Hybrid protocols for multi-party semiquantum private comparison, multiplication and summation without a pre-shared key based on d-dimensional single-particle states

In this paper, by utilizing d-dimensional single-particle states, three semiquantum cryptography protocols, i.e., the multi-party semiquantum private comparison (MSQPC) protocol, the multi-party semiquantum multiplication (MSQM) protocol and the multi-party semiquantum summation (MSQS) protocol, can be achieved simultaneously under the assistance of two semi-honest quantum third parties (TPs). Here, the proposed MSQPC scheme is the only protocol which is devoted to judging the size relationship of secret integers from more than two semiquantum participants without a pre-shared key. And the proposed MSQM protocol absorbs the innovative concept of semiquantumness into quantum multiplication for the first time, which can calculate the modulo d multiplication of private inputs from more than two semiquantum users. As for the proposed MSQS protocol, it is the only semiquantum summation protocol which aims to accomplish the modulo d addition of more than three semiquantum users’ private integers. Neither quantum entanglement swapping nor unitary operations are necessary in the three proposed protocols. The security analysis verifies in detail that both the external attacks and the internal attacks can be resisted in the three proposed protocols.

In the year of 1984, the pioneer protocol of quantum cryptography, which became known as BB84 protocol hereafter, was proposed by Bennett and Brassard [1]. As a quantum key distribution (QKD) protocol, BB84 protocol successfully integrated quantum mechanics into classical cryptography by employing the polarization of single photons. Since then, plenty of quantum cryptography protocols [1–39] have been born in turn, which can be categorized into quantum secret sharing (QSS) [2–10], quantum private comparison (QPC) [11–19], quantum multiplication (QM) [20–25], quantum summation (QS) [20–22, 26–36], quantum blockchain [37, 38], quantum secure multiparty computation [39] and so on. The application of quantum cryptography into practical circumstances, for example, applying quantum cryptographic protocol into vehicular communication [40], has also been explored. Different from classical cryptography, quantum cryptography provides the unconditional security theoretically based on the laws of quantum mechanics. Nevertheless, not everyone has ability to afford the expensive quantum devices.

Thereupon, a novel concept of semiquantumness was put forward by Boyer et al. [41, 42] in the year of 2007, which means the birth of semiquantum cryptography. Unlike quantum cryptography schemes, semiquantum cryptography schemes [41–44] don’t require semiquantum participants to prepare or measure quantum superposition states and quantum entangled states, which greatly saves experiment costs. In other words, the quantum users need to equip complete quantum capabilities, while the semiquantum participants are restricted to own limited abilities. In semiquantum cryptography, the first semiquantum private comparison (SQPC) protocol was proposed by Chou et al. [45] based on entanglement swapping of Bell states in the year of 2016, the first semiquantum summation (SQS) protocol was put forward by Zhang et al. [46] based on single photons in the year of 2021, and the semiquantum multiplication (SQM) protocol hasn’t been designed until now.

Speaking of SQPC, it can be divided into two kinds: SQPC of equality [45, 47–50] and SQPC of size relationship [51–56]. Compared with the former kind, the latter kind has more functions on determining the relationship of semiquantum participants’ private inputs. In the year of 2021, by adopting d-dimensional Bell states, Zhou et al. [51] designed a SQPC scheme of size relationship with a pre-shared key; and by using d-dimensional GHZ states, Wang et al. [52] proposed a SQPC protocol of size relationship with a pre-shared key. In the year of 2022, by employing d-dimensional single-particle states, Li et al. [53] put forward two SQPC protocols of size relationship, each of which requires a pre-shared key, where the first protocol and the second protocol use the distribution model and the circle model to transmit particles, respectively; by utilizing d-dimensional Bell states, Luo et al. [54] designed a SQPC scheme of size relationship which requires a pre-shared key; and by employing d-dimensional single-particle states, Geng et al. [55] put forward a SQPC protocol of size relationship with a pre-shared key, where TP has no knowledge about the final comparison results; and in the year of 2023, Ye and Lian [56] put forward the first multi-party semiquantum private comparison (MSQPC) protocol of size relationship with d-dimensional single-particle states. Compared to SQPC schemes, SQS protocols [46, 57, 58] have been few up to now. More seriously, there is no SQS scheme which can implement the modulo d addition of secret integers from more than three semiquantum participants within one round implementation.

According to the foregoing discussion, in this paper, we utilize d-dimensional single-particle states to design three semiquantum cryptography protocols, i.e., the MSQPC protocol, the multi-party semiquantum multiplication (MSQM) protocol and the multi-party semiquantum summation (MSQS) protocol. Note that only under the assistance of two semi-honest quantum third parties (TPs) can the goals of the three proposed protocols be achieved, where the semi-honest TPs are permitted to try their best to eavesdrop secret integers of semiquantum participants but cannot collude with anyone else. The proposed MSQPC protocol is the only MSQPC protocol which can implement the comparison of size relationship of more than two semiquantum participants’ private inputs within one execution of protocol, with no requirement of a pre-shared key. The proposed MSQM protocol is the first scheme absorbing the innovative concept of semiquantumness into quantum multiplication, which is devoted to computing the modulo d multiplication of secret integers from more than two semiquantum users within one round implementation. Note that within a d-dimensional quantum system, semiquantum users are typically constrained to the following operations: (a) measuring the qudits in the Z basis \(\{ \vert 0 \rangle , \vert 1 \rangle , \ldots , \vert d - 1 \rangle \}\); (b) preparing the fresh qudits in the Z basis; (c) transmitting or reflecting the qudits without disturbance; and (d) recordering the qudits via various delay lines. As for the proposed MSQS protocol, it is also the pioneer scheme of SQS, aiming to compute the modulo d addition of private integers from more than three semiquantum users within one execution of protocol. Neither quantum entanglement swapping nor unitary operations are required in the three proposed protocols. Besides, the usage of quantum resources for the three proposed schemes is identical, as the only section where quantum resources are utilized is in Sect. 2.1 during the key-sharing process.

In a d-dimensional Hilbert space, two common conjugate bases can be described as

and

Here, F is the d-dimensional discrete quantum Fourier transform, \(F \vert t \rangle = \frac{1}{\sqrt{d}} \sum_{\delta = 0}^{d - 1} e^{\frac{2\pi i\delta t}{d}} \vert \delta \rangle \) and \(t = 0,1, \ldots ,d - 1\).

There are N semiquantum users, \(P_{1},P_{2}, \ldots ,P_{N}\), and two quantum TPs, \(TP_{1}\) and \(TP_{2}\), where the TPs are required to have complete quantum capabilities, while \(P_{1},P_{2}, \ldots ,P_{N}\) are merely asked to possess restricted quantum abilities. It is worth noting that both \(TP_{1}\) and \(TP_{2}\) are semi-honest, which means that they can launch all possible attacks to steal private inputs of N semiquantum users except colluding with anyone else. Assume that \(P_{n}\) possesses a L-length secret integer string \(p_{n} = \{ p_{n}^{1},p_{n}^{2}, \ldots ,p_{n}^{L}\}\), where \(P_{n}\) denotes the nth semiquantum participant, \(p_{n}^{i}\) denotes the ith private integer of nth semiquantum participant, \(p_{n}^{i} \in \{ 0,1, \ldots ,d - 1\} \), \(n = 1,2, \ldots ,N\) and \(i = 1,2, \ldots ,L\). The quantum channels are assumed to be ideal, and the classical channels are assumed to be authenticated.

This paper proposes a hybrid protocol which initially designs a semiquantum key distribution (SQKD) scheme based on d-dimensional single particles in Sect. 2.1, followed by the use of traditional mathematical methods to achieve multi-party private comparison, multiplication, and summation in Sect. 2.2, Sect. 2.3 and Sect. 2.4, respectively. The term “hybrid” means that the proposed multi-party semiquantum private comparison scheme, the proposed multi-party semiquantum multiplication scheme and the proposed multi-party semiquantum summation scheme share the SQKD scheme based on d-dimensional single-particle states together. The SQKD scheme based on d-dimensional single particles aims to create a semiquantum private key between \(P_{n}\) and \(TP_{1}\) and a semiquantum private key between \(P_{n}\) and \(TP_{2}\) by using d-dimensional single particles.

To make it much easier to understand the process of the proposed hybrid protocols, we create a concise flowchart, depicted in Fig. 1.

The flow chart for the proposed hybrid protocols

Full size image

2.1 Common procedures of protocols

Step 1: \(TP_{1}\) prepares \(N\ d\)-dimensional single-particle state sequences \(S_{1},S_{2}, \ldots ,S_{N}\) whose particles are randomly picked out from two sets \(T_{1}\) and \(T_{2}\) but excluding \(\vert 0 \rangle \). Note that for the successful implementation of the three proposed protocols, the minimum number of particles in \(S_{n}\) should be 8L. Here, let \(S_{n} = \{ S_{n}^{1},S_{n}^{2}, \ldots ,S_{n}^{8L}\}\) for \(n = 1,2, \ldots ,N\), where \(S_{n}^{l}\) denotes the lth particle of \(S_{n}\) and \(l = 1,2, \ldots ,8L\). Furthermore, \(TP_{1}\) sends \(S_{n}\) to \(P_{n}\) through a quantum channel. Note that except the first particle, \(TP_{1}\) sends out the next particle of \(S_{n}\) to \(P_{n}\) only after receiving the previous one from \(P_{n}\).

Step 2: \(P_{n}\) randomly enters into the REFLECT mode or the MEASURE mode after gaining the lth particle from \(TP_{1}\). Here, the REFLECT mode means to reflect the received particle back without any disturbance, while the MEASURE mode implies to measure the received particle with the \(T_{1}\) basis, record the measurement result, prepare the fresh quantum state as found and return the fresh particle back to the sender. The new sequence after \(P_{n}\) performs her operations on \(S_{n}\) is represented by \(S_{n}'\).

Step 3: After receiving all particles of \(S_{n}'\) from \(P_{n}\), \(TP_{1}\) announces \(P_{n}\) the positions where the particles were produced within the \(T_{1}\) basis, and \(P_{n}\) publishes \(TP_{1}\) her specific operation modes on the particles of \(S_{n}\). Based on the announced information, \(TP_{1}\) implements the corresponding operations as shown in Table 1.

Case 1: \(P_{n}\) has applied the REFLECT mode to the received particle prepared within the \(T_{1}\) basis. After measuring \(S_{n}^{l'}\) with the \(T_{1}\) basis, \(TP_{1}\) compares her measurement result with the corresponding initially prepared state to determine whether there is an eavesdropper or not, where \(l \in \{ 1,2, \ldots ,8L\}\). If there is no eavesdropper, this protocol will be proceeded;

Case 2: \(P_{n}\) has applied the REFLECT mode to the received particle prepared within the \(T_{2}\) basis. After measuring \(S_{n}^{l'}\) with the \(T_{2}\) basis, \(TP_{1}\) compares her measurement result with the corresponding initially prepared state to judge whether there is a stealer or not, where \(l \in \{ 1,2, \ldots ,8L\}\). If there is no stealer, this protocol will be proceeded;

Case 3: \(P_{n}\) has applied the MEASURE mode to the received particle prepared within the \(T_{2}\) basis and \(TP_{1}\) takes no action. It is noteworthy that this Case is ignored;

Case 4: \(P_{n}\) has applied the MEASURE mode to the received particle prepared within the \(T_{1}\) basis. \(TP_{1}\) measures \(S_{n}^{l'}\) with the \(T_{1}\) basis. \(TP_{1}\) randomly picks out half particles belonging to this Case in her hand. Then, \(TP_{1}\) announces \(P_{n}\) the selected positions, and then \(P_{n}\) publishes \(TP_{1}\) her measurement results on the corresponding positions. Afterward, \(TP_{1}\) can know whether there is an eavesdropping behavior or not by comparing her measurement results, the corresponding initially prepared states and the measurement results published by \(P_{n}\). If there is no eavesdropping behavior, this protocol will be proceeded.

Step 4: \(TP_{1}\) counts the number of remaining particles in Case 4. If this quantity is less than L, the communication will be suspended and restarted from Step 1. Then, \(P_{n}\) and \(TP_{1}\) select the first L particles from the remaining particles in Case 4 and record the corresponding measurement results as \(x_{n} = \{ x_{n}^{1},x_{n}^{2}, \ldots ,x_{n}^{L}\}\), where \(x_{n}^{i} \in \{ 1,2, \ldots ,d - 1\}\), \(n = 1,2, \ldots ,N\) and \(i = 1,2, \ldots ,L\).

Step 5: \(TP_{2}\) executes the same procedures as \(TP_{1}\) in Steps (1)–(4), in order to make \(TP_{2}\) and \(P_{n}\) also share a L-length secret sequence represented by \(y_{n} = \{ y_{n}^{1},y_{n}^{2}, \ldots ,y_{n}^{L}\}\), where \(y_{n}^{i} \in \{ 1,2, \ldots ,d - 1\}\), \(i = 1,2, \ldots ,L\) and \(n = 1,2, \ldots ,N\).

Additionally, it is important to clarify why the minimum particle number in \(S_{n}\) should be 8L. In Case 4, the number of particles used for privacy comparison should be L, consequently requiring the number of particles for eavesdropping detection greater than or equal to L. This suggests that the particle number in Case 4 should be greater than or equal to 2L. Given that the particles in \(S_{n}\) are distributed in the four Cases with equal probabilities, the quantity of particles in \(S_{n}\) should be greater than or equal to 8L.

2.2 Protocol for multi-party semiquantum private comparison

It is necessary to highlight that the value range of \(p_{n}^{i}\) needs to be reset, i.e., \(p_{n}^{i} \in \{ 0,1, \ldots ,h\}\), where \(h = \lfloor \frac{d - 1}{2} \rfloor \) and the symbol ⌊⌋ denotes the floor operation. For instance, if \(d = 12\), then \(h = \lfloor \frac{12 - 1}{2} \rfloor = \lfloor 5.5 \rfloor = 5\).

Step 6′: After performing Steps (1)–(5) of Sect. 2.1, \(P_{n}\) calculates

where the symbol ⊕ represents the modulo d addition, \(n = 1,2, \ldots ,N\) and \(i = 1,2, \ldots ,L\). Then, \(P_{n}\) sends \(c_{n}^{i}\) to \(TP_{1}\) through an authenticated classical channel. Furthermore, \(TP_{2}\) computes

and sends \(\chi _{n'n}^{i}\) to \(TP_{1}\) through an authenticated classical channel, where the symbol ⊝ denotes the modulo d subtraction, \(i = 1,2, \ldots ,L\), \(n = 1,2, \ldots ,N\), \(n' = 2,3, \ldots ,N\) and \(n' > n\).

Step 7′: After obtaining \(\chi _{n'n}^{i}\) from \(TP_{2}\), \(TP_{1}\) calculates

and

where \(i = 1,2, \ldots ,L\), \(n = 1,2, \ldots ,N\), \(n' = 2,3, \ldots ,N\) and \(n < n'\).

Furthermore, \(TP_{1}\) makes

Here, \(\gamma ( R_{nn'}^{i} ) = - 1\) means \(p_{n}^{i} < p_{n'}^{i}\); \(\gamma ( R_{nn'}^{i} ) = 1\) means \(p_{n}^{i} > p_{n'}^{i}\); and \(\gamma ( R_{nn'}^{i} ) = 0\) means \(p_{n}^{i} = p_{n'}^{i}\). Finally, \(TP_{1}\) publishes the comparison results to \(P_{1},P_{2}, \ldots ,P_{N}\).

