Different secure semi-quantum summation models without measurement

Secure semi-quantum summation entails the collective computation of the sum of private secrets by multi-untrustworthy and resource-limited participants, facilitated by a quantum third-party. This paper introduces three semi-quantum summation protocols based on single photons, where eliminating the need for classical users to possess measurement capabilities. Two-party protocol 1 and protocol 2 are structured upon diﬀerent models: star and ring, respectively. The security analysis extensively evaluates the protocols’ resilience against outside and inside attacks, demonstrating protocols are asymptotically secure. Protocol 3 extends two-party protocol 1 to multi-party scenarios, broadening its applicability. Comparison reveals a reduction in the workload for classical users compared to previous similar protocols, and the protocols’ correctness are visually validated through simulation by Qiskit.


Introduction
Quantum communication employs qubits as carriers of information exchange, surpassing the limitations of classical information technology in ensuring information security and other aspects.Leveraging the unique physical properties of quantum mechanics, it guarantees non-eavesdropping keys, thus achieving unconditional secure quantum communication in principle and introducing novel concepts for network security [1][2][3][4].The BB84 protocol [5], as the pioneering quantum key distribution (QKD) protocol, showcases the potential of utilizing quantum principles for secure communication, laying the groundwork for the exploration of quantum cryptographic protocols [6][7][8].Building upon the foundational work in QKD, researchers have delved into quantum protocols extending beyond secure communication to encompass secure computation [9][10][11][12].
Secure multi-party computation (SMC) is a technology enabling multiple parties to collectively compute a predetermined function result without revealing their private data [13,14].This technology finds applications in areas such as electronic voting, threshold signatures, and electronic auctions, serving as the cryptographic bedrock for these implementations.However, in 1994, Shor demonstrated the efficacy of quantum algorithms in rapidly factoring large prime numbers [15].In light of quantum computing, classical SMC faces significant threats [16], as it fails to offer robust security reliant on computational power keys.Quantum secure multi-party computation (QSMC) entails integrating fundamental principles of quantum mechanics into the protocol design of secure multi-party computation [17,18], ensuring resistance against quantum computing attacks and delivering enhanced security performance while fulfilling the function of secure multi-party computation.
Quantum secure multi-party summation (QSMS) is a subfield of QSMC, which can be seen as an extension of classical multi-party privacy summation in the field of quantum mechanics [19][20][21][22][23].The main purpose of QSMS is to calculate the sum of n participant secret values without revealing their secrets.It can be definition as follows: N participants P 1 , P 2 , . . ., P N try to calculate a summation function f (y 1 , y 2 , . . ., y N ), where y i ∈ {y 1 , y 2 , . . .y N } are present participant P i 's private input.
While research on quantum information technology is still in its nascent stages, technologies such as quantum communication and quantum computing present challenges due to their complexity and difficulty of application in current work and life scenarios.Additionally, quantum devices entail high costs and intricate operations, with stringent requirements for preparing, storing, and transmitting quantum states.The semi-quantum secure communication protocol proposed by Boyer et al. [24] effectively addresses the bottleneck in the current development of quantum secure communication.It offers a relatively easier implementation while ensuring security.This protocol allows one party to possess full quantum capability, while the other party's quantum capability remains limited, thus enabling secure communication between quantum users and classical users.
In the semi-quantum secure communication protocol model, both quantum users and classical users require access to a two-way quantum channel [25][26][27].Initially, qubits are transmitted from the quantum user to the classical user and then returned to the quantum user.Upon receiving each qubit, the classical user selects one of the following options: (1) Measurement: conduct a Z-basis measurement on the received particles.(2) Preparation: prepare a quantum state using the Z-basis and send it back to the quantum user.(3) Measurement and resend: perform Z-basis measurements on the received particles and then resend the results to the quantum user as Z-basis particles.This operation combines the above two actions, with the restriction that classical users always send the same state they measure.(4) Reflection: return the particles to the quantum users without any alteration.
(5) Rearrangement: rearrange the received qubits without interfering with their states.The classical user does not ascertain the specific qubits, he only reorders them.
The first three-party semi-quantum summation (SQS) protocol was introduced by Zhang et al. [28] in 2021, utilizing single-qubit-based computation to calculate the summation of participants' private inputs.In comparison, the protocol proposed by Hu et al. [29] exhibited improved quantum measurement performance for quantum participants and potentially higher qubit efficiency in 2022.Subsequently, Ye et al. presented a more practical protocol capable of resisting collective-dephasing noise, although it failed to achieve the participants' summation results if a trusted party is absent [30].In 2024, Lian et al. expanded from dimension 2 to dimension d, aiming to facilitate modulo d addition for more than three semi-quantum users' private integers [31].
However, ongoing research on SQS faces several challenges: (1) Requirement for classical participants: All classical participants must possess the capability to measure and prepare qubits.(2) Communication mode: The communication mode is relatively lim-ited, achieving star communication but not ring communication.(3) Lack of simulation verification: There is a lack of simulation verification for the proposed protocols.
In this paper, we propose three protocols based on single photons that effectively tackle the aforementioned issues.Protocols 1 and 2 are devised upon different transmission models: one utilizing a star model and the other employing a ring model.Importantly, neither protocol necessitates participants to possess measurement capabilities.In the star model, a semi-honest third-party (TP) simultaneously transmits particles to users 1 and 2. After users 1 and 2 conduct their operations, the particles are returned to TP to finalize communication.Conversely, the ring model involves TP transmitting particles to user 1.Once user 1 completes the operation, the particles are then transmitted to user 2, who subsequently returns them to TP to complete the communication process.Protocol 3 extends protocol 1 (star model) from the two-party SQS to multi-party, thereby enhancing the protocol's applicability across various scenarios.
The contributions of this paper can be summarized as follows: (1) A protocol that does not require participant measurement is proposed, and classical users do not need to have measurement capabilities, further simplifying their operations.(2) Two different models, star and ring, are proposed without the need for measurement, and the star protocol is extended to multiple parties, expanding communication application scenarios.(3) The proposed protocol was simulated and verified, further verifying its correctness and feasibility.These protocols offer promising solutions for overcoming existing challenges in semi-quantum communication, particularly in terms of communication modes and participant capabilities.
The remainder of this paper is structured as follows: In Sect.2, we introduce two semiquantum summation protocols.Section 3 provides an analysis of the security aspects of the two proposed protocols.In Sect.4, we present the simulation results of the two protocols.Following that, Sect. 5 introduces the multi-party protocol.Finally, Sect.6 contains the discussion and conclusion of this paper.

Semi-quantum summation protocol based on single photons
In this section, an SQS protocol using single photons will be proposed.Suppose the quantum channels are ideal (ie, non-lossy and noiseless) and the classical channels are authenticated in the proposed protocol.
There are two participants (Alice, Bob) and a semi-honest TP.Alice and Bob are classical participants who have a private n-bit string, eager to summation their private information.TP has full quantum capabilities, who aims to obtain the modulo 2 of Alice and Bob's bit strings.Alice and Bob select an SQKD protocol to pre-shared the length of N keys K = (K 1 , K 2 , . . ., K N ).The length of participants' (Alice, Bob) private bit strings (A, B) is n.Alice and Bob private bit strings are denoted as A = (a 1 , a 2 , . . ., a n ) and B = (b 1 , b 2 , . . ., b n ), where a i , b i ∈ {0, 1}, i = 1, 2, . . ., n.On the premise of not disclosing their respective private bit strings, they hope to use TP to help compute the summation: where, ⊕ is the modulo 2 addition.

Protocol 1: star and concise SQS
Step 1: TP generates N = 8n two-qubit product states, each of which is where A and B denote the system of Alice and Bob.There are two sequences S A = {q 1 a , q 2 a , . . ., q N a } and S B = {q 1 b , q 2 b , . . ., q N b }, where q i a and q i b represent the i-th (i = 1, 2, . . ., N) particle.Then, TP transmits S A to Alice and S B to Bob.
Step 2: Upon receiving particles from TP, Alice prepares a sequence . ., m. Subsequently, Alice combines Z A and S A to compose a new sequence Q A , and reorders the positions of particles in the Q A .Alice transmits Q A to TP, where the length of Q A is 8n + m.After receiving the particles sent by TP, Bob implemented the same operation as Alice.
Step 3: When TP is receiving Q A and Q B from Alice and Bob, he randomly chooses either σ Z basis ({|0 , |1 }) or σ X basis ({|+ , |-}) to measure each particle.Then, TP announces which basis he chose to measure for each particle.
Step 4: Alice and Bob publish the positions of S A and Z A in Q A , S B and Z B in Q B , respectively.According to Alice and Bob's different operations, the following eight cases will occur, and the details are listed in Table 1: Case 1: TP performs σ X measurement on the particle which is belongs S A and S B .Case 2: TP performs σ X measurement on the particle which is belongs S A and Z B .Case 3: TP performs σ X measurement on the particle which is belongs Z A and S B .Case 4: TP performs σ X measurement on the particle which is belongs Z A and Z B .
The cases 1, 2, 3 and 4 are used for checking eavesdropping.An example is illustrated, in case 1, TP performs σ X measurement to detect eavesdropping.If there are no eavesdroppers in quantum channel, TP obtains |+ A ⊗ |+ B .Once other quantum states appear, it indicates the presence of eavesdroppers during the communication process.Once the error rate exceeds the pre-threshold value, the protocol will be discarded.
Case 5: TP performs σ Z measurement on the particle which is belongs S A and Z B .Case 6: TP performs σ Z measurement on the particle which is belongs Z A and S B .Case 7: TP performs σ Z measurement on the particle which is belongs Z A and Z B .
The cases 5, 6 and 7, at least one of Alice and Bob has prepared the fresh particle, TP obtains a bit string r 1 a , r 2 a , . . ., r 3n a and r 1 b , r 2 b , . . ., r 3n b which measured in σ Z basis corresponding the positions r 1 a r 2 a ...r 3n a and r 1 b r 2 b ...r 3n b .The measurement results of Alice and Bob's are denoted as r i a and r i b which are used for computing the private summation.Case 8: TP performs σ Z measurement on the particle which is belongs S A and S B .The case 8 will be discarded by TP.
Step 5: TP chooses a part of bits in r 1 a r 2 a ...r 3n a and r 1 b r 2 b ...r 3n b to be TEST bits, and declares the positions and value which he selected.Two participants announce the value of the TEST bits at the corresponding position.They calculate the error rate on TEST bits.Once the error rate is higher than the pre-threshold value, the protocol will be terminated.
Step 6: The participants and TP compute the summation of bit strings.Alice holds R A = {r 1 a r 2 a ...r n a }, and Bob holds where ⊕ is the modulo 2 addition.Then, TP computes the result is Alice and Bob i-th private summation.
Step 2: Upon receiving the sequence S T from TP, Alice prepares a sequence S A = {r 1 a , r 2 a , . . ., r N a }, where r i a is chosen from {|0 , |1 } at random, i = 1, 2, . . ., N .Subsequently, Alice combines S T and S A to compose a new sequence S 2 , and reorders the positions of particles in the S 2 .Alice transmits S 2 to Bob, where the length of S 2 is 2N .
Step 3: Upon receiving the sequence S 2 from Alice, Bob prepares a sequence . ., N .Subsequently, Bob combines S 2 and S B to compose a new sequence S 3 , and reorders the positions of particles in the S 3 .Bob transmits S 3 to TP, where the length of S 3 is 3N .
Noticed that, the photons prepared by TP, Alice, Bob are represent CTRL photons, SIFT A photons, SIFT B photons, respectively.
Step 4: TP announces to A and B that he received the sequence S 3 .Afterwards, two participants respectively declare the orders of the photons in the sequence S 2 and S 3 .
Step 5: TP performs σ X measurement on the CTRL photon, performs σ Z measurement on the SIFT A and SIFT B photon.For detecting eavesdropping, TP calculates the error rate about CTRL photons.If eavesdropping absent, TP's measurement results should be consistent with what he initially prepared.Once the error rate is higher than the pre-threshold value, the protocol will be dropped.
Step 6: TP chooses a part of bits in S A = {r 1 a , r 2 a , . . ., r N a } and S B = {r 1 b , r 2 b , . . ., r N b } to be TEST bits, and declares the positions and value which he selected.Two participants announce the value of the TEST bits at the corresponding position.They calculate the error rate on TEST bits.Once the error rate is higher than the pre-threshold value, the protocol will be terminated.
Step 7: The participants and TP compute the summation of bit strings.Alice holds R A = {r 1 a r 2 a ...r n a }, and Bob holds where ⊕ is the modulo 2 addition.Then, TP computes C i A ⊕C i B ⊕r i a ⊕r i b = a i ⊕ b i , the result is Alice and Bob i-th private summation.

Security analysis
In this section, we analyze the proposed SQS protocols' security.Generally speaking, when analyzing SQS security, the following two attack scenarios need to be considered [7,16,28].Outside attack: Malicious attacker attempts to obtain the privacy strings of participants.Inside attack: TP and participants attempt to steal the privacy strings of other participants.Suppose Eve has fully quantum capability.The following will prove that Eve's access to any private information will introduce errors.

Security analysis of SCSQS
Outside attacker Eve attempts to grab the participants' private bit strings, and he needs to obtain the keys that the participant uses to encrypt their private inputs.Here is an analysis of Eve's desire to obtain Alice's private bit string, similar to the analysis of Bob's private bit string.
Intercept-resend attack Eve intercepts the sequence S A which is sending to Alice from TP, and re-prepares self a sequence S E .Eve sends Alice S E instead of S A .When Alice received S E , she combines S E with Z A to obtain Q A , and transmits Q A to TP.Then, Eve intercepts Q A , attempts to infer which particles Alice prepared.He prepares a fake sequence Q A , and sends to TP.Unfortunately, Eve will be detected with high probability causing he does not realize the order of Q A .
When conducting eavesdropping detection in Step 4, TP performs σ X measurement on the particle with 1/2, situation 1 with 1/2: particle in Z A , there are no error introduce; situation 2 with 1/2: particle in S A , Eve has a probability of 1/2 being detected.Hence, the total detection rate is 1/2 * (1/2 * 0 + 1/2 * 1/2) = 1/8 in Step 4. Specifically, in case 1&2, the detection particle in S A which generated by TP.When Eve sents particle one of |0 , |1 , |+ , |to TP with 1/4.Eve prepares |+ particle, he can pass the detection with 1/4.If Eve prepares |0 (|1 ), he can pass the detection with 1/2.Eve prepares |particle, he will be noticed by TP.In case 3&4, the detection particle in Z A which generated by Alice.Because TP will take σ X on the particle Z A , the measurement results are |+ or |-, he cannot distinguish the fake particle.

Measure-resend attack
Eve intercepts and measures the sequence S A which is sending to Alice from TP.He re-generates a sequence S E with same measurement results and transmits to Alice.When Alice received S E , she prepares a sequence Q A of S E and Z A together, and sends to TP.Subsequently, Eve intercepts and measures Q A to obtain Alice keys.And he generates a false sequence Q A , sends to TP. Apparently, because of Q A ordered by Alice, Eve can be detected with high probability.
For eavesdropping detection in Step 4, TP measures the particle using σ X basis with 1/2, situation 1 with 1/2: the Z A particle, there are no error introduce; situation 2 with 1/2: the S A particle, Eve has a probability of 1/4 being detected.Hence, the total detection rate is 1/2 * (1/2 * 0 + 1/2 * 1/4) = 1/16 in Step 4. Specifically, in case 1&2, the detection particle in S A which prepared by TP.Eve cannot know which basis TP choice to generate particles.Eve chose σ Z with 1/2, he can pass the detection with 1/2.Eve chose σ X with 1/2, TP cannot notice he.In case 3&4, the detection particle in Z A which prepared by Alice.Because TP will take σ X on the particle Z A , the measurement results are |+ or |-, he cannot distinguish the fake particle.
When conducting eavesdropping detection in Step 5, TP measures the particle using σ Z basis with 1/2, situation 3 with 1/2: particle in Z A , there are no error introduce.Situation 4 with 1/2: particle in S A , discard.Eve does not introduce any errors in step 5.
Entangle-measure attack Eve performs attacks via two unitary operations on qubits: U E operation to entangle the ancillary particle |0 E for particles transferred from TP to Alice, and U F operation to measure the ancillary particle |0 E for particles transferred from Alice to TP.In the proposed protocol, Eve may perform attack on each qubit in Q A and Q B to entangle the qubit with its auxiliary qubits.After Alice and Bob pronounced the order of Q A and Q B , Eve then measures the auxiliary particles entangled with the particle to obtain information about Alice and Bob's key bits.The global state of the composite system composed by particles A, B and E is A + B + E. A ( If Eve wants to induce no error, TP should obtain the |with the probability of 0. Therefore, Let z a is |1 .After Eve performs U F , state evolves into:  6): If Eve wants to induce no error, TP should obtain the |with the probability of 0. Therefore, Assume z b is |1 .After Eve performs U F , state evolves into: 15): If Eve wants to induce no error, TP should obtain the |with the probability of 0. Therefore, According equation ( 8), ( 11), ( 14) and ( 17), it can be inferred that: For no errors are introduced under Eve's attack, the measurement result of the state of A + B should be | + + .According equation ( 18), ( 19) can be rewritten as follows: And according equation ( 18), ( 5), ( 6), ( 9), ( 12) and ( 15) can be rewritten as follows: Obviously, Eve induces no error, his probes are independent of two participants measurement results.
TP attack A semi-honest TP is defined as someone who needs to follow the protocol steps but is not allowed to collude with others, and can only attempt to deduce the participant's secret by collecting public information.Although TP can acquire the order of Q A (Q B ), he does not know the pre-shared keys K between Alice and Bob.As a consequence, he cannot obtain the private bit strings.
Participant attack Suppose Alice is a dishonest participant who wants obtain the keys between TP and Bob, and infers to Bob's private bit string.When Alice attacks, she will use any possible attack methods, including the intercept-resend, measure-resend and entangle-measure attacks used by outside attacker Eve.In addition, she will also adopt more serious attack methods.

Security analysis of RCSQS
Security analysis of RCSQS protocol is similar to SCSQS protocol.Here, we focus on analyzing dishonest participants'(dishonest Alice and dishonest Bob) attacks.
Intercept-resend attack Suppose Alice is a dishonest participant who wants to obtain SIFT B , and intercepts the S 3 .Then, she prepares 3N fake photons (S 3 ) and sends S 3 to TP.When Bob posted his rearranged order, Alice could measure the corresponding photons using σ Z basis to obtains the Bob's bit string.However, Alice will be detected.To begin with, Alice's attack on CTRL photons can be easily detected because she does not know which state TP is prepared for.Besides, Alice's attack on SIFT B photons can be easily detected because she does not distinguish the state and position of Bob's prepared particles.
For eavesdropping detection in Step 5, TP measures the particle using σ X or σ Z .Alice randomly prepared particle is |1 or |0 , after measured by TP, the state will be |+ , |-, |0 or |1 .Hence, the detection rate is 1/4 in Step 5. When conducting eavesdropping detection in Step 6, TP will verify the state of the TEST bit with Bob, and there is a half chance that |1 or |0 randomly prepared by Alice will be the same as the state prepared by Bob.Hence, the detection rate is 1/2 in Step 6.
The security analysis of dishonest participant Bob using intercept-resend attack is similar to the analysis of Alice.
Measure-resend attack Suppose Bob is a dishonest participant who desires to acquire SIFT A .When Bob received S 2 , he measures all particles in S 2 using σ Z basis and prepares new particles with same measurement results.Then, he prepares 3N fake photons S 3 and transmits to TP.When Alice posted her rearranged order, Bob could measure the corresponding photons using σ Z basis to obtains the Alice's bit string.Nevertheless, Bob will be detected.Bob's attack on CTRL photons can be easily detected because she does not know which state TP is prepared for.
When conducting eavesdropping detection in Step 5, TP measures the particle using σ X or σ Z .Bob randomly prepared particle is |1 or |0 , after measured by TP, the state will be |+ , |-, |0 or |1 .Hence, the detection rate is 1/4 in Step 5.
The security analysis of dishonest participant Alice using measure-resend attack is similar to the analysis of Bob.
Entangle-measure attack Considering that the sequence sent S T by TP to Alice does not contain any valid information, Eve will perform two unitary operations on the qubits: U S operation to entangle the ancillary particle for particles transferred from Alice to Bob, and U T operation to measure the ancillary particle for particles transferred from Bob to TP.
A. Suppose Eve performs attack (U S , U T ).Defined |0 T , |1 T , |+ T and |-T represent the CTRL qubit, and SIFT A qubits are represented as |0 A and |1 A , and SIFT B qubits are represented as |0 B and |1 B .When Eve performed U S , the composite system particles T and A become: B. After Eve performed U T , the composite system particles T, A and B become: C. Eve can not be detected through eavesdropping, the following conditions will be met: which can be obtained that The above equations show that Eve's ancillary particle is independent of CTRL, SIFT A and SIFT B photons, so if Eve does not want to be detected for his eavesdropping behavior, he will also be unable to obtain information.

Simulation of the presented protocols
To demonstrate the correctness of the outputs of the three protocols, we conducted simulation experiments using IBM's Qiskit without considering the eavesdropping inspection process [32].
According to the protocol steps, TP randomly performs σ X and σ Z measurements on the received particles.In the simulation phase, it is assumed that TP performs σ X measurements on registers q 0 , q 1 , q 4 and q 5 , and σ Z measurements on q 2 , q 3 , q 6 and q 7 .The relevant circuit diagram is shown in Fig. 1, and the corresponding measurement results are shown in Fig. 2.

Simulation of the RCSQS protocol
Assuming that the particles sent by TP to Alice are |+ , |-, |0 and |1 , represented by quantum registers q 0 , q 1 , q 2 and q 3 , respectively.The particle states prepared by Alice themselves are |1 , |0 , |1 and |0 , represented by registers q 4 , q 5 , q 6 and q 7 , respectively.The particle states prepared by Bob themselves are |0 , |1 , |0 and |0 , represented by registers q 8 , q 9 , q 10 and q 11 , respectively.According to the protocol steps, TP performs σ X and σ Z measurements on the CTRL particles.In the simulation phase, it is show that TP performs σ X measurements on registers q 0 , q 1 , and σ Z measurements on q 2 , q 3 .The relevant circuit diagram is shown in Fig. 3, and the corresponding measurement results are shown in Fig. 4.

Protocol 3: multi-party SCSQS
In this section, based on SCSQS protocol, the MPSQS protocol will be proposed.
Step 2: Upon receiving particles from TP, P j prepares a sequence Z j = {z 1 a , z 2 a , . . ., z m a }, where z i j is chosen from {|0 , |1 } at random, i = 1, 2, . . ., m. Subsequently, P j combines Z j eliminates the need for measurement, RCSQS is a ring protocol also devoid of measurement requirements, and MPSQS extends from SCSQS to N-party scenarios.These proposed protocols have been demonstrated to effectively prevent typical attack behaviors such as intercept-resend attacks, measure-resend attacks, entangle-measure attacks, TP attacks, and participant attacks.Moreover, it's worth noting that the designed protocols come with certain limitations, such as the requirement for participants to pre-share keys.These limitations provide areas for future research and improvement in semi-quantum communication protocols.

Figure 1 Figure 2
Figure 1 Circuit diagram for SCSQS

Figure 3 Figure 4
Figure 3 Circuit diagram for RCSQS
which means there is no change on the state of A + B.B. Alice's particle in Z A and Bob's particle in S B .When z a is |0 , the state of A + B + E Alice's particle in S A and Bob's particle in Z B .When z b is |0 , the state of A + B + E becomes |00 AB |e 00 + |10 AB |e 10 , or the state of A + B + E becomes |01 AB |e 01 + |11 AB |e 11 when z b is |1 .Assume z b is |0 .After Eve performs U F , state evolves into: AB |e 10 + |11 AB |e 11 = |10 AB |f 10 + |11 AB |f 11 = |1 A |0 B |f 10 + |1 B |f 11 .

Table 2
Comparison of the protocols