Hybrid protocols for multiparty semiquantum private comparison, multiplication and summation without a pre-shared key based on d-dimensional single-particle states
EPJ Quantum Technology volume 11, Article number: 17 (2024)
Abstract
In this paper, by utilizing d-dimensional single-particle states, three semiquantum cryptography protocols, i.e., the multiparty semiquantum private comparison (MSQPC) protocol, the multiparty semiquantum multiplication (MSQM) protocol and the multiparty semiquantum summation (MSQS) protocol, can be achieved simultaneously under the assistance of two semi-honest quantum third parties (TPs). Here, the proposed MSQPC scheme is the only protocol which is devoted to judging the size relationship of secret integers from more than two semiquantum participants without a pre-shared key. The proposed MSQM protocol absorbs the innovative concept of semiquantumness into quantum multiplication for the first time, and can calculate the modulo d multiplication of private inputs from more than two semiquantum users. As for the proposed MSQS protocol, it is the only semiquantum summation protocol which aims to accomplish the modulo d addition of more than three semiquantum users’ private integers. Neither quantum entanglement swapping nor unitary operations are necessary in the three proposed protocols. The security analysis verifies in detail that both the external attacks and the internal attacks can be resisted in the three proposed protocols.
1 Introduction
In 1984, the pioneering protocol of quantum cryptography, later known as the BB84 protocol, was proposed by Bennett and Brassard [1]. As a quantum key distribution (QKD) protocol, BB84 successfully integrated quantum mechanics into classical cryptography by employing the polarization of single photons. Since then, plenty of quantum cryptography protocols [1–39] have been proposed, which can be categorized into quantum secret sharing (QSS) [2–10], quantum private comparison (QPC) [11–19], quantum multiplication (QM) [20–25], quantum summation (QS) [20–22, 26–36], quantum blockchain [37, 38], quantum secure multiparty computation [39] and so on. The application of quantum cryptography to practical circumstances, for example, applying a quantum cryptographic protocol to vehicular communication [40], has also been explored. Different from classical cryptography, quantum cryptography theoretically provides unconditional security based on the laws of quantum mechanics. Nevertheless, not everyone can afford the expensive quantum devices.
Thereupon, the novel concept of semiquantumness was put forward by Boyer et al. [41, 42] in 2007, which marks the birth of semiquantum cryptography. Unlike quantum cryptography schemes, semiquantum cryptography schemes [41–44] don’t require semiquantum participants to prepare or measure quantum superposition states and quantum entangled states, which greatly saves experiment costs. In other words, the quantum users need to be equipped with complete quantum capabilities, while the semiquantum participants are restricted to limited abilities. In semiquantum cryptography, the first semiquantum private comparison (SQPC) protocol was proposed by Chou et al. [45] based on entanglement swapping of Bell states in 2016, the first semiquantum summation (SQS) protocol was put forward by Zhang et al. [46] based on single photons in 2021, and the semiquantum multiplication (SQM) protocol hasn’t been designed until now.
SQPC can be divided into two kinds: SQPC of equality [45, 47–50] and SQPC of size relationship [51–56]. Compared with the former kind, the latter kind has more functions on determining the relationship of semiquantum participants’ private inputs. In 2021, by adopting d-dimensional Bell states, Zhou et al. [51] designed a SQPC scheme of size relationship with a pre-shared key; and by using d-dimensional GHZ states, Wang et al. [52] proposed a SQPC protocol of size relationship with a pre-shared key. In 2022, by employing d-dimensional single-particle states, Li et al. [53] put forward two SQPC protocols of size relationship, each of which requires a pre-shared key, where the first protocol and the second protocol use the distribution model and the circle model to transmit particles, respectively; by utilizing d-dimensional Bell states, Luo et al. [54] designed a SQPC scheme of size relationship which requires a pre-shared key; and by employing d-dimensional single-particle states, Geng et al. [55] put forward a SQPC protocol of size relationship with a pre-shared key, where TP has no knowledge about the final comparison results. In 2023, Ye and Lian [56] put forward the first multiparty semiquantum private comparison (MSQPC) protocol of size relationship with d-dimensional single-particle states. Compared to SQPC schemes, SQS protocols [46, 57, 58] have been few up to now. More seriously, there is no SQS scheme which can implement the modulo d addition of secret integers from more than three semiquantum participants within one round implementation.
According to the foregoing discussion, in this paper, we utilize d-dimensional single-particle states to design three semiquantum cryptography protocols, i.e., the MSQPC protocol, the multiparty semiquantum multiplication (MSQM) protocol and the multiparty semiquantum summation (MSQS) protocol. Note that only under the assistance of two semi-honest quantum third parties (TPs) can the goals of the three proposed protocols be achieved, where the semi-honest TPs are permitted to try their best to eavesdrop secret integers of semiquantum participants but cannot collude with anyone else. The proposed MSQPC protocol is the only MSQPC protocol which can implement the comparison of size relationship of more than two semiquantum participants’ private inputs within one execution of protocol, with no requirement of a pre-shared key. The proposed MSQM protocol is the first scheme absorbing the innovative concept of semiquantumness into quantum multiplication, which is devoted to computing the modulo d multiplication of secret integers from more than two semiquantum users within one round implementation. Note that within a d-dimensional quantum system, semiquantum users are typically constrained to the following operations: (a) measuring the qudits in the Z basis \(\{ \vert 0 \rangle , \vert 1 \rangle , \ldots , \vert d - 1 \rangle \}\); (b) preparing the fresh qudits in the Z basis; (c) transmitting or reflecting the qudits without disturbance; and (d) reordering the qudits via various delay lines. As for the proposed MSQS protocol, it is also the pioneer scheme of SQS, aiming to compute the modulo d addition of private integers from more than three semiquantum users within one execution of protocol. Neither quantum entanglement swapping nor unitary operations are required in the three proposed protocols. Besides, the usage of quantum resources for the three proposed schemes is identical, as the only section where quantum resources are utilized is in Sect. 2.1 during the key-sharing process.
2 Description of protocols
In a d-dimensional Hilbert space, two common conjugate bases can be described as
and
Here, F is the d-dimensional discrete quantum Fourier transform, \(F \vert t \rangle = \frac{1}{\sqrt{d}} \sum_{\delta = 0}^{d - 1} e^{\frac{2\pi i\delta t}{d}} \vert \delta \rangle \) and \(t = 0,1, \ldots ,d - 1\).
There are N semiquantum users, \(P_{1},P_{2}, \ldots ,P_{N}\), and two quantum TPs, \(TP_{1}\) and \(TP_{2}\), where the TPs are required to have complete quantum capabilities, while \(P_{1},P_{2}, \ldots ,P_{N}\) are merely asked to possess restricted quantum abilities. It is worth noting that both \(TP_{1}\) and \(TP_{2}\) are semi-honest, which means that they can launch all possible attacks to steal private inputs of N semiquantum users except colluding with anyone else. Assume that \(P_{n}\) possesses an L-length secret integer string \(p_{n} = \{ p_{n}^{1},p_{n}^{2}, \ldots ,p_{n}^{L}\}\), where \(P_{n}\) denotes the nth semiquantum participant, \(p_{n}^{i}\) denotes the ith private integer of the nth semiquantum participant, \(p_{n}^{i} \in \{ 0,1, \ldots ,d - 1\} \), \(n = 1,2, \ldots ,N\) and \(i = 1,2, \ldots ,L\). The quantum channels are assumed to be ideal, and the classical channels are assumed to be authenticated.
This paper proposes a hybrid protocol which initially designs a semiquantum key distribution (SQKD) scheme based on d-dimensional single particles in Sect. 2.1, followed by the use of traditional mathematical methods to achieve multiparty private comparison, multiplication, and summation in Sect. 2.2, Sect. 2.3 and Sect. 2.4, respectively. The term “hybrid” means that the proposed multiparty semiquantum private comparison scheme, the proposed multiparty semiquantum multiplication scheme and the proposed multiparty semiquantum summation scheme share the SQKD scheme based on d-dimensional single-particle states. The SQKD scheme based on d-dimensional single particles aims to create a semiquantum private key between \(P_{n}\) and \(TP_{1}\) and a semiquantum private key between \(P_{n}\) and \(TP_{2}\) by using d-dimensional single particles.
To make it much easier to understand the process of the proposed hybrid protocols, we create a concise flowchart, depicted in Fig. 1.
2.1 Common procedures of protocols
Step 1: \(TP_{1}\) prepares \(N\) \(d\)-dimensional single-particle state sequences \(S_{1},S_{2}, \ldots ,S_{N}\) whose particles are randomly picked out from two sets \(T_{1}\) and \(T_{2}\) but excluding \(\vert 0 \rangle \). Note that for the successful implementation of the three proposed protocols, the minimum number of particles in \(S_{n}\) should be 8L. Here, let \(S_{n} = \{ S_{n}^{1},S_{n}^{2}, \ldots ,S_{n}^{8L}\}\) for \(n = 1,2, \ldots ,N\), where \(S_{n}^{l}\) denotes the lth particle of \(S_{n}\) and \(l = 1,2, \ldots ,8L\). Furthermore, \(TP_{1}\) sends \(S_{n}\) to \(P_{n}\) through a quantum channel. Note that except the first particle, \(TP_{1}\) sends out the next particle of \(S_{n}\) to \(P_{n}\) only after receiving the previous one from \(P_{n}\).
Step 2: \(P_{n}\) randomly enters into the REFLECT mode or the MEASURE mode after gaining the lth particle from \(TP_{1}\). Here, the REFLECT mode means to reflect the received particle back without any disturbance, while the MEASURE mode implies to measure the received particle with the \(T_{1}\) basis, record the measurement result, prepare the fresh quantum state as found and return the fresh particle back to the sender. The new sequence after \(P_{n}\) performs her operations on \(S_{n}\) is represented by \(S_{n}'\).
Step 3: After receiving all particles of \(S_{n}'\) from \(P_{n}\), \(TP_{1}\) announces \(P_{n}\) the positions where the particles were produced within the \(T_{1}\) basis, and \(P_{n}\) publishes \(TP_{1}\) her specific operation modes on the particles of \(S_{n}\). Based on the announced information, \(TP_{1}\) implements the corresponding operations as shown in Table 1.
Case 1: \(P_{n}\) has applied the REFLECT mode to the received particle prepared within the \(T_{1}\) basis. After measuring \(S_{n}^{l'}\) with the \(T_{1}\) basis, \(TP_{1}\) compares her measurement result with the corresponding initially prepared state to determine whether there is an eavesdropper or not, where \(l \in \{ 1,2, \ldots ,8L\}\). If there is no eavesdropper, the protocol proceeds;
Case 2: \(P_{n}\) has applied the REFLECT mode to the received particle prepared within the \(T_{2}\) basis. After measuring \(S_{n}^{l'}\) with the \(T_{2}\) basis, \(TP_{1}\) compares her measurement result with the corresponding initially prepared state to judge whether there is an eavesdropper or not, where \(l \in \{ 1,2, \ldots ,8L\}\). If there is no eavesdropper, the protocol proceeds;
Case 3: \(P_{n}\) has applied the MEASURE mode to the received particle prepared within the \(T_{2}\) basis and \(TP_{1}\) takes no action. It is noteworthy that this Case is ignored;
Case 4: \(P_{n}\) has applied the MEASURE mode to the received particle prepared within the \(T_{1}\) basis. \(TP_{1}\) measures \(S_{n}^{l'}\) with the \(T_{1}\) basis. \(TP_{1}\) randomly picks out half of the particles belonging to this Case in her hand. Then, \(TP_{1}\) announces the selected positions to \(P_{n}\), and \(P_{n}\) publishes to \(TP_{1}\) her measurement results on the corresponding positions. Afterward, \(TP_{1}\) can know whether there is an eavesdropping behavior or not by comparing her measurement results, the corresponding initially prepared states and the measurement results published by \(P_{n}\). If there is no eavesdropping behavior, the protocol proceeds.
Step 4: \(TP_{1}\) counts the number of remaining particles in Case 4. If this quantity is less than L, the communication will be suspended and restarted from Step 1. Then, \(P_{n}\) and \(TP_{1}\) select the first L particles from the remaining particles in Case 4 and record the corresponding measurement results as \(x_{n} = \{ x_{n}^{1},x_{n}^{2}, \ldots ,x_{n}^{L}\}\), where \(x_{n}^{i} \in \{ 1,2, \ldots ,d - 1\}\), \(n = 1,2, \ldots ,N\) and \(i = 1,2, \ldots ,L\).
Step 5: \(TP_{2}\) executes the same procedures as \(TP_{1}\) in Steps (1)–(4), in order to make \(TP_{2}\) and \(P_{n}\) also share an L-length secret sequence represented by \(y_{n} = \{ y_{n}^{1},y_{n}^{2}, \ldots ,y_{n}^{L}\}\), where \(y_{n}^{i} \in \{ 1,2, \ldots ,d - 1\}\), \(i = 1,2, \ldots ,L\) and \(n = 1,2, \ldots ,N\).
Additionally, it is important to clarify why the minimum particle number in \(S_{n}\) should be 8L. In Case 4, the number of particles used for privacy comparison should be L, consequently requiring the number of particles for eavesdropping detection greater than or equal to L. This suggests that the particle number in Case 4 should be greater than or equal to 2L. Given that the particles in \(S_{n}\) are distributed in the four Cases with equal probabilities, the quantity of particles in \(S_{n}\) should be greater than or equal to 8L.
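The bookkeeping of Steps 1–4 and the 8L argument above, as an added example that is not the authors' code: it runs an honest pass over an ideal channel and computes how often Step 4 finds at least L leftover Case 4 particles. Assumptions: basis and mode are chosen uniformly and independently, "half" of the Case 4 particles means `k // 2`, and all function names are hypothetical.

```python
import random
from math import comb


def run_once(d, L, particles, rng):
    """One honest pass of Steps 1-4 between TP1 and P_n over an ideal channel.

    Returns the L-digit key x_n, or None when Step 4 demands a restart.
    Only Case 4 (T1 basis, MEASURE mode) contributes key material, so the
    other three Cases are just counted out.
    """
    case4 = []
    for _ in range(particles):
        basis = rng.choice(("T1", "T2"))            # Step 1 (assumed uniform)
        mode = rng.choice(("REFLECT", "MEASURE"))   # Step 2 (assumed uniform)
        if basis == "T1" and mode == "MEASURE":
            # |0> is excluded, so the measured digit lies in {1, ..., d-1}.
            # With no eavesdropper, P_n's result equals TP1's prepared state.
            case4.append(rng.randrange(1, d))
    # Step 3, Case 4: half of these positions are disclosed for the check
    # and therefore cannot be used as key digits.
    disclosed = set(rng.sample(range(len(case4)), len(case4) // 2))
    remaining = [v for i, v in enumerate(case4) if i not in disclosed]
    # Step 4: restart when fewer than L particles are left.
    if len(remaining) < L:
        return None
    return remaining[:L]


def share_key(d, L, particles, rng):
    """Repeat Steps 1-4 until a key is obtained; returns (key, attempts)."""
    attempts = 1
    key = run_once(d, L, particles, rng)
    while key is None:
        attempts += 1
        key = run_once(d, L, particles, rng)
    return key, attempts


def success_probability(L, particles):
    """Exact probability that one pass leaves at least L Case 4 particles.

    k ~ Binomial(particles, 1/4) particles fall in Case 4; k - k // 2 of
    them survive the check, which is >= L exactly when k >= 2L - 1.
    """
    need = 2 * L - 1
    return sum(
        comb(particles, k) * 0.25 ** k * 0.75 ** (particles - k)
        for k in range(need, particles + 1)
    )


if __name__ == "__main__":
    L, d = 8, 17  # constructed sample parameters
    for factor in (8, 12, 16):
        p = success_probability(L, factor * L)
        print(f"{factor}L particles: P(no restart) = {p:.4f}")
    key, attempts = share_key(d, L, 8 * L, random.Random(2024))
    print("key:", key, "attempts:", attempts)
```

Under these assumptions 8L particles give L key digits only on average, so a pass with exactly 8L particles still hits the Step 4 restart a noticeable fraction of the time; sending more particles trades channel use for fewer restarts.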
2.2 Protocol for multiparty semiquantum private comparison
It is necessary to highlight that the value range of \(p_{n}^{i}\) needs to be reset, i.e., \(p_{n}^{i} \in \{ 0,1, \ldots ,h\}\), where \(h = \lfloor \frac{d - 1}{2} \rfloor \) and the symbol ⌊⌋ denotes the floor operation. For instance, if \(d = 12\), then \(h = \lfloor \frac{12 - 1}{2} \rfloor = \lfloor 5.5 \rfloor = 5\).
Step 6′: After performing Steps (1)–(5) of Sect. 2.1, \(P_{n}\) calculates
where the symbol ⊕ represents the modulo d addition, \(n = 1,2, \ldots ,N\) and \(i = 1,2, \ldots ,L\). Then, \(P_{n}\) sends \(c_{n}^{i}\) to \(TP_{1}\) through an authenticated classical channel. Furthermore, \(TP_{2}\) computes
and sends \(\chi _{n'n}^{i}\) to \(TP_{1}\) through an authenticated classical channel, where the symbol ⊝ denotes the modulo d subtraction, \(i = 1,2, \ldots ,L\), \(n = 1,2, \ldots ,N\), \(n' = 2,3, \ldots ,N\) and \(n' > n\).
Step 7′: After obtaining \(\chi _{n'n}^{i}\) from \(TP_{2}\), \(TP_{1}\) calculates
and
where \(i = 1,2, \ldots ,L\), \(n = 1,2, \ldots ,N\), \(n' = 2,3, \ldots ,N\) and \(n < n'\).
Furthermore, \(TP_{1}\) makes
Here, \(\gamma ( R_{nn'}^{i} ) = - 1\) means \(p_{n}^{i} < p_{n'}^{i}\); \(\gamma ( R_{nn'}^{i} ) = 1\) means \(p_{n}^{i} > p_{n'}^{i}\); and \(\gamma ( R_{nn'}^{i} ) = 0\) means \(p_{n}^{i} = p_{n'}^{i}\). Finally, \(TP_{1}\) publishes the comparison results to \(P_{1},P_{2}, \ldots ,P_{N}\).
2.3 Protocol for multiparty semiquantum multiplication
Step 6″: After executing Steps (1)–(5) of Sect. 2.1, \(P_{n}\) calculates
where \(n = 1,2, \ldots ,N\) and \(i = 1,2, \ldots ,L\). Then, \(P_{n}\) sends \(g_{n} = \{ g_{n}^{1},g_{n}^{2}, \ldots ,g_{n}^{L}\}\) to \(TP_{1}\) via an authenticated classical channel. Furthermore, \(TP_{2}\) calculates
for \(i = 1,2, \ldots ,L\) and sends the sequence \(\beta = \{ \beta _{1},\beta _{2}, \ldots ,\beta _{L}\}\) to \(TP_{1}\) through an authenticated classical channel.
Step 7″: After obtaining \(g_{n}\) for \(n = 1,2, \ldots ,N\) and the sequence β, \(TP_{1}\) calculates
and
for \(i = 1,2, \ldots ,L\). Finally, \(TP_{1}\) announces \(P_{1},P_{2}, \ldots ,P_{N}\) the multiplication result sequence \(M = \{ M_{1},M_{2}, \ldots M_{L}\}\), where \(M_{i}\) denotes the modulo d multiplication of \(p_{1}^{i},p_{2}^{i}, \ldots ,p_{N}^{i}\).
2.4 Protocol for multiparty semiquantum summation
Step 6‴: After implementing Steps (1)–(5) of Sect. 2.1, \(P_{n}\) calculates
where \(n = 1,2, \ldots ,N\) and \(i = 1,2, \ldots ,L\). Then, \(P_{n}\) sends \(\mu _{n} = \{ \mu _{n}^{1},\mu _{n}^{2}, \ldots ,\mu _{n}^{L}\}\) to \(TP_{1}\) via an authenticated classical channel. Moreover, \(TP_{2}\) computes
for \(i = 1,2, \ldots ,L\) and sends the sequence \(\nu = \{ v_{1},v_{2}, \ldots ,v_{L}\}\) to \(TP_{1}\) through an authenticated classical channel.
Step 7‴: After obtaining \(\mu _{n}\) for \(n = 1,2, \ldots ,N\) and the sequence ν, \(TP_{1}\) calculates
and
for \(i = 1,2, \ldots ,L\). Finally, \(TP_{1}\) calculates
for \(i = 1,2, \ldots ,L\) and publishes the final summation result sequence \(\mathit{sum} = \{ \mathit{sum}_{1},\mathit{sum}_{2}, \ldots , \mathit{sum}_{L}\}\) to \(P_{1},P_{2}, \ldots ,P_{n}\), where \(\mathit{sum}_{i}\) represents the modulo d addition of \(p_{1}^{i},p_{2}^{i}, \ldots ,p_{N}^{i}\).
3 Correctness analysis
3.1 Correctness analysis of the proposed MSQPC protocol
3.1.1 Output correctness
By combining Eq. (3) with Eq. (5), we infer that
After inserting Eq. (17) and Eq. (4) into Eq. (6), we acquire that
In the light of Eq. (18) and Eq. (7), it can be concluded that when \(h < p_{n}^{i}\circleddash p_{n'}^{i} \le 2h\), i.e., \(\gamma (R_{nn'}^{i}) = - 1\), we get \(p_{n}^{i} < p_{n'}^{i}\); when \(p_{n}^{i}\circleddash p_{n'}^{i} = 0\), i.e., \(\gamma (R_{nn'}^{i}) = 0\), we have \(p_{n}^{i} = p_{n'}^{i}\); when \(0 < p_{n}^{i}\circleddash p_{n'}^{i} \le h\), i.e., \(\gamma (R_{nn'}^{i}) = 1\), we acquire \(p_{n}^{i} > p_{n'}^{i}\). Here, \(i = 1,2, \ldots ,L\), \(n = 1,2, \ldots ,N\), \(n' = 2,3, \ldots ,N\) and \(n < n'\). Thus, it can be concluded that the accuracy of comparison results of the proposed MSQPC protocol can be ensured.
3.1.2 Example
For the sake of further supporting the foregoing analysis of output correctness of the presented MSQPC protocol, a specific example is given in detail. Suppose that \(P_{1}\), \(P_{2}\), \(P_{3}\), \(P_{4}\) are four semiquantum participants whose first private inputs are \(p_{1}^{1} = 0\), \(p_{2}^{1} = 6\), \(p_{3}^{1} = 4\), \(p_{4}^{1} = 8\), respectively, in a 17-dimensional quantum system; after measuring the qudits prepared by \(TP_{1}\), \(P_{1}\), \(P_{2}\), \(P_{3}\), \(P_{4}\) obtain \(x_{1}^{1} = 2\), \(x_{2}^{1} = 14\), \(x_{3}^{1} = 1\), \(x_{4}^{1} = 16\), respectively; and after measuring the qudits prepared by \(TP_{2}\), \(P_{1}\), \(P_{2}\), \(P_{3}\), \(P_{4}\) acquire \(y_{1}^{1} = 6\), \(y_{2}^{1} = 4\), \(y_{3}^{1} = 12\), \(y_{4}^{1} = 1\), respectively. By virtue of Eq. (3), \(P_{1}\), \(P_{2}\), \(P_{3}\), \(P_{4}\) compute \(c_{1}^{1} = 0 \oplus 2 \oplus 6 = 8\), \(c_{2}^{1} = 6 \oplus 14 \oplus 4 = 7\), \(c_{3}^{1} = 4 \oplus 1 \oplus 12 = 0\) and \(c_{4}^{1} = 8 \oplus 16 \oplus 1 = 8\), respectively. Furthermore, \(TP_{2}\) gets \(\chi _{21}^{1} = 4\circleddash 6 = 15\), \(\chi _{31}^{1} = 12\circleddash 6 = 6\), \(\chi _{41}^{1} = 1\circleddash 6 = 12\), \(\chi _{32}^{1} = 12\circleddash 4 = 8\), \(\chi _{42}^{1} = 1\circleddash 4 = 14\) and \(\chi _{43}^{1} = 1\circleddash 12 = 6\) in accordance with Eq. (4).
After receiving the classical information sent out by \(P_{1}\), \(P_{2}\), \(P_{3}\), \(P_{4}\) and \(TP_{2}\), \(TP_{1}\) gets \(m_{1}^{1} = 8\circleddash 2 = 6\), \(m_{2}^{1} = 7\circleddash 14 = 10\), \(m_{3}^{1} = 0\circleddash 1 = 16\) and \(m_{4}^{1} = 8\circleddash 16 = 9\) based on Eq. (5). Then, \(TP_{1}\) calculates \(R_{12}^{1} = 6\circleddash 10 \oplus 15 = 11\), \(R_{13}^{1} = 6\circleddash 16 \oplus 6 = 13\), \(R_{14}^{1} = 6\circleddash 9 \oplus 12 = 9\), \(R_{23}^{1} = 10\circleddash 16 \oplus 8 = 2\), \(R_{24}^{1} = 10\circleddash 9 \oplus 14 = 15\) and \(R_{34}^{1} = 16\circleddash 9 \oplus 6 = 13\) by virtue of Eq. (6). Furthermore, according to Eq. (7), \(TP_{1}\) makes \(\gamma (R_{12}^{1}) = - 1\), \(\gamma (R_{13}^{1}) = - 1\), \(\gamma (R_{14}^{1}) = - 1\), \(\gamma (R_{23}^{1}) = 1\), \(\gamma (R_{24}^{1}) = - 1\) and \(\gamma (R_{34}^{1}) = - 1\). In other words, \(TP_{1}\) obtains \(p_{1}^{1} < p_{2}^{1}\), \(p_{1}^{1} < p_{3}^{1}\), \(p_{1}^{1} < p_{4}^{1}\), \(p_{2}^{1} > p_{3}^{1}\), \(p_{2}^{1} < p_{4}^{1}\) and \(p_{3}^{1} < p_{4}^{1}\), which means \(p_{1}^{1} < p_{3}^{1} < p_{2}^{1} < p_{4}^{1}\). Therefore, we can conclude that the comparison results of the proposed MSQPC protocol are right.
3.2 Correctness analysis of the proposed MSQM protocol
3.2.1 Output correctness
In the light of Eqs. (8)–(10), it can be deduced that
After inserting Eq. (19) into Eq. (11), it has
for \(i = 1,2, \ldots ,L\), which validates the output correctness of the multiplication results in the proposed MSQM protocol.
3.2.2 Example
Here, a numerical example is given to further demonstrate that the output of the proposed MSQM protocol is accurate. Assume that the first private integers of four semiquantum users \(P_{1}\), \(P_{2}\), \(P_{3}\), \(P_{4}\) are \(p_{1}^{1} = 3\), \(p_{2}^{1} = 7\), \(p_{3}^{1} = 1\) and \(p_{4}^{1} = 6\), respectively, in a 10-dimensional quantum system; and by measuring the corresponding single photons prepared by \(TP_{1}\) and \(TP_{2}\), \(P_{1}\) obtains \(x_{1}^{1} = 2\), \(y_{1}^{1} = 9\), \(P_{2}\) gets \(x_{2}^{1} = 5\), \(y_{2}^{1} = 4\), \(P_{3}\) acquires \(x_{3}^{1} = 7\), \(y_{3}^{1} = 1\) and \(P_{4}\) gains \(x_{4}^{1} = 3\), \(y_{4}^{1} = 2\). Then, according to Eq. (8), \(P_{1}\), \(P_{2}\), \(P_{3}\), \(P_{4}\) calculate \(g_{1}^{1} = 3 \times 2 \times 9 = 54\), \(g_{2}^{1} = 7 \times 5 \times 4 = 140\), \(g_{3}^{1} = 1 \times 7 \times 1 = 7\) and \(g_{4}^{1} = 6 \times 3 \times 2 = 36\), respectively, and send them to \(TP_{1}\). Furthermore, in accordance with Eq. (9), \(TP_{2}\) calculates \(\beta _{1} = 9 \times 4 \times 1 \times 2 = 72\) and sends it to \(TP_{1}\).
Afterward, \(TP_{1}\) computes \(\alpha _{1} = 2 \times 5 \times 7 \times 3 = 210\) according to Eq. (10) and figures up \(M_{1} = \frac{54 \times 140 \times 7 \times 36}{210 \times 72}\bmod 10 = 6\) by virtue of Eq. (11), which represents that the output accuracy of the proposed MSQM protocol can be assured.
3.3 Correctness analysis of the proposed MSQS protocol
3.3.1 Output correctness
By substituting Eq. (12) into Eq. (15), it can be shown that
Furthermore, inserting Eq. (21), Eq. (13) and Eq. (14) into Eq. (16) generates
for \(i = 1,2, \ldots ,L\), which means that the summation results of the proposed MSQS protocol are reliable.
3.3.2 Example
In this section, we give a specific example to further prove that the summation result of the proposed MSQS protocol is correct. It is assumed that semiquantum subscribers \(P_{1}\), \(P_{2}\), \(P_{3}\), \(P_{4}\) possess their own private inputs \(p_{1}^{1} = 0\), \(p_{2}^{1} = 11\), \(p_{3}^{1} = 3\) and \(p_{4}^{1} = 6\), respectively, in a 12-dimensional quantum system. After \(P_{1}\), \(P_{2}\), \(P_{3}\), \(P_{4}\) measure the single photons produced by \(TP_{1}\) and \(TP_{2}\), respectively, it can be obtained that \(x_{1}^{1} = 8\), \(y_{1}^{1} = 2\), \(x_{2}^{1} = 4\), \(y_{2}^{1} = 1\), \(x_{3}^{1} = 7\), \(y_{3}^{1} = 11\), \(x_{4}^{1} = 1\) and \(y_{4}^{1} = 6\). Then, in accordance with Eq. (12), \(P_{1}\), \(P_{2}\), \(P_{3}\), \(P_{4}\) compute \(\mu _{1}^{1} = 0 \oplus 8 \oplus 2 = 10\), \(\mu _{2}^{1} = 11 \oplus 4 \oplus 1 = 4\), \(\mu _{3}^{1} = 3 \oplus 7 \oplus 11 = 9\) and \(\mu _{4}^{1} = 6 \oplus 1 \oplus 6 = 1\), respectively. Furthermore, \(TP_{2}\) transmits \(v_{1} = (12 - 2) \oplus (12 - 1) \oplus (12 - 11) \oplus (12 - 6) = 4\) to \(TP_{1}\) in accordance with Eq. (13).
After receiving \(\mu _{1}^{1}\), \(\mu _{2}^{1}\), \(\mu _{3}^{1}\), \(\mu _{4}^{1}\) and \(v_{1}\), by virtue of Eq. (14) and Eq. (15), \(TP_{1}\) calculates \(\sigma _{1} = (12 - 8) \oplus (12 - 4) \oplus (12 - 7) \oplus (12 - 1) = 4\) and \(\theta _{1} = 10 \oplus 4 \oplus 9 \oplus 1 = 0\). As a result, based on Eq. (16), \(TP_{1}\) acquires \(\mathit{sum}_{1} = 4 \oplus 4 \oplus 0 = 8\), which confirms the output correctness of the proposed MSQS protocol.
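The classical stages of Sects. 2.2–2.4 for one position i and any number of participants, as an added example that is not the authors' code. The formulas are taken from the worked numbers in Sects. 3.1.2, 3.2.2 and 3.3.2 (an assumption, since the numbered equations themselves are not reproduced on this page), and the function names are hypothetical.

```python
import random
from itertools import combinations
from math import prod


def msqpc_compare(d, p, x, y):
    """Steps 6'-7': pairwise size comparison of p_1..p_N (0 <= p_n <= h).

    Returns {(n, n'): gamma} with 1-based indices and n < n'.
    """
    h = (d - 1) // 2
    if not all(0 <= v <= h for v in p):
        raise ValueError("MSQPC inputs must lie in {0, ..., h}")
    N = len(p)
    c = [(p[n] + x[n] + y[n]) % d for n in range(N)]        # P_n -> TP1
    chi = {(b, a): (y[b] - y[a]) % d                        # TP2 -> TP1
           for a, b in combinations(range(N), 2)}
    m = [(c[n] - x[n]) % d for n in range(N)]               # TP1 removes x_n
    out = {}
    for a, b in combinations(range(N), 2):
        R = (m[a] - m[b] + chi[(b, a)]) % d                 # equals p_a - p_b mod d
        # Nonzero residues up to h are positive differences; larger residues
        # are negative ones (for odd d this is the page's h < R <= 2h).
        out[(a + 1, b + 1)] = 0 if R == 0 else (1 if R <= h else -1)
    return out


def msqm_product(d, p, x, y):
    """Steps 6''-7'': modulo-d product of p_1..p_N.

    The g_n are plain integer products, as in the page's example (54, 140, ...),
    and the keys lie in {1, ..., d-1}, so the division is exact and nonzero.
    """
    g = [pn * xn * yn for pn, xn, yn in zip(p, x, y)]       # P_n -> TP1
    beta = prod(y)                                          # TP2 -> TP1
    alpha = prod(x)                                         # TP1
    return (prod(g) // (alpha * beta)) % d


def msqs_sum(d, p, x, y):
    """Steps 6'''-7''': modulo-d sum of p_1..p_N."""
    mu = [(pn + xn + yn) % d for pn, xn, yn in zip(p, x, y)]  # P_n -> TP1
    v = sum(d - yn for yn in y) % d                           # TP2 -> TP1
    sigma = sum(d - xn for xn in x) % d                       # TP1
    theta = sum(mu) % d                                       # TP1
    return (sigma + v + theta) % d


def self_check(trials=500, seed=1):
    """Compare protocol outputs with direct computation on random inputs."""
    rng = random.Random(seed)
    for _ in range(trials):
        d = rng.randrange(3, 30)
        N = rng.randrange(2, 6)
        x = [rng.randrange(1, d) for _ in range(N)]
        y = [rng.randrange(1, d) for _ in range(N)]
        p = [rng.randrange(0, d) for _ in range(N)]
        if msqm_product(d, p, x, y) != prod(p) % d:
            return False
        if msqs_sum(d, p, x, y) != sum(p) % d:
            return False
        q = [rng.randrange(0, (d - 1) // 2 + 1) for _ in range(N)]
        for (a, b), g in msqpc_compare(d, q, x, y).items():
            if g != (q[a - 1] > q[b - 1]) - (q[a - 1] < q[b - 1]):
                return False
    return True


if __name__ == "__main__":
    # Inputs of the three numerical examples in Sect. 3.
    print(msqpc_compare(17, [0, 6, 4, 8], [2, 14, 1, 16], [6, 4, 12, 1]))
    print(msqm_product(10, [3, 7, 1, 6], [2, 5, 7, 3], [9, 4, 1, 2]))
    print(msqs_sum(12, [0, 11, 3, 6], [8, 4, 7, 1], [2, 1, 11, 6]))
    print(self_check())
```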
4 Simulation based on IBM’s Qiskit
To further demonstrate the output correctness of three proposed protocols, we conduct the simulation experiment by utilizing IBM’s Qiskit without considering the eavesdropping check processes. The three proposed protocols only utilize d-dimensional single-particle states as quantum resources and perform d-dimensional single-particle measurements, which suggests that only when the quantum measurement results on single photons are accurate can the output correctness of protocols be guaranteed. It is easy to construct the quantum measurement circuit for single photon. In the following, we will simulate out the measurement outcomes of four single photons, considering a quantum system with a level of 8. The simulated quantum measurement circuits for \(\vert 6 \rangle , \vert 7 \rangle ,F \vert 6 \rangle\) and \(F \vert 7 \rangle \) are shown in Figs. 2–5, respectively. Here, \(F \vert 6 \rangle = \frac{1}{\sqrt{8}}\sum_{\delta = 0}^{7} e^{\frac{3\pi \delta i}{2}} \vert \delta \rangle \) and \(F \vert 7 \rangle = \frac{1}{\sqrt{8}}\sum_{\delta = 0}^{7} e^{\frac{7\pi \delta i}{4}} \vert \delta \rangle \). Obviously, for any \(\delta = 0,1, \ldots ,7\), we have \(\vert e^{\frac{3\pi \delta i}{2}} \vert ^{2} = \vert e^{\frac{7\pi \delta i}{4}} \vert ^{2} = 1\). Therefore, for simplicity, we disregard the specific phase values \(e^{i \times \frac{3\pi \delta }{2}}\) and \(e^{i \times \frac{7\pi \delta }{4}}\) in Figs. 4(a) and 5(a), respectively, as they have no impact on the corresponding measurement results. Note that 100,000 simulation experiments are conducted for each single photon.
Based on Figs. 2–5, it can be concluded that the measurement outcomes on single photons are entirely accurate. This implies that the output correctness of three proposed protocols can be guaranteed, as they only necessitate the d-dimensional single-particle measurements.
5 Security analysis
5.1 Outside attacks
To steal the confidential integer sequence \(p_{n}\), an outside eavesdropper, Eve, may launch seven types of attacks during Steps (1)–(5), i.e., the intercept-resend attack, the measure-resend attack, the entangle-measure attack, the double controlled-not (CNOT) attacks, the Trojan horse attacks, the collective attack and the coherent attack. Note that either in the quantum channel between \(TP_{1}\) and \(P_{n}\) or between \(TP_{2}\) and \(P_{n}\), Eve always acts equally. Consequently, we only discuss the security of the quantum channel between \(TP_{1}\) and \(P_{n}\).

(1) The intercept-resend attack
Eve intercepts the particle of \(S_{n}\) from \(TP_{1}\) to \(P_{n}\) and sends \(P_{n}\) the fake one she has already produced in the \(T_{1}\) basis in Step 1; after \(P_{n}\) implements her operation on the fake particle, Eve intercepts the corresponding particle of \(S_{n}'\) from \(P_{n}\) to \(TP_{1}\) and transmits \(TP_{1}\) the intercepted genuine one of \(S_{n}\) in Step 2. When the intercepted genuine particle is prepared in the \(T_{2}\) basis, no matter what mode \(P_{n}\) has entered into, the existence of Eve cannot be discovered either in Case 2 or Case 3 of Step 3. Considering that the intercepted genuine particle is produced in the \(T_{1}\) basis, if \(P_{n}\) has entered into the REFLECT mode, the eavesdropping behavior of Eve cannot be detected in Case 1 of Step 3; if \(P_{n}\) has entered into the MEASURE mode, the probability that the intercepted particle is chosen for eavesdropping detection is \(\frac{1}{2}\), and the probability that \(P_{n}\)’s measurement result on the fake particle is not the same as the corresponding initial prepared state and \(TP_{1}\)’s measurement result on the intercepted genuine particle of \(S_{n}\) is \(\frac{d - 2}{d - 1}\), so the existence of Eve can be discovered with the probability of \(\frac{d - 2}{2d - 2}\) in Case 4 of Step 3, which validates that Eve’s eavesdropping behavior on one of the particles transmitted between \(TP_{1}\) and \(P_{n}\) cannot be detected with the probability of \(\frac{d}{2d - 2}\). Consequently, the probability that this intercept-resend attack by Eve on the 8L particles of \(S_{n}\) can be discovered is \(1 - (\frac{d}{2d - 2})^{8L}\), which will approach 1 if L is large enough.

(2) The measure-resend attack
In Step 1, Eve intercepts the particle of \(S_{n}\) from \(TP_{1}\) to \(P_{n}\), utilizes the \(T_{1}\) basis to measure it and transmits the resulting state to \(P_{n}\). When the intercepted particle is in the \(T_{1}\) basis, the presence of Eve cannot be detected either in Case 1 or Case 4 of Step 3, no matter what mode \(P_{n}\) has entered into. Considering that the intercepted particle is in the \(T_{2}\) basis, when \(P_{n}\) has entered into the MEASURE mode, the eavesdropping behavior of Eve cannot be discovered in Case 3 of Step 3, as the intercepted particle is not chosen for security check; when \(P_{n}\) has entered into the REFLECT mode, the presence of Eve will be detected undoubtedly in Case 2 of Step 3, as Eve’s measurement destroys the quantum superposition state of the intercepted particle.

(3) The entangle-measure attack
As shown in Fig. 6, Eve launches her entangle-measure attack on the transmitted particle by employing two unitary operations \(U_{E}\) and \(U_{F}\), where \(U_{E}\) is imposed on the particle of \(S_{n}\) from \(TP_{1}\) to \(P_{n}\) in Step 1 and \(U_{F}\) is performed on the particle of \(S_{n}'\) from \(P_{n}\) to \(TP_{1}\) in Step 2. As illustrated in Refs. [41, 42], \(U_{E}\) and \(U_{F}\) share a common probe space with the auxiliary state \(\vert \Omega \rangle \), where Eve is permitted by the shared probe to launch the attack on the particle of \(S_{n}'\) on the basis of the knowledge gained from \(U_{E}\).
Theorem 1
Suppose that Eve implements \(U_{E}\) on the qudit from \(TP_{1}\) to \(P_{n}\) in Step 1 and imposes \(U_{F}\) on the qudit from \(P_{n}\) to \(TP_{1}\) in Step 2. For introducing no error in Step 3, the final state of Eve’s probe should be independent of not only the operations of \(P_{n}\) and \(TP_{1}\), but also their measurement results. Consequently, Eve fails to acquire knowledge about \(x_{n}\).
Proof
For convenience, we utilize \(\vert t \rangle \) and \(\vert G_{t} \rangle \) to denote the \(T_{1}\) basis and the \(T_{2}\) basis, respectively, where \(\vert G_{t} \rangle = F \vert t \rangle = \frac{1}{\sqrt{d}} \sum_{\delta = 0}^{d - 1} e^{\frac{2\pi i\delta t}{d}} \vert \delta \rangle \) and \(t = 0,1, \ldots ,d - 1\).
(i) Consider the situation that the particle attacked by Eve in Step 1 is prepared in the \(T_{1}\) basis.
In the light of Ref. [55], the effect of \(U_{E}\) on the particle and Eve’s probe can be described as
where the probe states \(\vert \omega _{tt'} \rangle \) are decided by \(U_{E}\), \(\sum_{t' = 0}^{d - 1} \vert \lambda _{tt'} \vert ^{2} = 1\) and \(t = 0,1, \ldots ,d - 1\).
When \(P_{n}\) intends to enter into the MEASURE mode, in order to get rid of the eavesdropping check in Case 4, Eve should make \(P_{n}\)’s measurement result on the attacked particle be the same to the corresponding initial prepared state. Hence, it can be deduced that
for \(t \ne t'\). After \(P_{n}\) performed the MEASURE mode, the global state of composite system was collapsed into \(\lambda _{tt} \vert t \rangle \vert \omega _{tt} \rangle \) in accordance with Eq. (23) and Eq. (24). In order to escape the security check in Case 4, Eve should make \(P_{n}\)’s measurement result on the attacked particle of \(S_{n}\) be the same to \(TP_{1}\)’s measurement result on the corresponding particle of \(S_{n}'\). Thus, the whole quantum system after being applied with \(U_{F}\) should be
which means that \(U_{F}\) is not allowed to alter the quantum state of \(S_{n}'\).
When \(P_{n}\) has chosen the REFLECT mode, by virtue of Eqs. (23)–(25), the whole quantum system after being applied with \(U_{F}\) should be
which means that \(TP_{1}\)’s measurement result on the particle of \(S_{n}'\) is naturally the same as the corresponding initial prepared state. As a result, as long as Eqs. (24), (25) are established, the eavesdropping behavior of Eve cannot be discovered in Case 1 of Step 3.
(ii) Consider the situation that the attacked particle is prepared in the \(T_{2}\) basis. Combining Eq. (23) and Eq. (24), we obtain
When \(U_{E}\) is implemented on the particle prepared in the \(T_{2}\) basis and Eve’s probe, the global composite system should be
On the basis of Eq. (27) and Eq. (28), it can be derived that
When \(P_{n}\) has chosen the MEASURE mode, the trace of Eve will never be discovered in Case 3 of Step 3, as there is no eavesdropping detection in this Case. When \(P_{n}\) has chosen the REFLECT mode, based on Eq. (25) and Eq. (29), the whole quantum system after being applied with \(U_{F}\) should be
In the light of the inverse quantum Fourier transform, it can be deduced that
where \(\delta = 0,1, \ldots ,d - 1\). Inserting Eq. (31) into Eq. (30) generates
In order to escape the security check in Case 2 of Step 3, Eve should make \(TP_{1}\)’s measurement result on the particle of \(S_{n}'\) the same as the corresponding initial prepared state. Hence, in accordance with Eq. (32), it can be deduced that
for \(t \ne j\), where \(t,j = 0,1, \ldots ,d - 1\). Obviously, for any \(t \ne j\), we obtain
Combining Eq. (33) and Eq. (34), it can be derived that
(iii) Inserting Eq. (35) into Eq. (25) produces
which means that Eve cannot extract any knowledge about \(x_{n}^{i}\), under the condition that the attacked particle is prepared in the \(T_{1}\) basis and \(P_{n}\) enters into the MEASURE mode. Then, inserting Eq. (35) into Eq. (26) produces
which means that Eve cannot obtain \(x_{n}^{i}\), under the condition that the attacked particle is prepared in the \(T_{1}\) basis and \(P_{n}\) enters into the REFLECT mode. Furthermore, inserting Eq. (35) into Eq. (32) produces
which means that Eve has no knowledge about \(x_{n}^{i}\), under the condition that the attacked particle is prepared in the \(T_{2}\) basis and \(P_{n}\) enters into the REFLECT mode.
By virtue of Eqs. (36)–(38), it can be concluded that, when Eve implements \(U_{E}\) on the qudit from \(TP_{1}\) to \(P_{n}\) in Step 1 and imposes \(U_{F}\) on the qudit from \(P_{n}\) to \(TP_{1}\) in Step 2, introducing no error in Step 3 requires the final state of Eve’s probe to be independent of not only the operations of \(P_{n}\) and \(TP_{1}\), but also their measurement results. Consequently, Eve fails to acquire knowledge about \(x_{n}\). □

(4) The double CNOT attacks
In accordance with Ref. [49], Eve initiates the first CNOT attack in Step 1, employing the particle of \(S_{n}\) and her ancillary particle as the control qudit and the target qudit, respectively. Subsequently, Eve proceeds with the second CNOT operation on the particle of \(S_{n}'\) as the control qudit and her auxiliary particle as the target qudit in Step 2, with the aim of extracting the information about \(P_{n}\)’s operation from her auxiliary particle. For convenience, we adopt \(\vert t \rangle \) and \(\vert G_{t} \rangle \) to represent the \(T_{1}\) basis and the \(T_{2}\) basis, respectively, where \(\vert G_{t} \rangle = F \vert t \rangle = \frac{1}{\sqrt{d}} \sum_{\delta = 0}^{d - 1} e^{\frac{2\pi i\delta t}{d}} \vert \delta \rangle \) and \(t = 0,1, \ldots ,d - 1\). In a d-level quantum system, the CNOT operation can be described as
where the symbol ⊕ denotes the modulo d addition.
(i) Consider the scenario where the initial particle of \(S_{n}\) is prepared in the \(T_{1}\) basis. After Eve performs the first CNOT attack \(U_{CT(d)}\) on the single photon \(\vert t \rangle _{S}\) and her ancillary qudit \(\vert \varepsilon \rangle _{E}\) in Step 1, the global state of the composite system is evolved into
for \(t = 0,1, \ldots ,d - 1\), where ε is a constant that can take any value from 0 to \(d - 1\). Afterward, \(P_{n}\) executes the REFLECT mode or the MEASURE mode on the received particle. It is worth noting that regardless of the mode \(P_{n}\) has chosen, the new quantum system after undergoing the second CNOT attack launched by Eve in Step 2 will collapse into
Based on Eq. (40) and Eq. (41), it can be understood that \(TP_{1}\)’s measurement result on the particle of \(S_{n}'\) is automatically identical to \(P_{n}\)’s measurement result on the particle of \(S_{n}\) and the initial prepared state of \(S_{n}\), which implies that Eve can evade the security check in both Case 1 and Case 4 of Step 3.
(ii) Consider the scenario where the initial prepared state of \(S_{n}\) is in the \(T_{2}\) basis. When the single particle \(\vert G_{t} \rangle _{S}\) and the auxiliary qudit \(\vert \varepsilon \rangle _{E}\) generated by Eve are subjected to the first CNOT operation \(U_{CT(d)}\) in Step 1, the global state of the composite system evolves into
for \(t = 0,1, \ldots ,d - 1\), where ε is a constant that can take any value from 0 to \(d - 1\). After \(P_{n}\) has applied the REFLECT mode to the received particle, Eve launches the second CNOT operation in Step 2, which can be depicted as
in accordance with Eq. (39) and Eq. (42). In order to escape the eavesdropping detection in Case 2 of Step 3, Eve should make \(TP_{1}\)’s measurement result on the particle of \(S_{n}'\) the same as the initially produced particle state of \(S_{n}\), which means that the values of \(\delta \oplus \delta \) should consistently be a constant for \(\delta = 0,1, \ldots ,d - 1\) according to Eq. (43).
(iii) By consolidating the foregoing discussions, we can draw the following two judgements.
Firstly, consider the case where d is equal to 2. Then, regardless of whether \(t = 0\) or \(t = 1\), we can consistently deduce that the value of \(t \oplus t\) is equal to 0. Hence, Eq. (41) and Eq. (43) will transform into
and
respectively. On the basis of Eq. (44) and Eq. (45), we can infer that Eve’s attacks cannot be discovered in Step 3. Nevertheless, Eve still has no way to obtain the information about \(P_{n}\)’s operation, because her auxiliary particle \(\vert \varepsilon \rangle _{E}\) consistently stays unchanged. It can be concluded that if d is equal to 2, Eve will acquire nothing by performing the double CNOT operations on the particles transmitted in the quantum channel between \(TP_{1}\) and \(P_{n}\) in Step 1 and Step 2.
Secondly, consider the case where d is greater than 2. When δ takes all values from 0 to \(d - 1\), the corresponding d values of \(\delta \oplus \delta \) cannot be a constant. Therefore, according to Eq. (43), \(TP_{1}\)’s measurement result on \(S_{n}'\) cannot be the same as the initially produced state, which implies that if d is greater than 2, Eve’s double CNOT attacks will inevitably be detected in Case 2 of Step 3.
(iv) Overall, by initiating the double CNOT attacks on the qudits transmitted between \(TP_{1}\) and \(P_{n}\) in Step 1 and Step 2, Eve fails to eavesdrop on the information about \(P_{n}\)’s operation without being detected, not to mention the knowledge about \(x_{n}\).
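The double CNOT analysis in (i)–(iii) can be checked numerically. The following is an added example, not code from the paper: a pure-Python state-vector simulation of the REFLECT case that returns the probability of passing \(TP_{1}\)’s check on one qudit and the final distribution of Eve’s probe. It assumes the standard d-level CNOT \(\vert s \rangle \vert e \rangle \to \vert s \rangle \vert s \oplus e \rangle \) (the display of Eq. (39) is not reproduced on this page); all function names are illustrative.

```python
import cmath
import math


def basis_state(t, d):
    """T1 (computational) basis state |t> as a list of d amplitudes."""
    return [1 + 0j if k == t else 0j for k in range(d)]


def fourier_state(t, d):
    """T2 state |G_t> = (1/sqrt(d)) * sum_delta e^{2*pi*i*delta*t/d} |delta>."""
    return [cmath.exp(2j * math.pi * delta * t / d) / math.sqrt(d)
            for delta in range(d)]


def attach_probe(signal, eps, d):
    """Joint amplitudes psi[s][e] of the signal qudit and Eve's probe |eps>."""
    return [[signal[s] if e == eps else 0j for e in range(d)]
            for s in range(d)]


def cnot(psi, d):
    """Assumed d-level CNOT: |s>|e> -> |s>|s (+) e>, (+) is addition mod d."""
    out = [[0j] * d for _ in range(d)]
    for s in range(d):
        for e in range(d):
            out[s][(s + e) % d] += psi[s][e]
    return out


def pass_probability(psi, expected, d):
    """Probability that TP1's measurement of the signal yields `expected`."""
    total = 0.0
    for e in range(d):
        amp = sum(expected[s].conjugate() * psi[s][e] for s in range(d))
        total += abs(amp) ** 2
    return total


def probe_distribution(psi, d):
    """Outcome probabilities if Eve measures her probe in the T1 basis."""
    return [sum(abs(psi[s][e]) ** 2 for s in range(d)) for e in range(d)]


def double_cnot_reflect(t, eps, d, basis):
    """Run CNOT (Step 1), REFLECT by P_n, CNOT (Step 2) on one qudit.

    Returns (pass probability of TP1's check, Eve's probe distribution).
    """
    prepared = basis_state(t, d) if basis == "T1" else fourier_state(t, d)
    psi = attach_probe(prepared, eps, d)
    psi = cnot(psi, d)   # Step 1: qudit travels TP1 -> P_n
    # REFLECT mode: P_n returns the qudit without disturbing it.
    psi = cnot(psi, d)   # Step 2: qudit travels P_n -> TP1
    return pass_probability(psi, prepared, d), probe_distribution(psi, d)


def best_case_pass(d):
    """Largest Case 2 pass probability over all t and eps (Eve's best case)."""
    return max(double_cnot_reflect(t, eps, d, "T2")[0]
               for t in range(d) for eps in range(d))


def detection_probability(d, checked):
    """Chance that at least one of `checked` T2 REFLECT qudits exposes Eve."""
    return 1.0 - best_case_pass(d) ** checked


if __name__ == "__main__":
    for d in (2, 3, 4, 5):
        print(d, round(best_case_pass(d), 6),
              round(detection_probability(d, 20), 6))
```

For \(d = 2\) the pass probability is 1 and the probe ends in \(\vert \varepsilon \rangle \), matching the first judgement; for \(d > 2\) the per-qudit pass probability is below 1, so the chance of escaping detection shrinks with every checked position.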

(5) The Trojan horse attacks
As the particles of \(S_{n}\) travel from \(TP_{1}\) to \(P_{n}\) and back from \(P_{n}\) to \(TP_{1}\), we need to address two kinds of Trojan horse attacks launched by Eve: the delay-photon Trojan horse attack [59, 60] and the invisible photon eavesdropping attack [61]. Both these attacks involve stealing the information about \(P_{n}\)’s operation by inserting a tailor-made photon produced by Eve into the one transmitted between \(TP_{1}\) and \(P_{n}\). To guarantee the security of the proposed protocols, \(P_{n}\) employs a photon beam splitter (PBS: 50/50) to divide each sample signal into two pieces and measure them, which can effectively resist the former type of attack [60, 62]. As for the latter type of attack, \(P_{n}\) utilizes a wavelength filter to process each signal before executing the operation [60, 62].

(6) The collective and coherent attacks
The collective attack represents a class of attacks that exploit the vulnerabilities within a quantum communication system. The coherent attack denotes a type of attack that takes advantage of the coherence of quantum systems. According to Ref. [22], Eve generates an autonomous ancillary particle to communicate with each qudit and jointly performs the measurement operation on all the ancillary qudits, which can be seen as the collective attack. In the coherent attack, Eve produces an individual ancillary particle, intercepts the participant’s particle and conducts the measurement process within the computational basis \(\{ \vert 1 \rangle , \vert 2 \rangle , \ldots , \vert d - 1 \rangle \}\). Unfortunately, Eve’s trace will undoubtedly be discovered based on the deduction of Eqs. (23)–(45), indicating that she has no way to acquire \(p_{n}\).
5.2 Participant attacks

(1) The participant attack from one dishonest user
In the three proposed protocols, the semiquantum subscribers \(P_{1},P_{2}, \ldots ,P_{N}\) play equal roles all the time. Without loss of generality, it is assumed that \(P_{1}\) is the dishonest user who tries her best to steal the secret integers of the remaining \(N - 1\) participants.
Firstly, in Steps (1)–(5), to acquire \(x_{a} = \{ x_{a}^{1},x_{a}^{2}, \ldots ,x_{a}^{L}\}\) or \(y_{a} = \{ y_{a}^{1},y_{a}^{2}, \ldots ,y_{a}^{L}\}\), \(P_{1}\) may launch her attacks on the qudits between \(TP_{1}\) and \(P_{a}\) or between \(TP_{2}\) and \(P_{a}\), where \(a = 2,3, \ldots ,N\). Nevertheless, \(P_{1}\) is independent from \(P_{a}\), \(TP_{1}\) and \(TP_{2}\), which makes her play the role of an outside eavesdropper. Consequently, in the three proposed protocols, \(P_{1}\) has no information about \(x_{a}\) and \(y_{a}\) in accordance with Sect. 5.1.
Secondly, in Step 6′, \(P_{1}\) may hear of \(c_{a}^{i}\) sent out from \(P_{a}\) and \(\chi _{n'n}^{i}\) sent out from \(TP_{2}\), but she cannot acquire \(p_{a}^{i}\) according to Eq. (3) and Eq. (4), because she is unable to obtain \(x_{a}^{i}\) and \(y_{a}^{i}\) simultaneously. Then, in Step 7′, although \(P_{1}\) may hear of the final comparison results from \(TP_{1}\), she still cannot obtain \(p_{a}^{i}\).
Thirdly, in Step 6″, \(P_{1}\) may hear of \(g_{a}^{i}\) sent out from \(P_{a}\) and \(\beta _{i}\) sent out from \(TP_{2}\), but she has no way to infer \(p_{a}^{i}\) in accordance with Eq. (8) and Eq. (9), because she lacks both \(x_{a}^{i}\) and \(y_{a}^{i}\). Besides, in Step 7″, \(P_{1}\) may hear of the final multiplication results from \(TP_{1}\), but she still has no chance to get \(p_{a}^{i}\).
Fourthly, in Step 6‴, \(P_{1}\) may hear of \(\mu _{a}^{i}\) sent out from \(P_{a}\) and \(\nu _{i}\) sent out from \(TP_{2}\), but she is unable to acquire \(p_{a}^{i}\) based on Eq. (12) and Eq. (13), because she lacks both \(x_{a}^{i}\) and \(y_{a}^{i}\). Furthermore, in Step 7‴, \(P_{1}\) may hear of the final summation results from \(TP_{1}\), but she still has no idea about \(p_{a}^{i}\).
In short, one dishonest user cannot acquire the private inputs of the remaining \(N - 1\) users in the three proposed protocols.

(2) The participant attack from two or more dishonest users
Consider the worst situation that \(N - 1\) participants, \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\), conspire to steal the secret inputs of \(P_{b}\), where \(b \in \{ 2,3, \ldots ,N - 1\}\).
Firstly, in Steps (1)–(5), to acquire \(x_{b} = \{ x_{b}^{1},x_{b}^{2}, \ldots ,x_{b}^{L}\}\) or \(y_{b} = \{ y_{b}^{1},y_{b}^{2}, \ldots ,y_{b}^{L}\}\), \(P_{1},P_{2}, \ldots , P_{b - 1}, P_{b + 1}, \ldots ,P_{N}\) may launch their attacks on the qudits between \(TP_{1}\) and \(P_{b}\) or between \(TP_{2}\) and \(P_{b}\). Obviously, the union of \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\) is independent from \(P_{b}\), \(TP_{1}\) and \(TP_{2}\), making the union of \(N - 1\) participants play the role of an external attacker. As a result, \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\) have no way to get the knowledge about \(x_{b}\) or \(y_{b}\) according to Sect. 5.1.
Secondly, in Step 6′, \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\) may steal \(c_{b}^{i}\) sent out from \(P_{b}\) and \(\chi _{n'n}^{i}\) sent out from \(TP_{2}\), which means that \(y_{b}^{i}\) can be decoded in the light of Eq. (4). Nevertheless, \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\) still cannot obtain \(p_{b}^{i}\) based on \(y_{b}^{i}\) and \(c_{b}^{i}\), because they lack \(x_{b}^{i}\), according to Eq. (3). Then, in Step 7′, although \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\) may hear of the final comparison results from \(TP_{1}\), they still have no way to extract \(p_{b}^{i}\).
Thirdly, in Step 6″, \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\) may steal \(g_{b}^{i}\) sent out from \(P_{b}\) and \(\beta _{i}\) sent out from \(TP_{2}\), in which \(y_{b}^{i}\) can be derived based on \(\beta _{i}\) and \(y_{1}^{i},y_{2}^{i}, \ldots ,y_{b - 1}^{i},y_{b + 1}^{i}, \ldots ,y_{N}^{i}\), according to Eq. (9). Unfortunately, \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\) have no chance to obtain \(p_{b}^{i}\), which is encrypted by \(x_{b}^{i}\) and \(y_{b}^{i}\), in accordance with Eq. (8). Furthermore, in Step 7″, \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\) may hear of the final multiplication results from \(TP_{1}\), but they are still helpless in getting \(p_{b}^{i}\).
Fourthly, in Step 6‴, \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\) may hear of \(\mu _{b}^{i}\) sent out from \(P_{b}\) and \(\nu _{i}\) sent out from \(TP_{2}\), so they can infer \(y_{b}^{i}\) according to Eq. (13). However, \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\) have no chance to obtain \(p_{b}^{i}\) based on Eq. (12), because they lack \(x_{b}^{i}\). Besides, in Step 7‴, \(P_{1},P_{2}, \ldots ,P_{b - 1},P_{b + 1}, \ldots ,P_{N}\) may hear of the final summation results from \(TP_{1}\), but they still cannot acquire \(p_{b}^{i}\).
In conclusion, two or more users have no chance to acquire the secret integers of the remaining users in the three proposed protocols.

(3) The participant attack from semihonest \(TP_{1}\)
It is assumed that \(TP_{1}\) cannot be allowed to conspire with anyone else. On the one hand, \(TP_{1}\) may launch her attacks on the qudits between \(TP_{2}\) and \(P_{n}\) to steal \(y_{n}^{i}\); nevertheless, her eavesdropping behaviors are definitely detected according to Sect. 5.1. On the other hand, \(TP_{1}\) receives \(c_{n}^{i}/g_{n}^{i}/\mu _{n}^{i}\) and \(\chi _{n'n}^{i}/\beta _{i}/\nu _{i}\) from \(P_{n}\) and \(TP_{2}\), respectively; however, she cannot infer \(p_{n}^{i}\), because she lacks \(y_{n}^{i}\), according to Eq. (3)/Eq. (8)/Eq. (12). In addition, the final comparison/multiplication/summation results do not help in getting \(p_{n}^{i}\) either.

(4) The participant attack from semihonest \(TP_{2}\)
It is assumed that \(TP_{2}\) cannot be permitted to collude with anyone else. On the one hand, \(TP_{2}\) may launch her attacks on the particles between \(TP_{1}\) and \(P_{n}\) to get \(x_{n}^{i}\), but she is undoubtedly discovered based on Sect. 5.1. On the other hand, \(TP_{2}\) may hear of \(c_{n}^{i}/g_{n}^{i}/\mu _{n}^{i}\) from \(P_{n}\) to \(TP_{1}\) in Step 6′/Step 6″/Step 6‴; nevertheless, she has no chance to acquire \(p_{n}^{i}\), because she lacks \(x_{n}^{i}\), in accordance with Eq. (3)/Eq. (8)/Eq. (12). In addition, \(TP_{2}\) may hear of the final comparison/multiplication/summation results from \(TP_{1}\), but this still does not help her to get \(p_{n}^{i}\).
6 Discussions and conclusions
The proposed hybrid protocol can achieve the multiparty semiquantum private comparison scheme, the multiparty semiquantum multiplication scheme and the multiparty semiquantum summation scheme simultaneously with the help of two TPs. Here, \(TP_{1}\) and \(TP_{2}\) mutually supervise each other. The function of \(TP_{1}\) is to create a semiquantum private key \(x_{n}\) with \(P_{n}\); meanwhile, \(TP_{2}\) creates a semiquantum private key \(y_{n}\) with \(P_{n}\). Some existing semiquantum private comparison [55] and summation protocols [46] only need one TP. However, in practical applications, these protocols can only be applied to the scenario with a single authority center. By contrast, a protocol with two TPs, such as our hybrid protocol, can be applied to the situation with two mutually supervising authority centers. In addition, our hybrid protocol can be applied to many scenarios, such as voting, ranking, bidding, and so on.
As illustrated in Ref. [55], the qudit efficiency is utilized to calculate the communication efficiency of a quantum protocol suitable for the d-dimensional Hilbert space, which is defined as
Here, κ, τ and ξ are the length of private inputs established, the number of qudits consumed and the number of classical bits expended, respectively. Note that we neglect the classical resources expended during the eavesdropping detection processes.
In the proposed MSQPC protocol, the length of \(p_{n}\) is L, so we gain \(\kappa = L\). \(TP_{1}/TP_{2}\) prepares N groups of 8L d-dimensional single-particle states and transmits them to the semiquantum participants; after getting the qudits from \(TP_{1}/TP_{2}\), when \(P_{n}\) enters into the MEASURE mode, she is asked to produce 4L fresh qudits based on the found states within the \(T_{1}\) basis; so we obtain \(\tau = ( 8L \times N + 4L \times N ) \times 2 = 24NL\). Then, \(P_{n}\) and \(TP_{2}\) send \(c_{n}^{i}\) and \(\chi _{n'n}^{i}\) to \(TP_{1}\), respectively, where \(n = 1,2, \ldots ,N\), \(n' = 2,3, \ldots ,N\), \(n' > n\) and \(i = 1,2, \ldots ,L\). Hence, we have \(\xi = L \times N + \frac{N(N - 1)}{2} \times L = NL + \frac{NL(N - 1)}{2}\). As a result, the proposed MSQPC protocol’s qudit efficiency is \(\eta = \frac{L}{24NL + NL + \frac{NL(N - 1)}{2}} = \frac{2}{N^{2} + 49N}\).
Whether in the proposed MSQM protocol or MSQS protocol, by adopting the same analysis method as foregoing discussion, we can obtain \(\kappa = L\) and \(\tau = 24NL\). Furthermore, \(P_{n}\) and \(TP_{2}\) send \(g_{n}^{i}/\mu _{n}^{i}\) and \(\beta _{i}/\nu _{i}\) to \(TP_{1}\), respectively, where \(i = 1,2, \ldots ,L\). Therefore, it can be deduced that \(\xi = L \times N + L = (N + 1)L\). Consequently, the qudit efficiency of the proposed MSQM protocol or MSQS protocol is \(\eta = \frac{L}{24NL + (N + 1)L} = \frac{1}{25N + 1}\).
In the SQPC protocol of Ref. [55], the length of Alice’s or Bob’s secrets is n, so we get \(\kappa = n\). The minimum number of d-dimensional single-particle states generated by TP should be 16n; then, TP sends 8n particles to Alice and 8n particles to Bob; when Alice and Bob enter into the MEASURE mode, they send the freshly prepared qudits to TP. Furthermore, this protocol adopts the SQKD protocol [63] to produce the preshared keys among Alice and Bob, consuming 24n qudits. Hence, we obtain \(\tau = 16n + 4n + 4n + 24n = 48n\). In addition, Alice sends \(R_{A}^{i}\) to TP while Bob sends \(R_{B}^{i}\) to TP. TP needs to announce \(r_{i}\) to Alice and Bob. As a result, we obtain \(\xi = 3n\). It can be concluded that the qudit efficiency of the protocol in Ref. [55] is \(\eta = \frac{n}{48n + 3n} = \frac{1}{51}\).
Using the same method, we obtain that the qudit efficiencies of the protocol of Ref. [51], the protocol of Ref. [52], the first protocol of Ref. [53], the second protocol of Ref. [53] and the protocol of Ref. [54] are \(\frac{1}{50}\), \(\frac{1}{42}\), \(\frac{1}{50}\), \(\frac{1}{14}\) and \(\frac{1}{38}\), respectively. In the proposed MSQPC protocol, when \(N = 2\), the corresponding qudit efficiency is \(\frac{1}{51}\). With respect to qudit efficiency, compared to the protocols of Refs. [51–55], our MSQPC protocol does not have an advantage, but is very close to the protocol of Ref. [51] and the first protocol of Ref. [53]. The protocols of Refs. [51–55] can only achieve the private comparison between two semiquantum users. Fortunately, the proposed hybrid protocol can achieve the semiquantum private comparison, the semiquantum multiplication and the semiquantum summation simultaneously among more than two semiquantum participants, which may decrease the qudit efficiency.
In addition, we compare the proposed MSQPC protocol with the present SQPC protocols of size relationship in Refs. [51–55], as shown in Table 2. In accordance with Table 2, the proposed MSQPC protocol is superior to the protocols of Refs. [51, 52, 54] in quantum resources, as d-dimensional single-particle states are much easier to produce than d-dimensional Bell states and d-dimensional GHZ states; on the usage of a preshared key, the proposed MSQPC protocol defeats the protocols of Refs. [51–55], as it has no demand for a preshared key; due to no use of unitary operations, the proposed MSQPC protocol exceeds the second protocol of Ref. [53]; as for the quantum measurements from quantum parties, the proposed MSQPC protocol has an advantage over the protocols of Refs. [51, 52, 54], because it does not require d-dimensional GHZ state measurements or d-dimensional Bell state measurements; and the proposed MSQPC protocol, aiming to determine the size relationship of more than two semiquantum participants’ private inputs within one round implementation, is the only one which does not require a preshared key.
In conclusion, in this paper, by utilizing d-dimensional single-particle states, the first MSQPC protocol without a preshared key, aiming to judge the size relationship of more than two semiquantum users’ secret integers, is put forward; the first MSQM protocol integrating the concept of semiquantumness into quantum multiplication is put forward, which is devoted to computing the modulo d multiplication of secret integers from more than two semiquantum participants; and the first MSQS protocol which can calculate the modulo d addition of private inputs from more than three semiquantum users is put forward. It is noteworthy that only under the control of two TPs can the goals of the three proposed protocols be achieved, where the semihonest TPs are allowed to launch arbitrary attacks but cannot cooperate with anyone else.
The three proposed protocols have no demand for quantum entanglement swapping and unitary operations. Both the outside attacks and the participant attacks can be resisted in the three proposed protocols.
Data availability
The datasets used during the current study are available from the corresponding author on reasonable request.
Abbreviations
MSQPC: Multiparty semiquantum private comparison
MSQM: Multiparty semiquantum multiplication
MSQS: Multiparty semiquantum summation
TP: Third party
QKD: Quantum key distribution
QSS: Quantum secret sharing
QPC: Quantum private comparison
QM: Quantum multiplication
QS: Quantum summation
SQPC: Semiquantum private comparison
SQS: Semiquantum summation
SQM: Semiquantum multiplication
SQKD: Semiquantum key distribution
CNOT: Controlled-not
References
Bennett CH, Brassard G. Quantum cryptography: public key distribution and coin tossing. In: Proceedings of IEEE international conference on computers, systems and signal processing. Bangalore. 1984. p. 175–9.
Hillery M, Buzek V, Berthiaume A. Quantum secret sharing. Phys Rev A. 1999;59:1829.
Karlsson A, Koashi M, Imoto N. Quantum entanglement for secret sharing and secret splitting. Phys Rev A. 1999;59:162–8.
Zhang ZJ, Yang J, Man ZX, Li Y. Multiparty secret sharing of quantum information using and identifying Bell state. Eur Phys J D. 2005;33(1):133–6.
Deng FG, Li XH, Zhou HY. Efficient highcapacity quantum secret sharing with twophoton entanglement. Phys Lett A. 2008;372(12):1957–62.
Chen XB, Niu XX, Zhou XJ, Yang YX. Multiparty quantum secret sharing with the singleparticle quantum state to encode the information. Quantum Inf Process. 2013;12:365.
Ye CQ, Ye TY. Circular semiquantum secret sharing using single particles. Commun Theor Phys. 2018;70:661–71.
Li CY, Ye CQ, Tian Y, Chen XB, Li J. Clusterstatebased quantum secret sharing for users with different abilities. Quantum Inf Process. 2021;20(12):385.
Sutradhar K, Om H. Enhanced (t, n) threshold dlevel quantum secret sharing. Sci Rep. 2021;11:17083.
Sutradhar K, Om H. An efficient simulation of quantum secret sharing. 2021. arXiv:2103.11206.
Yang YG, Wen QY. An efficient twoparty quantum private comparison protocol with decoy photons and twophoton entanglement. J Phys A, Math Theor. 2009;42(5):055305.
Chen XB, Xu G, Niu XX, Wen QY, Yang YX. An efficient protocol for the private comparison of equal information based on the triplet entangled state and singleparticle measurement. Opt Commun. 2010;283:1561–5.
Guo FZ, Gao F, Qin SJ, Zhang J, Wen QY. Quantum private comparison protocol based on entanglement swapping of dlevel Bell states. Quantum Inf Process. 2013;12(8):2793–802.
Ye TY. Quantum private comparison via cavity QED. Commun Theor Phys. 2017;67(2):147–56.
Song XL, Wen AJ, Gou R. Multiparty quantum private comparison of size relation based on singleparticle states. IEEE Access. 2019;99:1–7.
Cao H, Ma WP, Lü LD, He YF, Liu G. Multiparty quantum comparison of size based on dlevel GHZ states. Quantum Inf Process. 2019;18:287.
Wang B, Gong LH, Liu SQ. Multiparty quantum private size comparison protocol with ddimensional Bell states. Front Phys. 2022;10:981376.
Lian JY, Li X, Ye TY. Multiparty quantum private comparison of size relationship with two third parties based on ddimensional Bell states. Phys Scr. 2023;98:035011.
Sutradhar K, Om H. A privacypreserving comparison protocol. IEEE Trans Comput. 2023;72(6):1815–21.
Shi RH, Mu Y, Zhong H, Cui J, Zhang S. Secure multiparty quantum computation for summation and multiplication. Sci Rep. 2016;6:19655.
Lv SX, Jiao XF, Zhou P. Multiparty quantum computation for summation and multiplication with mutually unbiased bases. Int J Theor Phys. 2019;58(9):2872–82.
Sutradhar K, Om H. Hybrid quantum protocols for secure multiparty summation and multiplication. Sci Rep. 2020;10:9097.
Sutradhar K, Om H. A costeffective quantum protocol for secure multiparty multiplication. Quantum Inf Process. 2021;20(11):380.
Sutradhar K, Om H. Secret sharing based multiparty quantum computation for multiplication. Int J Theor Phys. 2021;60:3417–25.
Li FL, Hu H, Zhu SX. A (k, n)threshold dynamic quantum secure multiparty multiplication protocol. Quantum Inf Process. 2022;21:394.
Heinrich S. Quantum summation with an application to integration. J Complex. 2002;18(1):1–50.
Chen XB, Xu G, Yang YX, Wen QY. An efficient protocol for the secure multiparty quantum summation. Int J Theor Phys. 2010;49(11):2793–804.
Zhang C, Sun ZW, Huang X, Long DY. Threeparty quantum summation without a trusted third party. Int J Quantum Inf. 2015;13(02):1550011.
Shi RH, Zhang S. Quantum solution to a class of twoparty private summation problems. Quantum Inf Process. 2017;16(9):225.
Liu W, Wang YB, Fan WQ. An novel protocol for the quantum secure multiparty summation based on twoparticle bell states. Int J Theor Phys. 2017;56(9):2783–91.
Yang HY, Ye TY. Secure multiparty quantum summation based on quantum Fourier transform. Quantum Inf Process. 2018;17(6):129.
Ji Z, Zhang H, Wang H, Wu F, Jia J, Wu W. Quantum protocols for secure multiparty summation. Quantum Inf Process. 2019;18(6):168.
Sutradhar K, Om H. A generalized quantum protocol for secure multiparty summation. IEEE Trans Circuits Syst II. 2020;67(12):2978–82.
Ye TY, Xu TJ. A lightweight threeuser secure quantum summation protocol without a third party based on singleparticle states. Quantum Inf Process. 2022;21(9):309.
Ye TY, Hu JL. Quantum secure multiparty summation based on the phase shifting operation of dlevel quantum system and its application. Int J Theor Phys. 2021;60(3):819–27.
Sutradhar K. Secure multiparty quantum aggregating protocol. Quantum Inf Comput. 2023;23:245–56.
Venkatesh R, Savadatti Hanumantha B. A privacypreserving quantum blockchain technique for electronic medical records. IEEE Eng Manage Rev. 2023;51(4):137–44.
Venkatesh R, Savadatti Hanumantha B. Electronic medical records protection framework based on quantum blockchain for multiple hospitals. Multimed Tools Appl. 2023. https://doi.org/10.1007/s1104202316848y.
Sutradhar K, Om H. An efficient simulation for quantum secure multiparty computation. Sci Rep. 2021;11:2206.
Sutradhar K. A quantum cryptographic protocol for secure vehicular communication. IEEE Trans Intell Transp Syst. 2023;1–10.
Boyer M, Kenigsberg D, Mor T. Quantum key distribution with classical Bob. Phys Rev Lett. 2007;99(14):140501.
Boyer M, Gelles R, Kenigsberg D, Mor T. Semiquantum key distribution. Phys Rev A. 2009;79(3):032341.
Ye TY, Li HK, Hu JL. Semiquantum key distribution with single photons in both polarization and spatialmode degrees of freedom. Int J Theor Phys. 2020;59:2807–15.
Ye TY, Geng MJ, Xu TJ, Chen Y. Efficient semiquantum key distribution based on single photons in both polarization and spatialmode degrees of freedom. Quantum Inf Process. 2022;21(4):123.
Chou WH, Hwang T, Gu J. Semiquantum private comparison protocol under an almostdishonest third party. 2016. arXiv:1607.07961.
Zhang C, Huang Q, Long YX, Sun ZW. Secure threeparty semiquantum summation using single photons. Int J Theor Phys. 2021;60:3478–87.
Ye TY, Ye CQ. Measureresend semiquantum private comparison without entanglement. Int J Theor Phys. 2018;57(12):3819–34.
Lang YF. Semiquantum private comparison using single photons. Int J Theor Phys. 2018;57:3048–55.
Lin PH, Hwang T, Tsai CW. Efficient semiquantum private comparison using single photons. Quantum Inf Process. 2019;18:207.
Ye CQ, Li J, Chen XB, Yuan T. Efficient semiquantum private comparison without using entanglement resource and preshared key. Quantum Inf Process. 2021;20:262.
Zhou NR, Xu QD, Du NS, Gong LH. Semiquantum private comparison protocol of size relation with ddimensional Bell states. Quantum Inf Process. 2021;20:124.
Wang B, Liu SQ, Gong LH. Semiquantum private comparison protocol of size relation with ddimensional GHZ states. Chin Phys B. 2022;31:010302.
Li YC, Chen ZY, Xu QD, Gong LH. Two semiquantum private comparison protocols of size relation based on single particles. Int J Theor Phys. 2022;61:157.
Luo QB, Li XY, Yang GW, Lin C. A mediated semiquantum protocol for millionaire problem based on highdimensional Bell states. Quantum Inf Process. 2022;21:257.
Geng MJ, Xu TJ, Chen Y, Ye TY. Semiquantum private comparison of size relationship based dlevel singleparticle states. Sci Sin Phys Mech Astron. 2022;52(9):290311.
Ye TY, Lian JY. A novel multiparty semiquantum private comparison protocol of size relationship with ddimensional singleparticle states. Physica A. 2023;611:128424.
Ye TY, Xu TJ, Geng MJ, Chen Y. Twoparty secure semiquantum summation against the collectivedephasing noise. Quantum Inf Process. 2022;21:118.
Hu JL, Ye TY. Threeparty secure semiquantum summation without entanglement among quantum user and classical users. Quantum Inf Process. 2022;61:170.
Gisin N, Ribordy G, Tittel W, Zbinden H. Quantum cryptography. Rev Mod Phys. 2002;74:145.
Deng FG, Zhou P, Li XH, et al. Robustness of twoway quantum communication protocols against Trojan horse attack. 2005. arXiv:quantph/0508168.
Cai QY. Eavesdropping on the twoway quantum communication protocols with invisible photons. Phys Lett A. 2006;351:23.
Li XH, Deng FG, Zhou HY. Improving the security of secure direct communication based on the secret transmitting order of particles. Phys Rev A. 2006;74:054302.
Krawec WO. Mediated semiquantum key distribution. Phys Rev A. 2015;91(3):032323.
Funding
the National Natural Science Foundation of China (Grant No. 62071430), the Fundamental Research Funds for the Provincial Universities of Zhejiang (Grant No. JRK21002) and the Project Supported by Scientific Research Fund of Zhejiang Provincial Education Department (Grant No. Y202352615).
Author information
Contributions
JiangYuan Lian wrote the manuscript, and TianYu Ye reviewed and checked the paper.
Ethics declarations
Ethics approval and consent to participate
Not applicable
Consent for publication
Not applicable
Competing interests
The authors declare no competing interests.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Lian, JY., Ye, TY. Hybrid protocols for multiparty semiquantum private comparison, multiplication and summation without a preshared key based on d-dimensional single-particle states. EPJ Quantum Technol. 11, 17 (2024). https://doi.org/10.1140/epjqt/s40507-024-00228-y