2.3 Protocol for multi-party semiquantum multiplication

Step 6″: After executing Steps (1)–(5) of Sect. 2.1, \(P_{n}\) calculates

where \(n = 1,2, \ldots ,N\) and \(i = 1,2, \ldots ,L\). Then, \(P_{n}\) sends \(g_{n} = \{ g_{n}^{1},g_{n}^{2}, \ldots ,g_{n}^{L}\}\) to \(TP_{1}\) via an authenticated classical channel. Furthermore, \(TP_{2}\) calculates

for \(i = 1,2, \ldots ,L\) and sends the sequence \(\beta = \{ \beta _{1},\beta _{2}, \ldots ,\beta _{L}\}\) to \(TP_{1}\) through an authenticated classical channel.

Step 7″: After obtaining \(g_{n}\) for \(n = 1,2, \ldots ,N\) and the sequence β, \(TP_{1}\) calculates

and

for \(i = 1,2, \ldots ,L\). Finally, \(TP_{1}\) announces \(P_{1},P_{2}, \ldots ,P_{N}\) the multiplication result sequence \(M = \{ M_{1},M_{2}, \ldots M_{L}\}\), where \(M_{i}\) denotes the modulo d multiplication of \(p_{1}^{i},p_{2}^{i}, \ldots ,p_{N}^{i}\).

2.4 Protocol for multi-party semiquantum summation

Step 6‴: After implementing Steps (1)–(5) of Sect. 2.1, \(P_{n}\) calculates

where \(n = 1,2, \ldots ,N\) and \(i = 1,2, \ldots ,L\). Then, \(P_{n}\) sends \(\mu _{n} = \{ \mu _{n}^{1},\mu _{n}^{2}, \ldots ,\mu _{n}^{L}\}\) to \(TP_{1}\) via an authenticated classical channel. Moreover, \(TP_{2}\) computes

for \(i = 1,2, \ldots ,L\) and sends the sequence \(\nu = \{ v_{1},v_{2}, \ldots ,v_{L}\}\) to \(TP_{1}\) through an authenticated classical channel.

Step 7‴: After obtaining \(\mu _{n}\) for \(n = 1,2, \ldots ,N\) and the sequence ν, \(TP_{1}\) calculates

and

for \(i = 1,2, \ldots ,L\). Finally, \(TP_{1}\) calculates

for \(i = 1,2, \ldots ,L\) and publishes the final summation result sequence \(\mathit{sum} = \{ \mathit{sum}_{1},\mathit{sum}_{2}, \ldots , \mathit{sum}_{L}\}\) to \(P_{1},P_{2}, \ldots ,P_{n}\), where \(\mathit{sum}_{i}\) represents the modulo d addition of \(p_{1}^{i},p_{2}^{i}, \ldots ,p_{N}^{i}\).

3.1 Correctness analysis of the proposed MSQPC protocol

3.1.1 Output correctness

By combining Eq. (3) with Eq. (5), we infer that

After inserting Eq. (17) and Eq. (4) into Eq. (6), we acquire that

In the light of Eq. (18) and Eq. (7), it can be concluded that when \(h < p_{n}^{i}\circleddash p_{n'}^{i} \le 2h\), i.e., \(\gamma (R_{nn'}^{i}) = - 1\), we get \(p_{n}^{i} < p_{n'}^{i}\); when \(p_{n}^{i}\circleddash p_{n'}^{i} = 0\), i.e., \(\gamma (R_{nn'}^{i}) = 0\), we have \(p_{n}^{i} = p_{n'}^{i}\); when \(0 < p_{n}^{i}\circleddash p_{n'}^{i} \le h\), i.e., \(\gamma (R_{nn'}^{i}) = 1\), we acquire \(p_{n}^{i} > p_{n'}^{i}\). Here, \(i = 1,2, \ldots ,L\), \(n = 1,2, \ldots ,N\), \(n' = 2,3, \ldots ,N\) and \(n < n'\). Thus, it can be concluded that the accuracy of comparison results of the proposed MSQPC protocol can be ensured.

3.1.2 Example

For the sake of further supporting the foregoing analysis of output correctness of the presented MSQPC protocol, a specific example is given in detail. Suppose that \(P_{1}\), \(P_{2}\), \(P_{3}\), \(P_{4}\) are four semiquantum participants whose first private inputs are \(p_{1}^{1} = 0\), \(p_{2}^{1} = 6\), \(p_{3}^{1} = 4\), \(p_{4}^{1} = 8\), respectively in a 17-dimensional quantum system; after measuring the qudits prepared by \(TP_{1}\), \(P_{1}\), \(P_{2}\), \(P_{3}\), \(P_{4}\) obtain \(x_{1}^{1} = 2\), \(x_{2}^{1} = 14\), \(x_{3}^{1} = 1\), \(x_{4}^{1} = 16\), respectively; and after measuring the qudits prepared by \(TP_{2}\), \(P_{1}\), \(P_{2}\), \(P_{3}\), \(P_{4}\) acquire \(y_{1}^{1} = 6\), \(y_{2}^{1} = 4\), \(y_{3}^{1} = 12\), \(y_{4}^{1} = 1\),respectively. By virtue of Eq. (3), \(P_{1}\), \(P_{2}\), \(P_{3}\), \(P_{4}\) compute \(c_{1}^{1} = 0 \oplus 2 \oplus 6 = 8\), \(c_{2}^{1} = 6 \oplus 14 \oplus 4 = 7\), \(c_{3}^{1} = 4 \oplus 1 \oplus 12 = 0\) and \(c_{4}^{1} = 8 \oplus 16 \oplus 1 = 8\), respectively. Furthermore, \(TP_{2}\) gets \(\chi _{21}^{1} = 4\circleddash 6 = 15\), \(\chi _{31}^{1} = 12\circleddash 6 = 6\), \(\chi _{41}^{1} = 1\circleddash 6 = 12\), \(\chi _{32}^{1} = 12\circleddash 4 = 8\), \(\chi _{42}^{1} = 1\circleddash 4 = 14\) and \(\chi _{43}^{1} = 1\circleddash 12 = 6\) in accordance with Eq. (4).

After receiving the classical information sent out by \(P_{1}\), \(P_{2}\), \(P_{3}\), \(P_{4}\) and \(TP_{2}\), \(TP_{1}\) gets \(m_{1}^{1} = 8\circleddash 2 = 6\), \(m_{2}^{1} = 7\circleddash 14 = 10\), \(m_{3}^{1} = 0\circleddash 1 = 16\) and \(m_{4}^{1} = 8\circleddash 16 = 9\) based on Eq. (5). Then, \(TP_{1}\) calculates \(R_{12}^{1} = 6\circleddash 10 \oplus 15 = 11\), \(R_{13}^{1} = 6\circleddash 16 \oplus 6 = 13\), \(R_{14}^{1} = 6\circleddash 9 \oplus 12 = 9\), \(R_{23}^{1} = 10\circleddash 16 \oplus 8 = 2\), \(R_{24}^{1} = 10\circleddash 9 \oplus 14 = 15\) and \(R_{34}^{1} = 16\circleddash 9 \oplus 6 = 13\) by virtue of Eq. (6). Furthermore, according to Eq. (7), \(TP_{1}\) makes \(\gamma (R_{12}^{1}) = - 1\), \(\gamma (R_{13}^{1}) = - 1\), \(\gamma (R_{14}^{1}) = - 1\), \(\gamma (R_{23}^{1}) = 1\), \(\gamma (R_{24}^{1}) = - 1\) and \(\gamma (R_{34}^{1}) = - 1\). In other words, \(TP_{1}\) obtains \(p_{1}^{1} < p_{2}^{1}\), \(p_{1}^{1} < p_{3}^{1}\), \(p_{1}^{1} < p_{4}^{1}\), \(p_{2}^{1} > p_{3}^{1}\), \(p_{2}^{1} < p_{4}^{1}\) and \(p_{3}^{1} < p_{4}^{1}\), which means \(p_{1}^{1} < p_{3}^{1} < p_{2}^{1} < p_{4}^{1}\). Therefore, we can conclude that the comparison results of the proposed MSQPC protocol are right.

