Hybrid protocols for multi-party semiquantum private comparison, multiplication and summation without a pre-shared key based on d -dimensional single-particle states

In this paper, by utilizing d -dimensional single-particle states, three semiquantum cryptography protocols, i.e., the multi-party semiquantum private comparison (MSQPC) protocol, the multi-party semiquantum multiplication (MSQM) protocol and the multi-party semiquantum summation (MSQS) protocol, can be achieved simultaneously under the assistance of two semi-honest quantum third parties (TPs). Here, the proposed MSQPC scheme is the only protocol which is devoted to judging the size relationship of secret integers from more than two semiquantum participants without a pre-shared key. And the proposed MSQM protocol absorbs the innovative concept of semiquantumness into quantum multiplication for the ﬁrst time, which can calculate the modulo d multiplication of private inputs from more than two semiquantum users. As for the proposed MSQS protocol, it is the only semiquantum summation protocol which aims to accomplish the modulo d addition of more than three semiquantum users’ private integers. Neither quantum entanglement swapping nor unitary operations are necessary in the three proposed protocols. The security analysis veriﬁes in detail that both the external attacks and the internal attacks can be resisted in the three proposed protocols.

Thereupon, a novel concept of semiquantumness was put forward by Boyer et al. [41,42] in the year of 2007, which means the birth of semiquantum cryptography.Unlike quantum cryptography schemes, semiquantum cryptography schemes [41][42][43][44] don't require semiquantum participants to prepare or measure quantum superposition states and quantum entangled states, which greatly saves experiment costs.In other words, the quantum users need to equip complete quantum capabilities, while the semiquantum participants are restricted to own limited abilities.In semiquantum cryptography, the first semiquantum private comparison (SQPC) protocol was proposed by Chou et al. [45] based on entanglement swapping of Bell states in the year of 2016, the first semiquantum summation (SQS) protocol was put forward by Zhang et al. [46] based on single photons in the year of 2021, and the semiquantum multiplication (SQM) protocol hasn't been designed until now.
Speaking of SQPC, it can be divided into two kinds: SQPC of equality [45,[47][48][49][50] and SQPC of size relationship [51][52][53][54][55][56].Compared with the former kind, the latter kind has more functions on determining the relationship of semiquantum participants' private inputs.In the year of 2021, by adopting d-dimensional Bell states, Zhou et al. [51] designed a SQPC scheme of size relationship with a pre-shared key; and by using d-dimensional GHZ states, Wang et al. [52] proposed a SQPC protocol of size relationship with a pre-shared key.In the year of 2022, by employing d-dimensional single-particle states, Li et al. [53] put forward two SQPC protocols of size relationship, each of which requires a pre-shared key, where the first protocol and the second protocol use the distribution model and the circle model to transmit particles, respectively; by utilizing d-dimensional Bell states, Luo et al. [54] designed a SQPC scheme of size relationship which requires a pre-shared key; and by employing d-dimensional single-particle states, Geng et al. [55] put forward a SQPC protocol of size relationship with a pre-shared key, where TP has no knowledge about the final comparison results; and in the year of 2023, Ye and Lian [56] put forward the first multi-party semiquantum private comparison (MSQPC) protocol of size relationship with d-dimensional single-particle states.Compared to SQPC schemes, SQS protocols [46,57,58] have been few up to now.More seriously, there is no SQS scheme which can implement the modulo d addition of secret integers from more than three semiquantum participants within one round implementation.
According to the foregoing discussion, in this paper, we utilize d-dimensional singleparticle states to design three semiquantum cryptography protocols, i.e., the MSQPC protocol, the multi-party semiquantum multiplication (MSQM) protocol and the multiparty semiquantum summation (MSQS) protocol.Note that only under the assistance of two semi-honest quantum third parties (TPs) can the goals of the three proposed protocols be achieved, where the semi-honest TPs are permitted to try their best to eavesdrop secret integers of semiquantum participants but cannot collude with anyone else.The proposed MSQPC protocol is the only MSQPC protocol which can implement the com-parison of size relationship of more than two semiquantum participants' private inputs within one execution of protocol, with no requirement of a pre-shared key.The proposed MSQM protocol is the first scheme absorbing the innovative concept of semiquantumness into quantum multiplication, which is devoted to computing the modulo d multiplication of secret integers from more than two semiquantum users within one round implementation.Note that within a d-dimensional quantum system, semiquantum users are typically constrained to the following operations: (a) measuring the qudits in the Z basis {|0 , |1 , . . ., |d -1 }; (b) preparing the fresh qudits in the Z basis; (c) transmitting or reflecting the qudits without disturbance; and (d) recordering the qudits via various delay lines.As for the proposed MSQS protocol, it is also the pioneer scheme of SQS, aiming to compute the modulo d addition of private integers from more than three semiquantum users within one execution of protocol.Neither quantum entanglement swapping nor unitary operations are required in the three proposed protocols.Besides, the usage of quantum resources for the three proposed schemes is identical, as the only section where quantum resources are utilized is in Sect.2.1 during the key-sharing process.

Description of protocols
In a d-dimensional Hilbert space, two common conjugate bases can be described as and Here, F is the d-dimensional discrete quantum Fourier transform, F|t = 1 d |δ and t = 0, 1, . . ., d -1.There are N semiquantum users, P 1 , P 2 , . . ., P N , and two quantum TPs, TP 1 and TP 2 , where the TPs are required to have complete quantum capabilities, while P 1 , P 2 , . . ., P N are merely asked to possess restricted quantum abilities.It is worth noting that both TP 1 and TP 2 are semi-honest, which means that they can launch all possible attacks to steal private inputs of N semiquantum users except colluding with anyone else.Assume that P n possesses a L-length secret integer string p n = {p 1 n , p 2 n , . . ., p L n }, where P n denotes the nth semiquantum participant, p i n denotes the ith private integer of nth semiquantum participant, p i n ∈ {0, 1, . . ., d -1}, n = 1, 2, . . ., N and i = 1, 2, . . ., L. The quantum channels are assumed to be ideal, and the classical channels are assumed to be authenticated.
This paper proposes a hybrid protocol which initially designs a semiquantum key distribution (SQKD) scheme based on d-dimensional single particles in Sect.2.1, followed by the use of traditional mathematical methods to achieve multi-party private comparison, multiplication, and summation in Sect.2.2, Sect.2.3 and Sect.2.4, respectively.The term "hybrid" means that the proposed multi-party semiquantum private comparison scheme, the proposed multi-party semiquantum multiplication scheme and the proposed multiparty semiquantum summation scheme share the SQKD scheme based on d-dimensional single-particle states together.The SQKD scheme based on d-dimensional single particles aims to create a semiquantum private key between P n and TP 1 and a semiquantum private key between P n and TP 2 by using d-dimensional single particles.To make it much easier to understand the process of the proposed hybrid protocols, we create a concise flowchart, depicted in Fig. 1.

Common procedures of protocols
Step 1: TP 1 prepares N d-dimensional single-particle state sequences S 1 , S 2 , . . ., S N whose particles are randomly picked out from two sets T 1 and T 2 but excluding |0 .Note that for the successful implementation of the three proposed protocols, the minimum number of particles in S n should be 8L.Here, let S n = {S 1 n , S 2 n , . . ., S 8L n } for n = 1, 2, . . ., N , where S l n denotes the lth particle of S n and l = 1, 2, . . ., 8L.Furthermore, TP 1 sends S n to P n through a quantum channel.Note that except the first particle, TP 1 sends out the next particle of S n to P n only after receiving the previous one from P n .
Step 2: P n randomly enters into the REFLECT mode or the MEASURE mode after gaining the lth particle from TP 1 .Here, the REFLECT mode means to reflect the received particle back without any disturbance, while the MEASURE mode implies to measure the received particle with the T 1 basis, record the measurement result, prepare the fresh quantum state as found and return the fresh particle back to the sender.The new sequence after P n performs her operations on S n is represented by S n .
Step 3: After receiving all particles of S n from P n , TP 1 announces P n the positions where the particles were produced within the T 1 basis, and P n publishes TP 1 her specific operation modes on the particles of S n .Based on the announced information, TP 1 implements the corresponding operations as shown in Table 1.
Case 1: P n has applied the REFLECT mode to the received particle prepared within the T 1 basis.After measuring S l n with the T 1 basis, TP 1 compares her measurement result with the corresponding initially prepared state to determine whether there is an eavesdropper or not, where l ∈ {1, 2, . . ., 8L}.If there is no eavesdropper, this protocol will be proceeded; Case 2: P n has applied the REFLECT mode to the received particle prepared within the T 2 basis.After measuring S l n with the T 2 basis, TP 1 compares her measurement result with the corresponding initially prepared state to judge whether there is a stealer or not, where l ∈ {1, 2, . . ., 8L}.If there is no stealer, this protocol will be proceeded; Case 3: P n has applied the MEASURE mode to the received particle prepared within the T 2 basis and TP 1 takes no action.It is noteworthy that this Case is ignored; Case 4: P n has applied the MEASURE mode to the received particle prepared within the T 1 basis.TP 1 measures S l n with the T 1 basis.TP 1 randomly picks out half particles belonging to this Case in her hand.Then, TP 1 announces P n the selected positions, and then P n publishes TP 1 her measurement results on the corresponding positions.Afterward, TP 1 can know whether there is an eavesdropping behavior or not by comparing her measurement results, the corresponding initially prepared states and the measurement results published by P n .If there is no eavesdropping behavior, this protocol will be proceeded.
Step 4: TP 1 counts the number of remaining particles in Case 4. If this quantity is less than L, the communication will be suspended and restarted from Step 1.Then, P n and TP 1 select the first L particles from the remaining particles in Case 4 and record the corresponding measurement results as x n = {x 1 n , x 2 n , . . ., x L n }, where x i n ∈ {1, 2, . . ., d -1}, n = 1, 2, . . ., N and i = 1, 2, . . ., L.
Step 5: TP 2 executes the same procedures as TP 1 in Steps (1)-( 4), in order to make TP 2 and P n also share a L-length secret sequence represented by y n = {y 1 n , y 2 n , . . ., y L n }, where y i n ∈ {1, 2, . . ., d -1}, i = 1, 2, . . ., L and n = 1, 2, . . ., N .Additionally, it is important to clarify why the minimum particle number in S n should be 8L.In Case 4, the number of particles used for privacy comparison should be L, consequently requiring the number of particles for eavesdropping detection greater than or equal to L. This suggests that the particle number in Case 4 should be greater than or equal to 2L .Given that the particles in S n are distributed in the four Cases with equal probabilities, the quantity of particles in S n should be greater than or equal to 8L.

Protocol for multi-party semiquantum private comparison
It is necessary to highlight that the value range of p i n needs to be reset, i.e., p i n ∈ {0, 1, . . ., h}, where h = d-1 2 and the symbol denotes the floor operation.For instance, if d = 12, then h = 12-1 2 = 5.5 = 5.

Example
For the sake of further supporting the foregoing analysis of output correctness of the presented MSQPC protocol, a specific example is given in detail.Suppose that P 1 , P 2 , P 3 , P 4 are four semiquantum participants whose first private inputs are p 1 1 = 0, p 1 2 = 6, p 1  3 = 4, p 1 4 = 8, respectively in a 17-dimensional quantum system; after measuring the qudits prepared by TP 1 , P 1 , P 2 , P 3 , , respectively; and after measuring the qudits prepared by TP 2 , P 1 , P 2 , P 3 , P 4 acquire y  6).Furthermore, according to Eq. ( 7), Therefore, we can conclude that the comparison results of the proposed MSQPC protocol are right.

Output correctness
In the light of Eqs. ( 8)- (10), it can be deduced that After inserting Eq. ( 19) into Eq.(11), it has for i = 1, 2, . . ., L, which validates that the output correctness of multiplication results in the proposed MSQM protocol.

Simulation based on IBM's Qiskit
To further demonstrate the output correctness of three proposed protocols, we conduct the simulation experiment by utilizing IBM's Qiskit without considering the eavesdropping check processes.The three proposed protocols only utilize d-dimensional singleparticle states as quantum resources and perform d-dimensional single-particle measurements, which suggests that only when the quantum measurement results on single photons are accurate can the output correctness of protocols be guaranteed.It is easy to construct the quantum measurement circuit for single photon.In the following, we will simulate out the measurement outcomes of four single photons, considering a quantum system with a level of 8.The simulated quantum measurement circuits for |6 , |7 , F|6 and F|7 are shown in Figs.2- Based on Figs.2-5, it can be concluded that the measurement outcomes on single photons are entirely accurate.This implies that the output correctness of three proposed protocols can be guaranteed, as they only necessitate the d-dimensional single-particle measurements.

Security analysis 5.1 Outside attacks
To steal the confidential integer sequence p n , an outside eavesdropper, Eve, may launch seven types of attacks during Steps (1)-( 5), i.e., the intercept-resend attack, the measureresend attack, the entangle-measure attack, the double controlled-not (CNOT) attacks, the Trojan horse attacks, the collective attack and the coherent attack.Note that either in the quantum channel between TP 1 and P n or between TP 2 and P n , Eve always acts equally.Consequently, we only discuss the security of the quantum channel between TP 1 and P n .
(1) The intercept-resend attack Eve intercepts the particle of S n from TP 1 to P n and sends P n the fake one she has already produced in the T 1 basis in Step 1; after P n implements her operation on the fake particle, Eve intercepts the corresponding particle of S n from P n to TP 1 and transmits TP 1 the intercepted genuine one of S n in Step 2. When the intercepted genuine particle is prepared in the T 2 basis, no matter what mode P n has entered into, the existence of Eve cannot be Considering that the intercepted genuine particle is produced in the T 1 basis, if P n has entered into the REFLECT mode, the eavesdropping behavior of Eve cannot be detected in Case 1 of Step 3; if P n has entered into the MEASURE mode, the probability that the intercepted particle is chosen for eavesdropping detection is 1  2 , and the probability that P n 's measurement result on the fake particle is not same to the corresponding initial prepared state and TP 1 's measurement result on the intercepted genuine particle of S n is d-2 d-1 , so the existence of Eve can be discovered with the probability of d-2 2d-2 in Case 4 of Step 3, which validates that Eve's eavesdropping behavior on one of the particles transmitted between TP 1 and P n cannot be detected with the probability of d 2d-2 .Consequently, the probability that Eve's this intercept-resend attack on the 8L particles of S n can be discovered is 1 -( d 2d-2 ) 8L , which will approach to 1 if L is large enough.
(2) The measure-resend attack In Step 1, Eve intercepts the particle of S n from TP 1 to P n , utilizes the T 1 basis to measure it and transmits the resulted state to P n .When the intercepted particle is in the T 1 basis, the presence of Eve cannot be detected either in Case 1 or Case 4 of Step 3, no matter what mode P n has entered into.Considering that the intercepted particle is in the T 2 basis, when P n has entered into the MEASURE mode, the eavesdropping behavior of Eve cannot be discovered in Case 3 of Step 3, as the intercepted particle is not chosen for security check; when P n has entered into the REFLECT mode, the presence of Eve will be detected undoubtedly in Case 2 of Step 3, as Eve's measurement destroys the quantum superposition state of the intercepted particle.
(3) The entangle-measure attack As shown in Fig. 6, Eve launches her entangle-measure attack on the transmitted particle by employing two unitary operations U E and U F , where U E is imposed on the particle of S n from TP 1 to P n in Step 1 and U F is performed on the particle of S n from P n to TP 1 in Step 2. As illustrated in Refs.[41,42], U E and U F share a common probe space with the auxiliary state | , where Eve is permitted by the shared probe to launch the attack on the particle of S n on the basis of the knowledge gained from U E .
Theorem 1 Suppose that Eve implements U E on the qudit from TP 1 to P n in Step 1 and imposes U F on the qudit from P n to TP 1 in Step 2. For introducing no error in Step 3, the final state of Eve's probe should be independent of not only the operations of P n and TP 1 , but also their measurement results.Consequently, Eve fails to acquire knowledge about x n .
Proof For convenience, we utilize |t and |G t to denote the T 1 basis and the T 2 basis, respectively, where d |δ and t = 0, 1, . . ., d -1.(i) Consider the situation that the particle attacked by Eve in Step 1 is prepared in the T 1 basis.
In the light of Ref. [55], the effect of U E on the particle and Eve's probe can be described as where the probe |ω tt are decided by U E , d-1 t =0 |λ tt | 2 = 1 and t = 0, 1, . . ., d -1.When P n intends to enter into the MEASURE mode, in order to get rid of the eavesdropping check in Case 4, Eve should make P n 's measurement result on the attacked particle be the same to the corresponding initial prepared state.Hence, it can be deduced that for t = t .After P n performed the MEASURE mode, the global state of composite system was collapsed into λ tt |t |ω tt in accordance with Eq. ( 23) and Eq. ( 24).In order to escape the security check in Case 4, Eve should make P n 's measurement result on the attacked particle of S n be the same to TP 1 's measurement result on the corresponding particle of S n .Thus, the whole quantum system after being applied with U F should be which means that U F is not allowed to alter the quantum state of S n .
When P n has chosen the REFLECT mode, by virtue of Eqs. ( 23)-( 25), the whole quantum system after being applied with U F should be which means that TP 1 's measurement result on the particle of S n is naturally same to the corresponding initial prepared state.As a result, as long as Eqs.( 24), ( 25) are established, the eavesdropping behavior of Eve cannot be discovered in Case 1 of Step 3.
(ii) Consider the situation that the attacked particle is prepared in the T 2 basis.Combining Eq. ( 23) and Eq. ( 24), we obtain When U E is implemented on the particle prepared in the T 2 basis and Eve's probe, the global composite system should be On the basis of Eq. ( 27) and Eq. ( 28), it can be derived that When P n has chosen the MEASURE mode, the trace of Eve will never be discovered in Case 3 of Step 3, as there is no eavesdropping detection in this Case.When P n has chosen the REFLECT mode, based on Eq. ( 25) and Eq. ( 29), the whole quantum system after being applied with U F should be In the light of the inverse quantum Fourier transform, it can be deduced that where δ = 0, 1, . . ., d -1.Inserting Eq. ( 31) into Eq.( 30) generates In order to escape the security check in Case 2 of Step 3, Eve should make TP 1 's measurement result on the particle of S n be the same to the corresponding initial prepared state.Hence, in accordance with Eq. ( 32), it can be deduced that for t = j, where t, j = 0, 1, . . ., d -1.Obviously, for any t = j, we obtain Combining Eq. ( 33) and Eq. ( 34), it can be derived that (iii) Inserting Eq. ( 35) into Eq.( 25) produces which means that Eve cannot extract any knowledge about x i n , under the condition that the attacked particle is prepared in the T 1 basis and P n enters into the MEASURE mode.Then, inserting Eq. ( 35) into Eq.( 26) produces which means that Eve cannot obtain x i n , under the condition that the attacked particle is prepared in the T 1 basis and P n enters into the REFLECT mode.Furthermore, inserting Eq. ( 35) into Eq.( 32) produces which means that Eve has no knowledge about x i n , under the condition that the attacked particle is prepared in the T 2 basis and P n enters into the REFLECT mode.
By virtue of Eqs. ( 36)-( 38), it can be concluded that when Eve implements U E on the qudit from TP 1 to P n in Step 1 and imposes U F on the qudit from P n to TP 1 in Step 2. For introducing no error in Step 3, the final state of Eve's probe should be independent of not only the operations of P n and TP 1 , but also their measurement results.Consequently, Eve fails to acquire knowledge about x n .
(4) The double CNOT attacks In accordance with Ref. [49], Eve initiates the first CNOT attack in Step 1, employing the particle of S n and her ancillary particle as the control qudit and the target qudit, respectively.Subsequently, Eve proceeds with the second CNOT operation on the particle of S n as the control qudit and her auxiliary particle as the target qudit in Step 2, with the aim of extracting the information about P n 's operation from her auxiliary particle.For convenience, we adopt |t and |G t to represent the T 1 basis and the T 2 basis, respectively, where d |δ and t = 0, 1, . . ., d -1.In a d-level quantum system, the CNOT operation can be described as where the symbol ⊕ denotes the modulo d addition.
(i) Consider the scenario where the initial particle of S n is prepared in the T 1 basis.After Eve performs the first CNOT attack U CT(d) on the single photon |t S and her ancillary qudit |ε E in Step 1, the global state of the composite system is evolved into for t = 0, 1, . . ., d -1, where ε is a constant that can take any value from 0 to d -1.Afterward, P n executes the REFLECT mode or the MEASURE mode on the received particle.It is worth noting that regardless of the mode P n has chosen, the new quantum system after undergoing the second CNOT attack launched by Eve in Step 2 will collapse into Based on Eq. ( 40) and Eq. ( 41), it can be understood that TP 1 's measurement result on the particle of S n is automatically identical to P n 's measurement result on the particle of S n and the initial prepared state of S n , which implies that Eve can evade the security check in both Case 1 and Case 4 of Step 3.
(ii) Consider the scenario where the initial prepared state of S n is in the T 2 basis.When the single particle |G t S and the auxiliary qudit |ε E generated by Eve are subjected to the first CNOT operation U CT(d) in Step 1, the composite system global state is evolved into for t = 0, 1, . . ., d -1, where ε is a constant that can take any value from 0 to d -1.After P n has applied the REFLECT mode to the received particle, Eve launches the second CNOT operation in Step 2, which can be depicted as in accordance with Eq. ( 39) and Eq.(42).In order to escape the eavesdropping detection in Case 2 of Step 3, Eve should make TP 1 's measurement result on the particle of S n be same to the initial produced particle state of S n , which means that the values of δ ⊕ δ should consistently be a constant for δ = 0, 1, . . ., d -1 according to Eq. ( 43).
(iii) By consolidating the foregoing discussions, we can draw the following two judgements.
Firstly, considering that d is equal to 2. Then, regardless of whether t = 0 or t = 1, we can consistently deduce that the value of t ⊕ t is equal to 0. Hence, Eq. ( 41) and Eq. ( 43) will transform into and respectively.On the basis of Eq. ( 44) and Eq. ( 45), we can infer that Eve's attacks cannot be discovered in Step 3. Nevertheless, Eve still has no way to obtain the information about P n 's operation, due to that her auxiliary particle |ε E consistently stays unchanged.It can be concluded that if d is equal to 2, Eve will acquire nothing by performing the double CNOT operations on the particles transmitted in the quantum channel between TP 1 and P n in Step 1 and Step 2. Secondly, considering that d is greater than 2. When δ takes all values from 0 to d -1, the corresponding d values of δ ⊕ δ must not be a constant.Therefore, according to Eq. ( 43), TP 1 's measurement result on S n must not be same to the initial produced state, which implies that if d is greater than 2, Eve's double CNOT attacks will inevitably be detected in Case 2 of Step 3.
(iv) Overall, by initiating the double CNOT attacks on the qudits transmitted between TP 1 and P n in Step 1 and Step 2, Eve fails to eavesdrop the information about P n 's operation without being detected, not to mention the knowledge about x n .
(5) The Trojan horse attacks As the particles of S n travel from TP 1 to P n and back from P n to TP 1 , we need to address two kinds of Trojan horse attacks launched by Eve: the delay-photon Trojan horse attack [59,60] and the invisible photon eavesdropping attack [61].Both these attacks involve stealing the information about P n 's operation by inserting a tail-made photon produced by Eve into the one transmitted between TP 1 and P n .To guarantee the security of the proposed protocols, P n employs a photon beam splitter (PBS: 50/50) to divide each sample signal into two pieces and measure them, which can effectively resist the former type of attack.[60,62] As for the latter type of attack, P n utilizes a wavelength filter to process each signal before executing the operation.[60,62] (6) The collective and coherent attacks The collective attack represents a class of attacks that exploit the vulnerabilities within a quantum communication system.The coherent attack denotes a type of attack that takes advantage of the coherence of quantum systems.According to Ref. [22], Eve generates an autonomous ancillary particle to communicate with each qudit and jointly performs the measurement operation on all the ancillary qudits, which can be seen as the collective attack.In the coherent attack, Eve produces an individual ancillary particle, intercepts the participant's particle and conducts the measurement process within the computational basis {|1 , |2 , . . ., |d -1 }.Unfortunately, Eve's trace will undoubtedly be discovered based on the deduction of Eqs. ( 23)-( 45), indicating that she has no way to acquire p n .

Participant attacks
(1) The participant attack from one dishonest user In the three proposed protocols, the semiquantum subscribers P 1 , P 2 , . . ., P N play the equal roles all the time.Without losing generality, it is assumed that P 1 is the dishonest user who tries her best to steal the secret integers of the remaining N -1 participants.
Firstly, in Steps ( 1)-( 5), to acquire x a = {x 1 a , x 2 a , . . ., x L a } or y a = {y 1 a , y 2 a , . . ., y L a }, P 1 may launch her attacks on the qudits between TP 1 and P a or between TP 2 and P a , where a = 2, 3, . . ., N .Nevertheless, P 1 is independent from P a , TP 1 and TP 2 , which makes her play the role of an outside eavesdropper.Consequently, in the three proposed protocols, P 1 has no information about x a and y a in accordance with Sect.5.1.
Secondly, in Step 6 , P 1 may hear of c i a sent out from P a and χ i n n sent out from TP 2 , but she cannot acquire p i a according to Eq. ( 3) and Eq. ( 4), due to that she is unable to obtain x i a and y i a simultaneously.Then, in Step 7 , although P 1 may hear of the final comparison results from TP 1 , she still cannot obtain p i a .Thirdly, in Step 6 , P 1 may hear of g i a sent out from P a and β i sent out from TP 2 , but she has no way to infer out p i a in accordance with Eq. ( 8) and Eq. ( 9), because of being short of both x i a and y i a .Besides, in Step 7 , P 1 may hear of the final multiplication results from TP 1 , but she still has no chance to get p i a .Fourthly, in Step 6 , P 1 may hear of μ i a sent out from P a and ν i sent out from TP 2 , but she is unable to acquire p i a based on Eq. ( 12) and Eq. ( 13), due to lack of both x i a and y i a .Furthermore, in Step 7 , P 1 may hear of the final summation results from TP 1 , but she still has no idea about p i a .In short, one dishonest user cannot acquire the private inputs of remaining N -1 users in the three proposed protocols.
Firstly, in Steps ( 1)-( 5), to acquire . ., y L b }, P 1 , P 2 , . . ., P b-1 , P b+1 , . . ., P N may launch their attacks on the qudits between TP 1 and P b or between TP 2 and P b .Obviously, the union of P 1 , P 2 , . . ., P b-1 , P b+1 , . . ., P N is independent from P b , TP 1 and TP 2 , making the union of N -1 participants play the role of an external attacker.As a result, P 1 , P 2 , . . ., P b-1 , P b+1 , . . ., P N has no way to get the knowledge about x b or y b according to Sect.5.1.
Secondly, in Step 6 , P 1 , P 2 , . . ., P b-1 , P b+1 , . . ., P N may steal c i b sent out from P b and χ i n n sent out from TP 2 , which means that y i b can be decoded out in the light of Eq. ( 4).Nevertheless, P 1 , P 2 , . . ., P b-1 , P b+1 , . . ., P N still cannot obtain p i b based on y i b and c i b , because of being short of x i b , according to Eq. ( 3).Then, in Step 7 , although P 1 , P 2 , . . ., P b-1 , P b+1 , . . ., P N may hear of the final comparison results from TP 1 , they still has no way to extract p i b .Thirdly, in Step 6 , P 1 , P 2 , . . ., P b-1 , P b+1 , . . ., P N may steal g i b sent out from P b and β i sent out from TP 2 , in which y i b can be derived out based on β i and y i 1 , y i 2 , . . ., y i b-1 , y i b+1 , . . ., y i N , according to Eq. ( 9).Unfortunately, P 1 , P 2 , . . ., P b-1 , P b+1 , . . ., P N has no chance to obtain p i b which is encrypted by x i b and y i b , in accordance with Eq. ( 8).Furthermore, in Step 7 , P 1 , P 2 , . . ., P b-1 , P b+1 , . . ., P N may hear of the final multiplication results from TP 1 , but they are still helpless in getting p i b .Fourthly, in Step 6 , P 1 , P 2 , . . ., P b-1 , P b+1 , . . ., P N may hear of μ i b sent out from P b and ν i sent out from TP 2 , so they can infer out y i b according to Eq. ( 13).However, P 1 , P 2 , . . ., P b-1 , P b+1 , . . ., P N has no chance to obtain p i b based on Eq. ( 12), due to lack of x i b .Besides, in Step 7 , P 1 , P 2 , . . ., P b-1 , P b+1 , . . ., P N may hear of the final summation results from TP 1 , but they still cannot acquire p i b .In conclusion, two or more users has no chance to acquire the secret integers of remaining users in the three proposed protocols.
(3) The participant attack from semi-honest TP 1 It is assumed that TP 1 cannot be allowed to conspire with anyone else.On the one hand, TP 1 may launch her attacks on the qudits between TP 2 and P n to steal y i n ; nevertheless, her eavesdropping behaviors are definitely detected according to Sect.5.1.On the other hand, TP 1 receives c i n /g i n /μ i n and χ i n n /β i /ν i from P n and TP 2 , respectively; however, she cannot infer out p i n , due to lack of y i n , according to Eq. (3)/Eq.( 8)/Eq.( 12).In addition, the final comparison/multiplication/summation results cannot work in getting p i n either.(4) The participant attack from semi-honest TP 2 It is assumed that TP 2 cannot be permitted to collude with anyone else.On the one hand, TP 2 may launch her attacks on the particles between TP 1 and P n to get x i n , but she is undoubtedly discovered based on Sect.5.1.On the other hand, TP 2 may hear of c i n /g i n /μ i n from P n to TP 1 in Step 6 / Step 6 / Step 6 ; nevertheless, she has no chance to acquire p i n , because of being short of x i n , in accordance with Eq. (3)/Eq.(8)/Eq.( 12).In addition, TP 2 may hear of the final comparison/multiplication/summation results from TP 1 , but is still helpless for her to get p i n .

Discussions and conclusions
The proposed hybrid protocol can achieve the multi-party semiquantum private comparison scheme, the multi-party semiquantum multiplication scheme and the multi-party semiquantum summation scheme simultaneously under the help of two TPs.Here, TP 1 and TP 2 mutually supervise each other.The function of TP 1 is to create a semiquantum private key x n with P n ; in the meanwhile, TP 2 creates a semiquantum private key y n with P n .Some existing semiquantum private comparison [55] and summation protocols [46] only need one TP.However, in practical applications, these protocols can only be applied to the scenario with a single authority center.However, a protocol with two TPs, such as our hybrid protocol, can be applied to the situation with two mutually supervising authority centers.In addition, our hybrid protocol can be applied into many scenarios, such as voting, ranking, bidding, and so on.
As illustrated in Ref. [55], the qudit efficiency is utilized to calculate the communication efficiency of a quantum protocol suitable for the d-dimensional Hilbert space, which is defined as Here, κ, τ and ξ are the length of private inputs established, the number of qudits consumed and the number of classical bits expended, respectively.Note that we neglect the classical resources expended during the eavesdropping detection processes.
In the proposed MSQPC protocol, the length of p n is L, so we gain κ = L. TP 1 /TP 2 prepares N groups of 8L d-dimensional single-particle states and transmits them to the semiquantum participants; after getting the qudits from TP 1 /TP 2 , when P n enters into the MEASURE mode, she is asked to produce 4L fresh qudits based on the found states within the T 1 basis; so we obtain τ = (8L × N + 4L × N) × 2 = 24NL.Then, P n and TP 2 send c i n and χ i n n to TP 1 , respectively, where n = 1, 2, . . ., N , n = 2, 3, . . ., N , n > n and i = 1, 2, . . ., L. Hence, we have ξ . Whether in the proposed MSQM protocol or MSQS protocol, by adopting the same analysis method as foregoing discussion, we can obtain κ = L and τ = 24NL.Furthermore, P n and TP 2 send g i n /μ i n and β i /ν i to TP 1 , respectively, where i = 1, 2, . . ., L. Therefore, it can be deduced that ξ = L × N + L = (N + 1)L.Consequently, the qudit efficiency of the proposed MSQM protocol or MSQS protocol is η = L 24NL+(N+1)L = 1 25N+1 .In the SQPC protocol of Ref. [55], the length of Alice's or Bob's secrets is n, so we get κ = n.The minimum number of d-dimensional single-particle states generated by TP should be 16n; then, TP sends 8n particles to Alice and 8n particles Bob; when Alice and Bob enter into the MEASURE mode, they send the freshly prepared qudits to TP.Furthermore, this protocol adopts the SQKD protocol [63] to produce the pre-shared keys among Alice and Bob, consuming 24n qudits.Hence, we obtain τ = 16n + 4n + 4n + 24n = 48n.In addition, Alice sends R i A to TP while Bob sends R i B to TP. TP needs to announce r i to Alice and Bob.As a result, we obtain ξ = 3n.It can be concluded that the qudit efficiency of the protocol in Ref. [55] is η = n 48n+3n = 1 51 .Using the same method, we obtain that the qudit efficienies of the protocol of Ref. [51], the protocol of Ref. [52], the first protocol of Ref. [53], the second protocol of Ref. [53] and the protocol of Ref. [54] are 1  50 , 1 42 , 1 50 , 1 14 and 1 38 , respectively.In the proposed MSQPC protocol, when N = 2, the corresponding qudit efficiency is 1  51 .With respect to qudit efficiency, compared to the protocols of Refs.[51][52][53][54][55], our MSQPC protocol does not have an advantage, but is very close to the protocol of Ref. [51] and the first protocol of Ref. [53].The protocols of Refs.[51][52][53][54][55] can only achieve the private comparison between two semiquantum users.Fortunately, the proposed hybrid protocol can achieve the semiquantum private comparison, the semiquantum multiplication and the semiquantum summation simultaneously among more than two semiquantum participants, which may decrease the qudit efficiency.
In addition, we compare the proposed MSQPC protocol with the present SQPC protocols of size relationship in Refs.[51][52][53][54][55], as shown in Table 2.In accordance with Table 2, the proposed MSQPC protocol is superior to the protocols of Refs.[51,52,54] in quantum resources, as d-dimensional single-particle states are much easier to produce than d-dimensional Bell states and d-dimensional GHZ states; on the usage of a pre-shared key, the proposed MSQPC protocol defeats the protocols of Refs.[51][52][53][54][55], as it has no demand for a pre-shared key; due to no use of unitary operations, the proposed MSQPC protocol exceeds the second protocol of Ref. [53]; as for the quantum measurements from quantum parties, the proposed MSQPC protocol takes advantage over the protocols of Refs.[51,52,54], due to that it doesn't require d-dimensional GHZ state measurements The first protocol of Ref. [53] d-dimensional single-particle The second protocol of Ref. [53] d-dimensional single-particle Ref. [54] d-dimensional Bell states Ref. [55] d-dimensional single-particle or d-dimensional Bell state measurements; and the proposed MSQPC protocol, aiming to determine the size relationship of more than two semiquantum participants' private inputs within one round implementation, is the only one which doesn't require a pre-shared key.
In conclusion, in this paper, by utilizing d-dimensional single-particle states, the first MSQPC protocol without a pre-shared key, aiming to judge the size relationship of more than two semiquantum users' secret integers, is put forward; the first MSQM protocol integrating the concept of semiquantumness into quantum multiplication is put forward, which is devoted to computing the modulo d multiplication of secret integers from more than two semiquantum participants; and the first MSQS protocol which can calculate the modulo d addition of private inputs from more than three semiquantum users is put forward.It is noteworthy that only under the control of two TPs can the goals of the three proposed protocols be achieved, where the semi-honest TPs are allowed to launch arbitrary attacks but cannot cooperate with anyone else.
The three proposed protocols have no demand for quantum entanglement swapping and unitary operations.Both the outside attacks and the participant attacks can be resisted in the three proposed protocols.

Figure 1
Figure 1 The flow chart for the proposed hybrid protocols

Figure 2 Figure 3 Figure 4 Figure 5
Figure 2 (a) Quantum circuit of the single-particle state |6 (b) The simulation results of (a)

Figure 6
Figure 6Eve's entangle-measure attack with U E and U F

Table 1
TP 1 's operations under different Cases

Table 2
Comparison of the proposed MSQPC protocol with the present SQPC protocols of size relationship