1 Introduction

Quantum private comparison (QPC) aims to determine, by means of quantum technology, whether two customers’ secrets are equal without disclosing either secret to the other party. At present, there are a large number of QPC protocols [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41], which employ diverse procedures and a wide variety of quantum resources. Provided that security is preserved, an advisable idea is to make the procedures as simple as possible and the preparation of the quantum resources as easy as possible. If this idea is kept as a design principle in developing QPC protocols, the resulting protocols will be more efficient and practical. To demonstrate the design principle, this study takes Bell states as an example in what follows.

As we know, among quantum resources such as two-particle product states, Bell states, W states, GHZ states, cluster states, χ-type entangled states, five-particle entangled states, six-particle entangled states, and multi-level quantum systems, Bell states are a common and useful one. There are four Bell states: \( \{ |\phi^{+}\rangle, |\phi^{-}\rangle, |\psi^{+}\rangle, |\psi^{-}\rangle \} \), where \( |\phi^{\pm}\rangle = \frac{1}{\sqrt{2}}\left(|00\rangle \pm |11\rangle\right) \) and \( |\psi^{\pm}\rangle = \frac{1}{\sqrt{2}}\left(|01\rangle \pm |10\rangle\right) \). They have found application in diverse QPC protocols [9,10,11,12,13,14,15,16,17,18]. If we focus narrowly on how these protocols use Bell states, it can be seen that they have used at least two forms of Bell states.

Although the usage of diverse Bell states might increase the qubit efficiency, which is defined as the ratio of the number of compared classical bits to the total number of photons used in comparison [12], it should reduce working efficiency and increase running costs. The reason is as follows. Various Bell states require multiple state-producing devices or methods. That is to say, different devices, working modes, input particles or the like must be switched to generate different kinds of quantum states. This is called states-generation switching in this paper. It would be rather frequent and abundant in a QPC process, which could reduce working efficiency and increase running costs.

If the proposed design principle is used as a reference to design QPC protocols, the quantum states used will be of as few kinds as possible, and thus states-generation switching can also be avoided as much as possible. In this way, the qubit efficiency might be lowered. However, once a quantum state can be mass produced, its number and the qubit efficiency are not the first things to consider, because preparing two states of one kind is generally far easier than preparing two states of two kinds. For example, producing two \( |\phi^{+}\rangle \) Bell states is much easier than preparing two different Bell states \( |\phi^{+}\rangle \) and \( |\psi^{+}\rangle \) when you have the ability to generate a \( |\phi^{+}\rangle \) Bell state. Therefore, in some cases, the forms of the quantum states matter more than their numbers. In other words, the states’ singleness, not the qubit efficiency, would be one of the first considerations in developing QPC protocols.

According to the above discussion, there should be a QPC protocol implemented using a single Bell state, say \( |\phi^{+}\rangle \). However, such a protocol has not yet been seen. As mentioned earlier, existing Bell-based QPC protocols generally utilize two or more forms of Bell states. Thus, this paper utilizes a single Bell state to design a novel QPC protocol, where the single Bell state \( |\phi^{+}\rangle \) or \( |\phi^{-}\rangle \) is used. Without states-generation switching, it would improve efficiency and reduce use costs.

As Lo [42] showed, it is impossible to design a secure equality function in a two-party scenario, so a semi-honest third party (TP) takes part in the presented protocol. The protocol's correctness and security will be validated.

The paper is organized as follows. The proposed protocol is described in Section 2. Its correctness and security are analysed in Section 3. Conclusions are drawn in Section 4.

2 The Proposed QPC Protocol

Two classical customers, Alice and Bob, are going to perform QPC on their private data, given by the respective binary representations A = \( (a_{N-1} \ldots a_1 a_0) \) and B = \( (b_{N-1} \ldots b_1 b_0) \), where \( a_j, b_j \in \{0, 1\} \), \( j \in \{0, 1, \ldots, N-1\} \), and \( 2^{N-1} \le \max\{A, B\} < 2^{N} \). Based on the three-party scenario described above, the process of the proposed QPC protocol can be described as follows.

  1. Step 1:

    TP generates 3N \( |\phi^{+}\rangle \) Bell states, where \( |\phi^{+}\rangle = \frac{1}{\sqrt{2}}\left(|00\rangle + |11\rangle\right) \), and divides the first N into two sequences T0 and T1, the second N into T2 and T3, and the last N into T4 and T5. In order to detect eavesdropping, TP generates two sets of decoy photons DA and DB, each randomly chosen from the four states {|0〉, |1〉, |+〉, |−〉}, where \( |+\rangle = \frac{1}{\sqrt{2}}\left(|0\rangle + |1\rangle\right) \) and \( |-\rangle = \frac{1}{\sqrt{2}}\left(|0\rangle - |1\rangle\right) \). Here, the Z basis and the X basis denote the measuring bases {|0〉, |1〉} and {|+〉, |−〉}, respectively. TP randomly inserts DA into T0 and T4, composing one new quantum sequence SA, and DB into T2 and T5, forming SB; SA and SB are sent to Alice and Bob, respectively. TP measures T1 and T3 along the Z basis. If the measuring result is |0〉/|1〉, its corresponding classical bit is labelled as 0/1. TP thus obtains the measured bits T1 = \( (t1_{N-1} \ldots t1_1 t1_0) \) and T3 = \( (t3_{N-1} \ldots t3_1 t3_0) \), where \( t1_j, t3_j \in \{0, 1\} \), \( j \in \{0, 1, \ldots, N-1\} \).

  2. Step 2:

    Once the sequences SA and SB have reached Alice and Bob, respectively, TP announces the decoy photons’ positions and measuring bases. Using this information, Alice and Bob perform the corresponding measurements and report the results to TP. TP verifies these measurement outcomes to check whether there are eavesdroppers in the quantum channels. If the detected error rate exceeds a predetermined threshold, the communication is aborted and the protocol is restarted. Otherwise, it goes on to Step 3.

  3. Step 3:

    Alice (Bob) discards the decoy photons in SA (SB) to restore the sequences T0 and T4 (T2 and T5), and measures them along the Z basis. Alice (Bob) then obtains the measured bits T0 = \( (t0_{N-1} \ldots t0_1 t0_0) \), T4 = \( (t4_{N-1} \ldots t4_1 t4_0) \) (T2 = \( (t2_{N-1} \ldots t2_1 t2_0) \), T5 = \( (t5_{N-1} \ldots t5_1 t5_0) \)), where \( t0_j, t2_j, t4_j, t5_j \in \{0, 1\} \), \( j \in \{0, 1, \ldots, N-1\} \). Alice and Bob perform the bit-wise exclusive-OR operations \( ra_j = t0_j \oplus a_j \oplus t4_j \) and \( rb_j = t2_j \oplus b_j \oplus t5_j \), respectively, where \( ra_j, rb_j \in \{0, 1\} \), RA = \( (ra_{N-1} \ldots ra_1 ra_0) \), RB = \( (rb_{N-1} \ldots rb_1 rb_0) \), \( j \in \{0, 1, \ldots, N-1\} \). The binary numbers RA and RB are announced to TP using classical channels.

  4. Step 4:

    After getting RA and RB, TP computes \( r_j = ra_j \oplus t1_j \oplus rb_j \oplus t3_j \) from RA, RB, T1, and T3, where \( r_j \in \{0, 1\} \), R = \( (r_{N-1} \ldots r_1 r_0) \), \( j \in \{0, 1, \ldots, N-1\} \). Once a computation outcome \( r_j \) is 1, TP announces the inequality of the customers’ private data and terminates its work. Otherwise, TP continues calculating \( r_j \) until the subscript j = 0, that is, until all the bits of RA, RB, T1, and T3 have been processed and the computation ends with \( r_0 = 0 \). At this point, it announces that the two participants’ private data are identical.

From the steps above, we can deduce the comparisons with previous Bell-based QPC protocols, which are shown in Table 1.

Table 1 Comparisons with previous Bell-based QPC protocols

3 Analyses

3.1 Correctness

In the steps above, the expression \( r_j = ra_j \oplus t1_j \oplus rb_j \oplus t3_j = t0_j \oplus a_j \oplus t4_j \oplus t1_j \oplus t2_j \oplus b_j \oplus t5_j \oplus t3_j \) holds. Once measured by Alice, Bob and TP, the Bell state \( |\phi^{+}\rangle = \frac{1}{\sqrt{2}}\left(|00\rangle + |11\rangle\right) \) will collapse to one of the two states {|00〉, |11〉}. Whether it is |00〉 or |11〉, the following equations hold: \( t0_j = t1_j \), \( t2_j = t3_j \), \( t4_j = t5_j \). Therefore, \( r_j = a_j \oplus b_j \). According to the exclusive-OR operation, \( r_j = 1 \) indicates that \( a_j \) is not equal to \( b_j \); if all the \( r_j = 0 \), this means \( a_j = b_j \) for every j. So the presented protocol functions correctly.
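The following simulation of Steps 1, 3 and 4 and of the correctness argument above is an added example, not code from the paper. It assumes an ideal channel, models the Z-basis measurement of each \( |\phi^{+}\rangle \) pair as one shared random bit, and omits the decoy-photon check of Step 2; the function names are hypothetical.

```python
import secrets

def bell_pairs_z(n):
    """Model Z-basis measurement of n |phi+> pairs: both halves of a pair
    collapse together to |00> or |11>, so they give the same random bit."""
    bits = [secrets.randbelow(2) for _ in range(n)]
    return bits, list(bits)

def to_bits(x, n):
    """Bits of x ordered (x_{N-1} ... x_1 x_0), most significant first."""
    return [(x >> j) & 1 for j in range(n - 1, -1, -1)]

def run_qpc(a, b, n):
    """Run one comparison; returns (equal, r) where r lists the r_j values
    TP computed before it stopped, starting from j = N-1."""
    A, B = to_bits(a, n), to_bits(b, n)
    # Step 1: TP keeps T1 and T3; Alice receives T0 and T4, Bob T2 and T5.
    t0, t1 = bell_pairs_z(n)
    t2, t3 = bell_pairs_z(n)
    t4, t5 = bell_pairs_z(n)
    # Step 3: each customer masks the secret with both measured sequences.
    ra = [t0[i] ^ A[i] ^ t4[i] for i in range(n)]
    rb = [t2[i] ^ B[i] ^ t5[i] for i in range(n)]
    # Step 4: TP removes T1 and T3 and stops at the first r_j equal to 1.
    r = []
    for i in range(n):
        rj = ra[i] ^ t1[i] ^ rb[i] ^ t3[i]
        r.append(rj)
        if rj == 1:
            return False, r
    return True, r

if __name__ == "__main__":
    # Constructed sample inputs, N = 4.
    print(run_qpc(0b1011, 0b1011, 4))
    print(run_qpc(0b1011, 0b1001, 4))
```

Because the three masks cancel pairwise, the returned r values depend only on the inputs and not on the random measurement outcomes.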

3.2 Security Analysis

The security of the protocol will be analysed with respect to outsider attacks and insider attacks.

3.2.1 Outsider Attack

There is no place for outsiders to attack in any of the steps above except Step 1, where the qubit transmissions through the quantum channels are prone to outsider attacks. In Step 1, the sequences SA and SB containing decoy photons are transmitted as quantum data blocks [43]; the decoy photon technique [44, 45] also secures the qubit transmissions. It can be regarded as a variation of the eavesdropping check method of the BB84 protocol, which was proven to be unconditionally secure in Ref. [46].

In Step 3, because the announced number RA (RB) is encrypted by the one-time values T0 and T4 (T2 and T5), which are known only to TP and Bob (TP and Alice), respectively, the private data will not be revealed to anyone. In Step 4, the announced \( r_j = 1 \) does not include any private data at all.

In short, the presented protocol can be resistant to outsider attacks.

3.2.2 Insider Attack

There are two cases of insider attacks to discuss. One is the possibility that one party obtains the other’s private data. The other is the possibility that TP retrieves the two parties’ private data.

Two Participants’ Attack

Since Alice’s role is equivalent to Bob’s, only one case is discussed, in which Alice tries to learn Bob’s private data. The only way for Alice is to use the photons sent to her, i.e. the sequences T0 and T4, from which she will know only T1 and T5 according to the properties of Bell states. However, RB is encrypted by Bob’s T2, whose bits are one-time values because, when measured along the Z basis, Bob’s photon collapses to |0〉 (|1〉) with a probability of 50%. Because Bob will not release his own T2 to Alice, and she is not able to deduce T2 from TP’s T3 since the semi-honest TP cannot cooperate with any participant, Alice has no knowledge of T2 and T3. Therefore, it is impossible for Alice to obtain Bob’s private data B via her own photons.

If Alice tries to intercept the transmitted particles from TP to Bob, she will be found as an outside eavesdropper as described in the previous section. Therefore, no matter what Alice does, she cannot get Bob’s private data.

In short, one party can obtain nothing about the other’s secrets.

TP’s Attack

In the proposed protocol, TP is semi-honest. This means that it faithfully prepares Bell states, follows the processes, and will not be corrupted by any outside eavesdropper. Therefore, it can cheat only by using the bits T1 and T3. According to the properties of Bell states, TP can infer T0 and T2 but cannot know the one-time states T4 and T5. RA and RB are also encrypted by Alice’s T4 and Bob’s T5, respectively. Thus, it cannot deduce Alice and Bob’s private data A and B from RA and RB. It obtains only the bit \( r_j \), namely the QPC result. This means TP cannot get any information about the two participants’ privacy. Hence, the proposed protocol can resist TP’s attack.
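The masking argument above can be checked exhaustively for small N. This added example (not from the paper; function names are hypothetical and the run is constructed) lists every pair (A', B') that is consistent with TP's records RA, RB, T1 and T3: every N-bit value of A remains possible, and the only quantity common to all candidates is the XOR \( a_j \oplus b_j \) that Step 4 evaluates.

```python
import secrets

def constructed_tp_view(a, b, n):
    """Constructed sample run: returns what TP holds after Step 3.
    N-bit integers stand for the bit sequences; ^ is the bit-wise XOR."""
    t0, t2, t4 = (secrets.randbits(n) for _ in range(3))
    t1, t3, t5 = t0, t2, t4      # Bell correlations under Z-basis measurement
    ra = t0 ^ a ^ t4             # announced by Alice
    rb = t2 ^ b ^ t5             # announced by Bob
    return ra, rb, t1, t3

def consistent_inputs(ra, rb, t1, t3, n):
    """All (A', B') that explain TP's records for some value of T4 = T5."""
    u = ra ^ t1                  # equals A xor T4 (T0 removed through T1)
    v = rb ^ t3                  # equals B xor T5 (T2 removed through T3)
    # TP never measures T4 or T5, so each of the 2^N values stays possible.
    return [(u ^ k, v ^ k) for k in range(2 ** n)]

def tp_knowledge(a, b, n):
    """Return (number of distinct A' still possible, set of A' xor B')."""
    cands = consistent_inputs(*constructed_tp_view(a, b, n), n)
    return len({x for x, _ in cands}), {x ^ y for x, y in cands}

if __name__ == "__main__":
    # Constructed inputs, N = 4: prints (16, {2}).
    print(tp_knowledge(0b1011, 0b1001, 4))
```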

4 Conclusions

In order to improve usability and reduce use costs, the paper first introduces a design principle for QPC protocols. From the design principle, it can be inferred that the singleness of the quantum resources used contributes to QPC’s usability to some extent, because the absence of states-generation switching brings high efficiency and low costs. Taking Bell states as an example, the paper implemented a QPC protocol with a single Bell state, the analyses of which show that it performs a correct QPC function securely. Moreover, the protocol uses as few steps as possible; its quantum resource is only a single Bell state, namely \( |\phi^{+}\rangle \). So, it can be much easier to handle than protocols with at least two Bell states. All of this shows that the presented design principle is not only feasible but also beneficial.