- Research
- Open Access
- Published:
Multi-party semiquantum private comparison of size relationship with d-dimensional Bell states
EPJ Quantum Technology volume 10, Article number: 10 (2023)
Abstract
In this paper, we utilize d-dimensional Bell states to construct a multi-party semiquantum private comparison (MSQPC) protocol with two supervisors, which can determine the size relationship of more than two classical users’ private inputs under the control of two supervisors within one round implementation. The two supervisors, i.e., one quantum third party (TP) and one classical TP, are both semi-honest, which means that they can misbehave at their own wishes but are not permitted to conspire with anyone else. Neither quantum entanglement swapping nor unitary operations are required in the proposed MSQPC protocol. The security analysis certifies that the proposed MSQPC protocol can overcome both the outside attacks and the participant attacks.
1 Introduction
Classical secure multiparty computation (SMC) is one of the most important branches of classical cryptography whose security relies on the computational complexity of mathematical problems. As an important branch of SMC, the classical private comparison (CPC) aims to compare the size relationship of private inputs from different users. The first CPC protocol, which is usually named as “the millionaire problem”, was put forward by Yao [1] in 1982. However, the security of this protocol is determined by the computation complexity of solving mathematical problems, which implies that this protocol may be threatened to a great extent once the computing ability of computer is tremendously improved. To get over this problem, a completely novel kind of private comparison, i.e., quantum private comparison (QPC), was invented by Yang and Wen [2] in 2009 by introducing quantum cryptography [3] into CPC. Since then, a series of QPC protocols [4–21] have been proposed in turn. These QPC protocols can be divided into two categories: QPC of equality [2, 4–13] and QPC of size relationship [14–21]. Different from QPC of equality, QPC of size relationship can judge whether the private input of one user is greater than, smaller than or equal to that of another user. Generally speaking, QPC of size relationship is of more use than QPC of equality in practice.
In reality, not everyone is capable of affording expensive quantum devices. In order to overcome this issue, Boyer et al. [22] put forward the novel concept of semiquantumness in 2007. Within a semiquantum cryptography protocol, a classical participant, who only possesses limited quantum capabilities, is free of preparation and measurement of quantum superposition states and quantum entangled states. By absorbing semiquantumness into QPC, Chou et al. [23] constructed the first semiquantum private comparison (SQPC) protocol through utilizing entanglement swapping of Bell states. Hereafter, scholars put forward lots of SQPC protocols [24–34]. SQPC can be also divided into two kinds: SQPC of equality and SQPC of size relationship. The SQPC protocols of Refs. [23–29] belong to the former kind while the ones of Refs. [30–34] belong to the latter kind. However, each of the SQPC protocols of Refs. [30–34] only can determine the size relationship of private inputs from two users within one execution of protocol. There is few SQPC protocol of size relationship which is suitable for more than two users up to now.
Based on the above analysis, in this paper, we concentrate on considering the situation that N classical users aim to compare the size relationship of their private integer sequences under the control of two supervisors within one execution of protocol. In order to accomplish this goal, we put forward a novel multi-party semiquantum private comparison (MSQPC) protocol with two semi-honest third parties (TPs) by using d-dimensional Bell states. Here, two semi-honest TPs, i.e., a quantum TP and a classical TP, are the supervisors, each of whom is permitted to misbehave on her own but cannot conspire with anyone else [5]. Neither quantum entanglement swapping nor unitary operations are employed in the proposed MSQPC protocol.
2 Protocol description
In a d-dimensional quantum system, the Bell state can be denoted as
where \(u,v \in \{ 0,1, \ldots ,d - 1\}\), and ⊕ represents the addition modulo d. In addition, the Z-basis in the d-dimensional quantum system can be represented by
Suppose that the classical user \(P_{n}\) owns a secret integer string \(p_{n} = \{ p_{n}^{1},p_{n}^{2}, \ldots ,p_{n}^{L}\}\), where \(p_{n}^{i} \in \{ 0,1, \ldots ,h\}\), \(h = \frac{d - 1}{2}\), \(n = 1,2, \ldots ,N\) and \(i = 1,2, \ldots ,L\). Here, since h needs to be greater than or equal to 1, d is an odd integer greater than or equal to 3. In addition, N classical users share a private key sequence \(K = \{ k_{1},k_{2}, \ldots ,k_{L}\}\) beforehand by virtue of the d-dimensional quantum system version of the secure mediated semiquantum key distribution (SQKD) protocol in Ref. [35], where \(k_{i} \in \{ 0,1, \ldots ,d - 1\}\) and \(i = 1,2, \ldots ,L\). Note that the d-dimensional quantum system version of the mediated SQKD protocol in Ref. [35] can be derived after quantum TP generates the qudits randomly in the \(T_{1}\) basis and then sends them out in Step i. Furthermore, there are two TPs, i.e., the quantum TP \(TP_{1}\) and the classical TP \(TP_{2}\), where \(TP_{1}\) and \(TP_{2}\) are allowed to impose any attack but cannot conspire with others. The proposed MSQPC protocol with two supervisors is composed of the following steps. Here, the quantum channels used in the proposed protocol are assumed to be ideal.
Step 1: \(TP_{1}\) generates N groups of 8L d-dimensional Bell states, where \(\{ \vert \phi _{u_{n}^{1},v_{n}^{1}} \rangle , \vert \phi _{u_{n}^{2},v_{n}^{2}} \rangle , \ldots , \vert \phi _{u_{n}^{8L},v_{n}^{8L}} \rangle \}\) denotes the nth group Bell states and \(n = 1,2, \ldots ,N\). \(TP_{1}\) records the value of \(V_{n}\), where \(V_{n} = \{ v_{n}^{1},v_{n}^{2}, \ldots ,v_{n}^{8L}\}\). Here, \(v_{n}^{l}\) is the second label of the lth Bell state in the nth group, \(n = 1,2, \ldots ,N\) and \(l = 1,2, \ldots ,8L\). Then, \(TP_{1}\) makes the first particles of the nth group Bell states to form sequence \(S_{n}\) and the second particles of the nth group Bell states to form sequence \(M_{n}\). Here, \(S_{n} = \{ S_{n}^{1},S_{n}^{2}, \ldots ,S_{n}^{8L}\}\), \(M_{n} = \{ M_{n}^{1},M_{n}^{2}, \ldots ,M_{n}^{8L}\}\), \(S_{n}^{l}\) is the first particle of the lth Bell state in the nth group, \(M_{n}^{l}\) is the second particle of the lth Bell state in the nth group, \(n = 1,2, \ldots ,N\) and \(l = 1,2, \ldots ,8L\). Afterward, \(TP_{1}\) transmits \(S_{n}\) to \(P_{n}\) and keeps \(M_{n}\) on her hand, where \(n = 1,2, \ldots ,N\). Except the first particle, the next particle of \(S_{n}\) is sent out by \(TP_{1}\) only after she obtains the previous one from \(TP_{2}\).
Step 2: When receiving the lth particle of \(S_{n}\), \(P_{n}\) randomly chooses one mode between the REFLECT mode and the MEASURE mode, where \(l = 1,2, \ldots ,8L\). Here, the REFLECT mode means that the receiver returns the received particle directly to the sender, while the MEASURE mode means that the receiver uses the \(T_{1}\) basis to measure the received particle, generates a fresh particle in the same state as the received particle and sends the fresh particle back to the sender. \(P_{n}\) writes down her measurement results when choosing the MEASURE mode. Let \(S_{n}' = \{ S_{n}^{1'},S_{n}^{2'}, \ldots ,S_{n}^{8L'}\}\) denote the new sequence derived from \(P_{n}\)’s operations on \(S_{n}\), where \(n = 1,2, \ldots ,N\). Then, \(P_{n}\) transmits \(S_{n}'\) to \(TP_{2}\).
Step 3: \(TP_{2}\) also randomly chooses one mode between the REFLECT mode and the MEASURE mode for the lth particle of \(S_{n}'\), where \(l = 1,2, \ldots ,8L\). \(TP_{2}\) also writes down her measurement results when selecting the MEASURE mode. Let \(S_{n}^{\prime \prime } = \{ S_{n}^{1''},S_{n}^{2''}, \ldots ,S_{n}^{8L''}\}\) denote the new sequence derived from \(TP_{2}\)’s operations on \(S_{n}'\), where \(n = 1,2, \ldots ,N\). Afterward, \(TP_{2}\) transmits \(S_{n}^{\prime \prime }\) to \(TP_{1}\).
Step 4: After \(TP_{1}\) receives all particles of \(S_{n}^{\prime \prime }\) from \(TP_{2}\), \(P_{n}\) and \(TP_{2}\) announce their operation modes, respectively, where \(n = 1,2, \ldots ,N\). Then, \(TP_{1}\), \(TP_{2}\) and \(P_{n}\) take the corresponding actions according to Table 1.
Case 1: both \(P_{n}\) and \(TP_{2}\) have entered into the REFLECT mode. \(TP_{1}\) imposes the d-dimensional Bell basis measurement on particles \(S_{n}^{l''}\) and \(M_{n}^{l}\), where \(l \in \{ 1,2, \ldots ,8L \}\). Through the comparison of her measurement results and the corresponding initial prepared Bell states, \(TP_{1}\) can know whether an eavesdropper is on line or not. If an eavesdropper is on line, the communication will be aborted;
Case 2: \(P_{n}\) and \(TP_{2}\) have entered into the REFLECT mode and the MEASURE mode, respectively. \(TP_{2}\) publishes the state of particle \(S_{n}^{l''}\) to \(TP_{1}\), while \(TP_{1}\) adopts the \(T_{1}\) basis to measure particle \(S_{n}^{l''}\) and particle \(M_{n}^{l}\), where \(l \in \{ 1,2, \ldots ,8L \}\). Through comparing her measurement results on the received particles of \(S_{n}^{\prime \prime }\) in this Case, her measurement results on the corresponding particles in \(M_{n}\) and \(TP_{2}\)’s publishments, \(TP_{1}\) can know whether an eavesdropper is on line or not. If an eavesdropper is on line, the communication will be aborted;
Case 3: \(P_{n}\) and \(TP_{2}\) have entered into the MEASURE mode and the REFLECT mode, respectively. \(P_{n}\) publishes the state of particle \(S_{n}^{l'}\) to \(TP_{1}\), while \(TP_{1}\) adopts the \(T_{1}\) basis to measure particle \(S_{n}^{l''}\) and particle \(M_{n}^{l}\), where \(l \in \{ 1,2, \ldots ,8L \}\). Through comparing her measurement results on the received particles of \(S_{n}^{\prime \prime }\) in this Case, her measurement results on the corresponding particles in \(M_{n}\) and \(P_{n}\)’s publishments, \(TP_{1}\) can know whether an eavesdropper is on line or not. If an eavesdropper is on line, the communication will be aborted;
Case 4: both \(P_{n}\) and \(TP_{2}\) have entered into the MEASURE mode. \(TP_{1}\) randomly picks out half particles of \(S_{n}^{\prime \prime }\) from the ones belonging to Case 4, and informs \(P_{n}\) and \(TP_{2}\) of the chosen positions. For each chosen position, \(P_{n}\) and \(TP_{2}\) publishes the states of particles \(S_{n}^{l'}\) and \(S_{n}^{l''}\), respectively, while \(TP_{1}\) measures particle \(S_{n}^{l''}\) and particle \(M_{n}^{l}\) with the \(T_{1}\) basis, where \(l \in \{ 1,2, \ldots ,8L \}\). \(TP_{1}\) can know whether an eavesdropper is on line or not by comparing her measurement results on these chosen particles of \(S_{n}^{\prime \prime }\), her measurement results on the corresponding particles of \(M_{n}\) and the publishments from \(P_{n}\) and \(TP_{2}\). If an eavesdropper is on line, the communication will be aborted.