3.2 Correctness analysis of the proposed MSQM protocol

3.2.1 Output correctness

In the light of Eqs. (8)–(10), it can be deduced that

After inserting Eq. (19) into Eq. (11), it has

for \(i = 1,2, \ldots ,L\), which validates that the output correctness of multiplication results in the proposed MSQM protocol.

3.2.2 Example

Here, a numerical example is given to further demonstrate that the output of the proposed MSQM is accurate. Assume that the first private integer of four semiquantum users \(P_{1}\), \(P_{2}\), \(P_{3}\), \(P_{4}\) are \(p_{1}^{1} = 3\), \(p_{2}^{1} = 7\), \(p_{3}^{1} = 1\) and \(p_{4}^{1} = 6\),respectively in a 10-dimensional quantum system; and by measuring the corresponding single photons prepared by \(TP_{1}\) and \(TP_{2}\), \(P_{1}\) obtains \(x_{1}^{1} = 2\), \(y_{1}^{1} = 9\), \(P_{2}\) gets \(x_{2}^{1} = 5\), \(y_{2}^{1} = 4\), \(P_{3}\) acquires \(x_{3}^{1} = 7\), \(y_{3}^{1} = 1\) and \(P_{4}\) gains \(x_{4}^{1} = 3\), \(y_{4}^{1} = 2\). Then, according to Eq. (8), \(P_{1}\), \(P_{2}\), \(P_{3}\), \(P_{4}\) calculate \(g_{1}^{1} = 3 \times 2 \times 9 = 54\), \(g_{2}^{1} = 7 \times 5 \times 4 = 140\), \(g_{3}^{1} = 1 \times 7 \times 1 = 7\) and \(g_{4}^{1} = 6 \times 3 \times 2 = 36\),respectively, and sends them to \(TP_{1}\). Furthermore, in accordance with Eq. (9), \(TP_{2}\) calculates \(\beta _{1} = 9 \times 4 \times 1 \times 2 = 72\) and sends it to \(TP_{1}\).

Afterward, \(TP_{1}\) computes \(\alpha _{1} = 2 \times 5 \times 7 \times 3 = 210\) according to Eq. (10) and figures up \(M_{1} = \frac{54 \times 140 \times 7 \times 36}{210 \times 72}\bmod 10 = 6\) by virtue of Eq. (11), which represents that the output accuracy of the proposed MSQM protocol can be assured.

3.3 Correctness analysis of the proposed MSQS protocol

3.3.1 Output correctness

By substituting Eq. (12) into Eq. (15), it can be shown that

Furthermore, inserting Eq. (21), Eq. (13) and Eq. (14) into Eq. (16) generates

for \(i = 1,2, \ldots ,L\), which means that the summation results of the proposed MSQS protocol are reliable.

3.3.2 Example

In this section, we give a specific example to further prove that the summation result of the proposed MSQS protocol is correct. It is assumed that semiquantum subscribers \(P_{1}\), \(P_{2}\), \(P_{3}\), \(P_{4}\) possess their own private inputs \(p_{1}^{1} = 0\), \(p_{2}^{1} = 11\), \(p_{3}^{1} = 3\) and \(p_{4}^{1} = 6\), respectively in a 12-dimensional quantum system. After \(P_{1}\), \(P_{2}\), \(P_{3}\), \(P_{4}\) measure the single photons produced by \(TP_{1}\) and \(TP_{2}\), respectively, it can be obtained that \(x_{1}^{1} = 8\), \(y_{1}^{1} = 2\), \(x_{2}^{1} = 4\), \(y_{2}^{1} = 1\), \(x_{3}^{1} = 7\), \(y_{3}^{1} = 11\), \(x_{4}^{1} = 1\) and \(y_{4}^{1} = 6\). Then, in accordance with Eq. (12), \(P_{1}\), \(P_{2}\), \(P_{3}\), \(P_{4}\) compute \(\mu _{1}^{1} = 0 \oplus 8 \oplus 2 = 10\), \(\mu _{2}^{1} = 11 \oplus 4 \oplus 1 = 4\), \(\mu _{3}^{1} = 3 \oplus 7 \oplus 11 = 9\) and \(\mu _{4}^{1} = 6 \oplus 1 \oplus 6 = 1\), respectively. Furthermore, \(TP_{2}\) transmits \(v_{1} = (12 - 2) \oplus (12 - 1) \oplus (12 - 11) \oplus (12 - 6) = 4\) to \(TP_{1}\) in accordance with Eq. (13).

After receiving \(\mu _{1}^{1}\), \(\mu _{2}^{1}\), \(\mu _{3}^{1}\), \(\mu _{4}^{1}\) and \(v_{1}\), by virtue of Eq. (14) and Eq. (15), \(TP_{1}\) calculates \(\sigma _{1} = (12 - 8) \oplus (12 - 4) \oplus (12 - 7) \oplus (12 - 1) = 4\) and \(\theta _{1} = 10 \oplus 4 \oplus 9 \oplus 1 = 0\). As a result, based on Eq. (16), \(TP_{1}\) acquires \(\mathit{sum}_{1} = 4 \oplus 4 \oplus 0 = 8\), which confirms that the output correctness of the proposed MSQS protocol.

To further demonstrate the output correctness of three proposed protocols, we conduct the simulation experiment by utilizing IBM’s Qiskit without considering the eavesdropping check processes. The three proposed protocols only utilize d-dimensional single-particle states as quantum resources and perform d-dimensional single-particle measurements, which suggests that only when the quantum measurement results on single photons are accurate can the output correctness of protocols be guaranteed. It is easy to construct the quantum measurement circuit for single photon. In the following, we will simulate out the measurement outcomes of four single photons, considering a quantum system with a level of 8. The simulated quantum measurement circuits for \(\vert 6 \rangle , \vert 7 \rangle ,F \vert 6 \rangle\) and \(F \vert 7 \rangle \) are shown in Figs. 2-5, respectively. Here, \(F\left| 6 \right\rangle = \frac{1}{\sqrt {8}}\sum_{\delta = 0}^{7} {e^{\frac{3\pi \delta i}{2}}} \left| \delta \right\rangle \) and \(F\left| 7 \right\rangle = \frac{1}{\sqrt {8}}\sum_{\delta = 0}^{7} {e^{\frac{7\pi \delta i}{4}}} \left| \delta \right\rangle \) . Obviously, for any \(\delta = 0,1, \ldots ,7\), we have \(\left| e^{\frac{{3\pi \delta i}}{2}} \right|^{2} = \left| e^{\frac{{7\pi \delta i}}{4}} \right|^{2} = 1\). Therefore, for simplicity, we disregard the specific phase values \({e^{i \times \frac{{3\pi \delta }}{2}}}\) and \({e^{i \times \frac{{7\pi \delta }}{4}}}\) in Figs. 4(a) and Figs. 5(a), respectively, as they have no impact on the corresponding measurement results. Note that 100,000 simulation experiments are conducted for each single photon.

(a) Quantum circuit of the single-particle state \(\vert 6 \rangle \) (b) The simulation results of (a)

Full size image

(a) Quantum circuit of the single-particle state \(\vert 7 \rangle \) (b) The simulation results of (a)

Full size image

(a) Quantum circuit of the single-particle state \(F \vert 6 \rangle \) (b) The simulation results of (a)

Full size image

(a) Quantum circuit of the single-particle state \(F \vert 7 \rangle \) (b) The simulation results of (a)

Full size image

Based on Figs. 2-5, it can be concluded that the measurement outcomes on single photons are entirely accurate. This implies that the output correctness of three proposed protocols can be guaranteed, as they only necessitate the d-dimensional single-particle measurements.

5.1 Outside attacks

To steal the confidential integer sequence \(p_{n}\), an outside eavesdropper, Eve, may launch seven types of attacks during Steps (1)–(5), i.e., the intercept-resend attack, the measure-resend attack, the entangle-measure attack, the double controlled-not (CNOT) attacks, the Trojan horse attacks, the collective attack and the coherent attack. Note that either in the quantum channel between \(TP_{1}\) and \(P_{n}\) or between \(TP_{2}\) and \(P_{n}\), Eve always acts equally. Consequently, we only discuss the security of the quantum channel between \(TP_{1}\) and \(P_{n}\).

1. (1)

   The intercept-resend attack

Eve intercepts the particle of \(S_{n}\) from \(TP_{1}\) to \(P_{n}\) and sends \(P_{n}\) the fake one she has already produced in the \(T_{1}\) basis in Step 1; after \(P_{n}\) implements her operation on the fake particle, Eve intercepts the corresponding particle of \(S_{n}'\) from \(P_{n}\) to \(TP_{1}\) and transmits \(TP_{1}\) the intercepted genuine one of \(S_{n}\) in Step 2. When the intercepted genuine particle is prepared in the \(T_{2}\) basis, no matter what mode \(P_{n}\) has entered into, the existence of Eve cannot be discovered either in Case 2 or Case 3 of Step 3. Considering that the intercepted genuine particle is produced in the \(T_{1}\) basis, if \(P_{n}\) has entered into the REFLECT mode, the eavesdropping behavior of Eve cannot be detected in Case 1 of Step 3; if \(P_{n}\) has entered into the MEASURE mode, the probability that the intercepted particle is chosen for eavesdropping detection is \(\frac{1}{2}\), and the probability that \(P_{n}\)’s measurement result on the fake particle is not same to the corresponding initial prepared state and \(TP_{1}\)’s measurement result on the intercepted genuine particle of \(S_{n}\) is \(\frac{d - 2}{d - 1}\), so the existence of Eve can be discovered with the probability of \(\frac{d - 2}{2d - 2}\) in Case 4 of Step 3, which validates that Eve’s eavesdropping behavior on one of the particles transmitted between \(TP_{1}\) and \(P_{n}\) cannot be detected with the probability of \(\frac{d}{2d - 2}\). Consequently, the probability that Eve’s this intercept-resend attack on the 8L particles of \(S_{n}\) can be discovered is \(1 - (\frac{d}{2d - 2})^{8L}\), which will approach to 1 if L is large enough.

1. (2)

   The measure-resend attack

In Step 1, Eve intercepts the particle of \(S_{n}\) from \(TP_{1}\) to \(P_{n}\), utilizes the \(T_{1}\) basis to measure it and transmits the resulted state to \(P_{n}\). When the intercepted particle is in the \(T_{1}\) basis, the presence of Eve cannot be detected either in Case 1 or Case 4 of Step 3, no matter what mode \(P_{n}\) has entered into. Considering that the intercepted particle is in the \(T_{2}\) basis, when \(P_{n}\) has entered into the MEASURE mode, the eavesdropping behavior of Eve cannot be discovered in Case 3 of Step 3, as the intercepted particle is not chosen for security check; when \(P_{n}\) has entered into the REFLECT mode, the presence of Eve will be detected undoubtedly in Case 2 of Step 3, as Eve’s measurement destroys the quantum superposition state of the intercepted particle.

1. (3)

   The entangle-measure attack

As shown in Fig. 6, Eve launches her entangle-measure attack on the transmitted particle by employing two unitary operations \(U_{E}\) and \(U_{F}\), where \(U_{E}\) is imposed on the particle of \(S_{n}\) from \(TP_{1}\) to \(P_{n}\) in Step 1 and \(U_{F}\) is performed on the particle of \(S_{n}'\) from \(P_{n}\) to \(TP_{1}\) in Step 2. As illustrated in Refs.[41, 42], \(U_{E}\) and \(U_{F}\) share a common probe space with the auxiliary state \(\vert \Omega \rangle \), where Eve is permitted by the shared probe to launch the attack on the particle of \(S_{n}'\) on the basis of the knowledge gained from \(U_{E}\).

Eve’s entangle-measure attack with \(U_{E}\) and \(U_{F}\)

Full size image

Theorem 1

Suppose that Eve implements \(U_{E}\) on the qudit from \(TP_{1}\) to \(P_{n}\) in Step 1 and imposes \(U_{F}\) on the qudit from \(P_{n}\) to \(TP_{1}\) in Step 2. For introducing no error in Step 3, the final state of Eve’s probe should be independent of not only the operations of \(P_{n}\) and \(TP_{1}\), but also their measurement results. Consequently, Eve fails to acquire knowledge about \(x_{n}\).

Proof

For convenience, we utilize \(\vert t \rangle \) and \(\vert G_{t} \rangle \) to denote the \(T_{1}\) basis and the \(T_{2}\) basis, respectively, where \(\vert G_{t} \rangle = F \vert t \rangle = \frac{1}{\sqrt{d}} \sum_{\delta = 0}^{d - 1} e^{\frac{2\pi i\delta t}{d}} \vert \delta \rangle \) and \(t = 0,1, \ldots ,d - 1\).

(i) Consider the situation that the particle attacked by Eve in Step 1 is prepared in the \(T_{1}\) basis.

In the light of Ref.[55], the effect of \(U_{E}\) on the particle and Eve’s probe can be described as

where the probe \(\vert \omega _{tt'} \rangle \) are decided by \(U_{E}\), \(\sum_{t' = 0}^{d - 1} \vert \lambda _{tt'} \vert ^{2} = 1\) and \(t = 0,1, \ldots ,d - 1\).

When \(P_{n}\) intends to enter into the MEASURE mode, in order to get rid of the eavesdropping check in Case 4, Eve should make \(P_{n}\)’s measurement result on the attacked particle be the same to the corresponding initial prepared state. Hence, it can be deduced that

for \(t \ne t'\). After \(P_{n}\) performed the MEASURE mode, the global state of composite system was collapsed into \(\lambda _{tt} \vert t \rangle \vert \omega _{tt} \rangle \) in accordance with Eq. (23) and Eq. (24). In order to escape the security check in Case 4, Eve should make \(P_{n}\)’s measurement result on the attacked particle of \(S_{n}\) be the same to \(TP_{1}\)’s measurement result on the corresponding particle of \(S_{n}'\). Thus, the whole quantum system after being applied with \(U_{F}\) should be

which means that \(U_{F}\) is not allowed to alter the quantum state of \(S_{n}'\).

When \(P_{n}\) has chosen the REFLECT mode, by virtue of Eqs. (23)–(25), the whole quantum system after being applied with \(U_{F}\) should be

which means that \(TP_{1}\)’s measurement result on the particle of \(S_{n}'\) is naturally same to the corresponding initial prepared state. As a result, as long as Eqs. (24), (25) are established, the eavesdropping behavior of Eve cannot be discovered in Case 1 of Step 3.

(ii) Consider the situation that the attacked particle is prepared in the \(T_{2}\) basis. Combining Eq. (23) and Eq. (24), we obtain

When \(U_{E}\) is implemented on the particle prepared in the \(T_{2}\) basis and Eve’s probe, the global composite system should be

On the basis of Eq. (27) and Eq. (28), it can be derived that

When \(P_{n}\) has chosen the MEASURE mode, the trace of Eve will never be discovered in Case 3 of Step 3, as there is no eavesdropping detection in this Case. When \(P_{n}\) has chosen the REFLECT mode, based on Eq. (25) and Eq. (29), the whole quantum system after being applied with \(U_{F}\) should be

In the light of the inverse quantum Fourier transform, it can be deduced that

where \(\delta = 0,1, \ldots ,d - 1\). Inserting Eq. (31) into Eq. (30) generates

In order to escape the security check in Case 2 of Step 3, Eve should make \(TP_{1}\)’s measurement result on the particle of \(S_{n}'\) be the same to the corresponding initial prepared state. Hence, in accordance with Eq. (32), it can be deduced that

for \(t \ne j\), where \(t,j = 0,1, \ldots ,d - 1\). Obviously, for any \(t \ne j\), we obtain

Combining Eq. (33) and Eq. (34), it can be derived that

(iii) Inserting Eq. (35) into Eq. (25) produces

which means that Eve cannot extract any knowledge about \(x_{n}^{i}\), under the condition that the attacked particle is prepared in the \(T_{1}\) basis and \(P_{n}\) enters into the MEASURE mode. Then, inserting Eq. (35) into Eq. (26) produces

which means that Eve cannot obtain \(x_{n}^{i}\), under the condition that the attacked particle is prepared in the \(T_{1}\) basis and \(P_{n}\) enters into the REFLECT mode. Furthermore, inserting Eq. (35) into Eq. (32) produces

which means that Eve has no knowledge about \(x_{n}^{i}\), under the condition that the attacked particle is prepared in the \(T_{2}\) basis and \(P_{n}\) enters into the REFLECT mode.

By virtue of Eqs. (36)–(38), it can be concluded that when Eve implements \(U_{E}\) on the qudit from \(TP_{1}\) to \(P_{n}\) in Step 1 and imposes \(U_{F}\) on the qudit from \(P_{n}\) to \(TP_{1}\) in Step 2. For introducing no error in Step 3, the final state of Eve’s probe should be independent of not only the operations of \(P_{n}\) and \(TP_{1}\), but also their measurement results. Consequently, Eve fails to acquire knowledge about \(x_{n}\). □

1. (4)

   The double CNOT attacks

In accordance with Ref. [49], Eve initiates the first CNOT attack in Step 1, employing the particle of \(S_{n}\) and her ancillary particle as the control qudit and the target qudit, respectively. Subsequently, Eve proceeds with the second CNOT operation on the particle of \(S_{n}'\) as the control qudit and her auxiliary particle as the target qudit in Step 2, with the aim of extracting the information about \(P_{n}\)’s operation from her auxiliary particle. For convenience, we adopt \(\vert t \rangle \) and \(\vert G_{t} \rangle \) to represent the \(T_{1}\) basis and the \(T_{2}\) basis, respectively, where \(\vert G_{t} \rangle = F \vert t \rangle = \frac{1}{\sqrt{d}} \sum_{\delta = 0}^{d - 1} e^{\frac{2\pi i\delta t}{d}} \vert \delta \rangle \) and \(t = 0,1, \ldots ,d - 1\). In a d-level quantum system, the CNOT operation can be described as

where the symbol ⊕ denotes the modulo d addition.

(i) Consider the scenario where the initial particle of \(S_{n}\) is prepared in the \(T_{1}\) basis. After Eve performs the first CNOT attack \(U_{CT(d)}\) on the single photon \(\vert t \rangle _{S}\) and her ancillary qudit \(\vert \varepsilon \rangle _{E}\) in Step 1, the global state of the composite system is evolved into

for \(t = 0,1, \ldots ,d - 1\), where ε is a constant that can take any value from 0 to \(d - 1\). Afterward, \(P_{n}\) executes the REFLECT mode or the MEASURE mode on the received particle. It is worth noting that regardless of the mode \(P_{n}\) has chosen, the new quantum system after undergoing the second CNOT attack launched by Eve in Step 2 will collapse into

Based on Eq. (40) and Eq. (41), it can be understood that \(TP_{1}\)’s measurement result on the particle of \(S_{n}'\) is automatically identical to \(P_{n}\)’s measurement result on the particle of \(S_{n}\) and the initial prepared state of \(S_{n}\), which implies that Eve can evade the security check in both Case 1 and Case 4 of Step 3.

(ii) Consider the scenario where the initial prepared state of \(S_{n}\) is in the \(T_{2}\) basis. When the single particle \(\vert G{}_{t} \rangle _{S}\) and the auxiliary qudit \(\vert \varepsilon \rangle _{E}\) generated by Eve are subjected to the first CNOT operation \(U_{CT(d)}\) in Step 1, the composite system global state is evolved into

for \(t = 0,1, \ldots ,d - 1\), where ε is a constant that can take any value from 0 to \(d - 1\). After \(P_{n}\) has applied the REFLECT mode to the received particle, Eve launches the second CNOT operation in Step 2, which can be depicted as

in accordance with Eq. (39) and Eq. (42). In order to escape the eavesdropping detection in Case 2 of Step 3, Eve should make \(TP_{1}\)’s measurement result on the particle of \(S_{n}'\) be same to the initial produced particle state of \(S_{n}\), which means that the values of \(\delta \oplus \delta \) should consistently be a constant for \(\delta = 0,1, \ldots ,d - 1\) according to Eq. (43).

(iii) By consolidating the foregoing discussions, we can draw the following two judgements.

Firstly, considering that d is equal to 2. Then, regardless of whether \(t = 0\) or \(t = 1\), we can consistently deduce that the value of \(t \oplus t\) is equal to 0. Hence, Eq. (41) and Eq. (43) will transform into

and

respectively. On the basis of Eq. (44) and Eq. (45), we can infer that Eve’s attacks cannot be discovered in Step 3. Nevertheless, Eve still has no way to obtain the information about \(P_{n}\)’s operation, due to that her auxiliary particle \(\vert \varepsilon \rangle _{E}\) consistently stays unchanged. It can be concluded that if d is equal to 2, Eve will acquire nothing by performing the double CNOT operations on the particles transmitted in the quantum channel between \(TP_{1}\) and \(P_{n}\) in Step 1 and Step 2.

Secondly, considering that d is greater than 2. When δ takes all values from 0 to \(d - 1\), the corresponding d values of \(\delta \oplus \delta \) must not be a constant. Therefore, according to Eq. (43), \(TP_{1}\)’s measurement result on \(S_{n}'\) must not be same to the initial produced state, which implies that if d is greater than 2, Eve’s double CNOT attacks will inevitably be detected in Case 2 of Step 3.

(iv) Overall, by initiating the double CNOT attacks on the qudits transmitted between \(TP_{1}\) and \(P_{n}\) in Step 1 and Step 2, Eve fails to eavesdrop the information about \(P_{n}\)’s operation without being detected, not to mention the knowledge about \(x_{n}\).

1. (5)

   The Trojan horse attacks

As the particles of \(S_{n}\) travel from \(TP_{1}\) to \(P_{n}\) and back from \(P_{n}\) to \(TP_{1}\), we need to address two kinds of Trojan horse attacks launched by Eve: the delay-photon Trojan horse attack [59, 60] and the invisible photon eavesdropping attack [61]. Both these attacks involve stealing the information about \(P_{n}\)’s operation by inserting a tail-made photon produced by Eve into the one transmitted between \(TP_{1}\) and \(P_{n}\). To guarantee the security of the proposed protocols, \(P_{n}\) employs a photon beam splitter (PBS: 50/50) to divide each sample signal into two pieces and measure them, which can effectively resist the former type of attack. [60, 62] As for the latter type of attack, \(P_{n}\) utilizes a wavelength filter to process each signal before executing the operation. [60, 62]

1. (6)

   The collective and coherent attacks

The collective attack represents a class of attacks that exploit the vulnerabilities within a quantum communication system. The coherent attack denotes a type of attack that takes advantage of the coherence of quantum systems. According to Ref. [22], Eve generates an autonomous ancillary particle to communicate with each qudit and jointly performs the measurement operation on all the ancillary qudits, which can be seen as the collective attack. In the coherent attack, Eve produces an individual ancillary particle, intercepts the participant’s particle and conducts the measurement process within the computational basis \(\{ \vert 1 \rangle , \vert 2 \rangle , \ldots , \vert d - 1 \rangle \}\). Unfortunately, Eve’s trace will undoubtedly be discovered based on the deduction of Eqs. (23)–(45), indicating that she has no way to acquire \(p_{n}\).

5.2 Participant attacks

1. (1)

   The participant attack from one dishonest user

In the three proposed protocols, the semiquantum subscribers \(P_{1},P_{2}, \ldots ,P_{N}\) play the equal roles all the time. Without losing generality, it is assumed that \(P_{1}\) is the dishonest user who tries her best to steal the secret integers of the remaining \(N - 1\) participants.

