Privacy-preserving quantum protocol for finding the maximum value

In this paper, we first define a primitive protocol of secure multiparty computations to privately compute the logic operator “OR” (SMC_OR). Accordingly, we design a feasible quantum SMC_OR protocol by using single photons, which can achieve information-theoretical security in the semi-honest model. Furthermore, we adopt the proposed quantum SMC_OR protocol to solve an interesting but important privacy-preserving problem, i.e., finding the maximum value among many secrets. Finally, we simulate the related quantum protocols in Qiskit and verify the correctness and the feasibility of the proposed protocols.

Nowadays, quantum computations [1, 2] and quantum communications [3, 4] have received extensive attention and gained many promising achievements, e.g., quantum teleportation [5], quantum cryptography [6] and quantum artificial intelligence [7].

With the further development of quantum computing, classical cryptographic systems (e.g., RSA) faces enormous threatens and challenges. Fortunately, quantum cryptography brings new dawn, e.g., the first quantum key distribution protocol (i.e., the BB84 QKD protocol) [8], which can ensure information-theoretical security [9]. Furthermore, compared with classical cryptography, the biggest advantage of quantum cryptography is that both the sender and the receiver can easily detect any outsider’s eavesdropping when transmitting quantum messages through quantum channels.

In classical settings, modern cryptography has many important functionalities and applications except for the basic encryption and decryption, e.g., ensuring message integrity and protecting user privacy. Similarly, quantum cryptography, which is a combination of modern cryptography and quantum mechanics, can theoretically ensure data security and protect user privacy. Therefore, quantum cryptography has a wide range of research, including quantum key distribution (QKD), quantum secret sharing (QSS), quantum secure direct communication (QSDC), quantum signature (QS), quantum privacy query (QPQ) and so on. However, except for QKD, there are few feasible quantum cryptographic protocols, which can be successfully implemented in large-scale networks.

In this paper, we focus on input privacy in a specific cryptographic task, in which a group of users try to compute the maximum value among their private inputs. Our primary goal is to protect user privacy by designing ingenious quantum cryptographic protocols. Furthermore, our secondary goal is to design quantum protocols by employing feasible quantum processing technologies, so that designed quantum protocols can be practically and effectively implemented. First, we define an interesting but important primitive protocol of secure multiparty computation, i.e., secure multiparty computation of OR (SMC_OR for short) and design the corresponding quantum SMC_OR protocol. What’s more, we present an unconditionally (i.e., information-theoretically) secure quantum protocol for finding the maximum value among many secrets based on proposed quantum SMC_OR protocols, where each secret belongs to a different participant.

In classical setting, secure multiparty computation (SMC) is an important subfield of modern cryptography, which allows a number of mutually distrustful parties to jointly compute a function without leaking their respective private inputs. The first SMC problem was presented by Yao [10], i.e., the Millionaires’ problem, in which two millionaires wish to know who is richer without disclosing their wealth. Privately finding the maximum value is the general case of the Millionaires’ problem, in which a group of parties try to compute the maximum value (i.e., the greatest value) among their private inputs. Accordingly, a naive method to find the maximum value among many private inputs may adopt pairwise private comparison protocols [11], but this method reveals the rank order of all private inputs. Due to its importance, there appeared other better methods to privately compute the maximum value based on classical cryptographic algorithms, e.g., homomorphic encryption [12] and anonymous veto network [13]. However, the security of these algorithms is based on unproven computational assumptions, e.g., to prove the security of proposed algorithms in Ref. [13], the author assumes that the Decision Diffie-Hellman (DDH) problem is intractable. Furthermore, these computational assumptions are vulnerable to the attacks by quantum computers due to fast quantum algorithms [9]. Accordingly, these algorithms based on unproven computational assumptions cannot resist quantum attacks. What’s more, compared with the classical related algorithms or protocols, the biggest advantage of using quantum cryptography to compute the maximum value is that it can easily detect any outsider’s eavesdropping or any party’s dishonesty.

Finding the maximum value among many secrets has important and wide applications in privacy-preserving fields, such as sealed-bid auction [14, 15], electronic voting [16, 17] and federated learning [18, 19]. For example, in sealed-bid auction, an auctioneer can get the highest bid by finding the maximum value among multiple private bids, so that it can ensure the anonymity because each bidder does not need to submit his private bid to the auctioneer. In quantum setting, there were quantum algorithms to find the maximum [20] or the minimum [21]. However, in these quantum algorithms there is not any privacy protection. To the best of our knowledge, there is not yet any quantum protocol for privately finding the maximum value.