Step 5: \(TP_{1}\) counts the number of the remaining particles of \(S_{n}^{\prime \prime }\) belonging to Case 4. If this number is less than L, the communication will be halted and restarted from Step 1.
\(P_{n}\), \(TP_{1}\) and \(TP_{2}\) select the first L particles from the remaining ones of \(S_{n}^{\prime \prime }\) belonging to Case 4 to accomplish private comparison. Let \(s_{n} = \{ s_{n}^{1},s_{n}^{2}, \ldots ,s_{n}^{L}\}\) denote the measurement results of \(S_{n}\) from \(P_{n}\) on these L chosen positions, where \(s_{n}^{i} \in \{ 0,1, \ldots ,d - 1\}\), \(n = 1,2, \ldots ,N\) and \(i = 1,2, \ldots ,L\). Note that \(TP_{1}\) and \(TP_{2}\) can naturally know \(s_{n}\). Then, \(P_{n}\) computes
Finally, \(P_{n}\) sends \(f_{n}^{i}\) to \(TP_{1}\) via an authenticated classical channel.
Step 6: \(TP_{1}\) uses the \(T_{1}\) basis to measure the L particles of \(M_{n}\) corresponding to the first L particles from the remaining ones of \(S_{n}^{\prime \prime }\) belonging to Case 4 in Step 5, where \(n = 1,2, \ldots ,N\). Let \(m_{n} = \{ m_{n}^{1},m_{n}^{2}, \ldots ,m_{n}^{L}\}\) represent \(TP_{1}\)’s measurement results on these L particles of \(M_{n}\), where \(m_{n}^{i} \in \{ 0,1, \ldots ,d - 1\}\) and \(i = 1,2, \ldots ,L\). Then, \(TP_{1}\) calculates
Afterward, \(TP_{1}\) computes
where \(n' = 1,2, \ldots ,N\) and \(n' \ne n\). After that, \(TP_{1}\) makes
Here, \(y ( c_{nn'}^{i} ) = - 1\) implies \(p_{n}^{i} < p_{n'}^{i}\); \(y ( c_{nn'}^{i} ) = 0\) implies \(p_{n}^{i} = p_{n'}^{i}\); \(y ( c_{nn'}^{i} ) = 1\) implies \(p_{n}^{i} > p_{n'}^{i}\). Finally, \(TP_{1}\) informs \(P_{1},P_{2}, \ldots ,P_{N}\) of the final comparison results.
Now we finish the description of the procedure of the proposed MSQPC protocol. For clarity, we show its procedure in Fig. 1 after the processes of eavesdropping detection are neglected.
3 Correctness analysis
3.1 Output correctness
According to Eq. (1), a d-dimensional Bell state is collapsed into \(\vert t \rangle \vert t \oplus v \rangle \) after its two particles are measured with the \(T_{1}\) basis, where \(t,v \in \{ 0,1, \ldots ,d - 1\}\). Based on this, we can infer
After inserting Eq. (3) into Eq. (4), we have
According to Eq. (7) and Eq. (8), we can obtain
In the light of Eq. (5) and Eq. (9), we can calculate
Here, \(n = 1,2, \ldots ,N\) and \(i = 1,2, \ldots ,L\). In accordance with \(p_{n}^{i} \in \{ 0,1, \ldots ,h\}\) and \(h = \frac{d - 1}{2}\), we can conclude from Eq. (6) and Eq. (10) that when \(h < p_{n}^{i}\ominus p_{n'}^{i} \le 2h\), i.e., \(y(c_{nn'}^{i}) = - 1\), it has \(p_{n}^{i} < p_{n'}^{i}\); when \(p_{n}^{i}\ominus p_{n'}^{i} = 0\), i.e., \(y(c_{nn'}^{i}) = 0\), it has \(p_{n}^{i} = p_{n'}^{i}\); when \(0 < p_{n}^{i}\ominus p_{n'}^{i} \le h\), i.e., \(y(c_{nn'}^{i}) = 1\), it has \(p_{n}^{i} > p_{n'}^{i}\). It can be concluded now that the comparison results of this protocol are accurate.
3.2 Examples
In order to further prove the output correctness of this protocol, a concrete example is given in detail. Suppose that \(d = 13\), which implies \(h = 6\); \(P_{1}\), \(P_{2}\), \(P_{3}\), \(P_{4}\) are four classical users; \(p_{1}^{1} = 4\), \(p_{2}^{1} = 5\), \(p_{3}^{1} = 0\), \(p_{4}^{1} = 4\); \(k_{1} = 10\); \(v_{1}^{1} = 4\), \(v_{2}^{1} = 7\), \(v_{3}^{1} = 6\), \(v_{4}^{1} = 2\) and \(s_{1}^{1} = 3\), \(s_{2}^{1} = 8\), \(s_{3}^{1} = 11\), \(s_{4}^{1} = 6\), which implies \(m_{1}^{1} = 7\), \(m_{2}^{1} = 2\), \(m_{3}^{1} = 4\), \(m_{4}^{1} = 8\). In accordance with Eq. (3), \(P_{1}\), \(P_{2}\), \(P_{3}\), \(P_{4}\) calculate \(f_{1}^{1} = 4 \oplus 3 \oplus 10 = 4\), \(f_{2}^{1} = 5 \oplus 8 \oplus 10 = 10\), \(f_{3}^{1} = 0 \oplus 11 \oplus 10 = 8\) and \(f_{4}^{1} = 4 \oplus 6 \oplus 10 = 7\), respectively. After receiving \(f_{1}^{1}\), \(f_{2}^{1}\), \(f_{3}^{1}\), \(f_{4}^{1}\), by virtue of Eq. (4), \(TP_{1}\) obtains \(g_{1}^{1} = 4\ominus 7 \oplus 4 = 1\), \(g_{2}^{1} = 10\ominus 2 \oplus 7 = 2\), \(g_{3}^{1} = 8\ominus 4 \oplus 6 = 10\) and \(g_{4}^{1} = 7\ominus 8 \oplus 2 = 1\). Then, by using Eq. (5), \(TP_{1}\) gets \(c_{12}^{1} = 1\ominus 2 = 12\), \(c_{13}^{1} = 1\ominus 10\ = 4\), \(c_{14}^{1} = 1\ominus 1 = 0\), \(c_{23}^{1} = 2\ominus 10 = 5\), \(c_{24}^{1} = 2\ominus 1 = 1\) and \(c_{34}^{1} = 10\ominus 1 = 9\). Furthermore, based on Eq. (6), \(TP_{1}\) can acquire \(y(c_{12}^{1}) = - 1\), \(y(c_{13}^{1}) = 1\), \(y(c_{14}^{1}) = 0\), \(y(c_{23}^{1}) = 1\), \(y(c_{24}^{1}) = 1\) and \(y(c_{34}^{1}) = - 1\), which means \(p_{1}^{1} < p_{2}^{1}\), \(p_{1}^{1} > p_{3}^{1}\), \(p_{1}^{1} = p_{4}^{1}\), \(p_{2}^{1} > p_{3}^{1}\), \(p_{2}^{1} > p_{4}^{1}\) and \(p_{3}^{1} < p_{4}^{1}\). In conclusion, it can be obtained that \(p_{3}^{1} < p_{1}^{1} = p_{4}^{1} < p_{2}^{1}\). We can draw the conclusion now that the comparison results of this example are right.
4 Security analysis
4.1 Outside attacks
In the following, we analyze three famous kinds of attack launched by an outside eavesdropper, Eve, who aims to obtain \(p_{n}\), where \(n = 1,2, \ldots ,N\).
(1) The intercept-resend attack
There are three kinds of intercept-resend attack need to be discussed.
Firstly, in Step 1, Eve intercepts the particle of \(S_{n}\) sent out from \(TP_{1}\) and transmits \(P_{n}\) the fake one produced in the \(T_{1}\) basis; then, in Step 2, Eve intercepts the particle of \(S_{n}'\) sent out from \(P_{n}\) and transmits \(TP_{2}\) the intercepted original genuine particle of \(S_{n}\). When both \(P_{n}\) and \(TP_{2}\) choose the REFLECT mode, Eve leaves no trace for her attack and cannot be discovered in Step 4; when \(P_{n}\) and \(TP_{2}\) choose the REFLECT mode and the MEASURE mode, respectively, the presence of Eve cannot be found in Step 4 either; when \(P_{n}\) and \(TP_{2}\) choose the MEASURE mode and the REFLECT mode, respectively, the eavesdropping behavior of Eve can be discovered with the probability of \(\frac{d - 1}{d}\) in Step 4; when both \(P_{n}\) and \(TP_{2}\) choose the MEASURE mode, the probability that \(P_{n}\)’s measurement result on the fake particle from Eve is not same to \(TP_{2}\)’s measurement result on the particle of \(S_{n}\) is \(\frac{d - 1}{d}\), and the probability that this particle position is chosen for security check is \(\frac{1}{2}\), so the probability that Eve can be detected is \(\frac{d - 1}{2d}\) in Step 4.
Secondly, in Step 1, Eve intercepts the particle of \(S_{n}\) sent out from \(TP_{1}\) and transmits \(P_{n}\) the fake one generated in the \(T_{1}\) basis; then, in Step 3, Eve intercepts the particle of \(S_{n}^{\prime \prime }\) sent out from \(TP_{2}\) and transmits \(TP_{1}\) the intercepted original genuine particle of \(S_{n}\). Considering that \(P_{n}\) chooses the REFLECT mode, when \(TP_{2}\) chooses the REFLECT mode, Eve leaves no trace for her attack and cannot be discovered in Step 4; when \(TP_{2}\) chooses the MEASURE mode, the eavesdropping behavior of Eve can be discovered with the probability of \(\frac{d - 1}{d}\) in Step 4. Considering that \(P_{n}\) chooses the MEASURE mode, when \(TP_{2}\) chooses the REFLECT mode, the probability that Eve can be discovered is \(\frac{d - 1}{d}\) in Step 4; when \(TP_{2}\) chooses the MEASURE mode, the probability that \(P_{n}\)’s measurement result on the fake particle from Eve is not identical to \(TP_{1}\)’s measurement result on the particle of \(S_{n}\) is \(\frac{d - 1}{d}\), and the probability that this particle position is chosen for security check is \(\frac{1}{2}\), so the presence of Eve can be detected with the probability of \(\frac{d - 1}{2d}\) in Step 4.
Thirdly, in Step 2, Eve intercepts the particle of \(S_{n}'\) sent out from \(P_{n}\) and transmits \(TP_{2}\) the fake one produced in the \(T_{1}\) basis; then, in Step 3, Eve intercepts the particle of \(S_{n}^{\prime \prime }\) sent out from \(TP_{2}\) and transmits \(TP_{1}\) the intercepted original genuine particle of \(S_{n}'\). Considering that \(TP_{2}\) chooses the REFLECT mode, no matter what mode \(P_{n}\) chooses, the eavesdropping behavior of Eve cannot be discovered in Step 4. Considering that \(TP_{2}\) chooses the MEASURE mode, when \(P_{n}\) chooses the REFLECT mode, the presence of Eve can be detected with the probability of \(\frac{d - 1}{d}\) in Step 4; when \(P_{n}\) chooses the MEASURE mode, the probability that \(P_{n}\)’s measurement result on the particle of \(S_{n}\) is not identical to \(TP_{2}\)’s measurement result on the fake particle from Eve is \(\frac{d - 1}{d}\), and the probability that this particle position is chosen for security check is \(\frac{1}{2}\), so the probability that Eve can be discovered is \(\frac{d - 1}{2d}\) in Step 4.
In short, Eve cannot acquire any useful information without being detected by launching the intercept-resend attack.
(2) The measure-resend attack
Eve intercepts the particle of \(S_{n}/S_{n}'/S_{n}^{\prime \prime }\) sent out from \(TP_{1}/P_{n}/TP_{2}\), employs the \(T_{1}\) basis to measure it and transmits \(P_{n}/TP_{2}/TP_{1}\) the resulted state. If at least one of \(P_{n}\) and \(TP_{2}\) chooses the MEASURE mode, the eavesdropping behavior of Eve cannot be detected. Considering that both \(P_{n}\) and \(TP_{2}\) choose the REFLECT mode, the measurement of Eve destroys the entanglement of two qudits within a d-dimensional Bell state, which makes her presence be discovered with the probability of \(\frac{d - 1}{d}\).
To sum up, when Eve performs the measure-resend attack on the transmitted particle, she cannot get any useful information without being discovered.
(3) The entangle-measure attack
Eve may launch her entangle-measure attack shown in Fig. 2: she performs the unitary operation \(U_{E}\) on the particle of \(S_{n}\) sent out from \(TP_{1}\) in Step 1 and imposes the unitary operation \(U_{F}\) on the particle of \(S_{n}'\) sent out from \(P_{n}\) in Step 2, where a common probe space is shared by \(U_{E}\) and \(U_{F}\) with the initial state \(\vert E \rangle \). As illustrated in Ref. [22], the shared probe permits Eve to launch the attack on the particle of \(S_{n}'\) in accordance with the knowledge gained from \(U_{E}\).
Theorem 1
Suppose that Eve performs \(U_{E}\) on the particle of \(S_{n}\) sent out from \(TP_{1}\) in Step 1 and imposes \(U_{F}\) on the particle of \(S_{n}'\) sent out from \(P_{n}\) in Step 2. In order to incur no error in Step 4, the final state of Eve’s probe should be independent of not only the operation of \(P_{n}\), \(TP_{2}\) and \(TP_{1}\) but also their measurement results. Consequently, Eve has no knowledge about \(s_{n}\).
Proof
According to Ref. [31], the effect of \(U_{E}\) on the particle prepared in the \(T_{1}\) basis and Eve’s probe can be described as
Here, the probe \(\vert \varepsilon _{tt'} \rangle \) are decided by \(U_{E}\), \(\sum_{t' = 0}^{d - 1} \vert \alpha _{tt'} \vert ^{2} = 1\) and \(t = 0,1, \ldots ,d - 1\). When Eve performs \(U_{E}\) on the particle of \(S_{n}\) sent out from \(TP_{1}\) in Step 1, we have
After inserting Eq. (11) into Eq. (12), we have
Firstly, consider the situation that \(P_{n}\) chooses the MEASURE mode for the particle of \(S_{n}\) sent out from \(TP_{1}\). Consequently, in accordance with Eq. (13), the whole quantum system is collapsed into \(\vert t' \rangle ( \sum_{t = 0}^{d - 1} e^{\frac{2\pi itu}{d}} \alpha _{tt'} \vert t \oplus v \rangle \vert \varepsilon _{tt'} \rangle )\) when the measurement result of \(P_{n}\) is \(\vert t' \rangle \), where \(t' = 0,1, \ldots ,d - 1\).
Eve imposes \(U_{F}\) on the particle of \(S_{n}'\) sent out from \(P_{n}\). In order that Eve’s attacks cannot be detected in Step 4, no matter what mode \(TP_{2}\) chooses for the particle of \(S_{n}'\) sent out from \(P_{n}\), the whole quantum system should be
when the measurement result of \(P_{n}\) is \(\vert t' \rangle \).
Secondly, consider the situation that \(P_{n}\) chooses the REFLECT mode for the particle of \(S_{n}\) sent out from \(TP_{1}\). As a result, the whole quantum system after the operation of \(P_{n}\) is \(\frac{1}{\sqrt{d}} \sum_{t' = 0}^{d - 1} \vert t' \rangle ( \sum_{t = 0}^{d - 1} e^{\frac{2\pi itu}{d}} \alpha _{tt'} \vert t \oplus v \rangle \vert \varepsilon _{tt'} \rangle )\).
Eve imposes \(U_{F}\) on the particle of \(S_{n}'\) sent out from \(P_{n}\). Assume that \(TP_{2}\) also chooses the REFLECT mode for the particle of \(S_{n}'\) sent out from \(P_{n}\). As a result, the whole quantum system after the operation of \(TP_{2}\) is
Inserting Eq. (14) into Eq. (15) produces
For Eve’s attacks not being discovered in Step 4, the probability that the measurement result of \(TP_{1}\) is \(\vert \phi _{u,v} \rangle \) should be 1. Thus, it can be derived from Eq. (1) and Eq. (16) that
Inserting Eq. (17) into Eq. (14) generates
Inserting Eq. (17) into Eq. (16) generates
Thirdly, consider the situation that \(P_{n}\) chooses the REFLECT mode for the particle of \(S_{n}\) sent out from \(TP_{1}\), while \(TP_{2}\) chooses the MEASURE mode for the particle of \(S_{n}'\) sent out from \(P_{n}\). It is easy to find that as long as Eq. (19) stands, Eve naturally leaves no trace in this situation and cannot be detected in Step 4.
It can be concluded from Eq. (18) and Eq. (19) that, when Eve performs \(U_{E}\) on the particle of \(S_{n}\) sent out from \(TP_{1}\) in Step 1 and imposes \(U_{F}\) on the particle of \(S_{n}'\) sent out from \(P_{n}\) in Step 2, in order to incur no error in Step 4, the final state of Eve’s probe should be independent of not only the operation of \(P_{n}\), \(TP_{2}\) and \(TP_{1}\) but also their measurement results. Consequently, Eve has no knowledge about \(s_{n}\).
On the other hand, Eve may launch other two entangle-measure attacks: (1) Eve imposes \(U_{E}\) on the particle sent out from \(P_{n}\) and imposes \(U_{F}\) on the particle sent out from \(TP_{2}\); (2) Eve performs \(U_{E}\) on the particle sent out from \(TP_{1}\) and performs \(U_{F}\) on the particle sent out from \(TP_{2}\). We can prove in a similar way to the above deduction and conclude that Eve still has no way to acquire any useful information about \(s_{n}\) under these two circumstances. □
4.2 Participant attacks
In the following, we analyze the security of this protocol towards the participant attack, which was first discovered by Gao et al. [36] in 2007.
