 Research
 Open Access
 Published:
Quantum anonymous veto: a set of new protocols
EPJ Quantum Technology volume 9, Article number: 14 (2022)
Abstract
We propose a set of protocols for quantum anonymous veto (QAV) broadly categorized under the probabilistic, iterative, and deterministic schemes. The schemes are based upon different types of quantum resources. Specifically, they may be viewed as single photonbased, bipartite and multipartite entangled statesbased, orthogonal statebased and conjugate codingbased. The set of the proposed schemes is analyzed for all the requirements of a valid QAV scheme (e.g., privacy, verifiability, robustness, binding, eligibility and correctness). The proposed schemes are observed to be more efficient in comparison to the existing QAV schemes and robust up to the moderate decoherence rate. In addition, a tradeoff between correctness and robustness of the probabilistic QAV schemes is observed. Further, the multipartite dense coding based deterministic QAV scheme is most efficient scheme among the set of schemes proposed here. A bipartite entanglement based iterative scheme employing dense coding is yet another efficient and practical scheme. The intrinsic connections between dining cryptographernet with anonymous vetonet is also explored in the process of designing new protocols.
1 Introduction
Everyday humans have to deal with conflicting issues which demand making some choices and in modern societies, voting is an integral part of those decision making processes. In simple words, everyone having a stake exercises the possible choice of option and finally a decision is arrived at. In most of the cases, the outcome of the voting is based on the majority voting outcome. But sometimes there may be situations where a split outcome is not desireable as the consequences may be too high. So, it is required that any decision that is taken is arrived at by a consensus only. For instance, a verdict for the capital punishment cannot be adjudged only on the majority view of the judges as no judicial system is perfect, and the life of the accused cannot be revived in view of evidences to acquit him posthumously. In such a case, capital punishment is overturned even if one of the judge dissents. Similarly, in big corporations, shareholders may like to exercise their votes before making some crucial decisions. Some of the stakeholders may collude to influence the decision to sabotage the stakes of their rivals. Such a situation naturally desires a process in which the decision is made by consensus. The most glaring example is the United Nations security council resolutions, in which a proposal is rejected at once if one or more of the P5 countries exercise(s) its veto power. Therefore, veto empowers a voter in the voting process to reject a proposal unilaterally. In other words, a proposal is rejected even if one of the voters does not approve the proposal, and thus a decision can only be made unanimously. Usually in the veto scheme, the group of voters is limited and no one would like to reveal their identity after exercising the veto as it may have some repercussions. Therefore, the useful information is only a single bit, i.e., whether the decision is made by consensus or not decision has been reached (which means someone vetoed the proposal in the latter case).
With the advent of quantum enabled technologies, certain tasks are achievable, which were not possible otherwise with the use of classical resources only; e.g., the current classical and postquantum cryptographic systems exploit the mathematical complexity associated with the process of solving certain problems assumed to be hard on classical computers [1]. However, many such cryptographic systems are vulnerable to a scalable quantum computer, which can implement quantum algorithms to solve these respective problems efficiently [1, 2]. In contrast, with the advent of quantum cryptographic schemes, such as BB84 [3] and E91 [4] quantum key distribution (QKD) protocols, quantum mechanics equipped us with the feasibility of unconditional secure communication. Here, unconditional security corresponds to the fact that it’s based on the laws of physics governed by quantum mechanics and is not conditioned on the computational power available to an adversary. This motivated a host of new protocols for secure quantum communication and/or quantum computation. Specifically, secure quantum computation comprises the features of both computation and communication as it enables us to compute a multivariable function, with each input provided by different individuals, in such a way that the inputs are not disclosed. Quantum solutions for the tasks, such as secure multi party computation [5, 6], private comparison [7, 8], auctions [9–11], provide examples of situations where quantum advantage is obtained in the field of secure computation. This also inspired the use of quantum resources in the field of voting as it requires features such as anonymity, verifiability and security from tampering. In 2006, the first set of quantum voting protocols was proposed using quantum entangled states [12, 13]. Since then a large number of new protocols for anonymous voting have been designed, but an unconditionally secure and practical quantum voting protocol has remained elusive till this date [14–18]. More recently, there has been a heightened interest in the quantum anonymous voting protocols with a flurry of papers [19–32]. These voting schemes can be classified in different categories on the basis of required quantum resources, nature of ballots, number of candidates, conditions to be satisfied, and so on.
One such interesting voting scheme is an anonymous veto (AV) protocol, which has not been studied much. Specifically, Rahman and Kar introduced the idea of quantum solution for AV using GHZ states to implement privacy while casting a veto [33]. The idea was to explore the interconnections between the dinning cryptographers (DC) net problem and AV net problem [34]. The idea of DC nets was introduced in 1988 to illustrate a scheme in which parties can send messages with cryptographically secure nontraceability [35]. Specifically, DC nets are based on establishing the secret keys (between every pair of the parties) as one of the primitives. Since then DC nets have been used as one of the possible ways to implement anonymous broadcasting of the messages. In 2021, analogous to [33], a new quantum AV (QAV) protocol based on nparty GHZ states was proposed with a proof of principle experiment on quantum computer placed on cloud by the IBM Corporation for four voters [32]. However, the scheme in [32] is neither practical nor efficient, which motivated us to propose some QAV protocols based on different quantum states. Specifically, we propose here the protocols for QAV scheme using single photon, Bell state, GHZ and cluster state, which can be implemented between voters equipped with different kinds of quantum resources. In the present work, we have also been able to show the intrinsic connections between the AV nets and DC nets. In view of some recent works, we expect the applications of our QAV protocols for the implementation of sealed bid auctions [36].
The rest of the paper is structured as follows. In Sect. 2, we introduce the basic ideas and nomenclature used in the present work. Subsequently, we begin with reviewing the existing schemes of QAV with their limitations in Sect. 3 followed by our new set of QAV schemes in Sect. 4. We present the security and efficiency analysis of the proposed schemes in Sects. 5. And finally, we summarize the results in Sect. 6.
2 Basic notations and definitions
Definition 1
An AV protocol of n voters returns \(\mathcal{V}_{n}=0\) if all the voters support the proposal and \(\mathcal{V}_{n}=1\) otherwise. In other words, an n input function \(\mathcal{V}_{n}\in\{0,1\}\) is computed as
where the ith input \(\mathcal{W}_{i}\in\{0,1\}\) is supplied by the ith voter, and the logical OR operation \(\lor_{i}\) performed over all the i inputs returns 0 only when all the inputs are 0. Thus, \(\mathcal{V}_{n}=0\) or 1 provides whether \(k=0\) or \(k\neq 0\) number of voters veto the proposal among all the n voters, respectively.
2.1 Requirements of anonymous veto protocol
Any AV protocol must conform to the following requirements in order to be classified as a good voting scheme [12, 13, 37].
 Eligibility::

No one except the authorized voters shall be allowed to vote.
 Privacy::

It means that nobody except the voter should be able to know how a particular voter has voted.
 Binding::

No one (including the voter himself) can change the vote \(\mathcal{W}_{i}\) after its submission.
 Correctness::

If the adversary is passive, then the result bit \(\mathcal{V}_{n}=0 {\iff} \mathcal{W}_{i}=0\) ∀i is generated. In other words, it means that after faithfully following the protocol, one is able to successfully detect a veto or unanimous agreement with probability 1.
 Verifiability::

All the participants can verify the result \(\mathcal{V}_{n}\).
 Robustness::

If the adversary is passive, then the result bit \(\mathcal{V}_{n}=i\) \(\forall i\in\{0,1\}\) is generated. It means that the system obtains the result if adversary is passive, i.e. under the effect of the noise in the systems.
2.2 Authentication using quantum digital signatures
The first and foremost thing in any voting scheme is to provide a mechanism to establish that only genuine and eligible voters are allowed to take part in the voting process. It can also be referred to as prevoting stage. Various classical authentication schemes are available for the verification of the authenticity of a voter, but the security of such schemes is usually based on computational complexity only. Here, we will be using a quantum digital signature scheme based on BB84 states as proposed in [38] to verify the authenticity of the eligible voters. Suppose, there is a trusted central authority (CA) who will verify the credentials of the voters. After verification, the voter is registered and asked to generate his digital signature. The voter then sends a sufficiently long sequence of BB84 states (\(\vert 0 \rangle, \vert 1 \rangle, \vert + \rangle, \vert  \rangle\)) to CA where, \(\vert + \rangle = \frac{1}{\sqrt{2}} \{ \vert 0 \rangle + \vert 1 \rangle \}\) and \(\vert  \rangle = \frac{1}{\sqrt{2}} \{ \vert 0 \rangle  \vert 1 \rangle \}\). CA receives the states and measures them randomly in the computational basis (\(\vert 0 \rangle, \vert 1 \rangle\)) or Hadamard basis (\(\vert + \rangle, \vert  \rangle\)). After the measurement, CA eliminates one of the BB84 states that the voter must have never sent. For instance, if CA’s measurement outcome is \(\vert 0 \rangle\) then it infers the voter has not sent \(\vert 1 \rangle\). The measurement outcomes of CA thus form an eliminated signature of the voter. The voting stage and prevoting stage can separated by a considerable time gap, so it becomes important to ensure that only registered voters are allowed to take part in the voting after proving their credentials. During the voting stage for the purpose of authentication, each voter will reveal to CA the choice of BB84 states (digital signature) that they have sent in the prevoting stage. CA will then verify the digital signature with the eliminated signature of the voter and if the number of mismatches is lesser than a particular threshold then the authentication of the voter is validated. After authentication, the voter is allowed to take part in the voting process for casting the vote.
2.3 Decoy state based eavesdropping checking techniques
In quantum cryptography, security is achieved by obtaining an upper bound on the information accessible to Eve by checking the error rates in the transmission of qubits. This is based on the fact that any eavesdropping attempt leaves detectable traces at the receiver’s end. Therefore, some verification qubits, known as decoy qubits [39], are inserted randomly in the string of qubits before transmission to be used for parameter estimation. In other words, for the secure transmission of t qubits through a channel accessible to Eve an additional δt decoy qubits are inserted. The factor of \(\delta > 0\) is decided to achieve the desired level of security. For example, it is shown that the probability of obtaining more than \((\Delta+\epsilon) t \) errors in the transmitted qubits (such that \(\Delta>0,\epsilon>0\))for \(\Delta \delta t\) errors on the decoy qubits is asymptotically less than \(\exp[O(\epsilon^{2} t)]\) for \(\delta=1\) [40]. It is to be mentioned that the decoy state technique described in this section is different from that introduced by Lo et al. [41] based on use of different intensities of coherent light pulses used in QKD.
Decoy state based eavesdropping checking techniques may be broadly categorized on the basis of nature of verification qubits as follows ([39] and references therein).

1.
BB84 subroutine: The set of BB84 states is inserted by the sender in the travel qubits randomly and the receiver measures them after the sender informs him the position and the basis chosen to prepare the state. All the errors in the measurement outcome (including due to transmission noise) when compared with the state prepared are attributed to the eavesdropping attempt. The name suggests that security comes from Eve’s inability to measure a quantum state in mutually unbiased bases without leaving detectable traces.

2.
GV subroutine: Multiple copies of one of the entangled states (say a Bell state) are used as decoy states while the position of the entangled particles is kept secret while transmission. This geographical separation of entangled qubits restricts Eve from measuring the state in the publicly known basis. An eavesdropping attempts leads to entanglement swapping and detectable traces as errors in the receiver’s port.
It would be worth mentioning here that in semiquantum cryptography a twoway communication of the decoy qubits is involved as a classical user reflects all the decoy qubits as he is restricted to measure in the computational basis only. Thus, in what follows, a secure transmission of qubits is performed using decoy state based eavesdropping checking technique.
3 Existing protocols and their limitations
We briefly review two quantum anonymous veto protocols, and mention some of their limitations. Specifically, we summarize a quantum anonymous veto protocol proposed by Rahman and Kar (RK) referred to as RKQAV protocol [33], which motivated Wang et al.’s scheme [32] referred to as WQAV protocol.
3.1 Iterative QAV protocol: RKQAV protocol
Rahman and Kar [33] proposed RKQAV protocol using the properties of multiple copies of nqubit GHZ states [42] shared among n voters \(V_{i}\) \(\forall i\in \{0,1,\dots,n1 \}\). Without loss of generality, we assume that \(0\leq k\leq n\) voters veto the proposal. The steps involved in the protocol based on generalization of dining cryptographers protocol can be briefly mentioned as follows:
 RKQAV 1::

l (\(l \ge 2\)) ordered copies of nqubit GHZ states
$$ \vert \chi\rangle_{j} = \frac{1}{\sqrt{2}} \bigl( \bigl\vert 0 \rangle^{\otimes n} + \bigr\vert 1 \rangle^{\otimes n}\bigr)\quad \forall j= 0,1,\dots,l1 $$(2)are shared among the n voters in such a manner that each voter receives one qubit of each of the GHZ states.^{Footnote 1} They check the shared correlations by verifying GHZtype paradox.
 RKQAV 2::

All the voters select one of the shared l copies of the GHZ state randomly for encoding (say mth copy). k voters perform a unitary operation \(\sigma_{z}\) on his qubit of the mth GHZ state while the rest of the \(nk\) voters do nothing.
 RKQAV 3::

If the final state of the mth GHZ state remains unchanged, i.e., they obtain \(\vert \chi \rangle_{m}\) on GHZ measurement, it corresponds to either \(k=0\) or k is nonzero even number. However, in case of odd k, the final joint state will be orthogonal to the initial state, i.e.,
$$ \vert \chi\rangle^{\perp}_{m} = \frac{1}{\sqrt{2}} \bigl( \bigl\vert 0 \rangle^{\otimes n}  \bigr\vert 1 \rangle^{\otimes n}\bigr). $$(3)This allows the voters to distinguish whether an odd number of voters have vetoed the proposal (for \(\vert \chi\rangle^{\perp}_{m}\)) or an inconclusive outcome (for \(\vert \chi\rangle_{m}\)) is obtained. For the final joint state \(\vert \chi\rangle_{m}\) no conclusion can be made as the state can be obtained in following cases: (a) all are in ‘favour’ of the proposal or (b) an even number of voters have vetoed the proposal.
In case of conclusive outcome \(\vert \chi\rangle^{\perp}_{m}\) they have accomplished the desired task, while for an inconclusive outcome \(\vert \chi\rangle_{m}\) they proceed with the protocol. To distinguish between the two cases of an inconclusive outcome (a) \(k=0\) and (b) k nonzero even number, they repeat the next step for a few iterations.
 RKQAV 4::

In the \(t^{th}\) (for \(t\geq 1\)) iteration,^{Footnote 2}k voters apply a unitary operation {\sigma}_{z}(t)=(\begin{array}{cc}1& 0\\ 0& exp(i\pi {2}^{t})\end{array}) to convey they are against the proposal, while \(nk\) do nothing, on their respective qubits of the randomly chosen GHZ state among the remaining \(lt\) copies.
In each iteration, if their measurement outcome results \(\vert \chi\rangle\) then \(2^{t}k\) is even (including zero), while the final state \(\vert \chi\rangle^{\perp}\) corresponds an odd value of \(2^{t}k\).
They truncate this iteration until either the measurement outcome is \(\vert \chi\rangle^{\perp}\) or they get \(\vert \chi\rangle\) for \(k=0\) conclusively.
 RKQAV 5::

Since, the total number of voters is finite and after every round we eliminate half of the possibilities, so after a finite number of steps one can detect whether there is any unanimity ‘in favor’ of the decision or at least one voter has vetoed the proposal.
RKQAV protocol provided an initial idea to implement AV using quantum states, but this protocol was not mature (due to a large number of loopholes) to be implemented with real systems. Specifically, in the original proposal of RK, it was not mentioned who is responsible for the generation and distribution of the GHZ states. Nothing was stated about how and who will have the responsibility to distinguish between the GHZ states \(\vert \chi\rangle\) and \(\vert \chi\rangle^{\perp}\). Further, no elaborate security analysis of the protocol with respect to an ideal quantum voting protocol was reported. Additionally, the implementation of the protocol requires a maximum of \(\sim(1+\log_{2} n)\) number of iterations to yield a conclusive outcome \(\mathcal{V}_{n}\), so we refer to this scheme as iterative QAV protocol.
3.2 Probabilistic QAV protocol: WQAV protocol
Wang et al. [32] further improved the RKQAV protocol and presented a new and mature mechanism (WQAV). Similar to RKQAV, this protocol utilizes the GHZ state, while allows measurement by voters in the computational (\(\{\vert 0 \rangle, \vert 1 \rangle\}\)) and diagonal (\(\{\vert + \rangle, \vert  \rangle\}\)) basis in addition of single qubit unitary operations, i.e. \(\sigma_{z}\) and Hadamard gate. In this case, the quantum voting network consists of n voters \(V_{i}\) \(\forall i\in \{0,1,\dots,n1 \}\) which is controlled by a semihonest central authority (CA).
The steps involved in the protocol can be briefly described as follows:
 WQAV 1::

CA authenticates every voter and shares a binary key \(B_{i} = \{b_{ij}\}_{j=0,1, \dots,l1}\) of lbits using any QKD protocol, such as BB84 protocol [3], with the ith voter \(V_{i}\).
 WQAV 2::

CA distributes l ordered copies of nqubit GHZ states (2) in a secure manner such that each voter receives a qubit of entangled states.
 WQAV 3::

Only if each voter finds the error rate in the eavesdropping check below the threshold error, they proceed with the protocol and each voter \(V_{i}\) possesses l ordered particles given by \(S_{i}=\{s^{i}_{j}\}_{j=0,1,\dots,l1}\).
 WQAV 4::

Each voter encodes their voting information. Specifically, k voters perform a local phase flip gate \(\sigma_{z}\) to every particle \(s^{i}_{j}\) with probability \(1/2\), while the rest of the \(nk\) voters do nothing.
 WQAV 5::

Voter \(V_{i}\) applies a Hadamard operation on his set of particles \(S_{i}\) before measuring them in the computational basis. This will result in the generation of l ordered intermediate data sequence \(T_{i} = \{t_{ij}\}_{j=0,1,\dots,l1}\) for each voter \(V_{i}\).
 WQAV 6::

Every voter \(V_{i}\) then transmits his data sequence \(T_{i}\) to CA via the use of the shared secret key \(B_{i}\) with CA. Specifically, the data sequence received by CA from each voter is \(Y_{i}= T_{i}\bigoplus B_{i} = \{y_{ij} = (t_{ij} +b_{ij}) \operatorname{mod} 2\}_{j=0,1,\dots,l1} \).
 WQAV 7::

CA then calculates \(\{R_{j}\}_{j=0,1,\dots,l1}= Y_{i}\bigoplus B_{i}\) with
$$ R_{j}= \sum^{n1}_{i=0} (y_{ij} + b_{ij} ) \operatorname{mod} 2. $$(4)  WQAV 8::

If CA gets at least one \(R_{j} \ne 0\), then at least one voter has vetoed the proposal. In other words, \(\mathcal{V}_{n}=0 \Leftrightarrow R_{j}=0\) ∀j. The probability for CA to successfully detect a veto is given by \((1{2^{l}} )\). This is due to the fact that if \(k=0\) then the number of outcomes “1” in the sequence \(\{t_{0,j},t_{1,j}, \dots, t_{n1,j} \}\) for every \(j=0,1,\dots,l1\) is even. However, if at least one voter has vetoed the protocol, then the probability of successfully getting “1” for each \(R_{j}\) is 1/2.
WQAV protocol has elaborately discussed the mechanism for secure distribution of shared GHZ states and have discussed the security analysis. Further, it has been proved that this protocol satisfies the essential requirements of any secure voting protocol. The disadvantage of WQAV is that it requires a large amount of quantum resources. For example, the CA has to generate l bit keys with all the voters using QKD/quantum key agreement (QKA) protocol which will require additional resources. Further, the n party GHZ state is difficult to generate and maintain, and here l copies of such a state are required. Only ideal cases have been considered while a practical protocol should be robust against noise. Specifically, due to the effect of noise the correlations in GHZ states will reduce, which may lead to false veto or vice versa. The scheme, although achieving the task in a single iteration, remains a probabilistic QAV protocol unless l is large. Further, there is no discussion on the possibilities of improving the efficiency or robustness of the protocol.
4 New protocols for quantum veto
The field for development of unconditionally secure AV protocol using quantum resources is still at a nascent stage. In the following, we propose a few protocols in order to implement AV scheme using the optimal utilization of quantum resources and perform their security analysis. Specifically, we divide the proposed schemes in three broad categories: (i) probabilistic QAV, (ii) iterative QAV, and (iii) deterministic QAV protocols.
4.1 Probabilistic QAV protocols
We assume that we have a quantum voting network with a semihonest central authority CA (unless stated otherwise) and n voters \(V_{i}\)s. The semihonest model ensures that CA faithfully follows all the protocol specifications, but may try to gain additional private information about other participants. Without loss of generality, we may assume that \(0\leq k\leq n\) voters veto the proposal.
4.1.1 QAV1: quantum key distribution/key agreement based QAV protocol
A probabilistic QAV protocol, which uses the complete graph structure (Fig. 1(a)) can be proposed using any of the existing protocols for QKD or QKA. Specifically, the dashed lines in Fig. 1(a) in the tree structure represent classical communication, while the smooth lines correspond to the quantum transmission. The steps involved in this protocol (QAV1) are as follows:
 Step 1.1:

CA verifies the validity of every voter \(V_{i}\) by using the method of quantum digital signature described in Sect. 2.
 Step 1.2:

Voter \(V_{i}\) generates a l bit symmetric key \(V^{ij}=\{ v^{ij}_{l'} \}_{j\neq i}\) \(\forall i,j=0,1,\dots,n1\) with \(v^{ij}_{l'} \in \{ 0,1\}\), and \(l'=0,1,\dots,l1\) with voter \(V_{j\neq i}\) using a QKD or QKA protocol.
 Step 1.3:

Voter \(V_{i}\) computes his sequence \(V^{i}_{l'}=\sum^{n1}_{j=0,j\neq i} v^{ij}_{l'} \operatorname{mod} 2\) for every bit value of \(l'\). All \(nk\) voters in favour of the proposal announce \(V^{i}_{l'}\), while k voters either publicly announce \(V^{i}_{l'}\) or apply a not gate to \(V^{i}_{l'}\) before publicly announcing with an equal probability.
 Step 1.4:

CA will compute the sequence \(S_{l'}= \sum^{n1}_{i=0} V^{i}_{l'} \mathrm{mod}2\) for every \(l'=1,2,\dots,l\).
 Step 1.5:

Thus, \(\mathcal{V}_{n}=0 \Leftrightarrow S_{l'}=0\) \(\forall l'\). If at least one of the voter has used his veto power, then CA will get at least one of the \(S_{l'} \ne 0\) and the success probability of detecting a veto is given by \(12^{l}\).
An important point to be mentioned here is that the role of CA in this protocol is only for the authentication of the eligible voters. Thus, this protocol can be implemented without CA if the voters have the ability to authenticate each other. The protocol described above has a similar structure to that of the DC net as this also requires to establish symmetric keys between all the pairs of voters before the voters can start casting their votes. Further, in principle, all the voters can use different types of quantum resources to share the keys among them, such as using single photon based [3, 43], orthogonal state based [44], entangled state based [4, 45], counterfactual [46], semiquantum [47], continuous variable [48] QKD and/or QKA [49, 50], which will give the corresponding flavor to the proposed QAV scheme. Thus, this protocol is general in nature and actually represent a family of protocols which can be reduced to a specific protocol by choice of specific scheme(s) of QKD/QKA. The above fact is established by providing three protocols (cf. QAV2QAV4), which can be viewed as specific protocols reduced from a more general protocol described here. In principle, each pair of voters can choose different QKD/QKA scheme independently, which will result in a hybrid QAV scheme.
4.1.2 QAV2: Bell state based probabilistic QAV protocol
This protocol too involves the arrangement of voters in a tree structure as shown in Fig. 1(a) and shows that the same task performed by WQAV protocol can be accomplished using solely bipartite entanglement, which is much easier to be produced and maintained. Specifically, the dashed lines in Fig. 1(a) in the tree structure represent quantum communication, while the smooth lines correspond to the shared entanglement. The steps involved in this protocol (QAV2) are as follows:
 Step 2.1:

Same as Step 1.1 of QAV1.
 Step 2.2:

CA securely distributes l Bell states \(\vert \phi \rangle = \frac{1}{\sqrt{2}} (\vert 00 \rangle + \vert 11 \rangle) \) for each pair of the voters in a secure manner, i.e., voter \(V_{i}\) shares l copies of \(\vert \phi \rangle\) states with each of the \(n1\) other voters.
 Step 2.3:

Same as WQAV 3, but here \(V_{i}\) possesses l strings of \(n1\) ordered particles given by \(\{s^{ij}_{l'} \}_{j\neq i}\) \(\forall i,j=0,1,\dots,n1\) with \(l'=0,1,\dots,l1\).
 Step 2.4:

Same as WQAV 4.
 Step 2.5:

Similar to WQAV 5, Voter \(V_{i}\) measures all the qubits in the computational basis after performing a Hadamard operation and obtains l binary sequences of \(n1\) bits given by \(\{ v^{ij}_{l'} \}_{j\neq i} \) \(\forall i,j=0,1,\dots,n1\) with \(v^{ij}_{l'} \in \{ 0,1\}\).
 Step 2.6:

Similar to WQAV 6, Voter \(V_{i}\) computes his sequence \(V^{i}_{l'}=\sum^{n1}_{j=0,j\neq i} v^{ij}_{l'} \operatorname{mod} 2\) for every bit value of \(l'\). Subsequently, Voter \(V_{i}\) publicly announce his data sequence \(V^{i}_{l'}\).
 Step 2.7:

Similar to WQAV 7, CA (in principle, all the voters) calculates the \(\{R_{l'}\}\) with \(R_{l'}= \sum^{n1}_{i=0} V^{i}_{l'}\operatorname{mod} 2\).
Thus, \(\mathcal{V}_{n}=0 \Leftrightarrow R_{l'}=0\) \(\forall l'\) and if CA gets at least one \(R_{l'} \neq 0\), then \(k>0\). Similar to WQAV and QAV1, the probability for CA to successfully detect a veto is given by \((12^{l} )\).
The protocol described above has a very close resemblance with the DCnet problem with regards to its advantages and disadvantages. The main disadvantage of this protocol is that we need to a minimum of \(l \times ^{n}C_{2}\) ^{Footnote 3} copies of Bell states which would consume a considerable amount of quantum resources. However, it does address the practical challenges in preparation of multipartite entangled state and robustness of WQAV protocol.
4.1.3 QAV3 and QAV4: alternative protocols of QAV for voters with limited resources
QAV1 can be easily modified to be implemented by the parties with unique quantum resources/abilities. For example, using an orthogonal state based QKA scheme [49] between each pair of voters completely orthogonal state based QAV protocol is proposed here. The feasibility of GV protocol [44] established that the unconditional security of quantum cryptography can be achieved using solely orthogonal states. This is achieved by making the basis of preparation of the state inaccessible to the eavesdropper by using temporal or geographical splitting of different quantum pieces. We briefly describe the modification in Step 1.2 of QAV1 to design an orthogonal state based protocol (QAV3), while the rest of the steps remain unchanged.
 Step 3.2.1:

\(V_{i}\) generates \(\frac{l}{2}\) Bell states \(\vert \phi \rangle\) to be shared with voter \(V_{j\neq i}\) and forms two ordered sequences of all the first qubits \(H^{ij}=\{h^{ij}_{l'} \}_{j\neq i}\) and second qubits \(T^{ij}=\{t^{ij}_{l'} \}_{j\neq i}\) with \(l'=0,1,\dots,\frac{l}{2}1\). Similarly, all the set of voters \(i,j=0,1,\dots,n1\) prepare the home and travel sequences \(H^{ij}\) and \(T^{ij}\), respectively.
All the voters \(V_{i}\) prepare a random lbit sequence \(K^{ij}= \{k^{ij}_{l'} \}_{j\neq i}\), where \(k^{ij}_{l'} \in \{0,1 \} \), to share the rest of the voters \(V_{j\neq i}\).
 Step 3.2.2:

\(V_{i}\) concatenates some Bell states to \(T^{ij}\) and applies a permutation operator to the enlarged travel sequence \(T^{ij}_{1}\) before sending them to \(V_{j}\). \(V_{i}\) reveals the correct order of sequence only after he receives an authenticated acknowledgment of the receipt of qubits from \(V_{j}\).
 Step 3.2.3:

If the error rate in the eavesdropping checking is below the predetermined threshold value, \(V_{j}\) applies the unitary operation I, \(\sigma_{x}\), \(i\sigma_{y}\), and \(\sigma_{z}\) to the sequence \(T^{ij}\) in order to encode 00, 01, 10, and 11 from \(K^{ji}\), respectively.
 Step 3.2.4:

\(V_{j}\) sends the encoded sequence of travel qubits \(T^{ij}\) to \(V_{i}\) after concatenating some Bell states and applying a permutation operator. The correct order of travel qubits to perform eavesdropping checking and obtaining \(T^{ij}\) is revealed by \(V_{i}\) only after he receives an authenticated acknowledgment from \(V_{i}\).
 Step 3.2.5:

\(V_{i}\) announces his random sequence \(K^{ij}\) if they obtain error below the threshold value. \(V_{j}\) reveals the permutation operation only after he gets to know \(K^{ij}\). Subsequently, he performs a Bell measurement on the pair of home and travel qubits from \(H^{ij}\) and \(T^{ij}\) and obtains the random sequence \(K^{ji}\) sent by \(V_{j}\). The symmetric key between \(V_{i}\) and \(V_{j}\) is obtained as \(K^{ij}\oplus K^{ji}\).
Another modification of QAV1 allows semiquantum users, i.e., voters with limited quantum resources, to perform QAV. Specifically, a semiquantum or classical voter is defined as the one who can (1) measure the quantum state in the computational basis only, (2) prepare the quantum state in the computational basis only, and (3) do nothing and/or reflect a quantum state which is sent to him by a quantum user. The steps involved in semiquantum AV protocol (QAV4) with classical voters inspired from semiQKD protocol [51] can be described as follows:
 Step 4.2.1:

CA generates l Bell states \(\vert \phi \rangle\) to be shared with voters \(V_{i}\) and \(V_{j\neq i}\). He forms two ordered sequences of all the first qubits \(F^{ij}=\{f^{ij}_{l'} \}_{j\neq i}\) and second qubits \(S^{ij}=\{s^{ij}_{l'} \}_{j\neq i}\) with \(l'=0,1,\dots,l1\). Finally, he sends sequences \(F^{ij}\) and \(S^{ij}\) to voters \(V_{i}\) and \(V_{j}\), respectively.
 Step 4.2.2:

\(V_{i}\) prepares a random string \(R^{ij}=\{r^{ij}_{l'} \}_{j\neq i}\), where \(r^{ij}_{l'}\in \{0,1 \}\). He measures the qubits \(f^{ij}_{l'}\) if \(r^{ij}_{l'}=0\) and keeps it unchanged otherwise. He also notes the measurement outcomes in a string \(T^{ij}=\{t^{ij}_{l'} \}_{j\neq i}\) \(\forall r^{ij}_{l'}=0\) and prepares fresh qubits \(t^{ij}_{l'}\rangle\), where \(t^{ij}_{l'}\in \{0,1 \}\). He reinserts \(t^{ij}_{l'}\rangle\) \(\forall r^{ij}_{l'}=0\) in the remaining qubits of \(F^{ij}\) and sends \(F^{\prime ij}\) to CA.
Independently, \(V_{j}\) adopts the same procedure to obtain \(S^{\prime ij}\) and then sends it to CA.
 Step 4.2.3:

CA performs the Bell measurement on the respective pairs in sequences \(F^{\prime ij}\) and \(S^{\prime ij}\) and records \(C^{ij}=\{c^{ij}_{l'} \}_{j\neq i}\), where \(c^{ij}_{l'}=0\) if the measurement outcome is \(\vert \phi \rangle\) and \(c^{ij}_{l'}=1\) otherwise. Finally, he announces \(C^{ij}\).
 Step 4.2.4:

\(V_{i}\) and \(V_{j}\) announce their random strings \(R^{ij}\) and \(R^{ji}\), respectively. They obtain the error rate in cases \(r^{ij}_{l'}=1=r^{ji}_{l'}\) as CA would have announced \(c^{ij}_{l'}=0\) ideally. If the error is below the threshold value, they obtain \(\bar{K}^{ij}\) and \(\bar{K}^{ji}\) (approximately of size \(l/4\)) as the subset of \(T^{ij}\) and \(T^{ji}\) for the cases when \(r^{ij}_{l'}=1=r^{ji}_{l'}\), \(c^{ij}_{l'}=0\).
 Step 4.2.5:

Ideally, \(\bar{K}^{ij}=\bar{K}^{ji}=K^{ij}\), otherwise \(V_{i}\) and \(V_{j}\) may perform postprocessing of the key to obtain symmetric key.
QAV3 (QAV4) has the same arrangement of voters in AV net as QAV1 (QAV2).
4.2 Iterative QAV protocols
In such class of protocols, we will be using Bell states and their quantum correlations. We assume that we have a quantum voting network with a semihonest central authority CA and n voters \(V_{i}\).
4.2.1 QAV5: Bell state based iterative probabilistic QAV protocol
In fact, QAV2 proposed earlier can be implemented in an iterative manner to give us a probabilistic outcome of the AV. Thus, the arrangement of voters has the same graph structure as in QAV2. The steps involved in this protocol are as follows:
 Step 5.1Step 5.7:

CA performs QAV2 with all the voters for \(l=1\). Thus, \(\mathcal{V}_{n}=1 \Leftrightarrow R=1\) and leads to an inconclusive result otherwise.
All the parties repeat the protocol an arbitrary number of time \(l'\) until they either get \(R=1\) or conclude with probability \((12^{l'} )\) that \(\mathcal{V}_{n}=0\). Though the scheme remains probabilistic as is QAV2, but it requires \(^{n} C_{2}\times l'\) ^{Footnote 4} copies of Bell states which will be less than that in QAV2 if \(R=1\) is obtained in \(l'< l\), where l is a constant number of Bell states used in QAV2.
4.2.2 QAV6: Bell state based iterative QAV protocol
Let us now present another protocol where the arrangement of voters is in circular order as shown in Fig. 1(b). Here, in each iteration the CA will generate one Bell state, keep one particle with himself while the other particle travels through each of the voters and finally comes back to CA. The main advantage of this scheme is that the voting process requires less than \(1+\log_{2} n\) copies of Bell states. The steps involved in the protocol (QAV6) are as follows:
 Step 6.1:

Same as Step 1.1 of QAV1.
 Step 6.2:

CA generates a Bell state \(\vert \phi \rangle \). CA sends the second qubit of \(\vert \phi \rangle \) to \(V_{0}\) as travel qubits in a secure manner. He keeps the first qubit as home qubits with himself.
 Step 6.3:

After ensuring that there is no eavesdropping attempt, \(V_{0}\) applies \(\sigma_{z}\) operation to the travel qubit to veto the proposal and does nothing in case he supports the proposal.
 Step 6.4:

\(V_{0}\) sends the encoded travel qubit to \(V_{1}\) in a secure manner, who encodes his message in the same way as \(V_{0}\).
Voter \(V_{i} \) \(\forall 0\leq i \leq n\) receives the travel qubits from \(V_{i1}\) and sends it to \(V_{i+1}\) after applying \(\sigma_{z}\) operation to veto the proposal.
 Step 6.5:

\(V_{n}\) receives the travel qubits from \(V_{n1}\) in a secure manner and encodes his vote. Finally, he sends the travel qubits to CA in a secure manner.
 Step 6.6:

CA measures the final state \(\vert \phi' \rangle =\sigma_{z}^{k} \vert \phi \rangle \), if k voters vetoed the proposal, in the Bell basis. If \(\langle\phi'  \phi\rangle=0\), CA announces \(\mathcal{V}_{n}=1\), while \(\langle\phi'  \phi\rangle=1\) leads to an inconclusive outcome.
 Step 6.7:

In case of an inconclusive outcome, CA repeats Steps 6.26.6 with the k voters applying unitary {\sigma}_{z}(t)=\left(\begin{array}{cc}1& 0\\ 0& exp(i\pi {2}^{t})\end{array}\right) on the travel qubit to veto the proposal in the tth iteration.
In each iteration, if CA gets \(\langle\phi'  \phi\rangle=0\) in the measurement outcome he announces \(\mathcal{V}_{n}=1\), while \(\langle\phi'  \phi\rangle=1\) leads to an inconclusive outcome as \(2^{t}k\) is even (including zero).
 Step 6.7:

CA repeats Step 6.7 until he gets \(\mathcal{V}_{n}=1\) or gets \(\mathcal{V}_{n}=0\) conclusively. It should take at most \(1+\log_{2} n\) number of iterations to yield a conclusive outcome for n voters.
4.3 QAV7: deterministic QAV protocol
Finally, we propose a QAV protocol that can succeed with unit probability in a single iteration. This circular scheme (cf. Fig. 1(b)) is based on mulitiparty densecoding [52]. Here, every Voter \(V_{i}\) is assigned a subgroup \(g_{i}= \{I, O_{i} \} \) of a group of operations \(G_{2^{m}}\) to encode his information, where \(V_{i}\) applies \(O_{i}\) to veto the proposal while does nothing otherwise. The group \(G_{2^{m}}=\{I,\sigma_{x}, i\sigma_{y}, \sigma_{z}\}^{\otimes \lceil \log_{2} m\rceil}\) with at least \({2^{m}}\) elements is obtained from the modified Pauli group (an Abelian group under multiplication obtained by neglecting the global phase of the states postoperation). The \({2^{m}}\) elements of the group \(G_{2^{m}}\) generate quantum states mutually orthogonal to each other enabling it useful for multiparty densecoding (see [52] for detail). The subgroups assigned for encoding are pairwise disjoint \(g_{i}\cap g_{j}= \{ {I} \} \forall i,j\in\{0,1,\dots,n1\}\) and \(O_{0}O_{1}\cdots O_{n1}=I\). A few examples of the operations \(\{g_{i} \}_{i=0,1,\dots,n1}\) for different values of n are given in Table 1. In principle, the assignment of subgroups to voters for encoding can be performed randomly as distribution of secret index in [15], which forbids some participants with the help of CA to identify the voters vetoing the proposal. Thus, each voter knows only the subgroup assigned to him.
The steps involved in this protocol (QAV7) are as follows:
 Step 7.1:

Same as Step 1.1 of QAV1.
 Step 7.2:

CA prepares an mqubit entangled state \(\psi_{\mathrm{in}}\rangle\) (with \(m\ge (n1 )\)).
 Step 7.3:

CA prepares string of l qubits (\(l< m\)) of \(\psi_{0}\rangle\) to send to \(V_{0}\) as travel qubits in a secure manner. He keeps the string of the rest of the \(ml\) qubits as home qubits with himself.
 Step 7.4:

After ensuring that there is no eavesdropping attempt, Voter \(V_{0}\) encodes his vote. Specifically, Voter \(V_{0}\) applies operation \(O_{0}\) on all the travel qubits to veto while does nothing to support the proposal. The operation of \(V_{0}\) transforms the initial state \(\psi_{\mathrm{in}}\rangle\) to \(\psi_{0}\rangle\).
 Step 7.5:

Voter \(V_{0}\) sends the l travel qubits of \(\psi_{0}\rangle\) to \(V_{1}\) in a secure manner, who encodes his message using \(g_{1}\) to transform the state to \(\psi_{1}\rangle\).
 Step 7.6:

Voter \(V_{i} \) \(\forall 1\leq i \leq n1\) receives the travel qubits of \(\psi_{i1}\rangle\) from \(V_{i1}\) and sends the travel qubits of \(\psi_{i}\rangle\) to \(V_{i+1}\) after encoding his message using \(g_{i}\).
 Step 7.7:

Voter \(V_{n}\) receives the travel qubits of \(\psi_{n1}\rangle\) from \(V_{n1}\) in a secure manner. He encodes his message using \(g_{n}\) to obtain \(\psi_{n}\rangle\). Finally, he sends the travel qubits to CA in a secure manner.
 Step 7.8:

CA measures \(\psi_{n}\rangle\) in the same basis he has prepared the initial state \(\psi_{\mathrm{in}}\rangle\). If \(\langle\psi_{\mathrm{in}} \psi_{n}\rangle=0\), CA announces \(\mathcal{C}_{n}=1\) while he announces \(\mathcal{C}_{n}=0\) for the measurement outcome \(\langle\psi_{\mathrm{in}} \psi_{n}\rangle=1\).
CA’s announcement \(\mathcal{C}_{n}=1\) corresponds to the situation \(k\neq\{0,n\}\), i.e., at least one of the voters has vetoed the proposal. On the other hand, CA’s announcement \(\mathcal{C}_{n}=0\) corresponds to unanimity in the decision (all have either vetoed or not vetoed), i.e., \(k=\{0,n\}\). Only the voters know their individual voting preferences, thus they can deduce whether the proposal is vetoed or not, i.e., \(\mathcal{V}_{n}=0\) or 1, respectively.
5 Security and efficiency analysis of the proposed scheme
A QAV scheme is expected to satisfy a few criteria of security listed in Sect. 2. Further, we may note that a QAV protocol is ϵsecure if it is ϵindistinguishable from a perfectly secure (hypothetical) ideal QAV scheme following those listed conditions [53, 54]. In the following, we will explicitly show the security of our proposed schemes with regards to requirements for AV along these lines (which is summarized in Table 2).
5.1 Eligibility
In all the protocols, we are using the scheme of quantum digital signatures for authentication of the voters irrespective of whether CA performs the authentication or the voters authenticate each other among themselves. In this way, only the eligible voters will be allowed to vote and thus the eligibility condition is satisfied for all the proposed protocols.
5.2 Privacy
An eavesdropper attempts to access the information a voter is transmitting to CA. Her endeavor would result in a message encoded (by voter \(V_{j}\)) joint state shared among CA and Eve (before a measurement performed by Eve and/or CA) which can be described as
where \(p_{0}\) is the probability that \(V_{j}\) supports the proposal. Eve will further discriminate \(\rho_{j}^{E}\) to identify the secret value of j. However, the legitimate parties, i.e., voters and CA, would desire to adopt quantum cryptography tools, such as decoy state technique, to obtain the joint state in ideal situation as
which ensures that Eve has no information about the choice of the voter. Thus, ϵprivacy of a QAV scheme can be defined in the information theoretic description of security [53, 54] as \(\min\limits_{j} \frac{1}{2}\Vert \rho^{V_{j}E} \rho^{V_{j}E}_{\mathrm{ideal}}\Vert\leq \epsilon\). Here, we provide privacy of the voters for the proposed QAV schemes against some of the wellknown individual attacks by an adversary as well as the collusion attacks by the legitimate parties.
To begin with, we consider the intercept and resend attack by a nonparticipant Eve. In the intercept and resend attack, Eve intercepts the travel particles from one legitimate user to another. Subsequently, Eve prepares a random state (known to him) and sends it to the party who was intended to receive the intercepted particles. For example, in QAV2, Eve may perform this attack by intercepting the l copies of Bell state to be shared between all the pairs of voters by CA. She will be able to get the information about the shared symmetric keys used by the voter to cast their votes by sending the symmetric separable single qubit strings to both the voters. This will eventually give her access to all the secret information that voters were sharing. To prevent this attack, we can employ decoy qubit based eavesdropping checking (cf. Sect. 2), e.g., using the BB84 states (\(\vert 0 \rangle, \vert 1\rangle, \vert + \rangle, \vert  \rangle\)). Suppose l Bell states are to be securely distributed between a pair of voters by CA who inserts 2l decoy states randomly before sending. The pair of voters measure the 2l decoy qubits to obtain the error rate and attribute all these errors to the eavesdropping attempts. Since Eve is ignorant about the position of the decoy states as well as the choice of randomly used basis for preparation of the decoy states so the voters will detect the presence of Eve by comparison of the measurement outcomes with that of the prepared state. This allows the voters to obtain the bounds on the information accessible to Eve on the remaining lbits key they obtain eventually. The probability to detect the presence of Eve is given by \(1\frac{1}{4^{l/2}}\). Similarly, in QAV1, the decoy state based eavesdropping checking technique is effective to circumvent the intercept and resend attack as it is an integral part of the QKA/QKD protocols used in the generation of symmetric keys between the voters. Along the same lines, all the proposed protocols are free from the intercept and resend attack by using the decoy qubit based eavesdropping checking while transmission of the qubits between two parties.
Another type of attack strategy is entangle and measure attack. In such type of attacks, Eve entangles her ancilla qubit with the travel qubit and measures her ancilla afterwards to get the information transmitted. Specifically, Eve prepares an ancilla qubit in a superposition state as \(\vert q \rangle_{E}= \alpha \vert 0 \rangle_{E} + \beta \vert 1 \rangle_{E}\) and then entangles it with the travel qubit using the CNOT gate with control on the ancilla and target on the travel qubit. It can be observed that the use of decoy qubits prepared in the BB84 states (\(\vert 0 \rangle, \vert 1\rangle, \vert + \rangle, \vert  \rangle\)) will result in the successful detection of Eve with success probability \(\vert\beta\vert^{2}\) if Eve attacks the decoy states \(\vert 0 \rangle\) and \(\vert 1 \rangle\) while the state remains separable for the rest of the decoy states (\(\vert + \rangle, \vert  \rangle\)). Thus, the average probability of detecting Eve can be obtained as \(\frac{\vert\beta\vert^{2}}{2}\) assuming that all decoy states are prepared with an equal probability. Notice that if Eve prepares ancilla with \(\beta\rightarrow 0\) then the detection probability of Eve will be vanishingly small as in that case Eve neither disturbs the decoy qubit nor gains any information.
Another significant attack is the man in the middle attack where Eve impersonates as a legitimate party. This attack can be prevented by the use of a secure authentication scheme [55–57] before sending of the actual sequence of particles. Further, we are using the quantum digital signatures which would protect us from this attack.
Further, in a participant attack, a user or a group of users will either try to get some information about the voting pattern of the voters or try to influence the result of the voting without being detected. In QAV1, QAV3 and QAV4, every voter \(V_{i}\) generates a lbit symmetric key with the rest of the voters using a QKA/QKD protocol, which is followed by an application of some logical operations of those keys before publicly announcing the result. Thus, it is not possible for any voter to get the information about the voting pattern/preference of the other voters from the announced information. Similarly, it is applicable to the rest of the protocols, i.e., QAV2, QAV5, QAV6 and QAV7. However, in the collusion attack, \(k< n\) voters out of the total n voters collude to acquire the inaccessible information about the voting preferences of the rest of the \(nk\) voters and then try to change the outcome. In all of proposed protocols, we can see that it is not possible to violate the secrecy of the vote as well as the outcome of the voting process. For instance, QAV7 is prone to the collusion attack by an arbitrary voter and CA as they know the choices by all voters in the end if the operations applied by the voters are public knowledge. Specifically, CA has the information of the final result after measurement and (all) the voter(s) have encoding operations, and thus together they have all the pieces required to get all the voting preferences, i.e., to identify the parties vetoing the proposal. Here, this possibility is circumvented as the disjoint subgroups are assigned to every voter for voting in a random manner with neither CA nor the voters aware of the encoding operations used by the rest of the voters.
We have shown here that the privacy of the votes can be accomplished against some of the popular outsider’s and insider’s attacks, but a more rigorous security proof against collective and coherent attacks will be performed in our future works.
5.3 Binding
In all the protocols proposed here, an outsider (or a participant other than the voter) cannot change the vote encoded by any voter, and the same is already established in the context of privacy against denial of service and disturbance attacks. Further, in the probabilistic and deterministic protocols (i.e., QAV1–QAV4 and QAV7), even the voter cannot alter the vote as they only get one chance to encode it, but in the iterative protocols, a dishonest voter may change his vote in every iteration, e.g, in QAV4–QAV5. However, the voter’s change of the vote in the successive iterations neither allows him access to the partial tally of the votes nor compromises the privacy of the other voters. Thus, a voter cannot take advantage of changing the vote in every iteration to get a favourable final outcome of his choice.
5.4 Correctness
The correctness of an ϵcorrect QAV scheme requires that the result bit is generated wrong with probability \(\operatorname{Pr}[\mathcal{W}_{i}=0\ \forall i\longrightarrow \mathcal{V}_{n}=1]\leq \epsilon \). The success probability of probabilistic protocols is given by \(\frac{1}{2^{l}}\) where l represents the number of bits used by each voter. So, probabilistic QAV protocols are ϵcorrect with \(\epsilon \geq 1\frac{1}{2^{l}}\). In comparison to the probabilistic protocols, the iterative and deterministic QAV protocols can be implemented with a relatively small value ϵ.
5.5 Verifiability
The AV scheme is ϵverifiable if every voter can confirm his vote with a probability of failing verifiability \(\operatorname{Pr}[\mathcal{W}_{i}=j \longrightarrow \mathcal{V}_{n}=j\oplus 1]\leq \epsilon\). Notice that a voter (say \(V_{i}\)) can verify his veto ideally with unit probability, while any other voter may independently have supported the proposal which reduces the verifiability of the scheme as the voters supporting the proposal with input \(\mathcal{W}_{i}=0\) would not be able to verify the outcome. Thus, as long as the scheme is \(\epsilon_{c}\)correct it will lead to ϵverifiability \((\epsilon>\epsilon_{c} )\). In our case, a party who vetoed the proposal can verify the outcome with unit probability in case of iterative (QAV6) and deterministic (QAV7) schemes. However, in case of probabilistic schemes, he will be able to verify the result as long as the correctness is ensured. Further, in case when the parties support the proposal, it does not appear possible to ensure verifiability without disclosing individual choices.
5.6 Robustness
Decoherence is the major challenge in the implementation of quantum communication. In the absence of an adversary, an interaction of the qubits with the ambient environment is expected to reduce the correctness by leading to a wrong outcome. Any realistic physical implementation of the proposed protocols will always be noisy due to the presence of the surrounding environment. Further, the protocol will be practically useful only if it gives the correct result even in the presence of a limited amount of noise. Here, we will be comparing the feasibility of the proposed protocols under the presence of noise by considering that the noise affects the qubits only when they travel from one party to the other. Further, we assume that the qubits that do not travel are hardly affected by the noise. In quantum information theory, the effect of noise on the quantum state \(\rho_{i}\) evolving to \(\rho_{f}\) is described as an operatorsum representation in terms of Kraus operators as [40, 58]
where \(E_{i}\)s are the Kraus operators with \(\sum_{i}E_{i}^{\dagger} E_{i} = I\).
To discuss the robustness of the proposed schemes, we study the effect of two of the most important noise channels, namely amplitude damping and phase damping, on the proposed protocols. The Kraus operators for amplitude damping are
and those for phase damping are
These operators can be substituted in Eq. (7) to give us the final state with \(\eta_{j}\) as the damping parameter.
Suppose an n qubit initial pure state \(\rho_{i}= \vert \Phi \rangle\langle \Phi \vert\) is used for the implementation of a protocol, with \(m ( nm )\) home (travel) qubits denoted by \(h ( t )\), then the final state before measurement can be written as
where \(E^{k}_{i_{j}}\) are the Kraus opertors of amplitude or phase damping with \(k\in \{\mathrm{AD,PD}\}\). The effect of the noise can be quantified by a distance based measure, known as the square of fidelity (henceforth referred to as fidelity), given by
where \(\vert \Phi^{f} \rangle\) represents the final state that the initial pure state \(\vert \Phi \rangle\) should have been after performing all the encoding operations by every party in a decoherence free environment. In our case, we consider that all the encoding operations are equiprobable and hence calculate the average fidelity for each of the proposed QAV protocols. Before we proceed further, notice that the average fidelity quantifies the robustness of the scheme as the low fidelity corresponds to the wrong outcome.
The QAV1 protocol is dependent upon the choice of QKA/QKD protocol used for the initial key generation. Without loss of generality, we consider BB84 protocol in this case for the analysis. It involves the sending of BB84 states from one voter to the other voters for creating a lbit keys between every pair of voters. The average fidelity for generation of lbit keys for every pair of voters under amplitude damping noise is computed to be \(\frac{1}{4^{l}} (\sqrt{1\eta_{a} }\eta_{a} +3 )^{l} \) while under phase damping noise it is found to be \(\frac{1}{4^{l}} (\sqrt{1\eta_{p} }+3 )^{l} \). Thus, the fidelity depends on the noise parameter values as well as the number of key bits required for working of the protocol as can be seen from Fig. 2(a). Specifically, the protocol is robust for the small values of noise parameters (\(\eta_{p}\) or \(\eta_{a}\)), and a higher value of noise reduces the fidelity significantly and thus rendering the protocol practically ineffective. Since QAV1 is a probabilistic AV protocol and for \(l=10\) we get a conclusive outcome with probability 99.9%, which can be further improved by increasing the number of key bits l. However, with an increase in the key size the robustness decreases and thus a tradeoff between correctness and robustness of the probabilistic QAV schemes is observed. Further, we can observe that the amplitude damping noise has a greater impact on the average fidelity in comparison to that for the phase damping noise due to the presence of fast decaying term \(\eta_{a}\) in the former case. Similarly, in QAV2 protocol based on the Bell states shared among two voters, the average fidelity for generation of lbit keys among every pair of voters under amplitude damping noise is \((1+ \frac{1}{2} (\eta_{a} 2) \eta_{a} )^{l}\) while under phase damping noise is \((1  \frac{\eta_{p}}{2})^{l} \). Interestingly, as QAV5 protocol is similar to QAV2 (with differences in the encoding and measurement stages), the average fidelity is the same as that for QAV2. Along the same lines, the average fidelity for QAV3 (orthogonal state based protocol) under amplitude damping noise is found to be \((1  \frac{\eta_{a}}{2})^{l}\) while under phase damping noise it is computed as \((1  \frac{\eta_{p}}{2})^{l/2} \) for only even values of l. Further, average fidelity for QAV4 (semiquantum protocol) is obtained to be the same as QAV2 as the communication complexity is same in both the schemes. Among these schemes, QAV2 (and QAV4 and QAV5, too) is the least robust against noise (cf. Fig. 2(b)).
We further obtain the average fidelity of the transmitted states in QAV6 and QAV7 implemented by the four voters with the help of CA as
respectively. In QAV6, one of the qubits of the Bell states is transmitted five times through the noisy environment. Therefore, the effect of amplitude damping is more severe than that of phase damping. In QAV7 protocol, a deterministic scheme among the four voters with two travel qubits has twice more travel qubits than that in QAV6. The expressions for average fidelity are along the expected lines with amplitude damping having more adverse effect. Figure 2(c) shows a comparison of average fidelity for QAV6 and QAV7 for the case of four voters. We can see that the robustness of the protocol is dependent upon the noise parameters. In the case of practical implementation, all the protocols may be observed robust up to moderate decoherence rates and the robustness decrease as the noise parameters increase.
5.7 Efficiency of the protocols
The performance of a quantum communication scheme can be quantified in terms of qubit efficiency, given by [59]
where c is the number of classical bits transmitted, q is the minimum number of qubits required, while b is the additional classical bits of information required for secure transmission. It is to be noted here that we do not consider the classical bits exchanged during eavesdropping checking while computing η. Further, the number of qubits required can be written as \(q=Q+\delta t\), where Q represents the total Q qubits used in the protocol, while t represents the number of travel qubits in the corresponding protocol. The factor of \(\delta \neq 0\) is decided to achieve the desired level of security of t travel qubits by using δt decoy qubits. In QAV protocols, \(c=1\) as we require only one bit of information \(\mathcal{V}_{n}\) after the completion of the protocol. Let us now compare the efficiency of the existing QAV protocols along with that of our proposed QAV protocols.
To begin with, let us look at the efficiency of WQAV protocol. In this protocol, CA has to establish a l qubit key with all the n voters using BB84 protocol, which requires the exchange of a minimum \(4nl\) qubits. Thereafter, CA would share \((1+\delta_{0})l\) ordered copies of nqubit GHZ state with the voters, which will require an additional \(nl(1+\delta_{0})\delta_{1}\) decoy qubits. Here, \(\delta_{0}\) and \(\delta_{1}\) are the security parameters for checking the GHZ correlations and eavesdropping checking, respectively. Thus, \(q=nl(5+\delta_{0}+\delta_{1}+\delta_{0}\delta_{1})\). The voters further require an exchange of a total of \(b=nl\) classical bits to CA, and hence the efficiency is given by \(\{nl(6+\delta_{0}+\delta_{1}+\delta_{0}\delta_{1})\}^{1}\). Though a detailed security of the RKQAV protocol was not reported we can calculate its qubit efficiency in the similar manner to that of WQAV protocol. This also requires the transfer of \((1+\delta_{0})nl\) GHZ particles (qubits) from CA to the n voters. After preforming some operations on their GHZ particles, the voters will then return back a total nl particles to CA. To ensure the detection of Eve during transfer of qubits, we require additional \(nl(2+\delta_{0})\delta_{1}\) decoy qubits. Thus, qubit efficiency is \(\{nl(1+\delta_{0}+2\delta_{1}+\delta_{0}\delta_{1})\}^{1}\) as \(b=0\).
Similarly, we can compute the qubit efficiency of the proposed probabilistic QAV protocols. QAV1 protocol is based on the generation of l bit key among all pairs of n voters using any of the QKD or QKA protocol. For instance, considering l bit key shared among arbitrary two voters using the BB84 QKD protocol, which involves \(q={}^{n} C_{2}\, 4l\). Further, after generation of the symmetric keys every voter has to publicly announce the l bits of classical information, which makes \(b=nl\) and the efficiency is calculated as \(\{(2n1))nl \}^{1}\). Similarly, QAV2 requires the sharing of the l Bell states, among all pairs of voters. The total number of qubits used are \(q={^{n}C_{2}}\, 2l(\delta_{1}+1)\), and nl classical bits are required. Hence, the qubit efficiency of QAV2 can be calculated as \(\{((n1)(\delta_{1}+1)+1) nl\}^{1}\). QAV3 uses an orthogonal state based QKA to generate l bit key between any pair of voters. The total number of qubits required \(q={^{n}C_{2}}\, l(\delta_{1}+1)\) with \(b=4nl\) classical bits are required. This results in qubit efficiency as \(\{(\frac{(n1)(\delta_{1}+1)}{2}+4)nl\}^{1}\). In QAV4, semiQKD is employed by the parties which requires \(q={^{n}C_{2}}\, 8l\) with \(b=nl\) to generate l bit keys. This leads to the efficiency of protocol as \(\{nl(4n3)\}^{1}\) by including classical communication post QKD step.
Along the same lines, the qubit efficiency of the proposed iterative QAV protocols can also be obtained. The efficiency of protocol QAV5 is similar to that of QAV2. Let’s now look at efficiency analysis of QAV6. In this protocol a Bell state is generated and then one qubit is kept by the CA while the other qubit will be travelling among the n voters for casting the vote and will return back to CA. In this case, \(q=((n+1)(1+\delta_{1}) +2)l\) and \(c=0\) which leads to efficiency calculated as \(\{((n+1)(1+\delta_{1}) +2)l \}^{1}\). Here, l refers to the number of iterations required to get a conclusive outcome and its maximum value is given by \(1+\log_{2}n\). In QAV7, we are using the dense coding scheme to arrive at the voting outcome. Here, CA generates a mqubit entangled state and then l qubits of that state are transferred to all the voters one by one and finally returned back to CA which leads to \(q=m+(n+1)l\). Finally the revealing of outcome results in use of \(b=1\) classical bit of information which leads to efficiency as \(\{m + (n+1)(1+\delta_{1})l +1\}^{1}\). The comparison of the efficiencies is presented in Table 3. Without loss of generality, we further calculated the efficiency in a special case of 4 voters. We can see that some of our proposed protocols fare better than the RKQAV and WQAV protocols. Interestingly, we can clearly observe that for 4party voting example of all the mentioned protocols, QAV6 and QAV7 have the best efficiency. In fact, this is true for voting with higher number of voters too.
6 Conclusions
Veto is a form of voting in which the proposals are accepted only in the case of consensus among the involved parties. Further, there is a heightened interest in designing protocols for secure anonymous veto using the quantum resources. In this study, we have proposed a number of quantum anonymous veto protocols based on various degrees of available quantum resources. In the present work, we have classified the protocols based on the probabilistic, iterative and deterministic approaches in order to accomplish the task and arrive at the desired outcome. We have further explored the intrinsic connections between DCnet and AVnets. We have performed a security and efficiency analysis of the proposed protocols and established the proposed schemes are secure against some of the widely studied attacks. We have also performed a comparative analysis of the performance of the existing QAV schemes. In addition, we have examined the robustness of the proposed protocols under realistic physical systems, i.e., the effect of noise on the implementation. The analysis shows that the proposed schemes are robust in the presence of weak noise. Our comparison of the performance of the proposed schemes establishes that the deterministic QAV scheme (QAV7) is an optimal protocol to accomplish the desired task. A bipartite entanglement QAV scheme (QAV6) is also observed to be more efficient and robust than all the existing iterative and probabilistic QAV schemes. However, QAV6 does not satisfy the requirement of binding. Further, all the protocol proposed here can be experimentally implemented using the currently available technology. However, a particular laboratory or a company may have its own restrictions. For example, a laboratory may have capacity to produce the single qubit states only. Thus, in short, the set of protocols proposed here and the comparison tables reported here leads to an opportunity to different organizations having varied expertise and capability to implement QAV based on the available resources and the exact requirement(s). The recent application of AV schemes to perform sealed bid auction [36] by performing AV for each bit of the placed bids starting from the most significant bit to the least significant bit will hopefully encourage the utilization of the proposed schemes for other socioeconomic tasks of relevance. We hope that the set of proposed QAV schemes will motivate experimentalists to realize the protocols and find them useful in performing veto and auction in the real life situations.
Availability of data and materials
No additional data is needed for this work.
Notes
In Ref. [33], it is not explicitly mentioned who prepares and shares them among the voters. For the sake of completeness, we may assume here one of the voters or a trusted third party prepares and shares it among them.
Interestingly, RKQAV 3 can be viewed as \((t=0)\)th iteration.
\({}^{n}C_{r} = \frac{n!}{(nr)! r!}\)
\({}^{n}C_{r} = \frac{n!}{(nr)! r!}\)
References
ShenoyHejamadi A, Pathak A, Radhakrishna S. Quantum cryptography: Key distribution and beyond. Quanta. 2017;6(1):1–47.
Gisin N, Ribordy G, Tittel W, Zbinden H. Quantum cryptography. Rev Mod Phys. 2002;74(1):145.
Bennett CH, Brassard G. Quantum cryptography: Public key distribution and coin tossing. In: International conference on computer system and signal processing. Bangalore, India: IEEE; 1984. p. 175–9.
Ekert AK. Quantum cryptography based on Bell’s theorem. Phys Rev Lett. 1991;67(6):661.
Colbeck R. Quantum and relativistic protocols for secure multiparty computation. 2009. arXiv preprint. arXiv:0911.3814.
Crépeau C, Gottesman D, Smith A. Secure multiparty quantum computation. In: Proceedings of the thiryfourth annual ACM symposium on theory of computing. 2002. p. 643–52.
Yang YG, Cao WF, Wen QY. Secure quantum private comparison. Phys Scr. 2009;80(6):065002.
Yang YG, Wen QY. An efficient twoparty quantum private comparison protocol with decoy photons and twophoton entanglement. J Phys A, Math Theor. 2009;42(5):055305.
Naseri M. Secure quantum sealedbid auction. Opt Commun. 2009;282(9):1939–43.
Hogg T, Harsha P, Chen KY. Quantum auctions. Int J Quantum Inf. 2007;5(05):751–80.
Sharma RD, Thapliyal K, Pathak A. Quantum sealedbid auction using a modified scheme for multiparty circular quantum key agreement. Quantum Inf Process. 2017;16(7):169.
Hillery M, Ziman M, Bužek V, Bieliková M. Towards quantumbased privacy and voting. Phys Lett A. 2006;349(1–4):75–81.
Vaccaro JA, Spring J, Chefles A. Quantum protocols for anonymous voting and surveying. Phys Rev A. 2007;75(1):012333.
Thapliyal K, Sharma RD, Pathak A. Protocols for quantum binary voting. Int J Quantum Inf. 2017;15(01):1750007.
Wang Q, Yu C, Gao F, Qi H, Wen Q. Selftallying quantum anonymous voting. Phys Rev A. 2016;94(2):022333.
Jiang L, He G, Nie D, Xiong J, Zeng G. Quantum anonymous voting for continuous variables. Phys Rev A. 2012;85(4):042309.
Bonanome M, Bužek V, Hillery M, Ziman M. Toward protocols for quantumensured privacy and secure voting. Phys Rev A. 2011;84(2):022331.
Xue P, Zhang X. A simple quantum voting scheme with multiqubit entanglement. Sci Rep. 2017;7(1):1–4.
Sun X, Wang Q, Kulicki P, Sopek M. A simple voting protocol on quantum blockchain. Int J Theor Phys. 2019;58(1):275–81.
Jiang DH, Wang J, Liang XQ, Xu GB, Qi HF. Quantum voting scheme based on locally indistinguishable orthogonal product states. Int J Theor Phys. 2020;59(2):436–44.
Liu JS, Li YC, Wang QL, Hu M, Zhang ZC. Quantum anonymous voting protocol based on singleparticle. Phys Scr. 2021;96(8):085101.
Wang J, Xu GB, Jiang DH. Quantum voting scheme with GreenbergerHorneZeilinger states. Int J Theor Phys. 2020;59(8):2599–605.
Wang Q, Liu J, Li Y, Yu C, Pan S. Quantum Bell statesbased anonymous voting with anonymity trace. Quantum Inf Process. 2021;20(4):1–21.
Du G, Zhou BM, Ma CG, Zhang S, Li JY. A secure quantum voting scheme based on orthogonal product states. Int J Theor Phys. 2021;60(4):1374–83.
Shi R, Qin J, Liu B, Zhang M. Anonymous quantum voting protocol based on Chinese remainder theorem. Eur Phys J D. 2021;75(1):1–7.
Sekga C, Mafu M. Quantum state sharing of an arbitrary mparticle state using Einstein–Podolsky–Rosen pairs and application in quantum voting. Mod Phys Lett A. 2021;36:2150151.
Liu BX, Jiang DH, Liang XQ, Zhang YH. A novel quantum voting scheme based on BB84state. Int J Theor Phys. 2021;60(4):1339–49.
Li YP, Zhou FX, Wang TY, Lu LF. Novel quantum voting protocol with eightqubit cluster entangled state. Int J Theor Phys. 2020;59(9):2671–80.
Li YR, Jiang DH, Zhang YH, Liang XQ. A quantum voting protocol using singleparticle states. Quantum Inf Process. 2021;20(3):1–17.
Zhang X, Zhang JZ, Xie SC. A secure quantum voting scheme based on quantum group blind signature. Int J Theor Phys. 2020;59(3):719–29.
Joy D, Sabir M, Behera BK, Panigrahi PK. Implementation of quantum secret sharing and quantum binary voting protocol in the IBM quantum computer. Quantum Inf Process. 2020;19(1):1–20.
Wang Q, Li Y, Yu C, Shi R, Zhang Z. Quantumbased anonymity and secure veto. Quantum Inf Process. 2021;20(3):1–22.
Rahaman R, Kar G. GHZ correlation provides secure Anonymous Veto Protocol. 2015. arXiv preprint. arXiv:1507.00592.
Ding J, Emery D, Müller J, Ryan PY, Kee Wong V. PostQuantum Anonymous Veto Networks. EVoteID 2020. 2020; .
Chaum D. The dining cryptographers problem: Unconditional sender and recipient untraceability. J Cryptol. 1988;1(1):65–75.
Bag S, Hao F, Shahandashti SF, Ray IG. SEAL: Sealedbid auction without auctioneers. IEEE Trans Inf Forensics Secur. 2019;15:2042–52.
Schneier B. Applied cryptography. New York: Wiley; 1996.
Wallden P, Dunjko V, Kent A, Andersson E. Quantum digital signatures with quantumkeydistribution components. Phys Rev A. 2015;91(4):042304.
Sharma RD, Thapliyal K, Pathak A, Pan AK, De A. Which verification qubits perform best for secure communication in noisy channel? Quantum Inf Process. 2016;15(4):1703–18.
Nielsen MA, Chuang IL. Quantum Computing and Quantum Information. Cambridge: Cambridge University Press; 2000.
Lo HK, Ma X, Chen K. Decoy state quantum key distribution. Phys Rev Lett. 2005;94(23):230504.
Greenberger DM, Horne MA, Zeilinger A. Going beyond Bell’s theorem. In: Bell’s theorem, quantum theory and conceptions of the universe. Berlin: Springer; 1989. p. 69–72.
Bennett CH. Quantum cryptography using any two nonorthogonal states. Phys Rev Lett. 1992;68(21):3121.
Goldenberg L, Vaidman L. Quantum cryptography based on orthogonal states. Phys Rev Lett. 1995;75(7):1239.
Bennett CH, Brassard G, Mermin ND. Quantum cryptography without Bell’s theorem. Phys Rev Lett. 1992;68(5):557.
Noh TG. Counterfactual quantum cryptography. Phys Rev Lett. 2009;103(23):230501.
Boyer M, Kenigsberg D, Mor T. Quantum key distribution with classical Bob. Phys Rev Lett. 2007;99:140501.
Srikara S, Thapliyal K, Pathak A. Continuous variable B92 quantum key distribution protocol using single photon added and subtracted coherent states. Quantum Inf Process. 2020;19(10):371.
Shukla C, Alam N, Pathak A. Protocols of quantum key agreement solely using Bell states and Bell measurement. Quantum Inf Process. 2014;13(11):2391–405.
Shukla C, Thapliyal K, Pathak A. Semiquantum communication: protocols for key agreement, controlled secure direct communication and dialogue. Quantum Inf Process. 2017;16(12):1–19.
Krawec WO. Mediated semiquantum key distribution. Phys Rev A. 2015;91(3):032323.
Banerjee A, Thapliyal K, Shukla C, Pathak A. Quantum conference. In: Quantum information processing. vol. 17. 2018. p. 1–22.
Renner R. Security of quantum key distribution. Int J Quantum Inf. 2008;6(01):1–127.
MüllerQuade J, Renner R. Composability in quantum cryptography. New J Phys. 2009;11(8):085006.
Kanamori Y, Yoo SM, Gregory DA, Sheldon FT. On quantum authentication protocols. In: GLOBECOM05, IEEE global telecommunications conference, 2005. 2005. p. 5.
Ljunggren D, Bourennane M, Karlsson A. Authoritybased user authentication in quantum key distribution. Phys Rev A. 2000;62(2):022305.
Zhang Z, Zeng G, Zhou N, Xiong J. Quantum identity authentication based on pingpong technique for photons. Phys Lett A. 2006;356(3):199–205.
Kraus K. General state changes in quantum theory. Ann Phys. 1971;64(2):311–35.
Cabello A. Quantum key distribution in the Holevo limit. Phys Rev Lett. 2000;85(26):5635.
Acknowledgements
SM, APar and APat acknowledge Deepak Khazanchi for his interest in this work.
Funding
This work is supported by grants received through the project “Partnership 2020: Leveraging USIndia Cooperation in Higher Education to Harness Economic Opportunities and Innovation” which is enabling a collaboration between University of Nebraska at Omaha, and JIIT, Noida. KT acknowledges GA ČR (project No. 1822102S) and support from ERDF/ESF project ‘Nanotechnologies for Future’ (CZ.02.1.01/0.0/0.0/16_019/0000754).
Author information
Authors and Affiliations
Contributions
All authors discussed, read and approved the final manuscript. APat conceptualized the problem. APat, KT and SM wrote the protocols and compared and analyzed them. APar was involved in security analysis of the schemes.
Corresponding author
Ethics declarations
Competing interests
The authors declare that they have no competing interests.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Mishra, S., Thapliyal, K., Parakh, A. et al. Quantum anonymous veto: a set of new protocols. EPJ Quantum Technol. 9, 14 (2022). https://doi.org/10.1140/epjqt/s40507022001332
Received:
Accepted:
Published:
DOI: https://doi.org/10.1140/epjqt/s40507022001332