Firstly, in Steps (1)–(5), to acquire \(x_{a} = \{ x_{a}^{1},x_{a}^{2}, \ldots ,x_{a}^{L}\}\) or \(y_{a} = \{ y_{a}^{1},y_{a}^{2}, \ldots ,y_{a}^{L}\}\), \(P_{1}\) may launch her attacks on the qudits between \(TP_{1}\) and \(P_{a}\) or between \(TP_{2}\) and \(P_{a}\), where \(a = 2,3, \ldots ,N\). Nevertheless, \(P_{1}\) is independent from \(P_{a}\), \(TP_{1}\) and \(TP_{2}\), which makes her play the role of an outside eavesdropper. Consequently, in the three proposed protocols, \(P_{1}\) has no information about \(x_{a}\) and \(y_{a}\) in accordance with Sect. 5.1.

Secondly, in Step 6′, \(P_{1}\) may hear of \(c_{a}^{i}\) sent out from \(P_{a}\) and \(\chi _{n'n}^{i}\) sent out from \(TP_{2}\), but she cannot acquire \(p_{a}^{i}\) according to Eq. (3) and Eq. (4), due to that she is unable to obtain \(x_{a}^{i}\) and \(y_{a}^{i}\) simultaneously. Then, in Step 7′, although \(P_{1}\) may hear of the final comparison results from \(TP_{1}\), she still cannot obtain \(p_{a}^{i}\).

Thirdly, in Step 6″, \(P_{1}\) may hear of \(g_{a}^{i}\) sent out from \(P_{a}\) and \(\beta _{i}\) sent out from \(TP_{2}\), but she has no way to infer out \(p_{a}^{i}\) in accordance with Eq. (8) and Eq. (9), because of being short of both \(x_{a}^{i}\) and \(y_{a}^{i}\). Besides, in Step 7″, \(P_{1}\) may hear of the final multiplication results from \(TP_{1}\), but she still has no chance to get \(p_{a}^{i}\).

Fourthly, in Step 6‴, \(P_{1}\) may hear of \(\mu _{a}^{i}\) sent out from \(P_{a}\) and \(\nu _{i}\) sent out from \(TP_{2}\), but she is unable to acquire \(p_{a}^{i}\) based on Eq. (12) and Eq. (13), due to lack of both \(x_{a}^{i}\) and \(y_{a}^{i}\). Furthermore, in Step 7‴, \(P_{1}\) may hear of the final summation results from \(TP_{1}\), but she still has no idea about \(p_{a}^{i}\).

In short, one dishonest user cannot acquire the private inputs of remaining \(N - 1\) users in the three proposed protocols.

1. (2)

   The participant attack from two or more dishonest users

Consider the worst situation that \(N - 1\) participants, \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\), conspire to steal the secret inputs of \(P_{b}\), where \(b \in \{ 2,3, \ldots ,N - 1\}\).

Firstly, in Steps (1)–(5), to acquire \(x_{b} = \{ x_{b}^{1},x_{b}^{2}, \ldots ,x_{b}^{L}\}\) or \(y_{b} = \{ y_{b}^{1},y_{b}^{2}, \ldots ,y_{b}^{L}\}\), \(P_{1},P_{2}, \ldots , P_{b - 1}, P_{b + 1}, \ldots ,P_{N}\) may launch their attacks on the qudits between \(TP_{1}\) and \(P_{b}\) or between \(TP_{2}\) and \(P_{b}\). Obviously, the union of \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\) is independent from \(P_{b}\), \(TP_{1}\) and \(TP_{2}\), making the union of \(N - 1\) participants play the role of an external attacker. As a result, \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\) has no way to get the knowledge about \(x_{b}\) or \(y_{b}\) according to Sect. 5.1.

Secondly, in Step 6′, \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\) may steal \(c_{b}^{i}\) sent out from \(P_{b}\) and \(\chi _{n'n}^{i}\) sent out from \(TP_{2}\), which means that \(y_{b}^{i}\) can be decoded out in the light of Eq. (4). Nevertheless, \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\) still cannot obtain \(p_{b}^{i}\) based on \(y_{b}^{i}\) and \(c_{b}^{i}\), because of being short of \(x_{b}^{i}\), according to Eq. (3). Then, in Step 7′, although \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\) may hear of the final comparison results from \(TP_{1}\), they still has no way to extract \(p_{b}^{i}\).

Thirdly, in Step 6″, \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\) may steal \(g_{b}^{i}\) sent out from \(P_{b}\) and \(\beta _{i}\) sent out from \(TP_{2}\), in which \(y_{b}^{i}\) can be derived out based on \(\beta _{i}\) and \(y_{1}^{i},y_{2}^{i}, \ldots ,y_{b - 1}^{i},y_{b + 1}^{i}, \ldots ,y_{N}^{i}\), according to Eq. (9). Unfortunately, \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\) has no chance to obtain \(p_{b}^{i}\) which is encrypted by \(x_{b}^{i}\) and \(y_{b}^{i}\), in accordance with Eq. (8). Furthermore, in Step 7″, \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\) may hear of the final multiplication results from \(TP_{1}\), but they are still helpless in getting \(p_{b}^{i}\).

Fourthly, in Step 6‴, \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\) may hear of \(\mu _{b}^{i}\) sent out from \(P_{b}\) and \(\nu _{i}\) sent out from \(TP_{2}\), so they can infer out \(y_{b}^{i}\) according to Eq. (13). However, \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\) has no chance to obtain \(p_{b}^{i}\) based on Eq. (12), due to lack of \(x_{b}^{i}\). Besides, in Step 7‴, \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\) may hear of the final summation results from \(TP_{1}\), but they still cannot acquire \(p_{b}^{i}\).

In conclusion, two or more users has no chance to acquire the secret integers of remaining users in the three proposed protocols.

1. (3)

   The participant attack from semi-honest \(TP_{1}\)

It is assumed that \(TP_{1}\) cannot be allowed to conspire with anyone else. On the one hand, \(TP_{1}\) may launch her attacks on the qudits between \(TP_{2}\) and \(P_{n}\) to steal \(y_{n}^{i}\); nevertheless, her eavesdropping behaviors are definitely detected according to Sect. 5.1. On the other hand, \(TP_{1}\) receives \(c_{n}^{i}/g_{n}^{i}/\mu _{n}^{i}\) and \(\chi _{n'n}^{i}/\beta _{i}/\nu _{i}\) from \(P_{n}\) and \(TP_{2}\), respectively; however, she cannot infer out \(p_{n}^{i}\), due to lack of \(y_{n}^{i}\), according to Eq. (3)/Eq. (8)/Eq. (12). In addition, the final comparison/multiplication/summation results cannot work in getting \(p_{n}^{i}\) either.

1. (4)

   The participant attack from semi-honest \(TP_{2}\)

It is assumed that \(TP_{2}\) cannot be permitted to collude with anyone else. On the one hand, \(TP_{2}\) may launch her attacks on the particles between \(TP_{1}\) and \(P_{n}\) to get \(x_{n}^{i}\), but she is undoubtedly discovered based on Sect. 5.1. On the other hand, \(TP_{2}\) may hear of \(c_{n}^{i}/g_{n}^{i}/\mu _{n}^{i}\) from \(P_{n}\) to \(TP_{1}\) in Step 6′/ Step 6″/ Step 6‴; nevertheless, she has no chance to acquire \(p_{n}^{i}\), because of being short of \(x_{n}^{i}\), in accordance with Eq. (3)/Eq. (8)/Eq. (12). In addition, \(TP_{2}\) may hear of the final comparison/multiplication/summation results from \(TP_{1}\), but is still helpless for her to get \(p_{n}^{i}\).