(1) The participant attack from one dishonest user
In this protocol, \(P_{1},P_{2}, \ldots ,P_{N}\) act equally. Here, we suppose that \(P_{1}\) is the only dishonest user aiming to get \(P_{a}\)’s secret integer string \(p_{a}\), where \(a = 2,3, \ldots ,N\). In order to achieve this goal, \(P_{1}\) may launch her different attacks on \(S_{a}/S_{a}'/S_{a}^{\prime \prime }\) sent out from \(TP_{1}/P_{a}/TP_{2}\). However, \(P_{1}\) is independent from \(TP_{1}\), \(TP_{2}\) and \(P_{a}\), which makes her actually act as an outside eavesdropper. According to Sect. 4.1, \(P_{1}\) has no chance to acquire \(p_{a}\) without being discovered.
In addition, \(P_{1}\) may get \(f_{a}^{i}\) sent out from \(P_{a}\) in Step 5, but she has no way to infer out \(p_{a}^{i}\), because she cannot acquire \(s_{a}^{i}\). Furthermore, although \(TP_{1}\) informs \(P_{1}\) of the final comparison results in Step 6, \(P_{1}\) still has no opportunity to acquire \(p_{a}^{i}\). Here, \(a = 2,3, \ldots ,N\) and \(i = 1,2, \ldots ,L\).
(2) The participant attack from more than one dishonest user
The worst case is that the number of dishonest users is \(N - 1\). Assume that the \(N - 1\) dishonest users are \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\), colluding together to extract \(p_{b}\), where \(b = 2,3, \ldots ,N - 1\). It is obvious that the union of \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\) is independent from \(TP_{1}\), \(TP_{2}\) and \(P_{b}\). \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\) may implement their attacks on \(S_{b}/S_{b}'/S_{b}^{\prime \prime }\) sent out from \(TP_{1}/P_{b}/TP_{2}\). However, they essentially play the role of an outside eavesdropper and are undoubtedly detected according to Sect. 4.1.
Besides, \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\) may get \(f_{b}^{i}\) sent out from \(P_{b}\) in Step 5. But they have no knowledge about \(s_{b}^{i}\) so that they have no way to infer out \(p_{b}^{i}\). Furthermore, although \(TP_{1}\) informs \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\) of the final comparison results in Step 6, \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\) still has no opportunity to acquire \(p_{b}^{i}\). Here, \(b = 2,3, \ldots ,N - 1\) and \(i = 1,2, \ldots ,L\).
(3) The participant attack from \(TP_{1}\)
\(TP_{1}\) is assumed to be semi-honest in this protocol. On one hand, \(TP_{1}\) obtains \(f_{n}^{i}\) from \(P_{n}\) in Step 5, where \(n = 1,2, \ldots ,N\) and \(i = 1,2, \ldots ,L\). However, due to lack of \(k_{i}\), \(TP_{1}\) cannot extract \(p_{n}^{i}\) based on \(f_{n}^{i}\) and \(s_{n}^{i}\). On the other hand, \(TP_{1}\) obtains the final comparison results in Step 6. Unfortunately, it is useless for her to acquire \(p_{n}^{i}\).
(4) The participant attack from \(TP_{2}\)
\(TP_{2}\) is assumed to be semi-honest in this protocol. \(TP_{2}\) may receive \(f_{n}^{i}\) from \(P_{n}\) in Step 5, but she has no way to acquire \(p_{n}^{i}\) based on \(f_{n}^{i}\) and \(s_{n}^{i}\), being short of \(k_{i}\). In addition, although the final comparison results may be received by \(TP_{2}\) from \(TP_{1}\) in Step 6, she still has no opportunity to acquire \(p_{n}^{i}\). Here, \(n = 1,2, \ldots ,N\) and \(i = 1,2, \ldots ,L\).
5 Discussions and conclusions
As this protocol is achieved in the d-dimensional quantum system, here we adopt the qudit efficiency defined in Eq. (20) [31] to evaluate its efficiency:
where x, y and z are the length of compared private integer string, the number of consumed qudits and the length of required classical information, respectively. Note that we do not consider the classical resources required for eavesdropping detections.
In this protocol, the length of \(p_{n}\) is L, which implies \(x = L\). \(TP_{1}\) produces N groups of 8L d-dimensional Bell states, lets the first particles of the nth group Bell states make up \(S_{n}\) and the second particles of the nth group Bell states make up \(M_{n}\), and transmits \(S_{n}\) to \(P_{n}\); after receiving \(S_{n}\) from \(TP_{1}\), when \(P_{n}\) chooses the MEASURE mode, she produces 4L fresh qudits; after receiving \(S_{n}'\) from \(P_{n}\), \(TP_{2}\) produces 4L fresh qudits when she chooses the MEASURE mode; here, \(n = 1,2, \ldots ,N\); \(P_{1},P_{2}, \ldots ,P_{N}\) share K in advance through the d-dimensional quantum system version of the secure mediated SQKD protocol in Ref. [35], which consumes \(4L ( 2^{N} + \delta ) + 2L ( 2^{N} + \delta ) \times N\) qudits; so it has \(y = (16L + 4L + 4L) \times N + 4L ( 2^{N} + \delta ) + 2L ( 2^{N} + \delta ) \times N = 24NL + 2L ( N + 2 ) ( 2^{N} + \delta )\). Furthermore, \(P_{n}\) transmit \(f_{n}^{i}\) to \(TP_{1}\), where \(i = 1,2, \ldots ,L\), so it has \(z = L \times N = NL\). Hence, this protocol’s qudit efficiency is \(\eta = \frac{L}{24NL + 2L ( N + 2 ) ( 2^{N} + \delta ) + NL} = \frac{1}{25N + 2 ( N + 2 ) ( 2^{N} + \delta )}\).