Though near-term quantum computing devices have super-fast computing power, few users can own them due to their expensive costs. Furthermore, the emergence of various quantum cloud platforms (e.g., IBM quantum experience) makes it possible for ordinary users to perform quantum computing. In view of this, we introduce a quantum cloud in our proposed quantum protocols to make the quantum processing capacity required by all parties reach the minimum requirements, i.e., it only needs to perform single-photon operators (Pauli operator and Hadamard gate operator). Furthermore, our proposed quantum protocols take single photons (i.e., BB84 states) as quantum resources and only need to perform single-photon operators and single-photon measurements, which are similar to the BB84 QKD protocol. Therefore, it is feasible to implement proposed protocols with present technologies.

In this section, we first give an informal definition of a primitive problem of secure multiparty computations, i.e., secure multiparty computation of OR (SMC_OR for short), and then present a feasible quantum protocol for SMC_OR, which will be utilized later in privacy-preserving quantum protocol for finding the maximum value (later called privacy-preserving QFMV protocol).

Definition 1

(SMC_OR)

Suppose that there are m (\(m>2\)) parties: \(P_{1},P_{2},\dots ,P_{m}\), each of which has a private input \(x_{i} \in \{0,1\}\) (\(i =1,2,\dots , m\)). After executing the SMC_OR protocol, the protocol outputs \(x_{1} \vee x_{2} \vee \cdots \vee x_{m}\). Here “∨” denotes a logical OR, i.e., \(0\vee 0=0\), \(0\vee 1=1\), \(1\vee 0=1\) and \(1\vee 1=1\). In addition, SMC_OR should satisfy the following requirements:

Correctness. If all parties honestly execute this protocol, then the final output is \(x_{1} \vee x_{2} \vee \cdots \vee x_{m}\), i.e., the output is correct.

Fairness. Roughly speaking, no coalition of dishonest parties can harm any honest party without being detected. In other words, under no circumstances one party should have an advantage over another or other parties.

Privacy. Any other party except for the party \(P_{i}\) learns no information about \(x_{i}\) except the final output \(x_{1} \vee \dots x_{i} \dots \vee x_{m}\).

Security Model. In the following protocols, we only consider the honest-but-curious parties [14, 15], like the semi-honest model [13] in the classical settings, where adversaries may try to learn as much information as possible from a given protocol execution but are not able to deviate from the protocol steps. That is, in the semi-honest model, each participant follows the protocol specification but tries to deduce some private information about the other participants [13].

Furthermore, we assume that there is a semi-honest quantum cloud, who will prepare all quantum resources (i.e., single photons) and perform all single-photon measurements, and other parties with quantum-limited capabilities only need to forward single photons and perform simple single-photon operators. In addition, we assume that there is an authenticated quantum channel between any \(P_{i}\) and \(P_{i+1}\) (\(i=1,2,\dots ,m\) and \(P_{m+1}\) is the quantum cloud). Finally, the quantum cloud is responsible to output \(x_{1} \vee x_{2} \vee \cdots \vee x_{m}\).

In the semi-honest model, each participant follows the protocol specification but tries to deduce some private information about the other participants [13]. So, in the following protocols we mainly consider two privacy goals: (1) Preserving input privacy from anyone inside the group of participants, including the quantum cloud; (2) Preserving input privacy from outside passive attackers, i.e., outside eavesdropper.

Quantum SMC_OR Protocol

Step 1. All parties agree on a small integer k, e.g., \(k =10\), which is related to the probability of successfully outputting \(x_{1} \vee \cdots x_{i} \cdots \vee x_{m}\) (i.e., the error probability \(\delta \approx \frac{1}{2^{k}}\), later see Theorem 1).

Step 2. Each party \(P_{i}\) (\(i=1,2,\dots ,m\)) generates a private array \(X_{i}\) of the length k by his private input \(x_{i}\): If \(x_{i} =0\), then all \(X_{i} [j]\)s are equal to 0; If \(x_{i} =1\), then each \(X_{i} [ j ]\) is equal to 0 or 1 randomly but there is at least one 1 among all \(k X_{i} [j]\)s. That is, if \(x_{i} =0\), then \(X_{i} [1] \vee X_{i} [2]\vee \cdots \vee X_{i} [k]=0\); if \(x_{i} =1\), then \(X_{i} [1]\vee X_{i} [2]\vee \cdots \vee X_{i} [k]=1\).

Step 3. Let \(t=2(k+ q )\), where q is a secure parameter. Furthermore, each party \(P_{i}\) (\(i=1,2,\dots ,m\)) randomly generates two t-element arrays \(R_{i}\) and \(S_{i}\), where \(R_{i} [j] \in _{R} \{0,1\}\) and \(S_{i} [j] \in _{R} \{0,1\}\) for \(j=1,2,\dots ,t\).

Step 4. The quantum cloud prepares t single photons: \(ph_{1}, ph_{2}, \dots , ph_{t}\), each of which is randomly in \(\{\vert 0 \rangle , \vert 1 \rangle , \vert + \rangle , \vert - \rangle\}\). Furthermore, the quantum cloud records the initial states of t single photons. Finally, the quantum cloud sends all t single photons \(ph_{1},ph_{2},\dots ,ph_{t}\) to the party \(P_{1}\) through the authenticated quantum channel.

Step 5. The party \(P_{1}\) executes the following procedures: {

• For \(j=1\) to t do {

  • If \(S_{1} [j]=1\), then apply an H gate operator to the jth single photon \(ph_{j}\);

  • If \(R_{1} [j]=1\), then apply a Pauli operator \(U_{y}\) to the jth single photon \(ph_{j}\). } }

Here, H and \(U_{y}\) are defined by [9],

Step 6. The party \(P_{1}\) sends all t single photons \(ph_{1},ph_{2},\dots ,ph_{t}\) to the party \(P_{2}\) through the authenticated quantum channel.

Step 7. After receiving all photons sent from the party \(P_{1}\), the party \(P_{2}\) executes the similar procedures of the party \(P_{1}\) and then sends all photons to the next party \(P_{3}\) through the authenticated quantum channel. In total, the process is repeated m times. Finally, the party \(P_{m}\) sends t single photons \(ph_{1},ph_{2},\dots ,ph_{t}\) back to the quantum cloud.

Please note that after receiving t single photons sent from the previous party, the party \(P_{i}\) executes the following procedures: {

• For \(j=1\) to t do {

• If \(S_{i} [j]=1\), then apply an H gate operator to the jth single photon \(ph_{j}\);

• If \(R_{i} [j]=1\), then apply a Pauli operator \(U_{y}\) to the jth single photon \(ph_{j}\). } }

Step 8. After receiving all t single photons, the quantum cloud measures each photon \(ph_{j}\) in the initial basis for \(j=1,2,\dots ,t\), and records all measured results.

Step 9. Post-processing: (1) Each party \(P_{i}\) (\(i=1, 2,\dots , m\)) opens his random bits \(S_{i} [j]\)s for \(j=1,2,\dots ,t\). (2) All parties publicly select out the useful js from \(j=1\) to t, where the useful condition of j must satisfy \(\sum_{i=1}^{m} S_{i} [j] \operatorname{mod}2=0\). Please note that the basis of the jth photon \(ph_{j}\) will not change when satisfying the useful condition (please see later correctness analysis for details). (3) All parties keep the useful events, in which the sequence number j satisfies the useful condition, and discard the rest (with the probability of \(\frac{1}{2}\)). (4) There are approximate \(k+ q\) ( i.e., \(\frac{1}{2} t\)) useful events in total. All parties randomly select out exactly k useful events as encoding events to compute the final result and the remaining about q useful events as checking events to check any dishonesty or eavesdropping. (5) Suppose that there are q checking events. The parties open the corresponding sequence number js of all q checking events and ask the quantum cloud to announce the initial quantum states and the measurement results of q checking events. After that, all parties open their respective random bits \(R_{i} [ j ]\)s (only) for all checking events. By all public \(R_{i} [ j ]\)s, the initial quantum states and the corresponding measurement results, all parties can determine whether there is any dishonest party or an outside eavesdropper. That is, if \(\sum_{i} R_{i} [ j ] =0\) (\(\sum_{i} R_{i} [ j ] =1\)), the measurement result should be the same (opposite) as the initial quantum state; otherwise there is a dishonest party or an eavesdropping adversary. If no dishonesty or eavesdropping was found, the parties continue to execute the next step, otherwise abort.

Step 10. Suppose that k encoding events kept to compute the final result are corresponding to the \(l_{1} \text{th}, l_{2} \text{th}, \dots , l_{k }\text{th}\) photon among all t photons, where \(l_{j} \in \{1,2,\dots , t \}\) and \(j \in \{1,2,\dots , k \}\). Then, all parties open the corresponding sequence number js of all k encoding events: \(l_{1}, l_{2}, \dots , l_{k}\). Each party \(P_{i}\) (\(i =1, 2,\dots , m\)) computes

for \(j =1,2,\dots , k\). Furthermore, each party \(P_{i}\) opens \(X_{i}^{*} [ l_{j} ]\). Please note that \(X_{i}^{*} [ l_{j} ] = ( X_{i} [ j ] + R_{i} [ l_{j} ] ) \operatorname{mod}2= X_{i} [ j ] \oplus R_{i} [ l_{j} ]\), which is the one-time pad method to encrypt \(X_{i} [ j ]\) since \(R_{i} [ l_{j} ]\) is random and private.

Step 11. The quantum cloud computes \(X^{*} [ l_{j} ]\) (\(j=1,2,\dots ,k\)) by

Furthermore, the quantum cloud performs the following procedures: {

1. (1)

   Let \(w=0\).

2. (2)

   For \(j=1\) to k do {

   • If the measured result of the \(l_{j}\)th photon \(ph_{l_{j}}\) is inconsistent with the initial state of the photon \(ph_{l_{j}}\) (later we will prove that it implies that \(\sum_{i =1}^{m} R_{i} [ l_{j} ] \operatorname{mod}2=1\)),

   • then \(w =( X^{*} [ l_{j} ] +1) \operatorname{mod}2\); //\(w = \sum_{i =1}^{m} X_{i} [ j ] \operatorname{mod}2\).

   • else \(w = X^{*} [ l_{j} ]\). //\(w = \sum_{i =1}^{m} X_{i} [ j ] \operatorname{mod}2\).

   • If \(w =1\), Return (w). }

   Return (0).}

Similarly, we assume there are m (\(m>2\)) parties: \(P_{1}, P_{2},\dots ,P_{i},\dots ,P_{m}\) in the following privacy-preserving QFMV protocol, where each party \(P_{i}\) has a secret \(Y_{i} \in Z_{N}\) and \(n =\log N\) (i.e., \(Y_{i}\) is an n-bit integer). Similarly, \(Y_{i} [j]\) represents the jth bit of \(Y_{i}\). The goal of the protocol is to find the maximum value \(Y_{\max}\) among all secrets \(Y_{1},Y_{2},\dots ,Y_{i},\dots \), and \(Y_{m}\) (i.e., \(Y_{\max} \in \{ Y_{1}, Y_{2},\dots , Y_{m} \}\) but \(Y_{\max} \geq Y_{i}\) for any i), while it must protect the privacy of all non-maximum secrets.

Step 1. Each party \(P_{i}\) (\(i=1,2,\dots ,m\)) generates an auxiliary array \(Y_{i}^{*}\) and sets \(Y_{i}^{*} = Y_{i}\) initially.

Step 2. All parties jointly execute the following procedures: {

For \(j=1\) to n do {

1. (1)

   All parties execute a quantum SMC_OR protocol with the help of the quantum cloud, where each party \(P_{i}\) (\(i=1,2,\dots ,m\)) privately inputs \(Y_{i}^{*} [j]\). Accordingly, the quantum cloud outputs and opens \(W[j]\), where \(W [ j ] = Y_{1}^{*} [ j ] \vee Y_{2}^{*} [ j ] \vee \cdots \vee Y_{m}^{*} [j]\).

2. (2)

   Each party \(P_{i}\) (\(i=1,2,\dots ,m\)) renews the auxiliary array \(Y_{i}^{*}\) according to the previous output \(W [ j ]\):

   If \(W [ j ] > Y_{i}^{*} [j]\) (i.e., \(W [ j ] =1\) and \(Y_{i}^{*} [ j ] =0\)), then set \(Y_{i}^{*} = \boldsymbol{0}\) (i.e., let all \(Y_{i}^{*} [j]\)s be equal to 0). // It implies that \(Y_{i}\) cannot be the maximum (please see Fig. 1).

   

   The Schematic of the proposed QFMV protocol

   Full size image

3. (3)

   \(j ++\). } }

Step 4. After executing n quantum SMC_OR protocols, the protocol finally outputs \(\{ W [ 1 ], W [ 2 ], \dots , W [ n ]\}\) as the bit string of the maximum value.

4.1 Correctness

The core idea of the proposed privacy- preserving QFMV protocol is to calculate bitwise OR operators of all private bit strings from left to right, i.e., from high to low. Initially, each bit string \(Y_{i}^{*}\) represents a private secret, i.e., \(Y_{i}\). As the calculations progress, increasingly, all parties, except one whose input is the maximum value, can determine that their private inputs are less than the maximum value, and accordingly, they will input 0 in later quantum SMC_OR protocols. That is, only the party with the maximum value retains all bits in his private bit string, while other parties renew their bits to ensure that each bit of them is less than or equal to the corresponding bit of the maximum value. So, it can finally output all bits of the maximum value. Here, we give a simple example, as shown in Fig. 1. From the example, we can see that the correctness of the proposed QFMV protocol is mainly guaranteed by quantum SMC_OR protocols. So, we further analyze the correctness of the quantum SMC_OR protocol as Theorem 1. In the following theorem, suppose that the number of one among m private inputs (i.e., \(x_{1}, x_{2},\dots , x_{m}\)) in the quantum SMC_OR protocol is p, where \(p\leq m\).

Theorem 1

If \(p=0\) or 1, then the quantum SMC_OR protocol is perfectly correct; If \(p\geq 2\), then it may give a wrong output 0, but the error probability \(\delta \approx \frac{1}{2^{k}}\), which is very small and negligible when k is large enough, e.g., \(k=10\).

Proof

(1) On the one hand, from Eqs. (1) and (2), we can easily get the following equations:

Furthermore, we consider all possible operators on a specific photon, e.g., \(ph_{j}\), as shown in Fig. 2.

The transmitting schematic of the single photon

Full size image

Suppose that the initial state of the photon \(ph_{j}\) is \(\vert \psi \rangle _{j}\). By previously prescribed procedures, when the photon \(ph_{j}\) finally comes back to the quantum cloud, its final state \(\vert \phi \rangle _{j}\) will be changed as

By Eqs. (5)–(7), we can further get

Here, \(l =0\) or \(l =1\). Furthermore, if j satisfies the useful condition, then \(\sum_{i} S_{i} [j] =0\operatorname{mod}2\), so

In addition, it gives

By Eqs. (10) and (11), we further know that for any useful event, the final state will remain the same as the initial state except for a global phase if the number of performing \(U_{Y}\) is even, otherwise it will change, but it keeps the same basis.

In turn, if the measured result of the jth photon \(ph_{j}\) by the quantum cloud is inconsistent with the initial state of the photon \(ph_{l_{j}}\), then \(\sum_{i =1}^{m} R_{i} [ j ] \operatorname{mod}2=1\), and \(\sum_{i =1}^{m} R_{i} [ j ] \operatorname{mod}2=0\) otherwise. That is, the single \(R_{i} [ j ]\) is private, but the quantum cloud knows the summation of \(\sum_{i =1}^{m} R_{i} [ j ] \operatorname{mod}2\).

Furthermore, by Eqs. (3) and (4), we can get

If \(\sum_{i =1}^{m} R_{i} [ j ] \operatorname{mod}2=1\), \(\sum_{i =1}^{m} X_{i} [ j ] \operatorname{mod}2=( X^{*} [ l_{j} ] +1) \operatorname{mod}2\), and \(\sum_{i =1}^{m} X_{i} [ j ] \operatorname{mod}2= X^{*} [ l_{j} ]\) otherwise. So, the equation of \(w = \sum_{i =1}^{m} X_{i} [ j ] \operatorname{mod}2\) is always true. In turn, the quantum cloud can deduce the value of \(\sum_{i =1}^{m} X_{i} [ j ] \operatorname{mod}2\) (i.e., w) by the public information and his recorded results.

(2) On the other hand, we further consider the following different cases that m inputs \(x_{1},\dots x_{i},\dots , x_{m}\) have p ones (i.e., p is the number of ones in all \(x_{i}\)s).

In the case of \(p =0\) (i.e., all \(x_{i}\)s are equal to 0):

Accordingly, all \(X_{i} [j]\)s are equal to 0. That is, \(w = \sum_{i=1}^{m} X_{i} [j] \operatorname{mod}2=0\) for all j. Since \(x_{1} \vee x_{2} \vee \cdots \vee x_{m} =0\), the output is correct.

In the case of \(p =1\):

There is just one \(X_{i^{*}}\) that \(X_{i^{*}} \neq 0\), so there is at least one j, such that \(w = \sum_{i=1}^{m} X_{i} [j] \operatorname{mod}2 = X_{i^{*}} [ j ] = 1\). That is, \(x_{1} \vee x_{2} \vee \cdots \vee x_{m} =w=1\). Therefore, the output is correct.

In the case of \(p =2\):

Suppose that \(x_{i_{1}} =1\) and \(x_{i_{2}} =1\). Accordingly, \(X_{i_{1}} \neq \boldsymbol{0}\) and \(X_{i_{2}} \neq \boldsymbol{0}\). Then, the total number of appropriate \(X_{i_{1}}\) and \(X_{i_{2}}\) is \(( 2^{k} -1)( 2^{k} -1)\). Furthermore, the final output \(w =1\) if \(X_{i_{1}} \neq X_{i_{2}}\), otherwise \(w =0\) (i.e., \(X_{i_{1}} = X_{i_{2}}\)). The number of possible \(X_{i_{1}}\) (i.e., \(X_{i_{1}} \neq 0\)) is (\(2^{k} -1\)). So, the error probability (i.e., \(X_{i_{1}} = X_{i_{2}}\)) is equal to

Obviously, when k is large enough, \(\delta \approx 0\). For example, if \(k=6\), \(\delta =0.01587\); if \(k=10\), \(\delta =0.00098\).

In the case of \(p =3\):

We consider the following error combinations: k rows (corresponding to \(j=1,2,\dots ,k\)) and p columns (corresponding to p array \(X_{i}\)s), where each column has at least one “1” (i.e., the corresponding \(X_{i} \neq 0\)) and each row has zero “1” or two “1”s, i.e., \(w = \sum_{i=1}^{m} X_{i} [j] \operatorname{mod}2=0\). However, \(x_{1} \vee x_{2} \vee \cdots \vee x_{m} =1\). Furthermore, by the possible 1s in each row, we can deduce that the error probability satisfies the following condition:

Similarly, when k is large enough, \(\delta \approx 0\). For example, if \(k=6\), \(\delta <0.01638\); if \(k=10\), \(\delta <0.00098\).

By analogy, we can easily deduce that other more general cases for any p:

Please note that \(C_{p}^{0} + C_{p}^{1} + C_{p}^{2} +\cdots + C_{p}^{p} = 2^{p}\) and \(C_{p}^{i} = C_{p-1}^{i-1} + C_{p-1}^{i}\). Therefore, when k is large enough, δ is negligible. That is, the proposed quantum SMC_OR protocol is approximatively correct. □

4.2 Security

According to the proposed QFMV protocol, all parties jointly compute the bitwise OR operators of their respective private inputs (see Fig. 1). So, the security of the proposed QFMV protocol is guaranteed by that of the proposed quantum SMC_OR protocol. In the following theorem, we will prove that our proposed quantum SMC_OR protocol is information-theoretically secure in the semi-honest model.

Theorem 2

The proposed quantum SMC_OR protocol is information-theoretically secure, when all parties honestly execute the protocol.

Proof

Before publishing the random bit \(S_{i} [ j ]\), each party \(P_{i}\) performs two quantum operators \(U_{Y}^{R_{i} [j]} H^{S_{i} [j]}\) on the jth photon \(ph_{j}\), that is, he encrypts each transmitted qubit (e.g., the single-photon \(ph_{j}\)) by using two random and secret bits (i.e., privately performing two quantum operators \(U_{Y}^{R_{i} [j]} H^{S_{i} [j]}\) on the photon \(ph_{j}\)). Similarly, it is a perfect quantum encryption [22], which is information-theoretically secure.

By Ref. [22], the quantum protocol is information-theoretically secure if for every input state \(\rho _{\mathrm{in}}\), the output state \(\rho _{\mathrm{out}}\) is a totally mixed state. The relation of the input state \(\rho _{\mathrm{in}}\) and the output state \(\rho _{\mathrm{out}}\) is as follows:

Here \(\rho _{\mathrm{in}}\) is the density matrix of all possible t-qubit input states and \(U_{k}\) is the corresponding unitary operator applied to the input state.

For simplicity, we only analyze an arbitrary photon, e.g., \(ph_{j}\), in our protocol. Accordingly, we can get

So, after the party \(P_{i}\) performing the corresponding operators, the output state should be in

From Eq. (19), we can see that the output of the single-photon \(ph_{j}\) after the party \(P_{i}\) performing private operators is just a totally mixed state. So, anyone including the quantum cloud or the next party \(P_{i +1}\) cannot get any private information about the party \(P_{i}\)’s bits \(R_{i} [ j ]\) and \(S_{i} [ j ]\). That is, it is a perfect quantum encryption.

After completing the tests of q checking events, each party \(P_{i}\) computes and opens \(X_{i}^{*} [ l_{j} ]=( X_{i} [j]+ R_{i} [ l_{j} ])\operatorname{mod}2\), where \(R_{i} [ l_{j} ]\) is completely random and private. Clearly, it is a classical one-time pad.

In short, perfect quantum encryption and classical one-time pad can ensure the information-theoretical security of the proposed quantum protocols in the semi-honest model.

Furthermore, a dishonest party (e.g., \(P_{i -1}\)) can perform a collusion attack to eavesdrop on partial private information of the party \(P_{i}\) with the next party \(P_{i+1}\) as follows:

After the dishonest party \(P_{i-1}\) receives all t single photons, he prepares t two-photon Bell states and sends t photons of Bell states to the party \(P_{i}\) instead of the original t single photons. Without loss of generality, we only analyze a Bell state of two photons, e.g., \(\frac{ \vert 00 \rangle _{\mathrm{ab}} + | 11\rangle _{\mathrm{ab}}}{\sqrt{2}}\). For example, the dishonest party \(P_{i-1}\) sends the photon b to the party \(P_{i}\) instead of the real photon \(ph_{j}\), while he keeps the photon a in hands. Accordingly, the party \(P_{i}\) performs the following operators \(U_{Y}^{R_{i} [j]} H^{S_{i} [j]}\) on the photon b:

Later, the party \(P_{i}\) sends the photon b to the next party \(P_{i+1}\). To implement the collusion attack, the party \(P_{i+1}\) does nothing except send the photon b to the party \(P_{i-1}\). Finally, the party \(P_{i-1}\) performs a Bell-basis measurement on the two photons (a, b) so that it can deduce partial private information of the party \(P_{i}\). For example, if his measured result is \(\frac{ \vert 00 \rangle _{\mathrm{ab}} + | 11\rangle _{\mathrm{ab}}}{\sqrt{2}}\), then he can deduce that \(R_{i} [ j ] =0\) and \(S_{i} [ j ] =0\).

In particular, to resist this collusion attack, we add the tests of q checking events in our proposed protocol. Obviously, checking events can ensure the honesty of all parties and resist the outsider’s eavesdropping, which is similar to the decoy technology in QKD [23].

On the other hand, if the dishonest parties perform this attack, the final output must be wrong. So, in order to verify whether the final output is the maximum value among many secrets, we can add a commit protocol in the initial phase as follows:

Each party \(P_{i}\) (\(i =1,2,\dots , m\)) randomly selects an integer \(R_{i} \in Z_{N}\) and computes \(C_{i} = H ( R_{i} \oplus H ( R_{i} \oplus Y_{i} ))\), where \(Y_{i}\) is his secret and \(H (\boldsymbol{\cdot})\) is a hash function with strong collision-resistant. Then the party \(P_{i}\) submits \(C_{i}\) to the quantum cloud by the classical channels. That is, the party \(P_{i}\) commits \(Y_{i}\) to the quantum cloud, but no one can get \(Y_{i}\) only from \(C_{i}\) without \(R_{i}\).

Later, when the quantum cloud outputs the maximum value \(Y_{\max}\), the party \(P_{\max}\) with the maximum value \(Y_{\max}\) opens his secrets \(Y_{\max}\) and \(R_{\max}\). Finally, the quantum cloud can verify its correctness by determining whether the following equation is true or not:

If there is no any party to claim the maximum value, it shows the output result is wrong.

According to the above analysis, if all parties honestly execute the protocol, it will output the final result rightly. In turn, any eavesdropping or dishonesty can be easily detected by public comparisons in checking events. Accordingly, no coalition of dishonest parties can harm any honest party without being detected. Furthermore, all parties in our protocol are perfect peer and execute the same procedures. Therefore, the proposed quantum SMC_OR protocol can achieve the fairness.

In addition, like most existing multiparty quantum computations, our proposed quantum SMC_OR protocol needs authenticated quantum channels, which can ensure the authenticity of quantum resources and participant identities. In principle, we may combine quantum authentication technologies [24] with classical authentication technologies [25] to implement various authentications in quantum channels. □

4.3 Performance

The proposed quantum SMC_OR protocol takes single photons as quantum resources and accordingly needs single-photon-based operators (i.e., \(U_{Y}\) and H) and measurements. Suppose that there are m parties. Then, it needs to transmit \(2(k+q)m\) qubits. So, the communicational complexity is \(O(km)\). Furthermore, we assume that the bit length of each secret in the proposed QFMV protocol is n. So, it needs to call the proposed quantum SMC_OR protocol n times. Accordingly, our proposed QFMV protocol’s communicational complexity is \(O(kmn)\).

Furthermore, we simulate the proposed quantum SMC_OR protocol in Qiskit of IBM (Qiskit-0.23.2; Python-3.8.6; OS-Linux). First, we verify the correctness of this protocol in different instances, i.e., the different parameters: k, p and m. For example, \(k=7\), \(p=5\) and \(m=11\). The detailed circuits of this instance are shown in Fig. 3. Then, we focus on the error rate (i.e., the error probability δ) of proposed SMC_OR protocol with different values of k and p.

Quantum circuits of an instance of SMC_OR

Full size image

The curve charts in Fig. 4 show the relationships between the error rate and the parameter p when k takes different values. In our simulation experiments, suppose that there are 10 parties and they jointly compute the SMC_OR protocol 60000 times for each k, where each input is random in each time. From Fig. 4, we can see that the error rate mainly depends on the values of k when \(p\geq 2\), and it is approximatively equal to 0 when \(k=10\). In short, our simulation experiments verify the correctness and the feasibility of the proposed quantum SMC_OR protocol.

Curve charts of the error rate with different parameters

Full size image

At present, we do not consider quantum noise and loss of photons in our proposed quantum protocols. Obviously, we can increase the number of transmitting single photons (i.e., t) in practical applications and adopt classical error-correction technology to avoid these problems. In addition, when the parties are far apart, we may deploy a quantum repeater at each party, which is used to forward private and unknown states of photons based on teleportation.

In a word, it is feasible to implement our proposed quantum protocols with the present quantum technologies.

In this paper, we first designed a feasible quantum protocol with the help of a quantum cloud to privately compute the logic operator “OR”, which takes single photons as quantum resources and only needs to perform single-photon operators and measurements. Furthermore, we first presented a novel quantum approach to privately find the maximum value among many secrets based on the proposed quantum SMC_OR protocol.

In our proposed quantum protocols, we build a perfect quantum encryption and combine the perfect quantum encryption with the classical one-time pad to perfectly protect the privacy of each input. Therefore, there are good application prospects of our proposed protocols in emerging computations, e.g., outsourcing quantum cloud computing and quantum federated learning. Especially, as a building block, quantum SMC_OR protocol can be utilized to privately compute more complex Boolean functions.

In a word, the proposed quantum protocols show that we can also design sophisticated and flexible cryptographic protocols based on quantum physics as mathematic cryptography, not just QKD. In future work, we will further focus on the feasibility of proposed quantum protocols, e.g., considering weak coherent pulses instead of single photons.

Not applicable.

The authors would like to thank the editor and the referees for carefully reading the paper, and for their useful comments which helped improve the paper.

This work was supported by National Natural Science Foundation of China (No. 61772001).

Authors and Affiliations

1. School of Control and Computer Engineering, North China Electric Power University, Beijing City, 102206, China

   Run-hua Shi & Yi-fei Li

Contributions

RHS contributed to the initiation of the research and was a major contributor in writing the manuscript. YFL implemented circuit simulations and contributed to the comment and revision of the manuscript. All authors read and approved the final manuscript.

Corresponding author

Correspondence to Run-hua Shi.

Ethics approval and consent to participate

Not applicable.

Consent for publication

Not applicable.

Competing interests

The authors declare that they have no competing interests.

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions