Two-Party Quantum Private Comparison Using Single Photons

Abstract

Quantum private comparison (QPC) aims to determine whether two parties’ private inputs are equal or not without leaking out their genuine contents. At present, there is seldom QPC protocol which uses single photons as quantum resource. In this paper, we are devoted to converting Zhang et al.’s three-party quantum summation (QS) protocol based on single photons (Int. J. Quantum Inf. 15(2), 1750010, 2017) into the corresponding two-party QPC protocol with single photons. The correctness and the security of the proposed QPC protocol with single photons can be guaranteed. The proposed QPC protocol is naturally free from Trojan horse attacks because of its single directional particle transmission mode.

1 Introduction

Quantum private comparison (QPC), first suggested by Yang and Wen [1] in 2009, aims to determine whether two parties’ private inputs are equal or not without leaking out their genuine contents. Since the first two-party QPC protocol [1] was proposed, QPC has quickly aroused the interests of researchers. As a result, a lot of two-party QPC protocols have been designed, such as the ones with single particles [2], product states [3, 4], Bell states [1, 5,6,7,8,9], GHZ states [10,11,12], W states [13, 14], cluster states [15, 16], χ-type entangled states [17,18,19], five-particle entangled states [20] and six-particle entangled states [21]. Besides the two-party QPC protocols, many multi-party QPC protocols [22,23,24,25,26,27,28,29,30] have also been suggested.

It is easy to find out that at present, there is seldom QPC protocol which uses single photons as quantum resource. Apparently, compared with an entangled state, single photon has some merits. For example, the preparation and the measurement of single photon are much easier than those of an entangled state. Therefore, it is worthy of designing a QPC protocol with single photons.

Based on the above analysis, in this paper, we are devoted to designing a novel two-party QPC protocol which uses single photons as quantum resource. After looking deeply into the three-party quantum summation (QS) protocol based on single photons proposed by Zhang et al. [31], we find out that Zhang et al.’s three-party QS protocol can be converted into the corresponding two-party QPC protocol with single photons. Therefore, in this paper, we concentrate on converting Zhang et al.’s three-party QS protocol into the corresponding two-party QPC protocol.

The rest of this paper is organized as follows: in Section 2, Zhanget al.’s three-party QS protocol is reviewed; in Section 3, the two-party QPC protocol with single photons is described and analyzed; and finally, conclusion is given in Section 4.

2 Review of Zhang et al.’s Three-Party QS Protocol

For integrity, in this section, we review Zhang et al.’s three-party QS protocol.

In Zhang et al.’s three-party QS protocol, there are three participants, P₁, P₂, P₃, each of whom has one secret bit. The secret bit from P_i is represented by m_i, where i = 1,2,3. The goal of this protocol is to guarantee the correctness of the summation result and keep the privacy of each participant’s input. Three participants agree on beforehand that both |0〉(|1〉) and |+〉(|−〉) represent the classical bit 0 (1). Here, \(\vert \pm \rangle =\frac {1}{2}(\vert 0\rangle \pm \vert 1\rangle )\). The quantum and classical channels are supposed to be authenticated, noiseless and lossless. Without loss of generality, suppose that P₁ prepares the initial quantum states. Zhang et al.’s three-party QS protocol is illustrated as follows.

• Step 1: P₁ prepares 1 + d single photons {p_1,1, p_1,2,…,p_{1,1 + d}} all in the state |+〉, and generates (1 + d) × 2 single photons {p_2,1, p_2,2,…,p_{2,1 + d}}, {p_3,1, p_3,2,…,p_{3,1 + d}} all in the state |1〉. Then, P₁ performs (1 + d) × 2 controlled-not operations, which are denoted by CNOT_ij, i ∈{1,2,…,1 + d}, j ∈{2,3}. In the operation CNOT_ij, p_1,i is the control qubit and p_j,i is the target qubit. Afterward, P₁ performs the Hadamard gates on all photons. Finally, P₁ picks out photons {p_1,1, p_1,2,…,p_{1,1 + d}} as the group G₁, photons {p_2,1, p_2,2,…,p_{2,1 + d}} as the group G₂, and photons {p_3,1, p_3,2,…,p_{3,1 + d}} as the group G₃.

• Step 2: P₁ prepares two groups of decoy photons randomly in one of the four states {|0〉,|1〉,|+〉,|−〉}. Then, P₁ picks out one group of decoy photons and randomly inserts these decoy photons into G₂ (G₃) to form a new group \({G}^{\prime }_{2} ({G}^{\prime }_{3} )\). Finally, P₁ sends \({G}^{\prime }_{2} ({G}^{\prime }_{3} )\) to P₂(P₃), and keeps G₁ in his hand.

• Step 3: After confirming the receipt of \({G}^{\prime }_{2} \) from P₂, P₁ publishes the positions of decoy photons in \({G}^{\prime }_{2} \)and asks P₂ to measure them with the basis {|0〉,|1〉} or the basis {|+〉,|−〉}. After P₂ announces his measurement results, P₁ calculates the error rate by comparing the initial states of decoy photons with the measurement results from P₂. If the error rate is greater than the threshold value, the communication will be terminated and restarted from Step 1; otherwise, P₂ will drop out the decoy photons to recover G₂, and the protocol will be continued.

  In the meanwhile, P₁ checks the transmission security of \({G}^{\prime }_{3} \) with P₃ in the similar way.

• Step 4: P₂ and P₃ collaborate to check whether P₁ generated the true single photons and performed the proper operations as described in Step 1 in the following way. P₂ and P₃ randomly choose d photons in the same positions of G₂ and G₃, and require P₁ to choose d photons in the same positions of G₁. Then, P₂ and P₃ ask P₁ to measure the chosen d photons randomly with the basis {|0〉,|1〉} or the basis {|+〉,|−〉}. After P₁ publishes his measurement results, P₂ and P₃ use the same basis as that used by P₁ to measure their corresponding photons. Finally, P₂ and P₃ compare the correlations of their three’s measurement results to check whether P₁ is honest or not. If P₁ is dishonest, the communication will be terminated and restarted from Step 1; otherwise, the communication will be continued.

• Step 5: After dropping out the d photons used for checking, P_i(i = 1,2,3) measures the photon in his hand with the basis {|0〉,|1〉} and obtains his private key k_i. Then, P_i calculates the ciphertext c_i = m_i ⊕ k_i and publishes it. As a result, P_i obtains the summation of their three’s inputs by calculating c₁ ⊕ c₂ ⊕ c₃. Here, ⊕ is the addition modulo 2.

3 The Proposed Two-Party QPC Protocol with Single Photons

In this section, we convert Zhang et al.’s three-party QS protocol into the corresponding two-party QPC protocol.

In 1997, Lo [32] pointed out that it is impossible to evaluate the equality function securely in a two-party scenario. Therefore, in the realm of QPC, a third party (TP) is always needed. Suppose that there are two parties, Alice and Bob, each of whom has one secret bit. The secret bit from Alice (Bob) is represented by m_a(m_b). Alice and Bob want to determine whether m_a is equal to m_b or not without leaking out their genuine contents. The proposed two-party QPC protocol is consisted of the following steps:

• Step 1: TP prepares 1 + d single photons {p_1,1, p_1,2,…,p_{1,1 + d}} all in the state |+〉, and generates (1 + d) × 2 single photons {p_2,1, p_2,2,…,p_{2,1 + d}}, {p_3,1, p_3,2,…,p_{3,1 + d}} all in the state |1〉. Then, TP performs (1 + d) × 2 controlled-not operations, which are denoted by CNOT_ij, i ∈ {1,2,…,1 + d},j ∈ {2,3}. In the operation CNOT_ij, p_1,i is the control qubit and p_j,i is the target qubit. Afterward, TP performs the Hadamard gates on all photons. Finally, TP picks out photons {p_1,1, p_1,2,…,p_{1,1 + d}} as the group G₁, photons {p_2,1, p_2,2,…,p_{2,1 + d}} as the group G₂, and photons {p_3,1, p_3,2,…,p_{3,1 + d}} as the group G₃.

• Step 2: TP prepares two groups of decoy photons randomly in one of the four states {|0〉,|1〉,|+〉,|−〉}. Then, TP picks out one group of decoy photons and randomly inserts these decoy photons into G₂(G₃) to form a new group \({G}^{\prime }_{2} ({G}^{\prime }_{3} )\). Finally, TP sends \({G}^{\prime }_{2} ({G}^{\prime }_{3} )\) to Alice (Bob), and keeps G₁ in his hand.

• Step 3: After confirming the receipt of \({G}^{\prime }_{2} \) from Alice, TP publishes the positions of decoy photons in \({G}^{\prime }_{2} \) and asks Alice to measure them with the basis {|0〉,|1〉} or the basis {|+〉,|−〉}. After Alice announces her measurement results, TP calculates the error rate by comparing the initial states of decoy photons with the measurement results of Alice. If the error rate is greater than the threshold value, the communication will be terminated and restarted from Step 1; otherwise, Alice will drop out the decoy photons to recover G₂, and the protocol will be continued.

  In the meanwhile, TP checks the transmission security of \({G}^{\prime }_{3} \) with Bob in the similar way.

• Step 4: Alice and Bob collaborate to check whether TP generated the true single photons and performed the proper operations as described in Step 1 in the following way. Alice and Bob randomly choose d photons in the same positions of G₂ and G₃, and require TP to choose d photons in the same positions of G₁. Then, Alice and Bob ask TP to measure the chosen d photons randomly with the basis {|0〉,|1〉} or the basis {|+〉,|−〉}. After TP publishes his measurement results, Alice and Bob use the same basis as that used by TP to measure their corresponding photons. Finally, Alice and Bob compare the correlations of their three’s measurement results to check whether TP is honest or not. If TP is dishonest, the communication will be terminated and restarted from Step 1; otherwise, the communication will be continued.

• Step 5: After dropping out the d photons used for checking, Alice (Bob) measures the photon in her (his) hand with the basis {|0〉,|1〉} and obtains her (his) private key k_a(k_b). Similarly, TP can obtain his private key k_t. Then, Alice (Bob) calculates the ciphertext c_a = m_a ⊕ k_a(c_b = m_b ⊕ k_b) and publishes it. Afterward, TP calculates s = c_a ⊕ c_b ⊕ k_t. Finally, if s = 0, TP will publish to Alice and Bob that m_a = m_b; otherwise, TP will publish to Alice and Bob that m_a ≠ m_b.

For clarity, the flow chart of the proposed two-party QPC protocol is further given in Fig. 1.

Fig. 1

The flow chart of the proposed two-party QPC protocol

We further point out the differences between the proposed two-party QPC protocol and Zhang et al.’s three-party QS protocol. In the former, we use TP, Alice and Bob to replace P₁, P₂ and P₃ of the latter, respectively. Moreover, in the former, TP has no secret bit to encrypt with his private key k_t while in the latter, P₁ needs to calculate the ciphertext c₁ = m₁ ⊕ k₁.

Correctness

In the following, we will show that the correctness of the comparison between m_a and m_b can be guaranteed.

After TP performs (1 + d) × 2 controlled-not operations in Step 1, the particles {p_1,j, p_2,j, p_3,j} will form an entangled state

$$ \vert \phi_{j} \rangle =\frac{1}{\sqrt 2 }(\vert 011\rangle +\vert 100\rangle ), $$

(1)

where j ∈{1,2,…,1 + d}. After the operations of Hadamard gates in Step 1, |ϕ_j〉 will become

$$ \vert {\phi }^{\prime}_{j} \rangle =\frac{1}{2 }(\vert 000\rangle +\vert 011\rangle -\vert 101\rangle -\vert 110\rangle ). $$

(2)

In Step 5, TP, Alice and Bob measure their respective particle of \(\vert {\phi }^{\prime }_{j} \rangle \) with the basis {|0〉,|1〉} and obtain the private keys k_t, k_a and k_b, respectively. Obviously, we have

$$ k_{a} \oplus k_{b} \oplus k_{t} = 0. $$

(3)

As a result, it can be obtained that

$$ s=c_{a} \oplus c_{b} \oplus k_{t} =(m_{a} \oplus k_{a} )\oplus (m_{b} \oplus k_{b} )\oplus k_{t} =m_{a} \oplus m_{b} . $$

(4)

Therefore, if s = 0, we will have m_a = m_b; otherwise, we will have m_a ≠ m_b.

Security

In Zhang et al.’s three-party QS protocol, the security against the outside attacks and the security against the participant attacks (including the individual attack from P₂ or P₃ and the individual attack from P₁) have been validated in detail. It is straightforward that the proposed two-party QPC protocol is also secure against the outside attacks and the participant attacks (including the individual attack from Alice or Bob and the individual attack from TP) .

Qubit Efficiency

Here, we calculate the qubit efficiency after ignoring the eavesdropping check processes. The qubit efficiency η is defined as \(\eta =\frac {r_{c} }{r_{q} }\), where r_c is the number of the compared classical bits and n_q is the number of consumed qubits [33]. In the proposed two-party QPC protocol, one |+〉 and two |1〉s can be used to compare one secret bit from each party, hence its qubit efficiency is 33.3%.

4 Conclusion

To sum up, in this paper, inspired by Zhang et al.’s three-party QS protocol based on single photons, we propose the corresponding two-party QPC protocol with single photons. The proposed QPC protocol uses single photons as the initial quantum resource rather than quantum entangled states. Moreover, the correctness and the security of the proposed QPC protocol can be guaranteed. The proposed QPC protocol transmits the particles in a single directional way, so it is naturally free from Trojan horse attacks.