The proposed hybrid protocol can achieve the multi-party semiquantum private comparison scheme, the multi-party semiquantum multiplication scheme and the multi-party semiquantum summation scheme simultaneously under the help of two TPs. Here, \(TP_{1}\) and \(TP_{2}\) mutually supervise each other. The function of \(TP_{1}\) is to create a semiquantum private key \(x_{n}\) with \(P_{n}\); in the meanwhile, \(TP_{2}\) creates a semiquantum private key \(y_{n}\) with \(P_{n}\). Some existing semiquantum private comparison [55] and summation protocols [46] only need one TP. However, in practical applications, these protocols can only be applied to the scenario with a single authority center. However, a protocol with two TPs, such as our hybrid protocol, can be applied to the situation with two mutually supervising authority centers. In addition, our hybrid protocol can be applied into many scenarios, such as voting, ranking, bidding, and so on.

As illustrated in Ref. [55], the qudit efficiency is utilized to calculate the communication efficiency of a quantum protocol suitable for the d-dimensional Hilbert space, which is defined as

Here, κ, τ and ξ are the length of private inputs established, the number of qudits consumed and the number of classical bits expended, respectively. Note that we neglect the classical resources expended during the eavesdropping detection processes.

In the proposed MSQPC protocol, the length of \(p_{n}\) is L, so we gain \(\kappa = L\). \(TP_{1}/TP_{2}\) prepares N groups of 8L d-dimensional single-particle states and transmits them to the semiquantum participants; after getting the qudits from \(TP_{1}/TP_{2}\), when \(P_{n}\) enters into the MEASURE mode, she is asked to produce 4L fresh qudits based on the found states within the \(T_{1}\) basis; so we obtain \(\tau = ( 8L \times N + 4L \times N ) \times 2 = 24NL\). Then, \(P_{n}\) and \(TP_{2}\) send \(c_{n}^{i}\) and \(\chi _{n'n}^{i}\) to \(TP_{1}\), respectively, where \(n = 1,2, \ldots ,N\), \(n' = 2,3, \ldots ,N\), \(n' > n\) and \(i = 1,2, \ldots ,L\). Hence, we have \(\xi = L \times N + \frac{N(N - 1)}{2} \times L = NL + \frac{NL(N - 1)}{2}\). As a result, the proposed MSQPC protocol’s qudit efficiency is \(\eta = \frac{L}{24NL + NL + \frac{NL(N - 1)}{2}} = \frac{2}{N^{2} + 49N}\).

Whether in the proposed MSQM protocol or MSQS protocol, by adopting the same analysis method as foregoing discussion, we can obtain \(\kappa = L\) and \(\tau = 24NL\). Furthermore, \(P_{n}\) and \(TP_{2}\) send \(g_{n}^{i}/\mu _{n}^{i}\) and \(\beta _{i}/\nu _{i}\) to \(TP_{1}\), respectively, where \(i = 1,2, \ldots ,L\). Therefore, it can be deduced that \(\xi = L \times N + L = (N + 1)L\). Consequently, the qudit efficiency of the proposed MSQM protocol or MSQS protocol is \(\eta = \frac{L}{24NL + (N + 1)L} = \frac{1}{25N + 1}\).

In the SQPC protocol of Ref. [55], the length of Alice’s or Bob’s secrets is n, so we get \(\kappa = n\). The minimum number of d-dimensional single-particle states generated by TP should be 16n; then, TP sends 8n particles to Alice and 8n particles Bob; when Alice and Bob enter into the MEASURE mode, they send the freshly prepared qudits to TP. Furthermore, this protocol adopts the SQKD protocol [63] to produce the pre-shared keys among Alice and Bob, consuming 24n qudits. Hence, we obtain \(\tau = 16n + 4n + 4n + 24n = 48n\). In addition, Alice sends \(R_{A}^{i}\) to TP while Bob sends \(R_{B}^{i}\) to TP. TP needs to announce \(r_{i}\) to Alice and Bob. As a result, we obtain \(\xi = 3n\). It can be concluded that the qudit efficiency of the protocol in Ref. [55] is \(\eta = \frac{n}{48n + 3n} = \frac{1}{51}\).

Using the same method, we obtain that the qudit efficienies of the protocol of Ref. [51], the protocol of Ref. [52], the first protocol of Ref.[53], the second protocol of Ref.[53] and the protocol of Ref.[54] are \(\frac{1}{50}\), \(\frac{1}{42}\), \(\frac{1}{50}\), \(\frac{1}{14}\) and \(\frac{1}{38}\), respectively. In the proposed MSQPC protocol, when \(N = 2\), the corresponding qudit efficiency is \(\frac{1}{51}\). With respect to qudit efficiency, compared to the protocols of Refs. [51–55], our MSQPC protocol does not have an advantage, but is very close to the protocol of Ref. [51] and the first protocol of Ref. [53]. The protocols of Refs. [51–55] can only achieve the private comparison between two semiquantum users. Fortunately, the proposed hybrid protocol can achieve the semiquantum private comparison, the semiquantum multiplication and the semiquantum summation simultaneously among more than two semiquantum participants, which may decrease the qudit efficiency.

In addition, we compare the proposed MSQPC protocol with the present SQPC protocols of size relationship in Refs. [51–55], as shown in Table 2. In accordance with Table 2, the proposed MSQPC protocol is superior to the protocols of Refs. [51, 52, 54] in quantum resources, as d-dimensional single-particle states are much easier to produce than d-dimensional Bell states and d-dimensional GHZ states; on the usage of a pre-shared key, the proposed MSQPC protocol defeats the protocols of Refs. [51–55], as it has no demand for a pre-shared key; due to no use of unitary operations, the proposed MSQPC protocol exceeds the second protocol of Ref. [53]; as for the quantum measurements from quantum parties, the proposed MSQPC protocol takes advantage over the protocols of Refs. [51, 52, 54], due to that it doesn’t require d-dimensional GHZ state measurements or d-dimensional Bell state measurements; and the proposed MSQPC protocol, aiming to determine the size relationship of more than two semiquantum participants’ private inputs within one round implementation, is the only one which doesn’t require a pre-shared key.

In conclusion, in this paper, by utilizing d-dimensional single-particle states, the first MSQPC protocol without a pre-shared key, aiming to judge the size relationship of more than two semiquantum users’ secret integers, is put forward; the first MSQM protocol integrating the concept of semiquantumness into quantum multiplication is put forward, which is devoted to computing the modulo d multiplication of secret integers from more than two semiquantum participants; and the first MSQS protocol which can calculate the modulo d addition of private inputs from more than three semiquantum users is put forward. It is noteworthy that only under the control of two TPs can the goals of the three proposed protocols be achieved, where the semi-honest TPs are allowed to launch arbitrary attacks but cannot cooperate with anyone else.

The three proposed protocols have no demand for quantum entanglement swapping and unitary operations. Both the outside attacks and the participant attacks can be resisted in the three proposed protocols.

The datasets used during the current study are available from the corresponding author on reasonable request

MSQPC:

Multi-party semiquantum private comparison

MSQM:

Multi-party semiquantum multiplication

MSQS:

Multi-party semiquantum summation

TP:

Third party

QKD:

Quantum key distribution

QSS:

Quantum secret sharing

QPC:

Quantum private comparison

QM:

Quantum multiplication

QS:

Quantum summation

SQPC:

Semiquantum private comparison

SQS:

Semiquantum summation

SQM:

Semiquantum multiplication

SQKD:

Semiquantum key distribution

CNOT:

Controlled-not

the National Natural Science Foundation of China (Grant No.62071430), the Fundamental Research Funds for the Provincial Universities of Zhejiang (Grant No. JRK21002) and the Project Supported by Scientific Research Fund of Zhejiang Provincial Education Department (Grant No. Y202352615).

Authors and Affiliations

1. College of Information & Electronic Engineering, Zhejiang Gongshang University, Hangzhou, 310018, P.R. China

   Jiang-Yuan Lian & Tian-Yu Ye

Contributions

Jiang-Yuan Lian wrote the manuscript; and Tian-Yu Ye reviewed and checked the paper

Corresponding author

Correspondence to Tian-Yu Ye.

Ethics approval and consent to participate

Not applicable

Consent for publication

Not applicable

Competing interests

The authors declare no competing interests.

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions