 Research
 Open access
 Published:
Different secure semiquantum summation models without measurement
EPJ Quantum Technology volume 11, Article number: 35 (2024)
Abstract
Secure semiquantum summation entails the collective computation of the sum of private secrets by multiuntrustworthy and resourcelimited participants, facilitated by a quantum thirdparty. This paper introduces three semiquantum summation protocols based on single photons, where eliminating the need for classical users to possess measurement capabilities. Twoparty protocol 1 and protocol 2 are structured upon different models: star and ring, respectively. The security analysis extensively evaluates the protocols’ resilience against outside and inside attacks, demonstrating protocols are asymptotically secure. Protocol 3 extends twoparty protocol 1 to multiparty scenarios, broadening its applicability. Comparison reveals a reduction in the workload for classical users compared to previous similar protocols, and the protocols’ correctness are visually validated through simulation by Qiskit.
1 Introduction
Quantum communication employs qubits as carriers of information exchange, surpassing the limitations of classical information technology in ensuring information security and other aspects. Leveraging the unique physical properties of quantum mechanics, it guarantees noneavesdropping keys, thus achieving unconditional secure quantum communication in principle and introducing novel concepts for network security [1–4]. The BB84 protocol [5], as the pioneering quantum key distribution (QKD) protocol, showcases the potential of utilizing quantum principles for secure communication, laying the groundwork for the exploration of quantum cryptographic protocols [6–8]. Building upon the foundational work in QKD, researchers have delved into quantum protocols extending beyond secure communication to encompass secure computation [9–12].
Secure multiparty computation (SMC) is a technology enabling multiple parties to collectively compute a predetermined function result without revealing their private data [13, 14]. This technology finds applications in areas such as electronic voting, threshold signatures, and electronic auctions, serving as the cryptographic bedrock for these implementations. However, in 1994, Shor demonstrated the efficacy of quantum algorithms in rapidly factoring large prime numbers [15]. In light of quantum computing, classical SMC faces significant threats [16], as it fails to offer robust security reliant on computational power keys. Quantum secure multiparty computation (QSMC) entails integrating fundamental principles of quantum mechanics into the protocol design of secure multiparty computation [17, 18], ensuring resistance against quantum computing attacks and delivering enhanced security performance while fulfilling the function of secure multiparty computation.
Quantum secure multiparty summation (QSMS) is a subfield of QSMC, which can be seen as an extension of classical multiparty privacy summation in the field of quantum mechanics [19–23]. The main purpose of QSMS is to calculate the sum of n participant secret values without revealing their secrets. It can be definition as follows: N participants \(P_{1}, P_{2},\ldots, P_{N}\) try to calculate a summation function \(f(y_{1}, y_{2},\ldots, y_{N})\), where \(y_{i}\in \{y_{1},y_{2},\ldots y_{N}\}\) are present participant \(P_{i}\)’s private input.
While research on quantum information technology is still in its nascent stages, technologies such as quantum communication and quantum computing present challenges due to their complexity and difficulty of application in current work and life scenarios. Additionally, quantum devices entail high costs and intricate operations, with stringent requirements for preparing, storing, and transmitting quantum states. The semiquantum secure communication protocol proposed by Boyer et al. [24] effectively addresses the bottleneck in the current development of quantum secure communication. It offers a relatively easier implementation while ensuring security. This protocol allows one party to possess full quantum capability, while the other party’s quantum capability remains limited, thus enabling secure communication between quantum users and classical users.
In the semiquantum secure communication protocol model, both quantum users and classical users require access to a twoway quantum channel [25–27]. Initially, qubits are transmitted from the quantum user to the classical user and then returned to the quantum user. Upon receiving each qubit, the classical user selects one of the following options: (1) Measurement: conduct a Zbasis measurement on the received particles. (2) Preparation: prepare a quantum state using the Zbasis and send it back to the quantum user. (3) Measurement and resend: perform Zbasis measurements on the received particles and then resend the results to the quantum user as Zbasis particles. This operation combines the above two actions, with the restriction that classical users always send the same state they measure. (4) Reflection: return the particles to the quantum users without any alteration. (5) Rearrangement: rearrange the received qubits without interfering with their states. The classical user does not ascertain the specific qubits, he only reorders them.
The first threeparty semiquantum summation (SQS) protocol was introduced by Zhang et al. [28] in 2021, utilizing singlequbitbased computation to calculate the summation of participants’ private inputs. In comparison, the protocol proposed by Hu et al. [29] exhibited improved quantum measurement performance for quantum participants and potentially higher qubit efficiency in 2022. Subsequently, Ye et al. presented a more practical protocol capable of resisting collectivedephasing noise, although it failed to achieve the participants’ summation results if a trusted party is absent [30]. In 2024, Lian et al. expanded from dimension 2 to dimension d, aiming to facilitate modulo d addition for more than three semiquantum users’ private integers [31].
However, ongoing research on SQS faces several challenges: (1) Requirement for classical participants: All classical participants must possess the capability to measure and prepare qubits. (2) Communication mode: The communication mode is relatively limited, achieving star communication but not ring communication. (3) Lack of simulation verification: There is a lack of simulation verification for the proposed protocols.
In this paper, we propose three protocols based on single photons that effectively tackle the aforementioned issues. Protocols 1 and 2 are devised upon different transmission models: one utilizing a star model and the other employing a ring model. Importantly, neither protocol necessitates participants to possess measurement capabilities. In the star model, a semihonest thirdparty (TP) simultaneously transmits particles to users 1 and 2. After users 1 and 2 conduct their operations, the particles are returned to TP to finalize communication. Conversely, the ring model involves TP transmitting particles to user 1. Once user 1 completes the operation, the particles are then transmitted to user 2, who subsequently returns them to TP to complete the communication process. Protocol 3 extends protocol 1 (star model) from the twoparty SQS to multiparty, thereby enhancing the protocol’s applicability across various scenarios.
The contributions of this paper can be summarized as follows: (1) A protocol that does not require participant measurement is proposed, and classical users do not need to have measurement capabilities, further simplifying their operations. (2) Two different models, star and ring, are proposed without the need for measurement, and the star protocol is extended to multiple parties, expanding communication application scenarios. (3) The proposed protocol was simulated and verified, further verifying its correctness and feasibility. These protocols offer promising solutions for overcoming existing challenges in semiquantum communication, particularly in terms of communication modes and participant capabilities.
The remainder of this paper is structured as follows: In Sect. 2, we introduce two semiquantum summation protocols. Section 3 provides an analysis of the security aspects of the two proposed protocols. In Sect. 4, we present the simulation results of the two protocols. Following that, Sect. 5 introduces the multiparty protocol. Finally, Sect. 6 contains the discussion and conclusion of this paper.
2 Semiquantum summation protocol based on single photons
In this section, an SQS protocol using single photons will be proposed. Suppose the quantum channels are ideal (ie, nonlossy and noiseless) and the classical channels are authenticated in the proposed protocol.
There are two participants (Alice, Bob) and a semihonest TP. Alice and Bob are classical participants who have a private nbit string, eager to summation their private information. TP has full quantum capabilities, who aims to obtain the modulo 2 of Alice and Bob’s bit strings. Alice and Bob select an SQKD protocol to preshared the length of N keys \(K=(K_{1},K_{2},\ldots,K_{N})\). The length of participants’ (Alice, Bob) private bit strings (A, B) is n. Alice and Bob private bit strings are denoted as \(A=(a_{1},a_{2},\ldots,a_{n})\) and \(B=(b_{1},b_{2},\ldots,b_{n})\), where \(a_{i},b_{i}\in \{0,1\},i=1,2,\ldots,n\). On the premise of not disclosing their respective private bit strings, they hope to use TP to help compute the summation:
where, ⊕ is the modulo 2 addition.
2.1 Protocol 1: star and concise SQS
Step 1: TP generates \(N=8n\) twoqubit product states, each of which is
where A and B denote the system of Alice and Bob. There are two sequences \(S_{A}=\{q_{a}^{1},q_{a}^{2},\ldots,q_{a}^{N}\}\) and \(S_{B}=\{q_{b}^{1},q_{b}^{2},\ldots,q_{b}^{N}\}\), where \(q_{a}^{i}\) and \(q_{b}^{i}\) represent the ith \((i=1,2,\ldots,N)\) particle. Then, TP transmits \(S_{A}\) to Alice and \(S_{B}\) to Bob.
Step 2: Upon receiving particles from TP, Alice prepares a sequence \(Z_{A}=\{z_{a}^{1},z_{a}^{2},\ldots,z_{a}^{m}\}\), where \(z_{a}^{i}\) is chosen from \(\{0\rangle ,1\rangle \}\) at random, \(i=1,2,\ldots,m\). Subsequently, Alice combines \(Z_{A}\) and \(S_{A}\) to compose a new sequence \(Q_{A}\), and reorders the positions of particles in the \(Q_{A}\). Alice transmits \(Q_{A}\) to TP, where the length of \(Q_{A}\) is \(8n+m\). After receiving the particles sent by TP, Bob implemented the same operation as Alice.
Step 3: When TP is receiving \(Q_{A}\) and \(Q_{B}\) from Alice and Bob, he randomly chooses either \(\sigma _{Z}\) basis (\(\{0\rangle ,1\rangle \}\)) or \(\sigma _{X}\) basis (\(\{+\rangle ,\rangle \}\)) to measure each particle. Then, TP announces which basis he chose to measure for each particle.
Step 4: Alice and Bob publish the positions of \(S_{A}\) and \(Z_{A}\) in \(Q_{A}\), \(S_{B}\) and \(Z_{B}\) in \(Q_{B}\), respectively. According to Alice and Bob’s different operations, the following eight cases will occur, and the details are listed in Table 1:
Case 1: TP performs \(\sigma _{X}\) measurement on the particle which is belongs \(S_{A}\) and \(S_{B}\). Case 2: TP performs \(\sigma _{X}\) measurement on the particle which is belongs \(S_{A}\) and \(Z_{B}\). Case 3: TP performs \(\sigma _{X}\) measurement on the particle which is belongs \(Z_{A}\) and \(S_{B}\). Case 4: TP performs \(\sigma _{X}\) measurement on the particle which is belongs \(Z_{A}\) and \(Z_{B}\).
The cases 1, 2, 3 and 4 are used for checking eavesdropping. An example is illustrated, in case 1, TP performs \(\sigma _{X}\) measurement to detect eavesdropping. If there are no eavesdroppers in quantum channel, TP obtains \(+\rangle _{A}\otimes +\rangle _{B}\). Once other quantum states appear, it indicates the presence of eavesdroppers during the communication process. Once the error rate exceeds the prethreshold value, the protocol will be discarded.
Case 5: TP performs \(\sigma _{Z}\) measurement on the particle which is belongs \(S_{A}\) and \(Z_{B}\). Case 6: TP performs \(\sigma _{Z}\) measurement on the particle which is belongs \(Z_{A}\) and \(S_{B}\). Case 7: TP performs \(\sigma _{Z}\) measurement on the particle which is belongs \(Z_{A}\) and \(Z_{B}\).
The cases 5, 6 and 7, at least one of Alice and Bob has prepared the fresh particle, TP obtains a bit string \(r_{a}^{1},r_{a}^{2},\ldots,r_{a}^{3n}\) and \(r_{b}^{1},r_{b}^{2},\ldots,r_{b}^{3n}\) which measured in \(\sigma _{Z}\) basis corresponding the positions \(r_{a}^{1}r_{a}^{2}...r_{a}^{3n}\) and \(r_{b}^{1}r_{b}^{2}...r_{b}^{3n}\). The measurement results of Alice and Bob’s are denoted as \(r_{a}^{i}\) and \(r_{b}^{i}\) which are used for computing the private summation.
Case 8: TP performs \(\sigma _{Z}\) measurement on the particle which is belongs \(S_{A}\) and \(S_{B}\).
The case 8 will be discarded by TP.
Step 5: TP chooses a part of bits in \(r_{a}^{1}r_{a}^{2}...r_{a}^{3n}\) and \(r_{b}^{1}r_{b}^{2}...r_{b}^{3n}\) to be TEST bits, and declares the positions and value which he selected. Two participants announce the value of the TEST bits at the corresponding position. They calculate the error rate on TEST bits. Once the error rate is higher than the prethreshold value, the protocol will be terminated.
Step 6: The participants and TP compute the summation of bit strings. Alice holds \(R_{A}=\{r_{a}^{1}r_{a}^{2}...r_{a}^{n}\}\), and Bob holds \(R_{B}=\{r_{b}^{1}r_{b}^{2}...r_{b}^{n}\}\). Alice computes \(C_{A}^{i}=r_{a}^{i}\oplus a_{i}\oplus K_{i}\), Bob computes \(C_{B}^{i}=r_{b}^{i}\oplus b_{i}\oplus K_{i}\), where ⊕ is the modulo 2 addition. Then, TP computes \(C_{A}^{i}\oplus C_{B}^{i} \oplus r_{a}^{i} \oplus r_{b}^{i} = a_{i} \oplus b_{i}\), the result is Alice and Bob ith private summation.
2.2 Protocol 2: ring and concise SQS
Step 1: TP generates a N single photons \(S_{T}\) sequence which randomly contains {\(+\rangle \), \(\rangle \), \(0\rangle \), \(1\rangle \)}, and transmits to Alice.
Step 2: Upon receiving the sequence \(S_{T}\) from TP, Alice prepares a sequence \(S_{A}=\{r_{a}^{1},r_{a}^{2},\ldots,r_{a}^{N}\}\), where \(r_{a}^{i}\) is chosen from \(\{0\rangle ,1\rangle \}\) at random, \(i=1,2,\ldots,N\). Subsequently, Alice combines \(S_{T}\) and \(S_{A}\) to compose a new sequence \(S_{2}\), and reorders the positions of particles in the \(S_{2}\). Alice transmits \(S_{2}\) to Bob, where the length of \(S_{2}\) is 2N.
Step 3: Upon receiving the sequence \(S_{2}\) from Alice, Bob prepares a sequence \(S_{B}=\{r_{b}^{1},r_{b}^{2},\ldots,r_{b}^{N}\}\), where \(r_{b}^{i}\) is chosen from \(\{0\rangle ,1\rangle \}\) at random, \(i=1,2,\ldots,N\). Subsequently, Bob combines \(S_{2}\) and \(S_{B}\) to compose a new sequence \(S_{3}\), and reorders the positions of particles in the \(S_{3}\). Bob transmits \(S_{3}\) to TP, where the length of \(S_{3}\) is 3N.
Noticed that, the photons prepared by TP, Alice, Bob are represent CTRL photons, \(\mathrm{SIFT} _{A}\) photons, \(\mathrm{SIFT} _{B}\) photons, respectively.
Step 4: TP announces to A and B that he received the sequence \(S_{3}\). Afterwards, two participants respectively declare the orders of the photons in the sequence \(S_{2}\) and \(S_{3}\).
Step 5: TP performs \(\sigma _{X}\) measurement on the CTRL photon, performs \(\sigma _{Z}\) measurement on the \(\mathrm{SIFT} _{A}\) and \(\mathrm{SIFT} _{B}\) photon. For detecting eavesdropping, TP calculates the error rate about CTRL photons. If eavesdropping absent, TP’s measurement results should be consistent with what he initially prepared. Once the error rate is higher than the prethreshold value, the protocol will be dropped.
Step 6: TP chooses a part of bits in \(S_{A}=\{r_{a}^{1},r_{a}^{2},\ldots,r_{a}^{N}\}\) and \(S_{B}=\{r_{b}^{1},r_{b}^{2},\ldots,r_{b}^{N}\}\) to be TEST bits, and declares the positions and value which he selected. Two participants announce the value of the TEST bits at the corresponding position. They calculate the error rate on TEST bits. Once the error rate is higher than the prethreshold value, the protocol will be terminated.
Step 7: The participants and TP compute the summation of bit strings. Alice holds \(R_{A}=\{r_{a}^{1}r_{a}^{2}...r_{a}^{n}\}\), and Bob holds \(R_{B}=\{r_{b}^{1}r_{b}^{2}...r_{b}^{n}\}\). Alice computes \(C_{A}^{i}=r_{a}^{i}\oplus a_{i}\oplus K_{i}\), Bob computes \(C_{B}^{i}=r_{b}^{i}\oplus b_{i}\oplus K_{i}\), where ⊕ is the modulo 2 addition. Then, TP computes \(C_{A}^{i}\oplus C_{B}^{i} \oplus r_{a}^{i} \oplus r_{b}^{i} = a_{i} \oplus b_{i}\), the result is Alice and Bob ith private summation.
3 Security analysis
In this section, we analyze the proposed SQS protocols’ security. Generally speaking, when analyzing SQS security, the following two attack scenarios need to be considered [7, 16, 28]. Outside attack: Malicious attacker attempts to obtain the privacy strings of participants. Inside attack: TP and participants attempt to steal the privacy strings of other participants. Suppose Eve has fully quantum capability. The following will prove that Eve’s access to any private information will introduce errors.
3.1 Security analysis of SCSQS
Outside attacker Eve attempts to grab the participants’ private bit strings, and he needs to obtain the keys that the participant uses to encrypt their private inputs. Here is an analysis of Eve’s desire to obtain Alice’s private bit string, similar to the analysis of Bob’s private bit string.
Interceptresend attack
Eve intercepts the sequence \(S_{A}\) which is sending to Alice from TP, and reprepares self a sequence \(S_{E}\). Eve sends Alice \(S_{E}\) instead of \(S_{A}\). When Alice received \(S_{E}\), she combines \(S_{E}\) with \(Z_{A}\) to obtain \(Q_{A}'\), and transmits \(Q_{A}'\) to TP. Then, Eve intercepts \(Q_{A}'\), attempts to infer which particles Alice prepared. He prepares a fake sequence \(Q_{A}''\), and sends to TP. Unfortunately, Eve will be detected with high probability causing he does not realize the order of \(Q_{A}'\).
When conducting eavesdropping detection in Step 4, TP performs \(\sigma _{X}\) measurement on the particle with \(1/2\), situation 1 with \(1/2\): particle in \(Z_{A}\), there are no error introduce; situation 2 with \(1/2\): particle in \(S_{A}\), Eve has a probability of \(1/2\) being detected. Hence, the total detection rate is \(1/2*(1/2*0+1/2*1/2)=1/8\) in Step 4. Specifically, in case \(1\&2\), the detection particle in \(S_{A}\) which generated by TP. When Eve sents particle one of \(0\rangle ,1\rangle ,+\rangle ,\rangle \) to TP with \(1/4\). Eve prepares \(+\rangle \) particle, he can pass the detection with \(1/4\). If Eve prepares \(0\rangle \)(\(1\rangle \)), he can pass the detection with \(1/2\). Eve prepares \(\rangle \) particle, he will be noticed by TP. In case \(3\&4\), the detection particle in \(Z_{A}\) which generated by Alice. Because TP will take \(\sigma _{X}\) on the particle \(Z_{A}\), the measurement results are \(+\rangle \) or \(\rangle \), he cannot distinguish the fake particle.
For eavesdropping detection in Step 5, TP performs \(\sigma _{Z}\) measurement on the particle with \(1/2\), situation 3 with \(1/2\): the \(Z_{A}\) particle, Eve has a probability of \(1/2\) being detected. Situation 4 with \(1/2\): particle in \(S_{A}\), discard. Hence, the total detection rate is \(1/2*1/2*1/2)=1/8\) in Step 5.
Measureresend attack
Eve intercepts and measures the sequence \(S_{A}\) which is sending to Alice from TP. He regenerates a sequence \(S_{E}\) with same measurement results and transmits to Alice. When Alice received \(S_{E}\), she prepares a sequence \(Q_{A}'\) of \(S_{E}\) and \(Z_{A}\) together, and sends to TP. Subsequently, Eve intercepts and measures \(Q_{A}'\) to obtain Alice keys. And he generates a false sequence \(Q_{A}''\), sends to TP. Apparently, because of \(Q_{A}'\) ordered by Alice, Eve can be detected with high probability.
For eavesdropping detection in Step 4, TP measures the particle using \(\sigma _{X}\) basis with \(1/2\), situation 1 with \(1/2\): the \(Z_{A}\) particle, there are no error introduce; situation 2 with \(1/2\): the \(S_{A}\) particle, Eve has a probability of \(1/4\) being detected. Hence, the total detection rate is \(1/2*(1/2*0+1/2*1/4)=1/16\) in Step 4. Specifically, in case \(1\&2\), the detection particle in \(S_{A}\) which prepared by TP. Eve cannot know which basis TP choice to generate particles. Eve chose \(\sigma _{Z}\) with \(1/2\), he can pass the detection with \(1/2\). Eve chose \(\sigma _{X}\) with \(1/2\), TP cannot notice he. In case \(3\&4\), the detection particle in \(Z_{A}\) which prepared by Alice. Because TP will take \(\sigma _{X}\) on the particle \(Z_{A}\), the measurement results are \(+\rangle \) or \(\rangle \), he cannot distinguish the fake particle.
When conducting eavesdropping detection in Step 5, TP measures the particle using \(\sigma _{Z}\) basis with \(1/2\), situation 3 with \(1/2\): particle in \(Z_{A}\), there are no error introduce. Situation 4 with \(1/2\): particle in \(S_{A}\), discard. Eve does not introduce any errors in step 5.
Entanglemeasure attack
Eve performs attacks via two unitary operations on qubits: \(U_{E}\) operation to entangle the ancillary particle \(0\rangle _{E}\) for particles transferred from TP to Alice, and \(U_{F}\) operation to measure the ancillary particle \(0\rangle _{E}\) for particles transferred from Alice to TP. In the proposed protocol, Eve may perform attack on each qubit in \(Q_{A}\) and \(Q_{B}\) to entangle the qubit with its auxiliary qubits. After Alice and Bob pronounced the order of \(Q_{A}\) and \(Q_{B}\), Eve then measures the auxiliary particles entangled with the particle to obtain information about Alice and Bob’s key bits. The global state of the composite system composed by particles A, B and E is \(A+B+E\).
A. Particles same sorted position which are in \(Z_{A}\) and \(Z_{B}\). The state of \(A+B+E\) becomes \(z_{1}z_{2}\rangle _{AB}e_{Z_{1}Z_{2}}\rangle \), where \(z_{1},z_{2}\in \{0,1\}\). For Eve passing the detection in Step 5, \(U_{F}\) should satisfies:
which means there is no change on the state of \(A+B\).
B. Alice’s particle in \(Z_{A}\) and Bob’s particle in \(S_{B}\). When \(z_{a}\) is \(0\rangle \), the state of \(A+B+E\) becomes \(00\rangle _{AB}e_{00}\rangle +01\rangle _{AB}e_{01}\rangle \), or the state of \(A+B+E\) becomes \(10\rangle _{AB}e_{10}\rangle +11\rangle _{AB}e_{11}\rangle \) when \(z_{a}\) is \(1\rangle \).
Let \(z_{a}\) is \(0\rangle \). After Eve performs \(U_{F}\), state evolves into:
Bring \(0\rangle =(+\rangle +\rangle )/\sqrt {2}\) and \(1\rangle =(+\rangle \rangle )/\sqrt {2}\) into \(B+E\) in equation (6):
If Eve wants to induce no error, TP should obtain the \(\rangle \) with the probability of 0. Therefore,
Let \(z_{a}\) is \(1\rangle \). After Eve performs \(U_{F}\), state evolves into:
Bring \(0\rangle =(+\rangle +\rangle )/\sqrt {2}\) and \(1\rangle =(+\rangle \rangle )/\sqrt {2}\) into \(B+E\) in equation (6):
If Eve wants to induce no error, TP should obtain the \(\rangle \) with the probability of 0. Therefore,
C. Alice’s particle in \(S_{A}\) and Bob’s particle in \(Z_{B}\). When \(z_{b}\) is \(0\rangle \), the state of \(A+B+E\) becomes \(00\rangle _{AB}e_{00}\rangle +10\rangle _{AB}e_{10}\rangle \), or the state of \(A+B+E\) becomes \(01\rangle _{AB}e_{01}\rangle +11\rangle _{AB}e_{11}\rangle \) when \(z_{b}\) is \(1\rangle \).
Assume \(z_{b}\) is \(0\rangle \). After Eve performs \(U_{F}\), state evolves into:
Bring \(0\rangle =(+\rangle +\rangle )/\sqrt {2}\) and \(1\rangle =(+\rangle \rangle )/\sqrt {2}\) into \(A+E\) in equation (6):
If Eve wants to induce no error, TP should obtain the \(\rangle \) with the probability of 0. Therefore,
Assume \(z_{b}\) is \(1\rangle \). After Eve performs \(U_{F}\), state evolves into:
Bring \(0\rangle =(+\rangle +\rangle )/\sqrt {2}\) and \(1\rangle =(+\rangle \rangle )/\sqrt {2}\) into \(A+E\) in equation (15):
If Eve wants to induce no error, TP should obtain the \(\rangle \) with the probability of 0. Therefore,
According equation (8), (11), (14) and (17), it can be inferred that:
D. Particles same sorted position which are in \(S_{A}\) and \(S_{B}\). The state of \(A+B+E\) becomes \(00\rangle _{AB}e_{00}\rangle +01\rangle _{AB}e_{01}\rangle +10 \rangle _{AB}e_{10}\rangle +11\rangle _{AB}e_{11}\rangle \). After Eve performs \(U_{F}\), state evolves into:
For no errors are introduced under Eve’s attack, the measurement result of the state of \(A+B\) should be \(++\rangle \). According equation (18), (19) can be rewritten as follows:
And according equation (18), (5), (6), (9), (12) and (15) can be rewritten as follows:
Obviously, Eve induces no error, his probes are independent of two participants measurement results.
TP attack
A semihonest TP is defined as someone who needs to follow the protocol steps but is not allowed to collude with others, and can only attempt to deduce the participant’s secret by collecting public information. Although TP can acquire the order of \(Q_{A}\) (\(Q_{B}\)), he does not know the preshared keys K between Alice and Bob. As a consequence, he cannot obtain the private bit strings.
Participant attack
Suppose Alice is a dishonest participant who wants obtain the keys between TP and Bob, and infers to Bob’s private bit string. When Alice attacks, she will use any possible attack methods, including the interceptresend, measureresend and entanglemeasure attacks used by outside attacker Eve. In addition, she will also adopt more serious attack methods.
3.2 Security analysis of RCSQS
Security analysis of RCSQS protocol is similar to SCSQS protocol. Here, we focus on analyzing dishonest participants’(dishonest Alice and dishonest Bob) attacks.
Interceptresend attack
Suppose Alice is a dishonest participant who wants to obtain \(\mathrm{SIFT} _{B}\), and intercepts the \(S_{3}\). Then, she prepares 3N fake photons \((S'_{3})\) and sends \(S'_{3}\) to TP. When Bob posted his rearranged order, Alice could measure the corresponding photons using \(\sigma _{Z}\) basis to obtains the Bob’s bit string. However, Alice will be detected. To begin with, Alice’s attack on CTRL photons can be easily detected because she does not know which state TP is prepared for. Besides, Alice’s attack on \(\mathrm{SIFT}_{B}\) photons can be easily detected because she does not distinguish the state and position of Bob’s prepared particles.
For eavesdropping detection in Step 5, TP measures the particle using \(\sigma _{X}\) or \(\sigma _{Z}\). Alice randomly prepared particle is \(1\rangle \) or \(0\rangle \), after measured by TP, the state will be \(+\rangle \), \(\rangle \), \(0\rangle \) or \(1\rangle \). Hence, the detection rate is \(1/4\) in Step 5. When conducting eavesdropping detection in Step 6, TP will verify the state of the TEST bit with Bob, and there is a half chance that \(1\rangle \) or \(0\rangle \) randomly prepared by Alice will be the same as the state prepared by Bob. Hence, the detection rate is \(1/2\) in Step 6.
The security analysis of dishonest participant Bob using interceptresend attack is similar to the analysis of Alice.
Measureresend attack
Suppose Bob is a dishonest participant who desires to acquire \(\mathrm{SIFT} _{A}\). When Bob received \(S_{2}\), he measures all particles in \(S_{2}\) using \(\sigma _{Z}\) basis and prepares new particles with same measurement results. Then, he prepares 3N fake photons \(S'_{3}\) and transmits to TP. When Alice posted her rearranged order, Bob could measure the corresponding photons using \(\sigma _{Z}\) basis to obtains the Alice’s bit string. Nevertheless, Bob will be detected. Bob’s attack on CTRL photons can be easily detected because she does not know which state TP is prepared for.
When conducting eavesdropping detection in Step 5, TP measures the particle using \(\sigma _{X}\) or \(\sigma _{Z}\). Bob randomly prepared particle is \(1\rangle \) or \(0\rangle \), after measured by TP, the state will be \(+\rangle \), \(\rangle \), \(0\rangle \) or \(1\rangle \). Hence, the detection rate is \(1/4\) in Step 5.
The security analysis of dishonest participant Alice using measureresend attack is similar to the analysis of Bob.
Entanglemeasure attack
Considering that the sequence sent \(S_{T}\) by TP to Alice does not contain any valid information, Eve will perform two unitary operations on the qubits: \(U_{S}\) operation to entangle the ancillary particle for particles transferred from Alice to Bob, and \(U_{T}\) operation to measure the ancillary particle for particles transferred from Bob to TP.
A. Suppose Eve performs attack \((U_{S},U_{T})\). Defined \(0\rangle _{T}\), \(1\rangle _{T}\), \(+\rangle _{T}\) and \(\rangle _{T}\) represent the CTRL qubit, and \(\mathrm{SIFT} _{A}\) qubits are represented as \(0\rangle _{A}\) and \(1\rangle _{A}\), and \(\mathrm{SIFT} _{B}\) qubits are represented as \(0\rangle _{B}\) and \(1\rangle _{B}\). When Eve performed \(U_{S}\), the composite system particles T and A become:
B. After Eve performed \(U_{T}\), the composite system particles T, A and B become:
C. Eve can not be detected through eavesdropping, the following conditions will be met:
which can be obtained that \(T_{0}\rangle =T_{1}\rangle =T\rangle \). So,
The above equations show that Eve’s ancillary particle is independent of CTRL, \(\mathrm{SIFT} _{A}\) and \(\mathrm{SIFT} _{B}\) photons, so if Eve does not want to be detected for his eavesdropping behavior, he will also be unable to obtain information.
4 Simulation of the presented protocols
To demonstrate the correctness of the outputs of the three protocols, we conducted simulation experiments using IBM’s Qiskit without considering the eavesdropping inspection process [32].
4.1 Simulation of the SCSQS protocol
Assuming that the particles sent by TP to Alice are \(+\rangle \), \(+\rangle \), \(+\rangle \) and \(+\rangle \), represented by quantum registers \(q_{0}\), \(q_{1}\), \(q_{2}\) and \(q_{3}\), respectively. The particle states prepared by Alice themselves are \(0\rangle \), \(1\rangle \), \(0\rangle \) and \(1\rangle \), represented by registers \(q_{4}\), \(q_{5}\), \(q_{6}\) and \(q_{7}\), respectively.
According to the protocol steps, TP randomly performs \(\sigma _{X}\) and \(\sigma _{Z}\) measurements on the received particles. In the simulation phase, it is assumed that TP performs \(\sigma _{X}\) measurements on registers \(q_{0}\), \(q_{1}\), \(q_{4}\) and \(q_{5}\), and \(\sigma _{Z}\) measurements on \(q_{2}\), \(q_{3}\), \(q_{6}\) and \(q_{7}\). The relevant circuit diagram is shown in Fig. 1, and the corresponding measurement results are shown in Fig. 2.
4.2 Simulation of the RCSQS protocol
Assuming that the particles sent by TP to Alice are \(+\rangle \), \(\rangle \), \(0\rangle \) and \(1\rangle \), represented by quantum registers \(q_{0}\), \(q_{1}\), \(q_{2}\) and \(q_{3}\), respectively. The particle states prepared by Alice themselves are \(1\rangle \), \(0\rangle \), \(1\rangle \) and \(0\rangle \), represented by registers \(q_{4}\), \(q_{5}\), \(q_{6}\) and \(q_{7}\), respectively. The particle states prepared by Bob themselves are \(0\rangle \), \(1\rangle \), \(0\rangle \) and \(0\rangle \), represented by registers \(q_{8}\), \(q_{9}\), \(q_{10}\) and \(q_{11}\), respectively.
According to the protocol steps, TP performs \(\sigma _{X}\) and \(\sigma _{Z}\) measurements on the CTRL particles. In the simulation phase, it is show that TP performs \(\sigma _{X}\) measurements on registers \(q_{0}\), \(q_{1}\), and \(\sigma _{Z}\) measurements on \(q_{2}\), \(q_{3}\). The relevant circuit diagram is shown in Fig. 3, and the corresponding measurement results are shown in Fig. 4.
5 Protocol 3: multiparty SCSQS
In this section, based on SCSQS protocol, the MPSQS protocol will be proposed.
There are \(n(n\geq 2)\) participants \((P_{1}, P_{2},\ldots, P_{n})\) and a semihonest TP. The participants \(P_{j}(2\le j \le n)\) are classical participants who have a private Nbit string, eager to summation their private information. TP has full quantum capabilities, who aims to obtain the modulo 2 of the participants’ bit strings. The participants select an SQKD protocol to preshared the length of N keys \(K=(K^{1},K^{2},\ldots,K^{N})\). The length of participants’ private bit strings (\(M_{1}\), \(M_{2}\),…, \(M_{n}\)) is N, which are denoted as \(M_{1}=(m_{1}^{1},m_{1}^{2},\ldots,m_{1}^{N})\), \(M_{2}=(m_{2}^{1},m_{2}^{2},\ldots,m_{2}^{N}), \ldots, M_{n}=(m_{n}^{1},m_{n}^{2},\ldots,m_{n}^{N})\), where \(m_{j}^{i}\in \{0,1\}\), \(i=1,2,\ldots,N\). On the premise of not disclosing their respective private bit strings, they hope to use TP to help compute the summation:
where, ⊕ is the modulo 2 addition.
Step 1: TP generates \(N=8n\) nqubit product states, each of which is
where \(1,2,\ldots,n\) denote the system of n participants. There are n sequences \(Q_{1}=\{q_{1}^{1},q_{1}^{2},\ldots,q_{1}^{N}\}\), \(Q_{2}=\{q_{2}^{1},q_{2}^{2},\ldots,q_{2}^{N}\}\), …, \(Q_{n}=\{q_{n}^{1},q_{n}^{2},\ldots,q_{n}^{N}\}\), where \(q_{j}^{i}\) represents the ith \((i=1,2,\ldots,N)\) particle for jth participant. Then, TP transmits \(Q_{j}\) to each participant.
Step 2: Upon receiving particles from TP, \(P_{j}\) prepares a sequence \(Z_{j}=\{z_{a}^{1},z_{a}^{2},\ldots,z_{a}^{m}\}\), where \(z_{j}^{i}\) is chosen from \(\{0\rangle ,1\rangle \}\) at random, \(i=1,2,\ldots,m\). Subsequently, \(P_{j}\) combines \(Z_{j}\) and \(Q_{j}\) to compose a new sequence \(S_{j}\), and reorders the positions of particles in the \(S_{j}\). \(P_{j}\) transmits \(S_{j}\) to TP, where the length of \(N_{j}\) is \(8n+m\).
Step 3: When TP is receiving \(S_{j}\) from \(P_{j}\), he randomly chooses either \(\sigma _{Z}\) basis (\(\{0\rangle ,1\rangle \}\)) or \(\sigma _{X}\) basis (\(\{+\rangle ,\rangle \}\)) to measure each particle. Then, TP announces which basis he chose to measure for each particle.
Step 4: \(P_{j}\) publishs the positions of \(Q_{j}\) and \(Z_{j}\) in \(S_{j}\). According to \(P_{j}\)’s different operations, the following various cases will occur:
The cases which TP performed \(\sigma _{X}\) measurement on the particle are used for checking eavesdropping. An example is illustrated, if there are no eavesdroppers in quantum channel, TP obtains \(+\rangle _{1}\otimes +\rangle _{2}\otimes \cdots\otimes +\rangle _{n}\). Once other quantum states appear, it indicates the presence of eavesdroppers during the communication process.
The case which TP performs \(\sigma _{Z}\) measurement on the particle which is belongs \(Q_{1}\), \(Q_{2}\), …, \(Q_{n}\) will be discarded.
The cases which TP performed \(\sigma _{Z}\) measurement at least one of Alice and Bob has prepared the fresh particles are used for computing the private summation. TP obtains a bit string \(r_{1}^{1},r_{1}^{2},\ldots,r_{1}^{3n}\), \(r_{2}^{1},r_{2}^{2},\ldots,r_{2}^{3n}\), …, \(r_{n}^{1},r_{n}^{2},\ldots,r_{n}^{3n}\) which measured in \(\sigma _{Z}\) basis corresponding the positions \(r_{1}^{1}r_{1}^{2}...r_{1}^{3n}\), \(r_{2}^{1}r_{2}^{2}...r_{2}^{3n}\) and \(r_{n}^{1}r_{n}^{2}...r_{n}^{3n}\). The measurement result of \(P_{1}\), \(P_{2}\) and \(P_{n}\)’s are denoted as \(r_{1}^{i}\), \(r_{2}^{i}\) and \(r_{n}^{i}\).
Step 5: TP chooses a part of bits in \(r_{1}^{1}r_{1}^{2}...r_{1}^{3n}\), \(r_{2}^{1}r_{2}^{2}...r_{2}^{3n}\) and \(r_{n}^{1}r_{n}^{2}...r_{n}^{3n}\) to be TEST bits, and declares the positions and value which he selected. Two participants announce the value of the TEST bits at the corresponding position. They calculate the error rate on TEST bits. Once the error rate is higher than the predefined threshold value, the protocol will be terminated.
Step 6: The participants and TP compute the summation of bit strings. \(P_{1}\) holds \(R_{1}=\{r_{1}^{1},r_{1}^{2},\ldots,r_{1}^{n}\}\), \(P_{2}\) holds \(R_{2}=\{r_{2}^{1},r_{2}^{2},\ldots,r_{n}^{n}\}\), …, \(P_{n}\) holds \(R_{n}=\{r_{n}^{1},r_{n}^{2},\ldots,r_{n}^{n}\}\). \(P_{1}\) computes \(C_{1}^{i}=r_{1}^{i}\oplus m_{1}^{i} \oplus K^{i}\), \(P_{2}\) computes \(C_{2}^{i}=r_{2}^{i}\oplus m_{2}^{i} \oplus K^{i}\), …, \(P_{n}\) computes \(C_{n}^{i}=r_{n}^{i}\oplus m_{n}^{i} \oplus K^{i}\) where ⊕ is the modulo 2 addition. Then, TP computes \(C_{1}^{i}\oplus C_{2}^{i} \oplus \cdots \oplus C_{n}^{i} \oplus r_{1}^{i} \oplus r_{2}^{i} \oplus \cdots \oplus r_{n}^{i} = m_{1}^{i} \oplus m_{2}^{i} \oplus \cdots\oplus m_{n}^{i} \), the result is Alice and Bob ith private summation.
6 Discussion and conclusion
We compare the proposed protocols with similar protocols in detail are shown in Table 2. Zhang et al. [28], Hu et al. [29] and our protocols based on single qubits which are easier to generate the qubits. Zhang et al. [28] and Ye et al. [30] implement communication between three participants, but Hu et al. [29] and our protocols communication with only two participants. Importantly, previous SQS protocols necessitated classical user measurements, while the proposed protocols eliminate this requirement, with TP only requiring singleparticle measurements.
In conclusion, this paper introduces three secure semiquantum summation protocols, all of which operate without classical measurement and are capable of computing the modulo 2 addition of participants’ private bits. When designing these protocols, the following key aspects were considered: (1) Minimizing the classical participants’ capabilities to only preparing qubits using Zbasis, while employing methods that don’t require measurement capabilities. (2) Designing protocols based on different transmission modes, namely star and ring protocols. (3) Extending protocols applicable to two or three parties to support Nparty scenarios. With these design principles in mind, SCSQS is a star protocol that eliminates the need for measurement, RCSQS is a ring protocol also devoid of measurement requirements, and MPSQS extends from SCSQS to Nparty scenarios. These proposed protocols have been demonstrated to effectively prevent typical attack behaviors such as interceptresend attacks, measureresend attacks, entanglemeasure attacks, TP attacks, and participant attacks. Moreover, it’s worth noting that the designed protocols come with certain limitations, such as the requirement for participants to preshare keys. These limitations provide areas for future research and improvement in semiquantum communication protocols.
Data Availability
No datasets were generated or analysed during the current study.
Abbreviations
 QKD:

Quantum Key Distribution
 SMC:

Secure Multiparty Computation
 QSMC:

Quantum Secure Multiparty Computation
 QSMS:

Quantum secure Multiparty Summation
 SQS:

SemiQuantum Summation
 TP:

ThirdParty
 SCSQS:

Star and Concise SemiQuantum Summation
 RCSQS:

Ring and Concise SemiQuantum Summation
 MPSQS:

MultiParty SemiQuantum Summation
References
Cabello A. Quantum key distribution in the Holevo limit. Phys Rev Lett. 2000;85(26):5635.
Grasselli F. Quantum cryptography. Quantum science and technology. Cham: Springer; 2021.
Aumasson JP. The impact of quantum computing on cryptography. Comput. Fraud Secur.. 2017;6:8–11.
Diffie W, Hellman M. New directions in cryptography. IEEE Trans Inf Theory. 1976;22(6):644–54.
Bennett CH, Brassard G. Quantum cryptography: public key distribution and coin tossing. In: Proceedings of the IEEE international conference on computers, systems and signal processing. Bangalore. 1984. p. 175–9.
Yin J, Li YH, Liao SK, Yang M, Cao Y, Zhang L, Ren JG, Cai WQ, Liu WY, Li SL, Shu R, Huang YM, Deng L, Li L, Zhang Q, Liu NL, Chen YA, Lu CY, Wang XB, Xu FH, Wang JY, Peng CZ, Ekert A, Pan JW. Entanglementbased secure quantum cryptography over 1,120 kilometres. Nature. 2020;582(7813):501–5.
Renner R, Wolf R. Quantum advantage in cryptography. AIAA J. 2023;61(5):1895–910.
Sonko S, Ibekwe KI, Ilojianya VI, Etukudoh EA, Fabuyide A. Quantum cryptography and US digital security: a comprehensive review: investigating the potential of quantum technologies in creating unbreakable encryption and their future in national security. Comput. Sci. IT Res. J.. 2024;5(2):390–414.
Sutradhar K. Secure multiparty quantum aggregating protocol. Quantum Inf Comput. 2023;23(3&4):245–56.
Sun Z, Song L, Huang Q, Yin L, Long G, Lu J, Hanzo L. Toward practical quantum secure direct communication: a quantummemoryfree protocol and code design. IEEE Trans Commun. 2020;68(9):5778–92.
Grassl M. Entanglementassisted quantum communication beating the quantum Singleton bound. Phys Rev A. 2021;103(2):L020601.
Yang Z, Zolanvari M, Jain R. A survey of important issues in quantum computing and communications. IEEE Commun Surv Tutor 2023.
Goldreich O. Secure multiparty computation. Manuscript Preliminary version. 1998;78(110):1–108.
Knott B, Venkataraman S, Hannun A, Sengupta S, Ibrahim M, vander Maaten L. Crypten secure multiparty computation meets machine learning. Adv Neural Inf Process Syst. 2021;34:4961–73.
Shor PW. Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings of the 35th annual symposium on foundations of computer science. Piscataway: IEEE; 1994. p. 124–34.
Grasselli F. Quantum cryptography. Quantum science and technology. Cham: Springer; 2021.
Lo HK. Insecurity of quantum secure computations. Phys Rev A. 1997;56(2):1154.
Bartusek J. Secure quantum computation with classical communication. In: Proceedings of the theory of cryptography conference. Cham: Springer; 2021. p. 1–30.
Shi RH, Zhang S. Quantum solution to a class of twoparty private summation problems. Quantum Inf Process. 2017;16:1–9.
Yang HY, Ye TY. Secure multiparty quantum summation based on quantum Fourier transform. Quantum Inf Process. 2018;17(6):129.
Ji Z, Zhang H, Wang H, Wu F, Jia J, Wu W. Quantum protocols for secure multiparty summation. Quantum Inf Process. 2019;18:1–19.
Sutradhar K, Om H. A generalized quantum protocol for secure multiparty summation. IEEE Trans Circuits Syst II, Express Briefs. 2020;67(12):2978–82.
Lu Y, Ding G. Quantum secure multiparty summation with graph state. Entropy. 2024;26(1):80.
Boyer M, Kenigsberg D, Mor T. Quantum key distribution with classical Bob. Phys Rev Lett. 2007;99(14):140501.
Zou X, Qiu D, Li L, Wu L, Li L. Semiquantum key distribution using less than four quantum states. Phys Rev A. 2009;79(5):1744.
Iqbal H, Krawec WO. Semiquantum cryptography. Quantum Inf Process. 2020;19(3):1–52.
Tian Y, Li J, Chen XB, Ye CQ, Li HJ. An efficient semiquantum secret sharing protocol of specific bits. Quantum Inf Process. 2021;20(6):1–11.
Zhang C, Huang Q, Long Y, Sun Z. Secure threeparty semiquantum summation using single photons. Int J Theor Phys. 2021;60(9):3478–87.
Hu JL, Ye TY. Threeparty secure semiquantum summation without entanglement among quantum user and classical users. Int J Theor Phys. 2022;61(6):170.
Ye TY, Xu TJ, Geng MJ, Chen Y. Twoparty secure semiquantum summation against the collectivedephasing noise. Quantum Inf Process. 2022;21(3):118.
Lian JY, Ye TY. Hybrid protocols for multiparty semiquantum private comparison, multiplication and summation without a preshared key based on ddimensional singleparticle states. EPJ Quantum Technol. 2024;11(1):17.
Ye CQ, Li J, Chen XB, Hou Y. A feasible semiquantum private comparison based on entanglement swapping of Bell states. Phys A, Stat Mech Appl. 2023;625:129023.
Funding
Project supported by the Natural Science Basic Research Program of Shaanxi (Program No. 2024JCYBQN0688) and the China Scholarship Council.
Author information
Authors and Affiliations
Contributions
A. wrote the main manuscript text B. Comparative analysis of relevant protocols C. Draw a protocol simulation diagram D. Verified the correctness of the protocol E. Secondary editing of the manuscript
Corresponding author
Ethics declarations
Ethics approval and consent to participate
Not applicable.
Consent for publication
Not applicable.
Competing interests
The authors declare no competing interests.
Additional information
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Tian, Y., Zhang, N., Ye, C. et al. Different secure semiquantum summation models without measurement. EPJ Quantum Technol. 11, 35 (2024). https://doi.org/10.1140/epjqt/s40507024002479
Received:
Accepted:
Published:
DOI: https://doi.org/10.1140/epjqt/s40507024002479