This protocol is further compared with the SQPC protocols of size relationship in Refs. [30–34], as listed in Table 2. By virtue of Table 2, we can conclude that this protocol takes advantage over the protocol of Ref. [34] in quantum resource, as the preparation of d-dimensional Bell state is easier than d-dimensional GHZ state; as for the usage of unitary operation, this protocol exceeds the second protocol of Ref. [32]; this protocol defeats the protocol of Ref. [34] in TP’s quantum measurement, due to no use of d-dimensional GHZ state measurements; and this protocol is the only one which can obtain the size relationship of more than two classical users’ secret integer strings within one round execution.
In addition, if we make all Bell states generated by \(TP_{1}\) in Step 1 be \(\vert \phi _{00} \rangle \), which implies to eliminate the need for \(V_{n}\), the modified protocol will be much simpler. However, we do not intend to do this, because the corresponding protocol with all Bell states generated by \(TP_{1}\) in the state of \(\vert \phi _{00} \rangle \) is just the special version of the proposed protocol with \(u_{n}^{l} = 0\) and \(v_{n}^{l} = 0\) for \(n = 1,2, \ldots ,N\) and \(l = 1,2, \ldots ,8L\).
Furthermore, in the proposed protocol, \(P_{n}\), \(TP_{1}\) and \(TP_{2}\) share \(s_{n}\) through quantum technology first; and then, \(P_{n}\) and \(TP_{1}\) conduct private comparison by using the classical method. \(P_{n}\) obtains \(s_{n}\) under the control of both \(TP_{1}\) and \(TP_{2}\). The generation of \(s_{n}\) can be regarded as the SQKD process where \(TP_{1}\) and \(TP_{2}\) cooperate to distribute \(s_{n}\) to \(P_{n}\). If we make \(P_{n}\) and \(TP_{1}\) directly share the key \(s_{n}\) using SQKD technology, and then implement the private comparison, the same correct private comparison results also can be derived. However, this alternative protocol doesn’t need the presence of \(TP_{2}\), which violates the aim of the proposed protocol, i.e., only under the permissions of both \(TP_{1}\) and \(TP_{2}\) can \(P_{1},P_{2}, \ldots ,P_{N}\) determine the size relationship of their private integer strings within one round execution.
To sum up, we construct a novel MSQPC protocol with two supervisors in this paper with d-dimensional Bell states, which aims to determine the size relationship of more than two classical users’ private integer strings under the control of two supervisors within one round execution. In other words, only under the permissions of both supervisors can the goal of this protocol be achieved. The two supervisors, i.e., one quantum TP and one classical TP, are both allowed to perform arbitrary attacks but cannot cooperate with anyone else. Both outside attacks and the participant attacks can be resisted by this protocol. Neither quantum entanglement swapping nor unitary operations are needed.
As far as the current technology is concerned, errors are possible in quantum communication with a certain probability, due to the presence of noise. In the paper, we are devoted to designing a theoretically feasible MSQPC protocol with two supervisors. The quantum channels of the proposed protocol are assumed to be ideal, so the possibility of introducing errors in quantum communication is not considered here. Because how to evaluate the influence of noise in quantum communication is very complicated, we will study this point in future.
In addition, how to apply SQKD with two degrees of freedom [37, 38] into SQPC [39, 40] is also worth of studying. How to convert SQPC into semiquantum summation [41, 42] and Semiquantum secret sharing [43] is also valuable to study.
Availability of data and materials
The datasets used during the current study are available from the corresponding author on reasonable request.
References
Yao AC. Protocols for secure computations. In: Proc. of the 23rd annual IEEE symposium on foundations of computer science. 1982. p. 160–4.
Yang YG, Wen QY. An efficient two-party quantum private comparison protocol with decoy photons and two-photon entanglement. J Phys A, Math Theor. 2009;42(5):055305.
Bennett CH, Brassard G. Quantum cryptography: public key distribution and coin tossing. In: Proceedings of the IEEE international conference on computers, systems and signal processing. Bangalore. 1984. p. 175–9.
Tseng HY, Lin J, Hwang T. New quantum private comparison protocol using EPR pairs. Quantum Inf Process. 2012;11:373–84.
Yang YG, Xia J, Jia X, Zhang H. Comment on quantum private comparison protocols with a semi-honest third party. Quantum Inf Process. 2013;12:877–85.
Ji ZX, Ye TY. Quantum private comparison of equal information based on highly entangled six-qubit genuine state. Commun Theor Phys. 2016;65(6):711–5.
Ye TY. Multi-party quantum private comparison protocol based on entanglement swapping of Bell entangled states. Commun Theor Phys. 2016;66(3):280–90.
Ye TY. Quantum private comparison via cavity QED. Commun Theor Phys. 2017;67(2):147–56.
Ye TY, Ji ZX. Two-party quantum private comparison with five-qubit entangled states. Int J Theor Phys. 2017;56(5):1517–29.
Ye TY, Ji ZX. Multi-user quantum private comparison with scattered preparation and one-way convergent transmission of quantum states. Sci China, Phys Mech Astron. 2017;60(9):090312.
Ji ZX, Ye TY. Multi-party quantum private comparison based on the entanglement swapping of d-level Cat states and d-level Bell states. Quantum Inf Process. 2017;16(7):177.
Ye CQ, Ye TY. Circular multi-party quantum private comparison with n-level single-particle states. Int J Theor Phys. 2019;58:1282–94.
Ye TY, Hu JL. Multi-party quantum private comparison based on entanglement swapping of Bell entangled states within d-level quantum system. Int J Theor Phys. 2021;60(4):1471–80.
Lin S, Sun Y, Liu XF, Yao ZQ. Quantum private comparison protocol with d-dimensional Bell states. Quantum Inf Process. 2013;12:559–68.
Guo FZ, Gao F, Qin SJ, Zhang J, Wen QY. Quantum private comparison protocol based on entanglement swapping of d-level Bell states. Quantum Inf Process. 2013;12(8):2793–802.
