1) The document summarizes a talk about using quantum stabilizer codes to realize access structures for secret sharing that are impossible with classical information processing. 2) It proposes a general framework for quantum secret sharing based on quantum stabilizer codes that includes Gottesman's example as a special case. 3) Existence results are shown by providing Gilbert-Varshamov type bounds, demonstrating that some access structures have a constant fraction of forbidden sets independently of the secret size.

1. Classical access structures of ramp secret sharing based
on quantum stabilizer codes
Paper No. 2 in WCC proceedings, arXiv:1811.05217
Ryutaroh Matsumoto
Slide available from
https://www.slideshare.net/RyutarohMatsumoto
Nagoya University, Japan
Aalborg University, Denmark
Email ryutaroh.matsumoto@nagoya-u.jp
5 April 2019
@ International Workshop on Coding and Cryptography 2019
Matsumoto (Nagoya U. & Aalborg U.) Quantum secret sharing (Paper No. 2) WCC 2019 1 / 18

2. Motivation of this talk
Quantum supremacy or quantum advantage is the potential ability
of quantum computing devices to solve problems that classical
computers practically cannot. (Wikipedia)
It seems important to find a new quantum supremacy to clarify difference
between quantum and classical information processing.
Matsumoto (Nagoya U. & Aalborg U.) Quantum secret sharing (Paper No. 2) WCC 2019 2 / 18

3. What quantum supremacy I will talk
In a secret sharing scheme, quantum information processing enables an
access structure that cannot be realized by classical information processing.
I will briefly review
secret sharing, and
its access structure.
Matsumoto (Nagoya U. & Aalborg U.) Quantum secret sharing (Paper No. 2) WCC 2019 3 / 18

4. Most famous secret sharing scheme (Shamir-Blakley)
Goal: Share a secret s so that only qualified sets of participants know s.
Fq s: a secret
n: the number of participants
Fq α1, ..., αn: distinct nonzero elements
1 Choose a polynomial f(x) = s + a1x + · · · + ak−1xk−1 at random.
2 Distribute f(αi) to the i-th participant.
k − 1 or less participants has no information about s.
k or more participants can reconstruct s (by solving linear equations).
A share: a piece of information distributed to a participant (f(αi) in this
example)
Matsumoto (Nagoya U. & Aalborg U.) Quantum secret sharing (Paper No. 2) WCC 2019 4 / 18

5. Access structure in secret sharing
Forbidden set: a set of participants who collectively have no information
about the secret, that is, their shares are statistically independent of the secret,
as random variables.
Example: A set of k − 1 or less participants in the Shamir-Blakley scheme.
Qualified set: a set of participants who can collectively reconstruct the secret,
that is, there exists a map from their shares to the secret.
Example: A set of k or more participants
Access structure: set of forbidden sets and set of qualified sets, that is, the
structure of forbidden and qualified sets.
Matsumoto (Nagoya U. & Aalborg U.) Quantum secret sharing (Paper No. 2) WCC 2019 5 / 18

6. Example of a classically impossible access structure
Secret has n bits.
There are n participants.
Each participant has 1-bit share.
The only qualified set is {1, ..., n}, that is, all the participants.
Only the empty set can be a forbidden set. Non-empty sets of participants
must have non-zero information about the secret.
But if each participant has 1-qubit share, then non-empty set can become a
forbidden set.
Matsumoto (Nagoya U. & Aalborg U.) Quantum secret sharing (Paper No. 2) WCC 2019 6 / 18

7. Review of qubits
QUantum BIT: a unit of quantum information that can store 1 classical bit,
and expressed by two-dimensional complex linear space C2. Its orthonormal
basis is often written as |0 =
1
0
, |1 =
0
1
(ket-zero and ket-one).
n qubits are expressed as a vector in (C2)⊗n of dimension 2n.
|a ⊗ |b is often abbreviated as |ab .
Example: Two typical orthonormal bases of 2 qubits are
{|00 , |01 , |10 , |11 } and


|0 + (−1)m
|1(1 − )√
2
= 1√
2


1 −
(−1)m
(1 − )(−1)m


| , m = 0, 1



(the Bell basis).
Matsumoto (Nagoya U. & Aalborg U.) Quantum secret sharing (Paper No. 2) WCC 2019 7 / 18

8. Gottesman’s quantum secret sharing (PRA 2000)
Secret is 2 classical bits ( , m).
There are 2 participants.
The 1st participant has the 1st qubit and
the 2nd one has the 2nd qubit of
|0 + (−1)m
|1(1 − )
√
2
(called a Bell state).
{1, 2} is qualified.
The (matrix expression of) quantum state (i.e. density matrix) of each
share is I2×2/2 and independent of values ( , m), therefore ∅, {1} and {2}
are forbidden.
The above access structure is classically impossible (if each share is
1-bit).
The access structure is perfect, i.e., every set is either forbidden or
qualified, while secret size > share size. It is also classically impossible.
Matsumoto (Nagoya U. & Aalborg U.) Quantum secret sharing (Paper No. 2) WCC 2019 8 / 18

9. Purpose of this research
Proposing a general framework of quantum secret sharing based on
quantum stabilizer codes that includes Gottesman’s example as a special
case.
Relating the proposed framework to the classical algebraic coding theory.
Giving Gilbert-Varshamov type argument to ensure existence of quantum
secret sharing with a particular set of parameters.
Proving there exist infinitely many access structures that are quantumly
possible but classically impossible.
Matsumoto (Nagoya U. & Aalborg U.) Quantum secret sharing (Paper No. 2) WCC 2019 9 / 18

10. Review of the non-binary quantum stabilizer codes
For (a|b) = (a1, ..., an|b1, ..., bn), and (c|d) = (c1, ..., cn|d1, ..., dn) ∈ F2n
q ,
the symplectic inner product is defined as
(a|b), (c|d) s = a, d E − b, c E,
where , E denotes the Euclidean inner product.
A symplectic self-orthogonal space C ⊂ C⊥s ⊂ F2n
q with dim C = n − k gives
an [[n, k]]q quantum stabilizer code, encoding k qudits ∈ (Cq)⊗k into n qudits
∈ (Cq)⊗n
Matsumoto (Nagoya U. & Aalborg U.) Quantum secret sharing (Paper No. 2) WCC 2019 10 / 18

11. Encoding in quantum secret sharing
An [[n, k]]q quantum stabilizer code is a qk-dimensional complex subspace Q
of (Cq)⊗n.
Q can encode (k log2 q) classical bits to n qudits ∈ (Cq)⊗n. Let {|v | v ∈ Fk
q} be
an orthonormal basis of Q.
Classical secret v ∈ Fk
q is encoded to |v ∈ Q, then each participant has each
qudit in the quantum codeword |v ∈ (Cq)⊗n.
The access structure depends on the choice of bases
{|v | v ∈ Fk
q} ⊂ Q ⊂ (Cq)⊗n. So I will express choices of {|v | v ∈ Fk
q} in an
algebraic coding theoretic way.
Matsumoto (Nagoya U. & Aalborg U.) Quantum secret sharing (Paper No. 2) WCC 2019 11 / 18

12. Proposed encoding in quantum secret sharing
For any C ⊂ C⊥s ⊂ F2n
q there always exists self-dual Cmax = C⊥s
max such that
C ⊂ Cmax = C⊥s
max ⊂ C⊥s
.
Cmax = C⊥s
max defines a commutative group S of complex Pauli matrices.
Communitativity enables us to diagnalize all matrices in S by single common
orthonormal basis.
Each complex vector in an orthonormal basis {|v | v ∈ Fk
q} of Q is chosen as a
simultaneous eigenvector of all complex unitary matrices in S.
Matsumoto (Nagoya U. & Aalborg U.) Quantum secret sharing (Paper No. 2) WCC 2019 12 / 18

13. Algebraic coding theoretic expression of quantum secret
sharing
C ⊂ Cmax = C⊥s
max ⊂ C⊥s ⊂ F2n
q with dim C = n − k,
(k log2 q)-bits classical secret is encoded.
There are n participants and each participant has 1 qudit (q-dimensional
complex vector) in a quantum codeword defined by C and the secret.
Necessary and sufficient conditions for qualified and forbidden sets can
be given in terms of C (see the proceedings).
I will talk sufficient conditions in terms of the symplectic weight in F2n
q .
Matsumoto (Nagoya U. & Aalborg U.) Quantum secret sharing (Paper No. 2) WCC 2019 13 / 18

