Computing on quantum shared secrets
Yingkai Ouyang, Si-Hui Tan, Liming Zhao, Joseph F. Fitzsimons

TL;DR
This paper introduces a quantum secret-sharing scheme that enables computation on shared quantum secrets without decoding, ensuring security even with dishonest participants, advancing quantum cryptography protocols.
Contribution
It proposes a novel (n,n)-quantum secret sharing scheme and protocols for performing quantum computations on shared secrets securely.
Findings
Secure quantum computation on shared secrets demonstrated.
Dishonest participants cannot learn the secret if at least one honest participant exists.
Protocols maintain security against deviations from honest behavior.
Abstract
A (k,n)-threshold secret-sharing scheme allows for a string to be split into n shares in such a way that any subset of at least k shares suffices to recover the secret string, but such that any subset of at most k-1 shares contains no information about the secret. Quantum secret-sharing schemes extend this idea to the sharing of quantum states. Here we propose a method of performing computation on quantum shared secrets. We introduce a (n,n)-quantum secret sharing scheme together with a set of protocols that allow quantum circuits to be evaluated on the shared secret without the need to decode the secret. We consider a multipartite setting, with each participant holding a share of the secret. We show that if there exists at least one honest participant, no group of dishonest participants can recover any information about the shared secret, independent of their deviations from the…
Taxonomy
Topics: Quantum Computing Algorithms and Architecture · Quantum Information and Cryptography · Quantum Mechanics and Applications
Yingkai Ouyang
Singapore University of Technology and Design, 8 Somapah Road, Singapore 487372
Si-Hui Tan
Singapore University of Technology and Design, 8 Somapah Road, Singapore 487372
Liming Zhao
Singapore University of Technology and Design, 8 Somapah Road, Singapore 487372
Joseph F. Fitzsimons
Singapore University of Technology and Design, 8 Somapah Road, Singapore 487372
Centre for Quantum Technologies, National University of Singapore, 3 Science Drive 2, Singapore 117543
Abstract
A (k,n)-threshold secret-sharing scheme allows for a string to be split into n shares in such a way that any subset of at least k shares suffices to recover the secret string, but such that any subset of at most k-1 shares contains no information about the secret. Quantum secret-sharing schemes extend this idea to the sharing of quantum states. Here we propose a method of performing computation on quantum shared secrets. We introduce a (n,n)-quantum secret sharing scheme together with a set of protocols that allow quantum circuits to be evaluated on the shared secret without the need to decode the secret. We consider a multipartite setting, with each participant holding a share of the secret. We show that if there exists at least one honest participant, no group of dishonest participants can recover any information about the shared secret, independent of their deviations from the protocol.
The connected nature of modern computing infrastructure has led to the widespread adoption of distributed and delegated computation Armbrust et al. (2010), with hard computational tasks routinely delegated to remote computers. In such a setting, security of the computation can be a very real concern. For several decades it has been understood that quantum cryptography offers stronger security for key distribution than is possible using purely classical communication over untrusted channels Bennett and Brassard (1984); Ekert (1991). More recently, quantum protocols have appeared for secure computation tasks such as secure multi-party computation Crépeau et al. (2002), blind computation Broadbent et al. (2009); Morimae and Fujii (2012); Barz et al. (2012); Broadbent (2015) and verifiable delegated computation Aharonov et al. (2010); Reichardt et al. (2013); Fitzsimons and Kashefi (2012); Morimae (2014); Hayashi and Morimae (2015). In the present manuscript, we focus on a different form of secure computation, namely the evaluation of quantum circuits on shared secrets.
In a secret sharing scheme, an -bit string r which is meant to be kept a secret, is encrypted into an -bit string s. These bits are subsequently distributed among parties, with the intention that whenever too few of the parties collude, the colluding parties cannot perfectly recover the secret message r. The reversibility of the encryption allows the secret message r to be recovered when all of the -parties assemble the data that they were distributed. In a -threshold scheme for classical secret sharing Shamir (1979); Blakley (1979), it is required that no group with fewer than colluding parties can reconstruct the secret message r, and any parties can reconstruct r. Similarly in a -threshold quantum secret sharing scheme, a secret quantum state of qubits is shared among parties such that no group fewer than colluding parties can reconstruct the secret quantum state Hillery et al. (1999); Cleve et al. (1999); Gottesman (2000); Zhang et al. (2005); Markham and Sanders (2008), and any parties can reconstruct the secret quantum state. Here, we present an -threshold quantum secret sharing scheme that also supports evaluation of quantum circuits on the shared secret.
Our secret sharing scheme with computation can be seen as a form of secure delegated multipartite quantum computation where the delegated computation is made public. We emphasize that our scheme is not naturally a blind quantum computation scheme, because blind quantum computation also requires the intended quantum computation to be kept secret from the evaluator (however, by fixing the public function to act as a programmable computer, it is possible to implement a form of blind computation, similar to other secure computing protocols Dunjko et al. (2014)). As such, the setting we consider is more closely related to that of quantum homomorphic encryption schemes Rohde et al. (2012); Tan et al. (2016); Ouyang et al. (2015); Broadbent and Jeffery (2015); Dulek et al. (2016), which allow the quantum computation to be performed to be public and require the decoding algorithm to be independent of the depth of the computation. Indeed, we are motivated by a particular quantum homomorphic encryption scheme, introduced in Ouyang et al. (2015), that supports transversal evaluations of Clifford gates, and present a secret sharing scheme that allows the evaluation of Clifford gates by requiring the non-interacting parties to perform the corresponding Clifford operations in parallel. A constant number of non-Clifford gates can also be implemented via a coordinated gate teleportation using logical magic states. Since the security of our scheme is independent of the security of the quantum homomorphic encryption scheme in Ref. Ouyang et al. (2015), the no-go results for fully quantum homomorphic encryption schemes with both perfect Yu et al. (2014) and imperfect Newman and Shi (2016) information theoretic security do not limit the class of circuits which can be evaluated.
Our secret sharing scheme comprises four procedures as described in Protocol 1. We label qubits according to a 2-dimensional arrangement as depicted in Fig. 1. In the input procedure of Protocol 1, qubits are initialized on a single column, with the first qubits containing the quantum secret, and the last qubits each initialized in the magic state , where , , , and are the usual Pauli matrices. These magic states are consumed during the evaluation in reverse order, starting from the last row. We focus on the case where is divisible by 4. This is not a limiting factor, since if this is not the case, one can simply prepare shares and give multiple shares to a single party. In the encoding procedure of Protocol 1, additional columns of qubits in the maximally mixed state are appended. This yields an -qubit quantum state arranged in a grid with rows and columns. Subsequently a unitary encoding is applied on the qubits, which spreads the quantum secret from the first column to all the columns. Here is a tensor product of the unitaries , where each acts only on the -th row of qubits and comprises only CNOT gates. Specifically , where (i) comprises commuting CNOT gates with controls all on the first column and targets on each of the remaining columns, and (ii) comprises commuting CNOT gates with targets all on the first column and controls on every other column. Although is a fixed unitary, the induced encoding is random because the qubits that acts on are random; the qubits from the second column to the last column are initialized as either or with probability . This random encoding maps the quantum secret into a random code which is a highly mixed state, similar to Ref. Ouyang et al. (2015). In the sharing procedure of Protocol 1, the -qubit quantum state is shared equally among parties, with each party receiving a single column of qubits.
In the decoding procedure of Protocol 1, the shares are assembled, the inverse encoding circuit is performed, and all but the first column of qubits are discarded, which yields the -quantum secret on the first column.
To evaluate a quantum circuit on the shared secret, each party performs quantum computation only on their share of the quantum state. We consider the approximately universal model of quantum computation based on a discrete set of gates composed of Clifford group gates and a single non-Clifford group gate, in this case although other choices are possible. As we shall see, quantum circuits composed of arbitrarily many Clifford gates and up to some constant number of -gates can be evaluated on the shared secret. We will consider the evaluation of a sequence of such gates on the -qubit quantum secret shared by parties. The gates are unitary matrices on qubits and are assumed to be known to every party. Using the knowledge of , each party implements a sequence of operations on their share of the qubits, as specified in Protocol 2. The computation is performed after the sharing procedure and before the decoding procedure of Protocol 1, as we now describe.
When is a Clifford gate that applies non-trivially on some set of logical qubits, each party performs on the corresponding subset of their column of qubits, thereby collectively implementing . This procedure is depicted in Fig. 2A for single qubit Clifford gates, and Fig. 2B for a CNOT gate. Let denote the set of the Pauli matrices. Then the fact that is divisible by 4 implies that for ,
[TABLE]
Since is in the Clifford group, it maps the Pauli group onto itself,
[TABLE]
Hence the transversal Clifford group gates correspond to the logical Clifford group gates on our random codespace Ouyang et al. (2015).
It is also possible to perform a constant number of -gates on the quantum secret via gate teleportation. For each -gate that is to be performed, a logical magic state
[TABLE]
must be prepared. This is achieved by the input and encoding procedures of Protocol 1; however, we do not rule out the possibility of replacing this pre-sharing of magic states with a procedure for the parties to interactively prepare states on demand without the involvement of the initial sharer. Each of these logical magic states is taken to be located on the last rows of the encoding. To prepare on the -th row, the first qubit in the -th row is initialized as with the remaining qubits prepared in the maximally mixed state. The encoding unitary is subsequently applied. To evaluate the -th -gate on qubit of the shared secret, each party proceeds as follows. They first apply a CNOT with control on the -th qubit and target on the -th last qubit of their share. They then apply a CNOT with control on the -th last qubit and target on the -th qubit. Each party then measures the -th last qubit in the basis and broadcasts the measurement result to every other party over a public classical channel. Lastly, if the parity of the measurement results is odd, each party applies a single-qubit Clifford gate on the -th qubit. If the parity is even, no such correction is necessary. This procedure is depicted in Fig. 2C. The evaluation of each -gate in this way amounts to the logical implementation of a gate teleportation protocol that consumes one magic state Zhou et al. (2000).
We now describe how the evaluation of the -gate works by explicitly considering the operations that the parties implement. Denoting , , and , the correct implementation of a logical -gate on the state shared by the -th qubit of each party must yield
[TABLE]
This follows from the conjugation relations for the -gate given by , , and . After every party applies the CNOT gates as depicted in Fig. 2C, the joint quantum state on the -th qubit and the -th last qubit of every party given by is mapped to the state
[TABLE]
To show this, we have used the commutation relations of the CNOT with various two-qubit Pauli matrices (Nielsen and Chuang, 2000, Eqs. (4.32)-(4.37)). The parity of is equivalent to the observable on the -th last qubit of each share. If the parity is even, the resultant state on the -th qubit of every party is collectively
[TABLE]
and the evaluation of the -gate is successful. If the parity is odd, however, the resultant state of these qubits is
[TABLE]
Applying to each qubit transforms the state into , resulting in a correct evaluation of the -gate.
We now turn to the issue of security. This requires several steps. First we show that the scheme outlined in Protocol 1 is a -threshold secret sharing scheme as claimed. We then prove that the evaluation of quantum circuits on the shared secret performed according to Protocol 2 does not compromise the encoding. Specifically, we show that no subset of parties can collude to produce any state correlated with the encoded secret, beyond any prior knowledge they may have.
A -threshold quantum secret-sharing scheme Cleve et al. (1999); Gottesman (2000) is a quantum operation that maps a secret quantum density matrix to an encoded state that can be divided among parties such that (1) any or more parties can perfectly reconstruct the secret quantum state, and (2) any or fewer parties can collectively deduce no information at all about the secret quantum state. The first property is trivially satisfied by Protocol 1 when , since the encoding procedure is perfectly reversible with inverse operation given by the specified decoding procedure. Turning to the second property, we consider the result of encoding a state
[TABLE]
according to Protocol 1. Here and when is the trivial Pauli operator, . It is the coefficients for the non-trivial Pauli operators in that collectively define the quantum secret. From Eq. 1 it follows that the resulting state is
[TABLE]
where the tensor product in is taken across different shares of the secret. Property (2) then follows trivially, since the reduced density matrix for any subsystem of shares (i.e. columns) is necessarily the maximally mixed state, because all non-trivial are traceless.
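The encoding, the transversal Clifford evaluation and the share-secrecy property described above can be checked numerically on a single row of the grid. This is an added example, not code from the paper: it uses a state-vector simulation with hypothetical function names and a constructed sample secret, takes the Hadamard gate as the Clifford gate, and assumes five shares, reading the divisibility condition as applying to n - 1 (the symbol is missing from this page's text) and applying the CNOTs controlled on the first column before those targeting it.

```python
from itertools import combinations, product
from math import sqrt
PSI = (0.6, 0.8 * (1 + 1j) / sqrt(2))  # constructed sample secret (normalised)

def cnot(vec, n, c, t):  # qubit 0 is the first column
    out = list(vec)
    for i in range(len(vec)):
        if (i >> (n - 1 - c)) & 1:
            out[i ^ (1 << (n - 1 - t))] = vec[i]
    return out

def hadamard(vec, n, q):
    m, out = 1 << (n - 1 - q), [0j] * len(vec)
    for i, a in enumerate(vec):
        out[i & ~m] += a / sqrt(2)
        out[i | m] += (-a if i & m else a) / sqrt(2)
    return out

def encode(psi, bits, n):
    """Secret qubit on column 0; the n-1 ancilla columns start in basis state `bits`."""
    tail = sum(b << (n - 2 - k) for k, b in enumerate(bits))
    vec = [0j] * 2**n
    vec[tail], vec[(1 << (n - 1)) | tail] = psi
    # Assumed order: CNOTs controlled on column 0 first, then CNOTs targeting it.
    for c, t in [(0, j) for j in range(1, n)] + [(j, 0) for j in range(1, n)]:
        vec = cnot(vec, n, c, t)
    return vec

def decode(vec, n):
    for c, t in [(j, 0) for j in range(1, n)] + [(0, j) for j in range(1, n)]:
        vec = cnot(vec, n, c, t)
    return vec

def branches(psi, n, gate=None, decoded=False):
    """One pure state per ancilla bit string; their uniform mixture is the shared state."""
    out = []
    for bits in product((0, 1), repeat=n - 1):
        vec = encode(psi, bits, n)
        for q in (range(n) if gate else ()):  # transversal: each party acts on its column
            vec = gate(vec, n, q)
        out.append(decode(vec, n) if decoded else vec)
    return out

def reduced(states, n, keep):
    """Density matrix of the columns in `keep`, averaged over the branches."""
    def idx(qs, bs):
        return sum(b << (n - 1 - q) for q, b in zip(qs, bs))
    drop = [q for q in range(n) if q not in keep]
    kb = [idx(keep, b) for b in product((0, 1), repeat=len(keep))]
    db = [idx(drop, b) for b in product((0, 1), repeat=len(drop))]
    return [[sum(v[a | e] * v[b | e].conjugate() for v in states for e in db)
             / len(states) for b in kb] for a in kb]

def close(m1, m2, tol=1e-9):
    return all(abs(x - y) < tol for r1, r2 in zip(m1, m2) for x, y in zip(r1, r2))

def colluders_learn_nothing(psi, n):
    """True if every set of n-1 columns is exactly maximally mixed."""
    mixed = [[(a == b) / 2**(n - 1) for b in range(2**(n - 1))] for a in range(2**(n - 1))]
    states = branches(psi, n)
    return all(close(reduced(states, n, list(k)), mixed) for k in combinations(range(n), n - 1))

def decoded_secret(psi, n, gate=None):
    return reduced(branches(psi, n, gate, decoded=True), n, [0])
```

`colluders_learn_nothing(PSI, 5)` returns True and `decoded_secret(PSI, 5, hadamard)` equals the Hadamard-transformed secret. With n = 4 and the same assumed gate order the check returns False, because columns 2 to 4 then jointly carry the secret's X component.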
Turning to the issue of the security of Protocol 2, we consider the state of the system across a bipartition between a single honest party, who follows the protocol, and the remaining parties who are not restricted in their actions. We now show that the bits broadcast by the honest party are uniformly random and independent of the actions of the other parties. Given a sequence of gates with the honest party acting as described by Protocol 2, our strategy is to show that after evaluation of the -th gate, the state of the system has the form
[TABLE]
where is the number of -gates in , is a set of scalars, and is a set of operators on the Hilbert space representing the system of the dishonest parties. We have excluded the honest party’s measured qubits, as these are in a product state with the rest of the system.
The proof proceeds by induction. We assume that the system is in a state of the form of Eq. 10 after evaluation of the first gates. If is a Clifford group gate, then the honest party applies on some subset of the first qubits of their share, while the dishonest parties are free to perform any completely positive and trace preserving map on their side of the bipartition. Since and , and since the operation applied by the dishonest parties on their side of the bipartition is linear, the resulting state is in the form of Eq. 10 as claimed. When is a -gate on some qubit , the situation is more complicated. Since the actions of the honest party only affect the -th qubit and -th last qubit of their share, we will consider the effect of these actions on all combinations of Pauli operators on these two qubits which can have non-zero coefficients in . From the induction assumption, these are given by the first column of Table 1. The effect of the honest party applying CNOT operations as prescribed by the first two steps of the -gate procedure in Protocol 2 is to transform these operators into the corresponding Pauli operators given by the second column of Table 1. As the operator does not appear, it follows that the expectation for , the measurement result of the honest party’s measurement, is precisely zero. Hence is uniformly random and independent of the non-trivial weights . The effect of the measurement on the Pauli operators is given by the third column of Table 1, which implies that the resulting state is in the form of Eq. 10. Since the correction is merely a local Clifford group operator, the final state is always of the correct form independent of the parity of . Since the initial state after sharing, given by Eq. 9 is of the form of Eq. 10, the induction hypothesis holds for all , and the measurement results of the honest party convey no information which can be used by the dishonest participants to recover .
The scheme we have presented above, therefore, represents a -threshold secret sharing scheme that also allows for the evaluation of quantum circuits on the shared secret without lowering the threshold. While the complexity of such circuits is limited in terms of the number of -gates to the number of corresponding magic states incorporated in the initial sharing, whether it is possible to create such states as needed without involvement of the initial sharer presents an interesting avenue for future research. Intuitively, the security of our scheme is based on a randomized error correction code which leaves only weight operators constant while admitting transversal Clifford gates. This suggests that the use of less random error-correction codes will allow for -threshold schemes for other values of .
The authors thank Mahboobeh Houshmand and Monireh Houshmand for useful discussions. The authors acknowledge support from Singapore’s Ministry of Education and National Research Foundation. JFF and SHT acknowledge support from the Air Force Office of Scientific Research under AOARD grant FA2386-15-1-4082. This material is based on research funded in part by the Singapore National Research Foundation under NRF Award NRF-NRFF2013-01.
References
- [1] Armbrust et al. (2010): M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica, et al., Communications of the ACM 53, 50 (2010).
- [2] Bennett and Brassard (1984): C. H. Bennett and G. Brassard, in Proceedings of IEEE International Conference on Computers, Systems and Signal Processing (New York, 1984), vol. 175.
- [3] Ekert (1991): A. K. Ekert, Phys. Rev. Lett. 67, 661 (1991), URL http://link.aps.org/doi/10.1103/PhysRevLett.67.661.
- [4] Crépeau et al. (2002): C. Crépeau, D. Gottesman, and A. Smith, in Proceedings of the Thirty-fourth Annual ACM Symposium on Theory of Computing (ACM, New York, NY, USA, 2002), STOC ’02, pp. 643–652, ISBN 1-58113-495-9, URL http://doi.acm.org/10.1145/509907.510000.
- [5] Broadbent et al. (2009): A. Broadbent, J. Fitzsimons, and E. Kashefi, in Foundations of Computer Science, 2009. FOCS’09. 50th Annual IEEE Symposium on (IEEE, 2009), pp. 517–526.
- [6] Morimae and Fujii (2012): T. Morimae and K. Fujii, Nature Communications 3, 1036 (2012).
- [7] Barz et al. (2012): S. Barz, E. Kashefi, A. Broadbent, J. F. Fitzsimons, A. Zeilinger, and P. Walther, Science 335, 303 (2012).
- [8] Broadbent (2015): A. Broadbent, Canadian Journal of Physics 93, 941 (2015).
