Cryptanalysis of secure multiparty quantum summation

Abstract

Secure multiparty summation plays an important role in the field of secure communication. In this paper, we give a cryptanalysis of a generalized quantum protocol for secure multiparty summation and find a security leak, whereby a dishonest player can steal all the other players’ shares and the summation of secrets without being found, which is in conflict with the security requirement for secure multiparty summation. Furthermore, we analyze the reason and present an improved version to deal with the security problem.

Appendices

Appendix A  Access structure

Given a set of participants \(P=\{P_{1},P_{2},\ldots ,P_{n}\}\), an access structure \(\alpha \subseteq 2^{|P|}\) is such a qualified set of participants that if \(X\in \alpha \) and \(X\subseteq Y\subseteq P\), then \(Y\in \alpha \). The set of unqualified participants is called an adversary structure \(\zeta \) [25].

Appendix B  Monotone span program

The MSP consists of four tuples \((F,M,\eta ,\overrightarrow{\sigma })\), where F is a finite field, M is a \(u\times v\) matrix over F, \(\eta : \{1,2,\ldots ,u\}\rightarrow P\) is a surjective mapping, and \(\overrightarrow{\sigma }\) is a target vector such that \(\overrightarrow{\sigma }=(1,0,\ldots ,0)^{T}\in F^{v}\). If \((F,M,\eta ,\overrightarrow{\sigma })\) is a MSP for access structure \(\alpha \), then it must satisfy: If \(X\in \alpha \), there exists a vector \(\overrightarrow{\beta _{X}}\in F^{k}\) such that \(M_{X}^{T}\overrightarrow{\beta _{X}}=\overrightarrow{\sigma }\); otherwise, if \(X\in \zeta \), there exists a vector \(\overrightarrow{u}=(u_{1},u_{2},\ldots ,u_{v})^{T}\in F^{v}\) such that \(M_{X}\overrightarrow{u}=\overrightarrow{0}\in F^{k}\) with \(u_{1}=1\), where k denotes the number of participants in X, and \(M_{X}\) denotes the ith row of M such that \(\eta (i)\in X\) [25].

Appendix C  Linear secret sharing

The LSS scheme consists of two phases: secret distribution phase and reconstruction phase [25].

Distribution phase: The dealer selects a random vector \(\overrightarrow{w}=(e,w_{2},\ldots ,w_{v})^{T}\) and computes \(\overrightarrow{e}=M\overrightarrow{w}=(e_{1},e_{2},\ldots ,e_{n})^{T}\), where e is a secret. Then, it sends \(e_{z}\) to player \(\eta (z)\) by a secure channel.

Reconstruction phase: The authenticated set X of players can recover the secret e by computing

$$\begin{aligned} \overrightarrow{e_{X}}\cdot \overrightarrow{\beta _{X}}= & {} (M_{X}\overrightarrow{w})^{T}\cdot \overrightarrow{\beta _{X}}\\= & {} \overrightarrow{w}^{T}\cdot (M_{X}^{T}\overrightarrow{\beta _{X}})\\= & {} \overrightarrow{w}^{T}\cdot \overrightarrow{\sigma }\\= & {} e. \end{aligned}$$