Skip to main content

Different secure semi-quantum summation models without measurement

Abstract

Secure semi-quantum summation entails the collective computation of the sum of private secrets by multi-untrustworthy and resource-limited participants, facilitated by a quantum third-party. This paper introduces three semi-quantum summation protocols based on single photons, where eliminating the need for classical users to possess measurement capabilities. Two-party protocol 1 and protocol 2 are structured upon different models: star and ring, respectively. The security analysis extensively evaluates the protocols’ resilience against outside and inside attacks, demonstrating protocols are asymptotically secure. Protocol 3 extends two-party protocol 1 to multi-party scenarios, broadening its applicability. Comparison reveals a reduction in the workload for classical users compared to previous similar protocols, and the protocols’ correctness are visually validated through simulation by Qiskit.

1 Introduction

Quantum communication employs qubits as carriers of information exchange, surpassing the limitations of classical information technology in ensuring information security and other aspects. Leveraging the unique physical properties of quantum mechanics, it guarantees non-eavesdropping keys, thus achieving unconditional secure quantum communication in principle and introducing novel concepts for network security [14]. The BB84 protocol [5], as the pioneering quantum key distribution (QKD) protocol, showcases the potential of utilizing quantum principles for secure communication, laying the groundwork for the exploration of quantum cryptographic protocols [68]. Building upon the foundational work in QKD, researchers have delved into quantum protocols extending beyond secure communication to encompass secure computation [912].

Secure multi-party computation (SMC) is a technology enabling multiple parties to collectively compute a predetermined function result without revealing their private data [13, 14]. This technology finds applications in areas such as electronic voting, threshold signatures, and electronic auctions, serving as the cryptographic bedrock for these implementations. However, in 1994, Shor demonstrated the efficacy of quantum algorithms in rapidly factoring large prime numbers [15]. In light of quantum computing, classical SMC faces significant threats [16], as it fails to offer robust security reliant on computational power keys. Quantum secure multi-party computation (QSMC) entails integrating fundamental principles of quantum mechanics into the protocol design of secure multi-party computation [17, 18], ensuring resistance against quantum computing attacks and delivering enhanced security performance while fulfilling the function of secure multi-party computation.

Quantum secure multi-party summation (QSMS) is a subfield of QSMC, which can be seen as an extension of classical multi-party privacy summation in the field of quantum mechanics [1923]. The main purpose of QSMS is to calculate the sum of n participant secret values without revealing their secrets. It can be definition as follows: N participants \(P_{1}, P_{2},\ldots, P_{N}\) try to calculate a summation function \(f(y_{1}, y_{2},\ldots, y_{N})\), where \(y_{i}\in \{y_{1},y_{2},\ldots y_{N}\}\) are present participant \(P_{i}\)’s private input.

While research on quantum information technology is still in its nascent stages, technologies such as quantum communication and quantum computing present challenges due to their complexity and difficulty of application in current work and life scenarios. Additionally, quantum devices entail high costs and intricate operations, with stringent requirements for preparing, storing, and transmitting quantum states. The semi-quantum secure communication protocol proposed by Boyer et al. [24] effectively addresses the bottleneck in the current development of quantum secure communication. It offers a relatively easier implementation while ensuring security. This protocol allows one party to possess full quantum capability, while the other party’s quantum capability remains limited, thus enabling secure communication between quantum users and classical users.

In the semi-quantum secure communication protocol model, both quantum users and classical users require access to a two-way quantum channel [2527]. Initially, qubits are transmitted from the quantum user to the classical user and then returned to the quantum user. Upon receiving each qubit, the classical user selects one of the following options: (1) Measurement: conduct a Z-basis measurement on the received particles. (2) Preparation: prepare a quantum state using the Z-basis and send it back to the quantum user. (3) Measurement and resend: perform Z-basis measurements on the received particles and then resend the results to the quantum user as Z-basis particles. This operation combines the above two actions, with the restriction that classical users always send the same state they measure. (4) Reflection: return the particles to the quantum users without any alteration. (5) Rearrangement: rearrange the received qubits without interfering with their states. The classical user does not ascertain the specific qubits, he only reorders them.

The first three-party semi-quantum summation (SQS) protocol was introduced by Zhang et al. [28] in 2021, utilizing single-qubit-based computation to calculate the summation of participants’ private inputs. In comparison, the protocol proposed by Hu et al. [29] exhibited improved quantum measurement performance for quantum participants and potentially higher qubit efficiency in 2022. Subsequently, Ye et al. presented a more practical protocol capable of resisting collective-dephasing noise, although it failed to achieve the participants’ summation results if a trusted party is absent [30]. In 2024, Lian et al. expanded from dimension 2 to dimension d, aiming to facilitate modulo d addition for more than three semi-quantum users’ private integers [31].

However, ongoing research on SQS faces several challenges: (1) Requirement for classical participants: All classical participants must possess the capability to measure and prepare qubits. (2) Communication mode: The communication mode is relatively limited, achieving star communication but not ring communication. (3) Lack of simulation verification: There is a lack of simulation verification for the proposed protocols.

In this paper, we propose three protocols based on single photons that effectively tackle the aforementioned issues. Protocols 1 and 2 are devised upon different transmission models: one utilizing a star model and the other employing a ring model. Importantly, neither protocol necessitates participants to possess measurement capabilities. In the star model, a semi-honest third-party (TP) simultaneously transmits particles to users 1 and 2. After users 1 and 2 conduct their operations, the particles are returned to TP to finalize communication. Conversely, the ring model involves TP transmitting particles to user 1. Once user 1 completes the operation, the particles are then transmitted to user 2, who subsequently returns them to TP to complete the communication process. Protocol 3 extends protocol 1 (star model) from the two-party SQS to multi-party, thereby enhancing the protocol’s applicability across various scenarios.

The contributions of this paper can be summarized as follows: (1) A protocol that does not require participant measurement is proposed, and classical users do not need to have measurement capabilities, further simplifying their operations. (2) Two different models, star and ring, are proposed without the need for measurement, and the star protocol is extended to multiple parties, expanding communication application scenarios. (3) The proposed protocol was simulated and verified, further verifying its correctness and feasibility. These protocols offer promising solutions for overcoming existing challenges in semi-quantum communication, particularly in terms of communication modes and participant capabilities.

The remainder of this paper is structured as follows: In Sect. 2, we introduce two semi-quantum summation protocols. Section 3 provides an analysis of the security aspects of the two proposed protocols. In Sect. 4, we present the simulation results of the two protocols. Following that, Sect. 5 introduces the multi-party protocol. Finally, Sect. 6 contains the discussion and conclusion of this paper.

2 Semi-quantum summation protocol based on single photons

In this section, an SQS protocol using single photons will be proposed. Suppose the quantum channels are ideal (ie, non-lossy and noiseless) and the classical channels are authenticated in the proposed protocol.

There are two participants (Alice, Bob) and a semi-honest TP. Alice and Bob are classical participants who have a private n-bit string, eager to summation their private information. TP has full quantum capabilities, who aims to obtain the modulo 2 of Alice and Bob’s bit strings. Alice and Bob select an SQKD protocol to pre-shared the length of N keys \(K=(K_{1},K_{2},\ldots,K_{N})\). The length of participants’ (Alice, Bob) private bit strings (A, B) is n. Alice and Bob private bit strings are denoted as \(A=(a_{1},a_{2},\ldots,a_{n})\) and \(B=(b_{1},b_{2},\ldots,b_{n})\), where \(a_{i},b_{i}\in \{0,1\},i=1,2,\ldots,n\). On the premise of not disclosing their respective private bit strings, they hope to use TP to help compute the summation:

$$ \begin{aligned} M=A\oplus B =(a_{1}\oplus b_{1},a_{2}\oplus b_{2},\ldots,a_{n} \oplus b_{n}) \end{aligned} $$
(1)

where, is the modulo 2 addition.

2.1 Protocol 1: star and concise SQS

Step 1: TP generates \(N=8n\) two-qubit product states, each of which is

$$ \begin{aligned} \vert +\rangle \vert +\rangle = \frac{( \vert 0\rangle + \vert 1\rangle )_{A}}{\sqrt {2}} \otimes \frac{( \vert 0\rangle + \vert 1\rangle )_{B}}{\sqrt {2}} \end{aligned} $$
(2)

where A and B denote the system of Alice and Bob. There are two sequences \(S_{A}=\{q_{a}^{1},q_{a}^{2},\ldots,q_{a}^{N}\}\) and \(S_{B}=\{q_{b}^{1},q_{b}^{2},\ldots,q_{b}^{N}\}\), where \(q_{a}^{i}\) and \(q_{b}^{i}\) represent the i-th \((i=1,2,\ldots,N)\) particle. Then, TP transmits \(S_{A}\) to Alice and \(S_{B}\) to Bob.

Step 2: Upon receiving particles from TP, Alice prepares a sequence \(Z_{A}=\{z_{a}^{1},z_{a}^{2},\ldots,z_{a}^{m}\}\), where \(z_{a}^{i}\) is chosen from \(\{|0\rangle ,|1\rangle \}\) at random, \(i=1,2,\ldots,m\). Subsequently, Alice combines \(Z_{A}\) and \(S_{A}\) to compose a new sequence \(Q_{A}\), and reorders the positions of particles in the \(Q_{A}\). Alice transmits \(Q_{A}\) to TP, where the length of \(Q_{A}\) is \(8n+m\). After receiving the particles sent by TP, Bob implemented the same operation as Alice.

Step 3: When TP is receiving \(Q_{A}\) and \(Q_{B}\) from Alice and Bob, he randomly chooses either \(\sigma _{Z}\) basis (\(\{|0\rangle ,|1\rangle \}\)) or \(\sigma _{X}\) basis (\(\{|+\rangle ,|-\rangle \}\)) to measure each particle. Then, TP announces which basis he chose to measure for each particle.

Step 4: Alice and Bob publish the positions of \(S_{A}\) and \(Z_{A}\) in \(Q_{A}\), \(S_{B}\) and \(Z_{B}\) in \(Q_{B}\), respectively. According to Alice and Bob’s different operations, the following eight cases will occur, and the details are listed in Table 1:

Table 1 Alice, Bob and TP’s operations on the particle

Case 1: TP performs \(\sigma _{X}\) measurement on the particle which is belongs \(S_{A}\) and \(S_{B}\). Case 2: TP performs \(\sigma _{X}\) measurement on the particle which is belongs \(S_{A}\) and \(Z_{B}\). Case 3: TP performs \(\sigma _{X}\) measurement on the particle which is belongs \(Z_{A}\) and \(S_{B}\). Case 4: TP performs \(\sigma _{X}\) measurement on the particle which is belongs \(Z_{A}\) and \(Z_{B}\).

The cases 1, 2, 3 and 4 are used for checking eavesdropping. An example is illustrated, in case 1, TP performs \(\sigma _{X}\) measurement to detect eavesdropping. If there are no eavesdroppers in quantum channel, TP obtains \(|+\rangle _{A}\otimes |+\rangle _{B}\). Once other quantum states appear, it indicates the presence of eavesdroppers during the communication process. Once the error rate exceeds the pre-threshold value, the protocol will be discarded.

Case 5: TP performs \(\sigma _{Z}\) measurement on the particle which is belongs \(S_{A}\) and \(Z_{B}\). Case 6: TP performs \(\sigma _{Z}\) measurement on the particle which is belongs \(Z_{A}\) and \(S_{B}\). Case 7: TP performs \(\sigma _{Z}\) measurement on the particle which is belongs \(Z_{A}\) and \(Z_{B}\).

The cases 5, 6 and 7, at least one of Alice and Bob has prepared the fresh particle, TP obtains a bit string \(r_{a}^{1},r_{a}^{2},\ldots,r_{a}^{3n}\) and \(r_{b}^{1},r_{b}^{2},\ldots,r_{b}^{3n}\) which measured in \(\sigma _{Z}\) basis corresponding the positions \(r_{a}^{1}r_{a}^{2}...r_{a}^{3n}\) and \(r_{b}^{1}r_{b}^{2}...r_{b}^{3n}\). The measurement results of Alice and Bob’s are denoted as \(r_{a}^{i}\) and \(r_{b}^{i}\) which are used for computing the private summation.

Case 8: TP performs \(\sigma _{Z}\) measurement on the particle which is belongs \(S_{A}\) and \(S_{B}\).

The case 8 will be discarded by TP.

Step 5: TP chooses a part of bits in \(r_{a}^{1}r_{a}^{2}...r_{a}^{3n}\) and \(r_{b}^{1}r_{b}^{2}...r_{b}^{3n}\) to be TEST bits, and declares the positions and value which he selected. Two participants announce the value of the TEST bits at the corresponding position. They calculate the error rate on TEST bits. Once the error rate is higher than the pre-threshold value, the protocol will be terminated.

Step 6: The participants and TP compute the summation of bit strings. Alice holds \(R_{A}=\{r_{a}^{1}r_{a}^{2}...r_{a}^{n}\}\), and Bob holds \(R_{B}=\{r_{b}^{1}r_{b}^{2}...r_{b}^{n}\}\). Alice computes \(C_{A}^{i}=r_{a}^{i}\oplus a_{i}\oplus K_{i}\), Bob computes \(C_{B}^{i}=r_{b}^{i}\oplus b_{i}\oplus K_{i}\), where is the modulo 2 addition. Then, TP computes \(C_{A}^{i}\oplus C_{B}^{i} \oplus r_{a}^{i} \oplus r_{b}^{i} = a_{i} \oplus b_{i}\), the result is Alice and Bob i-th private summation.

2.2 Protocol 2: ring and concise SQS

Step 1: TP generates a N single photons \(S_{T}\) sequence which randomly contains {\(|+\rangle \), \(|-\rangle \), \(|0\rangle \), \(|1\rangle \)}, and transmits to Alice.

Step 2: Upon receiving the sequence \(S_{T}\) from TP, Alice prepares a sequence \(S_{A}=\{r_{a}^{1},r_{a}^{2},\ldots,r_{a}^{N}\}\), where \(r_{a}^{i}\) is chosen from \(\{|0\rangle ,|1\rangle \}\) at random, \(i=1,2,\ldots,N\). Subsequently, Alice combines \(S_{T}\) and \(S_{A}\) to compose a new sequence \(S_{2}\), and reorders the positions of particles in the \(S_{2}\). Alice transmits \(S_{2}\) to Bob, where the length of \(S_{2}\) is 2N.

Step 3: Upon receiving the sequence \(S_{2}\) from Alice, Bob prepares a sequence \(S_{B}=\{r_{b}^{1},r_{b}^{2},\ldots,r_{b}^{N}\}\), where \(r_{b}^{i}\) is chosen from \(\{|0\rangle ,|1\rangle \}\) at random, \(i=1,2,\ldots,N\). Subsequently, Bob combines \(S_{2}\) and \(S_{B}\) to compose a new sequence \(S_{3}\), and reorders the positions of particles in the \(S_{3}\). Bob transmits \(S_{3}\) to TP, where the length of \(S_{3}\) is 3N.

Noticed that, the photons prepared by TP, Alice, Bob are represent CTRL photons, \(\mathrm{SIFT} _{A}\) photons, \(\mathrm{SIFT} _{B}\) photons, respectively.

Step 4: TP announces to A and B that he received the sequence \(S_{3}\). Afterwards, two participants respectively declare the orders of the photons in the sequence \(S_{2}\) and \(S_{3}\).

Step 5: TP performs \(\sigma _{X}\) measurement on the CTRL photon, performs \(\sigma _{Z}\) measurement on the \(\mathrm{SIFT} _{A}\) and \(\mathrm{SIFT} _{B}\) photon. For detecting eavesdropping, TP calculates the error rate about CTRL photons. If eavesdropping absent, TP’s measurement results should be consistent with what he initially prepared. Once the error rate is higher than the pre-threshold value, the protocol will be dropped.

Step 6: TP chooses a part of bits in \(S_{A}=\{r_{a}^{1},r_{a}^{2},\ldots,r_{a}^{N}\}\) and \(S_{B}=\{r_{b}^{1},r_{b}^{2},\ldots,r_{b}^{N}\}\) to be TEST bits, and declares the positions and value which he selected. Two participants announce the value of the TEST bits at the corresponding position. They calculate the error rate on TEST bits. Once the error rate is higher than the pre-threshold value, the protocol will be terminated.

Step 7: The participants and TP compute the summation of bit strings. Alice holds \(R_{A}=\{r_{a}^{1}r_{a}^{2}...r_{a}^{n}\}\), and Bob holds \(R_{B}=\{r_{b}^{1}r_{b}^{2}...r_{b}^{n}\}\). Alice computes \(C_{A}^{i}=r_{a}^{i}\oplus a_{i}\oplus K_{i}\), Bob computes \(C_{B}^{i}=r_{b}^{i}\oplus b_{i}\oplus K_{i}\), where is the modulo 2 addition. Then, TP computes \(C_{A}^{i}\oplus C_{B}^{i} \oplus r_{a}^{i} \oplus r_{b}^{i} = a_{i} \oplus b_{i}\), the result is Alice and Bob i-th private summation.

3 Security analysis

In this section, we analyze the proposed SQS protocols’ security. Generally speaking, when analyzing SQS security, the following two attack scenarios need to be considered [7, 16, 28]. Outside attack: Malicious attacker attempts to obtain the privacy strings of participants. Inside attack: TP and participants attempt to steal the privacy strings of other participants. Suppose Eve has fully quantum capability. The following will prove that Eve’s access to any private information will introduce errors.

3.1 Security analysis of SCSQS

Outside attacker Eve attempts to grab the participants’ private bit strings, and he needs to obtain the keys that the participant uses to encrypt their private inputs. Here is an analysis of Eve’s desire to obtain Alice’s private bit string, similar to the analysis of Bob’s private bit string.

Intercept-resend attack

Eve intercepts the sequence \(S_{A}\) which is sending to Alice from TP, and re-prepares self a sequence \(S_{E}\). Eve sends Alice \(S_{E}\) instead of \(S_{A}\). When Alice received \(S_{E}\), she combines \(S_{E}\) with \(Z_{A}\) to obtain \(Q_{A}'\), and transmits \(Q_{A}'\) to TP. Then, Eve intercepts \(Q_{A}'\), attempts to infer which particles Alice prepared. He prepares a fake sequence \(Q_{A}''\), and sends to TP. Unfortunately, Eve will be detected with high probability causing he does not realize the order of \(Q_{A}'\).

When conducting eavesdropping detection in Step 4, TP performs \(\sigma _{X}\) measurement on the particle with \(1/2\), situation 1 with \(1/2\): particle in \(Z_{A}\), there are no error introduce; situation 2 with \(1/2\): particle in \(S_{A}\), Eve has a probability of \(1/2\) being detected. Hence, the total detection rate is \(1/2*(1/2*0+1/2*1/2)=1/8\) in Step 4. Specifically, in case \(1\&2\), the detection particle in \(S_{A}\) which generated by TP. When Eve sents particle one of \(|0\rangle ,|1\rangle ,|+\rangle ,|-\rangle \) to TP with \(1/4\). Eve prepares \(|+\rangle \) particle, he can pass the detection with \(1/4\). If Eve prepares \(|0\rangle \)(\(|1\rangle \)), he can pass the detection with \(1/2\). Eve prepares \(|-\rangle \) particle, he will be noticed by TP. In case \(3\&4\), the detection particle in \(Z_{A}\) which generated by Alice. Because TP will take \(\sigma _{X}\) on the particle \(Z_{A}\), the measurement results are \(|+\rangle \) or \(|-\rangle \), he cannot distinguish the fake particle.

For eavesdropping detection in Step 5, TP performs \(\sigma _{Z}\) measurement on the particle with \(1/2\), situation 3 with \(1/2\): the \(Z_{A}\) particle, Eve has a probability of \(1/2\) being detected. Situation 4 with \(1/2\): particle in \(S_{A}\), discard. Hence, the total detection rate is \(1/2*1/2*1/2)=1/8\) in Step 5.

Measure-resend attack

Eve intercepts and measures the sequence \(S_{A}\) which is sending to Alice from TP. He re-generates a sequence \(S_{E}\) with same measurement results and transmits to Alice. When Alice received \(S_{E}\), she prepares a sequence \(Q_{A}'\) of \(S_{E}\) and \(Z_{A}\) together, and sends to TP. Subsequently, Eve intercepts and measures \(Q_{A}'\) to obtain Alice keys. And he generates a false sequence \(Q_{A}''\), sends to TP. Apparently, because of \(Q_{A}'\) ordered by Alice, Eve can be detected with high probability.

For eavesdropping detection in Step 4, TP measures the particle using \(\sigma _{X}\) basis with \(1/2\), situation 1 with \(1/2\): the \(Z_{A}\) particle, there are no error introduce; situation 2 with \(1/2\): the \(S_{A}\) particle, Eve has a probability of \(1/4\) being detected. Hence, the total detection rate is \(1/2*(1/2*0+1/2*1/4)=1/16\) in Step 4. Specifically, in case \(1\&2\), the detection particle in \(S_{A}\) which prepared by TP. Eve cannot know which basis TP choice to generate particles. Eve chose \(\sigma _{Z}\) with \(1/2\), he can pass the detection with \(1/2\). Eve chose \(\sigma _{X}\) with \(1/2\), TP cannot notice he. In case \(3\&4\), the detection particle in \(Z_{A}\) which prepared by Alice. Because TP will take \(\sigma _{X}\) on the particle \(Z_{A}\), the measurement results are \(|+\rangle \) or \(|-\rangle \), he cannot distinguish the fake particle.

When conducting eavesdropping detection in Step 5, TP measures the particle using \(\sigma _{Z}\) basis with \(1/2\), situation 3 with \(1/2\): particle in \(Z_{A}\), there are no error introduce. Situation 4 with \(1/2\): particle in \(S_{A}\), discard. Eve does not introduce any errors in step 5.

Entangle-measure attack

Eve performs attacks via two unitary operations on qubits: \(U_{E}\) operation to entangle the ancillary particle \(|0\rangle _{E}\) for particles transferred from TP to Alice, and \(U_{F}\) operation to measure the ancillary particle \(|0\rangle _{E}\) for particles transferred from Alice to TP. In the proposed protocol, Eve may perform attack on each qubit in \(Q_{A}\) and \(Q_{B}\) to entangle the qubit with its auxiliary qubits. After Alice and Bob pronounced the order of \(Q_{A}\) and \(Q_{B}\), Eve then measures the auxiliary particles entangled with the particle to obtain information about Alice and Bob’s key bits. The global state of the composite system composed by particles A, B and E is \(A+B+E\).

A. Particles same sorted position which are in \(Z_{A}\) and \(Z_{B}\). The state of \(A+B+E\) becomes \(|z_{1}z_{2}\rangle _{AB}|e_{Z_{1}Z_{2}}\rangle \), where \(z_{1},z_{2}\in \{0,1\}\). For Eve passing the detection in Step 5, \(U_{F}\) should satisfies:

$$ \begin{aligned} U_{F}\bigl( \vert z_{1}z_{2} \rangle _{AB} \vert e_{Z_{1}Z_{2}}\rangle \bigr)= \vert z_{1}z_{2} \rangle _{AB} \vert f_{Z_{1}Z_{2}}\rangle \end{aligned} $$
(3)

which means there is no change on the state of \(A+B\).

B. Alice’s particle in \(Z_{A}\) and Bob’s particle in \(S_{B}\). When \(z_{a}\) is \(|0\rangle \), the state of \(A+B+E\) becomes \(|00\rangle _{AB}|e_{00}\rangle +|01\rangle _{AB}|e_{01}\rangle \), or the state of \(A+B+E\) becomes \(|10\rangle _{AB}|e_{10}\rangle +|11\rangle _{AB}|e_{11}\rangle \) when \(z_{a}\) is \(|1\rangle \).

Let \(z_{a}\) is \(|0\rangle \). After Eve performs \(U_{F}\), state evolves into:

$$ \begin{aligned} &U_{F}\bigl( \vert 00\rangle _{AB} \vert e_{00}\rangle + \vert 01\rangle _{AB} \vert e_{01} \rangle \bigr) \\ &\quad= \vert 00\rangle _{AB} \vert f_{00}\rangle + \vert 01\rangle _{AB} \vert f_{01}\rangle \\ &\quad=|0\rangle _{A}\bigl( \vert 0\rangle _{B} \vert f_{00}\rangle + \vert 1\rangle _{B} \vert f_{01} \rangle \bigr). \end{aligned} $$
(4)

Bring \(|0\rangle =(|+\rangle +|-\rangle )/\sqrt {2}\) and \(|1\rangle =(|+\rangle -|-\rangle )/\sqrt {2}\) into \(B+E\) in equation (6):

$$ \begin{aligned} & \vert 0\rangle _{B} \vert f_{00}\rangle + \vert 1\rangle _{B} \vert f_{01}\rangle \\ &\quad= \vert +\rangle _{B}\frac{ \vert f_{00}\rangle + \vert f_{01}\rangle}{\sqrt {2}}+ \vert - \rangle _{B}\frac{ \vert f_{00}\rangle - \vert f_{01}\rangle}{\sqrt {2}}. \end{aligned} $$
(5)

If Eve wants to induce no error, TP should obtain the \(|-\rangle \) with the probability of 0. Therefore,

$$ \begin{aligned} |f_{00}\rangle =|f_{01} \rangle \end{aligned} $$
(6)

Let \(z_{a}\) is \(|1\rangle \). After Eve performs \(U_{F}\), state evolves into:

$$ \begin{aligned} &U_{F}\bigl( \vert 10\rangle _{AB} \vert e_{10}\rangle + \vert 11\rangle _{AB} \vert e_{11} \rangle \bigr) \\ &\quad= \vert 10\rangle _{AB} \vert f_{10}\rangle + \vert 11\rangle _{AB} \vert f_{11}\rangle \\ &\quad=|1\rangle _{A}\bigl( \vert 0\rangle _{B} \vert f_{10}\rangle + \vert 1\rangle _{B} \vert f_{11} \rangle \bigr). \end{aligned} $$
(7)

Bring \(|0\rangle =(|+\rangle +|-\rangle )/\sqrt {2}\) and \(|1\rangle =(|+\rangle -|-\rangle )/\sqrt {2}\) into \(B+E\) in equation (6):

$$ \begin{aligned} & \vert 0\rangle _{B} \vert f_{10}\rangle + \vert 1\rangle _{B} \vert f_{11}\rangle \\ &\quad = \vert +\rangle _{B}\frac{ \vert f_{10}\rangle + \vert f_{11}\rangle}{\sqrt {2}}+ \vert - \rangle _{B}\frac{ \vert f_{10}\rangle - \vert f_{11}\rangle}{\sqrt {2}}. \end{aligned} $$
(8)

If Eve wants to induce no error, TP should obtain the \(|-\rangle \) with the probability of 0. Therefore,

$$ \begin{aligned} |f_{10}\rangle =|f_{11} \rangle \end{aligned} $$
(9)

C. Alice’s particle in \(S_{A}\) and Bob’s particle in \(Z_{B}\). When \(z_{b}\) is \(|0\rangle \), the state of \(A+B+E\) becomes \(|00\rangle _{AB}|e_{00}\rangle +|10\rangle _{AB}|e_{10}\rangle \), or the state of \(A+B+E\) becomes \(|01\rangle _{AB}|e_{01}\rangle +|11\rangle _{AB}|e_{11}\rangle \) when \(z_{b}\) is \(|1\rangle \).

Assume \(z_{b}\) is \(|0\rangle \). After Eve performs \(U_{F}\), state evolves into:

$$ \begin{aligned} &U_{F}\bigl( \vert 00\rangle _{AB} \vert e_{00}\rangle + \vert 10\rangle _{AB} \vert e_{10} \rangle \bigr) \\ &\quad= \vert 00\rangle _{AB} \vert f_{00}\rangle + \vert 10\rangle _{AB} \vert f_{10}\rangle \\ &\quad=|0\rangle _{B}\bigl( \vert 0\rangle _{A} \vert f_{00}\rangle + \vert 1\rangle _{A} \vert f_{10} \rangle \bigr). \end{aligned} $$
(10)

Bring \(|0\rangle =(|+\rangle +|-\rangle )/\sqrt {2}\) and \(|1\rangle =(|+\rangle -|-\rangle )/\sqrt {2}\) into \(A+E\) in equation (6):

$$ \begin{aligned} & \vert 0\rangle _{A} \vert f_{00}\rangle + \vert 1\rangle _{A} \vert f_{10}\rangle \\ &\quad= \vert +\rangle _{A}\frac{ \vert f_{00}\rangle + \vert f_{10}\rangle}{\sqrt {2}}+ \vert - \rangle _{A}\frac{ \vert f_{00}\rangle - \vert f_{10}\rangle}{\sqrt {2}}. \end{aligned} $$
(11)

If Eve wants to induce no error, TP should obtain the \(|-\rangle \) with the probability of 0. Therefore,

$$ \begin{aligned} |f_{00}\rangle =|f_{10} \rangle \end{aligned} $$
(12)

Assume \(z_{b}\) is \(|1\rangle \). After Eve performs \(U_{F}\), state evolves into:

$$ \begin{aligned} &U_{F}\bigl( \vert 01\rangle _{AB} \vert e_{01}\rangle + \vert 11\rangle _{AB} \vert e_{11} \rangle \bigr) \\ &\quad= \vert 01\rangle _{AB} \vert f_{01}\rangle + \vert 11\rangle _{AB} \vert f_{11}\rangle \\ &\quad=|1\rangle _{B}\bigl( \vert 0\rangle _{A} \vert f_{01}\rangle + \vert 1\rangle _{A} \vert f_{11} \rangle \bigr). \end{aligned} $$
(13)

Bring \(|0\rangle =(|+\rangle +|-\rangle )/\sqrt {2}\) and \(|1\rangle =(|+\rangle -|-\rangle )/\sqrt {2}\) into \(A+E\) in equation (15):

$$ \begin{aligned} & \vert 0\rangle _{A} \vert f_{01}\rangle + \vert 1\rangle _{A} \vert f_{11}\rangle \\ &\quad= \vert +\rangle _{A}\frac{ \vert f_{01}\rangle + \vert f_{11}\rangle}{\sqrt {2}}+ \vert - \rangle _{A}\frac{ \vert f_{01}\rangle - \vert f_{11}\rangle}{\sqrt {2}}. \end{aligned} $$
(14)

If Eve wants to induce no error, TP should obtain the \(|-\rangle \) with the probability of 0. Therefore,

$$ \begin{aligned} |f_{01}\rangle =|f_{11} \rangle \end{aligned} $$
(15)

According equation (8), (11), (14) and (17), it can be inferred that:

$$ \begin{aligned} |f_{00}\rangle =|f_{01} \rangle =|f_{10}\rangle =|f_{11}\rangle =|f \rangle \end{aligned} $$
(16)

D. Particles same sorted position which are in \(S_{A}\) and \(S_{B}\). The state of \(A+B+E\) becomes \(|00\rangle _{AB}|e_{00}\rangle +|01\rangle _{AB}|e_{01}\rangle +|10 \rangle _{AB}|e_{10}\rangle +|11\rangle _{AB}|e_{11}\rangle \). After Eve performs \(U_{F}\), state evolves into:

$$ \begin{aligned} &U_{F}\bigl( \vert 00\rangle _{AB} \vert e_{00}\rangle + \vert 01\rangle _{AB} \vert e_{01} \rangle + \vert 10\rangle _{AB} \vert e_{10}\rangle + \vert 11\rangle _{AB} \vert e_{11} \rangle \bigr) \\ &\quad = \vert 00\rangle _{AB} \vert f_{00}\rangle + \vert 01\rangle _{AB} \vert f_{01}\rangle + \vert 10 \rangle _{AB} \vert f_{10}\rangle + \vert 11\rangle _{AB} \vert f_{11}\rangle . \end{aligned} $$
(17)

For no errors are introduced under Eve’s attack, the measurement result of the state of \(A+B\) should be \(|++\rangle \). According equation (18), (19) can be rewritten as follows:

$$ \begin{aligned} &U_{F}\bigl( \vert 00\rangle _{AB} \vert e_{00}\rangle + \vert 01\rangle _{AB} \vert e_{01} \rangle + \vert 10\rangle _{AB} \vert e_{10}\rangle + \vert 11\rangle _{AB} \vert e_{11} \rangle \bigr) \\ &\quad = \vert {+}{+}\rangle _{BC} \vert f\rangle . \end{aligned} $$
(18)

And according equation (18), (5), (6), (9), (12) and (15) can be rewritten as follows:

$$\begin{aligned}& \begin{aligned}U_{F}\bigl( \vert z_{1}z_{2}\rangle _{AB} \vert e_{Z_{1}Z_{2}}\rangle \bigr)&= \vert z_{1}z_{2} \rangle _{AB} \vert f_{Z_{1}Z_{2}}\rangle \\ &= \vert z_{1}z_{2}\rangle _{AB} \vert f \rangle , \end{aligned} \end{aligned}$$
(19)
$$\begin{aligned}& \begin{aligned}U_{F}\bigl( \vert 00\rangle _{AB} \vert e_{00}\rangle + \vert 01\rangle _{AB} \vert e_{01} \rangle \bigr) &= \vert 00\rangle _{AB} \vert f_{00}\rangle + \vert 01\rangle _{AB} \vert f_{01} \rangle \\ &= \vert 0+\rangle _{AB} \vert f\rangle , \end{aligned} \end{aligned}$$
(20)
$$\begin{aligned}& \begin{aligned}U_{F}\bigl( \vert 10\rangle _{AB} \vert e_{10}\rangle + \vert 11\rangle _{AB} \vert e_{11} \rangle \bigr) &= \vert 10\rangle _{AB} \vert f_{10}\rangle + \vert 11\rangle _{AB} \vert f_{11} \rangle \\ &= \vert 1+\rangle _{AB} \vert f\rangle , \end{aligned} \end{aligned}$$
(21)
$$\begin{aligned}& \begin{aligned}U_{F}\bigl( \vert 00\rangle _{AB} \vert e_{00}\rangle + \vert 10\rangle _{AB} \vert e_{10} \rangle \bigr) &= \vert 00\rangle _{AB} \vert f_{00}\rangle + \vert 10\rangle _{AB} \vert f_{10} \rangle \\ &= \vert {+}0\rangle _{AB} \vert f\rangle , \end{aligned} \end{aligned}$$
(22)
$$\begin{aligned}& \begin{aligned}U_{F}\bigl( \vert 01\rangle _{AB} \vert e_{01}\rangle + \vert 11\rangle _{AB} \vert e_{11} \rangle \bigr)& = \vert 01\rangle _{AB} \vert f_{01}\rangle + \vert 11\rangle _{AB} \vert f_{11} \rangle \\ &= \vert {+}1\rangle _{AB} \vert f\rangle . \end{aligned} \end{aligned}$$
(23)

Obviously, Eve induces no error, his probes are independent of two participants measurement results.

TP attack

A semi-honest TP is defined as someone who needs to follow the protocol steps but is not allowed to collude with others, and can only attempt to deduce the participant’s secret by collecting public information. Although TP can acquire the order of \(Q_{A}\) (\(Q_{B}\)), he does not know the pre-shared keys K between Alice and Bob. As a consequence, he cannot obtain the private bit strings.

Participant attack

Suppose Alice is a dishonest participant who wants obtain the keys between TP and Bob, and infers to Bob’s private bit string. When Alice attacks, she will use any possible attack methods, including the intercept-resend, measure-resend and entangle-measure attacks used by outside attacker Eve. In addition, she will also adopt more serious attack methods.

3.2 Security analysis of RCSQS

Security analysis of RCSQS protocol is similar to SCSQS protocol. Here, we focus on analyzing dishonest participants’(dishonest Alice and dishonest Bob) attacks.

Intercept-resend attack

Suppose Alice is a dishonest participant who wants to obtain \(\mathrm{SIFT} _{B}\), and intercepts the \(S_{3}\). Then, she prepares 3N fake photons \((S'_{3})\) and sends \(S'_{3}\) to TP. When Bob posted his rearranged order, Alice could measure the corresponding photons using \(\sigma _{Z}\) basis to obtains the Bob’s bit string. However, Alice will be detected. To begin with, Alice’s attack on CTRL photons can be easily detected because she does not know which state TP is prepared for. Besides, Alice’s attack on \(\mathrm{SIFT}_{B}\) photons can be easily detected because she does not distinguish the state and position of Bob’s prepared particles.

For eavesdropping detection in Step 5, TP measures the particle using \(\sigma _{X}\) or \(\sigma _{Z}\). Alice randomly prepared particle is \(|1\rangle \) or \(|0\rangle \), after measured by TP, the state will be \(|+\rangle \), \(|-\rangle \), \(|0\rangle \) or \(|1\rangle \). Hence, the detection rate is \(1/4\) in Step 5. When conducting eavesdropping detection in Step 6, TP will verify the state of the TEST bit with Bob, and there is a half chance that \(|1\rangle \) or \(|0\rangle \) randomly prepared by Alice will be the same as the state prepared by Bob. Hence, the detection rate is \(1/2\) in Step 6.

The security analysis of dishonest participant Bob using intercept-resend attack is similar to the analysis of Alice.

Measure-resend attack

Suppose Bob is a dishonest participant who desires to acquire \(\mathrm{SIFT} _{A}\). When Bob received \(S_{2}\), he measures all particles in \(S_{2}\) using \(\sigma _{Z}\) basis and prepares new particles with same measurement results. Then, he prepares 3N fake photons \(S'_{3}\) and transmits to TP. When Alice posted her rearranged order, Bob could measure the corresponding photons using \(\sigma _{Z}\) basis to obtains the Alice’s bit string. Nevertheless, Bob will be detected. Bob’s attack on CTRL photons can be easily detected because she does not know which state TP is prepared for.

When conducting eavesdropping detection in Step 5, TP measures the particle using \(\sigma _{X}\) or \(\sigma _{Z}\). Bob randomly prepared particle is \(|1\rangle \) or \(|0\rangle \), after measured by TP, the state will be \(|+\rangle \), \(|-\rangle \), \(|0\rangle \) or \(|1\rangle \). Hence, the detection rate is \(1/4\) in Step 5.

The security analysis of dishonest participant Alice using measure-resend attack is similar to the analysis of Bob.

Entangle-measure attack

Considering that the sequence sent \(S_{T}\) by TP to Alice does not contain any valid information, Eve will perform two unitary operations on the qubits: \(U_{S}\) operation to entangle the ancillary particle for particles transferred from Alice to Bob, and \(U_{T}\) operation to measure the ancillary particle for particles transferred from Bob to TP.

A. Suppose Eve performs attack \((U_{S},U_{T})\). Defined \(|0\rangle _{T}\), \(|1\rangle _{T}\), \(|+\rangle _{T}\) and \(|-\rangle _{T}\) represent the CTRL qubit, and \(\mathrm{SIFT} _{A}\) qubits are represented as \(|0\rangle _{A}\) and \(|1\rangle _{A}\), and \(\mathrm{SIFT} _{B}\) qubits are represented as \(|0\rangle _{B}\) and \(|1\rangle _{B}\). When Eve performed \(U_{S}\), the composite system particles T and A become:

$$\begin{aligned}& \begin{aligned} U_{S}\bigl( \vert 0\rangle _{T} \vert g\rangle \bigr)= \vert 0\rangle _{T} \vert g_{00}\rangle + \vert 1 \rangle _{T} \vert g_{01}\rangle , \end{aligned} \end{aligned}$$
(24)
$$\begin{aligned}& \begin{aligned} U_{S}\bigl( \vert 1\rangle _{T} \vert g\rangle \bigr)= \vert 0\rangle _{T} \vert g_{10}\rangle + \vert 1 \rangle _{T} \vert g_{11}\rangle , \end{aligned} \end{aligned}$$
(25)
$$\begin{aligned}& \begin{aligned} U_{S}\bigl( \vert +\rangle _{T} \vert g\rangle \bigr)= \vert 0\rangle _{T} \vert g_{+0}\rangle + \vert 1 \rangle _{T} \vert g_{+1}\rangle , \end{aligned} \end{aligned}$$
(26)
$$\begin{aligned}& \begin{aligned} U_{S}\bigl( \vert -\rangle _{T} \vert g\rangle \bigr)= \vert 0\rangle _{T} \vert g_{-0}\rangle + \vert 1 \rangle _{T} \vert g_{-1}\rangle , \end{aligned} \end{aligned}$$
(27)
$$\begin{aligned}& \begin{aligned} U_{S}\bigl( \vert 0\rangle _{A} \vert g\rangle \bigr)= \vert 0\rangle _{A} \vert g_{00}\rangle + \vert 1 \rangle _{A} \vert g_{01}\rangle , \end{aligned} \end{aligned}$$
(28)
$$\begin{aligned}& \begin{aligned} U_{S}\bigl( \vert 1\rangle _{A} \vert g\rangle \bigr)= \vert 0\rangle _{A} \vert g_{10}\rangle + \vert 1 \rangle _{A} \vert g_{11}\rangle . \end{aligned} \end{aligned}$$
(29)

B. After Eve performed \(U_{T}\), the composite system particles T, A and B become:

$$\begin{aligned}& \begin{aligned} U_{T}U_{S}\bigl( \vert 0 \rangle _{T} \vert g\rangle \bigr)=U_{T}\bigl( \vert 0\rangle _{T} \vert t_{00} \rangle + \vert 1\rangle _{T} \vert t_{01}\rangle \bigr), \end{aligned} \end{aligned}$$
(30)
$$\begin{aligned}& \begin{aligned} U_{T}U_{S}\bigl( \vert 1 \rangle _{T} \vert g\rangle \bigr)=U_{T}\bigl( \vert 0\rangle _{T} \vert t_{10} \rangle + \vert 1\rangle _{T} \vert t_{11}\rangle \bigr), \end{aligned} \end{aligned}$$
(31)
$$\begin{aligned}& \begin{aligned} U_{T}U_{S}\bigl( \vert + \rangle _{T} \vert g\rangle \bigr)=U_{T}\bigl( \vert 0\rangle _{T} \vert t_{+0} \rangle + \vert 1\rangle _{T} \vert t_{+1}\rangle \bigr), \end{aligned} \end{aligned}$$
(32)
$$\begin{aligned}& \begin{aligned} U_{T}U_{S}\bigl( \vert - \rangle _{T} \vert g\rangle \bigr)=U_{T}\bigl( \vert 0\rangle _{T} \vert t_{-0} \rangle + \vert 1\rangle _{T} \vert t_{-1}\rangle \bigr), \end{aligned} \end{aligned}$$
(33)
$$\begin{aligned}& \begin{aligned} U_{T}U_{S}\bigl( \vert 0 \rangle _{A} \vert g\rangle \bigr)=U_{T}\bigl( \vert 0\rangle _{A} \vert t_{00} \rangle + \vert 1\rangle _{A} \vert t_{01}\rangle \bigr), \end{aligned} \end{aligned}$$
(34)
$$\begin{aligned}& \begin{aligned} U_{T}U_{S}\bigl( \vert 1 \rangle _{A} \vert g\rangle \bigr)=U_{T}\bigl( \vert 0\rangle _{A} \vert t_{10} \rangle + \vert 1\rangle _{A} \vert t_{11}\rangle \bigr), \end{aligned} \end{aligned}$$
(35)
$$\begin{aligned}& \begin{aligned} U_{T}\bigl( \vert 0\rangle _{B} \vert t\rangle \bigr)= \vert 0\rangle _{B} \vert t_{00}\rangle + \vert 1 \rangle _{B} \vert t_{01}\rangle , \end{aligned} \end{aligned}$$
(36)
$$\begin{aligned}& \begin{aligned} U_{T}\bigl( \vert 1\rangle _{B} \vert t\rangle \bigr)= \vert 0\rangle _{B} \vert t_{10}\rangle + \vert 1 \rangle _{B} \vert t_{11}\rangle . \end{aligned} \end{aligned}$$
(37)

C. Eve can not be detected through eavesdropping, the following conditions will be met:

$$\begin{aligned}& \begin{aligned}U_{T}U_{S}\bigl( \vert 0 \rangle _{T} \vert g\rangle \bigr)&=U_{T}\bigl( \vert 0\rangle _{T} \vert t_{00} \rangle + \vert 1\rangle _{T} \vert t_{01}\rangle \bigr) \\ & = \vert 0\rangle _{T} \vert T_{0}\rangle , \end{aligned} \end{aligned}$$
(38)
$$\begin{aligned}& \begin{aligned}U_{T}U_{S}\bigl( \vert 1 \rangle _{T} \vert g\rangle \bigr)&=U_{T}\bigl( \vert 0\rangle _{T} \vert t_{10} \rangle + \vert 1\rangle _{T} \vert t_{11}\rangle \bigr) \\ & = \vert 1\rangle _{T} \vert T_{1}\rangle , \end{aligned} \end{aligned}$$
(39)
$$\begin{aligned}& \begin{aligned}U_{T}U_{S}\bigl( \vert + \rangle _{T} \vert g\rangle \bigr)&=U_{T}\bigl( \vert 0\rangle _{T} \vert t_{+0} \rangle + \vert 1\rangle _{T} \vert t_{+1}\rangle \bigr) \\ & =\frac{1}{\sqrt {2}}U_{T}\bigl( \vert 0\rangle _{T} \vert t_{00}\rangle + \vert 1\rangle _{T} \vert t_{01} \rangle \bigr)+\frac{1}{\sqrt {2}}U_{T} \bigl( \vert 0\rangle _{T} \vert t_{10}\rangle + \vert 1 \rangle _{T} \vert t_{11}\rangle \bigr) \\ & =\frac{1}{2}\bigl[ \bigl\vert +\rangle _{T}\bigl( \vert T_{0}\rangle + \vert T_{1}\rangle \bigr)+ \bigr\vert - \rangle _{T}\bigl( \vert T_{0}\rangle - \vert T_{1}\rangle \bigr)\bigr] \\ & =\frac{1}{2}|+\rangle _{T}\bigl( \vert T_{0}\rangle + \vert T_{1}\rangle \bigr), \end{aligned} \end{aligned}$$
(40)
$$\begin{aligned}& \begin{aligned}U_{T}U_{S}\bigl( \vert - \rangle _{T} \vert g\rangle \bigr)&=U_{T}\bigl( \vert 0\rangle _{T} \vert t_{-0} \rangle + \vert 1\rangle _{T} \vert t_{-1}\rangle \bigr) \\ & =\frac{1}{\sqrt {2}}U_{T}\bigl( \vert 0\rangle _{T} \vert t_{00}\rangle + \vert 1\rangle _{T} \vert t_{01} \rangle \bigr)-\frac{1}{\sqrt {2}}U_{T} \bigl( \vert 0\rangle _{T} \vert t_{10}\rangle + \vert 1 \rangle _{T} \vert t_{11}\rangle \bigr) \\ & =\frac{1}{2}\bigl[ \bigl\vert +\rangle _{T}\bigl( \vert T_{0}\rangle - \vert T_{1}\rangle \bigr)+ \bigr\vert - \rangle _{T}\bigl( \vert T_{0}\rangle + \vert T_{1}\rangle \bigr)\bigr] \\ & =\frac{1}{2}|-\rangle _{T}\bigl( \vert T_{0}\rangle + \vert T_{1}\rangle \bigr), \end{aligned} \end{aligned}$$
(41)

which can be obtained that \(|T_{0}\rangle =|T_{1}\rangle =|T\rangle \). So,

$$\begin{aligned}& \begin{aligned} U_{T}U_{S}\bigl( \vert 0 \rangle _{T} \vert g\rangle \bigr)= \vert 0\rangle _{T} \vert T\rangle , \end{aligned} \end{aligned}$$
(42)
$$\begin{aligned}& \begin{aligned} U_{T}U_{S}\bigl( \vert 1 \rangle _{T} \vert g\rangle \bigr)= \vert 1\rangle _{T} \vert T\rangle , \end{aligned} \end{aligned}$$
(43)
$$\begin{aligned}& \begin{aligned} U_{T}U_{S}\bigl( \vert + \rangle _{T} \vert g\rangle \bigr)= \vert +\rangle _{T} \vert T\rangle , \end{aligned} \end{aligned}$$
(44)
$$\begin{aligned}& \begin{aligned} U_{T}U_{S}\bigl( \vert - \rangle _{T} \vert g\rangle \bigr)= \vert -\rangle _{T} \vert T\rangle , \end{aligned} \end{aligned}$$
(45)
$$\begin{aligned}& \begin{aligned}U_{T}U_{S}\bigl( \vert 0 \rangle _{A} \vert g\rangle \bigr)&=U_{T}\bigl( \vert 0\rangle _{B} \vert t_{00} \rangle + \vert 1\rangle _{B} \vert t_{01}\rangle \bigr) \\ &= \vert 0\rangle _{B} \vert T\rangle , \end{aligned} \end{aligned}$$
(46)
$$\begin{aligned}& \begin{aligned}U_{T}U_{S}\bigl( \vert 1 \rangle _{A} \vert g\rangle \bigr)&=U_{T}\bigl( \vert 0\rangle _{B} \vert t_{10} \rangle + \vert 1\rangle _{B} \vert t_{11}\rangle \bigr) \\ &= \vert 1\rangle _{B} \vert T\rangle , \end{aligned} \end{aligned}$$
(47)
$$\begin{aligned}& \begin{aligned}U_{T}\bigl( \vert 0\rangle _{B} \vert t\rangle \bigr)&= \vert 0\rangle _{B} \vert t_{00}\rangle + \vert 1 \rangle _{B} \vert t_{01}\rangle \\ &= \vert 0\rangle _{B} \vert T\rangle , \end{aligned} \end{aligned}$$
(48)
$$\begin{aligned}& \begin{aligned}U_{T}\bigl( \vert 1\rangle _{B} \vert t\rangle \bigr)& = \vert 0\rangle _{B} \vert t_{10}\rangle + \vert 1 \rangle _{B} \vert t_{11}\rangle \\ &= \vert 1\rangle _{B} \vert T\rangle . \end{aligned} \end{aligned}$$
(49)

The above equations show that Eve’s ancillary particle is independent of CTRL, \(\mathrm{SIFT} _{A}\) and \(\mathrm{SIFT} _{B}\) photons, so if Eve does not want to be detected for his eavesdropping behavior, he will also be unable to obtain information.

4 Simulation of the presented protocols

To demonstrate the correctness of the outputs of the three protocols, we conducted simulation experiments using IBM’s Qiskit without considering the eavesdropping inspection process [32].

4.1 Simulation of the SCSQS protocol

Assuming that the particles sent by TP to Alice are \(|+\rangle \), \(|+\rangle \), \(|+\rangle \) and \(|+\rangle \), represented by quantum registers \(q_{0}\), \(q_{1}\), \(q_{2}\) and \(q_{3}\), respectively. The particle states prepared by Alice themselves are \(|0\rangle \), \(|1\rangle \), \(|0\rangle \) and \(|1\rangle \), represented by registers \(q_{4}\), \(q_{5}\), \(q_{6}\) and \(q_{7}\), respectively.

According to the protocol steps, TP randomly performs \(\sigma _{X}\) and \(\sigma _{Z}\) measurements on the received particles. In the simulation phase, it is assumed that TP performs \(\sigma _{X}\) measurements on registers \(q_{0}\), \(q_{1}\), \(q_{4}\) and \(q_{5}\), and \(\sigma _{Z}\) measurements on \(q_{2}\), \(q_{3}\), \(q_{6}\) and \(q_{7}\). The relevant circuit diagram is shown in Fig. 1, and the corresponding measurement results are shown in Fig. 2.

Figure 1
figure 1

Circuit diagram for SCSQS

Figure 2
figure 2

Measurement results of SCSQS

4.2 Simulation of the RCSQS protocol

Assuming that the particles sent by TP to Alice are \(|+\rangle \), \(|-\rangle \), \(|0\rangle \) and \(|1\rangle \), represented by quantum registers \(q_{0}\), \(q_{1}\), \(q_{2}\) and \(q_{3}\), respectively. The particle states prepared by Alice themselves are \(|1\rangle \), \(|0\rangle \), \(|1\rangle \) and \(|0\rangle \), represented by registers \(q_{4}\), \(q_{5}\), \(q_{6}\) and \(q_{7}\), respectively. The particle states prepared by Bob themselves are \(|0\rangle \), \(|1\rangle \), \(|0\rangle \) and \(|0\rangle \), represented by registers \(q_{8}\), \(q_{9}\), \(q_{10}\) and \(q_{11}\), respectively.

According to the protocol steps, TP performs \(\sigma _{X}\) and \(\sigma _{Z}\) measurements on the CTRL particles. In the simulation phase, it is show that TP performs \(\sigma _{X}\) measurements on registers \(q_{0}\), \(q_{1}\), and \(\sigma _{Z}\) measurements on \(q_{2}\), \(q_{3}\). The relevant circuit diagram is shown in Fig. 3, and the corresponding measurement results are shown in Fig. 4.

Figure 3
figure 3

Circuit diagram for RCSQS

Figure 4
figure 4

Measurement results of RCSQS

5 Protocol 3: multi-party SCSQS

In this section, based on SCSQS protocol, the MPSQS protocol will be proposed.

There are \(n(n\geq 2)\) participants \((P_{1}, P_{2},\ldots, P_{n})\) and a semi-honest TP. The participants \(P_{j}(2\le j \le n)\) are classical participants who have a private N-bit string, eager to summation their private information. TP has full quantum capabilities, who aims to obtain the modulo 2 of the participants’ bit strings. The participants select an SQKD protocol to pre-shared the length of N keys \(K=(K^{1},K^{2},\ldots,K^{N})\). The length of participants’ private bit strings (\(M_{1}\), \(M_{2}\),…, \(M_{n}\)) is N, which are denoted as \(M_{1}=(m_{1}^{1},m_{1}^{2},\ldots,m_{1}^{N})\), \(M_{2}=(m_{2}^{1},m_{2}^{2},\ldots,m_{2}^{N}), \ldots, M_{n}=(m_{n}^{1},m_{n}^{2},\ldots,m_{n}^{N})\), where \(m_{j}^{i}\in \{0,1\}\), \(i=1,2,\ldots,N\). On the premise of not disclosing their respective private bit strings, they hope to use TP to help compute the summation:

$$ \begin{aligned}M&=M_{1} \oplus M_{2} \oplus \cdots \oplus M_{n} \\ &=\bigl(m_{1}^{1}\oplus m_{2}^{1} \oplus \cdots\oplus m_{n}^{1}, m_{1}^{2} \oplus m_{2}^{2} \oplus \cdots\oplus m_{n}^{2}, m_{1}^{N}\oplus m_{2}^{N} \oplus \cdots\oplus m_{n}^{N}\bigr) \end{aligned} $$
(50)

where, is the modulo 2 addition.

Step 1: TP generates \(N=8n\) n-qubit product states, each of which is

$$ \begin{aligned} \vert +\rangle \vert +\rangle ... \vert + \rangle = \frac{( \vert 0\rangle + \vert 1\rangle )_{1}}{\sqrt {2}}\otimes \frac{( \vert 0\rangle + \vert 1\rangle )_{2}}{\sqrt {2}}\otimes \cdots\otimes \frac{( \vert 0\rangle + \vert 1\rangle )_{n}}{\sqrt {2}} \end{aligned} $$
(51)

where \(1,2,\ldots,n\) denote the system of n participants. There are n sequences \(Q_{1}=\{q_{1}^{1},q_{1}^{2},\ldots,q_{1}^{N}\}\), \(Q_{2}=\{q_{2}^{1},q_{2}^{2},\ldots,q_{2}^{N}\}\), …, \(Q_{n}=\{q_{n}^{1},q_{n}^{2},\ldots,q_{n}^{N}\}\), where \(q_{j}^{i}\) represents the i-th \((i=1,2,\ldots,N)\) particle for j-th participant. Then, TP transmits \(Q_{j}\) to each participant.

Step 2: Upon receiving particles from TP, \(P_{j}\) prepares a sequence \(Z_{j}=\{z_{a}^{1},z_{a}^{2},\ldots,z_{a}^{m}\}\), where \(z_{j}^{i}\) is chosen from \(\{|0\rangle ,|1\rangle \}\) at random, \(i=1,2,\ldots,m\). Subsequently, \(P_{j}\) combines \(Z_{j}\) and \(Q_{j}\) to compose a new sequence \(S_{j}\), and reorders the positions of particles in the \(S_{j}\). \(P_{j}\) transmits \(S_{j}\) to TP, where the length of \(N_{j}\) is \(8n+m\).

Step 3: When TP is receiving \(S_{j}\) from \(P_{j}\), he randomly chooses either \(\sigma _{Z}\) basis (\(\{|0\rangle ,|1\rangle \}\)) or \(\sigma _{X}\) basis (\(\{|+\rangle ,|-\rangle \}\)) to measure each particle. Then, TP announces which basis he chose to measure for each particle.

Step 4: \(P_{j}\) publishs the positions of \(Q_{j}\) and \(Z_{j}\) in \(S_{j}\). According to \(P_{j}\)’s different operations, the following various cases will occur:

The cases which TP performed \(\sigma _{X}\) measurement on the particle are used for checking eavesdropping. An example is illustrated, if there are no eavesdroppers in quantum channel, TP obtains \(|+\rangle _{1}\otimes |+\rangle _{2}\otimes \cdots\otimes |+\rangle _{n}\). Once other quantum states appear, it indicates the presence of eavesdroppers during the communication process.

The case which TP performs \(\sigma _{Z}\) measurement on the particle which is belongs \(Q_{1}\), \(Q_{2}\), …, \(Q_{n}\) will be discarded.

The cases which TP performed \(\sigma _{Z}\) measurement at least one of Alice and Bob has prepared the fresh particles are used for computing the private summation. TP obtains a bit string \(r_{1}^{1},r_{1}^{2},\ldots,r_{1}^{3n}\), \(r_{2}^{1},r_{2}^{2},\ldots,r_{2}^{3n}\), …, \(r_{n}^{1},r_{n}^{2},\ldots,r_{n}^{3n}\) which measured in \(\sigma _{Z}\) basis corresponding the positions \(r_{1}^{1}r_{1}^{2}...r_{1}^{3n}\), \(r_{2}^{1}r_{2}^{2}...r_{2}^{3n}\) and \(r_{n}^{1}r_{n}^{2}...r_{n}^{3n}\). The measurement result of \(P_{1}\), \(P_{2}\) and \(P_{n}\)’s are denoted as \(r_{1}^{i}\), \(r_{2}^{i}\) and \(r_{n}^{i}\).

Step 5: TP chooses a part of bits in \(r_{1}^{1}r_{1}^{2}...r_{1}^{3n}\), \(r_{2}^{1}r_{2}^{2}...r_{2}^{3n}\) and \(r_{n}^{1}r_{n}^{2}...r_{n}^{3n}\) to be TEST bits, and declares the positions and value which he selected. Two participants announce the value of the TEST bits at the corresponding position. They calculate the error rate on TEST bits. Once the error rate is higher than the predefined threshold value, the protocol will be terminated.

Step 6: The participants and TP compute the summation of bit strings. \(P_{1}\) holds \(R_{1}=\{r_{1}^{1},r_{1}^{2},\ldots,r_{1}^{n}\}\), \(P_{2}\) holds \(R_{2}=\{r_{2}^{1},r_{2}^{2},\ldots,r_{n}^{n}\}\), …, \(P_{n}\) holds \(R_{n}=\{r_{n}^{1},r_{n}^{2},\ldots,r_{n}^{n}\}\). \(P_{1}\) computes \(C_{1}^{i}=r_{1}^{i}\oplus m_{1}^{i} \oplus K^{i}\), \(P_{2}\) computes \(C_{2}^{i}=r_{2}^{i}\oplus m_{2}^{i} \oplus K^{i}\), …, \(P_{n}\) computes \(C_{n}^{i}=r_{n}^{i}\oplus m_{n}^{i} \oplus K^{i}\) where is the modulo 2 addition. Then, TP computes \(C_{1}^{i}\oplus C_{2}^{i} \oplus \cdots \oplus C_{n}^{i} \oplus r_{1}^{i} \oplus r_{2}^{i} \oplus \cdots \oplus r_{n}^{i} = m_{1}^{i} \oplus m_{2}^{i} \oplus \cdots\oplus m_{n}^{i} \), the result is Alice and Bob i-th private summation.

6 Discussion and conclusion

We compare the proposed protocols with similar protocols in detail are shown in Table 2. Zhang et al. [28], Hu et al. [29] and our protocols based on single qubits which are easier to generate the qubits. Zhang et al. [28] and Ye et al. [30] implement communication between three participants, but Hu et al. [29] and our protocols communication with only two participants. Importantly, previous SQS protocols necessitated classical user measurements, while the proposed protocols eliminate this requirement, with TP only requiring single-particle measurements.

