 Research
 Open access
 Published:
Efficient quantum secure multiparty greatest common divisor protocol and its applications in private set operations
EPJ Quantum Technology volume 11, Article number: 57 (2024)
Abstract
Private set intersection (PSI) has important application value, however, current quantum PSI protocols are either unsuitable for multiparty scenarios or inefficient. Recently, Imran (arXiv:2303.17196v3, 2023) proposed two quantum secure multiparty greatest common divisor (GCD) protocols that can be used for PSI, but with the downside of information leakage and resource consumption. In this paper, we propose a novel quantum secure multiparty GCD protocol that has higher security and lower complexity. To hide privacy, each party randomly selects a coefficient within a range determined by his input integer, and with the assistance of a semihonest third party TP, all parties secretly calculate the linear combination of their inputs under these coefficients. Once enough linear combinations are collected, TP calculates the GCD of these combinations, which is equal to the GCD of all input integers. To verify the honesty of participants, a quantum zeroknowledge proof subprotocol is designed. Analysis shows that our GCD protocol is correct and has security against malicious attacks. Moreover, its complexity is polynomial level and lower than Imran’s. Furthermore, we demonstrate the scalability of our GCD protocol in private set operations, such as private set intersection, private set intersection cardinality, private multiset intersection, etc.
1 Introduction
In today’s advanced network, data sharing is crucial but may also lead to problems such as data security and personal privacy leakage. To address these concerns, secure multiparty computation (SMC) offers a solution for controlled data sharing. The concept of SMC was first introduced by Yao [1] in 1982 and involves two or more participants using their secret information to collaboratively calculate the objective function. The goal is to ensure that each party only obtains its own calculation results and cannot infer the secret information of any other party through the interactive data in the calculation process. Although SMC has become a hot topic in cryptography, the more universal a SMC scheme is, the more resources it consumes. Therefore, scholars need to design special protocols for specific problems. Private set operation (PSO) is an important SMC problem that considers data aggregation and analysis between multiple private data sets, such as determining the intersection (union) set (or its cardinality), the membership, or the equality relationship between sets. Most classical PSO schemes use classical cryptography based on Computational Hardness Assumption, which has a theoretical risk of being broken. For instance, with the development of quantum computing, cryptosystems based on the Prime Decomposition Problem and Discrete Logarithm Problem have been cracked by Shor’s algorithm [2, 3], while symmetric cryptosystems have to improve the key standard in front of Grover’s algorithm [4]. However, quantum computing also has brought a new paradigm of cryptography, quantum cryptography, which uses the laws of quantum physics to achieve unconditional security. SMC using quantum cryptography is called quantum SMC (QSMC).
As representative quantum PSO problems, Private set intersection (PSI) and Private set intersection cardinality (PSICA) involve finding the intersection set (or its cardinality) of multiple private sets without revealing any set elements. In 2015, Shi [5] proposed an oblivious setmember decision protocol based on phaseencoded quantum private query [6] and introduced the first quantum twoparty PSI protocol [7]. Subsequently, Cheng et al. [8] analyzed its security loophole, and Maitra [9] extended the protocol to the rational player scenarios. The method based on phase encoding is efficient, requiring only \(O(m)\) qubits per element in general with a universal set size of \(M=2^{m}\). But it requires highdimensional Oracle operations that are difficult to implement, and it is difficult to extend to \(n>2\)party case. In contrast, schemes inspired by quantum key distribution (QKD) [10] using single particles (single photons or dlevel particles, etc.), or socalled QKDlike schemes, are easier to guide to higher feasibility. One of the singleparticle schemes is the subset encoding of set [11–13], where each subset of the universal set is given a unique Mbit binary code, where each bit represents an element. The other schemes use Bloom Filter [14, 15], a hash encryption of set elements, whose complexity is only related to the size of the private set, not the universal set. However, none of these schemes work for \(n>2\)party case.
When it comes to PSICA, protocols that use the quantum counting algorithm [4, 16] can achieve a lower communication complexity of \(O(m)\). In 2016, Shi et al. [17] introduced the first quantum twoparty PSICA protocol. Later in 2018, Shi proposed an improved version [18] that didn’t require the set size of the two parties to be disclosed and limited. In 2022, Shi et al. made another improvement [19] that avoided complex Oracle operations, and proposed a private conditional query protocol based on it. Liu et al. [20] and Shi [21] successively extended the method to the \(n>2\)party case. However, the quantum counting algorithm, which is a generalization of Grover’s algorithm [4], typically has nearexponential complexity (\(O(\sqrt{M})=O\left (2^{ \frac{m}{2}}\right )\)) [22] to reduce the counting error to less than 1. Another solution for the PSICA problem is to use a QKDlike scheme based on subset encoding, which includes the use of EPR pairs [23], QKD states [24, 25], GHZ states [26], dlevel cat states [27], etc. While some schemes are based on quantum circuits [28, 29]. Only Ref [27, 28] applies to nparty case, while the other protocols are only suitable for 2 or 3 parties. The QKDlike scheme is easy to implement and does not require complex Grover iteration. However, the scheme based on subset encoding must consider each element of the universal set, making its complexity \(O(M)\) or greater.
It can be seen that none of the above PSI or PSICA protocols can balance the applicability to multiple parties and polynomiallevel complexity. Moreover, an efficient multiparty protocol should compute the final result after all participants have contributed, rather than calculating between any two, as it can reveal a significant amount of information and incur high costs. Therefore, there is a pressing need for a novel scheme that surpasses the subset encoding or quantumcounting paradigm and provides both low complexity and high security.
There has been a recent breakthrough in dealing with difficult multiparty set operations. In 2022, Li et al. [30] proposed a quantum SMC protocol for finding the least common multiple (LCM) of private integers. This protocol is based on Shor’s algorithm and has polynomial complexity. The LCM is calculated by the property that the period of the connection of multiple periodic functions is exactly the LCM of all periods. Later in 2023, Liu et al. [31] developed a prime encoding method for each set. This involves mapping the elements of each set to prime numbers and then calculating the product of these prime numbers. The LCM of these products is then calculated by using the LCM protocol, and the prime factor of the LCM is decomposed by Shor’s algorithm to obtain the union of all sets. This is the first multiparty quantum private set union protocol with polynomial complexity for m. The prime encoding requires only \(O(m)\) bits to represent any element in \(Z_{N}\) [31], and it does not need to consider all the elements in the universal set. Inspired by it, in 2023, Imran [32] proposed two quantum protocols for calculating the greatest common divisor (GCD), one probabilistic and the other deterministic. Imran also gave corresponding multiparty PSI protocols through prime encoding, which are the first to achieve exponential acceleration in multiparty quantum PSI. However, these protocols have some disadvantages: (1) They require calculating the LCM first and then excluding the noncommon factors one by one to find the GCD, which could leak more information. (2) The LCM can be equal to the product of all integers making the complexity of the protocols polynomial but still high.
In this paper, we propose a new quantum multiparty GCD protocol, which eliminates the need to calculate the LCM of all integers first. Instead, we obtain the GCD by calculating their random linear combinations with the assistance of a semihonest third party TP. TP can calculate the GCD of these linear combinations to arrive at the final result. To prevent any parties from stealing information through illegal input, we design a corresponding quantum zeroknowledge proof subprotocol to verify if the final result is the common divisor of all integers. Our analysis indicates that our protocol has security against malicious attacks and has lower complexity than Ref [32]. Furthermore, we provide some applications based on the GCD protocol, such as multiparty PSI, PSICA, and private multiset intersection (PMSI), etc., to demonstrate the scalability of the GCD protocol.
The rest of this paper is organized as follows: In Sect. 2 we give the definitions of some notations, define the security model, and introduce two prime protocols. In Sect. 3, we first design a quantum zeroknowledge proof subprotocol, then present our GCD protocol based on the former. In Sect. 4 we analyze the correctness, security, and complexity of the proposed GCD protocol. We show examples to illustrate the process and simulate the protocol on a classical computer. In Sect. 5 some applications of our GCD protocol are given and analyzed. The paper is concluded in Sect. 6.
2 Preliminary
2.1 Definitions of notations
Table 1 shows the definitions of notations used.
In addition, taking two gqubits particles \(h=\left (h_{g1},h_{g2},\ldots ,h_{0}\right )\) and \(t= (t_{g1},t_{g2},\ldots , t_{0} )\) as example, the quantum gates used in this paper are as follows (where addition and multiplication are all performed mod \(G=2^{g}\)):

(1)
Quantum Fourier Transform \(\mathcal{QFT}\) and its inverse:
$$\begin{aligned} &\mathcal{QFT}_{h}: \left \lvert a\right \rangle _{h}\rightarrow \frac{1}{\sqrt{G}}\sum _{j\in \left [ G \right ] }e^{\imath 2\pi \frac{a}{G}j} \left \lvert j\right \rangle _{h}, \end{aligned}$$(1)$$\begin{aligned} &\mathcal{QFT}^{\dagger}_{h}: \left \lvert a\right \rangle _{h} \rightarrow \frac{1}{\sqrt{G}}\sum _{j\in \left [ G \right ] }e^{ \imath 2\pi \frac{a}{G}j} \left \lvert j\right \rangle _{h}. \end{aligned}$$(2) 
(2)
Rotation gate \(\mathcal{ROT}(b)\) where \(b\in \left [ G \right ]\):
$$ \mathcal{ROT}(b)_{h}: \left \lvert a\right \rangle _{h}\rightarrow e^{ \imath 2\pi \frac{b}{G}a} \left \lvert a\right \rangle _{h}. $$(3) 
(3)
Modular summation gate \(\mathcal{SUM}(b)\) where \(b\in \left [ G \right ]\):
$$ \mathcal{SUM}(b)_{h}: \left \lvert a\right \rangle _{h}\rightarrow \left \lvert a+b\right \rangle _{h}. $$(4) 
(4)
Modular multiplication gate \(\mathcal{MUL}(b)\) where \(b\in \left [ G \right ]^{o}\):
$$ \mathcal{MUL}(b)_{h}: \left \lvert a\right \rangle _{h}\rightarrow \left \lvert ab\right \rangle _{h}. $$(5)Note that b is odd, so it is coprime with \(G=2^{g}\) and then has a unique multiplicative inverse \(b^{1}_{G}\).

(5)
Bitwise XOR gate \(\mathcal{XOR}\):
$$ \mathcal{XOR}_{h,t}: \left \lvert a\right \rangle _{h} \left \lvert b \right \rangle _{t}\rightarrow \left \lvert a\right \rangle _{h} \left \lvert b\oplus a\right \rangle _{t}. $$(6)
2.2 Security model
In this paper, we consider the malicious model, where adversaries may try to learn as much information as possible, even if the protocol itself is compromised. In a malicioussecure protocol, all attacks other than a) forging input, b) not participating in the protocol, and c) terminating the protocol halfway should be all defended or detected. Specifically, if either party enters inputs that are not allowed, they should also be prevented or discovered.
Since quantum protocols and classical protocols are different, strict ideal process paradigm [33] cannot be used for security proof. However, similar methods can still be used for argumentation, as follows:
Definition 1
(Probability indistinguishability)
For two discrete random variables X̂ and X, the statistical difference, or Kolmogorov distance (see Chap. 9 in Ref [34]) between X, X̂ is defined as
where x takes all possible values. If there is not any positive polynomial \(\mu (m): \mathbb{N}\to \mathbb{R}\) so that \(D(X,\hat{X})\ge \frac{1}{\mu (m)}\), then we say \(D(X,\hat{X})\) is negligible, and X̂ and X are probability indistinguishable. For two quantum states ρ, ρ̂ (density operators), a similar conception is the socalled trace distance (also Chap. 9 in Ref [34]):
also with a conception of quantum probability indistinguishability.
Definition 2
(Security of a protocol)

(1)
Assume that each party will follow the protocol steps. For any party P, assume that his input is \(x_{P}\), his expected output is \(F_{P}\), and call all the information he obtains in the protocol as his view \(VIEW_{P}\). If for all P, there is a simulator SI satisfying that \(SI(x_{P},F_{P})\) and \(VIEW_{P}\) are probability indistinguishable, then the protocol holds semihonest security.

(2)
On the other hand, assume that several parties (denoted by group I̅) perform a kind of malicious attack, then if their view can still be simulated, or the attack can be detected with high probability, then the protocol holds malicious security.
It is worth noting that unconditional security under malicious models is challenging even for Quantum SMC, and some difficulties may even be impossible to solve. For example, there are several nogo theorems in the case of two parties. It was proved impossible to achieve a perfectly secure twoparty QSMC protocol that can defend against all types of malicious attacks [35], which also applies to quantum bit commitment [36, 37]. The main idea is that if a twoparty protocol can defend all attacks from one party, then the other party will have an effective attack method. Although we consider the case of \(n\ge 2\) parties in this paper, there will be twoparty communication processes inevitably, and when malicious parties are in the majority, these processes may comply with these nogo theorems. To solve this problem, we introduce a semihonest third party TP, i.e., he won’t perform any malicious attacks, but only try to learn all parties’ privacy by the interaction information during normal protocol execution. We will prevent any communication between each participant and any other party other than TP, which avoids the effective conditions of these nogo theorems.
Finally, classical or quantum communication between each pair of participants is assumed to be private and authenticated. This can be achieved through various means, such as quantum key distribution [10], or just the eavesdropper detection technique used in QKD, or quantum identity authentication [38], etc. As a result, we will no longer consider interception and eavesdropping attacks.
2.3 Privacypreserving quantum protocol for finding the maximum value
A quantum maximum value protocol is required in our GCD protocol. In 2022, Shi et al. [39] proposed a maximum value protocol based on quantum secure multiparty computation of OR (QSMC_OR). We will use it as an example. In short, it involves the following steps:
Protocol 1
(Privacypreserving quantum protocol for finding the maximum value)
There are n participants \(P_{1}, P_{2}, \ldots , P_{n}\). Each \(P_{i}\) has a private integer \(c_{i}\in \left [ 2^{m_{1}} \right ]=\left \{ 0,1,\ldots , 2^{m_{1}}1 \right \}\). They want to calculate the maximum value \(c=\underset{i\in [\!\![n]\!\!]}{\ \mathrm {max}\ }\ c_{i}\), without disclosing any other information to other participants.

Step 1
Each \(P_{i}\) generates \(m_{1}\)bit array \(c_{i}^{*}\), and sets \(c_{i}^{*}=c_{i}\) (i.e., each term \(c_{i}^{*}[j]\) in \(c_{1}^{*}\) is equal to the jth bit of \(c_{i}\));

Step 2
For \(j=1,2,\ldots ,n\):
(1) Executing QSMC_OR protocol with the assistance of third party (TP), then calculate \(W[j]=\vee _{i=1}^{n} c_{i}^{*}[j]\);
(2) Each \(P_{i}\) updates his array: If \(W[j]>c_{i}^{*}[j]\), sets \(c_{i}^{*}=0\);

Step 3
Output the maximum value \(c=W\).
As they analyzed, this protocol first holds semihonest security. If any party is dishonest, then the final result will be wrong and can be found by a series of verification operations. Therefore, it is malicious secure. The communication and computational complexity of the above protocol are both \(O(m_{1}n)\).
2.4 Secure quantum twoparty scalar product protocol
In 2023, Liu et al. [40] proposed a secure quantum twoparty scalar product protocol based on Fourier Entangled state. When the dimension of the input vector is 1, it involves the following steps (in short):
Protocol 2
(Secure quantum twoparty scalar product)
There are 2 parties Alice and Bob. Alice has a private integer \(x_{A}\in \left [ 2^{m_{2}} \right ]\), Bob has two private integers \(x_{B}^{1},x_{B}^{2}\in \left [ 2^{m_{2}} \right ]\). After the calculation, Alice obtains \(Y=x_{A}x_{B}^{1}+x_{B}^{2}\ \mathrm{mod}\ 2^{m_{2}}\), while Bob gets nothing.

Step 1
Set \(g=m_{2}+2\), \(G=2^{g}\). Alice sets \(p=2x_{A}+1\), Bob sets \(q=2x_{B}^{1}+1\) and \(s=4x_{B}^{2}2x_{B}^{1}1\ \mathrm{mod}\ G\);

Step 2
Alice prepared 3 gqubit particles h, \(t_{1}\), \(t_{2}\) initiated as \(\left \lvert 0\right \rangle _{h} \left \lvert 0\right \rangle _{t_{1}} \left \lvert 0\right \rangle _{t_{2}}\), and does the following:
$$\begin{aligned} &\left \lvert 0\right \rangle _{h} \left \lvert 0\right \rangle _{t_{1}} \left \lvert 0\right \rangle _{t_{2}} \overset{\mathcal {QFT}_{h}}{\longrightarrow }\frac{1}{\sqrt{G}}\sum _{j\in \left [ G \right ]} \left \lvert j\right \rangle _{h} \left \lvert 0 \right \rangle _{t_{1}} \left \lvert 0\right \rangle _{t_{2}} \\ &\overset{\mathcal {XOR}_{h,t_{1}}\mathcal {XOR}_{h,t_{2}}}{\longrightarrow } \frac{1}{\sqrt{G}}\sum _{j\in \left [ G \right ]} \left \lvert j \right \rangle _{h} \left \lvert j\right \rangle _{t_{1}} \left \lvert j\right \rangle _{t_{2}} \\ &\overset{\mathcal {MUL}(p)_{h}}{\longrightarrow }\frac{1}{\sqrt{G}}\sum _{j \in \left [ G \right ]} \left \lvert j\right \rangle _{h} \left \lvert j\right \rangle _{t_{1}} \left \lvert jp\right \rangle _{t_{2}}, \end{aligned}$$(9)then sends \(t_{1}\), \(t_{2}\) to Bob;

Step 3
Bob does the following:
$$\begin{aligned} \frac{1}{\sqrt{G}}\sum _{j\in \left [ G \right ]} \left \lvert j \right \rangle _{h} \left \lvert j\right \rangle _{t_{1}} \left \lvert jp\right \rangle _{t_{2}} \overset{\mathcal {ROT}(s)_{t_{1}}\mathcal {ROT}(q)_{t_{2}}}{\longrightarrow } \frac{1}{\sqrt{G}}\sum _{j\in \left [ G \right ]}e^{\imath 2\pi \frac{pq+s}{G}j} \left \lvert j\right \rangle _{h} \left \lvert j \right \rangle _{t_{1}} \left \lvert jp\right \rangle _{t_{2}}, \end{aligned}$$(10)then sends \(t_{1}\), \(t_{2}\) back;

Step 4
Alice does the following:
$$\begin{aligned} &\frac{1}{\sqrt{G}}\sum _{j\in \left [ G \right ]}e^{\imath 2\pi \frac{pq+s}{G}j} \left \lvert j\right \rangle _{h} \left \lvert j \right \rangle _{t_{1}} \left \lvert jp\right \rangle _{t_{2}} \overset{\mathcal {MUL}(p^{1}_{G})_{t_{2}}}{\longrightarrow } \frac{1}{\sqrt{G}}\sum _{j\in \left [ G \right ]}e^{\imath 2\pi \frac{pq+s}{G}j} \left \lvert j\right \rangle _{h} \left \lvert j \right \rangle _{t_{1}} \left \lvert j\right \rangle _{t_{2}} \\ &\overset{\mathcal {XOR}_{h,t_{1}}\mathcal {XOR}_{h,t_{2}}}{\longrightarrow } \frac{1}{\sqrt{G}}\sum _{j\in \left [ G \right ]}e^{\imath 2\pi \frac{pq+s}{G}j} \left \lvert j\right \rangle _{h} \left \lvert 0 \right \rangle _{t_{1}} \left \lvert 0\right \rangle _{t_{2}}, \end{aligned}$$(11)then measures \(t_{1}\), \(t_{2}\). If obtaining \(\left \lvert 0\right \rangle \), then continue. Otherwise, She considers that Bob is dishonest.

Step 5
Alice performs \(\mathcal{QFT}^{\dagger}:\frac{1}{\sqrt{G}}\sum _{j\in \left [ G \right ]}e^{\imath 2\pi \frac{pq+s}{G}j} \left \lvert j\right \rangle _{h}\rightarrow \left \lvert pq+s\right \rangle _{h}\), then calculates \(Y=\frac{pq+s2x_{A}\ \mathrm{mod}\ G}{4}\).
To preserve Alice’s privacy, she can add two random integers \(c^{(1)}\), \(c^{(2)}\) on \(t_{1}\), \(t_{2}\), which was proved that it does not affect the final output. In addition, Bob can use a method called Entanglement Bondage (EB) to test Alice’s honesty. In this paper, Alice is always semihonest, thus we omit the steps related to EB. As was analyzed, the communication and computational complexity of Protocol 2 are \(O(m_{2})\) and \(O(m_{2}^{2})\) respectively.
3 Proposed protocol
Firstly, we propose a zeroknowledge proof protocol for nonzero multiples in Sect. 3.1, which can verify whether the final result is a true common divisor to prevent malicious attackers in the GCD protocol. Subsequently, based on the zeroknowledge proof, a quantum multiparty GCD computing protocol was proposed in Sect. 3.2.
Here we briefly introduce our original ideas. Assume that there are two participants, Alice and Bob, each with a private positive integer \(x_{1}\), \(x_{2}\) respectively. They want to calculate the GCD \(\mathrm{gcd}(x_{1}, x_{2})\). The idea is based on Euclid’s theorem:
Theorem 1
(Euclid)
\(\forall a,b,r\in \mathbb{Z}\), where \(a,b\ge 0\), we have \(\mathrm{gcd}(a,b)=\mathrm{gcd}(a+br,b)\).
Let Bob select an integer r randomly, and then they calculate \(y=x_{2}+rx_{1}\) by Protocol 2, where Alice gets y and Bob gets nothing. Then Alice can calculate the GCD as
Here, r is selected from a range \(S\gg x_{2}\) so that it can almost completely mask \(x_{2}\). This idea can be extended to cases where \(n>2\), i.e., let the third party TP obtain \(y=\sum _{i\in [\!\![n]\!\!]}x_{i}r_{i}\) after a series of steps, where each \(r_{i}\) is randomly selected from a range \(S_{i}\gg x_{i}\). However, the extended method is different from the original idea that we cannot exclude other factors in y than \(\underset{i\in [\!\![n]\!\!]}{\mathrm {gcd}}\ x_{i}\). We will ensure the correctness of the GCD results by repeating the above process and taking the GCD of the results. Besides, we will achieve malicious security of the GCD protocol through the proposed zeroknowledge proof subprotocol, which is also based on the above ideas.
3.1 Quantum zeroknowledge proof subprotocol for nonzero multiples
Definition 3
(Zeroknowledge proof for nonzero multiples (NZMZKP))
Assume that there is a verifier (VF) that has \(d\in \left [ M \right ]^{o}\), and a prover (PV) that has an integer \(e=\omega d\in \left [ M \right ]^{o}\), where \(\omega >0\) is an integer unknown to PV and VF. PV should prove to VF that he truly has e. A qualified zeroknowledge proof (ZKP) protocol should meet the following requirements:

(a)
Completeness: If PV truely has e, he must be acknowledged by VF.

(b)
Soundness: If PV does not have e, he cannot pass the test, or can pass only with a tiny probability.

(c)
Zeroknowledgeness: VF cannot disclose any information about d to PV, and PV cannot disclose ω to VF.
We only consider a semihonest verifier.
The specific process is as follows:
Protocol 3
(Quantum zeroknowledge proof for nonzero multiples)

Step 1
Set \(S'= KM^{2}\), where K is a large enough constant, like 100. Let \(m_{2}=\left \lceil \log{(M+S'M)} \right \rceil \), \(g=m_{2}+2\), \(G=2^{g}\).

Step 2
VF sets \(p=4d+1\). PV selects an integer \(r\in \left [ \left \lfloor \frac{S'}{2} \right \rfloor \right ]\), and sets \(q=2r+1\), \(s=4e2r1\ \mathrm{mod}\ G\);

Step 3
VF prepared 3 gqubit particles h, \(t_{1}\), \(t_{2}\) initiated as \(\left \lvert 0\right \rangle _{h} \left \lvert 0\right \rangle _{t_{1}} \left \lvert 0\right \rangle _{t_{2}}\), and does the following:
$$\begin{aligned} &\left \lvert 0\right \rangle _{h} \left \lvert 0\right \rangle _{t_{1}} \left \lvert 0\right \rangle _{t_{2}} \overset{\mathcal {QFT}_{h}}{\longrightarrow }\frac{1}{\sqrt{G}}\sum _{j\in \left [ G \right ]} \left \lvert j\right \rangle _{h} \left \lvert 0 \right \rangle _{t_{1}} \left \lvert 0\right \rangle _{t_{2}} \\ &\overset{\mathcal {XOR}_{h,t_{1}}\mathcal {XOR}_{h,t_{2}}}{\longrightarrow } \frac{1}{\sqrt{G}}\sum _{j\in \left [ G \right ]} \left \lvert j \right \rangle _{h} \left \lvert j\right \rangle _{t_{1}} \left \lvert j\right \rangle _{t_{2}} \\ &\overset{\mathcal {MUL}(p)_{h}}{\longrightarrow }\frac{1}{\sqrt{G}}\sum _{j \in \left [ G \right ]} \left \lvert j\right \rangle _{h} \left \lvert j\right \rangle _{t_{1}} \left \lvert jp\right \rangle _{t_{2}}. \end{aligned}$$(13)Then he selects two integers \(c^{(1)},c^{(2)}\in \left [ G \right ]\), and performs:
$$\begin{aligned} &\frac{1}{\sqrt{G}}\sum _{j\in \left [ G \right ]} \left \lvert j \right \rangle _{h} \left \lvert j\right \rangle _{t_{1}} \left \lvert jp\right \rangle _{t_{2}} \overset{\mathcal {SUM}(c^{(1)})_{t_{1}}\mathcal {SUM}(c^{(2)})_{t_{2}}}{\longrightarrow } \\ &\frac{1}{\sqrt{G}}\sum _{j\in \left [ G \right ]} \left \lvert j \right \rangle _{h} \left \lvert j+c^{(1)}\right \rangle _{t_{1}} \left \lvert jp+c^{(2)}\right \rangle _{t_{2}}, \end{aligned}$$(14)then sends \(t_{1}\), \(t_{2}\) to PV;

Step 4
PV performs as:
$$\begin{aligned} &\frac{1}{\sqrt{G}}\sum _{j\in \left [ G \right ]} \left \lvert j \right \rangle _{h} \left \lvert j+c^{(1)}\right \rangle _{t_{1}} \left \lvert jp+c^{(2)}\right \rangle _{t_{2}} \overset{\mathcal {ROT}(s)_{t_{1}}\mathcal {ROT}(q)_{t_{2}}}{\longrightarrow } \\ &e^{\imath 2\pi \frac{sc^{(1)}+qc^{(2)}}{G}}\frac{1}{\sqrt{G}}\sum _{j \in \left [ G \right ]}e^{\imath 2\pi \frac{pq+s}{G}j} \left \lvert j \right \rangle _{h} \left \lvert j+c^{(1)}\right \rangle _{t_{1}} \left \lvert jp+c^{(2)}\right \rangle _{t_{2}}, \end{aligned}$$(15)then sends \(t_{1}\), \(t_{2}\) back. Note that the global phase \(e^{\imath 2\pi \frac{sc^{(1)}+qc^{(2)}}{G}}\) can be omitted [40];

Step 5
VF does the following:
$$\begin{aligned} &\frac{1}{\sqrt{G}}\sum _{j\in \left [ G \right ]}e^{\imath 2\pi \frac{pq+s}{G}j} \left \lvert j\right \rangle _{h} \left \lvert j+c^{(1)} \right \rangle _{t_{1}} \left \lvert jp+c^{(2)}\right \rangle _{t_{2}} \\ & \overset{\mathcal {SUM}(Gc^{(1)})_{t_{1}}\mathcal {SUM}(Gc^{(2)})_{t_{2}}}{\longrightarrow } \frac{1}{\sqrt{G}}\sum _{j\in \left [ G \right ]}e^{\imath 2\pi \frac{pq+s}{G}j} \left \lvert j\right \rangle _{h} \left \lvert j \right \rangle _{t_{1}} \left \lvert jp\right \rangle _{t_{2}} \\ &\overset{\mathcal {MUL}(p^{1}_{G})_{t_{2}}}{\longrightarrow } \frac{1}{\sqrt{G}}\sum _{j\in \left [ G \right ]}e^{\imath 2\pi \frac{pq+s}{G}j} \left \lvert j\right \rangle _{h} \left \lvert j \right \rangle _{t_{1}} \left \lvert j\right \rangle _{t_{2}} \\ &\overset{\mathcal {XOR}_{h,t_{1}}\mathcal {XOR}_{h,t_{2}}}{\longrightarrow } \frac{1}{\sqrt{G}}\sum _{j\in \left [ G \right ]}e^{\imath 2\pi \frac{pq+s}{G}j} \left \lvert j\right \rangle _{h} \left \lvert 0 \right \rangle _{t_{1}} \left \lvert 0\right \rangle _{t_{2}}, \end{aligned}$$(16)then measures \(t_{1}\), \(t_{2}\). If obtaining \(\left \lvert 0\right \rangle \), then continue. Otherwise, he may consider that PV is dishonest, and the proof fails.

Step 6
VF performs \(\mathcal{QFT}^{\dagger}:\frac{1}{\sqrt{G}}\sum _{j\in \left [ G \right ]}e^{\imath 2\pi \frac{pq+s}{G}j} \left \lvert j\right \rangle _{h}\rightarrow \left \lvert pq+s\right \rangle _{h}\), then calculates \(C=\frac{pq+s4d\ \mathrm{mod}\ G}{4}\). If C is odd, then continue. Otherwise, the proof fails. The quantum circuit of the above steps is shown in Fig. 1.

Step 7
VF now calculates \(\mathrm{gcd}(C,d)\). If \(\mathrm{gcd}(C,d)=d\), then the proof succeeds. Otherwise, the proof fails.
3.2 Quantum secure multiparty greatest common divisor protocol
Definition 4
(Secure multiparty greatest common divisor (SMGCD))
Assume that there are n parties \(P_{1},P_{2},\ldots , P_{n}\), where each \(P_{i},i\in [\!\![n]\!\!]\) has a private integer \(x_{i}\in [\!\![M1]\!\!]\). They want to calculate \(Y=\underset{i\in [\!\![n]\!\!]}{\mathrm {gcd}}\ x_{i}\). A qualified GCD protocol should meet the following requirements:

(a)
Correctness: If all \(P_{i}\) are semihonest, then the output should be \(Y=\underset{i\in [\!\![n]\!\!]}{\mathrm {gcd}}\ x_{i}\).

(b)
Security: If any \(P_{i}\) is semihonest, then his privacy \(x_{i}\) should be preserved. If any \(P_{i}\) is malicious, then his attacks should be defended or detected.
To achieve information hiding, we first handle the even factors of \(x_{i}\) separately to prevent participants from cheating by entering 0. Then, for the remaining odd factors, ei, the participants calculate their GCD. Let S be a large enough number, then each party sets a private range \(S_{i}\approx \frac{S}{e_{i}}\) based on their own integer \(e_{i}\), and then randomly selects a coefficient \(r_{i}\) within the range \(\left [ S_{i} \right ]^{o}\). Through quantum secret sharing, with the assistance of a semihonest third party TP, they calculate the linear combination of their private integers under these random coefficients in a secret way, i.e., calculate \(u=\sum _{i\in [\!\![n]\!\!]}e_{i}r_{i}\). Here, we chose \(S_{i}\approx \frac{S}{e_{i}}\) based on an intuition that the expectation and variance of \(e_{i}r_{i}\) are approximately only determined by S and \(d=\underset{i\in [\!\![n]\!\!]}{\mathrm {gcd}}\ e_{i}\) but independent of \(\omega _{i}=\frac{e_{i}}{d}\). Further analysis shows that \(v=\sum _{i\in [\!\![n]\!\!]}{\omega _{i}r_{i}}=\frac{u}{d}\) can be considered as random variables independent of \(\omega _{i}\) (see Proposition 2 in Sect. 4.2.2 for details). After collecting a sufficient number of random linear combinations, to ensure the success rate of protocol output (see Theorem 4), TP uses Shor’s algorithm [2, 3] to exclude certain factors. Subsequently, he calculates the GCD of these random linear combinations, which is equal to the GCD of all private integers. Finally, TP executes the Protocol 3 with each party to verify their honesty. The specific process is as follows:
Protocol 4
(Quantum secure multiparty greatest common divisor)

Step 1
Each \(P_{i},i\in [\!\![n]\!\!]\) splits \(x_{i}\) into two parts: \(x_{i}=2^{c_{i}}e_{i}\), where \(e_{i}\in \left [ M \right ]^{o}\) is the odd factor, and \(2^{c_{i}}\) is the even factor of \(x_{i}\) (\(c_{i}\) is the maximum index of 2). Let \(m=\left \lceil \log M \right \rceil \), then \(P_{i}\) sets \(c'_{i}=mc_{i}\in \left [ m \right ]\).

Step 2
Call Protocol 1 to calculate \(c'=\underset{i\in [\!\![n]\!\!]}{\ \mathrm {max}\ }\ c'_{i}\), and let \(c=mc'\).

Step 3
Set \(S= Kn\sqrt{n}M^{2}\), where K is a large enough constant, like 100. Let \(t=\left \lceil \log{(nS)} \right \rceil \), \(T=2^{t}\), \(g=t1\), \(G=2^{g}=\frac{T}{2}\). Each \(P_{i}\) sets \(S_{i}=\left \lfloor \frac{S}{e_{i}} \right \rfloor \).

Step 4
Do the following for \(l=O(1)\) times:
(1) The semihonest third party TP prepared n gqubit particles \(t_{1},t_{2},\ldots ,t_{n}\) initiated as \(\left \lvert 0\right \rangle _{t_{1}}\cdots \left \lvert 0\right \rangle _{t_{n}}\), and does the following:
$$\begin{aligned} &\left \lvert 0\right \rangle _{t_{1}}\cdots \left \lvert 0\right \rangle _{t_{n}}\overset{\mathcal {QFT}_{t_{1}}}{\longrightarrow } \frac{1}{\sqrt{G}}\sum _{j\in \left [ G \right ]} \left \lvert j \right \rangle _{t_{1}} \left \lvert 0\right \rangle _{t_{2}}\cdots \left \lvert 0\right \rangle _{t_{n}} \\ & \overset{\mathcal {XOR}_{t_{1},t_{2}}\cdots \mathcal {XOR}_{t_{1},t_{n}}}{\longrightarrow } \frac{1}{\sqrt{G}}\sum _{j\in \left [ G \right ]} \left \lvert j \right \rangle _{t_{1}}\cdots \left \lvert j\right \rangle _{t_{n}}, \end{aligned}$$(17)then sends \(t_{i}\) to \(P_{i}\) respectively (Since TP may not strictly satisfy the semihonest condition in real life, fidelity verification can be performed on the quantum states sent by TP in this step according to specific needs. See details in Section 4.2.2);
(2) \(P_{i}\) performs \(\mathcal{QFT}\) on \(t_{i}\) as:
$$\begin{aligned} &\frac{1}{\sqrt{G}}\sum _{j\in \left [ G \right ]} \left \lvert j \right \rangle _{t_{1}}\cdots \left \lvert j\right \rangle _{t_{n}} \overset{\mathcal {QFT}_{t_{1}}\cdots \mathcal {QFT}_{t_{n}}}{\longrightarrow } \\ &\frac{1}{\sqrt{G}}\sum _{j\in \left [ G \right ]}\left ( \frac{1}{\sqrt{G}}\sum _{\delta _{1}\in \left [ G \right ]}e^{\imath 2 \pi \frac{\delta _{1}}{G}j} \left \lvert \delta _{1}\right \rangle _{t_{1}} \right )\cdots \left (\frac{1}{\sqrt{G}}\sum _{\delta _{n}\in \left [ G \right ]}e^{\imath 2\pi \frac{\delta _{n}}{G}j} \left \lvert \delta _{n} \right \rangle _{t_{n}}\right ), \end{aligned}$$(18)then measures \(t_{i}\) to get \(\delta _{i}\), and calculate \(\Delta _{i}=2\delta _{i}\) respectively. The quantum circuit of Step 4 (1), (2) is shown in Fig. 2a.
(3) Each \(P_{i}\) selects \(r_{i}\in \left [ S_{i} \right ]^{o}\), and sends \(C_{i}=e_{i}r_{i}+\Delta _{i}\ \mathrm{mod}\ T\) to TP. TP checks whether \(C_{i}\) is odd. If yes, then continue. Otherwise, TP considers \(P_{i}\) dishonest.
(4) TP calculates \(C=\sum _{i\in [\!\![n]\!\!]}C_{i}\ \mathrm{mod}\ T\).
(5) TP uses Shor’s factoring algorithm [2, 3] to obtain all prime factors of C, i.e., for each iteration, he selects an integer x coprime to C and then finds the order \(r_{x}\) of x modulus C, which is actually a phase estimation process to the operator \(\mathcal{MUL}_{C}(x)\) (means to multiply x modulus C). The quantum circuit of the orderfinding process is shown in Fig. 2b. When obtaining the phase ϕ, the order \(r_{x}\) can be recovered by using continued fraction, and then he can deduce one nontrivial factor of C from \(r_{x}\). Through multiple iterations, he can collect all prime factors of C. Then he excludes all factors that do not belong to \(\left [ M \right ]^{o}\) and multiplies the remaining factors to obtain κ.

Step 5
After collecting \(\kappa ^{(1)},\kappa ^{(2)},\ldots , \kappa ^{(l)}\), TP calculates \(d_{\kappa}=\underset{j\in [\!\![l]\!\!]}{\mathrm {gcd}}\ \kappa ^{(j)}\).

Step 6
For each \(P_{i},i\in [\!\![n]\!\!]\), TP and \(P_{i}\) execute Protocol 3, where \(P_{i}\) is the prover and should prove that he has \(e_{i}\), and TP is the verifier who inputs \(d_{\kappa}\). If all \(P_{i}\) proves successfully, then continue; Otherwise, the protocol fails, and Step 4 should be repeated more times.

Step 7
TP broadcasts \(d_{\kappa}\) to all parties. Then \(Output=2^{c}d_{\kappa}\).
4 Protocol analysis and simulation
Here, we will analyze Protocols 3 and 4 presented in Sect. 3, show examples to illustrate them, and then simulate them in classical computers.
4.1 Analysis of the quantum zeroknowledge proof subprotocol for nonzero multiples
4.1.1 Completeness
Completeness means that if PV truly has \(e=\omega d\in \left [ M \right ]^{o}\), he must be acknowledged by VF. According to the correctness of Protocol 2 [40], we have
where \(4(2dr+e)4a2^{m_{2}}\in \left [ G \right ]\), i.e., \(2dr+ea2^{m_{2}}\in \left [ 2^{m_{2}} \right ]\). Remember that
thus \(C=2dr+e\). Since e is odd, \(2dr\) is even, then C is odd, and can pass the test in Step 6. Therefore, by Theorem 1 we have
and the proof succeeds.
4.1.2 Soundness
Soundness means that if PV does not have a correct \(e=\omega d>0\), then he cannot pass the test, or can pass only with a tiny probability. We have the following theorem:
Theorem 2
The probability that PV deceives VF successfully is \(\eta _{d}\le \frac{1}{d}\).
Proof
For PV, he may try the following methods to deceive VF:

If PV attempts to utilize the property \(\mathrm{gcd}(0, d)=d\), i.e., he inputs \(e'=0\), then VF will find that \(C=e'+2dr\) is even, i.e., PV’s cheating will be detected;

If PV randomly inputs a nonzero number \(e'\in \left [ M \right ]^{o}\), then the probability of \(de'\) is \(\eta _{d}=\mathrm{Pr}\left [ de' \right ]=\left \lfloor \frac{M}{2}/d \right \rfloor /\frac{M}{2}\le \frac{1}{d}\). When \(d=1\), this test is meaningless. However, when \(d \ge 3\), \(\eta _{d}\) will be low.
Therefore, the probability that PV deceives VF successfully is less than \(\frac{1}{d}\). □
4.1.3 Zeroknowledgeness
We follow the security definition in Sect. 2.2. At first, we can directly deduce that PV cannot steal VF’s privacy d, since the malicious security of Protocol 2 is proved [40]. Now we prove that PV’s privacy e (i.e., ω) is preserved.
Theorem 3
PV’s privacy e is preserved.
Proof
By the security of Protocol 2, VF can only learn the output \(C=2dr+e=d\left (2r+\omega \right )\). Since he knows d, we only consider \(X=2r+\omega \). Remember \(r\in \left [ \left \lfloor \frac{S'}{2} \right \rfloor \right ]\), thus \(2r\in \left [ S' \right ]^{e}\) approximately (\(\frac{S'}{2}\left \lfloor \frac{S'}{2} \right \rfloor <1\ll \frac{S'}{2}\)), and then \(X\in \left [\omega , S'+\omega \right )^{o}\). We can construct a simulator SI for VF by selecting a random odd number \(\hat{X}\in \left [ S' \right ]^{o}\) uniformly. Now we prove that X̂ and X are probability indistinguishable. The Kolmogorov distance [34] between X, X̂ is
which is negligible. Therefore, X̂ and X are probability indistinguishable, and the protocol truly preserves PV’s privacy. □
In addition, assume that the promise of NZMZKP is not satisfied, i.e., PV is semihonest, but only has \(e=\omega d_{1}\), \(d_{1}< d\), while VF has \(d=\tau d_{1}\), and \(\mathrm{gcd}(\omega ,\tau )=1\). Then the output of VF will be \(\mathrm{gcd}(e,d)=\mathrm{gcd}(\omega d_{1},\tau d_{1})=d_{1}< d\), and he won’t pass the test. What’s more, VF will know more information about PV’s privacy e, i.e., he learns that \(\mathrm{gcd}(e,d)=d_{1}\).
4.1.4 Complexity
Since \(S'=KM^{2}\gg M\), we have
and thus as the same as Protocol 2, the communication and computational complexity of Protocol 3 are \(O(m)\) and \(O(m^{2})\) respectively.
4.1.5 Example
Here, we will briefly illustrate the meaning of the steps in Protocol 3 with a simple example. Assume that \(M=16\), VF has \(d=5\), PV truly has \(e=15\), \(\omega =3\). Then

(1)
In Step 1, they set \(S'=KM^{2}=100\times 16^{2}=25600\). Here, we set \(S'\gg M^{2}\) so that VF cannot learn ω from \(2dr+e=d(2r+\omega )\), as is proved in Theorem 3. Then they set \(m_{2}=\left \lceil \log \left (M+S'M\right ) \right \rceil =19\) so that \(2dr+e\ \mathrm{mod}\ 2^{m_{2}}=2dr+e\) according to Eq. (19).

(2)
In Step 2, PV selects \(r\in \left [ \left \lfloor \frac{S'}{2} \right \rfloor \right ]= \left [ 12800 \right ]\) randomly, such as \(r=3451\). r can mask ω since \(S'\) is large enough.

(3)
In Step 26, VF and PV call Protocol 2 to calculate \(C=2dr+e\ \mathrm{mod}\ 2^{m_{2}}=2dr+e\), where VF inputs 2d and gets C, PV inputs r, e and gets nothing. Now VF has \(C=2dr+e=2\times 5\times 3451+15=34525\), which is odd and can pass the test in Step 6.

(4)
In Step 7, VF finds that \(\mathrm{gcd}(C,d)=\mathrm{gcd}(34525,5)=5=d\), then the proof succeeds.
If PV doesn’t have a correct e, he may try to input \(e'=0\) to pass the proof. However, the result \(C=e'+2dr=2dr\) will be even and cannot pass the test in Step 6. Or he may inputs a random \(e'\), such as 14, then \(C=2dr+e=34524\) and \(\mathrm{gcd}(C,d)=\mathrm{gcd}(34524,5)=1\ne d\), then the proof fails. When \(d>1\), the probability he can pass the proof is low, as shown in Theorem 2.
4.2 Analysis of the quantum secure multiparty greatest common divisor protocol
4.2.1 Correctness
Correctness means that if all \(P_{i}\) are semihonest, then the output should be \(Y=\underset{i\in [\!\![n]\!\!]}{\mathrm {gcd}}\ x_{i}\). Here, we denote \(u=\sum _{i\in [\!\![n]\!\!]}e_{i}r_{i}\), \(d=\underset{i\in [\!\![n]\!\!]}{\mathrm {gcd}}\ e_{i}\), \(v=\frac{u}{d}\), \(\omega _{i}=\frac{e_{i}}{d}\).
(1) In Steps 12, since
we have \(c=\underset{i\in [\!\![n]\!\!]}{\mathrm {min}}\ c_{i}\).
(2) In Step 4 (1), (2), since
Note that the number of possible values of \(\delta _{1},\ldots ,\delta _{n}\in \left [ G \right ]\) satisfying \(\sum _{i=1}^{n}\delta _{i}\equiv 0(\ \mathrm{mod}\ G)\) is \(G^{n1}\), then the first term of the penultimate equation of Eq. (25) has probability 1. Therefore, \(P_{i}\) will obtains \(\delta _{i}\) randomly, only with a constraint \(\sum _{i=1}^{n}\delta _{i} \equiv 0 (\ \mathrm{mod}\ G)\). Since \(\Delta _{i}=2\delta _{i}\), we have
(3) In Step 4 (3), it’s obvious that \(C_{i}=e_{i}r_{i}+\Delta _{i}\ \mathrm{mod}\ T=e_{i}r_{i}+2\delta _{i}2^{t}\) is odd, and thus can pass TP’s test.
(4) In Step 4 (4), we have
Since
we have \(C=\sum _{i\in [\!\![n]\!\!]}e_{i}r_{i}=u\).
(5) In Step 4 (5), TP excludes all factors of \(C=u=vd\) that do not belong to \(\left [ M \right ]^{o}\) to get κ. Since \(d=\underset{i\in [\!\![n]\!\!]}{\mathrm {gcd}}\ e_{i}\in \left [ M \right ]^{o}\), after TP’s operation, it still holds that \(d\kappa \).
(6) In Step 5, TP calculates \(d_{\kappa}=\underset{j\in [\!\![l]\!\!]}{\mathrm {gcd}}\ \kappa ^{(j)}\). Let \(\gamma ^{(j)}=\frac{\kappa ^{(j)}}{d}\), then if \(\underset{j\in [\!\![l]\!\!]}{\mathrm {gcd}}\ \gamma ^{(j)}=1\), we have
We can prove that the probability that \(\underset{j\in [\!\![l]\!\!]}{\mathrm {gcd}}\ \gamma ^{(j)}=1\) is high.
Theorem 4
If \(l\ge 3\), we have
Proof
We first provide the following proposition.
Proposition 1
When \(S\gg M^{2}\), \(\forall Q\in \left [ M \right ]^{o}\) and \(v'\in \left [ Q \right ]\), we have
Especially, let \(v'=0\), we have \(\mathrm{Pr}\left [ Qv \right ]\approx \frac{1}{Q}\).
We will prove it in Appendix A.1. Obviously the proposition also holds for \(\gamma ^{(j)}\), since \(\gamma ^{(j)}\) is generated by excluding all factors of v that not belongs to \(\left [ M \right ]^{o}\). Then for each prime \(p\in \left [ M \right ]^{op}\), we have
Therefore,
And then
□As a result, for any small probability \(\epsilon >0\), we have \(1\frac{1}{2^{l}}\ge 1\epsilon \) as long as \(l\ge \log \epsilon =O(1)\). For example, let \(\epsilon =1\%\), then \(l=7\ge \log 100\). In fact, due to the fact that in the proof of Theorem 4, the left end of inequality \(\sum _{p\in \left [ M \right ]^{op}} \frac{1}{p^{l}}< \sum _{x=3}^{ \infty} \frac{1}{x^{l}}\) is much smaller than the right end, the scaling of this step is very obvious, so the given success rate is a relatively loose upper bound.
(7) Finally, we have \(\underset{i\in [\!\![n]\!\!]}{\mathrm {gcd}}\ x_{i} = \underset{i\in [\!\![n]\!\!]}{\mathrm {gcd}}\ 2^{c_{i}}e_{i}= \underset{i\in [\!\![n]\!\!]}{\mathrm {gcd}}\ 2^{c_{i}} \times \underset{i\in [\!\![n]\!\!]}{\mathrm {gcd}}\ e_{i}=2^{ \underset{i\in [\!\![n]\!\!]}{\mathrm {min}}\ c_{i}}d=2^{c}d_{\kappa}\), and thus the protocol is correct.
4.2.2 Security
Security means that if any \(P_{i}\) is semihonest, then his privacy \(x_{i}\) should be preserved. If any \(P_{i}\) is malicious, then his attacks should be defended or detected. Since attacks in Step 2 will be detected as mentioned in Sect. 2.3, and the semihonest TP will not execute any malicious attacks, we only need to consider the following cases:

Semihonest case, i.e., all parties are semihonest;

Participant attacks in the secret sharing process, i.e., in Step 4 (1), (2);

Participant attacks in the input process, i.e., in Step 4 (3).
Then we have the following theorem.
Theorem 5
Protocol 4holds malicious security, i.e., in all the above cases, it can preserve semihonest parties’ privacy, and detect malicious parties’ attacks with high probability.
Proof
• Semihonest case: Assume all parties are semihonest, we prove the semihonest security of the protocol.
We analyze it stepbystep.
(1) In Step 2, the called Protocol 1 is secure.
(2) In step 4 (1), (2), all \(P_{i}\) use \(\mathcal{QFT}\) to share secrets, i.e., \(P_{i}\) can obtain a key \(\delta _{i}\) satisfying \(\sum _{i=1}^{n}\delta _{i}\equiv 0 (\ \mathrm{mod}\ G)\). Each \(P_{i}\)’s key is unknown to others, especially to TP.
(3) In Step 4 (3), TP can only get \(C_{i}=e_{i}r_{i}+\Delta _{i}\ \mathrm{mod}\ T\), where the key \(\Delta _{i}\) masks the true value of \(e_{i}r_{i}\). Therefore, the final value TP can obtain is only \(C=u=vd\), where d is the information he should obtain.
(4) Obviously, to prove semihonest security, we only need to prove that \(v=\sum _{i=1}^{n} \omega _{i}r_{i}\) does not contain any relevant information about \(\omega _{i}\), i.e. v can be simulated by TP himself. As described in Sect. 3.2, we set the range \(S_{i}\approx \frac{S}{e_{i}}\) to make the expectation and variance of v approximately independent of \(\omega _{i}\). When S is large enough, it can even be considered that the probability distribution of v is also independent of \(\omega _{i}\). Although accurate analysis is difficult, we can use the Central Limit Theorem to approximate and describe this independence quantitatively. We have
Proposition 2
Let \(\hat{\omega}_{i}=1\), \(\hat{r}_{i}\in \left [ \left \lfloor \frac{S}{d} \right \rfloor \right ]\), and \(\hat{v}=\sum _{i=1}^{n}\hat{\omega}_{i}\hat{r}_{i}\). If \(S\gg n\sqrt{n}M^{2}\), then approximately, the Kolmogorov distance between v̂ and v is
As a result, TP can simulate v by the above v̂ with indistinguishable probability distribution. Thus we have proved that v does not contain any relevant information about \(\omega _{i}\). The above proposition is proved in Appendix A.2. In addition, due to the independence of \(r_{i}\) in each round of Step 4 from other rounds, v is also the same. This avoids the possibility of TP obtaining information by collecting v for l times, because TP can simulate all v he gets by generating l independent v̂. Therefore, the number of rounds l does not affect security.
(5) In Step 6, \(P_{i}\) should prove to TP by calling Protocol 3. If l is large enough, then d will be the true GCD of \(e_{i}\), and the promise of NZMZKP is satisfied. As a result, the zeroknowledgeness of Protocol 3 holds, and thus no privacy is leaked.
(6) In Step 7, TP broadcasts \(d_{\kappa}=d\) to all parties, which is the valid output.
Therefore, the whole protocol holds semihonest security.
• Participant attacks in the secret sharing process: We consider the secret sharing process, i.e., Step 4 (1), (2). Since the quantum state is prepared by the semihonest TP, any party cannot forge it. Besides, there is no communication (neither quantum nor classical) between every two parties in the protocol. Therefore, the group I̅ of malicious parties cannot interfere with particles \(t_{I}=\left (t_{i},i\in I\right )\) obtained by semihonest parties, where \(I= [\!\![n]\!\!]\overline{I}\). In this case, the malicious group only has the following three types of attacks:

(1)
Measurement attack: The group measures the particles \(t_{\overline{I}}=\left (t_{i},i\in \overline{I}\right )\) it obtains to extract information. Assume that the state is
$$\begin{aligned} \left \lvert \psi \right \rangle =\frac{1}{\sqrt{G}}\sum _{j\in \left [ G \right ]}\left (\otimes _{i\in I} \left \lvert j\right \rangle _{t_{i}}\right )\left (\otimes _{i'\in \overline{I}} \left \lvert j\right \rangle _{t_{i'}}\right ), \end{aligned}$$(36)then we can calculate the reduced density operator of I̅ (i.e., its view) as
$$\begin{aligned} &\rho _{\overline{I}}=\mathrm{Tr}_{I}\left ( \left \lvert \psi \right \rangle \left \langle \psi \right \lvert \right ) \\ &=\mathrm{Tr}_{I}\left (\frac{1}{G}\sum _{j,j'\in \left [ G \right ]} \left (\otimes _{i\in I} \left \lvert j\right \rangle \left \langle j' \right \lvert _{t_{i}}\right )\left (\otimes _{i'\in \overline{I}} \left \lvert j\right \rangle \left \langle j'\right \lvert _{t_{i'}} \right )\right ) \\ &=\frac{1}{G}\sum _{j,j'\in \left [ G \right ]}\mathrm{Tr}\left ( \otimes _{i\in I} \left \lvert j\right \rangle \left \langle j' \right \lvert _{t_{i}} \right )\left (\otimes _{i'\in \overline{I}} \left \lvert j\right \rangle \left \langle j'\right \lvert _{t_{i'}} \right ) \\ &=\frac{1}{G}\sum _{j\in \left [ G \right ]}\left (\otimes _{i'\in \overline{I}} \left \lvert j\right \rangle \left \langle j\right \lvert _{t_{i'}}\right ). \end{aligned}$$(37)Since the trace \(\mathrm{Tr}\left ( \otimes _{i\in I} \left \lvert j\right \rangle \left \langle j'\right \lvert _{t_{i}} \right )\) is unitarily invariant, even if any semihonest party performs \(\mathcal{QFT}\) or any other unitary transformation, the above results remain unchanged. Besides, by the principle of implicit measurement (see Chap. 4.4 in Ref [34]), even if the semihonest party measures his particle, the result of Eq. (37), thus I̅’s view, still remains unchanged, because the attacked won’t share his result to anyone else. That means, the attacker will gain nothing.

(2)
Entangleandmeasure attack: The group entangles all particles \(t_{\overline{I}}\) it has with an additional particle a, waits for any other parties to complete their operations, and performs measurement after that to obtain information. However, since \(t_{\overline{I}}\) won’t be sent back in the protocol, this attack is equivalent to a measurement attack, which has been proved ineffective above.

(3)
Pure destruction: The group tries to destroy the quantum state to hinder the execution of I̅. For example, receiving particles incorrectly; Not performing \(\mathcal{QFT}\), but performing other operations; Not recording the correct keys, etc. However, whatever I̅ does, it is completely unable to hinder I since there isn’t any communication between I and I̅. It’s just the reverse of a measurement attack in which any operations performed by I cannot change the view of I̅. Therefore, the only result I̅ can cause is to output several wrong keys not satisfying \(\sum _{i=1}^{n} \Delta _{i}\equiv 0(\ \mathrm{mod}\ T)\), and then TP cannot obtain the true d. It leads to that the zeroknowledge proof in Step 6 will fail.
Therefore, this process is secure.
• Participant attacks in the input process We consider the input process, i.e., Step 4 (3). The only means to attack is to input some invalid number, which is divided into the following two types:
(1) For an alone attacker, if he inputs 1, then his output must be 1, which means nothing. If he inputs an integer that contains all kinds of the prime factors in \(\left [ M \right ]^{o}\), then he can learn others’ factors; however, such an integer cannot be inputted, because, by the Prime Theorem, there is \(\Theta \left (\frac{M}{\ln M}\right )\) prime numbers in \(\left [ M \right ]^{o}\), which leads to a product large than \(3^{\frac{M}{\ln M}}\ge 3^{\frac{M}{\sqrt{M}}} =2^{2^{\frac{M}{2}}}\), and a bit number large than \(2^{\frac{m}{2}}\). It’s impossible to realize such an input. The only effective input is 0. If he inputs 0, then the result GCD may contain more factor than the normal result, since \(\mathrm{gcd}(0,x)=x\). However, his invalid input will be detected in Step 4 (3), since \(\Delta _{i}\) is even, and thus \(C_{i}=0+\Delta _{i}\) is even, not odd. Therefore, an alone attacker cannot perform any attack.
(2) We consider a collision attack. Assume that except TP and \(P_{i},i\in I\), all others are malicious. Further assume that there are \(n_{a}\) groups in the malicious party, where information is shared within each group, and not shared between any two groups. To steal more information other than d, a group can choose some inputs to ensure their modular sum is 0, which is similar to an alone attacker. To realize this, the group’s size must be even, so that the sum of even odd numbers is even, and then they can deceive TP in Step 4 (3). However, if they perform this attack, the result d will be independent of their inputs, and to pass the zeroknowledge proof in Step 6, they can only try to choose a random number. For each group, to reach the greatest success probability, i.e., \(\eta _{d}=\frac{1}{d}\) (see Sect. 4.2), they should uniform their chosen. Then the probability that all groups succeed is
It will be low (1%) if \(d\ge 3\), \(n_{a}\ge 5\) or \(d\ge 5\), \(n_{a}\ge 3\).
As a special case, if \(d=1\), then the malicious parties can always pass the proof, and know the information that the semihonest parties’ integers are coprime. This case is inevitable. However, let \(n_{I}\) be the size of I, then we have a similar version of Theorem 4:
Proposition 3
Assume that each \(e_{i}\in \left [ M \right ]^{o}\) is selected uniformly and randomly. If \(n_{I}\ge 3\), we have
It can be proved also similarly (see Appendix A.3). By this proposition, the case of \(d=1\) is not rare, even almost 100% if \(n_{I}\) is large enough, thus it gives a very low quantity of information.
In total, the protocol can preserve semihonest parties’ privacy, and detect malicious parties’ attacks with high probability. □
The above theorem demonstrates that the protocol has malicious security with the assistance of a semihonest TP. However, there are still two additional points worth discussing, as follows.
• Reducing the information TP learns. It can be seen that in our protocol, TP will obtain the final GCD result. To construct a perfect protocol, a third party TP should not learn the participant’s inputs. However, for a tradeoff between smooth resolution of problems and security, TP is allowed to learn the protocol’s output in some SMC protocols [26, 28, 41]. In our protocol, TP must obtain the GCD to perform the zeroknowledge proof to verify the honesty of each party, which is an important part of the protocol. However, he will not gain any other information. Besides, it’s generally unable to accurately launch all the input information from the GCD, since the mapping \((x_{1},\ldots,x_{n})\to \underset{i\in [\!\![n]\!\!]}{\mathrm {gcd}}\ {x_{i}}\) is generally oneway. In fact, multiple integers randomly selected are coprime with a large probability, i.e., the GCD almost completely lost the specific information of inputs, as shown in Proposition 3. So the information TP learns is tiny.
In some cases where TP is not allowed to obtain results, there are several possible ways to reduce the information he learns. For example, using a public hash function to replace each input factor with another factor to prevent TP from obtaining specific factors from the obtained d, as will be seen in Protocol 6 below. Alternatively, all parties, except TP, may agree in advance on some prohibited factors to mislead TP and mask their true factors. However, none of these schemes can completely hide information. How to prevent TP from obtaining any information while maintaining the original functionality of the protocol is a problem that needs to be studied.
• Constraining TP to meet the semihonest condition. Another more acute issue is that Theorem 5 is proved based on the semihonest assumption of TP. Generally, a third party satisfies the noncollusion assumption, i.e., he does not cooperate with any participant to perform attacks. The semihonest assumption further requires TP to avoid executing any active attacks, which is a bit too strong for realworld scenarios. If TP does not satisfy this assumption, the protocol’s security will not be guaranteed. Especially, TP can perform a forgery attack on the entangled state distribution process in Step 4 of Protocol 4. One of the simplest methods is to prespecify the key \(\delta _{i}\), then prepare the \(\mathcal{QFT}^{\dagger}\left \lvert \delta _{i}\right \rangle \) state and send it to \(P_{i}\). After applying \(\mathcal{QFT}\) measurements, \(P_{i}\) will undoubtedly obtain the \(\delta _{i} \) specified by TP. This will result in participants being unable to use their keys to hide information. TP can proactively make \(\delta _{i}\) satisfy \(\sum _{i\in [\!\![n]\!\!]}\delta _{i}\equiv 0(\ \mathrm{mod}\ G)\), so this cheating cannot be easily detected through secure multiparty summation.
Obviously, the above forgery attacks of TP will inevitably result in the states received by the participating parties not meeting the predetermined form. Therefore, if \(P_{1},\ldots,P_{n}\), especially the semihonest ones I among them, can test the fidelity of the entangled states sent from TP, then they can verify TP’s honesty before generating \(\delta _{i}\) to prevent him from stealing their information. Note that the Fourier entangled state sent by TP is equivalent to g independent nparty GHZ states [42], i.e,
where \(t^{k}_{i}\) denotes the kth qubit of \(t_{i}\). Therefore, we only need to know how to verify nparty GHZ states.
On the other hand, the verification of entangled states must be jointly participated by all parties involved, therefore, it must be ensured that dishonest parties I̅ cannot deceive semihonest parties I by forging verification information so that I cannot detect TP cheating. Such a method exists. Ref [43] proposed a protocol to verify nparty GHZ states with dishonest parties which relies solely on local operations and classical communication (LOCC). Therefore, no party can deceive other parties by forging quantum states or manipulating measurement results. To avoid the verification process destroying the entangled state, TP should prepare multiple copies of the GHZ state. During the protocol, one copy is randomly chosen for the actual calculations. The remaining copies can then be used for verification, with a verifier being randomly selected each time. This approach prevents a dishonest verifier from manipulating the results. This random selection must be independent of TP and the participants, otherwise, TP can accurately prepare real and fake states based on the selection. For this, they need another thirdparty platform to execute the random selection.
Specifically, assuming that L copies are required and the trace distance between the state sent by TP and the GHZ state is greater than ϵ, it’s proven in Ref [43] that the probability of passing the verification is at most \(\eta _{GHZ}= \frac{2n}{L_{GHZ}\left \lvert I\right \lvert \epsilon ^{2}}\), where \(\left \lvert I\right \lvert \) represents the number of semihonest parties. When satisfying the SemiHonest Majority Assumption (i.e. \(\left \lvert I\right \lvert =\Omega (n)\)), if the state significantly deviates from the correct state, i.e., \(\epsilon =\frac{1}{poly(n)}\), then only \(L_{GHZ}=O(poly^{2}(n))\) is needed to reduce the probability of passing to below 1%. This process can be repeated g times to obtain a highquality Fourier entangled state, which is sufficient in some practical applications. Of course, if we want to make the probability of passing negligible or still hold even when \(\left \lvert I\right \lvert <\Omega (n)\), we need more resource consumption. To this end, sampling surveys can be conducted irregularly on all tasks undertaken by a facility or center that plays the role of TP, thus achieving a balance between security and efficiency. Since TP’s reputation will be evaluated based on the results of the sampling survey, the actual TP continuously approaches the ideal semihonest TP in the game.
4.2.3 Complexity
At first, Theorem 4 shows that the round number \(l=O(1)\). For instance, we can let \(l=7\) so that the success rate of Protocol 4 can be more than 99%. We now consider the complexity of each round.

(1)
In Step 2, the complexity of Protocol 1 is \(O(m_{1}n)\). Since \(c_{i}'\ge m\), \(m_{1}=O(\log m)\), and then the complexity is \(O(n\log m)\).

(2)
In Step 4 (1), (2), the qubit number of each particle is
$$\begin{aligned} &g=t1=O\left (\log S+\log n\right )=O\left (\log (Kn\sqrt{n}M^{2})+ \log n\right ) \\ &=O\left (2\log M+\frac{3}{2}\log n+\log n\right )=O\left (2m+ \frac{5}{2}\log n\right ). \end{aligned}$$(41)In general, \(n< M<2^{m}\) i.e., \(\log n < m\), thus \(g=O(m)\). All operations in Sect. 2.1 are of \(O(m^{2})\) computational complexity [40], and thus the communication and computational complexity here are \(O(nm)\) and \(O(nm^{2})\) respectively.

(3)
In Step 4 (5), TP uses Shor’s algorithm to factorize \(u<2^{t}=2^{O(m)}\), and the computational complexity here is \(O(m^{3}\log m)\), if using an accelerated version [3, 31].

(4)
In Step 6, TP perform Protocol 3 with each \(P_{i}\), and the communication and computational complexity here are \(O(nm)\) and \(O(nm^{2})\) respectively.
In total, the communication and computational complexity of the protocol is \(O(nm)\) and \(O(nm^{2}+m^{3}\log m)\) respectively. We now compare with similar protocols. In the LCM protocol [30] of Li et al., all parties’ \(O(nm)\)qubit systems are entangled, and the communication complexity is \(O(n^{2}m\log (nm))\), while the computational complexity is \(O(n^{3}m^{2}\log (nm))\). In Imran’s first GCD protocol [32], all parties’ \(O(nm)\)qubit systems are entangled. Since this protocol is based on the original Shor’s algorithm, it’s probabilistic, and the complexity is \(O(n^{2}m^{2})\) and \(O(n^{3}m^{6}\log (nm^{2}))\). His other protocol utilized the same principle, but instead based on an exact version of Shor’s algorithm with computational complexity \(O(n^{3}m^{6}\log (nm^{2}))\), which is deterministic. In our GCD protocol, all parties’ \(O(m)\)qubit quantum systems are entangled, and our protocol is probabilistic. The comparison is shown in Table 2. It can be seen that our protocol reaches much lower complexity.
4.2.4 Example
Similar to Sect. 4.1.5, we show a simple example of Protocol 4 here to make our thoughts easier to understand. Assume that \(M=32\), \(n=3\), \((x_{1},x_{2},x_{3})=(5,15,10)\). The expected result is \(Y=\underset{i\in [\!\![n]\!\!]}{\mathrm {gcd}}\ {x_{i}}=5\).

(1)
In Step 12, we have \(x_{i}=2^{c_{i}}e_{i}\), then \((c_{1},c_{2},c_{3})=(0,0,1)\), \((e_{1},e_{2},e_{3})=(5,15,5)\). Let \(m=\left \lceil \log M \right \rceil =5\), then \(P_{1}\), \(P_{2}\), \(P_{3}\) call Protocol 1 to calculate \(c'=\underset{i\in [\!\![n]\!\!]}{\ \mathrm {max}\ }\ {(mc_{i})}=\ \mathrm{max}\ (5,5,4)=5\). Then \(c=mc'=0\). Here, the result \(c=\underset{i\in [\!\![n]\!\!]}{\mathrm {min}}\ {c_{i}}\), as shown in Sect. 4.2.1(1), so that \(2^{c}\) is the even factor of Y. So they only need to calculate \(d=\underset{i\in [\!\![n]\!\!]}{\mathrm {gcd}}\ {e_{i}}\), then \(Y=2^{c}d\).

(2)
In Step 3, they set \(S=Kn\sqrt{n}M^{2}=100\times 3\sqrt{3} \times 32^{2}\approx 532086\), and \(S_{i}=\left \lfloor \frac{S}{e_{i}} \right \rfloor \). Similar to Protocol 3, we set \(S\gg n\sqrt{n}M^{2}\) and \(S_{i}\approx \frac{S}{e_{i}}\) so that the random integer \(r_{i}\in \left [ S_{i} \right ]^{o}\) can mask \(e_{i}\), as is proved in Proposition 2. Then they set \(t=\left \lceil \log (nS) \right \rceil =21\) and \(T=2^{t}=2097152\) so that \(C=\sum _{i\in [\!\![n]\!\!]}e_{i}r_{i}\ \mathrm{mod}\ T=\sum _{i\in [\!\![n]\!\!]}e_{i}r_{i}\), as shown in Eq. (28). Here, \((S_{1},S_{2},S_{3})=(106417,35472,106417)\).

(3)
In Step 4 (1), (2), they perform secret sharing by \(\mathcal{QFT}\), and then each \(P_{i}\) gets an even integer key \(\Delta _{i}\in \left [ T \right ]\) satisfying \(\sum _{i\in [\!\![n]\!\!]}\Delta _{i}\ \mathrm{mod}\ T=0\). Such as \((\Delta _{1},\Delta _{2},\Delta _{3})=(757620,1581230,1855454)\).

(4)
In Step 4 (3), (4), \(P_{i}\) selects \(r_{i}\in \left [ S_{i} \right ]^{o}\) randomly, such as \((r_{1},r_{2},r_{3})=(51561,12123,37433)\). Then they send \(C_{i}=e_{i}r_{i}+\Delta _{i}\ \mathrm{mod}\ T\) to TP, so that TP can calculate \(C=\sum _{i\in [\!\![n]\!\!]}C_{i}\ \mathrm{mod}\ T=\sum _{i\in [\!\![n]\!\!]}e_{i}r_{i}\) without learning each \(e_{i}r_{i}\). Here, \((C_{1},C_{2},C_{3})=(1015425,1763075,2042619)\), and \(C=626815\). \(C_{i}\) must be odd since \(\Delta _{i}\) is even, which can prevent an invalid input such as 0.

(5)
In Step 4 (5), TP uses Shor’s algorithm to factorize C. Here, \(C= 5\times 7\times 17909\). Then he excludes all factors that do not belong to \(\left [ M \right ]^{o}=\left [ 32 \right ]^{o}\), to obtain \(\kappa ^{(1)}=5\times 7=35\). This step is required because TP must obtain the correct \(d\in \left [ M \right ]^{o}\) without any other factors so that he can execute Protocol 3 in Step 6.

(6)
The Step 4 should be repeated \(l=O(1)\) times. For example, the second result is: \((r_{1},r_{2},r_{3})^{(2)}=(31511,4213,75325)\), \(C^{(2)}=597375=3^{4} \times 5^{3} \times 59\), \(\kappa ^{(2)}=3^{4} \times 5^{3} =10125\). Now in Step 5, TP calculates \(d_{\kappa}=\underset{j\in [\!\![l]\!\!]}{\mathrm {gcd}}\ {\kappa ^{(j)}}= \mathrm{gcd}(35, 10125)=5=d\). In general, if \(l>7\), the probability of \(d_{\kappa}=d\) will be close to 1, as shown in Theorem 4.

(7)
In Step 6, TP and each \(P_{i}\) call Protocol 3 to execute zeroknowledge proof. \(P_{i}\) should prove that he truly has a nonzero multiple \(e_{i}\) of \(d_{\kappa}\). If each \(P_{i}\) passes the proof, then TP broadcast \(Output=2^{c}d_{\kappa}=5\).
4.3 Simulation
Here we will verify the feasibility of Protocol 4 through computer simulation. Since the feasibility of Shor’s algorithm [44], Protocol 1 [39], and Protocol 2 [40] were all verified by simulations or experiments before, we simplify these steps. Specifically, we directly calculate the maximum value and scalar product, and do factorization by violent searching (since M is small here, it’s affordable). We execute the simulation in Python 3.7 IBM Qiskit 0.41.0. However, Since the protocol requires too many qubits (e.g., let \(M=4\), \(n=2\), \(K=100\), then \(g=\left \lceil \log (nKn\sqrt{n}M^{2}) \right \rceil 1\approx 13\), and \(ng=26\) qubits are needed), it’s hard to simulate in Qiskit (with limitation of 24 qubits for PC and 32 qubits for Cloud). Thus we only set \(K=1\), as a simplest example. Since it does not meet the condition \(K\ge 100\), we repeat \(l=10\) times in Step 4. The Qiskit circuit for \(n=3\), \(M=2\) is shown in Fig. 3 for example. For some inputs, the correct results are still obtained, as shown in Table 3. It demonstrates that the protocol can run as expected.
5 Applications
The proposed GCD protocol has a certain degree of scalability. To demonstrate this, we propose three applications based on it, including private set intersection, private set intersection cardinality (PSICA), and private multiset intersection (PMSI).
5.1 Private set intersection (cardinality)
Definition 5
(Private set intersection (cardinality) (PSI, PSICA))
Assume that there are n parties \(P_{1},P_{2},\ldots , P_{n}\), where each \(P_{i},i\in [\!\![n]\!\!]\) has a private set \(S_{i}=\left \{ a_{i1},a_{i2},\ldots ,a_{iL_{i}} \right \} \subseteq \left [ M \right ]\), \(m=\left \lceil \log{M} \right \rceil \), where \(L_{i}\le L\). They want to calculate \(\cap _{i=1}^{n} S_{i}\) (or its cardinality \(\left \lvert \cap _{i=1}^{n} S_{i}\right \lvert \)), where any party cannot learn any information about others’ privacy other than the output.
To transform the GCD problem to a PSI (CA) problem, we use prime encoding, as defined below [31]
Definition 6
(Prime encoding of set)
Let \(p_{a}\) denote the ath prime number (e.g., \(p_{1}=2\), \(p_{2}=3\)). Then the primeencode of an element \(a\ge 0\) is \(\mathrm{Pri}\left (a\right )=p_{a+1}\). The primeencode of a set \(S=\left \{ a_{1},a_{2},\ldots ,a_{L} \right \}\) is
This encoding is obviously a onetoone mapping. Besides, we now prove that \(\underset{i\in [\!\![n]\!\!]}{\mathrm {gcd}}\ {\mathrm{Pri}\left (S_{i}\right )}\) is also onetoone corresponding to \(\cap _{i=1}^{n} S_{i}\):
Proposition 4
(Homomorphism of prime encoding)
For any n sets \(S_{1},S_{2},\ldots ,S_{n}\subseteq \left [ M \right ]\), it holds that
Proof
□
Thus, we can obtain \(\cap _{i=1}^{n} S_{i}\) by calculate \(\underset{i\in [\!\![n]\!\!]}{\mathrm {gcd}}\ {\mathrm{Pri}\left (S_{i}\right )}\).
Protocol 5
(Quantum secure multiparty private set intersection)

Step 1
Each party \(P_{i}\) calculates \(x_{i}=\mathrm{Pri}\left (S_{i}\right )=\prod _{j=1}^{L_{i}} \mathrm{Pri}\left (a_{ij}\right )\).

Step 2
Call Protocol 4 to calculate \(Y=\underset{i\in [\!\![n]\!\!]}{\mathrm {gcd}}\ x_{i}\), and broadcast Y to all parties.

Step 3
\(\forall j\in [\!\![L_{i}]\!\!]\), \(P_{i}\) checks if \(\mathrm{Pri}\left (a_{ij}\right )Y\), so as to factorize Y to \(y_{1},y_{2},\ldots ,y_{L_{Y}}\), where \(L_{Y}\) is the number of prime factors of Y.

Step 4
\(y_{1},y_{2},\ldots ,y_{L_{Y}}\) are primedecoded to \(s_{j}=\mathrm{Pri}^{1}(y_{j})\), and thus \(\cap _{i=1}^{n} S_{i}=\left \{ s_{1},s_{2},\ldots , s_{L_{Y}} \right \}\).
Protocol 6
(Quantum secure multiparty private set intersection cardinality)

Step 1
Share a key \(k\in \left \{ 0,1 \right \}^{m}\) between all \(P_{i}\), which can be realized by quantum key distribution [10].

Step 2
\(P_{i}\) use a public hash function \(h:\left \{ 0,1 \right \}^{m}\to \left \{ 0,1 \right \}^{m}\) to encrypt all his elements: \(a_{ij}\to h(a_{ij}\oplus k)=b_{ij}\).

Step 3
\(P_{i}\) calculates \(x_{i}=\prod _{j=1}^{L_{i}}\mathrm{Pri}\left (b_{ij}\right )\).

Step 4
Call Protocol 4 to calculate \(Y=\underset{i\in [\!\![n]\!\!]}{\mathrm {gcd}}\ x_{i}\), and TP does not broadcast Y to all parties.

Step 5
TP use Shor’s algorithm to factorize Y to \(y_{1},y_{2},\ldots ,y_{L_{Y}}\), and thus \(\left \lvert \cap _{i=1}^{n} S_{i}\right \lvert =L_{Y}\).

Step 6
TP broadcasts \(L_{Y}\) to all parties.
Analysis:

(a)
Correctness: The correctness is based on the fact that \(\cap _{i=1}^{n} S_{i}\) and \(Y=\underset{i\in [\!\![n]\!\!]}{\mathrm {gcd}}\ x_{i}\) are onetoone corresponding, as shown in Proposition 4.

(b)
Security: Since GCD protocol is secure, and \(\cap _{i=1}^{n} S_{i}\) and \(Y=\underset{i\in [\!\![n]\!\!]}{\mathrm {gcd}}\ x_{i}\) are corresponding, then any party cannot learn more information other than \(\cap _{i=1}^{n} S_{i}\). In the PSICA protocol, TP cannot learn the elements of \(\cap _{i=1}^{n} S_{i}\) because they are encrypted by the hash function h and key k. Therefore, he can only output the cardinality of it.

(c)
Complexity: After prime encoding, each number \(a_{ij}\in \left [ 2^{m} \right ]\) is mapped to \(\mathrm{Pri}\left (a_{ij}\right )\in \left [ 2^{2m} \right ]\) [31], and its bit number is still \(O(m)\). Since \(x_{i}=\prod _{j=1}^{L_{i}}\mathrm{Pri}\left (a_{ij}\right )\in \left [ 2^{2mL} \right ]\), the bit number of \(x_{i}\) is \(O(mL)\). In the PSICA protocol, TP uses Shor’s algorithm in Step 5, which has the same complexity as Step 4 (5) of Protocol 4. Therefore, the communication and computational complexity of the above protocols is \(O(nmL)\) and \(O(nm^{2}L^{2}+m^{3}L^{3}\log (mL))\) respectively. We compare them with other similar protocols mentioned in Sect. 1, which is shown in Table 4. It can be seen that our protocols achieve the lowest complexity.
5.2 Private multiset intersection
As a widely used data structure, multisets, unlike sets, can have multiple occurrences of the same element. For example, a multiset can be \(\left \{ a:1,b:2,c:0,d:3 \right \}\), where \(a:1\) means that a occurs 1 time, etc. The definition of the intersection of multisets is as follows:
Definition 7
(Private multiset intersection (PMSI))
Let the universal set be \(\left [ M \right ]\), where \(m=\left \lceil \log{M} \right \rceil \), and each \(a_{j}\) is different with others. Assume that there are n parties \(P_{1},P_{2},\ldots , P_{n}\), where each \(P_{i},i\in [\!\![n]\!\!]\) has a private multiset \(S_{i}= \{ 0:L_{i1},1:L_{i2},\ldots ,M1: L_{iM} \}\), where \(\sum _{j=1}^{M} L_{ij}=L_{i}\le L\) is the size of \(S_{i}\). They want to calculate \(\cap _{i=1}^{n} S_{i}\), where any party cannot learn any information about others’ privacy other than the output. Specifically,
It can be seen that PMSI is equivalent to the problem of finding the minimum occurrences among all the private multisets for each element. However, it cannot be achieved just by doing so, because the universal set size \(M=O(2^{m})\) is exponential. In classical SMC, to calculate the intersection of multisets, each element is often represented by irreducible polynomials, and thus each multiset is represented by the higher degree polynomial obtained by the product of all the irreducible polynomials [45]. By polynomialbased methods, PMSI is transformed into the problem of finding the greatest common divisor of polynomials, with polynomial complexity. However, this kind of scheme requires the use of classical homomorphic encryption whose security is questionable. In addition, to our knowledge, there has not yet been a quantum SMC protocol for PMSI, especially for multiparty PMSI. We point out that prime encoding is not only applicable to sets but also naturally to multisets.
Definition 8
(Prime encoding of multiset)
Still follow the definition \(\mathrm{Pri}\left (j1\right )=p_{j}\), \(j\in [\!\![M]\!\!]\). The primeencode of a multiset \(S=\left \{ 0:L_{1},1:L_{2},\ldots ,M1:L_{M} \right \}\) is
Similarly, based on the uniqueness of prime factorization, such encoding must still correspond onetoone. In addition, the homomorphism between GCD and intersection is also provable:
Proposition 5
(Homomorphism of prime encoding of multiset)
For any n multisets \(S_{1},S_{2},\ldots ,S_{n}\), it still holds that
Proof
By Eqs. (45) and (46), we have
□
As a result, by following almost the same steps as PSI, PMSI can be implemented.
Protocol 7
(Quantum secure multiparty private multiset intersection)

Step 1
Each party \(P_{i}\) calculates \(x_{i}=\mathrm{Pri}\left (S_{i}\right )\).

Step 2
Call Protocol 4 to calculate \(Y=\underset{i\in [\!\![n]\!\!]}{\mathrm {gcd}}\ x_{i}\), and broadcast Y to all parties.

Step 3
\(\forall j\in [\!\![M]\!\!]\) and \(L_{ij}>0\), \(P_{i}\) checks whether \(\mathrm{Pri}\left (j1\right )^{1}Y\), \(\mathrm{Pri}\left (j1\right )^{2}Y,\ldots \) , so as to factorize Y to \(p_{1}^{L^{(Y)}_{1}},p_{2}^{L^{(Y)}_{2}},\ldots ,p_{M}^{L^{(Y)}_{M}}\).

Step 4
Output \(\cap _{i=1}^{n} S_{i}=\left \{ 0:L^{(Y)}_{1},1:L^{(Y)}_{2},\ldots , M1:L^{(Y)}_{M} \right \}\).
As a supplement, the above PMSI protocol can also be transformed into a private multiset intersection cardinality (PMSICA) protocol, similar to Protocol 6.
Analysis:

(a)
Correctness: Similarly to Protocol 5, the protocol is correct by Proposition 5.

(b)
Security: Still similarly, the security comes from the fact that prime encoding is onetoone corresponding and homomorphic.

(c)
Complexity: Since the bit number of a primeencode is still \(O(m)\), and the size of a multiset is still \(O(L)\), the complexity is the same as protocol 5, i.e., \(O(nmL)\) (communication) and \(O(nm^{2}L^{2}+m^{3}L^{3}\log (mL))\) (computational).
6 Conclusion
In this paper, we propose a novel quantum multiparty greatest common divisor (GCD) protocol. Our protocol avoids the issues of information leakage and resource consumption that arise from computing the least common multiple. Using our customdesigned quantum zeroknowledge proof subprotocol we designed, we can verify the honesty of all parties involved, resulting in a more secure and efficient protocol compared to existing ones. Additionally, we demonstrate the scalability of our GCD protocol by presenting applications such as multiparty private set intersection (cardinality) and private multiset intersection, etc., which have shown better performance than similar protocols. Nevertheless, some aspects of our protocol can be improved. For instance, its application is limited by the requirement for a semihonest third party, as described in Sect. 4.2.2. Besides, the protocol requires the preparation and transmission of highdimensional entangled states, which are more susceptible to interference in highnoise environments. Addressing these issues is an area of future research.
Data availability
Not applicable.
Code availability
Not applicable.
References
Yao AC. Protocols for secure computations. In: 23rd IEEE symposium on foundations of computer science. Piscataway: IEEE; 1982. p. 160–4. https://doi.org/10.1109/SFCS.1982.38.
Shor PW. Algorithms for quantum computation: discrete logarithms and factoring. In: Proceeding of 35th annual symposium on foundations of computer science. Los Alamitos: IEEE; 1994. p. 124–34. https://doi.org/10.1109/SFCS.1994.365700.
Shor PW. Polynomialtime algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J Comput. 1997;26(5):1484–509. https://doi.org/10.1137/S0097539795293172.
Grover LK. Quantum mechanics helps in searching for a needle in a haystack. Phys Rev Lett. 1997;79(2):325–8. https://doi.org/10.1103/PhysRevLett.79.325.
Shi RH, Mu Y, Zhong H, Zhang S. Quantum oblivious setmember decision protocol. Phys Rev A. 2015;92(2):022309. https://doi.org/10.1103/PhysRevA.92.022309.
Olejnik L. Secure quantum private information retrieval using phaseencoded queries. Phys Rev A. 2011;84(2):022313. https://doi.org/10.1103/PhysRevA.84.022313.
Shi RH, Mu Y, Zhong H, Cui J, Zhang S. An efficient quantum scheme for private set intersection. Quantum Inf Process. 2016;15(1):363–71. https://doi.org/10.1007/s111280151165z.
Cheng XG, Guo R, Chen YH. Cryptanalysis and improvement of a quantum private set intersection protocol. Quantum Inf Process. 2016;16(2):37. https://doi.org/10.1007/s111280161502x.
Maitra A. Quantum secure twoparty computation for set intersection with rational players. Quantum Inf Process. 2018;17(8):197. https://doi.org/10.1007/s1112801819689.
Bennett CH, Brassard G. Quantum cryptography: public key distribution and coin tossing. Theor Comput Sci. 2014;560(1):7–11. https://doi.org/10.1016/j.tcs.2014.05.025.
Debnath SK, Dey K, Kundu N, Choudhury T. Feasible private set intersection in quantum domain. Quantum Inf Process. 2021;20(1):41. https://doi.org/10.1007/s11128021029874.
Liu W, Yin HW. A novel quantum protocol for private set intersection. Int J Theor Phys. 2021;60(6):2074–83. https://doi.org/10.1007/s1077302104824x.
Liu WJ, Li WB, Wang HB. An improved quantum private set intersection protocol based on Hadamard gates. Int J Theor Phys. 2022;61(3):53. https://doi.org/10.1007/s10773022050483.
Debnath SK, Srivastava V, Mohanty T, Kundu N, Sakurai K. Quantum secure privacy preserving technique to obtain the intersection of two datasets for contact tracing. J Inf Secur Appl. 2022;66(1):103127. https://doi.org/10.1016/j.jisa.2022.103127.
Liu B, Zhang XY, Shi RH, Zhang MW, Zhang GX. Sepsi: a secure and efficient privacypreserving set intersection with identity authentication in iot. Mathematics. 2022;10(12):2120. https://doi.org/10.3390/math10122120.
Brassard G, HØyer P, Tapp A. Quantum counting. In: Larsen KG, Skyum S, Winskel G, editors. Automata, languages and programming. Heidelberg: Springer; 1998. p. 820–31. https://doi.org/10.1007/BFb00551.
Shi RH, Mu Y, Zhong H, Zhang S, Cui J. Quantum private set intersection cardinality and its application to anonymous authentication. Inf Sci. 2016;370–371:147–58. https://doi.org/10.1016/j.ins.2016.07.071.
Shi RH. Efficient quantum protocol for private set intersection cardinality. IEEE Access. 2018;6:73102–9. https://doi.org/10.1109/ACCESS.2018.2872741.
Shi RH, Li YF. Quantum private set intersection cardinality protocol with application to privacypreserving condition query. IEEE Trans Circuits Syst I, Regul Pap. 2022;69(6):2399–411. https://doi.org/10.1109/TCSI.2022.3152591.
Liu B, Zhang MW, Shi RH. Quantum secure multiparty private set intersection cardinality. Int J Theor Phys. 2020;59(7):1992–2007. https://doi.org/10.1007/s10773020044718.
Shi RH. Quantum multiparty privacy set intersection cardinality. IEEE Trans Circuits Syst II, Express Briefs. 2021;68(4):1203–7. https://doi.org/10.1109/TCSII.2020.3032550.
Diao ZJ, Huang CF, Wang K. Quantum counting: algorithm and error distribution. Acta Appl Math. 2012;118(1):147–59. https://doi.org/10.1007/s1044001296826.
Shi RH. Quantum private computation of cardinality of set intersection and union. Eur Phys J D. 2018;72(12):221. https://doi.org/10.1140/epjd/e2018903807.
Shi RH, Zhang MW. A feasible quantum protocol for private set intersection cardinality. IEEE Access. 2019;7:72105–12. https://doi.org/10.1109/ACCESS.2019.2919119.
Liu B, Ruan O, Shi RH, Zhang MW. Quantum private set intersection cardinality based on bloom filter. Sci Rep. 2021;11(1):17332. https://doi.org/10.1038/s41598021967701.
Zhang C, Long YX, Sun ZW, Li Q, Huang Q. Threeparty quantum private computation of cardinalities of set intersection and union based on ghz states. Sci Rep. 2020;10(1):22246. https://doi.org/10.1038/s4159802077579w.
Wang YL, Hu PC, Xu QL. Quantum protocols for private set intersection cardinality and union cardinality based on entanglement swapping. Int J Theor Phys. 2021;60(9):3514–28. https://doi.org/10.1007/s10773021049257.
Shi RH, Li YF. Quantum protocol for secure multiparty logical and with application to multiparty private set intersection cardinality. IEEE Trans Circuits Syst I, Regul Pap. 2022;69(12):5206–18. https://doi.org/10.1109/TCSI.2022.3200974.
Liu W, Li YZ, Wang ZR, Li YG. A new quantum private protocol for set intersection cardinality based on a quantum homomorphic encryption scheme for Toffoli gate. Entropy. 2023;25(3):516. https://doi.org/10.3390/e25030516.
Li ZX, Liu WJ. A quantum secure multiparty computation protocol for least common multiple. 2022. Preprint. https://doi.org/10.48550/arXiv.2210.08165.
Liu WJ, Yang Q, Li ZX. Quantum multiparty private set union protocol based on least common multiple and shor’s algorithm. Int J Quantum Inf. 2023;2023:2340006. https://doi.org/10.1142/S0219749923400063.
Imran M. Secure multiparty quantum computations for greatest common divisor and private set intersection. 2023. Preprint. https://doi.org/10.48550/arXiv.2303.17196.
Goldreich O, Micali S, Wigderson A. How to play any mental game. In: 19th annual ACM symposium on theory of computing. New York: ACM; 1987. p. 218–29. https://doi.org/10.1145/28395.28420.
Nielsen MA, Chuang IL. Quantum computation and quantum information: 10th anniversary edition. New York: Cambridge University Press; 2010. https://doi.org/10.1017/CBO9780511976667.
Buhrman H, Christandl M, Schaffner C. Complete insecurity of quantum protocols for classical twoparty computation. Phys Rev Lett. 2012;109(16):160501. https://doi.org/10.1103/PhysRevLett.109.160501.
Mayers D. Unconditionally secure quantum bit commitment is impossible. Phys Rev Lett. 1997;78(17):3414. https://doi.org/10.1103/PhysRevLett.78.3414.
Lo HK, Chau HF. Is quantum bit commitment really possible? Phys Rev Lett. 1997;78(17):3410. https://doi.org/10.1103/PhysRevLett.78.3410.
Dutta A, Pathak A. A short review on quantum identity authentication protocols: how would Bob know that he is talking with Alice? Quantum Inf Process. 2022;21(11):369. https://doi.org/10.1007/s11128022037170.
Shi RH, Li YF. Privacypreserving quantum protocol for finding the maximum value. EPJ Quantum Technol. 2022;9(1):13. https://doi.org/10.1140/epjqt/s40507022001323.
Liu WJ, Li ZX. Secure and efficient twoparty quantum scalar product protocol with application to privacypreserving matrix multiplication. IEEE Trans Circuits Syst I, Regul Pap. 2023;70(11):4456–69. https://doi.org/10.1109/TCSI.2023.3295891.
Mishra S, Thapliyal K, Parakh A, Pathak A. Quantum anonymous veto: a set of new protocols. EPJ Quantum Technol. 2022;9(1):14. https://doi.org/10.1140/epjqt/s40507022001332.
Greenberger DM, Horne MA, Zeilinger A. Bell’s theorem, quantum theory and conceptions of the universe. Dordrecht: Springer; 1989. https://doi.org/10.1007/9789401708494.
Pappa A, Chailloux A, Wehner S, Diamanti E, Kerenidis I. Multipartite entanglement verification resistant against dishonest parties. Phys Rev Lett. 2012;108(26):260502. https://doi.org/10.1103/PhysRevLett.108.260502.
Lu CY, Browne DE, Yang T, Pan JW. Demonstration of a compiled version of shor’s quantum factoring algorithm using photonic qubits. Phys Rev Lett. 2007;99(25):250505. https://doi.org/10.1103/PhysRevLett.99.250504.
Kissner L, Song D. Privacypreserving set operations. In: Shoup V, editor. Advances in cryptology – CRYPTO 2005. vol. 3621. Berlin: Springer; 2005. p. 241–57. https://doi.org/10.1007/11535218_15.
Evans L, editor. Measure theory and fine properties of functions. New York: Routledge; 1992. https://doi.org/10.1201/9780203747940.
Bond J. Calculating the general solution of a linear Diophantine equation. Am Math Mon. 1967;74(8):955–7. https://doi.org/10.2307/2315274.
Broida JG, Williamson SG. A comprehensive introduction to linear algebra. 1989. Available at https://cseweb.ucsd.edu/~gill/CILASite.
Hall Philip BA. The distribution of means for samples of size n drawn from a population in which the variate takes values between 0 and 1, all such values beding equally probable. Biometrika. 1967;19(3–4):240–4. https://doi.org/10.1093/biomet/19.34.240.
Funding
This work is supported by the National Natural Science Foundation of China (62071240), the Innovation Program for Quantum Science and Technology (2021ZD0302901), the Postgraduate Research & Practice Innovation Program of Jiangsu Province (KYCX23_1370), and the Natural Science Foundation of Jiangsu Province (BK20231142, BK20220804).
Ethics declarations
Ethics approval and consent to participate
Not applicable.
Consent for publication
Not applicable.
Competing interests
The authors declare no competing interests.
Additional information
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Appendix: Proof of propositions
Appendix: Proof of propositions
1.1 A.1 Proposition 1
Proposition 1
When \(S\gg M^{2}\), \(\forall Q\in \left [ M \right ]^{o}\) and \(v'\in \left [ Q \right ]\), we have
Especially, let \(v'=0\), we have \(\mathrm{Pr}\left [ Qv \right ]\approx \frac{1}{Q}\).
To prove it, we first give a lemma.
Lemma 1
Assume that \(r\in \left [ S \right ]^{o}\) is selected uniformly and randomly, then for any positive odd integer \(Q\ll S\), \(\forall r'\in \left [ Q \right ]\), we have
Proof
\(r\ \mathrm{mod}\ Q=r'\) means that \(r=r'+qQ\in \left [ S \right ]\), then \(0\le r'+qQ< S\), \(r'\le qQ< Sr'\). If \(r'\) is even, then \(qQ=r'r\) is odd and q is odd; If \(r'\) is odd, then \(qQ=r'r\) is even and q is even. Since \(S\gg Q\), there are approximately \(\frac{sr'+r'}{Q}=\frac{S}{Q}\) integers between \(r'\) and \(Sr'\), where odd and even numbers each account for half. No matter which one \(r'\) is, there are \(\frac{S}{2Q}\) possible q for it, and thus the probability is
□
Now we prove the proposition.
Proof of Proposition 1
We use mathematical induction to prove this.

(1)
For \(b=1\), denote \(d_{0}=Q\), \(d_{1}=\mathrm{gcd}(\omega _{1},d_{0})\), and \(d_{0}=\alpha _{1} d_{1}\), \(\omega _{1}=\beta _{1}d_{1}\), then \(\mathrm{gcd}(\alpha _{1},\beta _{1})=1\). \(v\ \mathrm{mod}\ Q=v'\) is equivalent to \(Q(v'v)\), i.e., \(d_{0}(v'\sum _{i=1}^{n}\omega _{i} r_{i})\). It can be transformed into \(\omega _{1}r_{1}=\beta _{1} d_{1} r_{1}\equiv v'\sum _{i=2}^{n} \omega _{i}r_{i}\), i.e., \(\omega _{1}r_{1}=\beta _{1} d_{1} r_{1}\equiv v'\sum _{i=2}^{n} \omega _{i}r_{i}+q\alpha _{1} d_{1}\), where q is any integer. Its necessary condition is \(d_{1}(v'\sum _{i=2}^{n}\omega _{i}r_{i})\). Assume that \(v'\sum _{i=2}^{n}\omega _{i}r_{i}=c_{1} d_{1}\), then \(\beta _{1} r_{1}=c_{1}+q\alpha _{1}\), i.e., \(\beta _{1} r_{1} \equiv c_{1} (\ \mathrm{mod}\ \alpha _{1})\). Since \(\mathrm{gcd}(\alpha _{1}, \beta _{1})=1\), \({\beta _{1}}^{1}_{\alpha _{1}}\) exists, then
$$\begin{aligned} r_{1} \equiv c_{1}{\beta _{1}}^{1}_{\alpha _{1}} (\ \mathrm{mod}\ \alpha _{1}). \end{aligned}$$(A.4)It means that \(r_{1}\) has solutions, i.e., the condition is also sufficient. In addition, since \(\alpha _{1}\) is odd, and
$$\begin{aligned} S_{i}\approx \frac{S}{e_{i}}\ge \frac{S}{M}\gg \frac{M^{2}}{M}=M\ge Q, \end{aligned}$$(A.5)then by Lemma 1, the probability is
$$\begin{aligned} &\mathrm{Pr}\left [ d_{0}(v'\sum _{i=1}^{n}\omega _{i}r_{i}) \parallel d_{1}(v'\sum _{i=2}^{n}\omega _{i}r_{i})\right ] \\ &=\mathrm{Pr}\left [ r_{1} \equiv c_{1}{\beta _{1}}^{1}_{\alpha _{1}} (\ \mathrm{mod}\ \alpha _{1}) \parallel d_{1}(v'\sum _{i=2}^{n} \omega _{i}r_{i})\right ] \\ &\approx \frac{1}{\alpha _{1}}=1/\frac{d_{0}}{d_{b}}=\frac{Q}{d_{1}}. \end{aligned}$$(A.6) 
(2)
For \(1< b <n\), assume that we have proved that the necessary and sufficient condition of \(d_{b2}(v'\sum _{i=b1}^{n}\omega _{i}r_{i})\) is \(d_{b1}(v'\sum _{i=b}^{n}\omega _{i}r_{i})\). Now consider the condition of \(d_{b1}(v'\sum _{i=b}^{n}\omega _{i}r_{i})\), i.e., \(\sum _{i=b}^{n}\omega _{i}r_{i} \equiv v'(\ \mathrm{mod}\ d_{b1})\), which can be transformed into \(\omega _{b} r_{b}= v'\sum _{i=b+1}^{n}\omega _{i}r_{i} +q d_{b1}\), where q is any integer. Denote \(\mathrm{gcd}(d_{b1},\omega _{b})=d_{b}\), \(d_{b1}=\alpha _{b} d_{b}\), \(\omega _{b}=\beta _{b} d_{b}\), then \(\mathrm{gcd}(\alpha _{b}, \beta _{b})=1\). Now we have \(\beta _{b} d_{b} r_{b}= v'\sum _{i=b+1}^{n}\omega _{i}r_{i} +q d_{b1}\), whose necessary condition is \(d_{b}(v'\sum _{i=b+1}^{n}\omega _{i}r_{i})\). Now we prove that it’s also a sufficient condition. Assume that \(v'\sum _{i=b+1}^{n}\omega _{i}r_{i}=c_{b} d_{b}\), then the equation becomes \(\beta _{b} r_{b}=c_{b}+q\alpha _{b}\), i.e., \(\beta _{b} r_{b} \equiv c_{b} (\ \mathrm{mod}\ \alpha _{b})\). Since \({\beta _{b}}^{1}_{\alpha _{b}}\) exists, we have
$$\begin{aligned} r_{b} \equiv c_{b}{\beta _{b}}^{1}_{\alpha _{b}} (\ \mathrm{mod}\ \alpha _{b}), \end{aligned}$$(A.7)which means that \(r_{b}\) has solutions, i.e., the condition is also sufficient. In addition, since \(\alpha _{b}\) is odd, by Lemma 1, the probability is
$$\begin{aligned} &\mathrm{Pr}\left [ d_{b1}(v'\sum _{i=b}^{n}\omega _{i}r_{i}) \parallel d_{b}(v'\sum _{i=b+1}^{n}\omega _{i}r_{i})\right ] \\ &=\mathrm{Pr}\left [ r_{b} \equiv c_{b}{\beta _{b}}^{1}_{\alpha _{b}} (\ \mathrm{mod}\ \alpha _{b}) \parallel d_{b}(v'\sum _{i=b+1}^{n} \omega _{i}r_{i})\right ] \\ &\approx \frac{1}{\alpha _{b}}=1/\frac{d_{b1}}{d_{b}}= \frac{d_{b1}}{d_{b}}. \end{aligned}$$(A.8) 
(3)
For \(b=n\), following the above deduction, we consider the condition of \(d_{n1}(v'\omega _{n} r_{n})\), i.e., \(\omega _{n} r_{n} \equiv v' (\ \mathrm{mod}\ d_{n1})\). Since
$$\begin{aligned} &\mathrm{gcd}(d_{n1},\omega _{n})=\mathrm{gcd}(\mathrm{gcd}(d_{n2}, \omega _{n1}),\omega _{n})=\cdots \\ &=\mathrm{gcd}(Q,\omega _{1},\ldots ,\omega _{n})\le \mathrm{gcd}( \omega _{1},\ldots ,\omega _{n})=1, \end{aligned}$$(A.9)it becomes \(r_{n} \equiv v'{\omega _{n}}^{1}_{d_{n1}} (\ \mathrm{mod}\ d_{n1})\), with a probability
$$\begin{aligned} \mathrm{Pr}\left [ d_{n1}(v'\omega _{n} r_{n}) \right ]\approx \frac{1}{d_{n1}}. \end{aligned}$$(A.10)Now we can calculate the final probability as
$$\begin{aligned} &\mathrm{Pr}\left [ v\ \mathrm{mod}\ Q=v' \right ] \\ &=\mathrm{Pr}\left [ d_{0}(v'\sum _{i=1}^{n}\omega _{i}r_{i}) \parallel d_{1}(v'\sum _{i=2}^{n}\omega _{i}r_{i})\right ] \\ &\times \mathrm{Pr}\left [ d_{1}(v'\sum _{i=2}^{n}\omega _{i}r_{i}) \parallel d_{2}(v'\sum _{i=3}^{n}\omega _{i}r_{i})\right ] \\ &\times \cdots \times \mathrm{Pr}\left [ d_{n2}(v'\sum _{i=n1}^{n} \omega _{i}r_{i}) \parallel d_{n1}(v'\omega _{n} r_{n})\right ] \times \mathrm{Pr}\left [ d_{n1}(v'\omega _{n} r_{n}) \right ] \\ &\approx \frac{d_{1}}{Q}\times \frac{d_{2}}{d_{1}} \times \cdots \times \frac{d_{n1}}{d_{n2}} \times \frac{1}{d_{n1}}=\frac{1}{Q}. \end{aligned}$$(A.11)
□
1.2 A.2 Proposition 2
Proposition 2
Let \(\hat{\omega}_{i}=1\), \(\hat{r}_{i}\in \left [ \left \lfloor \frac{S}{d} \right \rfloor \right ]\), and \(\hat{v}=\sum _{i=1}^{n}\hat{\omega}_{i}\hat{r}_{i}\). If \(S\gg n\sqrt{n}M^{2}\), then approximately, the Kolmogorov distance between v̂ and v is
To prove it, we first introduce the following Lemma 2, which means that the probability of \(\sum _{i\in [\!\![n]\!\!]}\omega _{i}r_{i}=v'\) is approximately independent of the value of \(\omega _{i} \). For convenience, let \(r_{i}=2\xi _{i}+1\), where \(\xi _{i}\in \left [ \left \lfloor \frac{S}{2\omega _{i}d} \right \rfloor \right ]\), then we have
Lemma 2
Let \(\xi _{i}\in \left [ \frac{S}{2\omega _{i}d} \right ]\) be selected randomly and uniformly. Given any integer θ, we have
where \(V_{\frac{2d}{S}\theta}\) is the \((n1)\)dimensional Hausdorff measure (or, roughly, \((n1)\)dim volume [46]) of \(\Lambda =\left \{ \vec{\zeta }  \sum _{i=1}^{n}\zeta _{i}= \frac{2d}{S}\theta ,0\le \zeta _{i}<1 \right \}\), i.e., \(\mathcal{H}^{n1}(\Lambda )\).
Proof
Let \({\xi}_{i}^{(k)}, 1\le k\le n\) be an integer solution of \(\sum _{i=1}^{k}\omega _{i}{\xi}_{i}^{(k)}{=d_{k}}\), \(d_{k}=\underset{i\in [\!\![k]\!\!]}{\mathrm {gcd}}\ \omega _{i}\). Obviously \(d_{1}=\omega _{1}\), \(d_{n}=1\). By Bézout’s Lemma, such a solution always exists. The general solution of \(\sum _{i=1}^{n}\omega _{i}\xi _{i}=\theta \) is [47]:
where
and
Then the constraint \{\begin{array}{cc}& {\xi}_{i}\in \left[\lfloor \frac{S}{2{\omega}_{i}d}\rfloor \right]\\ & {\sum}_{i=1}^{n}{\omega}_{i}{\xi}_{i}=\theta \end{array} is approximately equivalent to
since \(S\gg 2M>2\omega _{i}d\), and \(\vec{\xi}=\theta \vec{a}+\mathbf{A}'\vec{z}\) is always integer. Let \(\zeta _{i}=\frac{2d}{S}\omega _{i} \xi _{i}\), then \(\vec{\zeta}=\frac{2d}{S}\mathbf{W}\vec{\xi}\), where \(\mathbf{W}= \begin{pmatrix} \omega _{1} & & \\ & \ddots & \\ & & \omega _{n} \end{pmatrix} \). Then the constraint is changed to
where \(\vec{b}=\frac{2d}{S}\mathbf{W}\theta \vec{a}\), \(\mathbf{A}=\frac{2d}{S}\mathbf{W}\mathbf{A}'\). Denote
Obviously, Λ is a \((n1)\)dim hyperplane, and if we know its \((n1)\)dim volume \(V_{\frac{2d}{S}\theta}=\mathcal{H}^{n1}(\Lambda )\) and the lattice density ρ of \(\vec{b}+\mathbf{A}\vec{z}\), then we can calculate the number of grid points in Λ approximately, i.e., the feasible solution number of \(\sum _{i=1}^{n}\omega _{i}\xi _{i}=\theta \). Now we deduce the density. The lattices fundamental domain \(P(\mathbf{A})\) (an \((n1)\)dim simplex composed of the basis vectors of the lattice starting from the origin, i.e., the simplex composed of the column vectors of A) undergoes countless translations and stacks in space, forming all the lattice points. Therefore, we can consider that in each such a simplex, there is one point. To calculate \(P(\mathbf{A})\)’s \((n1)\)dim volume, note that \(\mathbf{A}:\mathbb{Z}^{n1}\to \mathbb{Z}^{n}\), and \(P(\mathbf{A})=\mathbf{A}\left (P(I_{n1})\right )\), where \(P(I_{n1})\) is a unit hypercube in \((n1)\)dim Euclidean space. We have
where \(\mathcal{L}^{n1}(\cdot )\) is the \((n1)\)dim Lebesgue measure (obviously \(\mathcal{L}^{n1}(P(I_{n1}))=1\)), and \(J(\mathbf{A})\) is the Jacobian of matrix A (See Lemma 1 in Chap. 3.3.1 of Ref [46]). In addition,
where \(Det(\cdot )\) means determinant (see Theorem 3 in Chap. 3.2.1 of Ref [46]). Then
and there are \(R_{v}\approx V_{\frac{2d}{S}\theta}\rho \) feasible solutions. Since there are approximately
possible groups of \(\xi _{1},\ldots \xi _{n}\) in total, the probability is
We can deduce that
whose proof can be seen in Lemma 3. Thus
□
As a supplement, we provide a proof of Eq. (A.26).
Lemma 3
Proof
where
We have the following theorem (see Chap. 4.6 of Ref [48]):
Theorem 6
(CauthyBinet)
For matrices \(\mathbf{X}\in \mathbb{R}^{p\times q}\) and \(\mathbf{Y}\in \mathbb{R}^{q\times p}\), where \(p< q\), we have
where \(\mathbf{Y}_{S}\) takes all possible \(p\times p\) subdeterminant of Y, and \(\mathbf{X}_{S}\) is the \(p\times p\) subdeterminant of X in the symmetric location of \(\mathbf{Y}_{S}\).
In our case, \(\mathbf{X}=\mathbf{B}^{T}\), \(\mathbf{Y}=\mathbf{B}\), thus \(p=n1\), and \(\mathbf{X}_{S}=\mathbf{Y}_{S}^{T}\). Thus
where \(\mathbf{B}_{j}\) means the matrix obtained by removing row j of B. Now
where \(d_{1}=\omega _{1}\). \(\left \lvert Det(\mathbf{B}_{2})\right \lvert \) is similar. For \(3\le j\le n\),
where
We add all rows to row 1, then the elements of row 1 become
Thus
and
Now
□
Now Lemma 2 is proved completely, and we only need to calculate \(V_{\frac{2d}{S}\theta}\). Let \(Z=\sum _{i=1}^{n}Z_{i}\), where \(Z_{i}\) is selected in \([0,1]\) randomly and uniformly, and \(Z_{i}\)’s are mutual independence, then Z satisfies Irwin–Hall distribution [49], and we have:
Lemma 4
Let the probability density function of Z be \(f_{Z}(z)\), then \(V_{z}=\sqrt{n}f_{Z}(z)\), where \(V_{z}\) is still the \((n1)\)dim Hausdorff measure of \(\Lambda _{z}=\left \{ \vec{Z}  \sum _{i=1}^{n} Z_{i}=z,0\le Z_{i}<1 \right \}\).
Proof
For a specific z, the \(V_{z}\) is the \(n1\)dim measure of the hypercrosssections between \(\left \{ \vec{Z}  \sum _{i=1}^{n} Z_{i}=z \right \}\) and \(\left \{ \vec{Z} 0\le Z_{i}<1 \right \}\). The normal of \(\sum _{i=1}^{n}Z_{i}=z\) is \(\vec{n}=\frac{1}{\sqrt{n}}\left (1,1,\ldots ,1\right )^{T}\). Taking the differential element dz, when z becomes \(z+dz\), the entire crosssection will shift \(\left (dz,0,\ldots ,0\right )\frac{1}{\sqrt{n}}\left (1,\ldots ,1 \right )=\frac{1}{\sqrt{n}}dz\) lengths above the normal n⃗, and the integral volume element is \(V_{z}\), then
i.e., \(f_{Z}(z)=V_{z}\frac{1}{\sqrt{n}}\). □
Now we can prove the proposition.
Proof of Proposition 2
Let \(r_{i}=2\xi _{i}+1\), where \(\xi _{i}\in \left [ \left \lfloor \frac{S}{2\omega _{i}d} \right \rfloor \right ]\). If n is even, then denote \(v=2\varsigma +1 \); otherwise, \(v=2\varsigma +2\). Now
then
where \(\mu \le \frac{1}{2}\sum _{i=1}^{n}\omega _{i}\). We denote \(\theta =\varsigma \mu \), then by Lemmas 2 and 4, we have
It can be seen that the statistical difference of v corresponding to different values of \(\omega _{i}\) mainly comes from the difference of θ, i.e., the difference of μ. Since \(\mu \le \frac{1}{2}\sum _{i=1}^{n}\omega _{i}\le \frac{nM}{2d}\ll n \sqrt{n}M^{2}\ll S\), the statistical difference will be very small. This is sufficient for realworld application scenarios, but we still need to explore the magnitude of the difference further, i.e., to calculate \(f_{Z}(\frac{2d}{S}\theta )\). Though the mathematical expression of \(f_{Z}(\cdot )\) is complex, it can be approximated through the Central Limit Theorem when n is large enough, i.e.,
Theorem 7
(LindebergLevy)
If all \(Z_{i}\) are independent and identically distributed, and \(\mathbb{E}\left [ Z_{i} \right ]=\mu _{z}\), \(\mathbb{D}\left [ Z_{i} \right ]=\sigma _{z}^{2}\), then when n is large enough, \(\bar{Z}=\frac{1}{n}Z=\frac{1}{n}\sum _{i=1}^{n}Z_{i}\) approximately follows a normal distribution \(N\left (\mu _{z},\frac{1}{n}\sigma _{z}^{2}\right )\), i.e.,
Here, \(\mu _{z}=\frac{1}{2}\), \(\sigma _{z}=\frac{1}{\sqrt{12}}\). Let \(z=n\mu _{z}+z'\frac{n\sigma _{z}}{\sqrt{n}}\), i.e., \(z'=\frac{\sqrt{n}}{n\sigma _{z}}\left (zn\mu _{z}\right )= \frac{\sqrt{12}}{\sqrt{n}}\left (z\frac{n}{2}\right )\), then
where \(0\le z\le n\), thus \(\left \lvert z\frac{n}{2}\right \lvert \le \frac{n}{2}\). Denote \(\hat{\mu} =\frac{n1}{2}\) or \(\frac{n2}{2}\), then
and
□
1.3 A.3 Proposition 3
Proposition 3
Assume that each \(e_{i}\in \left [ M \right ]^{o}\) is selected uniformly and randomly. If \(n_{I}\ge 3\), we have
Proof
For each prime \(p\in \left [ M \right ]^{op}\), we have
then
The subsequent derivation is consistent with the proof of Theorem 4. □
Rights and permissions
Open Access This article is licensed under a Creative Commons AttributionNonCommercialNoDerivatives 4.0 International License, which permits any noncommercial use, sharing, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if you modified the licensed material. You do not have permission under this licence to share adapted material derived from this article or parts of it. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/byncnd/4.0/.
About this article
Cite this article
Li, ZX., Liu, WJ. & Su, BM. Efficient quantum secure multiparty greatest common divisor protocol and its applications in private set operations. EPJ Quantum Technol. 11, 57 (2024). https://doi.org/10.1140/epjqt/s40507024002684
Received:
Accepted:
Published:
DOI: https://doi.org/10.1140/epjqt/s40507024002684