Privacy-preserving quantum protocol for finding the maximum value

In this paper, we first define a primitive protocol of secure multiparty computations to privately compute the logic operator “OR” (SMC_OR). Accordingly, we design a feasible quantum SMC_OR protocol by using single photons, which can achieve information-theoretical security in the semi-honest model. Furthermore, we adopt the proposed quantum SMC_OR protocol to solve an interesting but important privacy-preserving problem, i.e., finding the maximum value among many secrets. Finally, we simulate the related quantum protocols in Qiskit and verify the correctness and the feasibility of the proposed protocols.

In this paper, we focus on input privacy in a specific cryptographic task, in which a group of users try to compute the maximum value among their private inputs. Our primary goal is to protect user privacy by designing ingenious quantum cryptographic protocols. Furthermore, our secondary goal is to design quantum protocols by employing feasible quantum processing technologies, so that designed quantum protocols can be practically and effectively implemented. First, we define an interesting but important primitive protocol of secure multiparty computation, i.e., secure multiparty computation of OR (SMC_OR for short) and design the corresponding quantum SMC_OR protocol. What's more, we present an unconditionally (i.e., information-theoretically) secure quantum protocol for finding the maximum value among many secrets based on proposed quantum SMC_OR protocols, where each secret belongs to a different participant.
In the classical setting, secure multiparty computation (SMC) is an important subfield of modern cryptography, which allows a number of mutually distrustful parties to jointly compute a function without leaking their respective private inputs. The first SMC problem was presented by Yao [10], i.e., the Millionaires' problem, in which two millionaires wish to know who is richer without disclosing their wealth. Privately finding the maximum value is the general case of the Millionaires' problem, in which a group of parties try to compute the maximum value (i.e., the greatest value) among their private inputs. A naive method to find the maximum value among many private inputs may adopt pairwise private comparison protocols [11], but this method reveals the rank order of all private inputs. Due to the problem's importance, better methods to privately compute the maximum value have appeared based on classical cryptographic algorithms, e.g., homomorphic encryption [12] and anonymous veto networks [13]. However, the security of these algorithms is based on unproven computational assumptions, e.g., to prove the security of the algorithms proposed in Ref. [13], the author assumes that the Decision Diffie-Hellman (DDH) problem is intractable. Furthermore, these computational assumptions are vulnerable to attacks by quantum computers due to fast quantum algorithms [9]. Accordingly, these algorithms based on unproven computational assumptions cannot resist quantum attacks. What's more, compared with the related classical algorithms or protocols, the biggest advantage of using quantum cryptography to compute the maximum value is that it can easily detect any outsider's eavesdropping or any party's dishonesty.
Finding the maximum value among many secrets has important and wide applications in privacy-preserving fields, such as sealed-bid auctions [14,15], electronic voting [16,17] and federated learning [18,19]. For example, in a sealed-bid auction, an auctioneer can get the highest bid by finding the maximum value among multiple private bids, which ensures anonymity because each bidder does not need to submit his private bid to the auctioneer. In the quantum setting, there are quantum algorithms to find the maximum [20] or the minimum [21]. However, these quantum algorithms provide no privacy protection. To the best of our knowledge, there is not yet any quantum protocol for privately finding the maximum value.
Though near-term quantum computing devices have super-fast computing power, few users can own them due to their expensive costs. Furthermore, the emergence of various quantum cloud platforms (e.g., IBM quantum experience) makes it possible for ordinary users to perform quantum computing. In view of this, we introduce a quantum cloud in our proposed quantum protocols to make the quantum processing capacity required by all parties reach the minimum requirements, i.e., it only needs to perform single-photon operators (Pauli operator and Hadamard gate operator). Furthermore, our proposed quantum protocols take single photons (i.e., BB84 states) as quantum resources and only need to perform single-photon operators and single-photon measurements, which are similar to the BB84 QKD protocol. Therefore, it is feasible to implement proposed protocols with present technologies.

Quantum SMC_OR protocol
In this section, we first give an informal definition of a primitive problem of secure multiparty computations, i.e., secure multiparty computation of OR (SMC_OR for short), and then present a feasible quantum protocol for SMC_OR, which will be utilized later in the privacy-preserving quantum protocol for finding the maximum value (later called the privacy-preserving QFMV protocol).
Fairness. Roughly speaking, no coalition of dishonest parties can harm any honest party without being detected. In other words, under no circumstances should one party have an advantage over another party or other parties.
Privacy. Any party other than $P_i$ learns no information about $x_i$ except the final output $x_1 \vee \cdots \vee x_i \vee \cdots \vee x_m$.
Security Model. In the following protocols, we only consider honest-but-curious parties [14,15], like the semi-honest model [13] in the classical setting, where adversaries may try to learn as much information as possible from a given protocol execution but are not able to deviate from the protocol steps. That is, in the semi-honest model, each participant follows the protocol specification but tries to deduce some private information about the other participants [13].
Furthermore, we assume that there is a semi-honest quantum cloud, which will prepare all quantum resources (i.e., single photons) and perform all single-photon measurements, while the other parties, with limited quantum capabilities, only need to forward single photons and perform simple single-photon operators. In addition, we assume that there is an authenticated quantum channel between any $P_i$ and $P_{i+1}$ ($i = 1, 2, \ldots, m$, and $P_{m+1}$ is the quantum cloud). Finally, the quantum cloud is responsible for outputting $x_1 \vee x_2 \vee \cdots \vee x_m$.
In the semi-honest model, each participant follows the protocol specification but tries to deduce some private information about the other participants [13]. So, in the following protocols we mainly consider two privacy goals: (1) Preserving input privacy from anyone inside the group of participants, including the quantum cloud; (2) Preserving input privacy from outside passive attackers, i.e., outside eavesdropper.
Quantum SMC_OR Protocol

Step 1. All parties agree on a small integer $k$, e.g., $k = 10$, which is related to the probability of successfully outputting $x_1 \vee \cdots \vee x_i \vee \cdots \vee x_m$ (i.e., the error probability $\delta \approx \frac{1}{2^k}$, later see Theorem 1).
Step 2. Each party $P_i$ ($i = 1, 2, \ldots, m$) generates a private array $X_i$ of the length $k$ by his private input $x_i$: If $x_i = 0$, then all $X_i[j]$s are equal to 0; If $x_i = 1$, then each $X_i[j]$ is equal to 0 or 1 randomly but there is at least one 1 among all $k$ $X_i[j]$s. That is, if $x_i = 0$, then
Step 3. Let $t = 2(k + q)$, where $q$ is a secure parameter. Furthermore, each party $P_i$ ($i = 1, 2, \ldots, m$) randomly generates two $t$-element arrays $R_i$ and
Step 4. The quantum cloud prepares $t$ single photons: $ph_1, ph_2, \ldots, ph_t$, each of which is randomly in $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$. Furthermore, the quantum cloud records the initial states of the $t$ single photons. Finally, the quantum cloud sends all $t$ single photons $ph_1, ph_2, \ldots, ph_t$ to the party $P_1$ through the authenticated quantum channel.
Step 5. The party $P_1$ executes the following procedures: then apply an $H$ gate operator to the $j$th single photon $ph_j$; If $R_1[j] = 1$, then apply a Pauli operator $U_y$ to the $j$th single photon $ph_j$. } } Here, $H$ and $U_y$ are defined by [9],
Step 6. The party $P_1$ sends all $t$ single photons $ph_1, ph_2, \ldots, ph_t$ to the party $P_2$ through the authenticated quantum channel.
Step 7. After receiving all photons sent from the party $P_1$, the party $P_2$ executes the similar procedures of the party $P_1$ and then sends all photons to the next party $P_3$ through the authenticated quantum channel. In total, the process is repeated $m$ times. Finally, the party $P_m$ sends the $t$ single photons $ph_1, ph_2, \ldots, ph_t$ back to the quantum cloud.
Please note that after receiving the $t$ single photons sent from the previous party, the party $P_i$ executes the following procedures: then apply an $H$ gate operator to the $j$th single photon $ph_j$; If $R_i[j] = 1$, then apply a Pauli operator $U_y$ to the $j$th single photon $ph_j$. } }
Step 8. After receiving all $t$ single photons, the quantum cloud measures each photon $ph_j$ in the initial basis for $j = 1, 2, \ldots, t$, and records all measured results.
Step 9. Post-processing:
(1) Each party $P_i$ ($i = 1, 2, \ldots, m$) opens his random bits $S_i[j]$s for $j = 1, 2, \ldots, t$.
(2) All parties publicly select out the useful $j$s from $j = 1$ to $t$, where the useful condition of $j$ must satisfy $\sum_{i=1}^{m} S_i[j] \bmod 2 = 0$. Please note that the basis of the $j$th photon $ph_j$ will not change when satisfying the useful condition (please see later correctness analysis for details).
(3) All parties keep the useful events, in which the sequence number $j$ satisfies the useful condition, and discard the rest (with the probability of $\frac{1}{2}$).
(4) There are approximately $k + q$ (i.e., $\frac{1}{2}t$) useful events in total. All parties randomly select out exactly $k$ useful events as encoding events to compute the final result and the remaining about $q$ useful events as checking events to check any dishonesty or eavesdropping.
(5) Suppose that there are $q$ checking events. The parties open the corresponding sequence number $j$s of all $q$ checking events and ask the quantum cloud to announce the initial quantum states and the measurement results of the $q$ checking events. After that, all parties open their respective random bits $R_i[j]$s (only) for all checking events. By all public $R_i[j]$s, the initial quantum states and the corresponding measurement results, all parties can determine whether there is any dishonest party or an outside eavesdropper. That is, , the measurement result should be the same (opposite) as the initial quantum state; otherwise there is a dishonest party or an eavesdropping adversary. If no dishonesty or eavesdropping was found, the parties continue to execute the next step, otherwise abort.
(2) For $j = 1$ to $k$ do { If the measured result of the $l_j$th photon $ph_{l_j}$ is inconsistent with the initial state of the photon $ph_{l_j}$ (later we will prove that it implies that

Privacy-preserving QFMV protocol
Similarly, we assume there are $m$ ($m > 2$) parties: $P_1, P_2, \ldots, P_i, \ldots, P_m$ in the following privacy-preserving QFMV protocol, where each party $P_i$ has a secret $Y_i \in Z_N$ and $n = \log N$ (i.e., $Y_i$ is an $n$-bit integer). Similarly, $Y_i[j]$ represents the $j$th bit of $Y_i$. The goal of the protocol is to find the maximum value $Y_{max}$ among all secrets $Y_1, Y_2, \ldots, Y_i, \ldots, Y_m$ (i.e., $Y_{max} \in \{Y_1, Y_2, \ldots, Y_m\}$ and $Y_{max} \ge Y_i$ for any $i$), while protecting the privacy of all non-maximum secrets.
Step 1. Each party $P_i$ ($i = 1, 2, \ldots, m$) generates an auxiliary array $Y^*_i$ and sets $Y^*_i = Y_i$ initially.
Step 2. All parties jointly execute the following procedures: { For $j = 1$ to $n$ do { (1) All parties execute a quantum SMC_OR protocol with the help of the quantum cloud, where each party $P_i$ ($i = 1, 2, \ldots, m$) privately inputs $Y^*_i[j]$. Accordingly, the quantum cloud outputs and opens If s be equal to 0). // It implies that $Y_i$ cannot be the maximum (please see Fig. 1

Correctness
The core idea of the proposed privacy-preserving QFMV protocol is to calculate bitwise OR operators of all private bit strings from left to right, i.e., from high to low. Initially, each bit string $Y^*_i$ represents a private secret, i.e., $Y_i$. As the calculations progress, more and more parties, except the one whose input is the maximum value, can determine that their private inputs are less than the maximum value, and accordingly, they will input 0 in later quantum SMC_OR protocols. That is, only the party with the maximum value retains all bits in his private bit string, while other parties renew their bits to ensure that each of their bits is less than or equal to the corresponding bit of the maximum value. So, it can finally output all bits of the maximum value. Here, we give a simple example, as shown in Fig. 1.

From the example, we can see that the correctness of the proposed QFMV protocol is mainly guaranteed by quantum SMC_OR protocols. So, we further analyze the correctness of the quantum SMC_OR protocol as Theorem 1. In the following theorem, suppose that the number of ones among the $m$ private inputs (i.e., $x_1, x_2, \ldots, x_m$) in the quantum SMC_OR protocol is $p$, where $p \le m$.

Theorem 1 If $p = 0$ or 1, then the quantum SMC_OR protocol is perfectly correct; if $p \ge 2$, then it may give a wrong output 0, but the error probability $\delta \approx \frac{1}{2^k}$, which is very small and negligible when $k$ is large enough, e.g., $k = 10$.

1) and (2), we can easily get the following equations: Furthermore, we consider all possible operators on a specific photon, e.g., $ph_j$, as shown in Fig. 2. Suppose that the initial state of the photon $ph_j$ is $|\psi_j\rangle$. By previously prescribed procedures, when the photon $ph_j$ finally comes back to the quantum cloud, its final state $|\phi_j\rangle$ will be changed as By Eqs. (5)-(7), we can further get Here, $l = 0$ or $l = 1$. Furthermore, if $j$ satisfies the useful condition, then $\sum_i S_i[j] = 0 \bmod 2$, so In addition, it gives By Eqs. (10) and (11), we further know that for any useful event, the final state will remain the same as the initial state except for a global phase if the number of times $U_Y$ is performed is even; otherwise it will change, but it keeps the same basis.
In turn, if the measured result of the $j$th photon $ph_j$ by the quantum cloud is inconsistent with the initial state of the photon $ph_{l_j}$, then $\sum_{i=1}^{m} R_i[j] \bmod 2 = 1$, and $\sum_{i=1}^{m} R_i[j] \bmod 2 = 0$ otherwise. That is, the single $R_i[j]$ is private, but the quantum cloud knows the summation $\sum_{i=1}^{m} R_i[j] \bmod 2$. Furthermore, by Eqs. (3) and (4), we can get mod 2 is always true. In turn, the quantum cloud can deduce the value of $\sum_{i=1}^{m} X_i[j] \bmod 2$ (i.e., $w$) by the public information and his recorded results.
(2) On the other hand, we further consider the following different cases that the $m$ inputs $x_1, \ldots, x_i, \ldots, x_m$ have $p$ ones (i.e., $p$ is the number of ones in all $x_i$s).
In the case of $p = 0$ (i.e., all $x_i$s are equal to 0):
In the case of $p = 1$: There is just one $X_{i^*}$ such that $X_{i^*} \neq 0$, so there is at least one $j$ such that $w = \sum_{i=1}^{m} X_i[j] \bmod 2 = X_{i^*}[j] = 1$. That is, $x_1 \vee x_2 \vee \cdots \vee x_m = w = 1$. Therefore, the output is correct.
In the case of $p = 2$: Suppose that $x_{i_1} = 1$ and $x_{i_2} = 1$. Accordingly, $X_{i_1} \neq 0$ and $X_{i_2} \neq 0$. Then, the total number of appropriate $X_{i_1}$ and $X_{i_2}$ is $(2^k - 1)(2^k - 1)$. Furthermore, the final output $w = 1$ if $X_{i_1} \neq X_{i_2}$, otherwise $w = 0$ (i.e., $X_{i_1} = X_{i_2}$). The number of possible $X_{i_1}$ (i.e., $X_{i_1} \neq 0$) is $(2^k - 1)$. So, the error probability (i.e., $X_{i_1} = X_{i_2}$) is equal to Obviously, when $k$ is large enough, $\delta \approx 0$. For example, if $k = 6$, $\delta = 0.01587$; if $k = 10$, $\delta = 0.00098$.
In the case of $p = 3$: We consider the following error combinations: $k$ rows (corresponding to $j = 1, 2, \ldots, k$) and $p$ columns (corresponding to the $p$ arrays $X_i$), where each column has at least one "1" (i.e., the corresponding $X_i \neq 0$) and each row has zero "1" or two "1"s, i.e., $w = \sum_{i=1}^{m} X_i[j] \bmod 2 = 0$. However, $x_1 \vee x_2 \vee \cdots \vee x_m = 1$. Furthermore, by the possible 1s in each row, we can deduce that the error probability satisfies the following condition: Similarly, when $k$ is large enough, $\delta \approx 0$. For example, if $k = 6$, $\delta < 0.01638$; if $k = 10$, $\delta < 0.00098$.
By analogy, we can easily deduce that other more general cases for any $p$: Please note that $C_p^0 + C_p^1 + C_p^2 + \cdots + C_p^p = 2^p$ and $C_p^i = C_{p-1}^{i-1} + C_{p-1}^i$. Therefore, when $k$ is large enough, $\delta$ is negligible. That is, the proposed quantum SMC_OR protocol is approximately correct.
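The parity argument of Theorem 1 and the bitwise QFMV loop described at the start of this section, as an added example (not the authors' Qiskit code). It models only the classical skeleton of SMC_OR, assumes each non-zero $X_i$ is uniform over its $2^k - 1$ candidates, reads the truncated QFMV Step 2 as "a party zeroes $Y^*_i$ once it learns it is not the maximum", and goes beyond the page by giving the error probability in closed form for any $p$; all function names are hypothetical.

```python
import random
from fractions import Fraction
from itertools import product
from math import comb

def encode_bit(x, k, rng):
    """SMC_OR Step 2: all-zero array for x = 0, a non-zero k-bit array for x = 1.
    Assumption: the non-zero array is uniform over the 2^k - 1 candidates."""
    if x == 0:
        return [0] * k
    v = rng.randrange(1, 2 ** k)
    return [(v >> j) & 1 for j in range(k)]

def smc_or(bits, k, rng):
    """Classical skeleton of SMC_OR: only w_j = sum_i X_i[j] mod 2 is revealed,
    and the output is 1 iff some w_j = 1."""
    arrays = [encode_bit(x, k, rng) for x in bits]
    return int(any(sum(col) % 2 for col in zip(*arrays)))

def exact_error(k, p):
    """P[output 0] when p inputs equal 1: count k x p bit matrices whose rows all
    have even parity and whose columns are all non-zero (inclusion-exclusion
    over the set of all-zero columns), divided by (2^k - 1)^p."""
    if p < 2:
        return Fraction(0)
    bad = sum((-1) ** s * comb(p, s) * 2 ** ((p - s - 1) * k) for s in range(p))
    return Fraction(bad + (-1) ** p, (2 ** k - 1) ** p)

def brute_force_error(k, p):
    """Same probability by enumerating every admissible choice of arrays."""
    nonzero = [v for v in product((0, 1), repeat=k) if any(v)]
    bad = sum(all(sum(row) % 2 == 0 for row in zip(*cols))
              for cols in product(nonzero, repeat=p))
    return Fraction(bad, len(nonzero) ** p)

def qfmv(secrets, n, or_fn):
    """QFMV loop: one OR per bit, most significant first. A party whose current
    bit is 0 while the OR is 1 cannot hold the maximum and zeroes its Y*_i."""
    ystar = list(secrets)
    result = 0
    for j in range(n - 1, -1, -1):
        bits = [(y >> j) & 1 for y in ystar]
        s = or_fn(bits)
        result = (result << 1) | s
        if s == 1:
            ystar = [y if b else 0 for y, b in zip(ystar, bits)]
    return result

if __name__ == "__main__":
    rng = random.Random(2024)          # constructed demo inputs
    bids = [5, 12, 9, 12, 3]
    print("ideal OR     :", qfmv(bids, 4, lambda b: int(any(b))))
    print("parity, k=10 :", qfmv(bids, 4, lambda b: smc_or(b, 10, rng)))
    for k in (6, 10):
        for p in (2, 3, 5):
            print(f"k={k} p={p} delta={float(exact_error(k, p)):.5f}")
```

A wrong OR output of 0 at some bit makes the QFMV result smaller than the true maximum, which is why $k$ has to be chosen with the number of bits $n$ in mind.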

Security
According to the proposed QFMV protocol, all parties jointly compute the bitwise OR operators of their respective private inputs (see Fig. 1). So, the security of the proposed QFMV protocol is guaranteed by that of the proposed quantum SMC_OR protocol. In the following theorem, we will prove that our proposed quantum SMC_OR protocol is information-theoretically secure in the semi-honest model.

Theorem 2
The proposed quantum SMC_OR protocol is information-theoretically secure, when all parties honestly execute the protocol.
Proof Before publishing the random bit $S_i[j]$, each party $P_i$ performs two quantum operators $U_Y H^{S_i[j]}$ on the $j$th photon $ph_j$, that is, he encrypts each transmitted qubit (e.g., the single photon $ph_j$) by using two random and secret bits (i.e., privately performing two quantum operators $U_Y H^{S_i[j]}$ on the photon $ph_j$). Similarly, it is a perfect quantum encryption [22], which is information-theoretically secure. By Ref. [22], the quantum protocol is information-theoretically secure if for every input state $\rho_{in}$, the output state $\rho_{out}$ is a totally mixed state. The relation of the input state $\rho_{in}$ and the output state $\rho_{out}$ is as follows: Here $\rho_{in}$ is the density matrix of all possible $t$-qubit input states and $U_k$ is the corresponding unitary operator applied to the input state.
For simplicity, we only analyze an arbitrary photon, e.g., $ph_j$, in our protocol. Accordingly, we can get So, after the party $P_i$ performing the corresponding operators, the output state should be in From Eq. (19), we can see that the output of the single photon $ph_j$ after the party $P_i$ performing private operators is just a totally mixed state. So, anyone including the quantum cloud or the next party $P_{i+1}$ cannot get any private information about the party $P_i$'s bits . That is, it is a perfect quantum encryption. After completing the tests of $q$ checking events, each party $P_i$ computes and opens is completely random and private. Clearly, it is a classical one-time pad.
In short, perfect quantum encryption and classical one-time pad can ensure the information-theoretical security of the proposed quantum protocols in the semi-honest model.
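Both the totally mixed output state claimed in the proof and the checking-event rule of Step 9 (5) can be reproduced with a small state-vector calculation; this is an added example, not the authors' Qiskit code. It assumes $U_Y$ is the Pauli-Y matrix (the page's definition is not reproduced, and a global phase does not change any result below), and all function names are hypothetical.

```python
import math
from itertools import product

S2 = 1 / math.sqrt(2)
H = ((S2, S2), (S2, -S2))
UY = ((0, -1j), (1j, 0))      # assumption: U_Y taken as Pauli-Y
BB84 = {"0": (1, 0), "1": (0, 1), "+": (S2, S2), "-": (S2, -S2)}
FLIP = {"0": "1", "1": "0", "+": "-", "-": "+"}

def apply(u, v):
    """2x2 matrix times single-qubit state vector."""
    return (u[0][0] * v[0] + u[0][1] * v[1], u[1][0] * v[0] + u[1][1] * v[1])

def party(v, r, s):
    """One party's private operation: H if s = 1, then U_Y if r = 1."""
    if s:
        v = apply(H, v)
    if r:
        v = apply(UY, v)
    return v

def prob(a, b):
    """|<a|b>|^2 for two single-qubit state vectors."""
    amp = complex(a[0]).conjugate() * b[0] + complex(a[1]).conjugate() * b[1]
    return abs(amp) ** 2

def cloud_result(label, rs, ss):
    """State the cloud reads in the initial basis after all parties have acted,
    or None when the outcome is random (sum of S bits odd: not a useful event)."""
    v = BB84[label]
    for r, s in zip(rs, ss):
        v = party(v, r, s)
    for out in (label, FLIP[label]):
        if prob(BB84[out], v) > 1 - 1e-9:
            return out
    return None

def check_event(label, measured, rs):
    """Checking-event test: same state if the opened R bits sum to 0 mod 2,
    opposite state otherwise; False signals dishonesty or eavesdropping."""
    expected = label if sum(rs) % 2 == 0 else FLIP[label]
    return measured == expected

def encrypted_density(v):
    """Average of U rho U^dagger over one party's four secret choices (r, s)."""
    rho = [[0j, 0j], [0j, 0j]]
    for r, s in product((0, 1), repeat=2):
        w = party(v, r, s)
        for a in range(2):
            for b in range(2):
                rho[a][b] += w[a] * complex(w[b]).conjugate() / 4
    return rho

def is_maximally_mixed(rho, tol=1e-9):
    target = ((0.5, 0), (0, 0.5))
    return all(abs(rho[a][b] - target[a][b]) < tol
               for a in range(2) for b in range(2))

if __name__ == "__main__":
    rs, ss = (1, 0, 1), (1, 1, 0)          # constructed bits for m = 3 parties
    out = cloud_result("+", rs, ss)
    print("measured:", out, "check passes:", check_event("+", out, rs))
    print("mixed:", is_maximally_mixed(encrypted_density((0.6, 0.8j))))
```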
Furthermore, a dishonest party (e.g., $P_{i-1}$) can perform a collusion attack with the next party $P_{i+1}$ to eavesdrop on partial private information of the party $P_i$ as follows: After the dishonest party $P_{i-1}$ receives all $t$ single photons, he prepares $t$ two-photon Bell states and sends $t$ photons of the Bell states to the party $P_i$ instead of the original $t$ single photons. Without loss of generality, we only analyze one Bell state of two photons, e.g., $\frac{|00\rangle_{ab} + |11\rangle_{ab}}{\sqrt{2}}$. For example, the dishonest party $P_{i-1}$ sends the photon $b$ to the party $P_i$ instead of the real photon $ph_j$, while he keeps the photon $a$ in hand. Accordingly, the party $P_i$ performs the following operators U Later, the party $P_i$ sends the photon $b$ to the next party $P_{i+1}$. To implement the collusion attack, the party $P_{i+1}$ does nothing except send the photon $b$ to the party $P_{i-1}$. Finally, the party $P_{i-1}$ performs a Bell-basis measurement on the two photons $(a, b)$ so that he can deduce partial private information of the party $P_i$. For example, if his measured result is $\frac{|00\rangle_{ab} + |11\rangle_{ab}}{\sqrt{2}}$, then he can deduce that $R_i[j] = 0$ and $S_i[j] = 0$. In particular, to resist this collusion attack, we add the tests of $q$ checking events in our proposed protocol. Obviously, checking events can ensure the honesty of all parties and resist an outsider's eavesdropping, which is similar to the decoy technology in QKD [23].
On the other hand, if the dishonest parties perform this attack, the final output must be wrong. So, in order to verify whether the final output is the maximum value among many secrets, we can add a commit protocol in the initial phase as follows: Each party $P_i$ ($i = 1, 2, \ldots, m$) randomly selects an integer $R_i \in Z_N$ and computes where $Y_i$ is his secret and $H(\cdot)$ is a hash function with strong collision resistance. Then the party $P_i$ submits $C_i$ to the quantum cloud over the classical channels. That is, the party $P_i$ commits $Y_i$ to the quantum cloud, but no one can get $Y_i$ only from $C_i$ without $R_i$.
Later, when the quantum cloud outputs the maximum value $Y_{max}$, the party $P_{max}$ with the maximum value $Y_{max}$ opens his secrets $Y_{max}$ and $R_{max}$. Finally, the quantum cloud can verify its correctness by determining whether the following equation is true or not: If no party claims the maximum value, it shows that the output result is wrong.
According to the above analysis, if all parties honestly execute the protocol, it will output the correct final result. In turn, any eavesdropping or dishonesty can be easily detected by public comparisons in checking events. Accordingly, no coalition of dishonest parties can harm any honest party without being detected. Furthermore, all parties in our protocol are perfect peers and execute the same procedures. Therefore, the proposed quantum SMC_OR protocol can achieve fairness.
In addition, like most existing multiparty quantum computations, our proposed quantum SMC_OR protocol needs authenticated quantum channels, which can ensure the authenticity of quantum resources and participant identities. In principle, we may combine quantum authentication technologies [24] with classical authentication technologies [25] to implement various authentications in quantum channels.

Performance
The proposed quantum SMC_OR protocol takes single photons as quantum resources and accordingly needs single-photon-based operators (i.e., $U_Y$ and $H$) and measurements. Suppose that there are $m$ parties. Then, it needs to transmit $2(k + q)m$ qubits. So, the communication complexity is $O(km)$. Furthermore, we assume that the bit length of each secret in the proposed QFMV protocol is $n$. So, it needs to call the proposed quantum SMC_OR protocol $n$ times. Accordingly, the communication complexity of our proposed QFMV protocol is $O(kmn)$.
Furthermore, we simulate the proposed quantum SMC_OR protocol in Qiskit of IBM (Qiskit-0.23.2; Python-3.8.6; OS-Linux). First, we verify the correctness of this protocol in different instances, i.e., the different parameters: k, p and m. For example, k = 7, p = 5 and m = 11. The detailed circuits of this instance are shown in Fig. 3. Then, we focus on the error rate (i.e., the error probability δ) of proposed SMC_OR protocol with different values of k and p.
The curve charts in Fig. 4 show the relationships between the error rate and the parameter p when k takes different values. In our simulation experiments, suppose that there are 10 parties and they jointly compute the SMC_OR protocol 60000 times for each k, where each input is random in each time. From Fig. 4, we can see that the error rate mainly depends on the values of k when p ≥ 2, and it is approximatively equal to 0 when k = 10. In short, our simulation experiments verify the correctness and the feasibility of the proposed quantum SMC_OR protocol.
At present, we do not consider quantum noise and loss of photons in our proposed quantum protocols. Obviously, we can increase the number of transmitting single photons (i.e., t) in practical applications and adopt classical error-correction technology to avoid these problems. In addition, when the parties are far apart, we may deploy a quantum repeater at each party, which is used to forward private and unknown states of photons based on teleportation. In a word, it is feasible to implement our proposed quantum protocols with the present quantum technologies.

Conclusion
In this paper, we first designed a feasible quantum protocol with the help of a quantum cloud to privately compute the logic operator "OR", which takes single photons as quantum resources and only needs to perform single-photon operators and measurements. Furthermore, we first presented a novel quantum approach to privately find the maximum value among many secrets based on the proposed quantum SMC_OR protocol.
In our proposed quantum protocols, we build a perfect quantum encryption and combine the perfect quantum encryption with the classical one-time pad to perfectly protect the privacy of each input. Therefore, there are good application prospects of our proposed protocols in emerging computations, e.g., outsourcing quantum cloud computing and quantum federated learning. Especially, as a building block, quantum SMC_OR protocol can be utilized to privately compute more complex Boolean functions.
In a word, the proposed quantum protocols show that, just as with mathematical cryptography, we can design sophisticated and flexible cryptographic protocols based on quantum physics, not just QKD. In future work, we will further focus on the feasibility of the proposed quantum protocols, e.g., considering weak coherent pulses instead of single photons.