14. Sufficient conditions by symplectic weights
For (a|b) = (a1, ..., an|b1, ..., bn), its symplectic weight is
swt(a|b) = |{i | (ai, bi) (0, 0)}|.
For a nested pair V1 ⊃ V2 we define the symplectic coset distance
ds(V1, V2) = min{swt(a|b) | (a|b) ∈ V1 V2}.
Recall that C ⊂ Cmax = C⊥s
max ⊂ C⊥s ⊂ F2n
q define quantum secret sharing.
Sufficient conditions for forbidden and qualified sets
ds(Cmax, C) − 1 or less participants are forbidden.
n − ds(C⊥s, Cmax) + 1 or more participants are qualified.
I will use two distances ds(Cmax, C) and ds(C⊥s, Cmax) in the
Gilbert-Varshamov-type condition next.
Matsumoto (Nagoya U. & Aalborg U.) Quantum secret sharing (Paper No. 2) WCC 2019 14 / 18

15. Gilbert-Varshamov-type existential conditions
Recall that C ⊂ Cmax = C⊥s
max ⊂ C⊥s ⊂ F2n
q define quantum secret sharing.
If positive integers n, k, δt, δr satisfy
qn+k − qn
q2n − 1
δr−1
i=1
n
i
(q2
− 1)i
+
qn − qk
q2n − 1
δt−1
i=1
n
i
(q2
− 1)i
< 1,
then there exist C ⊂ Cmax = C⊥s
max ⊂ C⊥s ⊂ F2n
q such that dim C = n − k,
ds(C⊥s, Cmax) ≥ δr and ds(Cmax, C) ≥ δt. (i are forgotten in the proc. paper)
Asymptotic form: Let R, t and r be nonnegative real numbers ≤ 1. Define
hq(x) = −x logq x − (1 − x) logq(1 − x). For sufficiently large n, if
hq( r) + r logq(q2
− 1) < 1 − R (not containing t) and
hq( t) + t logq(q2
− 1) < 1, (not containning R nor r)
then there exist C ⊂ Cmax ⊂ C⊥s ⊂ F2n
q such that dim C = n − nR ,
ds(C⊥s, Cmax) ≥ n t and ds(Cmax, C) ≥ n t .
Matsumoto (Nagoya U. & Aalborg U.) Quantum secret sharing (Paper No. 2) WCC 2019 15 / 18

16. Consequences of the GV bound
Recall that C ⊂ Cmax = C⊥s
max ⊂ C⊥s ⊂ F2n
q define quantum secret sharing.
ds(Cmax, C) − 1 or less participants are forbidden,
ds(Cmax, C) ≥ n t ,
the sufficient condition hq( t) + t logq(q2 − 1) < 1 does not contain R, and
h2(0.19) + 0.19 log2 3 1.
⇒ We can construct a secret sharing scheme with roughly 19% of participants
being forbidden independently of the size (i.e. R) of classical secrets for
q = 2 and large n.
On the other hand, if the size of classical secret = the total size of classical
shares, then the forbidden set is only ∅ or the secret cannot be reconstructed
even by all participants.
Matsumoto (Nagoya U. & Aalborg U.) Quantum secret sharing (Paper No. 2) WCC 2019 16 / 18

17. Summary of this talk
Relating quantum secret sharing of classical secrets to algebraic coding
theory
Expressing properties of quantum secret sharing by the underlying linear
codes
Gilbert-Varshamov-type existential conditions
Access structures impossible by classical information processing
Acknowledgment: The research problem was inspired by a discussion with
Diego Ruano. Thank you for your listening!
Matsumoto (Nagoya U. & Aalborg U.) Quantum secret sharing (Paper No. 2) WCC 2019 17 / 18

18. Gottesman’s example as a stabilizer code
We will see how one can express Gottesman’s secret sharing scheme by a
quantum stabilizer. Let p = 2, n = 2 and C be the zero-dimensional linear
space consisting of only the zero vector. Then C⊥s = F4
2. We choose Cmax as
the space spanned by (1, 1|0, 0) and (0, 0|1, 1).
Matsumoto (Nagoya U. & Aalborg U.) Quantum secret sharing (Paper No. 2) WCC 2019 18 / 18