Table 2 Comparison of the protocols

In conclusion, this paper introduces three secure semi-quantum summation protocols, all of which operate without classical measurement and are capable of computing the modulo 2 addition of participants’ private bits. When designing these protocols, the following key aspects were considered: (1) Minimizing the classical participants’ capabilities to only preparing qubits using Z-basis, while employing methods that don’t require measurement capabilities. (2) Designing protocols based on different transmission modes, namely star and ring protocols. (3) Extending protocols applicable to two or three parties to support N-party scenarios. With these design principles in mind, SCSQS is a star protocol that eliminates the need for measurement, RCSQS is a ring protocol also devoid of measurement requirements, and MPSQS extends from SCSQS to N-party scenarios. These proposed protocols have been demonstrated to effectively prevent typical attack behaviors such as intercept-resend attacks, measure-resend attacks, entangle-measure attacks, TP attacks, and participant attacks. Moreover, it’s worth noting that the designed protocols come with certain limitations, such as the requirement for participants to pre-share keys. These limitations provide areas for future research and improvement in semi-quantum communication protocols.

Data Availability

No datasets were generated or analysed during the current study.

Abbreviations

QKD:

Quantum Key Distribution

SMC:

Secure Multi-party Computation

QSMC:

Quantum Secure Multi-party Computation

QSMS:

Quantum secure Multi-party Summation

SQS:

Semi-Quantum Summation

TP:

Third-Party

SCSQS:

Star and Concise Semi-Quantum Summation

RCSQS:

Ring and Concise Semi-Quantum Summation

MPSQS:

Multi-Party Semi-Quantum Summation

References

  1. Cabello A. Quantum key distribution in the Holevo limit. Phys Rev Lett. 2000;85(26):5635.

    Article  ADS  Google Scholar 

  2. Grasselli F. Quantum cryptography. Quantum science and technology. Cham: Springer; 2021.

    Book  Google Scholar 

  3. Aumasson JP. The impact of quantum computing on cryptography. Comput. Fraud Secur.. 2017;6:8–11.

    Article  Google Scholar 

  4. Diffie W, Hellman M. New directions in cryptography. IEEE Trans Inf Theory. 1976;22(6):644–54.

    Article  MathSciNet  Google Scholar 

  5. Bennett CH, Brassard G. Quantum cryptography: public key distribution and coin tossing. In: Proceedings of the IEEE international conference on computers, systems and signal processing. Bangalore. 1984. p. 175–9.

    Google Scholar 

  6. Yin J, Li YH, Liao SK, Yang M, Cao Y, Zhang L, Ren JG, Cai WQ, Liu WY, Li SL, Shu R, Huang YM, Deng L, Li L, Zhang Q, Liu NL, Chen YA, Lu CY, Wang XB, Xu FH, Wang JY, Peng CZ, Ekert A, Pan JW. Entanglement-based secure quantum cryptography over 1,120 kilometres. Nature. 2020;582(7813):501–5.

    Article  ADS  Google Scholar 

  7. Renner R, Wolf R. Quantum advantage in cryptography. AIAA J. 2023;61(5):1895–910.

    Article  ADS  Google Scholar 

  8. Sonko S, Ibekwe KI, Ilojianya VI, Etukudoh EA, Fabuyide A. Quantum cryptography and US digital security: a comprehensive review: investigating the potential of quantum technologies in creating unbreakable encryption and their future in national security. Comput. Sci. IT Res. J.. 2024;5(2):390–414.

    Article  Google Scholar 

  9. Sutradhar K. Secure multiparty quantum aggregating protocol. Quantum Inf Comput. 2023;23(3&4):245–56.

    MathSciNet  Google Scholar 

  10. Sun Z, Song L, Huang Q, Yin L, Long G, Lu J, Hanzo L. Toward practical quantum secure direct communication: a quantum-memory-free protocol and code design. IEEE Trans Commun. 2020;68(9):5778–92.

    Article  Google Scholar 

  11. Grassl M. Entanglement-assisted quantum communication beating the quantum Singleton bound. Phys Rev A. 2021;103(2):L020601.

    Article  ADS  MathSciNet  Google Scholar 

  12. Yang Z, Zolanvari M, Jain R. A survey of important issues in quantum computing and communications. IEEE Commun Surv Tutor 2023.

  13. Goldreich O. Secure multi-party computation. Manuscript Preliminary version. 1998;78(110):1–108.

    Google Scholar 

  14. Knott B, Venkataraman S, Hannun A, Sengupta S, Ibrahim M, vander Maaten L. Crypten secure multi-party computation meets machine learning. Adv Neural Inf Process Syst. 2021;34:4961–73.

    Google Scholar 

  15. Shor PW. Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings of the 35th annual symposium on foundations of computer science. Piscataway: IEEE; 1994. p. 124–34.

    Chapter  Google Scholar 

  16. Grasselli F. Quantum cryptography. Quantum science and technology. Cham: Springer; 2021.

    Book  Google Scholar 

  17. Lo HK. Insecurity of quantum secure computations. Phys Rev A. 1997;56(2):1154.

    Article  ADS  Google Scholar 

  18. Bartusek J. Secure quantum computation with classical communication. In: Proceedings of the theory of cryptography conference. Cham: Springer; 2021. p. 1–30.

    Google Scholar 

  19. Shi RH, Zhang S. Quantum solution to a class of two-party private summation problems. Quantum Inf Process. 2017;16:1–9.

    Article  ADS  MathSciNet  Google Scholar 

  20. Yang HY, Ye TY. Secure multi-party quantum summation based on quantum Fourier transform. Quantum Inf Process. 2018;17(6):129.

    Article  ADS  MathSciNet  Google Scholar 

  21. Ji Z, Zhang H, Wang H, Wu F, Jia J, Wu W. Quantum protocols for secure multi-party summation. Quantum Inf Process. 2019;18:1–19.

    Article  ADS  MathSciNet  Google Scholar 

  22. Sutradhar K, Om H. A generalized quantum protocol for secure multiparty summation. IEEE Trans Circuits Syst II, Express Briefs. 2020;67(12):2978–82.

    Google Scholar 

  23. Lu Y, Ding G. Quantum secure multi-party summation with graph state. Entropy. 2024;26(1):80.

    Article  ADS  Google Scholar 

  24. Boyer M, Kenigsberg D, Mor T. Quantum key distribution with classical Bob. Phys Rev Lett. 2007;99(14):140501.

    Article  ADS  MathSciNet  Google Scholar 

  25. Zou X, Qiu D, Li L, Wu L, Li L. Semi-quantum key distribution using less than four quantum states. Phys Rev A. 2009;79(5):1744.

    Article  Google Scholar 

  26. Iqbal H, Krawec WO. Semi-quantum cryptography. Quantum Inf Process. 2020;19(3):1–52.

    Article  MathSciNet  Google Scholar 

  27. Tian Y, Li J, Chen XB, Ye CQ, Li HJ. An efficient semi-quantum secret sharing protocol of specific bits. Quantum Inf Process. 2021;20(6):1–11.

    Article  MathSciNet  Google Scholar 

  28. Zhang C, Huang Q, Long Y, Sun Z. Secure three-party semi-quantum summation using single photons. Int J Theor Phys. 2021;60(9):3478–87.

    Article  Google Scholar 

  29. Hu JL, Ye TY. Three-party secure semiquantum summation without entanglement among quantum user and classical users. Int J Theor Phys. 2022;61(6):170.

    Article  MathSciNet  Google Scholar 

  30. Ye TY, Xu TJ, Geng MJ, Chen Y. Two-party secure semiquantum summation against the collective-dephasing noise. Quantum Inf Process. 2022;21(3):118.

    Article  ADS  MathSciNet  Google Scholar 

  31. Lian JY, Ye TY. Hybrid protocols for multi-party semiquantum private comparison, multiplication and summation without a pre-shared key based on d-dimensional single-particle states. EPJ Quantum Technol. 2024;11(1):17.

    Article  Google Scholar 

  32. Ye CQ, Li J, Chen XB, Hou Y. A feasible semi-quantum private comparison based on entanglement swapping of Bell states. Phys A, Stat Mech Appl. 2023;625:129023.

    Article  MathSciNet  Google Scholar 

Download references

Funding

Project supported by the Natural Science Basic Research Program of Shaanxi (Program No. 2024JC-YBQN-0688) and the China Scholarship Council.

Author information

Authors and Affiliations

Authors

Contributions

A. wrote the main manuscript text B. Comparative analysis of relevant protocols C. Draw a protocol simulation diagram D. Verified the correctness of the protocol E. Secondary editing of the manuscript

Corresponding author

Correspondence to Yuan Tian.

Ethics declarations

Ethics approval and consent to participate

Not applicable.

Consent for publication

Not applicable.

Competing interests

The authors declare no competing interests.

Additional information

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Tian, Y., Zhang, N., Ye, C. et al. Different secure semi-quantum summation models without measurement. EPJ Quantum Technol. 11, 35 (2024). https://doi.org/10.1140/epjqt/s40507-024-00247-9

Download citation

  • Received:

  • Accepted:

  • Published:

  • DOI: https://doi.org/10.1140/epjqt/s40507-024-00247-9

Keywords