Luo QB, Yang GW, She K, Niu WN, Wang YQ. Multi-party quantum private comparison protocol based on d-dimensional entangled states. Quantum Inf Process. 2014;13:2343–52.
Ye CQ, Ye TY. Multi-party quantum private comparison of size relation with d-level single-particle states. Quantum Inf Process. 2018;17(10):252.
Song X, Wen A, Gou R. Multiparty quantum private comparison of size relation based on single-particle states. IEEE Access. 2019;99:1–7.
Cao H, Ma WP, Lü LD, He YF, Liu G. Multi-party quantum comparison of size based on d-level GHZ states. Quantum Inf Process. 2019;18:287.
Chen FL, Zhang H, Chen SG, Cheng WT. Novel two-party quantum private comparison via quantum walks on circle. Quantum Inf Process. 2021;20(5):1–19.
Wang B, Gong LH, Liu SQ. Multi-party quantum private size comparison protocol with d-dimensional Bell states. Front Phys. 2022;10:981376.
Boyer M, Kenigsberg D, Mor T. Quantum key distribution with classical Bob. Phys Rev Lett. 2007;99(14):140501.
Chou WH, Hwang T, Gu J. Semi-quantum private comparison protocol under an almost-dishonest third party. 2016. https://arxiv.org/abs/1607.07961.
Ye TY, Ye CQ. Measure-resend semi-quantum private comparison without entanglement. Int J Theor Phys. 2018;57(12):3819–34.
Thapliyal K, Sharma RD, Pathak A. Orthogonal-state-based and semi-quantum protocols for quantum private comparison in noisy environment. Int J Quantum Inf. 2018;16(5):1850047.
Lang YF. Semi-quantum private comparison using single photons. Int J Theor Phys. 2018;57:3048–55.
Lin PH, Hwang T, Tsai CW. Efficient semi-quantum private comparison using single photons. Quantum Inf Process. 2019;18:207.
Jiang LZ. Semi-quantum private comparison based on Bell states. Quantum Inf Process. 2020;19:180.
Ye CQ, Li J, Chen XB, Yuan T. Efficient semi-quantum private comparison without using entanglement resource and pre-shared key. Quantum Inf Process. 2021;20:262.
Zhou NR, Xu QD, Du NS, Gong LH. Semi-quantum private comparison protocol of size relation with d-dimensional Bell states. Quantum Inf Process. 2021;20:124.
Geng MJ, Xu TJ, Chen Y, Ye TY. Semiquantum private comparison of size relationship based d-level single-particle states. Sci China, Ser G, Phys Mech Astron. 2022;52(9):290311.
Li YC, Chen ZY, Xu QD, Gong LH. Two semi-quantum private comparison protocols of size relation based on single particles. Int J Theor Phys. 2022;61:157.
Luo QB, Li XY, Yang GW, Lin C. A mediated semi-quantum protocol for millionaire problem based on high-dimensional Bell states. Quantum Inf Process. 2022;21:257.
Wang B, Liu SQ, Gong LH. Semi-quantum private comparison protocol of size relation with d-dimensional GHZ states. Chin Phys B. 2022;31:010302.
Zhang XZ, Gong WG, Tan YG, Ren ZZ, Guo XT. Quantum key distribution series network protocol with M-classical Bobs. Chin Phys B. 2009;18(6):2143.
Gao F, Qin SJ, Wen QY, Zhu FC. A simple participant attack on the Bradler-Dusek protocol. Quantum Inf Comput. 2007;7:329.
Ye TY, Geng MJ, Xu TJ, Chen Y. Efficient semiquantum key distribution based on single photons in both polarization and spatial-mode degrees of freedom. Quantum Inf Process. 2022;21(4):123.
Ye TY, Li HK, Hu JL. Semi-quantum key distribution with single photons in both polarization and spatial-mode degrees of freedom. Int J Theor Phys. 2020;59(9):2807.
Ye TY, Lian JY. A novel multi-party semiquantum private comparison protocol of size relationship with d-dimensional single-particle states. Physica A. 2023;611:128424.
Geng MJ, Chen Y, Xu TJ, Ye TY. Single-state semiquantum private comparison based on Bell states. EPJ Quantum Technol. 2022;9:36.
Ye TY, Xu TJ, Geng MJ, Ying C. Two-party secure semiquantum summation against the collective-dephasing noise. Quantum Inf Process. 2022;21:118.
Hu JL, Ye TY. Three-party secure semiquantum summation without entanglement among quantum user and classical users. Int J Theor Phys. 2022;61(6):170.
Chen Y, Ye TY. Semiquantum secret sharing by using χ-type states. Eur Phys J Plus. 2022;137(12):1331.
Acknowledgements
The authors would like to thank the anonymous reviewers for their valuable comments that help enhancing the quality of this paper.
Funding
The National Natural Science Foundation of China (Grant No.62071430 and No.61871347) and the Fundamental Research Funds for the Provincial Universities of Zhejiang (Grant No.JRK21002).
Author information
Authors and Affiliations
Contributions
Jiang-Yuan Lian designed the protocol, conducted partial security analysis and wrote the manuscript; Xia Li conducted partial security analysis; and Tian-Yu Ye checked the protocol and the whole security analysis and reviewed the paper
Corresponding author
Ethics declarations
Ethics approval and consent to participate
Not applicable
Consent for publication
Not applicable
Competing interests
The authors declare no competing interests.
Additional information
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Lian, JY., Li, X. & Ye, TY. Multi-party semiquantum private comparison of size relationship with d-dimensional Bell states. EPJ Quantum Technol. 10, 10 (2023). https://doi.org/10.1140/epjqt/s40507-023-00167-0
Received:
Accepted:
Published:
DOI: https://doi.org/10.1140/epjqt/s40507-023-00167-0
Keywords
- Multi-party semiquantum private comparison
- d-dimensional Bell states
- Semi-honest third party
- Size relationship