4.1 Correctness
The core idea of the proposed privacy- preserving QFMV protocol is to calculate bitwise OR operators of all private bit strings from left to right, i.e., from high to low. Initially, each bit string \(Y_{i}^{*}\) represents a private secret, i.e., \(Y_{i}\). As the calculations progress, increasingly, all parties, except one whose input is the maximum value, can determine that their private inputs are less than the maximum value, and accordingly, they will input 0 in later quantum SMC_OR protocols. That is, only the party with the maximum value retains all bits in his private bit string, while other parties renew their bits to ensure that each bit of them is less than or equal to the corresponding bit of the maximum value. So, it can finally output all bits of the maximum value. Here, we give a simple example, as shown in Fig. 1. From the example, we can see that the correctness of the proposed QFMV protocol is mainly guaranteed by quantum SMC_OR protocols. So, we further analyze the correctness of the quantum SMC_OR protocol as Theorem 1. In the following theorem, suppose that the number of one among m private inputs (i.e., \(x_{1}, x_{2},\dots , x_{m}\)) in the quantum SMC_OR protocol is p, where \(p\leq m\).
Theorem 1
If \(p=0\) or 1, then the quantum SMC_OR protocol is perfectly correct; If \(p\geq 2\), then it may give a wrong output 0, but the error probability \(\delta \approx \frac{1}{2^{k}}\), which is very small and negligible when k is large enough, e.g., \(k=10\).
Proof
(1) On the one hand, from Eqs. (1) and (2), we can easily get the following equations:
$$\begin{aligned}& H^{2} = U_{Y}^{2} =I, \end{aligned}$$
(5)
$$\begin{aligned}& HU_{Y} H=- U_{Y}, \end{aligned}$$
(6)
$$\begin{aligned}& HU_{Y} =- U_{Y} H. \end{aligned}$$
(7)
Furthermore, we consider all possible operators on a specific photon, e.g., \(ph_{j}\), as shown in Fig. 2.
Suppose that the initial state of the photon \(ph_{j}\) is \(\vert \psi \rangle _{j}\). By previously prescribed procedures, when the photon \(ph_{j}\) finally comes back to the quantum cloud, its final state \(\vert \phi \rangle _{j}\) will be changed as
$$ \vert \phi \rangle _{j} = U_{Y}^{R_{m} [j]} H^{S_{m} [j]} \cdots U_{Y}^{R_{2} [j]} H^{S_{2} [j]} U_{Y}^{R_{1} [j]} H^{S_{1} [j]} \vert \psi \rangle _{j}. $$
(8)
By Eqs. (5)–(7), we can further get
$$ \vert \phi \rangle _{j} = (-1)^{l} U_{Y}^{\sum _{i} R_{i} [j]} H^{\sum _{i} S_{i} [j]} \vert \psi \rangle _{j}. $$
(9)
Here, \(l =0\) or \(l =1\). Furthermore, if j satisfies the useful condition, then \(\sum_{i} S_{i} [j] =0\operatorname{mod}2\), so
$$ \vert \phi \rangle _{j} = (-1)^{l} U_{Y}^{\sum _{i} R_{i} [j]} \vert \psi \rangle _{j}. $$
(10)
In addition, it gives
$$\begin{aligned}& U_{Y} \vert 0 \rangle \rightarrow \vert 1 \rangle , \\& U_{Y} \vert 1 \rangle \rightarrow - \vert 0 \rangle , \\& U_{Y} \vert + \rangle \rightarrow \vert - \rangle , \\& U_{Y} \vert - \rangle \rightarrow - \vert + \rangle . \end{aligned}$$
(11)
By Eqs. (10) and (11), we further know that for any useful event, the final state will remain the same as the initial state except for a global phase if the number of performing \(U_{Y}\) is even, otherwise it will change, but it keeps the same basis.
In turn, if the measured result of the jth photon \(ph_{j}\) by the quantum cloud is inconsistent with the initial state of the photon \(ph_{l_{j}}\), then \(\sum_{i =1}^{m} R_{i} [ j ] \operatorname{mod}2=1\), and \(\sum_{i =1}^{m} R_{i} [ j ] \operatorname{mod}2=0\) otherwise. That is, the single \(R_{i} [ j ]\) is private, but the quantum cloud knows the summation of \(\sum_{i =1}^{m} R_{i} [ j ] \operatorname{mod}2\).
Furthermore, by Eqs. (3) and (4), we can get
$$\begin{aligned} X^{*} [ l_{j} ]&= \sum_{i=1}^{m} X_{i}^{*} [ l_{j} ] \operatorname{mod}2 \\ &= \sum_{i=1}^{m} \bigl( X_{i} [j]+ R_{i} [ l_{j} ]\bigr) \operatorname{mod}2 \\ &= \sum_{i=1}^{m} X_{i} [j] \operatorname{mod}2+ \sum_{i=1}^{m} R_{i} [j] \operatorname{mod}2. \end{aligned}$$
(12)
If \(\sum_{i =1}^{m} R_{i} [ j ] \operatorname{mod}2=1\), \(\sum_{i =1}^{m} X_{i} [ j ] \operatorname{mod}2=( X^{*} [ l_{j} ] +1) \operatorname{mod}2\), and \(\sum_{i =1}^{m} X_{i} [ j ] \operatorname{mod}2= X^{*} [ l_{j} ]\) otherwise. So, the equation of \(w = \sum_{i =1}^{m} X_{i} [ j ] \operatorname{mod}2\) is always true. In turn, the quantum cloud can deduce the value of \(\sum_{i =1}^{m} X_{i} [ j ] \operatorname{mod}2\) (i.e., w) by the public information and his recorded results.
(2) On the other hand, we further consider the following different cases that m inputs \(x_{1},\dots x_{i},\dots , x_{m}\) have p ones (i.e., p is the number of ones in all \(x_{i}\)s).
In the case of \(p =0\) (i.e., all \(x_{i}\)s are equal to 0):
Accordingly, all \(X_{i} [j]\)s are equal to 0. That is, \(w = \sum_{i=1}^{m} X_{i} [j] \operatorname{mod}2=0\) for all j. Since \(x_{1} \vee x_{2} \vee \cdots \vee x_{m} =0\), the output is correct.
In the case of \(p =1\):
There is just one \(X_{i^{*}}\) that \(X_{i^{*}} \neq 0\), so there is at least one j, such that \(w = \sum_{i=1}^{m} X_{i} [j] \operatorname{mod}2 = X_{i^{*}} [ j ] = 1\). That is, \(x_{1} \vee x_{2} \vee \cdots \vee x_{m} =w=1\). Therefore, the output is correct.
In the case of \(p =2\):
Suppose that \(x_{i_{1}} =1\) and \(x_{i_{2}} =1\). Accordingly, \(X_{i_{1}} \neq \boldsymbol{0}\) and \(X_{i_{2}} \neq \boldsymbol{0}\). Then, the total number of appropriate \(X_{i_{1}}\) and \(X_{i_{2}}\) is \(( 2^{k} -1)( 2^{k} -1)\). Furthermore, the final output \(w =1\) if \(X_{i_{1}} \neq X_{i_{2}}\), otherwise \(w =0\) (i.e., \(X_{i_{1}} = X_{i_{2}}\)). The number of possible \(X_{i_{1}}\) (i.e., \(X_{i_{1}} \neq 0\)) is (\(2^{k} -1\)). So, the error probability (i.e., \(X_{i_{1}} = X_{i_{2}}\)) is equal to
$$\begin{aligned}& \delta = \frac{( 2^{k} -1)}{( 2^{k} -1)( 2^{k} -1)}, \\& \delta = \frac{1}{( 2^{k} -1)}. \end{aligned}$$
(13)
Obviously, when k is large enough, \(\delta \approx 0\). For example, if \(k=6\), \(\delta =0.01587\); if \(k=10\), \(\delta =0.00098\).
In the case of \(p =3\):
We consider the following error combinations: k rows (corresponding to \(j=1,2,\dots ,k\)) and p columns (corresponding to p array \(X_{i}\)s), where each column has at least one “1” (i.e., the corresponding \(X_{i} \neq 0\)) and each row has zero “1” or two “1”s, i.e., \(w = \sum_{i=1}^{m} X_{i} [j] \operatorname{mod}2=0\). However, \(x_{1} \vee x_{2} \vee \cdots \vee x_{m} =1\). Furthermore, by the possible 1s in each row, we can deduce that the error probability satisfies the following condition:
$$\begin{aligned}& \delta < \frac{ ( C_{3}^{0} + C_{3}^{2} )^{k}}{( 2^{k} -1)( 2^{k} -1)( 2^{k} -1)}, \\& \delta < \frac{4^{k}}{( 2^{k} -1)( 2^{k} -1)( 2^{k} -1)} \approx \frac{1}{ 2^{k}}. \end{aligned}$$
(14)
Similarly, when k is large enough, \(\delta \approx 0\). For example, if \(k=6\), \(\delta <0.01638\); if \(k=10\), \(\delta <0.00098\).
By analogy, we can easily deduce that other more general cases for any p:
$$\begin{aligned}& \delta < \frac{( C_{p}^{0} + C_{p}^{2} + C_{p}^{4} +\cdots + C_{p}^{2 \lfloor p/2 \rfloor} )^{k}}{( 2^{k} -1)^{p}}, \\& \delta < \frac{( 2^{p-1} )^{k}}{( 2^{k} -1)^{p}} \approx \frac{1}{2^{k}}. \end{aligned}$$
(15)
Please note that \(C_{p}^{0} + C_{p}^{1} + C_{p}^{2} +\cdots + C_{p}^{p} = 2^{p}\) and \(C_{p}^{i} = C_{p-1}^{i-1} + C_{p-1}^{i}\). Therefore, when k is large enough, δ is negligible. That is, the proposed quantum SMC_OR protocol is approximatively correct. □
4.2 Security
According to the proposed QFMV protocol, all parties jointly compute the bitwise OR operators of their respective private inputs (see Fig. 1). So, the security of the proposed QFMV protocol is guaranteed by that of the proposed quantum SMC_OR protocol. In the following theorem, we will prove that our proposed quantum SMC_OR protocol is information-theoretically secure in the semi-honest model.
Theorem 2
The proposed quantum SMC_OR protocol is information-theoretically secure, when all parties honestly execute the protocol.
Proof
Before publishing the random bit \(S_{i} [ j ]\), each party \(P_{i}\) performs two quantum operators \(U_{Y}^{R_{i} [j]} H^{S_{i} [j]}\) on the jth photon \(ph_{j}\), that is, he encrypts each transmitted qubit (e.g., the single-photon \(ph_{j}\)) by using two random and secret bits (i.e., privately performing two quantum operators \(U_{Y}^{R_{i} [j]} H^{S_{i} [j]}\) on the photon \(ph_{j}\)). Similarly, it is a perfect quantum encryption [22], which is information-theoretically secure.
By Ref. [22], the quantum protocol is information-theoretically secure if for every input state \(\rho _{\mathrm{in}}\), the output state \(\rho _{\mathrm{out}}\) is a totally mixed state. The relation of the input state \(\rho _{\mathrm{in}}\) and the output state \(\rho _{\mathrm{out}}\) is as follows:
$$ \rho _{\mathrm{out}} = \sum_{k} p_{k} U_{k} \rho _{\mathrm{in}} U_{k}^{\dagger} = \frac{1}{ 2^{t}} I. $$
(16)
Here \(\rho _{\mathrm{in}}\) is the density matrix of all possible t-qubit input states and \(U_{k}\) is the corresponding unitary operator applied to the input state.
For simplicity, we only analyze an arbitrary photon, e.g., \(ph_{j}\), in our protocol. Accordingly, we can get
(17)
$$\begin{aligned}& R_{i} [ j ], S_{i} [ j ] \in _{R} \{0,1\}. \end{aligned}$$
(18)
So, after the party \(P_{i}\) performing the corresponding operators, the output state should be in
(19)
From Eq. (19), we can see that the output of the single-photon \(ph_{j}\) after the party \(P_{i}\) performing private operators is just a totally mixed state. So, anyone including the quantum cloud or the next party \(P_{i +1}\) cannot get any private information about the party \(P_{i}\)’s bits \(R_{i} [ j ]\) and \(S_{i} [ j ]\). That is, it is a perfect quantum encryption.
After completing the tests of q checking events, each party \(P_{i}\) computes and opens \(X_{i}^{*} [ l_{j} ]=( X_{i} [j]+ R_{i} [ l_{j} ])\operatorname{mod}2\), where \(R_{i} [ l_{j} ]\) is completely random and private. Clearly, it is a classical one-time pad.
In short, perfect quantum encryption and classical one-time pad can ensure the information-theoretical security of the proposed quantum protocols in the semi-honest model.
Furthermore, a dishonest party (e.g., \(P_{i -1}\)) can perform a collusion attack to eavesdrop on partial private information of the party \(P_{i}\) with the next party \(P_{i+1}\) as follows:
After the dishonest party \(P_{i-1}\) receives all t single photons, he prepares t two-photon Bell states and sends t photons of Bell states to the party \(P_{i}\) instead of the original t single photons. Without loss of generality, we only analyze a Bell state of two photons, e.g., \(\frac{ \vert 00 \rangle _{\mathrm{ab}} + | 11\rangle _{\mathrm{ab}}}{\sqrt{2}}\). For example, the dishonest party \(P_{i-1}\) sends the photon b to the party \(P_{i}\) instead of the real photon \(ph_{j}\), while he keeps the photon a in hands. Accordingly, the party \(P_{i}\) performs the following operators \(U_{Y}^{R_{i} [j]} H^{S_{i} [j]}\) on the photon b:
$$\begin{aligned}& U_{Y}^{0} H^{0} \frac{ \vert 00 \rangle _{\mathrm{ab}} + \vert 11\rangle _{\mathrm{ab}}}{\sqrt{2}} = \frac{ \vert 00 \rangle _{\mathrm{ab}} + \vert 11\rangle _{\mathrm{ab}}}{\sqrt{2}}, \end{aligned}$$
(20)
$$\begin{aligned}& U_{Y}^{0} H^{1} \frac{ \vert 00 \rangle _{\mathrm{ab}} + \vert 11\rangle _{\mathrm{ab}}}{\sqrt{2}} = \frac{ \vert 0+ \rangle _{\mathrm{ab}} + \vert 1-\rangle _{\mathrm{ab}}}{\sqrt{2}}, \end{aligned}$$
(21)
$$\begin{aligned}& U_{Y}^{1} H^{0} \frac{ \vert 00 \rangle _{\mathrm{ab}} + \vert 11\rangle _{\mathrm{ab}}}{\sqrt{2}} = \frac{ \vert 01 \rangle _{\mathrm{ab}} - \vert 10\rangle _{\mathrm{ab}}}{\sqrt{2}}, \end{aligned}$$
(22)
$$\begin{aligned}& U_{Y}^{1} H^{1} \frac{ \vert 00 \rangle _{\mathrm{ab}} + \vert 11\rangle _{\mathrm{ab}}}{\sqrt{2}} = \frac{ \vert 0- \rangle _{\mathrm{ab}} + \vert 1+\rangle _{\mathrm{ab}}}{\sqrt{2}}. \end{aligned}$$
(23)
Later, the party \(P_{i}\) sends the photon b to the next party \(P_{i+1}\). To implement the collusion attack, the party \(P_{i+1}\) does nothing except send the photon b to the party \(P_{i-1}\). Finally, the party \(P_{i-1}\) performs a Bell-basis measurement on the two photons (a, b) so that it can deduce partial private information of the party \(P_{i}\). For example, if his measured result is \(\frac{ \vert 00 \rangle _{\mathrm{ab}} + | 11\rangle _{\mathrm{ab}}}{\sqrt{2}}\), then he can deduce that \(R_{i} [ j ] =0\) and \(S_{i} [ j ] =0\).
In particular, to resist this collusion attack, we add the tests of q checking events in our proposed protocol. Obviously, checking events can ensure the honesty of all parties and resist the outsider’s eavesdropping, which is similar to the decoy technology in QKD [23].
On the other hand, if the dishonest parties perform this attack, the final output must be wrong. So, in order to verify whether the final output is the maximum value among many secrets, we can add a commit protocol in the initial phase as follows:
Each party \(P_{i}\) (\(i =1,2,\dots , m\)) randomly selects an integer \(R_{i} \in Z_{N}\) and computes \(C_{i} = H ( R_{i} \oplus H ( R_{i} \oplus Y_{i} ))\), where \(Y_{i}\) is his secret and \(H (\boldsymbol{\cdot})\) is a hash function with strong collision-resistant. Then the party \(P_{i}\) submits \(C_{i}\) to the quantum cloud by the classical channels. That is, the party \(P_{i}\) commits \(Y_{i}\) to the quantum cloud, but no one can get \(Y_{i}\) only from \(C_{i}\) without \(R_{i}\).
Later, when the quantum cloud outputs the maximum value \(Y_{\max}\), the party \(P_{\max}\) with the maximum value \(Y_{\max}\) opens his secrets \(Y_{\max}\) and \(R_{\max}\). Finally, the quantum cloud can verify its correctness by determining whether the following equation is true or not:
$$ C_{\max} =H \bigl( R_{\max} \oplus H ( R_{\max} \oplus Y_{\max} ) \bigr). $$
(24)
If there is no any party to claim the maximum value, it shows the output result is wrong.
According to the above analysis, if all parties honestly execute the protocol, it will output the final result rightly. In turn, any eavesdropping or dishonesty can be easily detected by public comparisons in checking events. Accordingly, no coalition of dishonest parties can harm any honest party without being detected. Furthermore, all parties in our protocol are perfect peer and execute the same procedures. Therefore, the proposed quantum SMC_OR protocol can achieve the fairness.
In addition, like most existing multiparty quantum computations, our proposed quantum SMC_OR protocol needs authenticated quantum channels, which can ensure the authenticity of quantum resources and participant identities. In principle, we may combine quantum authentication technologies [24] with classical authentication technologies [25] to implement various authentications in quantum channels. □
4.3 Performance
The proposed quantum SMC_OR protocol takes single photons as quantum resources and accordingly needs single-photon-based operators (i.e., \(U_{Y}\) and H) and measurements. Suppose that there are m parties. Then, it needs to transmit \(2(k+q)m\) qubits. So, the communicational complexity is \(O(km)\). Furthermore, we assume that the bit length of each secret in the proposed QFMV protocol is n. So, it needs to call the proposed quantum SMC_OR protocol n times. Accordingly, our proposed QFMV protocol’s communicational complexity is \(O(kmn)\).
Furthermore, we simulate the proposed quantum SMC_OR protocol in Qiskit of IBM (Qiskit-0.23.2; Python-3.8.6; OS-Linux). First, we verify the correctness of this protocol in different instances, i.e., the different parameters: k, p and m. For example, \(k=7\), \(p=5\) and \(m=11\). The detailed circuits of this instance are shown in Fig. 3. Then, we focus on the error rate (i.e., the error probability δ) of proposed SMC_OR protocol with different values of k and p.
The curve charts in Fig. 4 show the relationships between the error rate and the parameter p when k takes different values. In our simulation experiments, suppose that there are 10 parties and they jointly compute the SMC_OR protocol 60000 times for each k, where each input is random in each time. From Fig. 4, we can see that the error rate mainly depends on the values of k when \(p\geq 2\), and it is approximatively equal to 0 when \(k=10\). In short, our simulation experiments verify the correctness and the feasibility of the proposed quantum SMC_OR protocol.
At present, we do not consider quantum noise and loss of photons in our proposed quantum protocols. Obviously, we can increase the number of transmitting single photons (i.e., t) in practical applications and adopt classical error-correction technology to avoid these problems. In addition, when the parties are far apart, we may deploy a quantum repeater at each party, which is used to forward private and unknown states of photons based on teleportation.
In a word, it is feasible to implement our proposed quantum protocols with the present quantum technologies.
