Quantum Secure Multi-Party Summation Based on Grover’s Search Algorithm

Abstract

In this paper, a quantum secure multi-party summation protocol is proposed based on some properties of Grover’s search algorithm. In the protocol, each participant’s secret input is encoded as a unitary operation on the travelling two-qubit state. With the help of a semi-honest third party, all participants can simultaneously obtain the summation result without disclosing their secret inputs. Only the preparation and measurement of single qubits are required, which makes the proposed protocol feasible using current technology. At last, we demonstrate the correctness and security of the protocol, which can resist various attacks from both external attackers and internal participants.

1 Introduction

Quantum cryptography, which is regarded as the combination of quantum mechanics and classical cryptography, has attracted a lot of attention since Bennett and Brassard presented the first quantum key distribution protocol [1]. Different from the security of the classical cryptography which is based on the assumption of computation complexity, that of quantum cryptography relies on the quantum mechanics principles, e.g., no-cloning theorem, Heisenberg uncertainty principle, which make it unconditionally secure in theory. Consequently, in the past decades, many scholars have studied it, and proposed a lot of branches of quantum cryptography, such as quantum key distribution [1,2,3], quantum secret sharing [4,5,6,7], quantum private query [8,9,10,11], quantum multi-party computation [12,13,14], and so on.

Secure multi-party summation, as a vital research point of secure multi-party computation, can be used to construct complex security protocols for other multi-party computation. Thus, in the past few years, researchers have proposed a variety of quantum secure multi-party summation protocols using different strategies. In 2006, Hillery et al. [15] proposed the first multi-party summation protocol with the two-particle N-level entangled states, which can complete the summation of N participants in the voting process on the premise of ensuring the anonymity of participants. In 2010, based on multi-particle entangled states, Chen et al. [16] proposed another secure addition module 2. In 2016, Shi et al. [17] proposed a new protocol based on the quantum Fourier transform, which utilized 2m −qubit entangled state as information carrier. Afterwards, a few quantum secure multi-party summation [18,19,20] has been proposed, in which various properties of quantum mechanics are exploited. However, these protocols encounter a problem in practical application, that is, it is difficult to prepare the information carriers (multi-particle entangled states) with current technology. To solve this problem, a novel quantum secure multi-party summation protocol with qubits is proposed, in which some properties of Grover’s search algorithm is utilized. In the protocol, two-qubit states are used as the information carriers that are transmitted among the participants. For the signal particles, each participant encodes his secret input by performing the encoding operations that are used to transform the initial state into the target state in Grover’s search algorithm. At last, according to the parity of the number of the unitary operations, a semi-honest third party selects one of two mutually unbiased bases to measure these single qubits. Based on the third party’s announcement, participants can get the summation result of their secret inputs.

The rest of this paper is organized as follows. In Section 2, we introduce the essential preliminaries briefly. Then, we use the properties of Grover’s search algorithm to design a protocol of quantum secure multi-party summation and give an example in Section 3. In Section 4, we demonstrate the proposed protocol is correct and secure. Finally, a brief conclusion is given in Section 5.

2 Preliminaries

Let us start with describing some notations which are used in this paper. For convenience, these notations are similar to Grover’s search algorithm [21]. In the algorithm, there exists a data set with four items that is represented by a two-qubit state \(|\widetilde {\varphi }_{uv}\rangle =(|0\rangle +(-1)^{v}|1\rangle )(|0\rangle +(-1)^{u}|1\rangle )\), u, v ∈{0,1}. Evidently, \(|\widetilde {\varphi }_{00}\rangle =\frac {1}{2}(|00\rangle +|01\rangle +|10\rangle +|11\rangle )\). The target state is |φ_mn〉 = |mn〉, m, n ∈{0,1}. Two specific unitary operations are required on \(|\widetilde {\varphi }_{uv}\rangle \) to achieve the search task.

$$ U_{xy}=I-2|\varphi_{xy}\rangle\langle\varphi_{xy}|, V_{xy}=2|\widetilde{\varphi}_{xy}\rangle\langle\widetilde{\varphi}_{xy}|-I, $$

