1 Introduction

The original characteristics of quantum mechanics such as superposition and entanglement play an important role in quantum cryptography. Utilizing these properties, numerous applications in quantum cryptography, such as quantum key distribution [13], quantum secret sharing [4], quantum secure direct communication [57], and quantum authentication and signature [811], have been proposed. Recently, quantum private comparison (QPC) has gained a great deal of attention and become an important branch of quantum cryptography. Based on the principles of quantum mechanics, the QPC protocol can be used to privately compare the equality of players’ secret without any complex computation.

In fact, the private comparison concept originated in secure multiparty computation which has long been an important subject in classical cryptography. In [12, 13], Yao proposed a protocol to solve the millionaires’ problem, in which two millionaires wish to determine who is richer without knowing their actual worth. Thereafter, Boudot et al. [14] proposed a protocol to decide whether the two millionaires are equally rich. However, Lo [15] in 1997 pointed out that it is impossible to construct a secure equality function in a two-party scenario. Thus, some additional assumptions, i.e., a semi-honest third party (TP), should be considered in QPC protocols.

The earliest two QPC protocols were proposed by Yang et al. [16, 17] in 2009, utilizing two-photon entangled Einstein–Podolsky–Rosen (EPR) pairs and polarized single photons, respectively. Since then, the development of QPC techniques has mainly fallen into three paradigms [18]: “the quantum cryptography QPC [19, 20], the superdense coding QPC [16, 17, 2125], and the entanglement swapping QPC [2628].”

Cryptanalysis is a very important part of cryptography. It finds potential loopholes from an eavesdropper’s viewpoint and improves the protocol’s security level. As pointed out by Lo and Ko, breaking cryptographic systems is as important as building them [29]. With the development of quantum cryptography, various attack strategies have been proposed, such as intercept-resend attacks [30], entanglement swapping attacks [31, 32], teleportation attacks [33], dense coding attacks [3436], channel-loss attacks [37, 38], denial-of-service attacks [39, 40], correlation-extractability attacks [4145], Trojan horse attacks [46, 47], and participant attacks [32, 36]. Understanding these attacks is helpful for designing new protocols with high security.

Recently, Lin et al. [48] proposed a novel two-party QPC protocol based on the entanglement swapping of two EPR pairs without the help of a TP, and this protocol has been claimed to be unconditionally secure. Clearly, a contradiction exists between Lin et al.’s “secure” QPC protocol without a TP and Lo’s result [15]. This contradiction needs to be clarified. In this paper, we show that Lin et al.’s protocol is not as secure as claimed. We find two security loopholes in Lin et al.’s protocol. First, a dishonest party can disclose the other’s private information without being detected. The proposed attack exploits the fact that the one-time-pad key encryption can be broken by manipulating the transmission of quantum sequences between two users. As far as we know, this is a new participant attack scenario that has not yet been addressed in the existing literature. Second, the comparison result can be manipulated completely by either party. Finally, improvements are proposed to avoid these loopholes.

The rest of this paper is organized as follows. Section 2 reviews Lin et al.’s two-party QPC protocol. Section 3 points out two security loopholes in Lin et al.’s protocol and proposes our improvements. Section 4 concludes the paper.

2 Review of Lin et al.’s QPC protocol

Let Alice and Bob be the two parties who want to compare the equality of their M-bit secret messages, \(M_A\) and \(M_B\), respectively. They agree that four Bell states \(\{|\phi ^+ \rangle ,|\phi ^- \rangle , |\psi ^+ \rangle , |\psi ^- \rangle \}\) represent the classical bits \(\{00, 01, 10, 11\}\), respectively. Lin et al.’s QPC protocol proceeds by the following steps:

Step 1 Alice (Bob) prepares a sequence of EPR pairs \(S_A\) (\(S_B\)) according to each of the two bits of \(M_A\) (\(M_B\)), each randomly in the following states,

$$\begin{aligned} |{\phi }^{+} \rangle= & {} \frac{1}{\sqrt{2}} (|{00} \rangle + |{11} \rangle ), |{\phi }^{-} \rangle = \frac{1}{\sqrt{2}} (|{00} \rangle - |{11} \rangle ),\\ |{\psi }^{+} \rangle= & {} \frac{1}{\sqrt{2}} (|{01} \rangle + |{10} \rangle ), |{\psi }^{-} \rangle = \frac{1}{\sqrt{2}} (|{01} \rangle - |{10} \rangle ). \end{aligned}$$

