed by using Proposition 1. ⊓⊔
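As an added worked example (not code from the paper), the following Python script instantiates the construction of Section 3 on the curve of Examples 1 and 2 and checks the strong-security conditions (11) and (12) of Proposition 1 by rank computations. It assumes the curve is y^2 + y = x^3 over F_4 with the basis (1) of L(uQ) given by the monomials x^a y^b, 0 ≤ b ≤ 1, 2a + 3b ≤ u (exponents and coefficients are my assumptions, as are all function names); it takes G = 4Q, six share places and two secret places, so that n = 6 exceeds q = 4, checks conditions (2) and (3), and classifies share sets for the classical scheme of Remark 1.

```python
# Added example (not the paper's code). Assumed curve: y^2 + y = x^3 over F_4 (eight affine
# points, genus 1). F_4 = F_2[t]/(t^2 + t + 1), elements as 2-bit ints 0, 1, 2 (= t), 3 (= t + 1).
from functools import reduce

def gf4_mul(a, b):                             # multiplication in F_4; addition is XOR
    r = 0
    for i in range(2):
        if (b >> i) & 1:
            r ^= a << i
    return r ^ 0b111 if r & 4 else r          # reduce t^2 = t + 1

def gf4_pow(a, e):
    return reduce(gf4_mul, [a] * e, 1)

def gf4_rank(rows):                            # Gaussian elimination over F_4
    rows = [list(r) for r in rows]
    rank = 0
    for c in range(len(rows[0]) if rows else 0):
        piv = next((i for i in range(rank, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = gf4_mul(rows[rank][c], rows[rank][c])   # a^-1 = a^2 for nonzero a in F_4
        rows[rank] = [gf4_mul(inv, v) for v in rows[rank]]
        for i in range(len(rows)):
            if i != rank and rows[i][c]:
                rows[i] = [v ^ gf4_mul(rows[i][c], w) for v, w in zip(rows[i], rows[rank])]
        rank += 1
    return rank

# The eight affine points R_1, ..., R_8 of Example 1, found by brute force.
POINTS = [(x, y) for x in range(4) for y in range(4)
          if gf4_mul(y, y) ^ y == gf4_pow(x, 3)]

def basis_L(u):   # basis (1) of L(uQ): x^a y^b with b in {0, 1} and pole order 2a + 3b <= u
    return [(a, b) for b in (0, 1) for a in range(u + 1) if 2 * a + 3 * b <= u]
def evaluate(mono, pt):   # value h(R_i) of the monomial h = x^a y^b at the point R_i
    return gf4_mul(gf4_pow(pt[0], mono[0]), gf4_pow(pt[1], mono[1]))
def dim_vanishing(u, pts):   # dim {h in L(uQ) : h(p) = 0 for all p in pts}
    B = basis_L(u)
    return len(B) - (gf4_rank([[evaluate(m, p) for p in pts] for m in B]) if pts else 0)

# Instance: G = 4Q, n = 6 share places P_j, L = 2 secret places Q_i; note n > q = 4.
U, PS, QS = 4, POINTS[:6], POINTS[6:]
def conditions_hold():   # (2): L = dim L(G) - dim L(G - Q_1 - Q_2); (3): dim L(G - sum P_j) = 0
    return len(QS) == dim_vanishing(U, []) - dim_vanishing(U, QS) and dim_vanishing(U, PS) == 0

def classify(J):   # access structure of the classical scheme in Remark 1 for share set J
    PJ = [PS[j] for j in J]
    if dim_vanishing(U, PJ) == dim_vanishing(U, PJ + QS):   # L(G - sum P_J) lies in L(G - sum Q_i)
        return "qualified"                                   # so the shares on J fix every h(Q_i)
    d1 = dim_vanishing(U, []) - dim_vanishing(U, PJ)         # dim P_J of the evaluations of L(G)
    d2 = dim_vanishing(U, QS) - dim_vanishing(U, QS + PJ)    # dim P_J of those of L(G - sum Q_i)
    return "forbidden" if d1 == d2 else "intermediate"       # equal: share distribution ignores s

def strongly_secure(I, J):
    """Conditions (11) and (12) of Proposition 1 for the codes C1', C2' of (9) and (10)."""
    QI, PJ = [QS[i] for i in I], [PS[j] for j in J]
    def proj_dims(K):   # (dim P_K(C1'), dim P_K(C2')), via kernels of the evaluation maps
        return (dim_vanishing(U, []) - dim_vanishing(U, K),
                dim_vanishing(U, QI) - dim_vanishing(U, QI + K))
    d1, d2 = proj_dims(PJ)          # (11): the shares in J carry nothing about the part I
    e1, e2 = proj_dims(PJ + QI)     # (12): nor jointly with the reference system
    return d1 == d2 and e1 - e2 == len(I)
```

For this instance every single share is forbidden, any five shares are qualified, and two shares with the same x-coordinate form an intermediate set; strong security holds for one secret qudit against one share but fails against a qualified set.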
References
1. Blakley, G.R., Meadows, C.: Security of ramp schemes. In: Advances in Cryptology–CRYPTO'84, Lecture Notes in Computer Science, vol. 196, pp. 242–269. Springer-Verlag (1985)
2. Chen, H., Cramer, R., de Haan, R., Cascudo Pueyo, I.: Strongly multiplicative ramp schemes from high degree rational points on curves. In: Advances in Cryptology–EUROCRYPT 2008, Lecture Notes in Computer Science, vol. 4965, pp. 451–470. Springer-Verlag (2008)
3. Cleve, R., Gottesman, D., Lo, H.K.: How to share a quantum secret. Phys. Rev. Lett. 83(3), 648–651 (1999). DOI 10.1103/PhysRevLett.83.648
4. Gottesman, D.: Theory of quantum secret sharing. Phys. Rev. A 61(4), 042311 (2000). DOI 10.1103/PhysRevA.61.042311
5. Iwamoto, M., Yamamoto, H.: Strongly secure ramp secret sharing schemes for general access structures. Inform. Process. Lett. (2), 52–57 (2006). DOI 10.1016/j.ipl.2005.09.012
6. Matsumoto, R.: Coding theoretic construction of quantum ramp secret sharing (2014). arXiv:1405.0149v4 (version 4 or later)
7. Matsumoto, R.: Strong security of the strongly multiplicative ramp secret sharing based on algebraic curves (2014). Preprint
8. McEliece, R.J., Sarwate, D.V.: On sharing secrets and Reed-Solomon codes. Comm. ACM 24(9), 583–584 (1981)
9. Ogawa, T., Sasaki, A., Iwamoto, M., Yamamoto, H.: Quantum secret sharing schemes and reversibility of quantum operations. Phys. Rev. A 72(3), 032318 (2005). DOI 10.1103/PhysRevA.72.032318
10. Shamir, A.: How to share a secret. Comm. ACM 22(11), 612–613 (1979)
11. [entry not recoverable from the extracted text]
12. Stichtenoth, H.: Algebraic Function Fields and Codes. Graduate Texts in Mathematics, vol. 254, 2nd edn. Springer-Verlag, Berlin Heidelberg (2009)
13. Stinson, D.R.: Cryptography: Theory and Practice, 3rd edn. Chapman & Hall/CRC (2006)
14. Yamamoto, H.: Secret sharing system using (k, l, n) threshold scheme. Electronics and Communications in Japan (Part I: Communications) 69(9), 46–54 (1986). DOI 10.1002/ecja.4410690906 (the original Japanese version was published in 1985)
15. Zhang, P., Matsumoto, R.: Quantum strongly secure ramp secret sharing. Quantum Information Processing (2014)