(1)

where x, y ∈{0,1}. The first unitary operation U_xy causes the phase of the state |xy〉 to flip once, and its matrix is expressed as:

$$ U_{xy}=\left( \begin{array}{cccc} (-1)^{\bar{x}\bar{y}}& & & \\ & (-1)^{\bar{x}y} & & \\ & & (-1)^{x\bar{y}} & \\ & & & (-1)^{xy} \end{array} \right), $$

(2)

where \(\bar {x}=x \oplus 1,\bar {y}=y \oplus 1\), the symbol ⊕ denotes bitwise Exclusive OR. The second one V_xy causes the amplitude of the state |xy〉 to increase. Performing the above two unitary operations on \(|\widetilde {\varphi }_{uv}\rangle \), we can find

$$ V_{uv}U_{mn}|\widetilde{\varphi}_{uv}\rangle=|\varphi_{mn}\rangle. $$

(3)

Here, since the global phase has no effect on the results, it can be ignored in this paper, i.e., ±|φ_mn〉 = |φ_mn〉. The search target can be obtained by measuring with the basis MB_Z = {|0〉,|1〉}.

Using the property depicted in (3), Hsu [22] has proposed a quantum secret sharing protocol based on Grover’s search algorithm in 2003. In this protocol, only when two participants combine their qubits and perform V_uv on their two-qubit state can they both determine the state |φ_mn〉. Subsequently, researchers have carried out a series of researches on quantum cryptographic protocols based on Grover’s search algorithm [23,24,25,26]. Then, we further investigated the properties of these quantum states and operations, and drew some interesting results, which can be used to design the proposed quantum secure multi-party summation protocol.

Given two operators \(U_{x_{1}y_{1}}\) and \(U_{x_{2}y_{2}}\), where x₁, y₁, x₂, y₂ ∈{0,1}. Clearly, these operators are commutative. That is, \(U_{x_{2}y_{2}}U_{x_{1}y_{1}}=U_{x_{1}y_{1}}U_{x_{2}y_{2}}\). In addition, if x₁ = x₂ and y₁ = y₂, we get \(U_{x_{1}y_{1}}U_{x_{1}y_{1}}=I\), i.e.,

$$ U^{n}_{x_{1}y_{1}}=U^{n(mod\ 2)}_{x_{1}y_{1}}. $$

(4)

Otherwise, we get

$$ U_{x_{2}y_{2}}U_{x_{1}y_{1}}=X_{x_{1} \oplus x_{2},y_{1} \oplus y_{2}}, $$

(5)

where,

$$ \begin{array}{@{}rcl@{}} X_{00}&=&\left( \begin{array}{cccc} \ 1 & & & \\ & \ 1 & & \\ & & \ 1& \\ & & & \ 1 \end{array} \right), X_{01}=\left( \begin{array}{cccc} 1 & & & \\ & 1 & & \\ & & -1& \\ & & & -1 \end{array} \right),\\ X_{10}&=&\left( \begin{array}{cccc} 1 & & & \\ & -1 & & \\ & & 1& \\ & & & -1 \end{array} \right), X_{11}=\left( \begin{array}{cccc} 1 & & & \\ & -1 & & \\ & & -1 & \\ & & & 1 \end{array} \right). \end{array} $$

(6)

So, we can obtain the result shown in (7) after these two operations on the quantum state \(|\widetilde {\varphi }_{uv}\rangle \).

$$ U_{x_{2}y_{2}}U_{x_{1}y_{1}}|\widetilde{\varphi}_{uv}\rangle=|\widetilde{\varphi}_{x_{1} \oplus x_{2} \oplus u, y_{1} \oplus y_{2} \oplus v}\rangle. $$

(7)

3 Quantum Secure Multi-Party Summation Protocol

Suppose that there is a semi-honest third party P₀, who may misbehave on his own but cannot conspire with anyone. There are N parties, P_i(i = 1,2,⋯ ,N), who hold their own secret input D_i with length of 2n. That is, D_i = (d_i,1, d_i,2,⋯ ,d_i,2n), d_{i, j} ∈{0,1}(j = 1,2,⋯ ,2n). All participants want to obtain the summation of their secret inputs shown in (8), without revealing the genuine content of their secret inputs.

$$ \oplus_{i=1}^{N}D_{i}=\{\oplus_{i=1}^{N}d_{i,1},\oplus_{i=1}^{N}d_{i,2},\cdots,\oplus_{i=1}^{N}d_{i,2n}\}, $$

(8)

where \(\oplus _{i=1}^{N}d_{i,j}=d_{1,j} \oplus d_{2,j} \oplus {\cdots } \oplus d_{N,j}\). The detailed procedures of the proposed quantum secure multi-party summation can be described as follows.

Step 1::

P₀ generates a random bit sequence S with length of 2n. According to this bit sequence, he prepares an ordered sequence of two-qubit states Q₁, i.e.,

$$ S=(s_{1},s_{2},\cdots,s_{2n})\Longrightarrow Q_{1}=(|\widetilde{\varphi}_{s_{1},s_{2}}\rangle,|\widetilde{\varphi}_{s_{3},s_{4}}\rangle,\cdots,|\widetilde{\varphi}_{s_{2n-1},s_{2n}}\rangle). $$

(9)

To ensure the security of particle transmission, P₀ prepares δ decoy particles which are randomly in one of the four BB84 states, and inserts them into the sequence Q₁ randomly to form a new sequence \(\widetilde {Q}_{1}\). At last, P₀ sends the particle sequence \(\widetilde {Q}_{1}\) to the next participant P₁.

Step 2::

After confirming that P₁ has received the sequence \(\widetilde {Q}_{1}\), P₀ checks the security of \(\widetilde {Q}_{1}\)’s transmission together with P₁. To be specific, according to the positions of decoy particles and their bases published by P₀, P₁ measures the corresponding decoy particles and tells P₀ the results. P₀ calculates the error rate by comparing the measurement results with the initial states of the decoy particles. If the error rate exceeds the predetermined threshold, they restart the protocol. Otherwise, they proceed to the next step.

Step 3::

By deleting the decoy particles from \(\tilde {Q}_{1}\), P₁ can get the sequence Q₁. Then, P₁ encodes his secret input D₁ on the sequence Q₁. Concretely, P₁ generates a random bit string m₁ = {m_1,1, m_1,2,⋯ ,m_1,n}. If m_1,t = 0 (t = 1,2,⋯ ,n), the private data d_1,2t− 1, d_1,2t is split to two parts, i.e., \(d_{1,2t-1}=x_{1}^{1,2t-1} \oplus x_{2}^{1,2t-1},d_{1,2t}=y_{1}^{1,2t} \oplus y_{2}^{1,2t}\). Then, P₁ performs \(U_{x_{1}^{1,2t-1},y_{1}^{1,2t}}U_{x_{2}^{1,2t-1},y_{2}^{1,2t}}\) on the state \(|\widetilde {\varphi }_{s_{2t-1},s_{2t}}\rangle \). Otherwise, P₁ directly performs \(U_{d_{1,2t-1},d_{1,2t}}\) on \(|\widetilde {\varphi }_{s_{2t-1},s_{2t}}\rangle \). The encoded sequence is denoted as Q₂. Finally, P₁ randomly selects δ decoy particles to insert into Q₂, and sends the new sequence \(\widetilde {Q}_{2}\) to participant P₂.

Step i + 2 (i = 2,3,⋯ ,N)::

When P_i has received the quantum state sequence \(\widetilde {Q}_{i}\) from P_i− 1, P_i− 1 checks the security of the particle transmission with P_i,which is similar to Step 2. If the error rate exceeds the predetermined threshold, the protocol is restarted. Otherwise, P_i performs the encoding operations similar to Step 3 and sends the particle sequence \(\widetilde {Q}_{i+1}\) to the next participant P_i+ 1. As for the last participant P_N, he sends the particle sequence \(\widetilde {Q}_{N+1}\) to P₀.

Step N + 3::

When P₀ has received the sequence \(\widetilde {Q}_{N+1}\) from P_N, he performs eavesdropping detection with P_N. Then he gets Q_N+ 1 after removing the decoy particles from \(\widetilde {Q}_{N+1}\). Now, P_i (i = 1,2,⋯ ,N) tells P₀ the bit string m_i. P₀ calculates M_t = m_1,t ⊕ m_2,t ⊕⋯ ⊕ m_{N, t} (t = 1,2,⋯ ,n). Then, P₀ executes different processes according to the value of M_t.

1. (1)

   When M_t = 0, P₀ measures the corresponding particles with basis MB_X = {|+〉,|−〉} directly, and obtains the result \(|\widetilde {\varphi }_{w_{2t-1},w_{2t}}\rangle \). P₀ calculates the summation:

$$ A_{2t-1}=w_{2t-1} \oplus s_{2t-1}, A_{2t}=w_{2t} \oplus s_{2t}. $$

(10)

1. (2)

   When M_t = 1, P₀ performs the unitary operation \(V_{s_{2t-1},s_{2t}}\) on the t-th two-qubit state. Then he measures these states with basis MB_Z, and obtains the result \(|\varphi _{w_{2t-1},w_{2t}}\rangle \). P₀ calculates the summation:

$$ A_{2t-1}=w_{2t-1}, A_{2t}=w_{2t}. $$

(11)

Finally, P₀ publishes the summation result A = (A₁, A₂,⋯ ,A_N− 1, A_N). In this way, all participants can obtain the summation of their secret inputs.

To illustrate our protocol more clearly, a three-party case (i.e., N = 3) is taken as an example. For convenience, the eavesdropping detecting is ignored. In this case, there are three participants P₁, P₂, and P₃, who want to get the summation of their secret inputs with length of 8 (i.e., n = 4), D₁ = 01101101,D₂ = 10100111,D₃ = 11010010.

At first, P₀ generates an ordered two-qubit state sequence \(Q_{1}=(|\widetilde {\varphi }_{01}\rangle ,|\widetilde {\varphi }_{01}\rangle \), \(|\widetilde {\varphi }_{11}\rangle ,|\widetilde {\varphi }_{00}\rangle )\), namely the bit string is S = 01011100. P₁ (P₂, P₃) applies his encoding operations on the signal particles, according to his secret input D₁ (D₂, D₃) and random bit string m₁ (m₂, m₃). The states are changed with the corresponding encoding operations, which are depicted in Table 1.

Table 1 Encoding operations on the sequence

At the end of the protocol, P₀ obtains states \(U_{11}|\widetilde {\varphi }_{10}\rangle , U_{01}|\widetilde {\varphi }_{01}\rangle , U_{10}|\widetilde {\varphi }_{11}\rangle \), \(|\widetilde {\varphi }_{00}\rangle \). According to the value of m_i declared by P_i, P₀ can calculate M₁ = 1,M₂ = 1,M₃ = 1,M₄ = 0. So he performs the operations V₀₁ ⊗ V₀₁ ⊗ V₁₁ ⊗ I to get the states \(|\varphi _{00}\rangle ,|\varphi _{01}\rangle ,|\varphi _{10}\rangle ,|\widetilde {\varphi }_{00}\rangle \), and measures these particles in the basis MB_Z or MB_X. Finally, P₀ obtains the summation of their secret inputs A = 00011000, and knows A = D₁ ⊕ D₂ ⊕ D₃.

4 Analysis of the Protocol

In this section, we first discuss the correctness of the proposed protocol. Then, the security of this protocol is analyzed by considering the external attacks and some common internal attacks.

4.1 Correctness

For a secure multi-party summation protocol, it is correct, which means that all participants can obtain the summation of their secret inputs without disclosing any secrets. In the following, we will show the result of the protocol is the summation of their secret inputs.

Suppose one initial state of the signal particles is \(|\widetilde {\varphi }_{s_{2t-1},s_{2t}}\rangle \), the encoding operation U_xy has been performed r times in Steps 3 to N + 2, that is, \(U_{x_{r},y_{r}}U_{x_{r-1},y_{r-1}} {\cdots } U_{x_{2},y_{2}}U_{x_{1},y_{1}}\), where x_i, y_i ∈{0,1}. According to the Step N + 3, we know M_t = r (mod 2). So, after these encoding operations, the signal particles are in the state \(|\phi \rangle =U_{x_{r},y_{r}} {\cdots } U_{x_{1},y_{1}}|\widetilde {\varphi }_{s_{2t-1},s_{2t}}\rangle \). Due to the commutability of U_xy, we can get:

$$ U_{x_{r},y_{r}} {\cdots} U_{x_{1},y_{1}}=\underbrace{U_{00} {\cdots} U_{00}}_{r_{00}}\underbrace{U_{01} {\cdots} U_{01}}_{r_{01}}\underbrace{U_{10} {\cdots} U_{10}}_{r_{10}}\underbrace{U_{11} {\cdots} U_{11}}_{r_{11}}, $$

(12)

where r_xy is the frequency of U_xy, and r₀₀ + r₀₁ + r₁₀ + r₁₁ = r. Based on (4), we get \(U_{x_{i},y_{i}}^{r_{xy}}=U_{x_{i},y_{i}}^{a_{xy}}\), where a_xy = r_xy (mod 2). Thus, (12) can be abbreviated as:

$$ U_{x_{r},y_{r}}U_{x_{r-1},y_{r-1}} {\cdots} U_{x_{2},y_{2}}U_{x_{1},y_{1}}=U_{00}^{a_{00}}U_{01}^{a_{01}}U_{10}^{a_{10}}U_{11}^{a_{11}}. $$

(13)

Obviously, if r is even, M_t = a₀₀ ⊕ a₀₁ ⊕ a₁₀ ⊕ a₁₁ = 0. Otherwise, M_t = a₀₀ ⊕ a₀₁ ⊕ a₁₀ ⊕ a₁₁ = 1. Next, we will discuss these two cases.

1. (1)

   M_t = 0, i.e., a₀₀ ⊕ a₀₁ ⊕ a₁₀ ⊕ a₁₁ = 0.

There are two different scenarios. One is a₀₀ = a₀₁ = a₁₀ = a₁₁ = 1 or 0. Due to the property of U₀₀U₀₁U₁₀U₁₁ = I, we get the final state \(|\phi \rangle =|\widetilde {\varphi }_{s_{2t-1},s_{2t}}\rangle \). The other is that any two of a₀₀, a₀₁, a₁₀, a₁₁ are 1. Namely, there are two operations performed odd times and two operations with even times. In terms of (5), we get

$$ U_{00}^{a_{00}}U_{01}^{a_{01}}U_{10}^{a_{10}}U_{11}^{a_{11}}=(-1)^{a_{00}}X_{a_{10} \oplus a_{11},a_{01} \oplus a_{11}}. $$

(14)

To sum up, when a₀₀ ⊕ a₀₁ ⊕ a₁₀ ⊕ a₁₁ = 0, we get the final state |ϕ〉:

$$ \begin{array}{@{}rcl@{}} |\phi\rangle&=&(-1)^{a_{00}}X_{a_{10} \oplus a_{11},a_{01} \oplus a_{11}}|\widetilde{\varphi}_{s_{2t-1},s_{2t}}\rangle\\ &=&|\widetilde{\varphi}_{a_{10} \oplus a_{11} \oplus s_{2t-1},a_{01} \oplus a_{11} \oplus s_{2t}}\rangle. \end{array} $$

(15)

At the end of this protocol, we know, when M_t = 0, the unitary operation U_xy of the t-th two-qubit state \(|\widetilde {\varphi }_{s_{2t-1},s_{2t}}\rangle \) is even times. According to (15), we can obtain the result \(|\phi \rangle =|\widetilde {\varphi }_{w_{2t-1},w_{2t}}\rangle \), which is in {| + +〉,|− +〉,| + −〉,|−−〉}. Finally, P₀ measures the state with MB_X to gain the summation. Clearly, in terms of (10) and (16), we know the summation is \(A_{j}=\oplus _{i=1}^{N} D_{i,j}\ (j=1,2,\cdots ,2n)\).

$$ \begin{array}{@{}rcl@{}} w_{2t-1}&=&a_{10} \oplus a_{11} \oplus s_{2t-1} =d_{1,2t-1} \oplus d_{2,2t-1} \oplus {\dots} \oplus d_{N,2t-1} \oplus s_{2t-1},\\ w_{2t} &=&a_{01} \oplus a_{11} \oplus s_{2t} =d_{1,2t} \oplus d_{2,2t} \oplus {\dots} \oplus d_{N,2t} \oplus s_{2t}. \end{array} $$

(16)

1. (2)

   M_t = 1, i.e., a₀₀ ⊕ a₀₁ ⊕ a₁₀ ⊕ a₁₁ = 1.

There are two scenarios to consider as well. On the one hand, only one of a₀₀, a₀₁, a₁₀, a₁₁ is 1. That is, only one of the four operations performs odd, (13) can be rewritten as \(U_{00}^{a_{00}}U_{01}^{a_{01}}U_{10}^{a_{10}}U_{11}^{a_{11}}=U_{a_{10} \oplus a_{11},a_{01} \oplus a_{11}}\). On the other hand, any three of a₀₀, a₀₁, a₁₀, a₁₁ are 1. That is, three of the four operations perform odd, (13) can be rewritten as \(U_{00}^{a_{00}}U_{01}^{a_{01}}U_{10}^{a_{10}}U_{11}^{a_{11}}=-U_{a_{10} \oplus a_{11},a_{01} \oplus a_{11}}\).

Overall, when a₀₀ ⊕ a₀₁ ⊕ a₁₀ ⊕ a₁₁ = 1, the encoding operation sequence of U_xy can be abbreviated as:

$$ U_{00}^{a_{00}}U_{01}^{a_{01}}U_{10}^{a_{10}}U_{11}^{a_{11}}=\pm U_{a_{10} \oplus a_{11},a_{01} \oplus a_{11}}. $$

(17)

In our protocol, when M_t = 1, P₀ has to perform operation \(V_{s_{2t-1},s_{2t}}\) on the quantum state \(|\widetilde {\varphi }_{s_{2t-1},s_{2t}}\rangle \) in Step N + 3. According to the Grover’s search algorithm, the following results are obtained:

$$ |\phi\rangle=\pm V_{s_{2t-1},s_{2t}}U_{a_{10} \oplus a_{11},a_{01} \oplus a_{11}}|\widetilde{\varphi}_{s_{2t-1},s_{2t}}\rangle =|\varphi_{a_{10} \oplus a_{11},a_{01} \oplus a_{11}}\rangle. $$

(18)

Contrast with M_t = 0, the unitary operation U_xy of the t-th two-qubit state \(|\widetilde {\varphi }_{s_{2t-1},s_{2t}}\rangle \) is odd. According to (18), We obtain the result \(|\phi \rangle =|\varphi _{w_{2t-1},w_{2t}}\rangle \), which is in {|00〉,|01〉,|10〉,|11〉}. Finally, P₀ measures the state with MB_Z to gain the summation. Evidently, from (11) and (19), we know the summation is \(A_{j}=\oplus _{i=1}^{N} D_{i,j}\ (j=1,2,\cdots ,2n)\).

$$ \begin{array}{@{}rcl@{}} w_{2t-1}&=&a_{10} \oplus a_{11} =d_{1,2t-1} \oplus d_{2,2t-1} \oplus {\dots} \oplus d_{N,2t-1},\\ w_{2t} &=&a_{01} \oplus a_{11} =d_{1,2t} \oplus d_{2,2t} \oplus {\dots} \oplus d_{N,2t}. \end{array} $$

(19)

Consequently, taking the above two circumstances into consideration, the protocol we proposed is correct.

4.2 Security

In a quantum secure multi-party summation protocol, the participants are not all honest, which means their attacks should be considered. Moreover, since the participant takes part in the execution of the protocol, he generally has more powerful than Eve. Thus, in addition to the external attacks, the security of the proposed protocol under three common internal attacks, which are performed by different dishonest participants respectively, are analyzed in this section.

4.2.1 External Attack

Suppose there is an external attacker, Eve, whose goal is to steal the secret information of one participant P_i (i = 1,2,⋯ ,N). According to the publicly available messages m_i and A_i, Eve has no access to any information about D_i. So she has to attack the travelling particle sequence \(\widetilde {Q}_{i+1}\), which is sent from P_i to P_i+ 1. This attack can be intercept-resend attack, measurement-resend attack and entanglement-measurement attack, etc. However, in our protocol, some decoy particles are added, and these particles are randomly in one of the four BB84 states. Clearly, the method of eavesdropping detection with decoy particles is derived from the BB84 protocol, which has proved to be unconditionally security in theory. That is, as long as Eve tries to attack the travelling particles in the process of particle transmission, it will be detected because she does not know the positions and measurement bases of these decoy particles. Therefore, the proposed protocol is secure against this external attack.

4.2.2 A Dishonest Participant’s Attack

N participants P_i (i = 1,2,⋯ ,N) play the same roles in the proposed protocol. So, without loss of generality, we can assume that the participant P_i is dishonest, denoting as \(P_{i}^{*}\), who tries to steal the secret input of P_i+ 1. He can send a false particle sequence F to P_i+ 1. P_i+ 1 performs the encoding operation on F according to his secret input, then adds δ decoy particles and gets the particle string \(\widetilde {F}\). After that, P_i+ 1 sends it to P_i+ 2. At this point, \({P}_{i}^{*}\) attacks this particle sequence \(\widetilde {F}\) to distinguish the encoding operations. However, since he does not know the locations of the decoy particles, his attack behavior will inevitably introduce errors as Eve, which will be inevitably discovered by the eavesdropping detection process between P_i+ 1 and P_i+ 2. Thus, such an attack would be null and void for our protocol.

4.2.3 Multiple Dishonest Participants’ Collusion Attack

In this attack, there are two or more participants who cooperate to steal secret inputs of honest participants. At first, a special case is considered, which N − 1 participants conspire. Obviously, they can infer the secret input of the remaining honest participant based on the summation result published by P₀. Similarly, if N − k participants conspire, they can easily get the summation of other k participants’ secret inputs. Therefore, these situations are trivial. Now, we will discuss some non-trivial cases. For example, in a four-party protocol, P₁ and P₃ are dishonest participants, who are denoted as \(P_{1}^{*}\) and \(P_{3}^{*}\), they clearly have easy access to the summation of P₂ and P₄. The key point is whether they are able to eavesdrop the information about P₂’s or P₄’s secret input. Obviously, \(P_{1}^{*}\) and \(P_{3}^{*}\) conspire to steal P₂’s secret input more easily than P₄’s. Thus, the case, in which, \(P_{1}^{*}\) and \(P_{3}^{*}\) conspire to attack P₂, is discussed as follows.

First of all, let us consider a simple attack strategy. \(P_{1}^{*}\) receives the quantum state sent by P₀, then he chooses the basis MB_X to obtain the initial state, and infers the classical bit sequence S. Then the secret input of \(P_{1}^{*}\) is encoded into the particle sequence \(\widetilde {Q}_{2}\) and sent to P₂. P₂ receives the particle sequence and checks the security of the transmission. The sequence \(\widetilde {Q}_{3}\) is obtained after the corresponding encoding operations and the addition of the decoy particles. \(P_{3}^{*}\) detects eavesdropping with P₂, discarding the decoy particles to get Q₃. After that, he performs the operation \(V_{s_{2t-1},s_{2t}}\) according to the classical bit sequence S, and measures with MB_Z or MB_X. However, P₂ will announce whether the secret is not split (m_2,t = 1) or split (m_2,t = 0) until P₀ receive the sequence \(\widetilde {Q}_{5}\). Therefore, even they know the correct sequence S, they cannot infer the parity of the encoding operations by all participants. Namely, they cannot know whether the odd or even numbers of operations U_xy are carried out in the process of the protocol. Therefore, the correct measurement basis cannot be selected to get the correct results. Moreover, even they know M_t = ⊕_im_{i, t}, they cannot know whether the m_1,t and m_4,t are 0 or 1, but only the summation of them.

Next, let us consider a more general attack strategy. \(P_{1}^{*}\) intercepts the signal particles, and sends a pseudo-particle sequence \(\widetilde {Q}_{2}^{*}\). Each pair of particles in \(\widetilde {Q}_{2}^{*}\) is:

$$ |\alpha\rangle=|00\rangle|u_{00}\rangle+|01\rangle|u_{01}\rangle+|10\rangle|u_{10}\rangle+|11\rangle|u_{11}\rangle. $$

(20)

\(P_{1}^{*}\) continues to execute the protocol and sends \(\widetilde {Q}_{2}^{*}\) to P₂. P₂ continues Step 2, splits the secret input or not according to m_2,t, encodes them into \(\widetilde {Q}_{2}^{*}\) to get a new particle string \(\widetilde {Q}_{3}^{*}\). At last, he sends it to \(P_{3}^{*}\). \(P_{3}^{*}\) and P₂ pass the eavesdropping detection, then \(P_{3}^{*}\) measures the particle sequence and distinguishes what kind of encoding operations P₂ has carried out. Because the operations carried out in the encoding process are U_xy, which are determined by the secret inputs, there are different operations for different secret inputs shown in Table 2. P₂’s different operations on quantum state |α〉 result in different quantum states, as shown in Table 3.

Table 2 Encoding operations for different secret inputs

Table 3 Effects of different encoding operations on the pseudo-particle sequence

Obviously, in order to distinguish the operations of P₂, we need to distinguish the above encoded quantum states. However, this is impossible, since we have found some interesting relationship between the encoded quantum states. Performing the encoding operation U₁₀U₁₁ for 01 to get \(|\alpha _{01}^{0}\rangle \), we find that

$$ |\alpha_{01}^{0}\rangle=|\alpha_{00}^{0}\rangle-|\alpha_{00}^{1}\rangle-|\alpha_{01}^{1}\rangle \ \text{or}\ -|\alpha_{01}^{0}\rangle=|\alpha_{00}^{0}\rangle-|\alpha_{10}^{1}\rangle-|\alpha_{11}^{1}\rangle. $$

(21)

In addition, we also find that

$$ \begin{array}{@{}rcl@{}} |\alpha_{10}^{0}\rangle &=&|\alpha_{00}^{0}\rangle-|\alpha_{00}^{1}\rangle-|\alpha_{10}^{1}\rangle \ \text{or}\ -|\alpha_{10}^{0}\rangle=|\alpha_{00}^{0}\rangle-|\alpha_{01}^{1}\rangle-|\alpha_{11}^{1}\rangle,\\ |\alpha_{11}^{0}\rangle &=&|\alpha_{00}^{0}\rangle-|\alpha_{00}^{1}\rangle-|\alpha_{11}^{1}\rangle \ \text{or}\ -|\alpha_{11}^{0}\rangle=|\alpha_{00}^{0}\rangle-|\alpha_{01}^{1}\rangle-|\alpha_{10}^{1}\rangle. \end{array} $$

(22)

Apparently, the quantum states obtained by different secret inputs after different encoding operations are linearly correlated. The necessary and sufficient condition for a configuration proposed by Chefles and Barnett [27] to be deterministically distinguished is linear independent, so the quantum states after these operations cannot be deterministically distinguished. Therefore, even \(P_{1}^{*}\) and \(P_{3}^{*}\) collusive attack P₂, P₂’s secret input cannot be judged since the quantum states after operations are linearly correlated.

Thus, these participants’ attacks are failure in the protocol.

4.2.4 The Semi-Honest Third Party’s Attack

Since the third party P₀ is semi-honest, he also attempts to obtain a participant P_i’s secret input. Furthermore, the role of P₀ in the protocol is different from other participants, he needs to prepare the initial states and send them to the next participant P₁. However, he is semi-honest, he cannot conspire with others. To be convenient, suppose P₀ wants to get the information of P₁’s secret input. Since the encoding of secret input is realized by operation U_xy, P₀ must know what kind of operation that P₁ has carried out. Then P₀ will intercept the particles \(\widetilde {Q}_{2}\) emitted by P₁, but in the eavesdropping detection between P₁ and P₂, he will be detected as Eve as well. So the protocol is safe for such attack.

From the above analyses, it is shown that the protocol is secure against both external and internal attacks, which means no one can access a participant’s secret input without being detected.

5 Conclusion

In Grover’s search algorithm, a product state of two qubits can be converted to a special target state through applying two specific unitary operations. Moreover, if the unitary operation is executed one more time, the target state will become another superposition state. Obviously, since these states are non-orthogonal, they cannot be perfect discriminated. Based on it, a new quantum secure multi-party summation with qubits is proposed in this paper. At first, two qubits, the initial state of the Grover’s search algorithm, are prepared by a semi-honest third party who may misbehave on his own but cannot conspire with other participants. Then, the signal particles are transmitted among all participants who respectively performs the unitary operations representing their secret inputs. Finally, according to the parity of the number of the encoding operations, the third party measures the traveling particles in different bases and obtains the summation. In this way, all participants achieve secure summation task with the aid of this semi-honest third party. By discussing the case under external attacks and some common internal attacks, it is shown that the proposed protocol is secure, which is based on some results of Grover’s search algorithm and quantum state discrimination. In addition, instead of multi-particle entangled states, only qubits are used as the information carriers, which makes the proposed protocol more feasible using current technology.