Alice (Bob) then divides them into two ordered sequences \(S_{A_1}\) and \(S_{A_2}\) (\(S_{B_1}\) and \(S_{B_2}\)) composed of the \(1_{st}\) and \(2_{nd}\) particles of each EPR pair, respectively. Alice (Bob) then randomly inserts some decoy photons \(D_A\) (\(D_B\)) into \(S_{A_1}\) (\(S_{B_1}\)) to form a new sequence \(S^{'}_{A_1}\) (\(S^{'}_{B_1}\)), with each decoy photon randomly in \(\{|0\rangle , |1\rangle , |+\rangle , |-\rangle \}\). Finally, Alice (Bob) sends \(S^{'}_{A_1}\) (\(S^{'}_{B_1}\)) to Bob (Alice).

Step 2  To guarantee the transmission security, after confirming that Bob has received \(S^{'}_{A_1}\), Alice publishes the positions and measurement bases of \(D_A\). Bob then performs the corresponding measurements on those decoy photons and publishes the measurement results. Alice then checks for the existence of an eavesdropper. In the same way, after confirming that Alice has received \(S^{'}_{B_1}\), Bob publishes the information for \(D_B\). Alice then performs measurements on \(D_B\) and publishes the measurement results. If there is no eavesdropper, the protocol continues. Otherwise, they abort the communication and restart from Step 1.

Step 3 Alice (Bob) performs a Bell measurement on \(S^{i}_{B_1},S^{i}_{A_2}\) (\(S^{i}_{A_1}\),\(S^{i}_{B_2}\)), where i represents the \(i_{th}\) set of EPR pairs. Thereafter, Alice (Bob) obtains an M-bit measurement result \(C_A\) (\(C_B\)). They then employ the hash function [49], i.e., \(H:\{0,1\}^{N} \rightarrow \{0,1\}^{M}\), on their secret message (\(M_A\) and \(M_B\)) to obtain two hash codes, \(H(M_A)\) and \(H(M_B)\), each of M bits in length. Finally, Alice (Bob) computes the exclusive-OR result \(R_A\) (\(R_B\)) of \(C_A\) and \(H(M_A)\) (\(C_B\) and \(H(M_B)\)), i.e., \(R_A = C_A \oplus H(M_A)\) and \(R_B = C_B \oplus H(M_B)\).

Step 4 Alice (Bob) publishes \(R_A\) (\(R_B\)). If \(R_A = R_B\), Alice’s and Bob’s secret messages are regarded as equal. Otherwise, their secret messages are regarded as different.

We now explain the basic concepts of Lin et al.’s QPC protocol. The outcome collections of entanglement swapping between any two Bell states are listed in Table 1. If the two initial Bell states are identical, then the two measurement results after entanglement swapping will also be the same, i.e., \(|{\psi }^{-} \rangle _{A_1A_2} |{\psi }^{-} \rangle _{B_1B_2}=\frac{1}{2}(|{\phi }^{+} \rangle |{\phi }^{+} \rangle - |{\phi }^{-} \rangle |{\phi }^{-} \rangle - |{\psi }^{+} \rangle |{\psi }^{+} \rangle +|{\psi }^{-} \rangle |{\psi }^{-} \rangle )_{B_1A_2A_1B_2}\). This feature is used in Step 4. If \(M_A = M_B\), then \(C_A = C_B\) and \(R_A = R_B\). Furthermore, the measurement results after entanglement swapping will cover the secret message with a one-time-pad key, so one party (say Alice) will not be able to deduce the other party’s (Bob’s) secret message \(M_B\) from \(C_A\), \(M_A\), and \(R_B = C_B \oplus H(M_B)\). However, we find that Lin et al.’s QPC protocol is not as secure as expected. Details are explained in the next section.

Table 1 Entanglement swapping results
Full size table

3 Loopholes and improvements

A QPC protocol should ensure privacy and fairness [18]. Privacy means that outside parties can not learn players’ secret information nor deduce it from the comparison result. Moreover, one player cannot know the other’s secret. Fairness means that one party knows the sound result of a private comparison if and only if the other party knows the sound result. In this section, we point out two security loopholes in Lin et al.’s protocol. The first loophole concerns privacy, and the second one concerns fairness. Correspondingly, improvements to address both loopholes are proposed.

3.1 Loophole I

This subsection shows that Lin et al.’s QPC protocol cannot ensure privacy. A dishonest party (say Bob) can obtain the other party’s (Alice’s) secret without being detected. The detailed processes are as follows.

In Step 1, Bob prepares nothing and just waits for Alice.

In Step 2, after confirming that Bob has received \(S^{'}_{A_1}\), Alice publishes the positions and measurement bases of \(D_A\). Bob then performs the corresponding measurements on those decoy photons and publishes the measurement results. Alice then checks for the existence of an eavesdropper. At this point, Bob has recovered original sequence \(S_{A_1}\) from disturbed sequence \(S^{'}_{A_1}\). Bob then inserts some decoy photons \(D_B\) into \(S_{A_1}\) to form a new sequence \(S^{''}_{A_1}\) and sends it to Alice. After confirming that Alice has received \(S^{''}_{A_1}\), Alice and Bob check for the existence of an eavesdropper, as described above. Alice then recovers original sequence \(S_{A_1}\) from disturbed sequence \(S^{''}_{A_1}\).

In Step 3, Alice performs Bell measurements on \((S^{i}_{A_1},S^{i}_{A_2})\), which is actually the EPR pair she prepared. Thus, Alice’s measurement result \(C_A\) equals \(M_A\). Finally, Alice computes \(R_A = C_A \oplus H(M_A) = M_A \oplus H(M_A)\), which means that the original one-time-pad encryption no longer exists.

In Step 4, after Alice publishes \(R_A\), Bob will obtain Alice’s secret message \(M_A\) from \(R_A = M_A \oplus H(M_A)\) without being detected. More precisely, Bob only needs at most \(2^M\) hash computations together with exclusive-OR computations to determine the exact \(M_A\) from \(R_A\). For large M, this is a difficult task in classical cryptography using current technology, but it is not difficult for an adversary in quantum cryptography, who is assumed to have infinite resources and computation power.

3.2 Loophole II

This subsection shows that Lin et al.’s QPC protocol cannot ensure fairness. The comparison result can be manipulated completely by either party because it is fully determined by the classical information published by both parties in Step 4. Thus, the latter party who publishes the exclusive-OR result in Step 4 can manipulate the comparison result completely. For example, after Alice publishes \(R_A\), Bob knows the true comparison result immediately. Bob can then publish \(R_B\) (\(R_B = R_A\)) to make Alice believe their secret messages are the same or publish another \(R_B\) (\(R_B \ne R_A\)) to make Alice believe their secret messages are different. Of course, one could argue that in a QPC protocol with a TP, either party (Alice or Bob) can tell lies to affect the final comparison result. However, it should be noted that in such a protocol, the comparison result will not be manipulated completely by either party (Alice or Bob), because there are some key parameters on the TP’s site that cannot be accessed by the parties. More specifically, neither party (Alice nor Bob) can determine the exact operations to manipulate the final comparison result. As a result, most QPC protocols with a TP congenitally ensure fairness. In some cases, users may only care about the privacy of secure multiparty computation and fairness could be neglected [50]. However, it should be noted that fairness cannot be neglected in some cases that require a high security level, e.g., a QPC protocol that compares not only the equality but also the relative size (which is the larger/smaller) of users’ secrets [51].

3.3 Improvements of Lin et al.’s protocol

To avoid the privacy loophole described in Sect. 3.1, a possible countermeasure is that the two parties do not publish the decoy photon information until both of them have received the quantum sequence in Step 2. Thereafter, Bob cannot replace \(S^{'}_{B_1}\) with \(S^{''}_{A_1}\) and then obtain Alice’s secret message \(M_A\) from \(R_A\).

As described in Sect. 3.2, fairness may be neglected sometimes, but it cannot be neglected if the protocol requires a high security level in some cases. To avoid the fairness loophole described in Sect. 3.2, a semi-honest TP should be introduced with only a simple modification. A semi-honest TP is allowed to misbehave on its own, but cannot conspire with either of two parties [52]. The modified protocol proceeds according to the following steps:

Step 1* Alice (Bob, the TP) prepares a sequence of EPR pairs \(S_A\) (\(S_B\), \(S_T\)) according to each of the two bits of \(M_A\) (\(M_B\), \(M_T\)), each randomly in one of the Bell states \(|{\phi }^{\pm } \rangle ,|{\psi }^{\pm } \rangle \), where \(M_T\) denotes the TP’s random number. Alice (Bob, the TP) then divides them into two ordered sequences \(S_{A_1}\) and \(S_{A_2}\) (\(S_{B_1}\) and \(S_{B_2}\), \(S_{T_1}\), and \(S_{T_2}\)), which is composed by the \(1_{st}\) and \(2_{nd}\) particles of each EPR pair, respectively. Alice (the TP) then randomly inserts some decoy photons \(D_A\) (\(D_T\)) into \(S_{A_2}\) (\(S_{T_2}\)) to form a new sequence \(S^{'}_{A_2}\) (\(S^{'}_{T_2}\)), with each decoy photon randomly in \(\{|0\rangle , |1\rangle , |+\rangle , |-\rangle \}\). Finally, Alice (the TP) sends \(S^{'}_{A_2}\) (\(S^{'}_{T_2}\)) to the TP (Alice).

Step 2* Alice and the TP do not publish the decoy photon information until both of them have received the quantum sequence. They then check the security of the Alice-TP channel, as in Step 2. At this point, Alice (the TP) can obtain the sequences \(S_{A_1}\) and \(S_{T_2}\) (\(S_{T_1}\) and \(S_{A_2}\)). Alice measures each pair in (\(S_{A_1},S_{T_2}\)) using Bell basis and obtains result \(C_A\). Bob (the TP) prepares some decoy photons \(D_B\) (\(D^{'}_T\)) to protect the transmission of \(S_{B_2}\) (\(S_{A_2}\)), as described above.

Step 3* Bob measures each pair in (\(S_{B_1},S_{A_2}\)) using Bell basis and obtains result \(C_B\). The TP also measures each pair in (\(S_{T_1},S_{B_2}\)) using Bell basis and obtains result \(C_T\). Alice and Bob then, respectively, calculate \(R_A = C_A \oplus H(M_A)\) and \(R_B = C_B \oplus H(M_B)\).

Step 4* Alice (Bob) publishes \(R_A\) (\(R_B\)) to the TP. The TP calculates \(R = R_A \oplus R_B \oplus M_T \oplus C_T\). If \(R = 0\), Alice’s and Bob’s secret messages are regarded as equal. Otherwise, their secret messages are regarded as different.

Clearly, the comparison result is not fully determined by the classical information published by both parties anymore, so the fairness loophole has been fixed. We now consider the correctness and security of the modified protocol above.

According to Table 1, we can see that \(IS_1\oplus MR_1\) = \(IS_2\oplus MR_2\), where {\(IS_1, IS_2\)} are the two-bit codes of the two initial Bell states and {\(MR_1, MR_2\)} are the two-bit codes of the two measured Bell states after entanglement swapping. If \(M_A = M_B\), the responding measurement results \(C_A\), \(C_B\), and \(C_T\) satisfy the following equation:

$$\begin{aligned} C_B\oplus C_T = C_A \oplus M_T. \end{aligned}$$
(1)

Thus, if \(M_A = M_B\), then \(R = R_A \oplus R_B \oplus M_T \oplus C_T\) = \(H(M_A) \oplus H(M_B)= 0\). The correctness of the modified protocol is guaranteed by Eq.(1).

In our second improvement, the measurement results after entanglement swapping will cover the secret with a one-time-pad key. More specifically, the TP cannot infer \(M_A\) (\(M_B\)) from \(C_T\), \(M_T\), and \(R_A = C_A \oplus H(M_A)\) (\(R_B = C_B \oplus H(M_B)\)) because the initial state \(M_A\) (\(M_B\)) is unknown to him/her, and hence he/she cannot deduce the measurement result \(C_A\) (\(C_B\)) through the principle of entanglement swapping. A dishonest party (say Bob) cannot infer Alice’s secret from \(R_A = C_A \oplus H(M_A)\) and \(R_B = C_B \oplus H(M_B)\) because \(M_T\) and \(C_T\) are unknown to him. Due to the use of decoy photons, it is secure against outside attackers. Similar results can also be found in [27, 53, 54].

4 Conclusion

In this paper, we described two security loopholes in Lin et al.’s two-party QPC protocol. In this protocol, a dishonest party can obtain the other’s secret messages without being detected. In addition, the comparison procedure without the help of a TP directly leads to the fact that the comparison result can be manipulated completely by either party. We also propose two improvements to avoid these loopholes.